nixpkgs/nixos/tests/ecryptfs.nix

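# NixOS VM test for an eCryptfs-encrypted home directory.
#
# Flow: give alice a password, migrate her home with ecryptfs-migrate-home,
# then log in and out on tty1 and check that files written while logged in
# are absent after logout and present again after the next login.
import ./make-test-python.nix (
  { ... }:
  {
    name = "ecryptfs";

    nodes.machine =
      { pkgs, ... }:
      {
        imports = [ ./common/user-account.nix ];
        boot.kernelModules = [ "ecryptfs" ];
        security.pam.enableEcryptfs = true;
        # keyutils provides the keyctl command used by the keyring subtest.
        environment.systemPackages = with pkgs; [ keyutils ];
      };

    testScript = ''
      def login_as_alice():
          """Log alice in on tty1 by typing her credentials at the login prompt."""
          machine.wait_until_tty_matches("1", "login: ")
          machine.send_chars("alice\n")
          machine.wait_until_tty_matches("1", "Password: ")
          machine.send_chars("foobar\n")
          machine.wait_until_tty_matches("1", "alice\@machine")


      def logout():
          """Type logout on the active tty and wait for the login prompt to return."""
          machine.send_chars("logout\n")
          machine.wait_until_tty_matches("1", "login: ")


      def umount_private_best_effort():
          """Ask ecryptfs-umount-private to unmount as alice, ignoring failure."""
          # Why do I need to do this??
          # NOTE(review): because of the trailing "|| true" this step never
          # fails, and the "not mounted" / "not accessible" checks that follow
          # it pass even if logout alone left the private directory mounted.
          # As written the test does not show that logging out by itself locks
          # the home; confirm whether pam_ecryptfs is expected to unmount here.
          machine.succeed("su alice -c ecryptfs-umount-private || true")
          machine.sleep(1)


      machine.wait_for_unit("default.target")

      with subtest("Set alice up with a password and a home"):
          # Throwaway credential for the test VM only.
          machine.succeed("(echo foobar; echo foobar) | passwd alice")
          # owner:group form; the original used the "owner.group" separator.
          machine.succeed("chown -R alice:users ~alice")

      with subtest("Migrate alice's home"):
          out = machine.succeed("echo foobar | ecryptfs-migrate-home -u alice")
          machine.log(f"ecryptfs-migrate-home said: {out}")

      with subtest("Log alice in (ecryptfs passwhrase is wrapped during first login)"):
          login_as_alice()
          logout()

      umount_private_best_effort()

      with subtest("check that encrypted home is not mounted"):
          # machine.fail passes only when grep finds no ecryptfs mount.
          machine.fail("mount | grep ecryptfs")

      with subtest("Show contents of the user keyring"):
          out = machine.succeed("su - alice -c 'keyctl list \@u'")
          # The command run is "keyctl list"; the original label said "unlink".
          machine.log(f"keyctl list said: {out}")

      with subtest("Log alice again"):
          login_as_alice()

      with subtest("Create some files in encrypted home"):
          machine.succeed("su alice -c 'touch ~alice/a'")
          machine.succeed("su alice -c 'echo c > ~alice/b'")

      with subtest("Logout"):
          logout()

      umount_private_best_effort()

      with subtest("Check that the filesystem is not accessible"):
          machine.fail("mount | grep ecryptfs")
          # Files created during the session must not be visible once logged out.
          machine.succeed("su alice -c 'test \! -f ~alice/a'")
          machine.succeed("su alice -c 'test \! -f ~alice/b'")

      with subtest("Log alice once more"):
          login_as_alice()

      with subtest("Check that the files are there"):
          machine.sleep(1)
          machine.succeed("su alice -c 'test -f ~alice/a'")
          machine.succeed("su alice -c 'test -f ~alice/b'")
          # Content check: b must still hold what was written before logout.
          machine.succeed('test "$(cat ~alice/b)" = "c"')

      with subtest("Catch https://github.com/NixOS/nixpkgs/issues/16766"):
          machine.succeed("su alice -c 'ls -lh ~alice/'")

      logout()
    '';
  }
)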