test: improve modularization
This improves debugging and experimenting by making it easy to compose fine-grained scenarios that have specific tests and features enabled. The VM test output now includes the subtest name and duration. Remove the 'raise Exception()' hack for interactive mode. Run 'banlist-and-restart' test before 'backups'. This speeds up the test by avoiding an extra shutdown of all bitcoin-related services.
This commit is contained in:
parent
14d2d97ba6
commit
1e18d3ea3b
41
test/lib/make-test.nix
Normal file
41
test/lib/make-test.nix
Normal file
@ -0,0 +1,41 @@
|
|||||||
|
scenario: testConfig:
|
||||||
|
|
||||||
|
{
|
||||||
|
vm = import ./make-test-vm.nix {
|
||||||
|
name = "nix-bitcoin-${scenario}";
|
||||||
|
|
||||||
|
machine = {
|
||||||
|
imports = [ testConfig ];
|
||||||
|
# Needed because duplicity requires 270 MB of free temp space, regardless of backup size
|
||||||
|
virtualisation.diskSize = 1024;
|
||||||
|
};
|
||||||
|
|
||||||
|
testScript = nodes: let
|
||||||
|
cfg = nodes.nodes.machine.config;
|
||||||
|
data = {
|
||||||
|
data = cfg.test.data;
|
||||||
|
tests = cfg.tests;
|
||||||
|
};
|
||||||
|
dataFile = builtins.toFile "test-data" (builtins.toJSON data);
|
||||||
|
initData = ''
|
||||||
|
import json
|
||||||
|
|
||||||
|
with open("${dataFile}") as f:
|
||||||
|
data = json.load(f)
|
||||||
|
|
||||||
|
enabled_tests = set(test for (test, enabled) in data["tests"].items() if enabled)
|
||||||
|
test_data = data["data"]
|
||||||
|
'';
|
||||||
|
in
|
||||||
|
builtins.concatStringsSep "\n\n" [
|
||||||
|
initData
|
||||||
|
(builtins.readFile ./../tests.py)
|
||||||
|
# Don't run tests in interactive mode.
|
||||||
|
# is_interactive is set in ../run-tests.sh
|
||||||
|
''
|
||||||
|
if not "is_interactive" in vars():
|
||||||
|
run_tests()
|
||||||
|
''
|
||||||
|
];
|
||||||
|
};
|
||||||
|
}
|
30
test/lib/test-lib.nix
Normal file
30
test/lib/test-lib.nix
Normal file
@ -0,0 +1,30 @@
|
|||||||
|
{ config, lib, ... }:
|
||||||
|
with lib;
|
||||||
|
{
|
||||||
|
options = {
|
||||||
|
test = {
|
||||||
|
noConnections = mkOption {
|
||||||
|
type = types.bool;
|
||||||
|
default = true;
|
||||||
|
description = ''
|
||||||
|
Whether services should be configured to not connect to external hosts.
|
||||||
|
This can silence some warnings while running the test in an offline environment.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
data = mkOption {
|
||||||
|
type = types.attrs;
|
||||||
|
default = {};
|
||||||
|
description = ''
|
||||||
|
Attrs that are available in the Python test script under the global
|
||||||
|
dictionary variable 'test_data'. The data is exported via JSON.
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
tests = mkOption {
|
||||||
|
type = with types; attrsOf bool;
|
||||||
|
default = {};
|
||||||
|
description = "Python tests that should be run.";
|
||||||
|
};
|
||||||
|
};
|
||||||
|
}
|
@ -8,7 +8,10 @@
|
|||||||
# ./run-tests.sh
|
# ./run-tests.sh
|
||||||
#
|
#
|
||||||
# Test specific scenario
|
# Test specific scenario
|
||||||
# ./run-tests.sh --scenario <scenario>
|
# ./run-tests.sh --scenario|-s <scenario>
|
||||||
|
#
|
||||||
|
# When <scenario> is undefined, the test is run with an adhoc scenario
|
||||||
|
# where services.<scenario> is enabled.
|
||||||
#
|
#
|
||||||
# Run test and link results to avoid garbage collection
|
# Run test and link results to avoid garbage collection
|
||||||
# ./run-tests.sh [--scenario <scenario>] --out-link-prefix /tmp/nix-bitcoin-test build
|
# ./run-tests.sh [--scenario <scenario>] --out-link-prefix /tmp/nix-bitcoin-test build
|
||||||
@ -19,8 +22,10 @@
|
|||||||
# Run interactive test debugging
|
# Run interactive test debugging
|
||||||
# ./run-tests.sh [--scenario <scenario>] debug
|
# ./run-tests.sh [--scenario <scenario>] debug
|
||||||
#
|
#
|
||||||
# This starts the testing VM and drops you into a Python REPL where you can
|
# This starts the testing VM and drops you into a Python REPL where you can
|
||||||
# manually execute the tests from ./test-script.py
|
# manually execute the tests from ./tests.py
|
||||||
|
#
|
||||||
|
# To add custom scenarios, set the environment variable `scenarioOverridesFile`.
|
||||||
|
|
||||||
set -eo pipefail
|
set -eo pipefail
|
||||||
|
|
||||||
@ -67,20 +72,14 @@ run() {
|
|||||||
export TMPDIR=$(mktemp -d /tmp/nix-bitcoin-test.XXX)
|
export TMPDIR=$(mktemp -d /tmp/nix-bitcoin-test.XXX)
|
||||||
trap "rm -rf $TMPDIR" EXIT
|
trap "rm -rf $TMPDIR" EXIT
|
||||||
|
|
||||||
nix-build --out-link $TMPDIR/driver -E "import \"$scriptDir/tests.nix\" { scenario = \"$scenario\"; }" -A driver
|
nix-build --out-link $TMPDIR/driver -E "(import \"$scriptDir/tests.nix\" { scenario = \"$scenario\"; }).vm" -A driver
|
||||||
|
|
||||||
# Variable 'tests' contains the Python code that is executed by the driver on startup
|
# Variable 'tests' contains the Python code that is executed by the driver on startup
|
||||||
if [[ $1 == --interactive ]]; then
|
if [[ $1 == --interactive ]]; then
|
||||||
echo "Running interactive testing environment"
|
echo "Running interactive testing environment"
|
||||||
tests=$(
|
tests=$(
|
||||||
echo 'is_interactive = True'
|
echo 'is_interactive = True'
|
||||||
# The test script raises an error when 'is_interactive' is defined so
|
echo 'exec(os.environ["testScript"])'
|
||||||
# that it just loads the initial helper functions and stops before
|
|
||||||
# executing the actual tests
|
|
||||||
echo 'try:'
|
|
||||||
echo ' exec(os.environ["testScript"])'
|
|
||||||
echo 'except:'
|
|
||||||
echo ' pass'
|
|
||||||
# Start VM
|
# Start VM
|
||||||
echo 'start_all()'
|
echo 'start_all()'
|
||||||
# Start REPL
|
# Start REPL
|
||||||
@ -135,7 +134,7 @@ exprForCI() {
|
|||||||
|
|
||||||
vmTestNixExpr() {
|
vmTestNixExpr() {
|
||||||
cat <<EOF
|
cat <<EOF
|
||||||
(import "$scriptDir/tests.nix" { scenario = "$scenario"; } {}).overrideAttrs (old: rec {
|
((import "$scriptDir/tests.nix" { scenario = "$scenario"; }).vm {}).overrideAttrs (old: rec {
|
||||||
buildCommand = ''
|
buildCommand = ''
|
||||||
export QEMU_OPTS="-smp $numCPUs -m $memoryMiB"
|
export QEMU_OPTS="-smp $numCPUs -m $memoryMiB"
|
||||||
echo "VM stats: CPUs: $numCPUs, memory: $memoryMiB MiB"
|
echo "VM stats: CPUs: $numCPUs, memory: $memoryMiB MiB"
|
||||||
|
@ -1,5 +0,0 @@
|
|||||||
def prestop():
|
|
||||||
pass
|
|
||||||
|
|
||||||
|
|
||||||
run_tests()
|
|
@ -1,71 +0,0 @@
|
|||||||
netns_ips = {
|
|
||||||
"bitcoind": "169.254.1.12",
|
|
||||||
"clightning": "169.254.1.13",
|
|
||||||
"lnd": "169.254.1.14",
|
|
||||||
"liquidd": "169.254.1.15",
|
|
||||||
"electrs": "169.254.1.16",
|
|
||||||
"spark-wallet": "169.254.1.17",
|
|
||||||
"lightning-charge": "169.254.1.18",
|
|
||||||
"nanopos": "169.254.1.19",
|
|
||||||
"recurring-donations": "169.254.1.20",
|
|
||||||
"nginx": "169.254.1.21",
|
|
||||||
"lightning-loop": "169.254.1.22",
|
|
||||||
"nbxplorer": "169.254.1.23",
|
|
||||||
"btcpayserver": "169.254.1.24",
|
|
||||||
}
|
|
||||||
|
|
||||||
|
|
||||||
def ip(netns):
|
|
||||||
return netns_ips[netns]
|
|
||||||
|
|
||||||
|
|
||||||
def prestop():
|
|
||||||
ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
|
|
||||||
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
|
|
||||||
ping_nbxplorer = "ip netns exec nb-nbxplorer ping -c 1 -w 1"
|
|
||||||
|
|
||||||
# Positive ping tests (non-exhaustive)
|
|
||||||
machine.succeed(
|
|
||||||
"%s %s &&" % (ping_bitcoind, ip("bitcoind"))
|
|
||||||
+ "%s %s &&" % (ping_bitcoind, ip("clightning"))
|
|
||||||
+ "%s %s &&" % (ping_bitcoind, ip("lnd"))
|
|
||||||
+ "%s %s &&" % (ping_bitcoind, ip("liquidd"))
|
|
||||||
+ "%s %s &&" % (ping_bitcoind, ip("nbxplorer"))
|
|
||||||
+ "%s %s &&" % (ping_nbxplorer, ip("btcpayserver"))
|
|
||||||
+ "%s %s &&" % (ping_nanopos, ip("lightning-charge"))
|
|
||||||
+ "%s %s &&" % (ping_nanopos, ip("nanopos"))
|
|
||||||
+ "%s %s" % (ping_nanopos, ip("nginx"))
|
|
||||||
)
|
|
||||||
|
|
||||||
# Negative ping tests (non-exhaustive)
|
|
||||||
machine.fail(
|
|
||||||
"%s %s ||" % (ping_bitcoind, ip("spark-wallet"))
|
|
||||||
+ "%s %s ||" % (ping_bitcoind, ip("lightning-loop"))
|
|
||||||
+ "%s %s ||" % (ping_bitcoind, ip("lightning-charge"))
|
|
||||||
+ "%s %s ||" % (ping_bitcoind, ip("nanopos"))
|
|
||||||
+ "%s %s ||" % (ping_bitcoind, ip("recurring-donations"))
|
|
||||||
+ "%s %s ||" % (ping_bitcoind, ip("nginx"))
|
|
||||||
+ "%s %s ||" % (ping_nanopos, ip("bitcoind"))
|
|
||||||
+ "%s %s ||" % (ping_nanopos, ip("clightning"))
|
|
||||||
+ "%s %s ||" % (ping_nanopos, ip("lnd"))
|
|
||||||
+ "%s %s ||" % (ping_nanopos, ip("lightning-loop"))
|
|
||||||
+ "%s %s ||" % (ping_nanopos, ip("liquidd"))
|
|
||||||
+ "%s %s ||" % (ping_nanopos, ip("electrs"))
|
|
||||||
+ "%s %s ||" % (ping_nanopos, ip("spark-wallet"))
|
|
||||||
+ "%s %s ||" % (ping_nanopos, ip("recurring-donations"))
|
|
||||||
+ "%s %s" % (ping_nanopos, ip("btcpayserver"))
|
|
||||||
)
|
|
||||||
|
|
||||||
# test that netns-exec can't be run for unauthorized namespace
|
|
||||||
machine.fail("netns-exec nb-electrs ip a")
|
|
||||||
|
|
||||||
# test that netns-exec drops capabilities
|
|
||||||
assert_full_match(
|
|
||||||
"su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
|
|
||||||
)
|
|
||||||
|
|
||||||
# test that netns-exec can not be executed by users that are not operator
|
|
||||||
machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
|
|
||||||
|
|
||||||
|
|
||||||
run_tests()
|
|
174
test/tests.nix
174
test/tests.nix
@ -1,76 +1,142 @@
|
|||||||
# Integration test, can be run without internet access.
|
# Integration tests, can be run without internet access.
|
||||||
|
|
||||||
# Make sure to update build() in ./run-tests.sh when adding new scenarios
|
|
||||||
{ scenario ? "default" }:
|
{ scenario ? "default" }:
|
||||||
|
|
||||||
import ./make-test.nix rec {
|
import ./lib/make-test.nix scenario (
|
||||||
name = "nix-bitcoin-${scenario}";
|
{ config, pkgs, lib, ... }: with lib;
|
||||||
|
let testEnv = rec {
|
||||||
|
cfg = config.services;
|
||||||
|
mkIfTest = test: mkIf (config.tests.${test} or false);
|
||||||
|
|
||||||
hardened = {
|
baseConfig = {
|
||||||
imports = [ <nixpkgs/nixos/modules/profiles/hardened.nix> ];
|
|
||||||
security.allowUserNamespaces = true; # re-enable disabled option
|
|
||||||
};
|
|
||||||
|
|
||||||
machine = { pkgs, lib, ... }: with lib; {
|
|
||||||
imports = [
|
imports = [
|
||||||
../modules/presets/secure-node.nix
|
./lib/test-lib.nix
|
||||||
|
../modules/modules.nix
|
||||||
../modules/secrets/generate-secrets.nix
|
../modules/secrets/generate-secrets.nix
|
||||||
# using the hardened profile increases total test duration by ~50%, so disable it for now
|
|
||||||
# hardened
|
|
||||||
];
|
];
|
||||||
|
|
||||||
# needed because duplicity requires 270 MB of free temp space, regardless of backup size.
|
config = {
|
||||||
virtualisation.diskSize = 1024;
|
tests.bitcoind = cfg.bitcoind.enable;
|
||||||
|
services.bitcoind = {
|
||||||
|
enable = true;
|
||||||
|
extraConfig = mkIf config.test.noConnections (mkForce "connect=0");
|
||||||
|
};
|
||||||
|
|
||||||
nix-bitcoin.netns-isolation.enable = (scenario == "netns");
|
tests.clightning = cfg.clightning.enable;
|
||||||
|
|
||||||
services.bitcoind.extraConfig = mkForce "connect=0";
|
tests.spark-wallet = cfg.spark-wallet.enable;
|
||||||
|
|
||||||
services.clightning.enable = true;
|
tests.nanopos = cfg.nanopos.enable;
|
||||||
services.spark-wallet.enable = true;
|
|
||||||
services.lightning-charge.enable = true;
|
|
||||||
services.nanopos.enable = true;
|
|
||||||
|
|
||||||
services.lnd.enable = true;
|
tests.lnd = cfg.lnd.enable;
|
||||||
services.lnd.listenPort = 9736;
|
services.lnd.listenPort = 9736;
|
||||||
services.lightning-loop.enable = true;
|
|
||||||
|
|
||||||
services.electrs.enable = true;
|
tests.lightning-loop = cfg.lightning-loop.enable;
|
||||||
|
|
||||||
services.liquidd = {
|
tests.electrs = cfg.electrs.enable;
|
||||||
enable = true;
|
|
||||||
listen = mkForce false;
|
|
||||||
extraConfig = "noconnect=1";
|
|
||||||
};
|
|
||||||
|
|
||||||
services.nix-bitcoin-webindex.enable = true;
|
tests.liquidd = cfg.liquidd.enable;
|
||||||
|
services.liquidd = optionalAttrs config.test.noConnections {
|
||||||
|
listen = mkForce false;
|
||||||
|
extraConfig = "noconnect=1";
|
||||||
|
};
|
||||||
|
|
||||||
services.hardware-wallets = {
|
tests.btcpayserver = cfg.btcpayserver.enable;
|
||||||
trezor = true;
|
services.btcpayserver.lightningBackend = "lnd";
|
||||||
ledger = true;
|
# Needed to test macaroon creation
|
||||||
};
|
environment.systemPackages = mkIfTest "btcpayserver" (with pkgs; [ openssl xxd ]);
|
||||||
|
|
||||||
services.backups.enable = true;
|
tests.joinmarket = cfg.joinmarket.enable;
|
||||||
|
services.joinmarket.yieldgenerator = {
|
||||||
|
enable = config.services.joinmarket.enable;
|
||||||
|
customParameters = ''
|
||||||
|
txfee = 200
|
||||||
|
cjfee_a = 300
|
||||||
|
'';
|
||||||
|
};
|
||||||
|
|
||||||
services.btcpayserver.enable = true;
|
tests.backups = cfg.backups.enable;
|
||||||
services.btcpayserver.lightningBackend = "lnd";
|
|
||||||
# needed to test macaroon creation
|
|
||||||
environment.systemPackages = with pkgs; [ openssl xxd ];
|
|
||||||
|
|
||||||
services.joinmarket.enable = true;
|
# To test that unused secrets are made inaccessible by 'setup-secrets'
|
||||||
services.joinmarket.yieldgenerator = {
|
systemd.services.generate-secrets.postStart = mkIfTest "security" ''
|
||||||
enable = true;
|
install -o nobody -g nogroup -m777 <(:) /secrets/dummy
|
||||||
customParameters = ''
|
|
||||||
txfee = 200
|
|
||||||
cjfee_a = 300
|
|
||||||
'';
|
'';
|
||||||
};
|
};
|
||||||
|
|
||||||
# to test that unused secrets are made inaccessible by 'setup-secrets'
|
|
||||||
systemd.services.generate-secrets.postStart = ''
|
|
||||||
install -o nobody -g nogroup -m777 <(:) /secrets/dummy
|
|
||||||
'';
|
|
||||||
};
|
};
|
||||||
testScript =
|
|
||||||
builtins.readFile ./tests.py + "\n\n" + builtins.readFile "${./.}/scenarios/${scenario}.py";
|
scenarios = {
|
||||||
}
|
base = baseConfig; # Included in all scenarios
|
||||||
|
|
||||||
|
default = scenarios.secureNode;
|
||||||
|
|
||||||
|
# All available basic services and tests
|
||||||
|
full = {
|
||||||
|
tests.security = true;
|
||||||
|
|
||||||
|
services.clightning.enable = true;
|
||||||
|
services.spark-wallet.enable = true;
|
||||||
|
services.lightning-charge.enable = true;
|
||||||
|
services.nanopos.enable = true;
|
||||||
|
services.lnd.enable = true;
|
||||||
|
services.lightning-loop.enable = true;
|
||||||
|
services.electrs.enable = true;
|
||||||
|
services.liquidd.enable = true;
|
||||||
|
services.btcpayserver.enable = true;
|
||||||
|
services.joinmarket.enable = true;
|
||||||
|
services.backups.enable = true;
|
||||||
|
|
||||||
|
services.hardware-wallets = {
|
||||||
|
trezor = true;
|
||||||
|
ledger = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
secureNode = {
|
||||||
|
imports = [
|
||||||
|
scenarios.full
|
||||||
|
../modules/presets/secure-node.nix
|
||||||
|
];
|
||||||
|
services.nix-bitcoin-webindex.enable = true;
|
||||||
|
tests.secure-node = true;
|
||||||
|
tests.banlist-and-restart = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
netns = {
|
||||||
|
imports = [ scenarios.secureNode ];
|
||||||
|
nix-bitcoin.netns-isolation.enable = true;
|
||||||
|
tests.netns-isolation = true;
|
||||||
|
};
|
||||||
|
|
||||||
|
## Examples / debug helper
|
||||||
|
|
||||||
|
# Run a selection of tests in scenario 'netns'
|
||||||
|
selectedTests = {
|
||||||
|
imports = [ scenarios.netns ];
|
||||||
|
tests = mkForce {
|
||||||
|
btcpayserver = true;
|
||||||
|
netns-isolation = true;
|
||||||
|
};
|
||||||
|
};
|
||||||
|
|
||||||
|
adhoc = {
|
||||||
|
# <Add your config here>
|
||||||
|
# You can also set the env var `scenarioOverridesFile` (used below) to define custom scenarios.
|
||||||
|
};
|
||||||
|
};
|
||||||
|
};
|
||||||
|
in
|
||||||
|
let
|
||||||
|
overrides = builtins.getEnv "scenarioOverridesFile";
|
||||||
|
scenarios = testEnv.scenarios // (optionalAttrs (overrides != "") (import overrides {
|
||||||
|
inherit testEnv config pkgs lib;
|
||||||
|
}));
|
||||||
|
autoScenario = {
|
||||||
|
services.${scenario}.enable = true;
|
||||||
|
};
|
||||||
|
in {
|
||||||
|
imports = [
|
||||||
|
scenarios.base
|
||||||
|
(scenarios.${scenario} or autoScenario)
|
||||||
|
];
|
||||||
|
}
|
||||||
|
)
|
||||||
|
220
test/tests.py
220
test/tests.py
@ -1,4 +1,4 @@
|
|||||||
is_interactive = "is_interactive" in vars()
|
from collections import OrderedDict
|
||||||
|
|
||||||
|
|
||||||
def succeed(*cmds):
|
def succeed(*cmds):
|
||||||
@ -28,7 +28,8 @@ def assert_no_failure(unit):
|
|||||||
|
|
||||||
|
|
||||||
def assert_running(unit):
|
def assert_running(unit):
|
||||||
machine.wait_for_unit(unit)
|
with machine.nested(f"waiting for unit: {unit}"):
|
||||||
|
machine.wait_for_unit(unit)
|
||||||
assert_no_failure(unit)
|
assert_no_failure(unit)
|
||||||
|
|
||||||
|
|
||||||
@ -41,13 +42,63 @@ def wait_for_open_port(address, port):
|
|||||||
retry(is_port_open)
|
retry(is_port_open)
|
||||||
|
|
||||||
|
|
||||||
|
### Test runner
|
||||||
|
|
||||||
|
tests = OrderedDict()
|
||||||
|
|
||||||
|
|
||||||
|
def test(name):
|
||||||
|
def x(fn):
|
||||||
|
tests[name] = fn
|
||||||
|
|
||||||
|
return x
|
||||||
|
|
||||||
|
|
||||||
def run_tests():
|
def run_tests():
|
||||||
# Don't execute the following test suite when this script is running in interactive mode
|
enabled = enabled_tests.copy()
|
||||||
if is_interactive:
|
to_run = []
|
||||||
raise Exception()
|
for test in tests:
|
||||||
|
if test in enabled:
|
||||||
|
enabled.remove(test)
|
||||||
|
to_run.append(test)
|
||||||
|
if enabled:
|
||||||
|
raise RuntimeError(f"The following tests are enabled but not defined: {enabled}")
|
||||||
|
machine.connect() # Visually separate boot output from the test output
|
||||||
|
for test in to_run:
|
||||||
|
with log.nested(f"test: {test}"):
|
||||||
|
tests[test]()
|
||||||
|
|
||||||
test_security()
|
|
||||||
|
|
||||||
|
def run_test(test):
|
||||||
|
tests[test]()
|
||||||
|
|
||||||
|
|
||||||
|
### Tests
|
||||||
|
# All tests are executed in the order they are defined here
|
||||||
|
|
||||||
|
|
||||||
|
@test("security")
|
||||||
|
def _():
|
||||||
|
assert_running("setup-secrets")
|
||||||
|
# Unused secrets should be inaccessible
|
||||||
|
succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
|
||||||
|
|
||||||
|
if "secure-node" in enabled_tests:
|
||||||
|
# Access to '/proc' should be restricted
|
||||||
|
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
||||||
|
|
||||||
|
machine.wait_for_unit("bitcoind")
|
||||||
|
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
|
||||||
|
assert_matches(
|
||||||
|
"sudo -u electrs systemctl status bitcoind 2>&1 >/dev/null",
|
||||||
|
"Failed to dump process list for 'bitcoind.service', ignoring: Access denied",
|
||||||
|
)
|
||||||
|
# The 'operator' with group 'proc' has full access
|
||||||
|
assert_full_match("sudo -u operator systemctl status bitcoind 2>&1 >/dev/null", "")
|
||||||
|
|
||||||
|
|
||||||
|
@test("bitcoind")
|
||||||
|
def _():
|
||||||
assert_running("bitcoind")
|
assert_running("bitcoind")
|
||||||
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
|
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
|
||||||
assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
|
assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
|
||||||
@ -59,6 +110,10 @@ def run_tests():
|
|||||||
log_has_string("bitcoind", "RPC User public not allowed to call method stop")
|
log_has_string("bitcoind", "RPC User public not allowed to call method stop")
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
# Impure: Stops electrs
|
||||||
|
@test("electrs")
|
||||||
|
def _():
|
||||||
assert_running("electrs")
|
assert_running("electrs")
|
||||||
wait_for_open_port(ip("electrs"), 4224) # prometeus metrics provider
|
wait_for_open_port(ip("electrs"), 4224) # prometeus metrics provider
|
||||||
# Check RPC connection to bitcoind
|
# Check RPC connection to bitcoind
|
||||||
@ -66,18 +121,30 @@ def run_tests():
|
|||||||
# Stop electrs from spamming the test log with 'wait for bitcoind sync' messages
|
# Stop electrs from spamming the test log with 'wait for bitcoind sync' messages
|
||||||
succeed("systemctl stop electrs")
|
succeed("systemctl stop electrs")
|
||||||
|
|
||||||
|
|
||||||
|
@test("liquidd")
|
||||||
|
def _():
|
||||||
assert_running("liquidd")
|
assert_running("liquidd")
|
||||||
machine.wait_until_succeeds("elements-cli getnetworkinfo")
|
machine.wait_until_succeeds("elements-cli getnetworkinfo")
|
||||||
assert_matches("su operator -c 'elements-cli getnetworkinfo' | jq", '"version"')
|
assert_matches("su operator -c 'elements-cli getnetworkinfo' | jq", '"version"')
|
||||||
succeed("su operator -c 'liquidswap-cli --help'")
|
succeed("su operator -c 'liquidswap-cli --help'")
|
||||||
|
|
||||||
|
|
||||||
|
@test("clightning")
|
||||||
|
def _():
|
||||||
assert_running("clightning")
|
assert_running("clightning")
|
||||||
assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"')
|
assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"')
|
||||||
|
|
||||||
|
|
||||||
|
@test("lnd")
|
||||||
|
def _():
|
||||||
assert_running("lnd")
|
assert_running("lnd")
|
||||||
assert_matches("su operator -c 'lncli getinfo' | jq", '"version"')
|
assert_matches("su operator -c 'lncli getinfo' | jq", '"version"')
|
||||||
assert_no_failure("lnd")
|
assert_no_failure("lnd")
|
||||||
|
|
||||||
|
|
||||||
|
@test("lightning-loop")
|
||||||
|
def _():
|
||||||
assert_running("lightning-loop")
|
assert_running("lightning-loop")
|
||||||
assert_matches("su operator -c 'loop --version'", "version")
|
assert_matches("su operator -c 'loop --version'", "version")
|
||||||
# Check that lightning-loop fails with the right error, making sure
|
# Check that lightning-loop fails with the right error, making sure
|
||||||
@ -89,6 +156,9 @@ def run_tests():
|
|||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@test("btcpayserver")
|
||||||
|
def _():
|
||||||
assert_running("nbxplorer")
|
assert_running("nbxplorer")
|
||||||
machine.wait_until_succeeds(log_has_string("nbxplorer", "BTC: RPC connection successful"))
|
machine.wait_until_succeeds(log_has_string("nbxplorer", "BTC: RPC connection successful"))
|
||||||
wait_for_open_port(ip("nbxplorer"), 24444)
|
wait_for_open_port(ip("nbxplorer"), 24444)
|
||||||
@ -103,11 +173,17 @@ def run_tests():
|
|||||||
'"version"',
|
'"version"',
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@test("spark-wallet")
|
||||||
|
def _():
|
||||||
assert_running("spark-wallet")
|
assert_running("spark-wallet")
|
||||||
wait_for_open_port(ip("spark-wallet"), 9737)
|
wait_for_open_port(ip("spark-wallet"), 9737)
|
||||||
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
||||||
assert_matches(f"curl -s {spark_auth}@{ip('spark-wallet')}:9737", "Spark")
|
assert_matches(f"curl -s {spark_auth}@{ip('spark-wallet')}:9737", "Spark")
|
||||||
|
|
||||||
|
|
||||||
|
@test("lightning-charge")
|
||||||
|
def _():
|
||||||
assert_running("lightning-charge")
|
assert_running("lightning-charge")
|
||||||
wait_for_open_port(ip("lightning-charge"), 9112)
|
wait_for_open_port(ip("lightning-charge"), 9112)
|
||||||
machine.wait_until_succeeds(f"nc -z {ip('lightning-charge')} 9112")
|
machine.wait_until_succeeds(f"nc -z {ip('lightning-charge')} 9112")
|
||||||
@ -116,12 +192,16 @@ def run_tests():
|
|||||||
f"curl -s api-token:{charge_auth}@{ip('lightning-charge')}:9112/info | jq", '"id"'
|
f"curl -s api-token:{charge_auth}@{ip('lightning-charge')}:9112/info | jq", '"id"'
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@test("nanopos")
|
||||||
|
def _():
|
||||||
assert_running("nanopos")
|
assert_running("nanopos")
|
||||||
wait_for_open_port(ip("nanopos"), 9116)
|
wait_for_open_port(ip("nanopos"), 9116)
|
||||||
assert_matches(f"curl {ip('nanopos')}:9116", "tshirt")
|
assert_matches(f"curl {ip('nanopos')}:9116", "tshirt")
|
||||||
|
|
||||||
assert_running("onion-chef")
|
|
||||||
|
|
||||||
|
@test("joinmarket")
|
||||||
|
def _():
|
||||||
assert_running("joinmarket")
|
assert_running("joinmarket")
|
||||||
machine.wait_until_succeeds(
|
machine.wait_until_succeeds(
|
||||||
log_has_string("joinmarket", "P2EPDaemonServerProtocolFactory starting on 27184")
|
log_has_string("joinmarket", "P2EPDaemonServerProtocolFactory starting on 27184")
|
||||||
@ -130,6 +210,11 @@ def run_tests():
|
|||||||
log_has_string("joinmarket-yieldgenerator", "Failure to get blockheight",)
|
log_has_string("joinmarket-yieldgenerator", "Failure to get blockheight",)
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
||||||
|
@test("secure-node")
|
||||||
|
def _():
|
||||||
|
assert_running("onion-chef")
|
||||||
|
|
||||||
# FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due
|
# FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due
|
||||||
# to incomplete unit dependencies.
|
# to incomplete unit dependencies.
|
||||||
# 'create-web-index' implicitly tests 'nodeinfo'.
|
# 'create-web-index' implicitly tests 'nodeinfo'.
|
||||||
@ -139,30 +224,62 @@ def run_tests():
|
|||||||
assert_matches(f"curl {ip('nginx')}", "nix-bitcoin")
|
assert_matches(f"curl {ip('nginx')}", "nix-bitcoin")
|
||||||
assert_matches(f"curl -L {ip('nginx')}/store", "tshirt")
|
assert_matches(f"curl -L {ip('nginx')}/store", "tshirt")
|
||||||
|
|
||||||
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
|
|
||||||
assert_no_failure("bitcoind-import-banlist")
|
|
||||||
|
|
||||||
### Additional tests
|
# Run this test before the following tests that shut down services
|
||||||
|
# (and their corresponding network namespaces).
|
||||||
|
@test("netns-isolation")
|
||||||
|
def _():
|
||||||
|
ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
|
||||||
|
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
|
||||||
|
ping_nbxplorer = "ip netns exec nb-nbxplorer ping -c 1 -w 1"
|
||||||
|
|
||||||
# Current time in µs
|
# Positive ping tests (non-exhaustive)
|
||||||
pre_restart = succeed("date +%s.%6N").rstrip()
|
machine.succeed(
|
||||||
|
"%s %s &&" % (ping_bitcoind, ip("bitcoind"))
|
||||||
# Sanity-check system by restarting all services
|
+ "%s %s &&" % (ping_bitcoind, ip("clightning"))
|
||||||
succeed(
|
+ "%s %s &&" % (ping_bitcoind, ip("lnd"))
|
||||||
"systemctl restart bitcoind clightning lnd lightning-loop spark-wallet lightning-charge nanopos liquidd"
|
+ "%s %s &&" % (ping_bitcoind, ip("liquidd"))
|
||||||
|
+ "%s %s &&" % (ping_bitcoind, ip("nbxplorer"))
|
||||||
|
+ "%s %s &&" % (ping_nbxplorer, ip("btcpayserver"))
|
||||||
|
+ "%s %s &&" % (ping_nanopos, ip("lightning-charge"))
|
||||||
|
+ "%s %s &&" % (ping_nanopos, ip("nanopos"))
|
||||||
|
+ "%s %s" % (ping_nanopos, ip("nginx"))
|
||||||
)
|
)
|
||||||
|
|
||||||
# Now that the bitcoind restart triggered a banlist import restart, check that
|
# Negative ping tests (non-exhaustive)
|
||||||
# re-importing already banned addresses works
|
machine.fail(
|
||||||
machine.wait_until_succeeds(
|
"%s %s ||" % (ping_bitcoind, ip("spark-wallet"))
|
||||||
log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist")
|
+ "%s %s ||" % (ping_bitcoind, ip("lightning-loop"))
|
||||||
|
+ "%s %s ||" % (ping_bitcoind, ip("lightning-charge"))
|
||||||
|
+ "%s %s ||" % (ping_bitcoind, ip("nanopos"))
|
||||||
|
+ "%s %s ||" % (ping_bitcoind, ip("recurring-donations"))
|
||||||
|
+ "%s %s ||" % (ping_bitcoind, ip("nginx"))
|
||||||
|
+ "%s %s ||" % (ping_nanopos, ip("bitcoind"))
|
||||||
|
+ "%s %s ||" % (ping_nanopos, ip("clightning"))
|
||||||
|
+ "%s %s ||" % (ping_nanopos, ip("lnd"))
|
||||||
|
+ "%s %s ||" % (ping_nanopos, ip("lightning-loop"))
|
||||||
|
+ "%s %s ||" % (ping_nanopos, ip("liquidd"))
|
||||||
|
+ "%s %s ||" % (ping_nanopos, ip("electrs"))
|
||||||
|
+ "%s %s ||" % (ping_nanopos, ip("spark-wallet"))
|
||||||
|
+ "%s %s ||" % (ping_nanopos, ip("recurring-donations"))
|
||||||
|
+ "%s %s" % (ping_nanopos, ip("btcpayserver"))
|
||||||
)
|
)
|
||||||
assert_no_failure("bitcoind-import-banlist")
|
|
||||||
|
|
||||||
prestop()
|
# test that netns-exec can't be run for unauthorized namespace
|
||||||
|
machine.fail("netns-exec nb-electrs ip a")
|
||||||
|
|
||||||
### Test duplicity
|
# test that netns-exec drops capabilities
|
||||||
|
assert_full_match(
|
||||||
|
"su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
|
||||||
|
)
|
||||||
|
|
||||||
|
# test that netns-exec can not be executed by users that are not operator
|
||||||
|
machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
|
||||||
|
|
||||||
|
|
||||||
|
# Impure: stops bitcoind (and dependent services)
|
||||||
|
@test("backups")
|
||||||
|
def _():
|
||||||
succeed("systemctl stop bitcoind")
|
succeed("systemctl stop bitcoind")
|
||||||
succeed("systemctl start duplicity")
|
succeed("systemctl start duplicity")
|
||||||
machine.wait_until_succeeds(log_has_string("duplicity", "duplicity.service: Succeeded."))
|
machine.wait_until_succeeds(log_has_string("duplicity", "duplicity.service: Succeeded."))
|
||||||
@ -181,23 +298,50 @@ def run_tests():
|
|||||||
assert "var/backup/postgresql/btcpaydb.sql.gz" in files
|
assert "var/backup/postgresql/btcpaydb.sql.gz" in files
|
||||||
|
|
||||||
|
|
||||||
def test_security():
|
# Impure: restarts services
|
||||||
assert_running("setup-secrets")
|
@test("banlist-and-restart")
|
||||||
# Unused secrets should be inaccessible
|
def _():
|
||||||
succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
|
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
|
||||||
|
assert_no_failure("bitcoind-import-banlist")
|
||||||
|
|
||||||
# Access to '/proc' should be restricted
|
# Current time in µs
|
||||||
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
pre_restart = succeed("date +%s.%6N").rstrip()
|
||||||
|
|
||||||
machine.wait_for_unit("bitcoind")
|
# Sanity-check system by restarting all services
|
||||||
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
|
succeed(
|
||||||
assert_matches(
|
"systemctl restart bitcoind clightning lnd lightning-loop spark-wallet lightning-charge nanopos liquidd"
|
||||||
"sudo -u electrs systemctl status bitcoind 2>&1 >/dev/null",
|
|
||||||
"Failed to dump process list for 'bitcoind.service', ignoring: Access denied",
|
|
||||||
)
|
)
|
||||||
# The 'operator' with group 'proc' has full access
|
|
||||||
assert_full_match("sudo -u operator systemctl status bitcoind 2>&1 >/dev/null", "")
|
# Now that the bitcoind restart triggered a banlist import restart, check that
|
||||||
|
# re-importing already banned addresses works
|
||||||
|
machine.wait_until_succeeds(
|
||||||
|
log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist")
|
||||||
|
)
|
||||||
|
assert_no_failure("bitcoind-import-banlist")
|
||||||
|
|
||||||
|
|
||||||
def ip(_):
|
if "netns-isolation" in enabled_tests:
|
||||||
return "127.0.0.1"
|
netns_ips = {
|
||||||
|
"bitcoind": "169.254.1.12",
|
||||||
|
"clightning": "169.254.1.13",
|
||||||
|
"lnd": "169.254.1.14",
|
||||||
|
"liquidd": "169.254.1.15",
|
||||||
|
"electrs": "169.254.1.16",
|
||||||
|
"spark-wallet": "169.254.1.17",
|
||||||
|
"lightning-charge": "169.254.1.18",
|
||||||
|
"nanopos": "169.254.1.19",
|
||||||
|
"recurring-donations": "169.254.1.20",
|
||||||
|
"nginx": "169.254.1.21",
|
||||||
|
"lightning-loop": "169.254.1.22",
|
||||||
|
"nbxplorer": "169.254.1.23",
|
||||||
|
"btcpayserver": "169.254.1.24",
|
||||||
|
}
|
||||||
|
|
||||||
|
def ip(netns):
|
||||||
|
return netns_ips[netns]
|
||||||
|
|
||||||
|
|
||||||
|
else:
|
||||||
|
|
||||||
|
def ip(_):
|
||||||
|
return "127.0.0.1"
|
||||||
|
Loading…
Reference in New Issue
Block a user