From: muradm <mail@muradm.net>
To: 56608@debbugs.gnu.org, Maxim Cournoyer <maxim.cournoyer@gmail.com>
Subject: [bug#56608] [PATCH v2 2/2] gnu: tests: Add fail2ban tests.
Date: Mon, 22 Aug 2022 20:26:07 +0300 [thread overview]
Message-ID: <20220822172607.31515-3-mail@muradm.net> (raw)
In-Reply-To: <20220822172607.31515-1-mail@muradm.net>
* gnu/tests/security.scm: New module.
* gnu/local.mk: Add new security module.
---
gnu/local.mk | 1 +
gnu/tests/security.scm | 314 +++++++++++++++++++++++++++++++++++++++++
2 files changed, 315 insertions(+)
create mode 100644 gnu/tests/security.scm
diff --git a/gnu/local.mk b/gnu/local.mk
index acd41797b9..31569033bc 100644
--- a/gnu/local.mk
+++ b/gnu/local.mk
@@ -758,6 +758,7 @@ GNU_SYSTEM_MODULES = \
%D%/tests/package-management.scm \
%D%/tests/reconfigure.scm \
%D%/tests/rsync.scm \
+ %D%/tests/security.scm \
%D%/tests/security-token.scm \
%D%/tests/singularity.scm \
%D%/tests/ssh.scm \
diff --git a/gnu/tests/security.scm b/gnu/tests/security.scm
new file mode 100644
index 0000000000..4003eff1e5
--- /dev/null
+++ b/gnu/tests/security.scm
@@ -0,0 +1,314 @@
+;;; GNU Guix --- Functional package management for GNU
+;;; Copyright © 2022 muradm <mail@muradm.net>
+;;;
+;;; This file is part of GNU Guix.
+;;;
+;;; GNU Guix is free software; you can redistribute it and/or modify it
+;;; under the terms of the GNU General Public License as published by
+;;; the Free Software Foundation; either version 3 of the License, or (at
+;;; your option) any later version.
+;;;
+;;; GNU Guix is distributed in the hope that it will be useful, but
+;;; WITHOUT ANY WARRANTY; without even the implied warranty of
+;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;;; GNU General Public License for more details.
+;;;
+;;; You should have received a copy of the GNU General Public License
+;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
+
+(define-module (gnu tests security)
+ #:use-module (guix gexp)
+ #:use-module (gnu packages admin)
+ #:use-module (gnu services)
+ #:use-module (gnu services security)
+ #:use-module (gnu services ssh)
+ #:use-module (gnu system)
+ #:use-module (gnu system vm)
+ #:use-module (gnu tests)
+ #:export (%test-fail2ban-basic
+ %test-fail2ban-simple
+ %test-fail2ban-extending))
+
+\f
+;;;
+;;; fail2ban tests
+;;;
+
+(define (run-fail2ban-basic-test)
+
+ (define os
+ (marionette-operating-system
+ (simple-operating-system
+ (service fail2ban-service-type))
+ #:imported-modules '((gnu services herd)
+ (guix combinators))))
+
+ (define vm
+ (virtual-machine
+ (operating-system os)
+ (port-forwardings '())))
+
+ (define test
+ (with-imported-modules '((gnu build marionette)
+ (guix build utils))
+ #~(begin
+ (use-modules (srfi srfi-64)
+ (gnu build marionette))
+
+ (define marionette (make-marionette (list #$vm)))
+
+ (define (wait-for-unix-socket-m socket)
+ (wait-for-unix-socket socket marionette))
+
+ (test-runner-current (system-test-runner #$output))
+ (test-begin "fail2ban-basic-test")
+
+ (test-assert "fail2ban running"
+ (marionette-eval
+ '(begin
+ (use-modules (gnu services herd))
+ (start-service 'fail2ban))
+ marionette))
+
+ (test-assert "fail2ban socket ready"
+ (wait-for-unix-socket-m
+ "/var/run/fail2ban/fail2ban.sock"))
+
+ (test-assert "fail2ban pid ready"
+ (marionette-eval
+ '(file-exists? "/var/run/fail2ban/fail2ban.pid")
+ marionette))
+
+ (test-assert "fail2ban log file"
+ (marionette-eval
+ '(file-exists? "/var/log/fail2ban.log")
+ marionette))
+
+ (test-end))))
+
+ (gexp->derivation "fail2ban-basic-test" test))
+
+(define %test-fail2ban-basic
+ (system-test
+ (name "fail2ban-basic")
+ (description "Test basic fail2ban running capability.")
+ (value (run-fail2ban-basic-test))))
+
+(define %fail2ban-server-cmd
+ (program-file
+ "fail2ban-server-cmd"
+ #~(begin
+ (let ((cmd #$(file-append fail2ban "/bin/fail2ban-server")))
+ (apply execl cmd cmd `("-p" "/var/run/fail2ban/fail2ban.pid"
+ "-s" "/var/run/fail2ban/fail2ban.sock"
+ ,@(cdr (program-arguments))))))))
+
+(define (run-fail2ban-simple-test)
+
+ (define os
+ (marionette-operating-system
+ (simple-operating-system
+ (service
+ fail2ban-service-type
+ (fail2ban-configuration
+ (jails
+ (list
+ (fail2ban-jail-configuration (name "sshd") (enabled #t)))))))
+ #:imported-modules '((gnu services herd)
+ (guix combinators))))
+
+ (define vm
+ (virtual-machine
+ (operating-system os)
+ (port-forwardings '())))
+
+ (define test
+ (with-imported-modules '((gnu build marionette)
+ (guix build utils))
+ #~(begin
+ (use-modules (srfi srfi-64)
+ (ice-9 popen)
+ (ice-9 rdelim)
+ (rnrs io ports)
+ (gnu build marionette)
+ (guix build utils))
+
+ (define marionette (make-marionette (list #$vm)))
+
+ (define (wait-for-unix-socket-m socket)
+ (wait-for-unix-socket socket marionette))
+
+ (test-runner-current (system-test-runner #$output))
+ (test-begin "fail2ban-simple-test")
+
+ (test-assert "fail2ban running"
+ (marionette-eval
+ '(begin
+ (use-modules (gnu services herd))
+ (start-service 'fail2ban))
+ marionette))
+
+ (test-assert "fail2ban socket ready"
+ (wait-for-unix-socket-m
+ "/var/run/fail2ban/fail2ban.sock"))
+
+ (test-assert "fail2ban pid ready"
+ (marionette-eval
+ '(file-exists? "/var/run/fail2ban/fail2ban.pid")
+ marionette))
+
+ (test-assert "fail2ban log file"
+ (marionette-eval
+ '(file-exists? "/var/log/fail2ban.log")
+ marionette))
+
+ (test-equal "fail2ban sshd jail running"
+ '("Status for the jail: sshd"
+ "|- Filter"
+ "| |- Currently failed:\t0"
+ "| |- Total failed:\t0"
+ "| `- File list:\t/var/log/secure"
+ "`- Actions"
+ " |- Currently banned:\t0"
+ " |- Total banned:\t0"
+ " `- Banned IP list:\t"
+ "")
+ (marionette-eval
+ '(begin
+ (use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports))
+ (let ((call-command
+ (lambda (cmd)
+ (let* ((err-cons (pipe))
+ (port (with-error-to-port (cdr err-cons)
+ (lambda () (open-input-pipe cmd))))
+ (_ (setvbuf (car err-cons) 'block
+ (* 1024 1024 16)))
+ (result (read-delimited "" port)))
+ (close-port (cdr err-cons))
+ (values result (read-delimited "" (car err-cons)))))))
+ (string-split
+ (call-command
+ (string-join (list #$%fail2ban-server-cmd "status" "sshd") " "))
+ #\newline)))
+ marionette))
+
+ (test-equal "fail2ban sshd jail running"
+ 0
+ (marionette-eval
+ '(status:exit-val (system* #$%fail2ban-server-cmd "status" "sshd"))
+ marionette))
+
+ (test-end))))
+
+ (gexp->derivation "fail2ban-simple-test" test))
+
+(define %test-fail2ban-simple
+ (system-test
+ (name "fail2ban-simple")
+ (description "Test simple fail2ban running capability.")
+ (value (run-fail2ban-simple-test))))
+
+(define (run-fail2ban-extending-test)
+
+ (define os
+ (marionette-operating-system
+ (simple-operating-system
+ (service
+ (fail2ban-jail-service
+ openssh-service-type
+ (fail2ban-jail-configuration
+ (name "sshd") (enabled #t)))
+ (openssh-configuration)))
+ #:imported-modules '((gnu services herd)
+ (guix combinators))))
+
+ (define vm
+ (virtual-machine
+ (operating-system os)
+ (port-forwardings '())))
+
+ (define test
+ (with-imported-modules '((gnu build marionette)
+ (guix build utils))
+ #~(begin
+ (use-modules (srfi srfi-64)
+ (ice-9 popen)
+ (ice-9 rdelim)
+ (rnrs io ports)
+ (gnu build marionette)
+ (guix build utils))
+
+ (define marionette (make-marionette (list #$vm)))
+
+ (define (wait-for-unix-socket-m socket)
+ (wait-for-unix-socket socket marionette))
+
+ (test-runner-current (system-test-runner #$output))
+ (test-begin "fail2ban-extending-test")
+
+ (test-assert "sshd running"
+ (marionette-eval
+ '(begin
+ (use-modules (gnu services herd))
+ (start-service 'ssh-daemon))
+ marionette))
+
+ (test-assert "fail2ban socket ready"
+ (wait-for-unix-socket-m
+ "/var/run/fail2ban/fail2ban.sock"))
+
+ (test-assert "fail2ban pid ready"
+ (marionette-eval
+ '(file-exists? "/var/run/fail2ban/fail2ban.pid")
+ marionette))
+
+ (test-assert "fail2ban log file"
+ (marionette-eval
+ '(file-exists? "/var/log/fail2ban.log")
+ marionette))
+
+ (test-equal "fail2ban sshd jail running"
+ '("Status for the jail: sshd"
+ "|- Filter"
+ "| |- Currently failed:\t0"
+ "| |- Total failed:\t0"
+ "| `- File list:\t/var/log/secure"
+ "`- Actions"
+ " |- Currently banned:\t0"
+ " |- Total banned:\t0"
+ " `- Banned IP list:\t"
+ "")
+ (marionette-eval
+ '(begin
+ (use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports))
+ (let ((call-command
+ (lambda (cmd)
+ (let* ((err-cons (pipe))
+ (port (with-error-to-port (cdr err-cons)
+ (lambda () (open-input-pipe cmd))))
+ (_ (setvbuf (car err-cons) 'block
+ (* 1024 1024 16)))
+ (result (read-delimited "" port)))
+ (close-port (cdr err-cons))
+ (values result (read-delimited "" (car err-cons)))))))
+ (string-split
+ (call-command
+ (string-join (list #$%fail2ban-server-cmd "status" "sshd") " "))
+ #\newline)))
+ marionette))
+
+ (test-equal "fail2ban sshd jail running"
+ 0
+ (marionette-eval
+ '(status:exit-val (system* #$%fail2ban-server-cmd "status" "sshd"))
+ marionette))
+
+ (test-end))))
+
+ (gexp->derivation "fail2ban-extending-test" test))
+
+(define %test-fail2ban-extending
+ (system-test
+ (name "fail2ban-extending")
+ (description "Test extending fail2ban running capability.")
+ (value (run-fail2ban-extending-test))))
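Review bot: in both run-fail2ban-simple-test and run-fail2ban-extending-test the two consecutive test-equal forms carry the same name, "fail2ban sshd jail running" (once for the status text, once for the exit code), which makes srfi-64 output ambiguous when one of them fails; rename the second to something like "fail2ban-server status sshd exit code". The expected status block is also hard-coded down to tab characters and the "/var/log/secure" file list, so any change in fail2ban's status formatting or in the jail's logpath will break the test without indicating a real regression; matching only the "Status for the jail: sshd" line, or comparing after stripping whitespace, would be more robust. The call-command lambda and the expected output list are copied verbatim between the two tests; lifting them into a shared helper (as %fail2ban-server-cmd already is) would keep the two in sync. The outer use-modules of (ice-9 popen), (ice-9 rdelim), (rnrs io ports) and (guix build utils) in the simple and extending tests are unused, since those modules are re-imported inside the marionette-eval where they are actually needed. Finally, every assertion here checks only that the jail is up with zero bans; a test that appends a constructed failed-login line to the monitored log and then asserts that "Currently banned" becomes non-zero would verify that the jail actually acts, which is the property the service exists to provide.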
--
2.37.1