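#!/usr/bin/env bash
# SPDX-License-Identifier: LGPL-2.1-or-later
#
# Integration test for systemd's credential machinery (see
# test/TEST-54-CREDS/test.sh for the harness that passes system credentials
# into the nspawn/qemu instance this script runs in).
#
# Covered here:
#   - LoadCredential= / SetCredential= delivery into $CREDENTIALS_DIRECTORY,
#     readable by the service's unprivileged DynamicUser= identity
#   - SetCredential= acting as a fallback when the LoadCredential= source is gone
#   - system credentials arriving via nspawn, the kernel command line or SMBIOS,
#     and their propagation (with and without renaming) into services
#   - AssertCredential= accepting a present and rejecting an absent credential
#   - credentials being immutable from inside the service
#   - directory-based loading (files become <cred>_<path-with-underscores>)
#   - encrypted credentials (only when systemd was built with OpenSSL)
#
# Every check is a plain command that must succeed; `set -e` turns the first
# failing check into a test failure. Checks that are expected to *fail* are
# written as `cmd && { echo 'unexpected success'; exit 1; }`, which `set -e`
# does not interfere with.
#
# The '${CREDENTIALS_DIRECTORY}/...' arguments are deliberately single-quoted:
# they must be expanded by the transient service, not by this shell, hence the
# SC2016 suppression below.
# shellcheck disable=SC2016
set -eux

systemd-analyze log-level debug

# Verify that the creds are properly loaded and we can read them from the
# service's unpriv user. /etc/shadow is only readable by root on the host, so a
# successful cmp proves the manager loaded it on the service's behalf.
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p LoadCredential=shadow:/etc/shadow \
            -p SetCredential=dog:wuff \
            -p DynamicUser=1 \
            --wait \
            --pipe \
            cat '${CREDENTIALS_DIRECTORY}/passwd' '${CREDENTIALS_DIRECTORY}/shadow' '${CREDENTIALS_DIRECTORY}/dog' >/tmp/ts54-concat
( cat /etc/passwd /etc/shadow && printf '%s' wuff ) | cmp /tmp/ts54-concat
rm /tmp/ts54-concat

# Test that SetCredential= acts as fallback for LoadCredential=: while the
# source file exists its content wins, once it is removed the inline value is
# used instead.
echo piff >/tmp/ts54-fallback
[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "piff" ]
rm /tmp/ts54-fallback
[ "$(systemd-run -p LoadCredential=paff:/tmp/ts54-fallback -p SetCredential=paff:poff --pipe --wait systemd-creds cat paff)" = "poff" ]

# Figure out which system credential the harness handed us. The name/value
# pairs below must match what test/TEST-54-CREDS/test.sh passes in.
if systemd-detect-virt -q -c; then
    expected_credential=mynspawncredential
    expected_value=strangevalue
elif [ -d /sys/firmware/qemu_fw_cfg/by_name ]; then
    # Verify that passing creds through kernel cmdline works
    [ "$(systemd-creds --system cat kernelcmdlinecred)" = "uff" ]

    # And that it also works via SMBIOS
    [ "$(systemd-creds --system cat smbioscredential)" = "magicdata" ]
    [ "$(systemd-creds --system cat binarysmbioscredential)" = "magicbinarydata" ]

    # If we aren't run in nspawn, we are run in qemu
    systemd-detect-virt -q -v
    expected_credential=myqemucredential
    expected_value=othervalue

    # Verify that writing a sysctl via the kernel cmdline worked
    [ "$(cat /proc/sys/kernel/domainname)" = "sysctltest" ]

    # Verify that creating a user via sysusers via the kernel cmdline worked
    grep -q '^credtestuser:' /etc/passwd

    # Verify that writing a file via tmpfiles worked
    [ "$(cat /tmp/sourcedfromcredential)" = "tmpfilessecret" ]

    [ "$(cat /etc/motd.d/50-provision.conf)" = "hello" ]
    [ "$(cat /etc/issue.d/50-provision.conf)" = "welcome" ]
else
    echo "qemu_fw_cfg support missing in kernel. Sniff!"
    expected_credential=""
    expected_value=""
fi

if [ "$expected_credential" != "" ]; then
    # If this test is run in nspawn a credential should have been passed to us.
    # See test/TEST-54-CREDS/test.sh
    [ "$(systemd-creds --system cat "$expected_credential")" = "$expected_value" ]

    # Test that propagation from system credential to service credential works
    [ "$(systemd-run -p LoadCredential="$expected_credential" --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]

    # Check it also works, if we rename it while propagating it
    [ "$(systemd-run -p LoadCredential=miau:"$expected_credential" --pipe --wait systemd-creds cat miau)" = "$expected_value" ]

    # Combine it with a fallback (which should have no effect, given the cred
    # should be passed down)
    [ "$(systemd-run -p LoadCredential="$expected_credential" -p SetCredential="$expected_credential":zzz --pipe --wait systemd-creds cat "$expected_credential")" = "$expected_value" ]

    # This should succeed
    systemd-run -p AssertCredential="$expected_credential" -p Type=oneshot true

    # And this should fail: the unit must not even start without the credential
    systemd-run -p AssertCredential="undefinedcredential" -p Type=oneshot true && { echo 'unexpected success'; exit 1; }
fi

# Verify that the creds are immutable: neither modifying nor removing a loaded
# credential from inside the (unprivileged) service may succeed.
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p DynamicUser=1 \
            --wait \
            touch '${CREDENTIALS_DIRECTORY}/passwd' \
    && { echo 'unexpected success'; exit 1; }
systemd-run -p LoadCredential=passwd:/etc/passwd \
            -p DynamicUser=1 \
            --wait \
            rm '${CREDENTIALS_DIRECTORY}/passwd' \
    && { echo 'unexpected success'; exit 1; }

# Check directory-based loading: every file below the source directory is
# exposed as its own credential, with '/' in the relative path turned into '_'.
mkdir -p /tmp/ts54-creds/sub
printf '%s' a >/tmp/ts54-creds/foo
printf '%s' b >/tmp/ts54-creds/bar
printf '%s' c >/tmp/ts54-creds/baz
printf '%s' d >/tmp/ts54-creds/sub/qux
systemd-run -p LoadCredential=cred:/tmp/ts54-creds \
            -p DynamicUser=1 \
            --wait \
            --pipe \
            cat '${CREDENTIALS_DIRECTORY}/cred_foo' \
                '${CREDENTIALS_DIRECTORY}/cred_bar' \
                '${CREDENTIALS_DIRECTORY}/cred_baz' \
                '${CREDENTIALS_DIRECTORY}/cred_sub_qux' >/tmp/ts54-concat
printf '%s' abcd | cmp /tmp/ts54-concat
rm /tmp/ts54-concat
rm -rf /tmp/ts54-creds

# Now test encrypted credentials (only supported when built with OpenSSL though)
if systemctl --version | grep -q -- +OPENSSL; then
    # Round-trip through the CLI first, then through LoadCredentialEncrypted=.
    printf '%s' "$RANDOM" >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p LoadCredentialEncrypted=test-54:/tmp/test-54-ciphertext \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    # Fresh plaintext, this time delivered inline via SetCredentialEncrypted=.
    # The ciphertext ends up on the command line (and in the `set -x` trace),
    # which is acceptable here only because it is already encrypted.
    printf '%s' "$RANDOM" >/tmp/test-54-plaintext
    systemd-creds encrypt --name=test-54 /tmp/test-54-plaintext /tmp/test-54-ciphertext
    systemd-creds decrypt --name=test-54 /tmp/test-54-ciphertext | cmp /tmp/test-54-plaintext

    systemd-run -p SetCredentialEncrypted=test-54:"$(cat /tmp/test-54-ciphertext)" \
                --wait \
                --pipe \
                cat '${CREDENTIALS_DIRECTORY}/test-54' | cmp /tmp/test-54-plaintext

    rm /tmp/test-54-plaintext /tmp/test-54-ciphertext
fi

systemd-analyze log-level info

# The harness looks for this marker file to decide that the test passed.
echo OK >/testok

exit 0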