diff options
author | Lucas Savva <lucas@m1cr0man.com> | 2021-03-15 19:25:49 +0000 |
---|---|---|
committer | Lucas Savva <lucas@m1cr0man.com> | 2021-03-15 19:25:49 +0000 |
commit | 2dd7973751e411e5dd6dc06e19b8c23e42ff2c3d (patch) | |
tree | 0eb1c3b55851254ea74580010f5033688cb16606 /nixos/tests/acme.nix | |
parent | 920a3f5a9d0d603b2435bac2c58d76ab784fcddd (diff) | |
download | nixpkgs-2dd7973751e411e5dd6dc06e19b8c23e42ff2c3d.tar nixpkgs-2dd7973751e411e5dd6dc06e19b8c23e42ff2c3d.tar.gz nixpkgs-2dd7973751e411e5dd6dc06e19b8c23e42ff2c3d.tar.bz2 nixpkgs-2dd7973751e411e5dd6dc06e19b8c23e42ff2c3d.tar.lz nixpkgs-2dd7973751e411e5dd6dc06e19b8c23e42ff2c3d.tar.xz nixpkgs-2dd7973751e411e5dd6dc06e19b8c23e42ff2c3d.tar.zst nixpkgs-2dd7973751e411e5dd6dc06e19b8c23e42ff2c3d.zip |
nixos/acme: Add permissions tests
Diffstat (limited to 'nixos/tests/acme.nix')
-rw-r--r-- | nixos/tests/acme.nix | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/nixos/tests/acme.nix b/nixos/tests/acme.nix index ef5021bf1a0..99dd8ec6fd3 100644 --- a/nixos/tests/acme.nix +++ b/nixos/tests/acme.nix @@ -334,6 +334,21 @@ in import ./make-test-python.nix ({ lib, ... }: { check_issuer(webserver, "a.example.test", "pebble") check_connection(client, "a.example.test") + with subtest("Certificates and accounts have safe + valid permissions"): + group = "${nodes.webserver.config.security.acme.certs."a.example.test".group}" + webserver.succeed( + f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" + ) + webserver.succeed( + f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/.lego/a.example.test/**/* | tee /dev/stderr | grep '640 acme {group}' | wc -l) -eq 5" + ) + webserver.succeed( + f"test $(stat -L -c \"%a %U %G\" /var/lib/acme/a.example.test | tee /dev/stderr | grep '750 acme {group}' | wc -l) -eq 1" + ) + webserver.succeed( + f"test $(find /var/lib/acme/accounts -type f -exec stat -L -c \"%a %U %G\" {{}} \\; | tee /dev/stderr | grep -v '600 acme {group}' | wc -l) -eq 0" + ) + with subtest("Can generate valid selfsigned certs"): webserver.succeed("systemctl clean acme-a.example.test.service --what=state") webserver.succeed("systemctl start acme-selfsigned-a.example.test.service") |