From 8783f38fba8ae6bc898c60b6a861c893089d5b46 Mon Sep 17 00:00:00 2001 From: nixbitcoin Date: Thu, 18 Jun 2020 10:22:44 +0000 Subject: [PATCH] tests: add netns to testing framework --- test/test-script.py | 90 +++++++++++++++++++++++++++++++++++++++------ test/test.nix | 2 + 2 files changed, 81 insertions(+), 11 deletions(-) diff --git a/test/test-script.py b/test/test-script.py index 5c35f9b..785a481 100644 --- a/test/test-script.py +++ b/test/test-script.py @@ -9,6 +9,12 @@ def assert_matches(cmd, regexp): raise Exception(f"Pattern '{regexp}' not found in '{out}'") +def assert_matches_exactly(cmd, regexp): + out = succeed(cmd) + if not re.fullmatch(regexp, out): + raise Exception(f"Pattern '{regexp}' doesn't match '{out}'") + + def log_has_string(unit, str): return f"journalctl -b --output=cat -u {unit} --grep='{str}'" @@ -27,6 +33,18 @@ def assert_running(unit): if "is_interactive" in vars(): raise Exception() +# netns IP addresses +bitcoind_ip = "169.254.1.12" +clightning_ip = "169.254.1.13" +lnd_ip = "169.254.1.14" +liquidd_ip = "169.254.1.15" +electrs_ip = "169.254.1.16" +sparkwallet_ip = "169.254.1.17" +lightningcharge_ip = "169.254.1.18" +nanopos_ip = "169.254.1.19" +recurringdonations_ip = "169.254.1.20" +nginx_ip = "169.254.1.21" + ### Tests assert_running("setup-secrets") @@ -38,13 +56,15 @@ machine.wait_until_succeeds("bitcoin-cli getnetworkinfo") assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"') assert_running("electrs") -machine.wait_for_open_port(4224) # prometeus metrics provider +machine.wait_until_succeeds( + "ip netns exec nb-electrs nc -z localhost 4224" +) # prometeus metrics provider # Check RPC connection to bitcoind machine.wait_until_succeeds(log_has_string("electrs", "NetworkInfo")) assert_running("nginx") # SSL stratum server via nginx. Only check for open port, no content is served here # as electrs isn't ready. -machine.wait_for_open_port(50003) +machine.wait_until_succeeds("ip netns exec nb-nginx nc -z localhost 50003") # Stop electrs from spamming the test log with 'wait for bitcoind sync' messages succeed("systemctl stop electrs") @@ -58,17 +78,23 @@ assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"') assert_running("spark-wallet") spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1] -machine.wait_for_open_port(9737) -assert_matches(f"curl -s {spark_auth}@localhost:9737", "Spark") +machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip) +assert_matches( + f"ip netns exec nb-spark-wallet curl -s {spark_auth}@%s:9737" % sparkwallet_ip, "Spark" +) assert_running("lightning-charge") charge_auth = re.search("API_TOKEN=(.*)", succeed("cat /secrets/lightning-charge-env"))[1] -machine.wait_for_open_port(9112) -assert_matches(f"curl -s api-token:{charge_auth}@localhost:9112/info | jq", '"id"') +machine.wait_until_succeeds("ip netns exec nb-nanopos nc -z %s 9112" % lightningcharge_ip) +assert_matches( + f"ip netns exec nb-nanopos curl -s api-token:{charge_auth}@%s:9112/info | jq" + % lightningcharge_ip, + '"id"', +) assert_running("nanopos") -machine.wait_for_open_port(9116) -assert_matches("curl localhost:9116", "tshirt") +machine.wait_until_succeeds("ip netns exec nb-lightning-charge nc -z %s 9116" % nanopos_ip) +assert_matches("ip netns exec nb-lightning-charge curl %s:9116" % nanopos_ip, "tshirt") assert_running("onion-chef") @@ -76,13 +102,55 @@ assert_running("onion-chef") # to incomplete unit dependencies. # 'create-web-index' implicitly tests 'nodeinfo'. machine.wait_for_unit("create-web-index") -machine.wait_for_open_port(80) -assert_matches("curl localhost", "nix-bitcoin") -assert_matches("curl -L localhost/store", "tshirt") +machine.wait_until_succeeds("ip netns exec nb-nginx nc -z localhost 80") +assert_matches("ip netns exec nb-nginx curl localhost", "nix-bitcoin") +assert_matches("ip netns exec nb-nginx curl -L localhost/store", "tshirt") machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist")) assert_no_failure("bitcoind-import-banlist") +### Security tests + +ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1" +ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1" + +# Positive ping tests (non-exhaustive) +machine.succeed( + "%s %s &&" % (ping_bitcoind, bitcoind_ip) + + "%s %s &&" % (ping_bitcoind, clightning_ip) + + "%s %s &&" % (ping_bitcoind, liquidd_ip) + + "%s %s &&" % (ping_nanopos, lightningcharge_ip) + + "%s %s &&" % (ping_nanopos, nanopos_ip) + + "%s %s" % (ping_nanopos, nginx_ip) +) + +# Negative ping tests (non-exhaustive) +machine.fail( + "%s %s ||" % (ping_bitcoind, sparkwallet_ip) + + "%s %s ||" % (ping_bitcoind, lightningcharge_ip) + + "%s %s ||" % (ping_bitcoind, nanopos_ip) + + "%s %s ||" % (ping_bitcoind, recurringdonations_ip) + + "%s %s ||" % (ping_bitcoind, nginx_ip) + + "%s %s ||" % (ping_nanopos, bitcoind_ip) + + "%s %s ||" % (ping_nanopos, clightning_ip) + + "%s %s ||" % (ping_nanopos, lnd_ip) + + "%s %s ||" % (ping_nanopos, liquidd_ip) + + "%s %s ||" % (ping_nanopos, electrs_ip) + + "%s %s ||" % (ping_nanopos, sparkwallet_ip) + + "%s %s" % (ping_nanopos, recurringdonations_ip) +) + +# test that netns-exec can't be run for unauthorized namespace +machine.fail("netns-exec nb-electrs ip a") + +# test that netns-exec drops capabilities +assert_matches_exactly( + "su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n" +) + +# test that netns-exec can not be executed by users that are not operator +machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a") + ### Additional tests # Current time in µs diff --git a/test/test.nix b/test/test.nix index d609d3d..2982f7c 100644 --- a/test/test.nix +++ b/test/test.nix @@ -16,6 +16,8 @@ import ./make-test.nix rec { # hardened ]; + nix-bitcoin.netns-isolation.enable = mkForce true; + services.bitcoind.extraConfig = mkForce "connect=0"; services.clightning.enable = true;