81fc2c3509
This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig <aszlig@nix.build>
145 lines
4.3 KiB
Nix
145 lines
4.3 KiB
Nix
let
|
|
common = { pkgs, ... }: {
|
|
security.dhparams.enable = true;
|
|
environment.systemPackages = [ pkgs.openssl ];
|
|
};
|
|
|
|
in import ./make-test.nix {
|
|
name = "dhparams";
|
|
|
|
nodes.generation1 = { pkgs, config, ... }: {
|
|
imports = [ common ];
|
|
security.dhparams.params = {
|
|
# Use low values here because we don't want the test to run for ages.
|
|
foo.bits = 16;
|
|
# Also use the old format to make sure the type is coerced in the right
|
|
# way.
|
|
bar = 17;
|
|
};
|
|
|
|
systemd.services.foo = {
|
|
description = "Check systemd Ordering";
|
|
wantedBy = [ "multi-user.target" ];
|
|
unitConfig = {
|
|
# This is to make sure that the dhparams generation of foo occurs
|
|
# before this service so we need this service to start as early as
|
|
# possible to provoke a race condition.
|
|
DefaultDependencies = false;
|
|
|
|
# We check later whether the service has been started or not.
|
|
ConditionPathExists = config.security.dhparams.params.foo.path;
|
|
};
|
|
serviceConfig.Type = "oneshot";
|
|
serviceConfig.RemainAfterExit = true;
|
|
# The reason we only provide an ExecStop here is to ensure that we don't
|
|
# accidentally trigger an error because a file system is not yet ready
|
|
# during very early startup (we might not even have the Nix store
|
|
# available, for example if future changes in NixOS use systemd mount
|
|
# units to do early file system initialisation).
|
|
serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
|
|
};
|
|
};
|
|
|
|
nodes.generation2 = {
|
|
imports = [ common ];
|
|
security.dhparams.params.foo.bits = 18;
|
|
};
|
|
|
|
nodes.generation3 = common;
|
|
|
|
nodes.generation4 = {
|
|
imports = [ common ];
|
|
security.dhparams.stateful = false;
|
|
security.dhparams.params.foo2.bits = 18;
|
|
security.dhparams.params.bar2.bits = 19;
|
|
};
|
|
|
|
nodes.generation5 = {
|
|
imports = [ common ];
|
|
security.dhparams.defaultBitSize = 30;
|
|
security.dhparams.params.foo3 = {};
|
|
security.dhparams.params.bar3 = {};
|
|
};
|
|
|
|
testScript = { nodes, ... }: let
|
|
getParamPath = gen: name: let
|
|
node = "generation${toString gen}";
|
|
in nodes.${node}.config.security.dhparams.params.${name}.path;
|
|
|
|
assertParamBits = gen: name: bits: let
|
|
path = getParamPath gen name;
|
|
in ''
|
|
$machine->nest('check bit size of ${path}', sub {
|
|
my $out = $machine->succeed('openssl dhparam -in ${path} -text');
|
|
$out =~ /^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$/m;
|
|
die "bit size should be ${toString bits} but it is $1 instead."
|
|
if $1 != ${toString bits};
|
|
});
|
|
'';
|
|
|
|
switchToGeneration = gen: let
|
|
node = "generation${toString gen}";
|
|
inherit (nodes.${node}.config.system.build) toplevel;
|
|
switchCmd = "${toplevel}/bin/switch-to-configuration test";
|
|
in ''
|
|
$machine->nest('switch to generation ${toString gen}', sub {
|
|
$machine->succeed('${switchCmd}');
|
|
$main::machine = ''$${node};
|
|
});
|
|
'';
|
|
|
|
in ''
|
|
my $machine = $generation1;
|
|
|
|
$machine->waitForUnit('multi-user.target');
|
|
|
|
subtest "verify startup order", sub {
|
|
$machine->succeed('systemctl is-active foo.service');
|
|
};
|
|
|
|
subtest "check bit sizes of dhparam files", sub {
|
|
${assertParamBits 1 "foo" 16}
|
|
${assertParamBits 1 "bar" 17}
|
|
};
|
|
|
|
${switchToGeneration 2}
|
|
|
|
subtest "check whether bit size has changed", sub {
|
|
${assertParamBits 2 "foo" 18}
|
|
};
|
|
|
|
subtest "ensure that dhparams file for 'bar' was deleted", sub {
|
|
$machine->fail('test -e ${getParamPath 1 "bar"}');
|
|
};
|
|
|
|
${switchToGeneration 3}
|
|
|
|
subtest "ensure that 'security.dhparams.path' has been deleted", sub {
|
|
$machine->fail(
|
|
'test -e ${nodes.generation3.config.security.dhparams.path}'
|
|
);
|
|
};
|
|
|
|
${switchToGeneration 4}
|
|
|
|
subtest "check bit sizes dhparam files", sub {
|
|
${assertParamBits 4 "foo2" 18}
|
|
${assertParamBits 4 "bar2" 19}
|
|
};
|
|
|
|
subtest "check whether dhparam files are in the Nix store", sub {
|
|
$machine->succeed(
|
|
'expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}',
|
|
'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}',
|
|
);
|
|
};
|
|
|
|
${switchToGeneration 5}
|
|
|
|
subtest "check whether defaultBitSize works as intended", sub {
|
|
${assertParamBits 5 "foo3" 30}
|
|
${assertParamBits 5 "bar3" 30}
|
|
};
|
|
'';
|
|
}
|