diff --git a/test/scenarios/default.py b/test/scenarios/default.py index 76c9fcb..7de4c0a 100644 --- a/test/scenarios/default.py +++ b/test/scenarios/default.py @@ -18,7 +18,6 @@ machine.wait_until_succeeds( ) assert_running("electrs") -machine.wait_for_open_port(4224) # prometeus metrics provider # Check RPC connection to bitcoind machine.wait_until_succeeds(log_has_string("electrs", "NetworkInfo")) assert_running("nginx") @@ -35,17 +34,11 @@ assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"') assert_running("spark-wallet") spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1] -machine.wait_for_open_port(9737) -assert_matches(f"curl -s {spark_auth}@localhost:9737", "Spark") assert_running("lightning-charge") charge_auth = re.search("API_TOKEN=(.*)", succeed("cat /secrets/lightning-charge-env"))[1] -machine.wait_for_open_port(9112) -assert_matches(f"curl -s api-token:{charge_auth}@localhost:9112/info | jq", '"id"') assert_running("nanopos") -machine.wait_for_open_port(9116) -assert_matches("curl localhost:9116", "tshirt") assert_running("onion-chef") @@ -53,9 +46,6 @@ assert_running("onion-chef") # to incomplete unit dependencies. # 'create-web-index' implicitly tests 'nodeinfo'. machine.wait_for_unit("create-web-index") -machine.wait_for_open_port(80) -assert_matches("curl localhost", "nix-bitcoin") -assert_matches("curl -L localhost/store", "tshirt") machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist")) assert_no_failure("bitcoind-import-banlist") @@ -84,7 +74,8 @@ assert_no_failure("bitcoind-import-banlist") ### Test lnd -succeed("systemctl stop nanopos lightning-charge spark-wallet clightning") +stopped_services = "nanopos lightning-charge spark-wallet clightning" +succeed("systemctl stop " + stopped_services) succeed("systemctl start lnd") assert_matches("su operator -c 'lncli getinfo' | jq", '"version"') assert_no_failure("lnd") @@ -98,3 +89,29 @@ assert_matches("su operator -c 'loop --version'", "version") machine.wait_until_succeeds( log_has_string("lightning-loop", "chain notifier RPC isstill in the process of starting") ) + +### Stop lnd and restart clightning +succeed("systemctl stop lnd") +succeed("systemctl start " + stopped_services) + +## electrs +# the main test body stops electrs +succeed("systemctl start electrs") +machine.wait_for_open_port(4224) # prometeus metrics provider + +## spark-wallet +machine.wait_for_open_port(9737) +assert_matches(f"curl -s {spark_auth}@localhost:9737", "Spark") + +## lightning-charge +machine.wait_for_open_port(9112) +assert_matches(f"curl -s api-token:{charge_auth}@localhost:9112/info | jq", '"id"') + +## nanopos +machine.wait_for_open_port(9116) +assert_matches("curl localhost:9116", "tshirt") + +## web index +machine.wait_for_open_port(80) +assert_matches("curl localhost", "nix-bitcoin") +assert_matches("curl -L localhost/store", "tshirt") diff --git a/test/scenarios/withnetns.py b/test/scenarios/withnetns.py index 06567c3..0cf8e64 100644 --- a/test/scenarios/withnetns.py +++ b/test/scenarios/withnetns.py @@ -1,15 +1,3 @@ -# netns IP addresses -bitcoind_ip = "169.254.1.12" -clightning_ip = "169.254.1.13" -lnd_ip = "169.254.1.14" -liquidd_ip = "169.254.1.15" -electrs_ip = "169.254.1.16" -sparkwallet_ip = "169.254.1.17" -lightningcharge_ip = "169.254.1.18" -nanopos_ip = "169.254.1.19" -recurringdonations_ip = "169.254.1.20" -nginx_ip = "169.254.1.21" - ### Tests assert_running("setup-secrets") @@ -30,9 +18,6 @@ machine.wait_until_succeeds( ) assert_running("electrs") -machine.wait_until_succeeds( - "ip netns exec nb-electrs nc -z localhost 4224" -) # prometeus metrics provider # Check RPC connection to bitcoind machine.wait_until_succeeds(log_has_string("electrs", "NetworkInfo")) assert_running("nginx") @@ -49,23 +34,11 @@ assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"') assert_running("spark-wallet") spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1] -machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip) -assert_matches( - f"ip netns exec nb-spark-wallet curl -s {spark_auth}@%s:9737" % sparkwallet_ip, "Spark" -) assert_running("lightning-charge") charge_auth = re.search("API_TOKEN=(.*)", succeed("cat /secrets/lightning-charge-env"))[1] -machine.wait_until_succeeds("ip netns exec nb-nanopos nc -z %s 9112" % lightningcharge_ip) -assert_matches( - f"ip netns exec nb-nanopos curl -s api-token:{charge_auth}@%s:9112/info | jq" - % lightningcharge_ip, - '"id"', -) assert_running("nanopos") -machine.wait_until_succeeds("ip netns exec nb-lightning-charge nc -z %s 9116" % nanopos_ip) -assert_matches("ip netns exec nb-lightning-charge curl %s:9116" % nanopos_ip, "tshirt") assert_running("onion-chef") @@ -73,12 +46,96 @@ assert_running("onion-chef") # to incomplete unit dependencies. # 'create-web-index' implicitly tests 'nodeinfo'. machine.wait_for_unit("create-web-index") + +machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist")) +assert_no_failure("bitcoind-import-banlist") + +# test that `systemctl status` can't leak credentials +assert_matches( + "sudo -u electrs systemctl status clightning 2>&1 >/dev/null", + "Failed to dump process list for 'clightning.service', ignoring: Access denied", +) +machine.succeed("grep -Fq hidepid=2 /proc/mounts") + +### Additional tests + +# Current time in µs +pre_restart = succeed("date +%s.%6N").rstrip() + +# Sanity-check system by restarting all services +succeed("systemctl restart bitcoind clightning spark-wallet lightning-charge nanopos liquidd") + +# Now that the bitcoind restart triggered a banlist import restart, check that +# re-importing already banned addresses works +machine.wait_until_succeeds( + log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist") +) +assert_no_failure("bitcoind-import-banlist") + +### Test lnd + +stopped_services = "nanopos lightning-charge spark-wallet clightning" +succeed("systemctl stop " + stopped_services) +succeed("systemctl start lnd") +assert_matches("su operator -c 'lncli getinfo' | jq", '"version"') +assert_no_failure("lnd") + +### Test loopd + +succeed("systemctl start lightning-loop") +assert_matches("su operator -c 'loop --version'", "version") +# Check that lightning-loop fails with the right error, making sure +# lightning-loop can connect to lnd +machine.wait_until_succeeds( + log_has_string("lightning-loop", "chain notifier RPC isstill in the process of starting") +) + +### Stop lnd and restart clightning +succeed("systemctl stop lnd") +succeed("systemctl start " + stopped_services) + +# netns IP addresses +bitcoind_ip = "169.254.1.12" +clightning_ip = "169.254.1.13" +lnd_ip = "169.254.1.14" +liquidd_ip = "169.254.1.15" +electrs_ip = "169.254.1.16" +sparkwallet_ip = "169.254.1.17" +lightningcharge_ip = "169.254.1.18" +nanopos_ip = "169.254.1.19" +recurringdonations_ip = "169.254.1.20" +nginx_ip = "169.254.1.21" + +## electrs +# the main test body stops electrs +succeed("systemctl start electrs") +machine.wait_until_succeeds( + "ip netns exec nb-electrs nc -z localhost 4224" +) # prometeus metrics provider + +## spark-wallet +machine.wait_until_succeeds("ip netns exec nb-spark-wallet nc -z %s 9737" % sparkwallet_ip) +assert_matches( + f"ip netns exec nb-spark-wallet curl -s {spark_auth}@%s:9737" % sparkwallet_ip, "Spark" +) + +## lightning-charge +machine.wait_until_succeeds("ip netns exec nb-nanopos nc -z %s 9112" % lightningcharge_ip) +assert_matches( + f"ip netns exec nb-nanopos curl -s api-token:{charge_auth}@%s:9112/info | jq" + % lightningcharge_ip, + '"id"', +) + +## nanopos +machine.wait_until_succeeds("ip netns exec nb-lightning-charge nc -z %s 9116" % nanopos_ip) +assert_matches("ip netns exec nb-lightning-charge curl %s:9116" % nanopos_ip, "tshirt") + +## webindex machine.wait_until_succeeds("ip netns exec nb-nginx nc -z localhost 80") assert_matches("ip netns exec nb-nginx curl localhost", "nix-bitcoin") assert_matches("ip netns exec nb-nginx curl -L localhost/store", "tshirt") -machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist")) -assert_no_failure("bitcoind-import-banlist") ### Security tests @@ -121,42 +178,3 @@ assert_matches_exactly( # test that netns-exec can not be executed by users that are not operator machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a") - -# test that `systemctl status` can't leak credentials -assert_matches( - "sudo -u electrs systemctl status clightning 2>&1 >/dev/null", - "Failed to dump process list for 'clightning.service', ignoring: Access denied", -) -machine.succeed("grep -Fq hidepid=2 /proc/mounts") - -### Additional tests - -# Current time in µs -pre_restart = succeed("date +%s.%6N").rstrip() - -# Sanity-check system by restarting all services -succeed("systemctl restart bitcoind clightning spark-wallet lightning-charge nanopos liquidd") - -# Now that the bitcoind restart triggered a banlist import restart, check that -# re-importing already banned addresses works -machine.wait_until_succeeds( - log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist") -) -assert_no_failure("bitcoind-import-banlist") - -### Test lnd - -succeed("systemctl stop nanopos lightning-charge spark-wallet clightning") -succeed("systemctl start lnd") -assert_matches("su operator -c 'lncli getinfo' | jq", '"version"') -assert_no_failure("lnd") - -### Test loopd - -succeed("systemctl start lightning-loop") -assert_matches("su operator -c 'loop --version'", "version") -# Check that lightning-loop fails with the right error, making sure -# lightning-loop can connect to lnd -machine.wait_until_succeeds( - log_has_string("lightning-loop", "chain notifier RPC isstill in the process of starting") -)