Diffstat (limited to 'nixos/tests/scion/freestanding-deployment/default.nix')
-rw-r--r--nixos/tests/scion/freestanding-deployment/default.nix140
1 files changed, 61 insertions, 79 deletions
diff --git a/nixos/tests/scion/freestanding-deployment/default.nix b/nixos/tests/scion/freestanding-deployment/default.nix
index e060f9c312709..55b2322ab02da 100644
--- a/nixos/tests/scion/freestanding-deployment/default.nix
+++ b/nixos/tests/scion/freestanding-deployment/default.nix
@@ -5,81 +5,8 @@ let
     buildInputs = [
       pkgs.scion
     ];
-  } ''
-    set -euo pipefail
+  } (builtins.readFile ./bootstrap.sh);
 
-    mkdir /tmp/tutorial-scion-certs && cd /tmp/tutorial-scion-certs
-    mkdir AS{1..5}
-
-    # Create voting and root keys and (self-signed) certificates for core ASes
-    pushd AS1
-    scion-pki certificate create --not-after=3650d --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
-    scion-pki certificate create --not-after=3650d --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 regular voting cert"}') regular-voting.pem regular-voting.key
-    scion-pki certificate create --not-after=3650d --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 cp root cert"}') cp-root.pem cp-root.key
-    popd
-
-    pushd AS2
-    scion-pki certificate create --not-after=3650d --profile=cp-root <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 cp root cert"}') cp-root.pem cp-root.key
-    popd
-
-    pushd AS3
-    scion-pki certificate create --not-after=3650d --profile=sensitive-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 sensitive voting cert"}') sensitive-voting.pem sensitive-voting.key
-    scion-pki certificate create --not-after=3650d --profile=regular-voting <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 regular voting cert"}') regular-voting.pem regular-voting.key
-    popd
-
-    # Create the TRC (Trust Root Configuration)
-    mkdir tmp
-    echo '
-    isd = 42
-    description = "Demo ISD 42"
-    serial_version = 1
-    base_version = 1
-    voting_quorum = 2
-
-    core_ases = ["ffaa:1:1", "ffaa:1:2", "ffaa:1:3"]
-    authoritative_ases = ["ffaa:1:1", "ffaa:1:2", "ffaa:1:3"]
-    cert_files = ["AS1/sensitive-voting.pem", "AS1/regular-voting.pem", "AS1/cp-root.pem", "AS2/cp-root.pem", "AS3/sensitive-voting.pem", "AS3/regular-voting.pem"]
-
-    [validity]
-    not_before = '$(date +%s)'
-    validity = "365d"' \
-    > trc-B1-S1-pld.tmpl
-
-    scion-pki trc payload --out=tmp/ISD42-B1-S1.pld.der --template trc-B1-S1-pld.tmpl
-    rm trc-B1-S1-pld.tmpl
-
-    # Sign and bundle the TRC
-    scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS1/sensitive-voting.{pem,key} --out tmp/ISD42-B1-S1.AS1-sensitive.trc
-    scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS1/regular-voting.{pem,key} --out tmp/ISD42-B1-S1.AS1-regular.trc
-    scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS3/sensitive-voting.{pem,key} --out tmp/ISD42-B1-S1.AS3-sensitive.trc
-    scion-pki trc sign tmp/ISD42-B1-S1.pld.der AS3/regular-voting.{pem,key} --out tmp/ISD42-B1-S1.AS3-regular.trc
-
-    scion-pki trc combine tmp/ISD42-B1-S1.AS{1,3}-{sensitive,regular}.trc --payload tmp/ISD42-B1-S1.pld.der --out ISD42-B1-S1.trc
-    rm tmp -r
-
-    # Create CA key and certificate for issuing ASes
-    pushd AS1
-    scion-pki certificate create --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
-    popd
-    pushd AS2
-    scion-pki certificate create --profile=cp-ca <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 CA cert"}') cp-ca.pem cp-ca.key --ca cp-root.pem --ca-key cp-root.key
-    popd
-
-    # Create AS key and certificate chains
-    scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:1", "common_name": "42-ffaa:1:1 AS cert"}') AS1/cp-as.pem AS1/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
-    scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:2", "common_name": "42-ffaa:1:2 AS cert"}') AS2/cp-as.pem AS2/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
-    scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:3", "common_name": "42-ffaa:1:3 AS cert"}') AS3/cp-as.pem AS3/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
-    scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:4", "common_name": "42-ffaa:1:4 AS cert"}') AS4/cp-as.pem AS4/cp-as.key --ca AS1/cp-ca.pem --ca-key AS1/cp-ca.key --bundle
-    scion-pki certificate create --profile=cp-as <(echo '{"isd_as": "42-ffaa:1:5", "common_name": "42-ffaa:1:5 AS cert"}') AS5/cp-as.pem AS5/cp-as.key --ca AS2/cp-ca.pem --ca-key AS2/cp-ca.key --bundle
-
-    for i in {1..5}
-    do
-      mkdir -p $out/AS$i
-      cp AS$i/cp-as.{key,pem} $out/AS$i
-    done
-
-    mv *.trc $out
-  '';
   imports = hostId: [
     ({
       services.scion = {
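Review bot: The PKI bootstrap now comes from `./bootstrap.sh`, which is not part of this diff (the diffstat is limited to default.nix), so it cannot be confirmed here that the script keeps the `set -euo pipefail` the inline version had; without it a failing `scion-pki` step would leave a partial crypto tree that only surfaces later as a verify or ping failure. A one-line comment above the `readFile` recording the contract the rest of this file depends on would help, e.g. `# bootstrap.sh builds the ISD 42 TRC and per-AS cp-as chains; it must keep producing $out/AS<n>/cp-as.{pem,key} and $out/*.trc`. The derivation this call closes begins before the start of the hunk.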
@@ -121,9 +48,47 @@ in
     };
     scion04 = { ... }: {
       imports = (imports 4);
+      networking.interfaces."lo".ipv4.addresses = [{ address = "172.16.1.1"; prefixLength = 32; }];
+      services.scion.scion-ip-gateway = {
+        enable = true;
+        config = {
+          tunnel = {
+            src_ipv4 = "172.16.1.1";
+          };
+        };
+        trafficConfig = {
+          ASes = {
+            "42-ffaa:1:5" = {
+              Nets = [
+                "172.16.100.0/24"
+              ];
+            };
+          };
+          ConfigVersion = 9001;
+        };
+      };
     };
     scion05 = { ... }: {
       imports = (imports 5);
+      networking.interfaces."lo".ipv4.addresses = [{ address = "172.16.100.1"; prefixLength = 32; }];
+      services.scion.scion-ip-gateway = {
+        enable = true;
+        config = {
+          tunnel = {
+            src_ipv4 = "172.16.100.1";
+          };
+        };
+        trafficConfig = {
+          ASes = {
+            "42-ffaa:1:4" = {
+              Nets = [
+                "172.16.1.0/24"
+              ];
+            };
+          };
+          ConfigVersion = 9001;
+        };
+      };
     };
   };
   testScript = let
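Review bot: The two scion-ip-gateway blocks on scion04 and scion05 are mirror images that differ only in the local address, the peer AS and the peer prefix, and `ConfigVersion = 9001;` is an unexplained magic value repeated in both. Factoring them through a small helper in the surrounding `let` (outside this hunk) keeps the pair in sync and derives the lo address and `tunnel.src_ipv4` from a single value so they cannot drift apart; the version constant then has one documented home, e.g. `# ConfigVersion: presumably a version stamp of this traffic policy; bump when the policy changes`. The sketch below shows the shape; scion01–scion03 are untouched.
```nix
# in the surrounding `let` (outside this hunk): one SIG host definition from three values
mkGateway = { src, peerAs, peerNet }: {
  networking.interfaces."lo".ipv4.addresses = [ { address = src; prefixLength = 32; } ];
  services.scion.scion-ip-gateway = {
    enable = true;
    config.tunnel.src_ipv4 = src;
    trafficConfig = {
      ASes.${peerAs}.Nets = [ peerNet ];
      # ConfigVersion: presumably a version stamp of this traffic policy; bump when the policy changes
      ConfigVersion = 9001;
    };
  };
};
# … unchanged: scion01–scion03 …
scion04 = { ... }: {
  imports = (imports 4) ++ [ (mkGateway { src = "172.16.1.1"; peerAs = "42-ffaa:1:5"; peerNet = "172.16.100.0/24"; }) ];
};
scion05 = { ... }: {
  imports = (imports 5) ++ [ (mkGateway { src = "172.16.100.1"; peerAs = "42-ffaa:1:4"; peerNet = "172.16.1.0/24"; }) ];
};
```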
@@ -131,25 +96,35 @@ in
       addresses="42-ffaa:1:1 42-ffaa:1:2 42-ffaa:1:3 42-ffaa:1:4 42-ffaa:1:5"
       timeout=100
       wait_for_all() {
+        ret=0
         for as in "$@"
         do
           scion showpaths $as --no-probe > /dev/null
-          return 1
+          ret=$?
+          if [ "$ret" -ne "0" ]; then
+            break
+          fi
         done
-        return 0
+        return $ret
       }
       ping_all() {
+        ret=0
         for as in "$@"
         do
           scion ping "$as,127.0.0.1" -c 3
+          ret=$?
+          if [ "$ret" -ne "0" ]; then
+            break
+          fi
         done
-        return 0
+        return $ret
       }
       for i in $(seq 0 $timeout); do
-        wait_for_all $addresses && exit 0
-        ping_all $addresses && exit 0
         sleep 1
+        wait_for_all $addresses || continue
+        ping_all $addresses && exit 0
       done
+      exit 1
     '';
   in
   ''
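Review bot: In `wait_for_all` and `ping_all` the new `ret=$?` lines only take effect if the script is not running under `set -e`; the shell preamble is outside this hunk so I cannot tell, but with errexit on a failing `scion showpaths` or `scion ping` aborts the whole script before `ret` is assigned and the `for i in $(seq …)` retry loop never gets its chance. Writing the check as `scion showpaths "$as" --no-probe > /dev/null || { ret=$?; break; }` (and the same shape for `scion ping "$as,127.0.0.1" -c 3`) is correct under either setting and also drops the three-line if block; `local ret=0` would keep the variable from leaking into the caller. Separately, the retry loop is not bounded to 100 s of wall clock, since every iteration also spends the time of the showpaths calls and the `-c 3` pings, so the `timeout=100` name is somewhat misleading.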
@@ -183,9 +158,16 @@ in
     # Wait for scion-control.service on all instances
     wait_for_unit("scion-control.service")
 
+    # Ensure cert is valid against TRC
+    succeed("scion-pki certificate verify --trc /etc/scion/certs/*.trc /etc/scion/crypto/as/*.pem >&2")
+
     # Execute pingAll command on all instances
     succeed("${pingAll} >&2")
 
+    # Execute ICMP pings across scion-ip-gateway
+    scion04.succeed("ping -c 3 172.16.100.1 >&2")
+    scion05.succeed("ping -c 3 172.16.1.1 >&2")
+
     # Restart all scion services and ping again to test robustness
     succeed("systemctl restart scion-* >&2")
     succeed("${pingAll} >&2")
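Review bot: The robustness check at the end restarts `scion-*` and repeats `${pingAll}` but not the two gateway pings added above it, so a scion-ip-gateway that does not come back after the restart, or loses its tunnel route, would go unnoticed; unless the testScript already does so past the end of this hunk, repeating `scion04.succeed("ping -c 3 172.16.100.1 >&2")` and `scion05.succeed("ping -c 3 172.16.1.1 >&2")` after the restart closes that gap. The `scion-pki certificate verify` line relies on the shell globs expanding to exactly one TRC and one chain file; that holds for the material this test generates, but a short comment such as `# exactly one TRC and one AS chain are installed per host` would record the assumption. The verify step itself is a good addition, since inconsistent generated crypto now fails with a PKI error instead of an opaque path or ping timeout.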