;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2022 muradm <mail@muradm.net>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

;;; System tests for the fail2ban service.  The three exported %test-* values
;;; are <system-test> records: a basic run with the default configuration, a
;;; "simple" run with one explicitly configured jail, and an "extension" run
;;; where the jail is attached to the OpenSSH service.
(define-module (gnu tests security)
  #:use-module (guix gexp)                ; gexps, program-file, file-append
  #:use-module (gnu packages admin)       ; the fail2ban package
  #:use-module (gnu services)             ; service
  #:use-module (gnu services security)    ; fail2ban-service-type and records
  #:use-module (gnu services ssh)         ; openssh-service-type (extension test)
  #:use-module (gnu system)
  #:use-module (gnu system vm)            ; virtual-machine
  #:use-module (gnu tests)                ; system-test, marionette helpers
  #:export (%test-fail2ban-basic
            %test-fail2ban-extension
            %test-fail2ban-simple))
31 | |
\f
;;;
;;; fail2ban tests
;;;

;;; FAIL2BAN-TEST expands to a thunk that returns the derivation of a system
;;; test called TEST-NAME.  TEST-OS is the <operating-system> to boot (it is
;;; wrapped with the marionette service); TESTS-MORE are additional SRFI-64
;;; forms spliced into the test body after the common checks.  Inside those
;;; forms the variable MARIONETTE names the running machine.
;;;
;;; The common checks exercise the service lifecycle: start 'fail2ban', wait
;;; for its control socket, restart it, wait again, then verify that the PID
;;; file and the log file exist.
(define-syntax-rule (fail2ban-test test-name test-os tests-more ...)
  (lambda ()
    (let* ((os (marionette-operating-system
                test-os
                #:imported-modules '((gnu services herd))))
           (vm (virtual-machine
                (operating-system os)
                (port-forwardings '())))
           (builder
            (with-imported-modules '((gnu build marionette)
                                     (guix build utils))
              #~(begin
                  (use-modules (srfi srfi-64)
                               (gnu build marionette))

                  ;; Visible to the TESTS-MORE forms below.
                  (define marionette (make-marionette (list #$vm)))

                  (test-runner-current (system-test-runner #$output))
                  (test-begin test-name)

                  ;; Start, then wait for the daemon's control socket.
                  (test-assert "fail2ban running"
                    (marionette-eval
                     '(begin
                        (use-modules (gnu services herd))
                        (start-service 'fail2ban))
                     marionette))

                  (test-assert "fail2ban socket ready"
                    (wait-for-unix-socket
                     "/var/run/fail2ban/fail2ban.sock" marionette))

                  ;; Same again after a restart.
                  (test-assert "fail2ban running after restart"
                    (marionette-eval
                     '(begin
                        (use-modules (gnu services herd))
                        (restart-service 'fail2ban))
                     marionette))

                  (test-assert "fail2ban socket ready after restart"
                    (wait-for-unix-socket
                     "/var/run/fail2ban/fail2ban.sock" marionette))

                  ;; Files the running server is expected to have created.
                  (test-assert "fail2ban pid ready"
                    (marionette-eval
                     '(file-exists? "/var/run/fail2ban/fail2ban.pid")
                     marionette))

                  (test-assert "fail2ban log file"
                    (marionette-eval
                     '(file-exists? "/var/log/fail2ban.log")
                     marionette))

                  tests-more ...

                  (test-end)))))
      (gexp->derivation test-name builder))))
98 | |
;;; Thunk for the "basic" scenario: fail2ban-service-type with no explicit
;;; configuration (so the service type's default is used) and no checks
;;; beyond the common ones performed by FAIL2BAN-TEST.
(define run-fail2ban-basic-test
  (fail2ban-test
   "fail2ban-basic-test"

   (simple-operating-system
    (service fail2ban-service-type))))
105 | |
;;; <system-test> record for the basic scenario; VALUE is the derivation
;;; produced by RUN-FAIL2BAN-BASIC-TEST.
(define %test-fail2ban-basic
  (system-test
   (name "fail2ban-basic")
   (description "Test basic fail2ban running capability.")
   (value (run-fail2ban-basic-test))))
111 | |
;;; Wrapper script around fail2ban-server that always passes the PID file and
;;; control socket paths the service is tested against, so a test can run
;;; "fail2ban-server-cmd status sshd" and reach the running daemon.  Every
;;; argument given to the wrapper (argv[0] excluded) is appended to the
;;; fail2ban-server command line.
(define %fail2ban-server-cmd
  (program-file
   "fail2ban-server-cmd"
   #~(let* ((server #$(file-append fail2ban "/bin/fail2ban-server"))
            (fixed-args (list "-p" "/var/run/fail2ban/fail2ban.pid"
                              "-s" "/var/run/fail2ban/fail2ban.sock"))
            (user-args (cdr (program-arguments))))
       ;; execl replaces this process; argv[0] is the server path itself.
       (apply execl server server (append fixed-args user-args)))))
120 | |
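;;; Thunk for the "simple" scenario: fail2ban-service-type configured
;;; explicitly with a single "sshd" jail.  On top of the common checks it runs
;;; the fail2ban-server wrapper and compares the jail status report and the
;;; exit code against what a freshly started, idle jail prints.
(define run-fail2ban-simple-test
  (fail2ban-test
   ;; Was "fail2ban-basic-test", which duplicated run-fail2ban-basic-test's
   ;; name in the SRFI-64 report and derivation; use this scenario's own name.
   "fail2ban-simple-test"

   (simple-operating-system
    (service fail2ban-service-type (fail2ban-configuration
                                    (jails (list (fail2ban-jail-configuration
                                                  (name "sshd")))))))

   (test-equal "fail2ban sshd jail running status output"
     '("Status for the jail: sshd"
       "|- Filter"
       "| |- Currently failed:\t0"
       "| |- Total failed:\t0"
       "| `- File list:\t/var/log/secure"
       "`- Actions"
       " |- Currently banned:\t0"
       " |- Total banned:\t0"
       " `- Banned IP list:\t"
       "")
     (marionette-eval
      '(begin
         (use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports))
         ;; Run PROGRAM with ARGS directly (no shell) and return two values:
         ;; everything written to stdout and everything written to stderr.
         ;; stdout is drained first; then our copy of the stderr write end is
         ;; closed so that the stderr read reaches EOF once the child exits.
         (let ((call-command
                (lambda (program . args)
                  (let* ((err-cons (pipe))
                         (port (with-error-to-port (cdr err-cons)
                                 (lambda ()
                                   (apply open-pipe* OPEN_READ program args))))
                         ;; Large user-space buffer on the stderr read side.
                         (_ (setvbuf (car err-cons) 'block
                                     (* 1024 1024 16)))
                         (out (read-delimited "" port)))
                    (close-port (cdr err-cons))
                    (let ((err (read-delimited "" (car err-cons))))
                      ;; Reap the child rather than leaving a zombie behind.
                      (close-pipe port)
                      (close-port (car err-cons))
                      (values out err))))))
           ;; Only stdout is compared; take it explicitly instead of relying
           ;; on extra return values being silently dropped.
           (call-with-values
               (lambda ()
                 (call-command #$%fail2ban-server-cmd "status" "sshd"))
             (lambda (out err)
               (string-split out #\newline)))))
      marionette))

   (test-equal "fail2ban sshd jail running exit code"
     0
     (marionette-eval
      '(status:exit-val (system* #$%fail2ban-server-cmd "status" "sshd"))
      marionette))))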
165 | |
;;; <system-test> record for the single-jail scenario; VALUE is the
;;; derivation produced by RUN-FAIL2BAN-SIMPLE-TEST.
(define %test-fail2ban-simple
  (system-test
   (name "fail2ban-simple")
   (description "Test simple fail2ban running capability.")
   (value (run-fail2ban-simple-test))))
171 | |
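;;; Thunk for the "extension" scenario: instead of configuring fail2ban
;;; directly, the "sshd" jail is attached to openssh-service-type through
;;; FAIL2BAN-JAIL-SERVICE, so enabling OpenSSH also registers the jail.  The
;;; extra checks are the same status-report and exit-code comparisons as in
;;; the simple scenario.
(define run-fail2ban-extension-test
  (fail2ban-test
   "fail2ban-extension-test"

   (simple-operating-system
    (service (fail2ban-jail-service openssh-service-type
                                    (fail2ban-jail-configuration
                                     (name "sshd") (enabled? #t)))
             (openssh-configuration)))

   (test-equal "fail2ban sshd jail running status output"
     '("Status for the jail: sshd"
       "|- Filter"
       "| |- Currently failed:\t0"
       "| |- Total failed:\t0"
       "| `- File list:\t/var/log/secure"
       "`- Actions"
       " |- Currently banned:\t0"
       " |- Total banned:\t0"
       " `- Banned IP list:\t"
       "")
     (marionette-eval
      '(begin
         (use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports))
         ;; Run PROGRAM with ARGS directly (no shell) and return two values:
         ;; everything written to stdout and everything written to stderr.
         ;; stdout is drained first; then our copy of the stderr write end is
         ;; closed so that the stderr read reaches EOF once the child exits.
         (let ((call-command
                (lambda (program . args)
                  (let* ((err-cons (pipe))
                         (port (with-error-to-port (cdr err-cons)
                                 (lambda ()
                                   (apply open-pipe* OPEN_READ program args))))
                         ;; Large user-space buffer on the stderr read side.
                         (_ (setvbuf (car err-cons) 'block
                                     (* 1024 1024 16)))
                         (out (read-delimited "" port)))
                    (close-port (cdr err-cons))
                    (let ((err (read-delimited "" (car err-cons))))
                      ;; Reap the child rather than leaving a zombie behind.
                      (close-pipe port)
                      (close-port (car err-cons))
                      (values out err))))))
           ;; Only stdout is compared; take it explicitly instead of relying
           ;; on extra return values being silently dropped.
           (call-with-values
               (lambda ()
                 (call-command #$%fail2ban-server-cmd "status" "sshd"))
             (lambda (out err)
               (string-split out #\newline)))))
      marionette))

   (test-equal "fail2ban sshd jail running exit code"
     0
     (marionette-eval
      '(status:exit-val (system* #$%fail2ban-server-cmd "status" "sshd"))
      marionette))))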
216 | |
;;; <system-test> record for the OpenSSH-extension scenario; VALUE is the
;;; derivation produced by RUN-FAIL2BAN-EXTENSION-TEST.
(define %test-fail2ban-extension
  (system-test
   (name "fail2ban-extension")
   (description "Test extension fail2ban running capability.")
   (value (run-fail2ban-extension-test))))