761266bd18
We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog
109 lines
3.4 KiB
Nix
109 lines
3.4 KiB
Nix
let
|
|
common = { pkgs, ... }: {
|
|
security.dhparams.enable = true;
|
|
environment.systemPackages = [ pkgs.openssl ];
|
|
};
|
|
|
|
in import ./make-test.nix {
|
|
name = "dhparams";
|
|
|
|
nodes.generation1 = { pkgs, config, ... }: {
|
|
imports = [ common ];
|
|
security.dhparams.params = {
|
|
# Use low values here because we don't want the test to run for ages.
|
|
foo.bits = 16;
|
|
# Also use the old format to make sure the type is coerced in the right
|
|
# way.
|
|
bar = 17;
|
|
};
|
|
|
|
systemd.services.foo = {
|
|
description = "Check systemd Ordering";
|
|
wantedBy = [ "multi-user.target" ];
|
|
unitConfig = {
|
|
# This is to make sure that the dhparams generation of foo occurs
|
|
# before this service so we need this service to start as early as
|
|
# possible to provoke a race condition.
|
|
DefaultDependencies = false;
|
|
|
|
# We check later whether the service has been started or not.
|
|
ConditionPathExists = config.security.dhparams.params.foo.path;
|
|
};
|
|
serviceConfig.Type = "oneshot";
|
|
serviceConfig.RemainAfterExit = true;
|
|
# The reason we only provide an ExecStop here is to ensure that we don't
|
|
# accidentally trigger an error because a file system is not yet ready
|
|
# during very early startup (we might not even have the Nix store
|
|
# available, for example if future changes in NixOS use systemd mount
|
|
# units to do early file system initialisation).
|
|
serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
|
|
};
|
|
};
|
|
|
|
nodes.generation2 = {
|
|
imports = [ common ];
|
|
security.dhparams.params.foo.bits = 18;
|
|
};
|
|
|
|
nodes.generation3 = common;
|
|
|
|
testScript = { nodes, ... }: let
|
|
getParamPath = gen: name: let
|
|
node = "generation${toString gen}";
|
|
in nodes.${node}.config.security.dhparams.params.${name}.path;
|
|
|
|
assertParamBits = gen: name: bits: let
|
|
path = getParamPath gen name;
|
|
in ''
|
|
$machine->nest('check bit size of ${path}', sub {
|
|
my $out = $machine->succeed('openssl dhparam -in ${path} -text');
|
|
$out =~ /^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$/m;
|
|
die "bit size should be ${toString bits} but it is $1 instead."
|
|
if $1 != ${toString bits};
|
|
});
|
|
'';
|
|
|
|
switchToGeneration = gen: let
|
|
node = "generation${toString gen}";
|
|
inherit (nodes.${node}.config.system.build) toplevel;
|
|
switchCmd = "${toplevel}/bin/switch-to-configuration test";
|
|
in ''
|
|
$machine->nest('switch to generation ${toString gen}', sub {
|
|
$machine->succeed('${switchCmd}');
|
|
$main::machine = ''$${node};
|
|
});
|
|
'';
|
|
|
|
in ''
|
|
my $machine = $generation1;
|
|
|
|
$machine->waitForUnit('multi-user.target');
|
|
|
|
subtest "verify startup order", sub {
|
|
$machine->succeed('systemctl is-active foo.service');
|
|
};
|
|
|
|
subtest "check bit sizes of dhparam files", sub {
|
|
${assertParamBits 1 "foo" 16}
|
|
${assertParamBits 1 "bar" 17}
|
|
};
|
|
|
|
${switchToGeneration 2}
|
|
|
|
subtest "check whether bit size has changed", sub {
|
|
${assertParamBits 2 "foo" 18}
|
|
};
|
|
|
|
subtest "ensure that dhparams file for 'bar' was deleted", sub {
|
|
$machine->fail('test -e ${getParamPath 1 "bar"}');
|
|
};
|
|
|
|
${switchToGeneration 3}
|
|
|
|
subtest "ensure that 'security.dhparams.path' has been deleted", sub {
|
|
$machine->fail(
|
|
'test -e ${nodes.generation3.config.security.dhparams.path}'
|
|
);
|
|
};
|
|
'';
|
|
}
|