systemd/test/units/testsuite-54.sh

#!/usr/bin/env bash
# shellcheck disable=SC2016
set -eux

systemd-analyze log-level debug

# Verify that the creds are properly loaded and we can read them from the service's unpriv user
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p LoadCredential=shadow:/etc/shadow \
            -p SetCredential=dog:wuff \
            -p DynamicUser=1 \
            --wait \
            --pipe \
            cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat
( cat /etc/passwd /etc/shadow && echo -n wuff ) | cmp /tmp/ts54-concat
rm /tmp/ts54-concat

# Verify that the creds are immutable
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p DynamicUser=1 \
            --wait \
            touch '${CREDENTIALS_DIRECTORY}/passwd' \
    && { echo 'unexpected success'; exit 1; }
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p DynamicUser=1 \
            --wait \
            rm '${CREDENTIALS_DIRECTORY}/passwd' \
    && { echo 'unexpected success'; exit 1; }

# Now test encrypted credentials (only supported when built with OpenSSL though)

if systemctl --version | grep -q -- +OPENSSL ; then
    echo -n $RANDOM >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    echo -n $RANDOM >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
fi

systemd-analyze log-level info

echo OK >/testok

exit 0
test: add test suite for new credentials logic 2020-08-11 18:08:41 +03:00			`#!/usr/bin/env bash`
test: use set -eux and set -o pipefail everywhere This should make the scripts more robust. 2021-04-09 20:39:41 +03:00			`# shellcheck disable=SC2016`
			`set -eux`
test: add test suite for new credentials logic 2020-08-11 18:08:41 +03:00
			`systemd-analyze log-level debug`

			`# Verify that the creds are properly loaded and we can read them from the service's unpriv user`
			`systemd-run -p LoadCredential=passwd:/etc/passwd \`
			`-p LoadCredential=shadow:/etc/shadow \`
			`-p SetCredential=dog:wuff \`
			`-p DynamicUser=1 \`
			`--wait \`
			`--pipe \`
TEST-*: use spacing before redirection operator, but not after << EOF → <<EOF > foo < bar → >foo <bar 2021-04-08 01:09:55 +03:00			`cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat`
test: add test suite for new credentials logic 2020-08-11 18:08:41 +03:00			`( cat /etc/passwd /etc/shadow && echo -n wuff ) \| cmp /tmp/ts54-concat`
			`rm /tmp/ts54-concat`

			`# Verify that the creds are immutable`
TEST-*: make failure tests actually fail on failure Here the intent was actually correct, and the tests still pass when the check is made effective. 2021-04-08 02:27:33 +03:00			`systemd-run -p LoadCredential=passwd:/etc/passwd \`
test: add test suite for new credentials logic 2020-08-11 18:08:41 +03:00			`-p DynamicUser=1 \`
			`--wait \`
TEST-*: make failure tests actually fail on failure Here the intent was actually correct, and the tests still pass when the check is made effective. 2021-04-08 02:27:33 +03:00			`touch '${CREDENTIALS_DIRECTORY}/passwd' \`
			`&& { echo 'unexpected success'; exit 1; }`
			`systemd-run -p LoadCredential=passwd:/etc/passwd \`
test: add test suite for new credentials logic 2020-08-11 18:08:41 +03:00			`-p DynamicUser=1 \`
			`--wait \`
TEST-*: make failure tests actually fail on failure Here the intent was actually correct, and the tests still pass when the check is made effective. 2021-04-08 02:27:33 +03:00			`rm '${CREDENTIALS_DIRECTORY}/passwd' \`
			`&& { echo 'unexpected success'; exit 1; }`
test: add test suite for new credentials logic 2020-08-11 18:08:41 +03:00
test: extend credentials test to cover encrypted credentials 2021-06-24 11:28:28 +03:00			`# Now test encrypted credentials (only supported when built with OpenSSL though)`

			`if systemctl --version \| grep -q -- +OPENSSL ; then`
			`echo -n $RANDOM >/tmp/test-54-plaintext`
			`systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext`
			`systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext \| cmp /tmp/test-54-plaintext`

			`systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \`
			`--wait \`
			`--pipe \`
			`cat '${CREDENTIALS_DIRECTORY}/test-54' \| cmp /tmp/test-54-plaintext`

			`echo -n $RANDOM >/tmp/test-54-plaintext`
			`systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext`
			`systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext \| cmp /tmp/test-54-plaintext`

test: shellcheck-ify test scripts 2021-09-29 21:30:08 +03:00			`systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \`
test: extend credentials test to cover encrypted credentials 2021-06-24 11:28:28 +03:00			`--wait \`
			`--pipe \`
			`cat '${CREDENTIALS_DIRECTORY}/test-54' \| cmp /tmp/test-54-plaintext`

			`rm /tmp/test-54-plaintext /tmp/test-54-ciphertext`
			`fi`

test: add test suite for new credentials logic 2020-08-11 18:08:41 +03:00			`systemd-analyze log-level info`

TEST-*: use spacing before redirection operator, but not after << EOF → <<EOF > foo < bar → >foo <bar 2021-04-08 01:09:55 +03:00			`echo OK >/testok`
test: add test suite for new credentials logic 2020-08-11 18:08:41 +03:00
			`exit 0`