diff options
Diffstat (limited to 'nixos/tests/fscrypt.nix')
-rw-r--r-- | nixos/tests/fscrypt.nix | 50 |
1 files changed, 50 insertions, 0 deletions
diff --git a/nixos/tests/fscrypt.nix b/nixos/tests/fscrypt.nix new file mode 100644 index 0000000000000..03367979359bd --- /dev/null +++ b/nixos/tests/fscrypt.nix @@ -0,0 +1,50 @@ +import ./make-test-python.nix ({ ... }: +{ + name = "fscrypt"; + + nodes.machine = { pkgs, ... }: { + imports = [ ./common/user-account.nix ]; + security.pam.enableFscrypt = true; + }; + + testScript = '' + def login_as_alice(): + machine.wait_until_tty_matches("1", "login: ") + machine.send_chars("alice\n") + machine.wait_until_tty_matches("1", "Password: ") + machine.send_chars("foobar\n") + machine.wait_until_tty_matches("1", "alice\@machine") + + + def logout(): + machine.send_chars("logout\n") + machine.wait_until_tty_matches("1", "login: ") + + + machine.wait_for_unit("default.target") + + with subtest("Enable fscrypt on filesystem"): + machine.succeed("tune2fs -O encrypt /dev/vda") + machine.succeed("fscrypt setup --quiet --force --time=1ms") + + with subtest("Set up alice with an fscrypt-enabled home directory"): + machine.succeed("(echo foobar; echo foobar) | passwd alice") + machine.succeed("chown -R alice.users ~alice") + machine.succeed("echo foobar | fscrypt encrypt --skip-unlock --source=pam_passphrase --user=alice /home/alice") + + with subtest("Create file as alice"): + login_as_alice() + machine.succeed("echo hello > /home/alice/world") + logout() + # Wait for logout to be processed + machine.sleep(1) + + with subtest("File should not be readable without being logged in as alice"): + machine.fail("cat /home/alice/world") + + with subtest("File should be readable again as alice"): + login_as_alice() + machine.succeed("cat /home/alice/world") + logout() + ''; +}) |