[jackhill/guix/guix.git] / gnu / tests / security.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2022 muradm <mail@muradm.net>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu tests security)
  #:use-module (guix gexp)
  #:use-module (gnu packages admin)
  #:use-module (gnu services)
  #:use-module (gnu services security)
  #:use-module (gnu services ssh)
  #:use-module (gnu system)
  #:use-module (gnu system vm)
  #:use-module (gnu tests)
  #:export (%test-fail2ban-basic
            %test-fail2ban-extension
            %test-fail2ban-simple))

\f
;;;
;;; fail2ban tests
;;;

(define-syntax-rule (fail2ban-test test-name test-os tests-more ...)
  (lambda ()
    (define os
      (marionette-operating-system
       test-os
       #:imported-modules '((gnu services herd))))

    (define vm
      (virtual-machine
       (operating-system os)
       (port-forwardings '())))

    (define test
      (with-imported-modules '((gnu build marionette)
                               (guix build utils))
        #~(begin
            (use-modules (srfi srfi-64)
                         (gnu build marionette))

            (define marionette (make-marionette (list #$vm)))

            (test-runner-current (system-test-runner #$output))
            (test-begin test-name)

            (test-assert "fail2ban running"
              (marionette-eval
               '(begin
                  (use-modules (gnu services herd))
                  (start-service 'fail2ban))
               marionette))

            (test-assert "fail2ban socket ready"
              (wait-for-unix-socket
               "/var/run/fail2ban/fail2ban.sock" marionette))

            (test-assert "fail2ban running after restart"
              (marionette-eval
               '(begin
                  (use-modules (gnu services herd))
                  (restart-service 'fail2ban))
               marionette))

            (test-assert "fail2ban socket ready after restart"
              (wait-for-unix-socket
               "/var/run/fail2ban/fail2ban.sock" marionette))

            (test-assert "fail2ban pid ready"
              (marionette-eval
               '(file-exists? "/var/run/fail2ban/fail2ban.pid")
               marionette))

            (test-assert "fail2ban log file"
              (marionette-eval
               '(file-exists? "/var/log/fail2ban.log")
               marionette))

            tests-more ...

            (test-end))))

    (gexp->derivation test-name test)))

(define run-fail2ban-basic-test
  (fail2ban-test
   "fail2ban-basic-test"

   (simple-operating-system
    (service fail2ban-service-type))))

(define %test-fail2ban-basic
  (system-test
   (name "fail2ban-basic")
   (description "Test basic fail2ban running capability.")
   (value (run-fail2ban-basic-test))))

(define %fail2ban-server-cmd
  (program-file
   "fail2ban-server-cmd"
   #~(begin
       (let ((cmd #$(file-append fail2ban "/bin/fail2ban-server")))
         (apply execl cmd cmd `("-p" "/var/run/fail2ban/fail2ban.pid"
                                "-s" "/var/run/fail2ban/fail2ban.sock"
                                ,@(cdr (program-arguments))))))))

(define run-fail2ban-simple-test
  (fail2ban-test
   "fail2ban-basic-test"

   (simple-operating-system
    (service fail2ban-service-type (fail2ban-configuration
                                    (jails (list (fail2ban-jail-configuration
                                                  (name "sshd")))))))

   (test-equal "fail2ban sshd jail running status output"
     '("Status for the jail: sshd"
       "|- Filter"
       "|  |- Currently failed:\t0"
       "|  |- Total failed:\t0"
       "|  `- File list:\t/var/log/secure"
       "`- Actions"
       "   |- Currently banned:\t0"
       "   |- Total banned:\t0"
       "   `- Banned IP list:\t"
       "")
     (marionette-eval
      '(begin
         (use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports))
         (let ((call-command
                (lambda (cmd)
                  (let* ((err-cons (pipe))
                         (port (with-error-to-port (cdr err-cons)
                                 (lambda () (open-input-pipe cmd))))
                         (_ (setvbuf (car err-cons) 'block
                                     (* 1024 1024 16)))
                         (result (read-delimited "" port)))
                    (close-port (cdr err-cons))
                    (values result (read-delimited "" (car err-cons)))))))
           (string-split
            (call-command
             (string-join (list #$%fail2ban-server-cmd "status" "sshd") " "))
            #\newline)))
      marionette))

   (test-equal "fail2ban sshd jail running exit code"
     0
     (marionette-eval
      '(status:exit-val (system* #$%fail2ban-server-cmd "status" "sshd"))
      marionette))))

(define %test-fail2ban-simple
  (system-test
   (name "fail2ban-simple")
   (description "Test simple fail2ban running capability.")
   (value (run-fail2ban-simple-test))))

(define run-fail2ban-extension-test
  (fail2ban-test
   "fail2ban-extension-test"

   (simple-operating-system
    (service (fail2ban-jail-service openssh-service-type (fail2ban-jail-configuration
                                                          (name "sshd") (enabled? #t)))
             (openssh-configuration)))

   (test-equal "fail2ban sshd jail running status output"
     '("Status for the jail: sshd"
       "|- Filter"
       "|  |- Currently failed:\t0"
       "|  |- Total failed:\t0"
       "|  `- File list:\t/var/log/secure"
       "`- Actions"
       "   |- Currently banned:\t0"
       "   |- Total banned:\t0"
       "   `- Banned IP list:\t"
       "")
     (marionette-eval
      '(begin
         (use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports))
         (let ((call-command
                (lambda (cmd)
                  (let* ((err-cons (pipe))
                         (port (with-error-to-port (cdr err-cons)
                                 (lambda () (open-input-pipe cmd))))
                         (_ (setvbuf (car err-cons) 'block
                                     (* 1024 1024 16)))
                         (result (read-delimited "" port)))
                    (close-port (cdr err-cons))
                    (values result (read-delimited "" (car err-cons)))))))
           (string-split
            (call-command
             (string-join (list #$%fail2ban-server-cmd "status" "sshd") " "))
            #\newline)))
      marionette))

   (test-equal "fail2ban sshd jail running exit code"
     0
     (marionette-eval
      '(status:exit-val (system* #$%fail2ban-server-cmd "status" "sshd"))
      marionette))))

(define %test-fail2ban-extension
  (system-test
   (name "fail2ban-extension")
   (description "Test extension fail2ban running capability.")
   (value (run-fail2ban-extension-test))))
Commit	Line	Data
3c2d2b45	1	;;; GNU Guix --- Functional package management for GNU
	2	;;; Copyright © 2022 muradm <mail@muradm.net>
	3	;;;
	4	;;; This file is part of GNU Guix.
	5	;;;
	6	;;; GNU Guix is free software; you can redistribute it and/or modify it
	7	;;; under the terms of the GNU General Public License as published by
	8	;;; the Free Software Foundation; either version 3 of the License, or (at
	9	;;; your option) any later version.
	10	;;;
	11	;;; GNU Guix is distributed in the hope that it will be useful, but
	12	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	13	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	14	;;; GNU General Public License for more details.
	15	;;;
	16	;;; You should have received a copy of the GNU General Public License
	17	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	18
	19	(define-module (gnu tests security)
	20	#:use-module (guix gexp)
	21	#:use-module (gnu packages admin)
	22	#:use-module (gnu services)
	23	#:use-module (gnu services security)
	24	#:use-module (gnu services ssh)
	25	#:use-module (gnu system)
	26	#:use-module (gnu system vm)
	27	#:use-module (gnu tests)
	28	#:export (%test-fail2ban-basic
	29	%test-fail2ban-extension
	30	%test-fail2ban-simple))
	31
	32	\f
	33	;;;
	34	;;; fail2ban tests
	35	;;;
	36
	37	(define-syntax-rule (fail2ban-test test-name test-os tests-more ...)
	38	(lambda ()
	39	(define os
	40	(marionette-operating-system
	41	test-os
	42	#:imported-modules '((gnu services herd))))
	43
	44	(define vm
	45	(virtual-machine
	46	(operating-system os)
	47	(port-forwardings '())))
	48
	49	(define test
	50	(with-imported-modules '((gnu build marionette)
	51	(guix build utils))
	52	#~(begin
	53	(use-modules (srfi srfi-64)
	54	(gnu build marionette))
	55
	56	(define marionette (make-marionette (list #$vm)))
	57
	58	(test-runner-current (system-test-runner #$output))
	59	(test-begin test-name)
	60
	61	(test-assert "fail2ban running"
	62	(marionette-eval
	63	'(begin
	64	(use-modules (gnu services herd))
65	(start-service 'fail2ban))
66	marionette))
67
68	(test-assert "fail2ban socket ready"
69	(wait-for-unix-socket
70	"/var/run/fail2ban/fail2ban.sock" marionette))
71
72	(test-assert "fail2ban running after restart"
73	(marionette-eval
74	'(begin
75	(use-modules (gnu services herd))
76	(restart-service 'fail2ban))
77	marionette))
78
79	(test-assert "fail2ban socket ready after restart"
80	(wait-for-unix-socket
81	"/var/run/fail2ban/fail2ban.sock" marionette))
82
83	(test-assert "fail2ban pid ready"
84	(marionette-eval
85	'(file-exists? "/var/run/fail2ban/fail2ban.pid")
86	marionette))
87
88	(test-assert "fail2ban log file"
89	(marionette-eval
90	'(file-exists? "/var/log/fail2ban.log")
91	marionette))
92
93	tests-more ...
94
95	(test-end))))
96
97	(gexp->derivation test-name test)))
98
99	(define run-fail2ban-basic-test
100	(fail2ban-test
101	"fail2ban-basic-test"
102
103	(simple-operating-system
104	(service fail2ban-service-type))))
105
106	(define %test-fail2ban-basic
107	(system-test
108	(name "fail2ban-basic")
109	(description "Test basic fail2ban running capability.")
110	(value (run-fail2ban-basic-test))))
111
112	(define %fail2ban-server-cmd
113	(program-file
114	"fail2ban-server-cmd"
115	#~(begin
116	(let ((cmd #$(file-append fail2ban "/bin/fail2ban-server")))
117	(apply execl cmd cmd `("-p" "/var/run/fail2ban/fail2ban.pid"
118	"-s" "/var/run/fail2ban/fail2ban.sock"
119	,@(cdr (program-arguments))))))))
120
121	(define run-fail2ban-simple-test
122	(fail2ban-test
123	"fail2ban-basic-test"
124
125	(simple-operating-system
126	(service fail2ban-service-type (fail2ban-configuration
127	(jails (list (fail2ban-jail-configuration
128	(name "sshd")))))))
129
130	(test-equal "fail2ban sshd jail running status output"
131	'("Status for the jail: sshd"
132	"\|- Filter"
133	"\| \|- Currently failed:\t0"
134	"\| \|- Total failed:\t0"
135	"\| `- File list:\t/var/log/secure"
136	"`- Actions"
137	" \|- Currently banned:\t0"
138	" \|- Total banned:\t0"
139	" `- Banned IP list:\t"
140	"")
141	(marionette-eval
142	'(begin
143	(use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports))
144	(let ((call-command
145	(lambda (cmd)
146	(let* ((err-cons (pipe))
147	(port (with-error-to-port (cdr err-cons)
148	(lambda () (open-input-pipe cmd))))
149	(_ (setvbuf (car err-cons) 'block
150	(* 1024 1024 16)))
151	(result (read-delimited "" port)))
152	(close-port (cdr err-cons))
153	(values result (read-delimited "" (car err-cons)))))))
154	(string-split
155	(call-command
156	(string-join (list #$%fail2ban-server-cmd "status" "sshd") " "))
157	#\newline)))
158	marionette))
159
160	(test-equal "fail2ban sshd jail running exit code"
161	0
162	(marionette-eval
163	'(status:exit-val (system* #$%fail2ban-server-cmd "status" "sshd"))
164	marionette))))
165
166	(define %test-fail2ban-simple
167	(system-test
168	(name "fail2ban-simple")
169	(description "Test simple fail2ban running capability.")
170	(value (run-fail2ban-simple-test))))
171
172	(define run-fail2ban-extension-test
173	(fail2ban-test
174	"fail2ban-extension-test"
175
176	(simple-operating-system
177	(service (fail2ban-jail-service openssh-service-type (fail2ban-jail-configuration
178	(name "sshd") (enabled? #t)))
179	(openssh-configuration)))
180
181	(test-equal "fail2ban sshd jail running status output"
182	'("Status for the jail: sshd"
183	"\|- Filter"
184	"\| \|- Currently failed:\t0"
185	"\| \|- Total failed:\t0"
186	"\| `- File list:\t/var/log/secure"
187	"`- Actions"
188	" \|- Currently banned:\t0"
189	" \|- Total banned:\t0"
190	" `- Banned IP list:\t"
191	"")
192	(marionette-eval
193	'(begin
194	(use-modules (ice-9 rdelim) (ice-9 popen) (rnrs io ports))
195	(let ((call-command
196	(lambda (cmd)
197	(let* ((err-cons (pipe))
198	(port (with-error-to-port (cdr err-cons)
199	(lambda () (open-input-pipe cmd))))
200	(_ (setvbuf (car err-cons) 'block
201	(* 1024 1024 16)))
202	(result (read-delimited "" port)))
203	(close-port (cdr err-cons))
204	(values result (read-delimited "" (car err-cons)))))))
205	(string-split
206	(call-command
207	(string-join (list #$%fail2ban-server-cmd "status" "sshd") " "))
208	#\newline)))
209	marionette))
210
211	(test-equal "fail2ban sshd jail running exit code"
212	0
213	(marionette-eval
214	'(status:exit-val (system* #$%fail2ban-server-cmd "status" "sshd"))
215	marionette))))
216
217	(define %test-fail2ban-extension
218	(system-test
219	(name "fail2ban-extension")
220	(description "Test extension fail2ban running capability.")
221	(value (run-fail2ban-extension-test))))