Subject: [bug#56608] [PATCH v2 2/2] gnu: tests: Add fail2ban tests.
From: Maxim Cournoyer
To: muradm
Cc: 56608@debbugs.gnu.org
Date: Mon, 22 Aug 2022 15:13:09 -0400
Message-ID: <87edx8gkhm.fsf@gmail.com>
In-Reply-To: <20220822172607.31515-3-mail@muradm.net> (muradm's message of "Mon, 22 Aug 2022 20:26:07 +0300")
References: <87edxxqpg3.fsf@gmail.com> <20220822172607.31515-1-mail@muradm.net> <20220822172607.31515-3-mail@muradm.net>
Hi,

muradm writes:

[...]

> --- /dev/null
> +++ b/gnu/tests/security.scm

I'd keep the tests with the introductory commit (squashed in preceding one).
> @@ -0,0 +1,314 @@ > +;;; GNU Guix --- Functional package management for GNU > +;;; Copyright =C2=A9 2022 muradm > +;;; > +;;; This file is part of GNU Guix. > +;;; > +;;; GNU Guix is free software; you can redistribute it and/or modify it > +;;; under the terms of the GNU General Public License as published by > +;;; the Free Software Foundation; either version 3 of the License, or (at > +;;; your option) any later version. > +;;; > +;;; GNU Guix is distributed in the hope that it will be useful, but > +;;; WITHOUT ANY WARRANTY; without even the implied warranty of > +;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the > +;;; GNU General Public License for more details. > +;;; > +;;; You should have received a copy of the GNU General Public License > +;;; along with GNU Guix. If not, see . > + > +(define-module (gnu tests security) > + #:use-module (guix gexp) > + #:use-module (gnu packages admin) > + #:use-module (gnu services) > + #:use-module (gnu services security) > + #:use-module (gnu services ssh) > + #:use-module (gnu system) > + #:use-module (gnu system vm) > + #:use-module (gnu tests) > + #:export (%test-fail2ban-basic > + %test-fail2ban-simple > + %test-fail2ban-extending)) > + > + > +;;; > +;;; fail2ban tests > +;;; > + > +(define (run-fail2ban-basic-test) > + > + (define os > + (marionette-operating-system > + (simple-operating-system > + (service fail2ban-service-type)) > + #:imported-modules '((gnu services herd) > + (guix combinators)))) ^ (guix combinators) seems unused > + (define vm > + (virtual-machine > + (operating-system os) > + (port-forwardings '()))) (define vm (virtual-machine (operating-system os))) should be sufficient. 
> + > + (define test > + (with-imported-modules '((gnu build marionette) > + (guix build utils)) > + #~(begin > + (use-modules (srfi srfi-64) > + (gnu build marionette)) > + > + (define marionette (make-marionette (list #$vm))) > + > + (define (wait-for-unix-socket-m socket) > + (wait-for-unix-socket socket marionette)) Overkill as used once in scope. > + > + (test-runner-current (system-test-runner #$output)) > + (test-begin "fail2ban-basic-test") > + > + (test-assert "fail2ban running" > + (marionette-eval > + '(begin > + (use-modules (gnu services herd)) > + (start-service 'fail2ban)) > + marionette)) I like to test that services can be restarted too, as in my experience there can be races and other situations that may cause them to fail restarting. > + > + (test-assert "fail2ban socket ready" > + (wait-for-unix-socket-m > + "/var/run/fail2ban/fail2ban.sock")) Same comment as above. > + (test-assert "fail2ban pid ready" > + (marionette-eval > + '(file-exists? "/var/run/fail2ban/fail2ban.pid") > + marionette)) > + > + (test-assert "fail2ban log file" > + (marionette-eval > + '(file-exists? 
"/var/log/fail2ban.log") > + marionette)) > + > + (test-end)))) > + > + (gexp->derivation "fail2ban-basic-test" test)) > + > +(define %test-fail2ban-basic > + (system-test > + (name "fail2ban-basic") > + (description "Test basic fail2ban running capability.") > + (value (run-fail2ban-basic-test)))) > + > +(define %fail2ban-server-cmd > + (program-file > + "fail2ban-server-cmd" > + #~(begin > + (let ((cmd #$(file-append fail2ban "/bin/fail2ban-server"))) > + (apply execl cmd cmd `("-p" "/var/run/fail2ban/fail2ban.pid" > + "-s" "/var/run/fail2ban/fail2ban.sock" > + ,@(cdr (program-arguments)))))))) > + > +(define (run-fail2ban-simple-test) > + > + (define os > + (marionette-operating-system > + (simple-operating-system > + (service > + fail2ban-service-type > + (fail2ban-configuration > + (jails > + (list > + (fail2ban-jail-configuration (name "sshd") (enabled #t))))))) > + #:imported-modules '((gnu services herd) > + (guix combinators)))) ^ (guix combinators) not needed =20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20=20= =20=20=20=20 > + > + (define vm > + (virtual-machine > + (operating-system os) > + (port-forwardings '()))) Same comment as above. > + (define test > + (with-imported-modules '((gnu build marionette) > + (guix build utils)) > + #~(begin > + (use-modules (srfi srfi-64) > + (ice-9 popen) > + (ice-9 rdelim) > + (rnrs io ports) > + (gnu build marionette) > + (guix build utils)) > + > + (define marionette (make-marionette (list #$vm))) > + > + (define (wait-for-unix-socket-m socket) > + (wait-for-unix-socket socket marionette)) Likewise. 
> + (test-runner-current (system-test-runner #$output)) > + (test-begin "fail2ban-simple-test") > + > + (test-assert "fail2ban running" > + (marionette-eval > + '(begin > + (use-modules (gnu services herd)) > + (start-service 'fail2ban)) > + marionette)) > + > + (test-assert "fail2ban socket ready" > + (wait-for-unix-socket-m > + "/var/run/fail2ban/fail2ban.sock")) > + > + (test-assert "fail2ban pid ready" > + (marionette-eval > + '(file-exists? "/var/run/fail2ban/fail2ban.pid") > + marionette)) > + > + (test-assert "fail2ban log file" > + (marionette-eval > + '(file-exists? "/var/log/fail2ban.log") > + marionette)) > + > + (test-equal "fail2ban sshd jail running" > + '("Status for the jail: sshd" > + "|- Filter" > + "| |- Currently failed:\t0" > + "| |- Total failed:\t0" > + "| `- File list:\t/var/log/secure" > + "`- Actions" > + " |- Currently banned:\t0" > + " |- Total banned:\t0" > + " `- Banned IP list:\t" > + "") > + (marionette-eval > + '(begin > + (use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports= )) > + (let ((call-command > + (lambda (cmd) > + (let* ((err-cons (pipe)) > + (port (with-error-to-port (cdr err-cons) > + (lambda () (open-input-pipe cmd)= ))) > + (_ (setvbuf (car err-cons) 'block > + (* 1024 1024 16))) > + (result (read-delimited "" port))) > + (close-port (cdr err-cons)) > + (values result (read-delimited "" (car err-co= ns))))))) > + (string-split > + (call-command > + (string-join (list #$%fail2ban-server-cmd "status" "= sshd") " ")) > + #\newline))) > + marionette)) Perhaps this could be turned into an Shepherd action, and the Guile procedure could do the above to return the text output; to simplify the test and reduce boilerplate, while providing value to the user. 
> + > + (test-equal "fail2ban sshd jail running" > + 0 > + (marionette-eval > + '(status:exit-val (system* #$%fail2ban-server-cmd "status" = "sshd")) > + marionette)) > + > + (test-end)))) > + > + (gexp->derivation "fail2ban-simple-test" test)) > + > +(define %test-fail2ban-simple > + (system-test > + (name "fail2ban-simple") > + (description "Test simple fail2ban running capability.") > + (value (run-fail2ban-simple-test)))) > + > +(define (run-fail2ban-extending-test) > + > + (define os > + (marionette-operating-system > + (simple-operating-system > + (service > + (fail2ban-jail-service > + openssh-service-type > + (fail2ban-jail-configuration > + (name "sshd") (enabled #t))) > + (openssh-configuration))) > + #:imported-modules '((gnu services herd) > + (guix combinators)))) Same comment as above w.r.t. (guix combinators) > + > + (define vm > + (virtual-machine > + (operating-system os) > + (port-forwardings '()))) Same comment as above. > + (define test > + (with-imported-modules '((gnu build marionette) > + (guix build utils)) > + #~(begin > + (use-modules (srfi srfi-64) > + (ice-9 popen) > + (ice-9 rdelim) > + (rnrs io ports) > + (gnu build marionette) > + (guix build utils)) > + > + (define marionette (make-marionette (list #$vm))) > + > + (define (wait-for-unix-socket-m socket) > + (wait-for-unix-socket socket marionette)) Same comment as above. > + (test-runner-current (system-test-runner #$output)) > + (test-begin "fail2ban-extending-test") > + > + (test-assert "sshd running" > + (marionette-eval > + '(begin > + (use-modules (gnu services herd)) > + (start-service 'ssh-daemon)) > + marionette)) > + > + (test-assert "fail2ban socket ready" > + (wait-for-unix-socket-m > + "/var/run/fail2ban/fail2ban.sock")) > + > + (test-assert "fail2ban pid ready" > + (marionette-eval > + '(file-exists? "/var/run/fail2ban/fail2ban.pid") > + marionette)) > + > + (test-assert "fail2ban log file" > + (marionette-eval > + '(file-exists? 
"/var/log/fail2ban.log") > + marionette)) > + > + (test-equal "fail2ban sshd jail running" > + '("Status for the jail: sshd" > + "|- Filter" > + "| |- Currently failed:\t0" > + "| |- Total failed:\t0" > + "| `- File list:\t/var/log/secure" > + "`- Actions" > + " |- Currently banned:\t0" > + " |- Total banned:\t0" > + " `- Banned IP list:\t" > + "") > + (marionette-eval > + '(begin > + (use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports= )) > + (let ((call-command > + (lambda (cmd) > + (let* ((err-cons (pipe)) > + (port (with-error-to-port (cdr err-cons) > + (lambda () (open-input-pipe cmd)= ))) > + (_ (setvbuf (car err-cons) 'block > + (* 1024 1024 16))) > + (result (read-delimited "" port))) > + (close-port (cdr err-cons)) > + (values result (read-delimited "" (car err-co= ns))))))) > + (string-split > + (call-command > + (string-join (list #$%fail2ban-server-cmd "status" "= sshd") " ")) > + #\newline))) > + marionette)) > + > + (test-equal "fail2ban sshd jail running" > + 0 > + (marionette-eval > + '(status:exit-val (system* #$%fail2ban-server-cmd "status" = "sshd")) > + marionette)) > + > + (test-end)))) > + > + (gexp->derivation "fail2ban-extending-test" test)) > + > +(define %test-fail2ban-extending Perhaps %test-fail2ban-extension ? Otherwise, that last test seems to test exactly the same things as the preceding one, so there should be a procedure to generate the test, taking the OS as an argument to avoid code duplication. Thanks for working on this! Maxim
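Review bot: in both the simple and the extending test, two consecutive `test-equal` forms carry the same name, "fail2ban sshd jail running"; the first compares the text printed by `fail2ban-server status sshd`, the second checks that its exit status is 0, so whichever one fails is reported under an ambiguous name in the test log. Rename the second to something like "fail2ban-server status sshd exits 0". In the extending test, the only service started explicitly is `'ssh-daemon`, after which the test immediately waits on `/var/run/fail2ban/fail2ban.sock`; adding a "fail2ban running" `test-assert` that calls `(start-service 'fail2ban)`, as the basic and simple tests already do, would make the dependency the test relies on (the jail service pulling fail2ban in) explicit and turn a socket timeout into a clear failure. The expected status text also hardcodes "/var/log/secure" and tab characters, so a change to the log location in the fail2ban configuration or to the upstream status layout will break the comparison; matching only the lines that carry the jail name and the banned counts would be more robust.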