author | Vincent Haupert <mail@vincent-haupert.de> | 2021-12-04 15:13:26 +0100 |
---|---|---|
committer | Vincent Haupert <mail@vincent-haupert.de> | 2021-12-10 10:18:31 +0100 |
commit | d6cc0ad96e0a8723d457d0a8c6c6bfc54df2920b (patch) | |
tree | a1ac81496e32f788851653ade83a6d0fc08de591 /nixos | |
parent | 0b5c9f81e26e1c9656ec47dedd6cf82a0c127813 (diff) | |
nixosTests.aesmd: init
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/tests/aesmd.nix | 62 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 1 |
2 files changed, 63 insertions, 0 deletions
diff --git a/nixos/tests/aesmd.nix b/nixos/tests/aesmd.nix
new file mode 100644
index 00000000000..59c04fe7e96
--- /dev/null
+++ b/nixos/tests/aesmd.nix
@@ -0,0 +1,62 @@
+import ./make-test-python.nix ({ pkgs, lib, ... }: {
+ name = "aesmd";
+ meta = {
+ maintainers = with lib.maintainers; [ veehaitch ];
+ };
+
+ machine = { lib, ... }: {
+ services.aesmd = {
+ enable = true;
+ settings = {
+ defaultQuotingType = "ecdsa_256";
+ proxyType = "direct";
+ whitelistUrl = "http://nixos.org";
+ };
+ };
+
+ # Should have access to the AESM socket
+ users.users."sgxtest" = {
+ isNormalUser = true;
+ extraGroups = [ "sgx" ];
+ };
+
+ # Should NOT have access to the AESM socket
+ users.users."nosgxtest".isNormalUser = true;
+
+ # We don't have a real SGX machine in NixOS tests
+ systemd.services.aesmd.unitConfig.AssertPathExists = lib.mkForce [ ];
+ };
+
+ testScript = ''
+ with subtest("aesmd.service starts"):
+ machine.wait_for_unit("aesmd.service")
+ status, main_pid = machine.systemctl("show --property MainPID --value aesmd.service")
+ assert status == 0, "Could not get MainPID of aesmd.service"
+ main_pid = main_pid.strip()
+
+ with subtest("aesmd.service runtime directory permissions"):
+ runtime_dir = "/run/aesmd";
+ res = machine.succeed(f"stat -c '%a %U %G' {runtime_dir}").strip()
+ assert "750 aesmd sgx" == res, f"{runtime_dir} does not have the expected permissions: {res}"
+
+ with subtest("aesm.socket available on host"):
+ socket_path = "/var/run/aesmd/aesm.socket"
+ machine.wait_until_succeeds(f"test -S {socket_path}")
+ machine.succeed(f"test 777 -eq $(stat -c '%a' {socket_path})")
+ for op in [ "-r", "-w", "-x" ]:
+ machine.succeed(f"sudo -u sgxtest test {op} {socket_path}")
+ machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")
+
+ with subtest("Copies white_list_cert_to_be_verify.bin"):
+ whitelist_path = "/var/opt/aesmd/data/white_list_cert_to_be_verify.bin"
+ whitelist_perms = machine.succeed(
+ f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/stat -c '%a' {whitelist_path}"
+ ).strip()
+ assert "644" == whitelist_perms, f"white_list_cert_to_be_verify.bin has permissions {whitelist_perms}"
+
+ with subtest("Writes and binds aesm.conf in service namespace"):
+ aesmd_config = machine.succeed(f"nsenter -m -t {main_pid} ${pkgs.coreutils}/bin/cat /etc/aesmd.conf")
+
+ assert aesmd_config == "whitelist url = http://nixos.org\nproxy type = direct\ndefault quoting type = ecdsa_256\n", "aesmd.conf differs"
+ '';
+})
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index 06305460c6a..f86cc2544da 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -23,6 +23,7 @@ in {
 _3proxy = handleTest ./3proxy.nix {};
 acme = handleTest ./acme.nix {};
+ aesmd = handleTest ./aesmd.nix {};
 agda = handleTest ./agda.nix {};
 airsonic = handleTest ./airsonic.nix {};
 amazon-init-shell = handleTest ./amazon-init-shell.nix {};
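Review bot: The negative checks `machine.fail(f"sudo -u nosgxtest test {op} {socket_path}")` in the `for op in [ "-r", "-w", "-x" ]:` loop pass vacuously if `sudo -u nosgxtest` cannot run at all, because `machine.fail` only requires a non-zero exit and does not distinguish a permission denial from a sudo or user-lookup error; a `machine.succeed("sudo -u nosgxtest true")` before the loop would pin the failure to the access check. Since the socket itself is asserted to be mode 777 while `/run/aesmd` is asserted `750 aesmd sgx`, the denial for nosgxtest presumably comes from directory traversal rather than the socket mode, and a comment on the loop such as `# access is gated by the 750 aesmd:sgx runtime dir, not by the socket's own mode` would make that intent explicit for the next reader. Separately, `runtime_dir = "/run/aesmd";` carries a stray trailing semicolon inside the Python test script.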