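import ./make-test-python.nix (
  { ... }:

  {
    name = "fscrypt";

    nodes.machine =
      { pkgs, ... }:
      {
        imports = [ ./common/user-account.nix ];
        # pam_fscrypt is what ties the key lifecycle to the login session: the
        # test below relies on alice's login making her home readable and her
        # logout making it unreadable again.
        security.pam.enableFscrypt = true;
      };

    testScript = ''
      def login_as_alice():
          """Log alice in on tty1 with the fixture password and wait for her prompt."""
          machine.wait_until_tty_matches("1", "login: ")
          machine.send_chars("alice\n")
          machine.wait_until_tty_matches("1", "Password: ")
          machine.send_chars("foobar\n")
          # Plain "@" rather than "\@": Python treats "\@" as an invalid escape
          # (a SyntaxWarning from 3.12 on), and "@" needs no escaping in the
          # regex that wait_until_tty_matches applies to the tty contents.
          machine.wait_until_tty_matches("1", "alice@machine")

      def logout():
          """End the tty1 session and wait for the login prompt to come back."""
          machine.send_chars("logout\n")
          machine.wait_until_tty_matches("1", "login: ")

      machine.wait_for_unit("default.target")

      with subtest("Enable fscrypt on filesystem"):
          # Turn on the ext4 "encrypt" feature on the (mounted) root device so the
          # filesystem accepts encryption policies on directories below it.
          machine.succeed("tune2fs -O encrypt /dev/vda")
          # --time=1ms asks fscrypt for a near-zero passphrase hashing cost so the
          # test runs quickly.  That is a test-only setting: in a real deployment
          # keep fscrypt's default (or a larger) hashing time, otherwise the login
          # passphrase protecting the directory key is cheap to brute-force offline.
          machine.succeed("fscrypt setup --quiet --force --time=1ms")

      with subtest("Set up alice with an fscrypt-enabled home directory"):
          # The pam_passphrase protector is derived from the login password, so
          # the password is set explicitly here to the value login_as_alice() types.
          machine.succeed("(echo foobar; echo foobar) | passwd alice")
          # "user:group" is the documented chown separator; the "user.group" form
          # is a deprecated GNU compatibility spelling.
          machine.succeed("chown -R alice:users ~alice")
          # --skip-unlock leaves the directory locked after setup, so the first
          # unlock happens through the PAM login below rather than this root shell.
          machine.succeed("echo foobar | fscrypt encrypt --skip-unlock --source=pam_passphrase --user=alice /home/alice")

      with subtest("Create file as alice"):
          login_as_alice()
          machine.succeed("echo hello > /home/alice/world")
          logout()
          # Wait for logout to be processed.  NOTE(review): this is a fixed delay
          # for the session-close key removal, not a synchronisation point; if the
          # next subtest ever flakes, replace it with an explicit wait.
          machine.sleep(1)

      with subtest("File should not be readable without being logged in as alice"):
          # This runs from the test driver's shell (root, as the tune2fs/passwd
          # calls above require), so a failure here is the missing key, not a
          # permission denial.  With the key evicted both the name and the
          # contents of "world" stay encrypted, so the plaintext path cannot be
          # opened at all.
          machine.fail("cat /home/alice/world")

      with subtest("File should be readable again as alice"):
          login_as_alice()
          # The read is issued from the driver's shell, not alice's tty; it is
          # expected to succeed because the key alice's login added is visible to
          # that shell as well (presumably a filesystem-level keyring -- confirm
          # against the fscrypt policy version in use if this is tightened).
          machine.succeed("cat /home/alice/world")
          logout()
    '';
  }
)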