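# NixOS VM test for eCryptfs-encrypted home directories.
#
# The machine loads the ecryptfs kernel module, enables the PAM integration
# (security.pam.enableEcryptfs) and installs keyutils so the user keyring can
# be inspected. The script migrates alice's home, then checks that it is
# unmounted and its files are not visible after logout, and that the files
# come back after the next login.
import ./make-test-python.nix (
  { ... }:
  {
    name = "ecryptfs";

    nodes.machine =
      { pkgs, ... }:
      {
        imports = [ ./common/user-account.nix ];
        boot.kernelModules = [ "ecryptfs" ];
        security.pam.enableEcryptfs = true;
        environment.systemPackages = with pkgs; [ keyutils ];
      };

    # "foobar" is a throwaway credential that only exists inside the test VM.
    # It is set as alice's login password and is also what gets piped to
    # ecryptfs-migrate-home below.
    testScript = ''
      def login_as_alice():
          """Log alice in on tty1 and wait for her shell prompt."""
          machine.wait_until_tty_matches("1", "login: ")
          machine.send_chars("alice\n")
          machine.wait_until_tty_matches("1", "Password: ")
          machine.send_chars("foobar\n")
          machine.wait_until_tty_matches("1", "alice\@machine")


      def logout():
          """End the tty1 session and wait for the login prompt to return."""
          machine.send_chars("logout\n")
          machine.wait_until_tty_matches("1", "login: ")


      machine.wait_for_unit("default.target")

      with subtest("Set alice up with a password and a home"):
          machine.succeed("(echo foobar; echo foobar) | passwd alice")
          # OWNER:GROUP is the POSIX separator; the older OWNER.GROUP form is deprecated.
          machine.succeed("chown -R alice:users ~alice")

      with subtest("Migrate alice's home"):
          out = machine.succeed("echo foobar | ecryptfs-migrate-home -u alice")
          machine.log(f"ecryptfs-migrate-home said: {out}")

      with subtest("Log alice in (ecryptfs passphrase is wrapped during first login)"):
          login_as_alice()
          logout()

      # The original author found this explicit unmount necessary without
      # recording why. Because of `|| true` a failing helper is ignored here,
      # so the mount-table check in the next subtest is the real assertion.
      machine.succeed("su alice -c ecryptfs-umount-private || true")
      # Fixed one-second delay before asserting on the mount table.
      machine.sleep(1)

      with subtest("check that encrypted home is not mounted"):
          # Fails the test if any line of the mount table mentions ecryptfs.
          machine.fail("mount | grep ecryptfs")

      with subtest("Show contents of the user keyring"):
          # Logged for diagnosis only; nothing is asserted about the keyring contents.
          out = machine.succeed("su - alice -c 'keyctl list \@u'")
          machine.log(f"keyctl list said: {out}")

      with subtest("Log alice again"):
          login_as_alice()

      with subtest("Create some files in encrypted home"):
          machine.succeed("su alice -c 'touch ~alice/a'")
          machine.succeed("su alice -c 'echo c > ~alice/b'")

      with subtest("Logout"):
          logout()

      # Same explicit unmount as after the first login; failures are ignored
      # here too, and the checks below decide the outcome.
      machine.succeed("su alice -c ecryptfs-umount-private || true")
      machine.sleep(1)

      with subtest("Check that the filesystem is not accessible"):
          machine.fail("mount | grep ecryptfs")
          # With the encrypted home unmounted, the files created during the
          # session must not be visible under their plaintext names.
          machine.succeed("su alice -c 'test \! -f ~alice/a'")
          machine.succeed("su alice -c 'test \! -f ~alice/b'")

      with subtest("Log alice once more"):
          login_as_alice()

      with subtest("Check that the files are there"):
          machine.sleep(1)
          machine.succeed("su alice -c 'test -f ~alice/a'")
          machine.succeed("su alice -c 'test -f ~alice/b'")
          # The content must round-trip as well, not only the file names.
          machine.succeed('test "$(cat ~alice/b)" = "c"')

      with subtest("Catch https://github.com/NixOS/nixpkgs/issues/16766"):
          # Regression check for the linked issue: listing the home directory must succeed.
          machine.succeed("su alice -c 'ls -lh ~alice/'")

      logout()
    '';
  }
)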