[jackhill/guix/guix.git] / gnu / tests / ssh.scm

;;; GNU Guix --- Functional package management for GNU
;;; Copyright © 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
;;;
;;; This file is part of GNU Guix.
;;;
;;; GNU Guix is free software; you can redistribute it and/or modify it
;;; under the terms of the GNU General Public License as published by
;;; the Free Software Foundation; either version 3 of the License, or (at
;;; your option) any later version.
;;;
;;; GNU Guix is distributed in the hope that it will be useful, but
;;; WITHOUT ANY WARRANTY; without even the implied warranty of
;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
;;; GNU General Public License for more details.
;;;
;;; You should have received a copy of the GNU General Public License
;;; along with GNU Guix.  If not, see <http://www.gnu.org/licenses/>.

(define-module (gnu tests ssh)
  #:use-module (gnu tests)
  #:use-module (gnu system)
  #:use-module (gnu system vm)
  #:use-module (gnu services)
  #:use-module (gnu services ssh)
  #:use-module (gnu services networking)
  #:use-module (gnu packages ssh)
  #:use-module (guix gexp)
  #:use-module (guix store)
  #:export (%test-openssh
            %test-dropbear))

(define* (run-ssh-test name ssh-service pid-file
                       #:key (sftp? #f) (test-getlogin? #t))
  "Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
SSH-SERVICE must be configured to listen on port 22 and to allow for root and
empty-password logins.

When SFTP? is true, run an SFTP server test."
  (define os
    (marionette-operating-system
     (simple-operating-system (service dhcp-client-service-type) ssh-service)
     #:imported-modules '((gnu services herd)
                          (guix combinators))))
  (define vm
    (virtual-machine
     (operating-system os)
     (port-forwardings '((2222 . 22)))))

  (define test
    (with-imported-modules '((gnu build marionette))
      (with-extensions (list guile-ssh)
        #~(begin
            (use-modules (gnu build marionette)
                         (srfi srfi-26)
                         (srfi srfi-64)
                         (ice-9 textual-ports)
                         (ice-9 match)
                         (ssh session)
                         (ssh auth)
                         (ssh channel)
                         (ssh popen)
                         (ssh sftp))

            (define marionette
              ;; Enable TCP forwarding of the guest's port 22.
              (make-marionette (list #$vm)))

            (define (make-session-for-test)
              "Make a session with predefined parameters for a test."
              (make-session #:user "root"
                            #:port 2222
                            #:host "localhost"
                            #:log-verbosity 'protocol))

            (define (call-with-connected-session proc)
              "Call the one-argument procedure PROC with a freshly created and
connected SSH session object, return the result of the procedure call.  The
session is disconnected when the PROC is finished."
              (let ((session (make-session-for-test)))
                (dynamic-wind
                  (lambda ()
                    (let ((result (connect! session)))
                      (unless (equal? result 'ok)
                        (error "Could not connect to a server"
                               session result))))
                  (lambda () (proc session))
                  (lambda () (disconnect! session)))))

            (define (call-with-connected-session/auth proc)
              "Make an authenticated session.  We should be able to connect as
root with an empty password."
              (call-with-connected-session
               (lambda (session)
                 ;; Try the simple authentication methods.  Dropbear requires
                 ;; 'none' when there are no passwords, whereas OpenSSH accepts
                 ;; 'password' with an empty password.
                 (let loop ((methods (list (cut userauth-password! <> "")
                                           (cut userauth-none! <>))))
                   (match methods
                     (()
                      (error "all the authentication methods failed"))
                     ((auth rest ...)
                      (match (pk 'auth (auth session))
                        ('success
                         (proc session))
                        ('denied
                         (loop rest)))))))))

            (mkdir #$output)
            (chdir #$output)

            (test-begin "ssh-daemon")

            ;; Wait for sshd to be up and running.
            (test-assert "service running"
              (marionette-eval
               '(begin
                  (use-modules (gnu services herd))
                  (start-service 'ssh-daemon))
               marionette))

            ;; Check sshd's PID file.
            (test-equal "sshd PID"
              (wait-for-file #$pid-file marionette)
              (marionette-eval
               '(begin
                  (use-modules (gnu services herd)
                               (srfi srfi-1))

                  (live-service-running
                   (find (lambda (live)
                           (memq 'ssh-daemon
                                 (live-service-provision live)))
                         (current-services))))
               marionette))

            ;; Connect to the guest over SSH.  Make sure we can run a shell
            ;; command there.
            (test-equal "shell command"
              'hello
              (call-with-connected-session/auth
               (lambda (session)
                 ;; FIXME: 'get-server-public-key' segfaults.
                 ;; (get-server-public-key session)
                 (let ((channel (make-channel session)))
                   (channel-open-session channel)
                   (channel-request-exec channel "echo hello > /root/witness")
                   (and (zero? (channel-get-exit-status channel))
                        (wait-for-file "/root/witness" marionette))))))

            ;; Check whether the 'getlogin' procedure returns the right thing.
            (unless #$test-getlogin?
              (test-skip 1))
            (test-equal "getlogin"
              '(0 "root")
              (call-with-connected-session/auth
               (lambda (session)
                 (let* ((pipe   (open-remote-input-pipe
                                 session
                                 "guile -c '(display (getlogin))'"))
                        (output (get-string-all pipe))
                        (status (channel-get-exit-status pipe)))
                   (list status output)))))

            ;; Connect to the guest over SFTP.  Make sure we can write and
            ;; read a file there.
            (unless #$sftp?
              (test-skip 1))
            (test-equal "SFTP file writing and reading"
              'hello
              (call-with-connected-session/auth
               (lambda (session)
                 (let ((sftp-session (make-sftp-session session))
                       (witness "/root/sftp-witness"))
                   (call-with-remote-output-file sftp-session witness
                                                 (cut display "hello" <>))
                   (call-with-remote-input-file sftp-session witness
                                                read)))))

            ;; Connect to the guest over SSH.  Make sure we can run commands
            ;; from the system profile.
            (test-equal "run executables from system profile"
              #t
              (call-with-connected-session/auth
               (lambda (session)
                 (let ((channel (make-channel session)))
                   (channel-open-session channel)
                   (channel-request-exec
                    channel
                    (string-append
                     "mkdir -p /root/.guix-profile/bin && "
                     "touch /root/.guix-profile/bin/path-witness && "
                     "chmod 755 /root/.guix-profile/bin/path-witness"))
                   (zero? (channel-get-exit-status channel))))))

            ;; Connect to the guest over SSH.  Make sure we can run commands
            ;; from the user profile.
            (test-equal "run executable from user profile"
              #t
              (call-with-connected-session/auth
               (lambda (session)
                 (let ((channel (make-channel session)))
                   (channel-open-session channel)
                   (channel-request-exec channel "path-witness")
                   (zero? (channel-get-exit-status channel))))))

            (test-end)
            (exit (= (test-runner-fail-count (test-runner-current)) 0))))))

  (gexp->derivation name test))

(define %test-openssh
  (system-test
   (name "openssh")
   (description "Connect to a running OpenSSH daemon.")
   (value (run-ssh-test name
                        ;; Allow root logins with an empty password to
                        ;; simplify testing.
                        (service openssh-service-type
                                 (openssh-configuration
                                  (permit-root-login #t)
                                  (allow-empty-passwords? #t)))
                        "/var/run/sshd.pid"
                        #:sftp? #t))))

(define %test-dropbear
  (system-test
   (name "dropbear")
   (description "Connect to a running Dropbear SSH daemon.")
   (value (run-ssh-test name
                        (service dropbear-service-type
                                 (dropbear-configuration
                                  (root-login? #t)
                                  (allow-empty-passwords? #t)))
                        "/var/run/dropbear.pid"

                        ;; XXX: Our Dropbear is not built with PAM support.
                        ;; Even when it is, it seems to ignore the PAM
                        ;; 'session' requirements.
                        #:test-getlogin? #f))))
Commit	Line	Data
d5b0c902	1	;;; GNU Guix --- Functional package management for GNU
e6b1a224	2	;;; Copyright © 2016, 2017, 2018, 2019 Ludovic Courtès <ludo@gnu.org>
c24b1547	3	;;; Copyright © 2017, 2018 Clément Lassieur <clement@lassieur.org>
5d7141cd	4	;;; Copyright © 2017 Marius Bakke <mbakke@fastmail.com>
d5b0c902 LC	5	;;;
	6	;;; This file is part of GNU Guix.
	7	;;;
	8	;;; GNU Guix is free software; you can redistribute it and/or modify it
	9	;;; under the terms of the GNU General Public License as published by
	10	;;; the Free Software Foundation; either version 3 of the License, or (at
	11	;;; your option) any later version.
	12	;;;
	13	;;; GNU Guix is distributed in the hope that it will be useful, but
	14	;;; WITHOUT ANY WARRANTY; without even the implied warranty of
	15	;;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
	16	;;; GNU General Public License for more details.
	17	;;;
	18	;;; You should have received a copy of the GNU General Public License
	19	;;; along with GNU Guix. If not, see <http://www.gnu.org/licenses/>.
	20
	21	(define-module (gnu tests ssh)
	22	#:use-module (gnu tests)
	23	#:use-module (gnu system)
d5b0c902 LC	24	#:use-module (gnu system vm)
d5b0c902 LC	25	#:use-module (gnu services)
d5b0c902 LC	26	#:use-module (gnu services ssh)
	27	#:use-module (gnu services networking)
	28	#:use-module (gnu packages ssh)
	29	#:use-module (guix gexp)
	30	#:use-module (guix store)
2b436389 LC	31	#:export (%test-openssh
2b436389 LC	32	%test-dropbear))
d5b0c902	33
e6b1a224 LC	34	(define* (run-ssh-test name ssh-service pid-file
e6b1a224 LC	35	#:key (sftp? #f) (test-getlogin? #t))
0e598850 LC	36	"Run a test of an OS running SSH-SERVICE, which writes its PID to PID-FILE.
0e598850 LC	37	SSH-SERVICE must be configured to listen on port 22 and to allow for root and
36f666c6 CL	38	empty-password logins.
	39
	40	When SFTP? is true, run an SFTP server test."
8b113790 LC	41	(define os
8b113790 LC	42	(marionette-operating-system
39d7fdce	43	(simple-operating-system (service dhcp-client-service-type) ssh-service)
8b113790 LC	44	#:imported-modules '((gnu services herd)
	45	(guix combinators))))
	46	(define vm
	47	(virtual-machine
	48	(operating-system os)
	49	(port-forwardings '((2222 . 22)))))
	50
	51	(define test
	52	(with-imported-modules '((gnu build marionette))
ff913cf5 LC	53	(with-extensions (list guile-ssh)
	54	#~(begin
	55	(use-modules (gnu build marionette)
	56	(srfi srfi-26)
	57	(srfi srfi-64)
e6b1a224	58	(ice-9 textual-ports)
ff913cf5 LC	59	(ice-9 match)
	60	(ssh session)
	61	(ssh auth)
	62	(ssh channel)
e6b1a224	63	(ssh popen)
ff913cf5 LC	64	(ssh sftp))
	65
	66	(define marionette
	67	;; Enable TCP forwarding of the guest's port 22.
	68	(make-marionette (list #$vm)))
	69
	70	(define (make-session-for-test)
	71	"Make a session with predefined parameters for a test."
	72	(make-session #:user "root"
	73	#:port 2222
	74	#:host "localhost"
	75	#:log-verbosity 'protocol))
	76
	77	(define (call-with-connected-session proc)
	78	"Call the one-argument procedure PROC with a freshly created and
cfaf4d11 CL	79	connected SSH session object, return the result of the procedure call. The
cfaf4d11 CL	80	session is disconnected when the PROC is finished."
ff913cf5 LC	81	(let ((session (make-session-for-test)))
	82	(dynamic-wind
	83	(lambda ()
	84	(let ((result (connect! session)))
	85	(unless (equal? result 'ok)
	86	(error "Could not connect to a server"
	87	session result))))
	88	(lambda () (proc session))
	89	(lambda () (disconnect! session)))))
	90
	91	(define (call-with-connected-session/auth proc)
	92	"Make an authenticated session. We should be able to connect as
cfaf4d11	93	root with an empty password."
ff913cf5 LC	94	(call-with-connected-session
	95	(lambda (session)
	96	;; Try the simple authentication methods. Dropbear requires
	97	;; 'none' when there are no passwords, whereas OpenSSH accepts
	98	;; 'password' with an empty password.
	99	(let loop ((methods (list (cut userauth-password! <> "")
	100	(cut userauth-none! <>))))
	101	(match methods
	102	(()
	103	(error "all the authentication methods failed"))
	104	((auth rest ...)
	105	(match (pk 'auth (auth session))
	106	('success
	107	(proc session))
	108	('denied
	109	(loop rest)))))))))
	110
	111	(mkdir #$output)
	112	(chdir #$output)
	113
	114	(test-begin "ssh-daemon")
	115
	116	;; Wait for sshd to be up and running.
c24b1547	117	(test-assert "service running"
ff913cf5 LC	118	(marionette-eval
	119	'(begin
	120	(use-modules (gnu services herd))
c24b1547	121	(start-service 'ssh-daemon))
ff913cf5 LC	122	marionette))
	123
	124	;; Check sshd's PID file.
	125	(test-equal "sshd PID"
	126	(wait-for-file #$pid-file marionette)
	127	(marionette-eval
	128	'(begin
	129	(use-modules (gnu services herd)
	130	(srfi srfi-1))
	131
	132	(live-service-running
	133	(find (lambda (live)
	134	(memq 'ssh-daemon
	135	(live-service-provision live)))
	136	(current-services))))
	137	marionette))
	138
	139	;; Connect to the guest over SSH. Make sure we can run a shell
	140	;; command there.
	141	(test-equal "shell command"
	142	'hello
	143	(call-with-connected-session/auth
	144	(lambda (session)
	145	;; FIXME: 'get-server-public-key' segfaults.
	146	;; (get-server-public-key session)
	147	(let ((channel (make-channel session)))
	148	(channel-open-session channel)
	149	(channel-request-exec channel "echo hello > /root/witness")
	150	(and (zero? (channel-get-exit-status channel))
	151	(wait-for-file "/root/witness" marionette))))))
	152
e6b1a224 LC	153	;; Check whether the 'getlogin' procedure returns the right thing.
	154	(unless #$test-getlogin?
	155	(test-skip 1))
	156	(test-equal "getlogin"
	157	'(0 "root")
	158	(call-with-connected-session/auth
	159	(lambda (session)
	160	(let* ((pipe (open-remote-input-pipe
	161	session
	162	"guile -c '(display (getlogin))'"))
	163	(output (get-string-all pipe))
	164	(status (channel-get-exit-status pipe)))
	165	(list status output)))))
	166
ff913cf5 LC	167	;; Connect to the guest over SFTP. Make sure we can write and
	168	;; read a file there.
	169	(unless #$sftp?
	170	(test-skip 1))
	171	(test-equal "SFTP file writing and reading"
	172	'hello
	173	(call-with-connected-session/auth
	174	(lambda (session)
	175	(let ((sftp-session (make-sftp-session session))
	176	(witness "/root/sftp-witness"))
	177	(call-with-remote-output-file sftp-session witness
	178	(cut display "hello" <>))
	179	(call-with-remote-input-file sftp-session witness
	180	read)))))
	181
	182	;; Connect to the guest over SSH. Make sure we can run commands
	183	;; from the system profile.
	184	(test-equal "run executables from system profile"
	185	#t
	186	(call-with-connected-session/auth
	187	(lambda (session)
	188	(let ((channel (make-channel session)))
	189	(channel-open-session channel)
	190	(channel-request-exec
	191	channel
	192	(string-append
	193	"mkdir -p /root/.guix-profile/bin && "
	194	"touch /root/.guix-profile/bin/path-witness && "
	195	"chmod 755 /root/.guix-profile/bin/path-witness"))
	196	(zero? (channel-get-exit-status channel))))))
	197
	198	;; Connect to the guest over SSH. Make sure we can run commands
	199	;; from the user profile.
	200	(test-equal "run executable from user profile"
	201	#t
	202	(call-with-connected-session/auth
	203	(lambda (session)
	204	(let ((channel (make-channel session)))
	205	(channel-open-session channel)
	206	(channel-request-exec channel "path-witness")
	207	(zero? (channel-get-exit-status channel))))))
	208
	209	(test-end)
	210	(exit (= (test-runner-fail-count (test-runner-current)) 0))))))
8b113790 LC	211
8b113790 LC	212	(gexp->derivation name test))
d5b0c902 LC	213
	214	(define %test-openssh
	215	(system-test
	216	(name "openssh")
	217	(description "Connect to a running OpenSSH daemon.")
0e598850 LC	218	(value (run-ssh-test name
	219	;; Allow root logins with an empty password to
	220	;; simplify testing.
	221	(service openssh-service-type
	222	(openssh-configuration
	223	(permit-root-login #t)
	224	(allow-empty-passwords? #t)))
36f666c6 CL	225	"/var/run/sshd.pid"
36f666c6 CL	226	#:sftp? #t))))
2b436389 LC	227
	228	(define %test-dropbear
	229	(system-test
	230	(name "dropbear")
	231	(description "Connect to a running Dropbear SSH daemon.")
	232	(value (run-ssh-test name
	233	(service dropbear-service-type
	234	(dropbear-configuration
	235	(root-login? #t)
	236	(allow-empty-passwords? #t)))
e6b1a224 LC	237	"/var/run/dropbear.pid"
	238
	239	;; XXX: Our Dropbear is not built with PAM support.
	240	;; Even when it is, it seems to ignore the PAM
	241	;; 'session' requirements.
	242	#:test-getlogin? #f))))