nixpkgs/nixos/tests/dhparams.nix
aszlig 81fc2c3509
nixos/dhparams: Add a defaultBitSize option
This allows to set the default bit size for all the Diffie-Hellman
parameters defined in security.dhparams.params and it's particularly
useful so that we can set it to a very low value in tests (so it doesn't
take ages to generate).

Regardless of its use in testing, this also has an impact on production
systems: if the owner wants to set all of them to a different size than
2048, they don't need to set it individually for every parameter that is
defined.

I've added a subtest to the "dhparams" NixOS test to ensure this is
working properly.

Signed-off-by: aszlig <aszlig@nix.build>
2018-05-07 04:58:52 +02:00


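let
  # Shared by every generation: turn on dhparams generation and put openssl
  # on the system so the test script can read the generated files back.
  common = { pkgs, ... }: {
    security.dhparams.enable = true;
    environment.systemPackages = [ pkgs.openssl ];
  };
in import ./make-test.nix {
  name = "dhparams";

  nodes.generation1 = { pkgs, config, ... }: {
    imports = [ common ];
    security.dhparams.params = {
      # Use low values here because we don't want the test to run for ages.
      # (Sizes this small are test fixtures only; they provide no security.)
      foo.bits = 16;
      # Also use the old format to make sure the type is coerced in the right
      # way.
      bar = 17;
    };
    systemd.services.foo = {
      description = "Check systemd Ordering";
      wantedBy = [ "multi-user.target" ];
      unitConfig = {
        # This is to make sure that the dhparams generation of foo occurs
        # before this service so we need this service to start as early as
        # possible to provoke a race condition.
        DefaultDependencies = false;
        # We check later whether the service has been started or not.
        ConditionPathExists = config.security.dhparams.params.foo.path;
      };
      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = true;
      # The reason we only provide an ExecStop here is to ensure that we don't
      # accidentally trigger an error because a file system is not yet ready
      # during very early startup (we might not even have the Nix store
      # available, for example if future changes in NixOS use systemd mount
      # units to do early file system initialisation).
      serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
    };
  };

  # Same parameter 'foo' with a different size and 'bar' gone: switching
  # from generation 1 must regenerate foo and delete bar's file.
  nodes.generation2 = {
    imports = [ common ];
    security.dhparams.params.foo.bits = 18;
  };

  # No params at all: security.dhparams.path itself is expected to go away.
  nodes.generation3 = common;

  # Stateless mode: the files are expected to live in the Nix store.
  nodes.generation4 = {
    imports = [ common ];
    security.dhparams.stateful = false;
    security.dhparams.params.foo2.bits = 18;
    security.dhparams.params.bar2.bits = 19;
  };

  # Neither param sets .bits, so both must pick up defaultBitSize.
  nodes.generation5 = {
    imports = [ common ];
    security.dhparams.defaultBitSize = 30;
    security.dhparams.params.foo3 = {};
    security.dhparams.params.bar3 = {};
  };

  testScript = { nodes, ... }: let
    # The .path of parameter `name` as evaluated in generation `gen`'s config.
    getParamPath = gen: name: let
      node = "generation${toString gen}";
    in nodes.${node}.config.security.dhparams.params.${name}.path;

    # Perl snippet: read the file back with openssl and require the bit size
    # it reports to be exactly `bits`.
    assertParamBits = gen: name: bits: let
      path = getParamPath gen name;
    in ''
      $machine->nest('check bit size of ${path}', sub {
        my $out = $machine->succeed('openssl dhparam -in ${path} -text');
        # Check the match itself: on a failed match $1 is undefined (or
        # stale), which would turn a parse problem into a confusing size
        # mismatch message.
        $out =~ /^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$/m
          or die "could not find a bit size in openssl output for ${path}.";
        my $actual = $1;
        die "bit size should be ${toString bits} but it is $actual instead."
          if $actual != ${toString bits};
      });
    '';

    # Perl snippet: run switch-to-configuration for generation `gen` on the
    # running machine and point $main::machine at that node's driver object.
    switchToGeneration = gen: let
      node = "generation${toString gen}";
      inherit (nodes.${node}.config.system.build) toplevel;
      switchCmd = "${toplevel}/bin/switch-to-configuration test";
    in ''
      $machine->nest('switch to generation ${toString gen}', sub {
        $machine->succeed('${switchCmd}');
        # NOTE(review): $machine is declared with `my` in the test script, so
        # this package-global assignment may not rebind the lexical that the
        # nest subs close over -- confirm against the test driver.
        $main::machine = ''$${node};
      });
    '';
  in ''
    my $machine = $generation1;
    $machine->waitForUnit('multi-user.target');

    subtest "verify startup order", sub {
      $machine->succeed('systemctl is-active foo.service');
    };

    subtest "check bit sizes of dhparam files", sub {
      ${assertParamBits 1 "foo" 16}
      ${assertParamBits 1 "bar" 17}
    };

    ${switchToGeneration 2}

    subtest "check whether bit size has changed", sub {
      ${assertParamBits 2 "foo" 18}
    };

    subtest "ensure that dhparams file for 'bar' was deleted", sub {
      $machine->fail('test -e ${getParamPath 1 "bar"}');
    };

    ${switchToGeneration 3}

    subtest "ensure that 'security.dhparams.path' has been deleted", sub {
      $machine->fail(
        'test -e ${nodes.generation3.config.security.dhparams.path}'
      );
    };

    ${switchToGeneration 4}

    subtest "check bit sizes dhparam files", sub {
      ${assertParamBits 4 "foo2" 18}
      ${assertParamBits 4 "bar2" 19}
    };

    subtest "check whether dhparam files are in the Nix store", sub {
      $machine->succeed(
        'expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}',
        'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}',
      );
    };

    ${switchToGeneration 5}

    subtest "check whether defaultBitSize works as intended", sub {
      ${assertParamBits 5 "foo3" 30}
      ${assertParamBits 5 "bar3" 30}
    };
  '';
}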