test: improve modularization

This improves debugging and experimenting by making it easy to compose fine-grained
scenarios that have specific tests and features enabled.

The VM test output now includes the subtest name and duration.

Remove the 'raise Exception()' hack for interactive mode.

Run 'banlist-and-restart' test before 'backups'. This speeds up the test
by avoiding an extra shutdown of all bitcoin-related services.
This commit is contained in:
Erik Arvstedt 2020-09-27 12:43:20 +02:00
parent 14d2d97ba6
commit 1e18d3ea3b
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
8 changed files with 385 additions and 181 deletions

41
test/lib/make-test.nix Normal file
View File

@ -0,0 +1,41 @@
scenario: testConfig:
{
vm = import ./make-test-vm.nix {
name = "nix-bitcoin-${scenario}";
machine = {
imports = [ testConfig ];
# Needed because duplicity requires 270 MB of free temp space, regardless of backup size
virtualisation.diskSize = 1024;
};
testScript = nodes: let
cfg = nodes.nodes.machine.config;
data = {
data = cfg.test.data;
tests = cfg.tests;
};
dataFile = builtins.toFile "test-data" (builtins.toJSON data);
initData = ''
import json
with open("${dataFile}") as f:
data = json.load(f)
enabled_tests = set(test for (test, enabled) in data["tests"].items() if enabled)
test_data = data["data"]
'';
in
builtins.concatStringsSep "\n\n" [
initData
(builtins.readFile ./../tests.py)
# Don't run tests in interactive mode.
# is_interactive is set in ../run-tests.sh
''
if not "is_interactive" in vars():
run_tests()
''
];
};
}

30
test/lib/test-lib.nix Normal file
View File

@ -0,0 +1,30 @@
{ config, lib, ... }:
with lib;
{
options = {
test = {
noConnections = mkOption {
type = types.bool;
default = true;
description = ''
Whether services should be configured to not connect to external hosts.
This can silence some warnings while running the test in an offline environment.
'';
};
data = mkOption {
type = types.attrs;
default = {};
description = ''
Attrs that are available in the Python test script under the global
dictionary variable 'test_data'. The data is exported via JSON.
'';
};
};
tests = mkOption {
type = with types; attrsOf bool;
default = {};
description = "Python tests that should be run.";
};
};
}

View File

@ -8,7 +8,10 @@
# ./run-tests.sh # ./run-tests.sh
# #
# Test specific scenario # Test specific scenario
# ./run-tests.sh --scenario <scenario> # ./run-tests.sh --scenario|-s <scenario>
#
# When <scenario> is undefined, the test is run with an adhoc scenario
# where services.<scenario> is enabled.
# #
# Run test and link results to avoid garbage collection # Run test and link results to avoid garbage collection
# ./run-tests.sh [--scenario <scenario>] --out-link-prefix /tmp/nix-bitcoin-test build # ./run-tests.sh [--scenario <scenario>] --out-link-prefix /tmp/nix-bitcoin-test build
@ -19,8 +22,10 @@
# Run interactive test debugging # Run interactive test debugging
# ./run-tests.sh [--scenario <scenario>] debug # ./run-tests.sh [--scenario <scenario>] debug
# #
# This starts the testing VM and drops you into a Python REPL where you can # This starts the testing VM and drops you into a Python REPL where you can
# manually execute the tests from ./test-script.py # manually execute the tests from ./tests.py
#
# To add custom scenarios, set the environment variable `scenarioOverridesFile`.
set -eo pipefail set -eo pipefail
@ -67,20 +72,14 @@ run() {
export TMPDIR=$(mktemp -d /tmp/nix-bitcoin-test.XXX) export TMPDIR=$(mktemp -d /tmp/nix-bitcoin-test.XXX)
trap "rm -rf $TMPDIR" EXIT trap "rm -rf $TMPDIR" EXIT
nix-build --out-link $TMPDIR/driver -E "import \"$scriptDir/tests.nix\" { scenario = \"$scenario\"; }" -A driver nix-build --out-link $TMPDIR/driver -E "(import \"$scriptDir/tests.nix\" { scenario = \"$scenario\"; }).vm" -A driver
# Variable 'tests' contains the Python code that is executed by the driver on startup # Variable 'tests' contains the Python code that is executed by the driver on startup
if [[ $1 == --interactive ]]; then if [[ $1 == --interactive ]]; then
echo "Running interactive testing environment" echo "Running interactive testing environment"
tests=$( tests=$(
echo 'is_interactive = True' echo 'is_interactive = True'
# The test script raises an error when 'is_interactive' is defined so echo 'exec(os.environ["testScript"])'
# that it just loads the initial helper functions and stops before
# executing the actual tests
echo 'try:'
echo ' exec(os.environ["testScript"])'
echo 'except:'
echo ' pass'
# Start VM # Start VM
echo 'start_all()' echo 'start_all()'
# Start REPL # Start REPL
@ -135,7 +134,7 @@ exprForCI() {
vmTestNixExpr() { vmTestNixExpr() {
cat <<EOF cat <<EOF
(import "$scriptDir/tests.nix" { scenario = "$scenario"; } {}).overrideAttrs (old: rec { ((import "$scriptDir/tests.nix" { scenario = "$scenario"; }).vm {}).overrideAttrs (old: rec {
buildCommand = '' buildCommand = ''
export QEMU_OPTS="-smp $numCPUs -m $memoryMiB" export QEMU_OPTS="-smp $numCPUs -m $memoryMiB"
echo "VM stats: CPUs: $numCPUs, memory: $memoryMiB MiB" echo "VM stats: CPUs: $numCPUs, memory: $memoryMiB MiB"

View File

@ -1,5 +0,0 @@
def prestop():
pass
run_tests()

View File

@ -1,71 +0,0 @@
netns_ips = {
"bitcoind": "169.254.1.12",
"clightning": "169.254.1.13",
"lnd": "169.254.1.14",
"liquidd": "169.254.1.15",
"electrs": "169.254.1.16",
"spark-wallet": "169.254.1.17",
"lightning-charge": "169.254.1.18",
"nanopos": "169.254.1.19",
"recurring-donations": "169.254.1.20",
"nginx": "169.254.1.21",
"lightning-loop": "169.254.1.22",
"nbxplorer": "169.254.1.23",
"btcpayserver": "169.254.1.24",
}
def ip(netns):
return netns_ips[netns]
def prestop():
ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
ping_nbxplorer = "ip netns exec nb-nbxplorer ping -c 1 -w 1"
# Positive ping tests (non-exhaustive)
machine.succeed(
"%s %s &&" % (ping_bitcoind, ip("bitcoind"))
+ "%s %s &&" % (ping_bitcoind, ip("clightning"))
+ "%s %s &&" % (ping_bitcoind, ip("lnd"))
+ "%s %s &&" % (ping_bitcoind, ip("liquidd"))
+ "%s %s &&" % (ping_bitcoind, ip("nbxplorer"))
+ "%s %s &&" % (ping_nbxplorer, ip("btcpayserver"))
+ "%s %s &&" % (ping_nanopos, ip("lightning-charge"))
+ "%s %s &&" % (ping_nanopos, ip("nanopos"))
+ "%s %s" % (ping_nanopos, ip("nginx"))
)
# Negative ping tests (non-exhaustive)
machine.fail(
"%s %s ||" % (ping_bitcoind, ip("spark-wallet"))
+ "%s %s ||" % (ping_bitcoind, ip("lightning-loop"))
+ "%s %s ||" % (ping_bitcoind, ip("lightning-charge"))
+ "%s %s ||" % (ping_bitcoind, ip("nanopos"))
+ "%s %s ||" % (ping_bitcoind, ip("recurring-donations"))
+ "%s %s ||" % (ping_bitcoind, ip("nginx"))
+ "%s %s ||" % (ping_nanopos, ip("bitcoind"))
+ "%s %s ||" % (ping_nanopos, ip("clightning"))
+ "%s %s ||" % (ping_nanopos, ip("lnd"))
+ "%s %s ||" % (ping_nanopos, ip("lightning-loop"))
+ "%s %s ||" % (ping_nanopos, ip("liquidd"))
+ "%s %s ||" % (ping_nanopos, ip("electrs"))
+ "%s %s ||" % (ping_nanopos, ip("spark-wallet"))
+ "%s %s ||" % (ping_nanopos, ip("recurring-donations"))
+ "%s %s" % (ping_nanopos, ip("btcpayserver"))
)
# test that netns-exec can't be run for unauthorized namespace
machine.fail("netns-exec nb-electrs ip a")
# test that netns-exec drops capabilities
assert_full_match(
"su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
)
# test that netns-exec can not be executed by users that are not operator
machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
run_tests()

View File

@ -1,76 +1,142 @@
# Integration test, can be run without internet access. # Integration tests, can be run without internet access.
# Make sure to update build() in ./run-tests.sh when adding new scenarios
{ scenario ? "default" }: { scenario ? "default" }:
import ./make-test.nix rec { import ./lib/make-test.nix scenario (
name = "nix-bitcoin-${scenario}"; { config, pkgs, lib, ... }: with lib;
let testEnv = rec {
cfg = config.services;
mkIfTest = test: mkIf (config.tests.${test} or false);
hardened = { baseConfig = {
imports = [ <nixpkgs/nixos/modules/profiles/hardened.nix> ];
security.allowUserNamespaces = true; # re-enable disabled option
};
machine = { pkgs, lib, ... }: with lib; {
imports = [ imports = [
../modules/presets/secure-node.nix ./lib/test-lib.nix
../modules/modules.nix
../modules/secrets/generate-secrets.nix ../modules/secrets/generate-secrets.nix
# using the hardened profile increases total test duration by ~50%, so disable it for now
# hardened
]; ];
# needed because duplicity requires 270 MB of free temp space, regardless of backup size. config = {
virtualisation.diskSize = 1024; tests.bitcoind = cfg.bitcoind.enable;
services.bitcoind = {
enable = true;
extraConfig = mkIf config.test.noConnections (mkForce "connect=0");
};
nix-bitcoin.netns-isolation.enable = (scenario == "netns"); tests.clightning = cfg.clightning.enable;
services.bitcoind.extraConfig = mkForce "connect=0"; tests.spark-wallet = cfg.spark-wallet.enable;
services.clightning.enable = true; tests.nanopos = cfg.nanopos.enable;
services.spark-wallet.enable = true;
services.lightning-charge.enable = true;
services.nanopos.enable = true;
services.lnd.enable = true; tests.lnd = cfg.lnd.enable;
services.lnd.listenPort = 9736; services.lnd.listenPort = 9736;
services.lightning-loop.enable = true;
services.electrs.enable = true; tests.lightning-loop = cfg.lightning-loop.enable;
services.liquidd = { tests.electrs = cfg.electrs.enable;
enable = true;
listen = mkForce false;
extraConfig = "noconnect=1";
};
services.nix-bitcoin-webindex.enable = true; tests.liquidd = cfg.liquidd.enable;
services.liquidd = optionalAttrs config.test.noConnections {
listen = mkForce false;
extraConfig = "noconnect=1";
};
services.hardware-wallets = { tests.btcpayserver = cfg.btcpayserver.enable;
trezor = true; services.btcpayserver.lightningBackend = "lnd";
ledger = true; # Needed to test macaroon creation
}; environment.systemPackages = mkIfTest "btcpayserver" (with pkgs; [ openssl xxd ]);
services.backups.enable = true; tests.joinmarket = cfg.joinmarket.enable;
services.joinmarket.yieldgenerator = {
enable = config.services.joinmarket.enable;
customParameters = ''
txfee = 200
cjfee_a = 300
'';
};
services.btcpayserver.enable = true; tests.backups = cfg.backups.enable;
services.btcpayserver.lightningBackend = "lnd";
# needed to test macaroon creation
environment.systemPackages = with pkgs; [ openssl xxd ];
services.joinmarket.enable = true; # To test that unused secrets are made inaccessible by 'setup-secrets'
services.joinmarket.yieldgenerator = { systemd.services.generate-secrets.postStart = mkIfTest "security" ''
enable = true; install -o nobody -g nogroup -m777 <(:) /secrets/dummy
customParameters = ''
txfee = 200
cjfee_a = 300
''; '';
}; };
# to test that unused secrets are made inaccessible by 'setup-secrets'
systemd.services.generate-secrets.postStart = ''
install -o nobody -g nogroup -m777 <(:) /secrets/dummy
'';
}; };
testScript =
builtins.readFile ./tests.py + "\n\n" + builtins.readFile "${./.}/scenarios/${scenario}.py"; scenarios = {
} base = baseConfig; # Included in all scenarios
default = scenarios.secureNode;
# All available basic services and tests
full = {
tests.security = true;
services.clightning.enable = true;
services.spark-wallet.enable = true;
services.lightning-charge.enable = true;
services.nanopos.enable = true;
services.lnd.enable = true;
services.lightning-loop.enable = true;
services.electrs.enable = true;
services.liquidd.enable = true;
services.btcpayserver.enable = true;
services.joinmarket.enable = true;
services.backups.enable = true;
services.hardware-wallets = {
trezor = true;
ledger = true;
};
};
secureNode = {
imports = [
scenarios.full
../modules/presets/secure-node.nix
];
services.nix-bitcoin-webindex.enable = true;
tests.secure-node = true;
tests.banlist-and-restart = true;
};
netns = {
imports = [ scenarios.secureNode ];
nix-bitcoin.netns-isolation.enable = true;
tests.netns-isolation = true;
};
## Examples / debug helper
# Run a selection of tests in scenario 'netns'
selectedTests = {
imports = [ scenarios.netns ];
tests = mkForce {
btcpayserver = true;
netns-isolation = true;
};
};
adhoc = {
# <Add your config here>
# You can also set the env var `scenarioOverridesFile` (used below) to define custom scenarios.
};
};
};
in
let
overrides = builtins.getEnv "scenarioOverridesFile";
scenarios = testEnv.scenarios // (optionalAttrs (overrides != "") (import overrides {
inherit testEnv config pkgs lib;
}));
autoScenario = {
services.${scenario}.enable = true;
};
in {
imports = [
scenarios.base
(scenarios.${scenario} or autoScenario)
];
}
)

View File

@ -1,4 +1,4 @@
is_interactive = "is_interactive" in vars() from collections import OrderedDict
def succeed(*cmds): def succeed(*cmds):
@ -28,7 +28,8 @@ def assert_no_failure(unit):
def assert_running(unit): def assert_running(unit):
machine.wait_for_unit(unit) with machine.nested(f"waiting for unit: {unit}"):
machine.wait_for_unit(unit)
assert_no_failure(unit) assert_no_failure(unit)
@ -41,13 +42,63 @@ def wait_for_open_port(address, port):
retry(is_port_open) retry(is_port_open)
### Test runner
tests = OrderedDict()
def test(name):
def x(fn):
tests[name] = fn
return x
def run_tests(): def run_tests():
# Don't execute the following test suite when this script is running in interactive mode enabled = enabled_tests.copy()
if is_interactive: to_run = []
raise Exception() for test in tests:
if test in enabled:
enabled.remove(test)
to_run.append(test)
if enabled:
raise RuntimeError(f"The following tests are enabled but not defined: {enabled}")
machine.connect() # Visually separate boot output from the test output
for test in to_run:
with log.nested(f"test: {test}"):
tests[test]()
test_security()
def run_test(test):
tests[test]()
### Tests
# All tests are executed in the order they are defined here
@test("security")
def _():
assert_running("setup-secrets")
# Unused secrets should be inaccessible
succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
if "secure-node" in enabled_tests:
# Access to '/proc' should be restricted
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
machine.wait_for_unit("bitcoind")
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
assert_matches(
"sudo -u electrs systemctl status bitcoind 2>&1 >/dev/null",
"Failed to dump process list for 'bitcoind.service', ignoring: Access denied",
)
# The 'operator' with group 'proc' has full access
assert_full_match("sudo -u operator systemctl status bitcoind 2>&1 >/dev/null", "")
@test("bitcoind")
def _():
assert_running("bitcoind") assert_running("bitcoind")
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo") machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"') assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
@ -59,6 +110,10 @@ def run_tests():
log_has_string("bitcoind", "RPC User public not allowed to call method stop") log_has_string("bitcoind", "RPC User public not allowed to call method stop")
) )
# Impure: Stops electrs
@test("electrs")
def _():
assert_running("electrs") assert_running("electrs")
wait_for_open_port(ip("electrs"), 4224) # prometeus metrics provider wait_for_open_port(ip("electrs"), 4224) # prometeus metrics provider
# Check RPC connection to bitcoind # Check RPC connection to bitcoind
@ -66,18 +121,30 @@ def run_tests():
# Stop electrs from spamming the test log with 'wait for bitcoind sync' messages # Stop electrs from spamming the test log with 'wait for bitcoind sync' messages
succeed("systemctl stop electrs") succeed("systemctl stop electrs")
@test("liquidd")
def _():
assert_running("liquidd") assert_running("liquidd")
machine.wait_until_succeeds("elements-cli getnetworkinfo") machine.wait_until_succeeds("elements-cli getnetworkinfo")
assert_matches("su operator -c 'elements-cli getnetworkinfo' | jq", '"version"') assert_matches("su operator -c 'elements-cli getnetworkinfo' | jq", '"version"')
succeed("su operator -c 'liquidswap-cli --help'") succeed("su operator -c 'liquidswap-cli --help'")
@test("clightning")
def _():
assert_running("clightning") assert_running("clightning")
assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"') assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"')
@test("lnd")
def _():
assert_running("lnd") assert_running("lnd")
assert_matches("su operator -c 'lncli getinfo' | jq", '"version"') assert_matches("su operator -c 'lncli getinfo' | jq", '"version"')
assert_no_failure("lnd") assert_no_failure("lnd")
@test("lightning-loop")
def _():
assert_running("lightning-loop") assert_running("lightning-loop")
assert_matches("su operator -c 'loop --version'", "version") assert_matches("su operator -c 'loop --version'", "version")
# Check that lightning-loop fails with the right error, making sure # Check that lightning-loop fails with the right error, making sure
@ -89,6 +156,9 @@ def run_tests():
) )
) )
@test("btcpayserver")
def _():
assert_running("nbxplorer") assert_running("nbxplorer")
machine.wait_until_succeeds(log_has_string("nbxplorer", "BTC: RPC connection successful")) machine.wait_until_succeeds(log_has_string("nbxplorer", "BTC: RPC connection successful"))
wait_for_open_port(ip("nbxplorer"), 24444) wait_for_open_port(ip("nbxplorer"), 24444)
@ -103,11 +173,17 @@ def run_tests():
'"version"', '"version"',
) )
@test("spark-wallet")
def _():
assert_running("spark-wallet") assert_running("spark-wallet")
wait_for_open_port(ip("spark-wallet"), 9737) wait_for_open_port(ip("spark-wallet"), 9737)
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1] spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
assert_matches(f"curl -s {spark_auth}@{ip('spark-wallet')}:9737", "Spark") assert_matches(f"curl -s {spark_auth}@{ip('spark-wallet')}:9737", "Spark")
@test("lightning-charge")
def _():
assert_running("lightning-charge") assert_running("lightning-charge")
wait_for_open_port(ip("lightning-charge"), 9112) wait_for_open_port(ip("lightning-charge"), 9112)
machine.wait_until_succeeds(f"nc -z {ip('lightning-charge')} 9112") machine.wait_until_succeeds(f"nc -z {ip('lightning-charge')} 9112")
@ -116,12 +192,16 @@ def run_tests():
f"curl -s api-token:{charge_auth}@{ip('lightning-charge')}:9112/info | jq", '"id"' f"curl -s api-token:{charge_auth}@{ip('lightning-charge')}:9112/info | jq", '"id"'
) )
@test("nanopos")
def _():
assert_running("nanopos") assert_running("nanopos")
wait_for_open_port(ip("nanopos"), 9116) wait_for_open_port(ip("nanopos"), 9116)
assert_matches(f"curl {ip('nanopos')}:9116", "tshirt") assert_matches(f"curl {ip('nanopos')}:9116", "tshirt")
assert_running("onion-chef")
@test("joinmarket")
def _():
assert_running("joinmarket") assert_running("joinmarket")
machine.wait_until_succeeds( machine.wait_until_succeeds(
log_has_string("joinmarket", "P2EPDaemonServerProtocolFactory starting on 27184") log_has_string("joinmarket", "P2EPDaemonServerProtocolFactory starting on 27184")
@ -130,6 +210,11 @@ def run_tests():
log_has_string("joinmarket-yieldgenerator", "Failure to get blockheight",) log_has_string("joinmarket-yieldgenerator", "Failure to get blockheight",)
) )
@test("secure-node")
def _():
assert_running("onion-chef")
# FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due # FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due
# to incomplete unit dependencies. # to incomplete unit dependencies.
# 'create-web-index' implicitly tests 'nodeinfo'. # 'create-web-index' implicitly tests 'nodeinfo'.
@ -139,30 +224,62 @@ def run_tests():
assert_matches(f"curl {ip('nginx')}", "nix-bitcoin") assert_matches(f"curl {ip('nginx')}", "nix-bitcoin")
assert_matches(f"curl -L {ip('nginx')}/store", "tshirt") assert_matches(f"curl -L {ip('nginx')}/store", "tshirt")
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
assert_no_failure("bitcoind-import-banlist")
### Additional tests # Run this test before the following tests that shut down services
# (and their corresponding network namespaces).
@test("netns-isolation")
def _():
ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
ping_nbxplorer = "ip netns exec nb-nbxplorer ping -c 1 -w 1"
# Current time in µs # Positive ping tests (non-exhaustive)
pre_restart = succeed("date +%s.%6N").rstrip() machine.succeed(
"%s %s &&" % (ping_bitcoind, ip("bitcoind"))
# Sanity-check system by restarting all services + "%s %s &&" % (ping_bitcoind, ip("clightning"))
succeed( + "%s %s &&" % (ping_bitcoind, ip("lnd"))
"systemctl restart bitcoind clightning lnd lightning-loop spark-wallet lightning-charge nanopos liquidd" + "%s %s &&" % (ping_bitcoind, ip("liquidd"))
+ "%s %s &&" % (ping_bitcoind, ip("nbxplorer"))
+ "%s %s &&" % (ping_nbxplorer, ip("btcpayserver"))
+ "%s %s &&" % (ping_nanopos, ip("lightning-charge"))
+ "%s %s &&" % (ping_nanopos, ip("nanopos"))
+ "%s %s" % (ping_nanopos, ip("nginx"))
) )
# Now that the bitcoind restart triggered a banlist import restart, check that # Negative ping tests (non-exhaustive)
# re-importing already banned addresses works machine.fail(
machine.wait_until_succeeds( "%s %s ||" % (ping_bitcoind, ip("spark-wallet"))
log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist") + "%s %s ||" % (ping_bitcoind, ip("lightning-loop"))
+ "%s %s ||" % (ping_bitcoind, ip("lightning-charge"))
+ "%s %s ||" % (ping_bitcoind, ip("nanopos"))
+ "%s %s ||" % (ping_bitcoind, ip("recurring-donations"))
+ "%s %s ||" % (ping_bitcoind, ip("nginx"))
+ "%s %s ||" % (ping_nanopos, ip("bitcoind"))
+ "%s %s ||" % (ping_nanopos, ip("clightning"))
+ "%s %s ||" % (ping_nanopos, ip("lnd"))
+ "%s %s ||" % (ping_nanopos, ip("lightning-loop"))
+ "%s %s ||" % (ping_nanopos, ip("liquidd"))
+ "%s %s ||" % (ping_nanopos, ip("electrs"))
+ "%s %s ||" % (ping_nanopos, ip("spark-wallet"))
+ "%s %s ||" % (ping_nanopos, ip("recurring-donations"))
+ "%s %s" % (ping_nanopos, ip("btcpayserver"))
) )
assert_no_failure("bitcoind-import-banlist")
prestop() # test that netns-exec can't be run for unauthorized namespace
machine.fail("netns-exec nb-electrs ip a")
### Test duplicity # test that netns-exec drops capabilities
assert_full_match(
"su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
)
# test that netns-exec can not be executed by users that are not operator
machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
# Impure: stops bitcoind (and dependent services)
@test("backups")
def _():
succeed("systemctl stop bitcoind") succeed("systemctl stop bitcoind")
succeed("systemctl start duplicity") succeed("systemctl start duplicity")
machine.wait_until_succeeds(log_has_string("duplicity", "duplicity.service: Succeeded.")) machine.wait_until_succeeds(log_has_string("duplicity", "duplicity.service: Succeeded."))
@ -181,23 +298,50 @@ def run_tests():
assert "var/backup/postgresql/btcpaydb.sql.gz" in files assert "var/backup/postgresql/btcpaydb.sql.gz" in files
def test_security(): # Impure: restarts services
assert_running("setup-secrets") @test("banlist-and-restart")
# Unused secrets should be inaccessible def _():
succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]') machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
assert_no_failure("bitcoind-import-banlist")
# Access to '/proc' should be restricted # Current time in µs
machine.succeed("grep -Fq hidepid=2 /proc/mounts") pre_restart = succeed("date +%s.%6N").rstrip()
machine.wait_for_unit("bitcoind") # Sanity-check system by restarting all services
# `systemctl status` run by unprivileged users shouldn't leak cgroup info succeed(
assert_matches( "systemctl restart bitcoind clightning lnd lightning-loop spark-wallet lightning-charge nanopos liquidd"
"sudo -u electrs systemctl status bitcoind 2>&1 >/dev/null",
"Failed to dump process list for 'bitcoind.service', ignoring: Access denied",
) )
# The 'operator' with group 'proc' has full access
assert_full_match("sudo -u operator systemctl status bitcoind 2>&1 >/dev/null", "") # Now that the bitcoind restart triggered a banlist import restart, check that
# re-importing already banned addresses works
machine.wait_until_succeeds(
log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist")
)
assert_no_failure("bitcoind-import-banlist")
def ip(_): if "netns-isolation" in enabled_tests:
return "127.0.0.1" netns_ips = {
"bitcoind": "169.254.1.12",
"clightning": "169.254.1.13",
"lnd": "169.254.1.14",
"liquidd": "169.254.1.15",
"electrs": "169.254.1.16",
"spark-wallet": "169.254.1.17",
"lightning-charge": "169.254.1.18",
"nanopos": "169.254.1.19",
"recurring-donations": "169.254.1.20",
"nginx": "169.254.1.21",
"lightning-loop": "169.254.1.22",
"nbxplorer": "169.254.1.23",
"btcpayserver": "169.254.1.24",
}
def ip(netns):
return netns_ips[netns]
else:
def ip(_):
return "127.0.0.1"