tests: add netns to testing framework

test/test-script.py

@@ -9,6 +9,12 @@ def assert_matches(cmd, regexp):
         raise Exception(f"Pattern '{regexp}' not found in '{out}'")
 
 
+def assert_matches_exactly(cmd, regexp):
+    out = succeed(cmd)
+    if not re.fullmatch(regexp, out):
+        raise Exception(f"Pattern '{regexp}' doesn't match '{out}'")
+
+
 def log_has_string(unit, str):
     return f"journalctl -b --output=cat -u {unit} --grep='{str}'"
 
@@ -27,6 +33,18 @@ def assert_running(unit):
 if "is_interactive" in vars():
     raise Exception()
 
+# netns IP addresses
+bitcoind_ip = "169.254.1.12"
+clightning_ip = "169.254.1.13"
+lnd_ip = "169.254.1.14"
+liquidd_ip = "169.254.1.15"
+electrs_ip = "169.254.1.16"
+sparkwallet_ip = "169.254.1.17"
+lightningcharge_ip = "169.254.1.18"
+nanopos_ip = "169.254.1.19"
+recurringdonations_ip = "169.254.1.20"
+nginx_ip = "169.254.1.21"
+
 ### Tests
 
 assert_running("setup-secrets")
@@ -38,13 +56,15 @@ machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
 assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
 
 assert_running("electrs")
-machine.wait_for_open_port(4224)  # prometeus metrics provider
+machine.wait_until_succeeds(
+    "ip netns exec nb-electrs nc -z localhost 4224"
+)  # prometeus metrics provider
 # Check RPC connection to bitcoind
 machine.wait_until_succeeds(log_has_string("electrs", "NetworkInfo"))
 assert_running("nginx")
 # SSL stratum server via nginx. Only check for open port, no content is served here
 # as electrs isn't ready.
-machine.wait_for_open_port(50003)
+machine.wait_until_succeeds("ip netns exec nb-nginx nc -z localhost 50003")
 # Stop electrs from spamming the test log with 'wait for bitcoind sync' messages
 succeed("systemctl stop electrs")
 
@@ -58,17 +78,23 @@ assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"')
 
 assert_running("spark-wallet")
 spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
-machine.wait_for_open_port(9737)
-assert_matches(f"curl -s {spark_auth}@localhost:9737", "Spark")
+machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip)
+assert_matches(
+    f"ip netns exec nb-spark-wallet curl -s {spark_auth}@%s:9737" % sparkwallet_ip, "Spark"
+)
 
 assert_running("lightning-charge")
 charge_auth = re.search("API_TOKEN=(.*)", succeed("cat /secrets/lightning-charge-env"))[1]
-machine.wait_for_open_port(9112)
-assert_matches(f"curl -s api-token:{charge_auth}@localhost:9112/info | jq", '"id"')
+machine.wait_until_succeeds("ip netns exec nb-nanopos nc -z %s 9112" % lightningcharge_ip)
+assert_matches(
+    f"ip netns exec nb-nanopos curl -s api-token:{charge_auth}@%s:9112/info | jq"
+    % lightningcharge_ip,
+    '"id"',
+)
 
 assert_running("nanopos")
-machine.wait_for_open_port(9116)
-assert_matches("curl localhost:9116", "tshirt")
+machine.wait_until_succeeds("ip netns exec nb-lightning-charge nc -z %s 9116" % nanopos_ip)
+assert_matches("ip netns exec nb-lightning-charge curl %s:9116" % nanopos_ip, "tshirt")
 
 assert_running("onion-chef")
 
@@ -76,13 +102,55 @@ assert_running("onion-chef")
 # to incomplete unit dependencies.
 # 'create-web-index' implicitly tests 'nodeinfo'.
 machine.wait_for_unit("create-web-index")
-machine.wait_for_open_port(80)
-assert_matches("curl localhost", "nix-bitcoin")
-assert_matches("curl -L localhost/store", "tshirt")
+machine.wait_until_succeeds("ip netns exec nb-nginx nc -z localhost 80")
+assert_matches("ip netns exec nb-nginx curl localhost", "nix-bitcoin")
+assert_matches("ip netns exec nb-nginx curl -L localhost/store", "tshirt")
 
 machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
 assert_no_failure("bitcoind-import-banlist")
 
+### Security tests
+
+ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
+ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
+
+# Positive ping tests (non-exhaustive)
+machine.succeed(
+    "%s %s &&" % (ping_bitcoind, bitcoind_ip)
+    + "%s %s &&" % (ping_bitcoind, clightning_ip)
+    + "%s %s &&" % (ping_bitcoind, liquidd_ip)
+    + "%s %s &&" % (ping_nanopos, lightningcharge_ip)
+    + "%s %s &&" % (ping_nanopos, nanopos_ip)
+    + "%s %s" % (ping_nanopos, nginx_ip)
+)
+
+# Negative ping tests (non-exhaustive)
+machine.fail(
+    "%s %s ||" % (ping_bitcoind, sparkwallet_ip)
+    + "%s %s ||" % (ping_bitcoind, lightningcharge_ip)
+    + "%s %s ||" % (ping_bitcoind, nanopos_ip)
+    + "%s %s ||" % (ping_bitcoind, recurringdonations_ip)
+    + "%s %s ||" % (ping_bitcoind, nginx_ip)
+    + "%s %s ||" % (ping_nanopos, bitcoind_ip)
+    + "%s %s ||" % (ping_nanopos, clightning_ip)
+    + "%s %s ||" % (ping_nanopos, lnd_ip)
+    + "%s %s ||" % (ping_nanopos, liquidd_ip)
+    + "%s %s ||" % (ping_nanopos, electrs_ip)
+    + "%s %s ||" % (ping_nanopos, sparkwallet_ip)
+    + "%s %s" % (ping_nanopos, recurringdonations_ip)
+)
+
+# test that netns-exec can't be run for unauthorized namespace
+machine.fail("netns-exec nb-electrs ip a")
+
+# test that netns-exec drops capabilities
+assert_matches_exactly(
+    "su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
+)
+
+# test that netns-exec can not be executed by users that are not operator
+machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
+
 ### Additional tests
 
 # Current time in µs

test/test.nix

@@ -16,6 +16,8 @@ import ./make-test.nix rec {
       # hardened
     ];
 
+    nix-bitcoin.netns-isolation.enable = mkForce true;
+
     services.bitcoind.extraConfig = mkForce "connect=0";
 
     services.clightning.enable = true;