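# Use a separate accountd server process
#
# This section exercises lacme(8) talking to a dedicated lacme-accountd(1)
# running as its own unprivileged user: the socket-directory permission checks
# (non-existent and world-writable parents must be rejected), %-expansion of the
# default socket path, logging of errors and signature requests, and removal of
# the socket on shutdown.
# NOTE(review): the bare grep(1)/test(1) lines below only abort the run if
# `set -e` is enabled earlier in this file — confirm.  `! cmd` is exempt from
# errexit, which is why every negated command carries an explicit `|| fail`.
adduser --disabled-password \
--home /home/lacme-account \
--gecos "lacme account user" \
--quiet lacme-account
# non-existent parent directory
! lacme --socket="/nonexistent/S.lacme" account 2>"$STDERR" || fail
grepstderr -Fxq "Error: stat(/nonexistent): No such file or directory"
# world-writable parent directory
! lacme --socket="/tmp/S.lacme" account 2>"$STDERR" || fail
grepstderr -Fxq "Error: Insecure permissions on /tmp"
# missing socket
SOCKET=~lacme-account/S.lacme
! lacme --socket="$SOCKET" account 2>"$STDERR" || fail
grepstderr -Fxq "Can't stat $SOCKET: No such file or directory (Is lacme-accountd running?)"
#######################################################################
# missing configuration at default location
! runuser -u lacme-account -- lacme-accountd --debug 2>"$STDERR" || fail
grepstderr -Fxq "Ignoring missing configuration file at default location /home/lacme-account/.config/lacme/lacme-accountd.conf"
grepstderr -Fxq "Error: 'privkey' is not specified"
# config and state directories are created 0700 so the account key is only
# readable by the accountd user
install -olacme-account -glacme-account -Ddm0700 -- \
~lacme-account/.config/lacme ~lacme-account/.local/share/lacme
mv -t ~lacme-account/.config/lacme /etc/lacme/account.key
chown lacme-account: ~lacme-account/.config/lacme/account.key
cat >~lacme-account/.config/lacme/lacme-accountd.conf <<-EOF
privkey = file:%E/lacme/account.key
logfile = %h/.local/share/lacme/accountd.log
EOF
# non-existent parent directory
! runuser -u lacme-account -- lacme-accountd --socket="/nonexistent/S.lacme" 2>"$STDERR" || fail
grepstderr -Fxq "Error: stat(/nonexistent): No such file or directory"
# world-writable parent directory
! runuser -u lacme-account -- lacme-accountd --socket="%T/S.lacme" account 2>"$STDERR" || fail
grepstderr -Fxq "Error: Insecure permissions on /tmp"
# unset XDG_RUNTIME_DIR
! runuser -u lacme-account -- lacme-accountd 2>"$STDERR" || fail
grepstderr "Error: Undefined expansion %t in \"%t/S.lacme\""
# non-existent $XDG_RUNTIME_DIR
! runuser -u lacme-account -- env XDG_RUNTIME_DIR="/nonexistent" lacme-accountd 2>"$STDERR" || fail
grepstderr -Fxq "Error: stat(/nonexistent): No such file or directory"
# test running accountd
runuser -u lacme-account -- env XDG_RUNTIME_DIR=/home/lacme-account lacme-accountd --debug 2>"$STDERR" & PID=$!
sleep 1  # give accountd time to start and bind its socket before signalling it
kill "$PID" || fail
# NOTE(review): a bare `wait` always returns 0, so `|| fail` here is a no-op;
# use `wait "$PID"` if the daemon's exit status after SIGTERM should be checked.
wait || fail
grepstderr -Fxq "Using configuration file: /home/lacme-account/.config/lacme/lacme-accountd.conf"
grepstderr -Fxq "Starting lacme Account Key Manager at /home/lacme-account/S.lacme"
# make sure errors are logged too
grep -F "Error: " ~lacme-account/.local/share/lacme/accountd.log
# rotate the log and start accountd
rm -f ~lacme-account/.local/share/lacme/accountd.log
runuser -u lacme-account -- lacme-accountd --socket="$SOCKET" --quiet & PID=$!
# run lacme(8) multiple times using that single lacme-accountd(1) instance
lacme --socket="$SOCKET" --debug account 2>"$STDERR" || fail
grepstderr -F "Received extra greeting data from accountd:"
lacme --socket="$SOCKET" newOrder 2>"$STDERR" || fail
test /etc/lacme/simpletest.rsa.crt -nt /etc/lacme/simpletest.rsa.key
# terminate accountd and check that it removes the socket
kill "$PID"
wait
# `! test` is exempt from errexit, so the negation needs an explicit failure path
! test -e "$SOCKET" || fail
# ensure signature requests are logged
grep -Fq "Starting lacme Account Key Manager at /home/lacme-account/S.lacme" ~lacme-account/.local/share/lacme/accountd.log
grep -Fq "[0] Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log
grep -Fq "[1] Accepted new connection" ~lacme-account/.local/share/lacme/accountd.log
grep -Fq "Shutting down and closing lacme Account Key Manager" ~lacme-account/.local/share/lacme/accountd.log
grep -F "] SIGNED header=base64url({" ~lacme-account/.local/share/lacme/accountd.log
# vim: set filetype=sh :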