greg/nix-bitcoin
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

test: move security tests to separate function

Browse Source
This commit is contained in:
Erik Arvstedt 2020-08-20 13:11:09 +02:00
parent 588a0b2405
commit a36789b468
No known key found for this signature in database
GPG Key ID: 33312B944DD97846
1 changed files with 19 additions and 12 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

31
test/scenarios/lib.py
View File

@ -38,9 +38,7 @@ if "is_interactive" in vars():
# The argument extra_tests is a dictionary from strings to functions. The string # The argument extra_tests is a dictionary from strings to functions. The string
# determines at which point of run_tests the corresponding function is executed. # determines at which point of run_tests the corresponding function is executed.
def run_tests(extra_tests): def run_tests(extra_tests):
assert_running("setup-secrets") test_security()
# Unused secrets should be inaccessible
succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
assert_running("bitcoind") assert_running("bitcoind")
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo") machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
@ -103,15 +101,6 @@ def run_tests(extra_tests):
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist")) machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
assert_no_failure("bitcoind-import-banlist") assert_no_failure("bitcoind-import-banlist")
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
assert_matches(
"sudo -u electrs systemctl status clightning 2>&1 >/dev/null",
"Failed to dump process list for 'clightning.service', ignoring: Access denied",
)
# The 'operator' with group 'proc' has full access
assert_full_match("sudo -u operator systemctl status clightning 2>&1 >/dev/null", "")
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
### Additional tests ### Additional tests
# Current time in µs # Current time in µs
@ -157,3 +146,21 @@ def run_tests(extra_tests):
### Check that all extra_tests have been run ### Check that all extra_tests have been run
assert len(extra_tests) == 0 assert len(extra_tests) == 0
def test_security():
assert_running("setup-secrets")
# Unused secrets should be inaccessible
succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
# Access to '/proc' should be restricted
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
machine.wait_for_unit("bitcoind")
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
assert_matches(
"sudo -u electrs systemctl status bitcoind 2>&1 >/dev/null",
"Failed to dump process list for 'bitcoind.service', ignoring: Access denied",
)
# The 'operator' with group 'proc' has full access
assert_full_match("sudo -u operator systemctl status bitcoind 2>&1 >/dev/null", "")