nixpkgs/nixos/tests/dhparams.nix

let
  common = { pkgs, ... }: {
    security.dhparams.enable = true;
    environment.systemPackages = [ pkgs.openssl ];
  };

in import ./make-test.nix {
  name = "dhparams";

  nodes.generation1 = { pkgs, config, ... }: {
    imports = [ common ];
    security.dhparams.params = {
      # Use low values here because we don't want the test to run for ages.
      foo.bits = 16;
      # Also use the old format to make sure the type is coerced in the right
      # way.
      bar = 17;
    };

    systemd.services.foo = {
      description = "Check systemd Ordering";
      wantedBy = [ "multi-user.target" ];
      unitConfig = {
        # This is to make sure that the dhparams generation of foo occurs
        # before this service so we need this service to start as early as
        # possible to provoke a race condition.
        DefaultDependencies = false;

        # We check later whether the service has been started or not.
        ConditionPathExists = config.security.dhparams.params.foo.path;
      };
      serviceConfig.Type = "oneshot";
      serviceConfig.RemainAfterExit = true;
      # The reason we only provide an ExecStop here is to ensure that we don't
      # accidentally trigger an error because a file system is not yet ready
      # during very early startup (we might not even have the Nix store
      # available, for example if future changes in NixOS use systemd mount
      # units to do early file system initialisation).
      serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";
    };
  };

  nodes.generation2 = {
    imports = [ common ];
    security.dhparams.params.foo.bits = 18;
  };

  nodes.generation3 = common;

  nodes.generation4 = {
    imports = [ common ];
    security.dhparams.stateful = false;
    security.dhparams.params.foo2.bits = 18;
    security.dhparams.params.bar2.bits = 19;
  };

  nodes.generation5 = {
    imports = [ common ];
    security.dhparams.defaultBitSize = 30;
    security.dhparams.params.foo3 = {};
    security.dhparams.params.bar3 = {};
  };

  testScript = { nodes, ... }: let
    getParamPath = gen: name: let
      node = "generation${toString gen}";
    in nodes.${node}.config.security.dhparams.params.${name}.path;

    assertParamBits = gen: name: bits: let
      path = getParamPath gen name;
    in ''
      $machine->nest('check bit size of ${path}', sub {
        my $out = $machine->succeed('openssl dhparam -in ${path} -text');
        $out =~ /^\s*DH Parameters:\s+\((\d+)\s+bit\)\s*$/m;
        die "bit size should be ${toString bits} but it is $1 instead."
          if $1 != ${toString bits};
      });
    '';

    switchToGeneration = gen: let
      node = "generation${toString gen}";
      inherit (nodes.${node}.config.system.build) toplevel;
      switchCmd = "${toplevel}/bin/switch-to-configuration test";
    in ''
      $machine->nest('switch to generation ${toString gen}', sub {
        $machine->succeed('${switchCmd}');
        $main::machine = ''$${node};
      });
    '';

  in ''
    my $machine = $generation1;

    $machine->waitForUnit('multi-user.target');

    subtest "verify startup order", sub {
      $machine->succeed('systemctl is-active foo.service');
    };

    subtest "check bit sizes of dhparam files", sub {
      ${assertParamBits 1 "foo" 16}
      ${assertParamBits 1 "bar" 17}
    };

    ${switchToGeneration 2}

    subtest "check whether bit size has changed", sub {
      ${assertParamBits 2 "foo" 18}
    };

    subtest "ensure that dhparams file for 'bar' was deleted", sub {
      $machine->fail('test -e ${getParamPath 1 "bar"}');
    };

    ${switchToGeneration 3}

    subtest "ensure that 'security.dhparams.path' has been deleted", sub {
      $machine->fail(
        'test -e ${nodes.generation3.config.security.dhparams.path}'
      );
    };

    ${switchToGeneration 4}

    subtest "check bit sizes dhparam files", sub {
      ${assertParamBits 4 "foo2" 18}
      ${assertParamBits 4 "bar2" 19}
    };

    subtest "check whether dhparam files are in the Nix store", sub {
      $machine->succeed(
        'expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}',
        'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}',
      );
    };

    ${switchToGeneration 5}

    subtest "check whether defaultBitSize works as intended", sub {
      ${assertParamBits 5 "foo3" 30}
      ${assertParamBits 5 "bar3" 30}
    };
  '';
}
nixos/dhparams: Add a VM test We're going to make changes to the dhparams module so we really want to make sure we don't break it, so having a NixOS VM test is to make sure we don't blow things up and can iterate on it. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:09:05 +02:00			`let`
			`common = { pkgs, ... }: {`
			`security.dhparams.enable = true;`
			`environment.systemPackages = [ pkgs.openssl ];`
			`};`

			`in import ./make-test.nix {`
			`name = "dhparams";`

			`nodes.generation1 = { pkgs, config, ... }: {`
			`imports = [ common ];`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:19:48 +02:00			`security.dhparams.params = {`
			`# Use low values here because we don't want the test to run for ages.`
			`foo.bits = 16;`
			`# Also use the old format to make sure the type is coerced in the right`
			`# way.`
			`bar = 17;`
			`};`
nixos/dhparams: Add a VM test We're going to make changes to the dhparams module so we really want to make sure we don't break it, so having a NixOS VM test is to make sure we don't blow things up and can iterate on it. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:09:05 +02:00
			`systemd.services.foo = {`
			`description = "Check systemd Ordering";`
			`wantedBy = [ "multi-user.target" ];`
			`unitConfig = {`
			`# This is to make sure that the dhparams generation of foo occurs`
			`# before this service so we need this service to start as early as`
			`# possible to provoke a race condition.`
			`DefaultDependencies = false;`

			`# We check later whether the service has been started or not.`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:19:48 +02:00			`ConditionPathExists = config.security.dhparams.params.foo.path;`
nixos/dhparams: Add a VM test We're going to make changes to the dhparams module so we really want to make sure we don't break it, so having a NixOS VM test is to make sure we don't blow things up and can iterate on it. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:09:05 +02:00			`};`
			`serviceConfig.Type = "oneshot";`
			`serviceConfig.RemainAfterExit = true;`
			`# The reason we only provide an ExecStop here is to ensure that we don't`
			`# accidentally trigger an error because a file system is not yet ready`
			`# during very early startup (we might not even have the Nix store`
			`# available, for example if future changes in NixOS use systemd mount`
			`# units to do early file system initialisation).`
			`serviceConfig.ExecStop = "${pkgs.coreutils}/bin/true";`
			`};`
			`};`

			`nodes.generation2 = {`
			`imports = [ common ];`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:19:48 +02:00			`security.dhparams.params.foo.bits = 18;`
nixos/dhparams: Add a VM test We're going to make changes to the dhparams module so we really want to make sure we don't break it, so having a NixOS VM test is to make sure we don't blow things up and can iterate on it. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:09:05 +02:00			`};`

			`nodes.generation3 = common;`

nixos/dhparams: Introduce a 'stateful' option This option allows us to turn off stateful generation of Diffie-Hellman parameters, which in some way is still stateful as the generated DH params file is non-deterministic. However what we can avoid with this is to have an increased surface for failures during system startup, because generation of the parameters is done during build-time. Another advantage of this is that we no longer need to take care of cleaning up the files that are no longer used and in my humble opinion I would have preferred that #11505 (which puts the dhparams in the Nix store) would have been merged instead of #22634 (which we have now). Luckily we can still change that and this change gives the user the option to put the dhparams into the Nix store. Beside of the more obvious advantages pointed out here, this also effects test runtime if more services are starting to use this (for example see #39507 and #39288), because generating DH params could take a long time depending on the bit size which adds up to test runtime. If we generate the DH params in a separate derivation, subsequent test runs won't need to wait for DH params generation during bootup. Of course, tests could still mock this by force-disabling the service and adding a service or activation script that places pre-generated DH params in /var/lib/dhparams but this would make tests less readable and the workaround would have to be made for each test affected. Note that the 'stateful' option is still true by default so that we are backwards-compatible with existing systems. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog, @abbradar, @fpletz 2018-04-26 06:38:02 +02:00			`nodes.generation4 = {`
			`imports = [ common ];`
			`security.dhparams.stateful = false;`
			`security.dhparams.params.foo2.bits = 18;`
			`security.dhparams.params.bar2.bits = 19;`
			`};`

nixos/dhparams: Add a defaultBitSize option This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig <aszlig@nix.build> 2018-05-07 04:33:56 +02:00			`nodes.generation5 = {`
			`imports = [ common ];`
			`security.dhparams.defaultBitSize = 30;`
			`security.dhparams.params.foo3 = {};`
			`security.dhparams.params.bar3 = {};`
			`};`

nixos/dhparams: Add a VM test We're going to make changes to the dhparams module so we really want to make sure we don't break it, so having a NixOS VM test is to make sure we don't blow things up and can iterate on it. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:09:05 +02:00			`testScript = { nodes, ... }: let`
			`getParamPath = gen: name: let`
			`node = "generation${toString gen}";`
nixos/dhparams: Turn params into a submodule We're going to implement an option which allows us to turn off stateful handling of Diffie-Hellman parameter files by putting them into the Nix store. However, modules now might need a way to reference these files, so we add a now path option to every param specified, which carries a read-only value of the path where to find the corresponding DH params file. I've also improved the description of security.dhparams.params a bit so that it uses <warning/> and <note/>. The NixOS VM test also reflects this change and checks whether the old way to specify the bit size still works. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:19:48 +02:00			`in nodes.${node}.config.security.dhparams.params.${name}.path;`
nixos/dhparams: Add a VM test We're going to make changes to the dhparams module so we really want to make sure we don't break it, so having a NixOS VM test is to make sure we don't blow things up and can iterate on it. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:09:05 +02:00
			`assertParamBits = gen: name: bits: let`
			`path = getParamPath gen name;`
			`in ''`
			`$machine->nest('check bit size of ${path}', sub {`
			`my $out = $machine->succeed('openssl dhparam -in ${path} -text');`
			`$out =~ /^\sDH Parameters:\s+\((\d+)\s+bit\)\s$/m;`
			`die "bit size should be ${toString bits} but it is $1 instead."`
			`if $1 != ${toString bits};`
			`});`
			`'';`

			`switchToGeneration = gen: let`
			`node = "generation${toString gen}";`
			`inherit (nodes.${node}.config.system.build) toplevel;`
			`switchCmd = "${toplevel}/bin/switch-to-configuration test";`
			`in ''`
			`$machine->nest('switch to generation ${toString gen}', sub {`
			`$machine->succeed('${switchCmd}');`
			`$main::machine = ''$${node};`
			`});`
			`'';`

			`in ''`
			`my $machine = $generation1;`

			`$machine->waitForUnit('multi-user.target');`

			`subtest "verify startup order", sub {`
			`$machine->succeed('systemctl is-active foo.service');`
			`};`

			`subtest "check bit sizes of dhparam files", sub {`
			`${assertParamBits 1 "foo" 16}`
			`${assertParamBits 1 "bar" 17}`
			`};`

			`${switchToGeneration 2}`

			`subtest "check whether bit size has changed", sub {`
			`${assertParamBits 2 "foo" 18}`
			`};`

			`subtest "ensure that dhparams file for 'bar' was deleted", sub {`
			`$machine->fail('test -e ${getParamPath 1 "bar"}');`
			`};`

			`${switchToGeneration 3}`

			`subtest "ensure that 'security.dhparams.path' has been deleted", sub {`
			`$machine->fail(`
			`'test -e ${nodes.generation3.config.security.dhparams.path}'`
			`);`
			`};`
nixos/dhparams: Introduce a 'stateful' option This option allows us to turn off stateful generation of Diffie-Hellman parameters, which in some way is still stateful as the generated DH params file is non-deterministic. However what we can avoid with this is to have an increased surface for failures during system startup, because generation of the parameters is done during build-time. Another advantage of this is that we no longer need to take care of cleaning up the files that are no longer used and in my humble opinion I would have preferred that #11505 (which puts the dhparams in the Nix store) would have been merged instead of #22634 (which we have now). Luckily we can still change that and this change gives the user the option to put the dhparams into the Nix store. Beside of the more obvious advantages pointed out here, this also effects test runtime if more services are starting to use this (for example see #39507 and #39288), because generating DH params could take a long time depending on the bit size which adds up to test runtime. If we generate the DH params in a separate derivation, subsequent test runs won't need to wait for DH params generation during bootup. Of course, tests could still mock this by force-disabling the service and adding a service or activation script that places pre-generated DH params in /var/lib/dhparams but this would make tests less readable and the workaround would have to be made for each test affected. Note that the 'stateful' option is still true by default so that we are backwards-compatible with existing systems. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog, @abbradar, @fpletz 2018-04-26 06:38:02 +02:00
			`${switchToGeneration 4}`

			`subtest "check bit sizes dhparam files", sub {`
			`${assertParamBits 4 "foo2" 18}`
			`${assertParamBits 4 "bar2" 19}`
			`};`

			`subtest "check whether dhparam files are in the Nix store", sub {`
			`$machine->succeed(`
			`'expr match ${getParamPath 4 "foo2"} ${builtins.storeDir}',`
			`'expr match ${getParamPath 4 "bar2"} ${builtins.storeDir}',`
			`);`
			`};`
nixos/dhparams: Add a defaultBitSize option This allows to set the default bit size for all the Diffie-Hellman parameters defined in security.dhparams.params and it's particularly useful so that we can set it to a very low value in tests (so it doesn't take ages to generate). Regardless for the use in testing, this also has an impact in production systems if the owner wants to set all of them to a different size than 2048, they don't need to set it individually for every params that are set. I've added a subtest to the "dhparams" NixOS test to ensure this is working properly. Signed-off-by: aszlig <aszlig@nix.build> 2018-05-07 04:33:56 +02:00
			`${switchToGeneration 5}`

			`subtest "check whether defaultBitSize works as intended", sub {`
			`${assertParamBits 5 "foo3" 30}`
			`${assertParamBits 5 "bar3" 30}`
			`};`
nixos/dhparams: Add a VM test We're going to make changes to the dhparams module so we really want to make sure we don't break it, so having a NixOS VM test is to make sure we don't blow things up and can iterate on it. Signed-off-by: aszlig <aszlig@nix.build> Cc: @Ekleog 2018-04-26 06:09:05 +02:00			`'';`
			`}`