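# NixOS VM test for eCryptfs-encrypted home directories.
#
# Flow: migrate alice's home with ecryptfs-migrate-home, then log in and out on
# tty1 several times, checking that files written while logged in are absent
# from ~alice once the private mount is gone and present again after the next
# login.
{ ... }:
{
  name = "ecryptfs";

  nodes.machine =
    { pkgs, ... }:
    {
      # Presumably declares the "alice" account used below; confirm in that file.
      imports = [ ./common/user-account.nix ];
      boot.kernelModules = [ "ecryptfs" ];
      security.pam.enableEcryptfs = true;
      # keyutils provides keyctl, used below to list alice's user keyring.
      environment.systemPackages = with pkgs; [ keyutils ];
    };

  testScript = ''
    def login_as_alice():
        """Log alice in on tty1 and wait for her shell prompt."""
        machine.wait_until_tty_matches("1", "login: ")
        machine.send_chars("alice\n")
        machine.wait_until_tty_matches("1", "Password: ")
        # "foobar" is the throwaway password set in the first subtest.
        machine.send_chars("foobar\n")
        machine.wait_until_tty_matches("1", "alice@machine")


    def logout():
        """End the tty1 session and wait for the login prompt to return."""
        machine.send_chars("logout\n")
        machine.wait_until_tty_matches("1", "login: ")


    machine.wait_for_unit("default.target")

    with subtest("Set alice up with a password and a home"):
        machine.succeed("(echo foobar; echo foobar) | passwd alice")
        # ":" is the owner/group separator; the "." form is a deprecated
        # spelling that newer chown versions warn about.
        machine.succeed("chown -R alice:users ~alice")

    with subtest("Migrate alice's home"):
        # The login password is fed on stdin.
        out = machine.succeed("echo foobar | ecryptfs-migrate-home -u alice")
        machine.log(f"ecryptfs-migrate-home said: {out}")

    with subtest("Log alice in (ecryptfs passwhrase is wrapped during first login)"):
        login_as_alice()
        logout()

    # Why do I need to do this??
    # NOTE(review): the explicit ecryptfs-umount-private call, with its
    # failure ignored via "|| true", means the mount check below passes
    # whether or not logout alone tore the mount down. As written, this test
    # does not demonstrate that the encrypted home is unmounted automatically
    # at logout; only the forced unmount is covered.
    machine.succeed("su alice -c ecryptfs-umount-private || true")
    machine.sleep(1)

    with subtest("check that encrypted home is not mounted"):
        machine.fail("mount | grep ecryptfs")

    with subtest("Show contents of the user keyring"):
        # Logged for inspection only; nothing is asserted about which keys
        # remain in the keyring after logout.
        out = machine.succeed("su - alice -c 'keyctl list @u'")
        machine.log(f"keyctl list said: {out}")

    with subtest("Log alice again"):
        login_as_alice()

    with subtest("Create some files in encrypted home"):
        machine.succeed("su alice -c 'touch ~alice/a'")
        machine.succeed("su alice -c 'echo c > ~alice/b'")

    with subtest("Logout"):
        logout()

    # Why do I need to do this??
    # NOTE(review): same forced unmount as after the first login, so the
    # "not accessible" checks below cover the forced unmount, not an
    # automatic unmount at logout.
    machine.succeed("su alice -c ecryptfs-umount-private || true")
    machine.sleep(1)

    with subtest("Check that the filesystem is not accessible"):
        machine.fail("mount | grep ecryptfs")
        # With the private mount gone, the files created while logged in
        # must not be visible under ~alice.
        machine.succeed("su alice -c 'test ! -f ~alice/a'")
        machine.succeed("su alice -c 'test ! -f ~alice/b'")

    with subtest("Log alice once more"):
        login_as_alice()

    with subtest("Check that the files are there"):
        machine.sleep(1)
        machine.succeed("su alice -c 'test -f ~alice/a'")
        machine.succeed("su alice -c 'test -f ~alice/b'")
        # Unlike the checks above, this read is not wrapped in "su alice".
        machine.succeed('test "$(cat ~alice/b)" = "c"')

    with subtest("Catch https://github.com/NixOS/nixpkgs/issues/16766"):
        machine.succeed("su alice -c 'ls -lh ~alice/'")

    logout()
  '';
}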