|
|
|
@ -4,7 +4,7 @@ let |
|
|
|
|
environment.systemPackages = [ pkgs.openssl ]; |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
in import ./make-test.nix { |
|
|
|
|
in import ./make-test-python.nix { |
|
|
|
|
name = "dhparams"; |
|
|
|
|
|
|
|
|
|
nodes.generation1 = { pkgs, config, ... }: { |
|
|
|
@ -66,79 +66,77 @@ in import ./make-test.nix { |
|
|
|
|
node = "generation${toString gen}"; |
|
|
|
|
in nodes.${node}.config.security.dhparams.params.${name}.path; |
|
|
|
|
|
|
|
|
|
assertParamBits = gen: name: bits: let |
|
|
|
|
path = getParamPath gen name; |
|
|
|
|
in '' |
|
|
|
|
$machine->nest('check bit size of ${path}', sub { |
|
|
|
|
my $out = $machine->succeed('openssl dhparam -in ${path} -text'); |
|
|
|
|
$out =~ /^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$/m; |
|
|
|
|
die "bit size should be ${toString bits} but it is $1 instead." |
|
|
|
|
if $1 != ${toString bits}; |
|
|
|
|
}); |
|
|
|
|
''; |
|
|
|
|
|
|
|
|
|
switchToGeneration = gen: let |
|
|
|
|
node = "generation${toString gen}"; |
|
|
|
|
inherit (nodes.${node}.config.system.build) toplevel; |
|
|
|
|
switchCmd = "${toplevel}/bin/switch-to-configuration test"; |
|
|
|
|
in '' |
|
|
|
|
$machine->nest('switch to generation ${toString gen}', sub { |
|
|
|
|
$machine->succeed('${switchCmd}'); |
|
|
|
|
$main::machine = ''$${node}; |
|
|
|
|
}); |
|
|
|
|
with machine.nested("switch to generation ${toString gen}"): |
|
|
|
|
machine.succeed( |
|
|
|
|
"${switchCmd}" |
|
|
|
|
) |
|
|
|
|
machine = ${node} |
|
|
|
|
''; |
|
|
|
|
|
|
|
|
|
in '' |
|
|
|
|
my $machine = $generation1; |
|
|
|
|
import re |
|
|
|
|
|
|
|
|
|
$machine->waitForUnit('multi-user.target'); |
|
|
|
|
|
|
|
|
|
subtest "verify startup order", sub { |
|
|
|
|
$machine->succeed('systemctl is-active foo.service'); |
|
|
|
|
}; |
|
|
|
|
def assert_param_bits(path, bits): |
|
|
|
|
with machine.nested(f"check bit size of {path}"): |
|
|
|
|
output = machine.succeed(f"openssl dhparam -in {path} -text") |
|
|
|
|
pattern = re.compile(r"^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$", re.M) |
|
|
|
|
match = pattern.match(output) |
|
|
|
|
if match is None: |
|
|
|
|
raise Exception("bla") |
|
|
|
|
if match[1] != str(bits): |
|
|
|
|
raise Exception(f"bit size should be {bits} but it is {match[1]} instead.") |
|
|
|
|
|
|
|
|
|
subtest "check bit sizes of dhparam files", sub { |
|
|
|
|
${assertParamBits 1 "foo" 16} |
|
|
|
|
${assertParamBits 1 "bar" 17} |
|
|
|
|
}; |
|
|
|
|
|
|
|
|
|
machine = generation1 |
|
|
|
|
|
|
|
|
|
machine.wait_for_unit("multi-user.target") |
|
|
|
|
|
|
|
|
|
with subtest("verify startup order"): |
|
|
|
|
machine.succeed("systemctl is-active foo.service") |
|
|
|
|
|
|
|
|
|
with subtest("check bit sizes of dhparam files"): |
|
|
|
|
assert_param_bits("${getParamPath 1 "foo"}", 16) |
|
|
|
|
assert_param_bits("${getParamPath 1 "bar"}", 17) |
|
|
|
|
|
|
|
|
|
${switchToGeneration 2} |
|
|
|
|
|
|
|
|
|
subtest "check whether bit size has changed", sub { |
|
|
|
|
${assertParamBits 2 "foo" 18} |
|
|
|
|
}; |
|
|
|
|
with subtest("check whether bit size has changed"): |
|
|
|
|
assert_param_bits("${getParamPath 2 "foo"}", 18) |
|
|
|
|
|
|
|
|
|
subtest "ensure that dhparams file for 'bar' was deleted", sub { |
|
|
|
|
$machine->fail('test -e ${getParamPath 1 "bar"}'); |
|
|
|
|
}; |
|
|
|
|
with subtest("ensure that dhparams file for 'bar' was deleted"): |
|
|
|
|
machine.fail("test -e ${getParamPath 1 "bar"}") |
|
|
|
|
|
|
|
|
|
${switchToGeneration 3} |
|
|
|
|
|
|
|
|
|
subtest "ensure that 'security.dhparams.path' has been deleted", sub { |
|
|
|
|
$machine->fail( |
|
|
|
|
'test -e ${nodes.generation3.config.security.dhparams.path}' |
|
|
|
|
); |
|
|
|
|
}; |
|
|
|
|
with subtest("ensure that 'security.dhparams.path' has been deleted"): |
|
|
|
|
machine.fail("test -e ${nodes.generation3.config.security.dhparams.path}") |
|
|
|
|
|
|
|
|
|
${switchToGeneration 4} |
|
|
|
|
|
|
|
|
|
subtest "check bit sizes dhparam files", sub { |
|
|
|
|
${assertParamBits 4 "foo2" 18} |
|
|
|
|
${assertParamBits 4 "bar2" 19} |
|
|
|
|
}; |
|
|
|
|
with subtest("check bit sizes dhparam files"): |
|
|
|
|
assert_param_bits( |
|
|
|
|
"${getParamPath 4 "foo2"}", 18 |
|
|
|
|
) |
|
|
|
|
assert_param_bits( |
|
|
|
|
"${getParamPath 4 "bar2"}", 19 |
|
|
|
|
) |
|
|
|
|
|
|
|
|
|
subtest "check whether dhparam files are in the Nix store", sub { |
|
|
|
|
$machine->succeed( |
|
|
|
|
'expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}', |
|
|
|
|
'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}', |
|
|
|
|
); |
|
|
|
|
}; |
|
|
|
|
with subtest("check whether dhparam files are in the Nix store"): |
|
|
|
|
machine.succeed( |
|
|
|
|
"expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}", |
|
|
|
|
"expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}", |
|
|
|
|
) |
|
|
|
|
|
|
|
|
|
${switchToGeneration 5} |
|
|
|
|
|
|
|
|
|
subtest "check whether defaultBitSize works as intended", sub { |
|
|
|
|
${assertParamBits 5 "foo3" 30} |
|
|
|
|
${assertParamBits 5 "bar3" 30} |
|
|
|
|
}; |
|
|
|
|
with subtest("check whether defaultBitSize works as intended"): |
|
|
|
|
assert_param_bits("${getParamPath 5 "foo3"}", 30) |
|
|
|
|
assert_param_bits("${getParamPath 5 "bar3"}", 30) |
|
|
|
|
''; |
|
|
|
|
} |
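Review bot: `match = pattern.match(output)` in the new assert_param_bits only attempts a match at offset 0, so the `re.M` flag compiled into `pattern` on the line above never comes into play and the check passes only while "DH Parameters:" happens to be the very first line of the openssl output; the Perl it replaces (`$out =~ /…/m`) searched the whole string. `match = pattern.search(output)` keeps the original behaviour and is robust to any preamble openssl prints. The fallback `raise Exception("bla")` is a placeholder message that hides why the test failed; something like `raise Exception(f"could not find DH bit size in openssl output for {path}")` would make the failure actionable. The enclosing Nix expression begins before this hunk, so the `re` import at the top of the test script and the `nodes` definitions are not fully visible here.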
|
|
|
|