2020-09-27 10:43:20 +00:00
|
|
|
from collections import OrderedDict
|
2020-08-21 20:36:11 +00:00
|
|
|
|
|
|
|
|
2020-07-16 14:48:41 +00:00
|
|
|
def succeed(*cmds):
|
|
|
|
"""Returns the concatenated output of all cmds"""
|
|
|
|
return machine.succeed(*cmds)
|
|
|
|
|
|
|
|
|
|
|
|
def assert_matches(cmd, regexp):
|
|
|
|
out = succeed(cmd)
|
|
|
|
if not re.search(regexp, out):
|
|
|
|
raise Exception(f"Pattern '{regexp}' not found in '{out}'")
|
|
|
|
|
|
|
|
|
2020-08-20 11:11:05 +00:00
|
|
|
def assert_full_match(cmd, regexp):
|
2020-07-16 14:48:41 +00:00
|
|
|
out = succeed(cmd)
|
|
|
|
if not re.fullmatch(regexp, out):
|
|
|
|
raise Exception(f"Pattern '{regexp}' doesn't match '{out}'")
|
|
|
|
|
|
|
|
|
|
|
|
def log_has_string(unit, str):
|
|
|
|
return f"journalctl -b --output=cat -u {unit} --grep='{str}'"
|
|
|
|
|
|
|
|
|
|
|
|
def assert_no_failure(unit):
|
|
|
|
"""Unit should not have failed since the system is running"""
|
|
|
|
machine.fail(log_has_string(unit, "Failed with result"))
|
|
|
|
|
|
|
|
|
|
|
|
def assert_running(unit):
|
2020-09-27 10:43:20 +00:00
|
|
|
with machine.nested(f"waiting for unit: {unit}"):
|
|
|
|
machine.wait_for_unit(unit)
|
2020-07-16 14:48:41 +00:00
|
|
|
assert_no_failure(unit)
|
|
|
|
|
|
|
|
|
2020-09-27 10:43:17 +00:00
|
|
|
def wait_for_open_port(address, port):
|
|
|
|
def is_port_open(_):
|
|
|
|
status, _ = machine.execute(f"nc -z {address} {port}")
|
|
|
|
return status == 0
|
|
|
|
|
|
|
|
with log.nested(f"Waiting for TCP port {address}:{port}"):
|
|
|
|
retry(is_port_open)
|
|
|
|
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
### Test runner
|
|
|
|
|
|
|
|
tests = OrderedDict()
|
|
|
|
|
|
|
|
|
|
|
|
def test(name):
|
|
|
|
def x(fn):
|
|
|
|
tests[name] = fn
|
|
|
|
|
|
|
|
return x
|
|
|
|
|
|
|
|
|
2020-09-27 10:43:17 +00:00
|
|
|
def run_tests():
|
2020-09-27 10:43:20 +00:00
|
|
|
enabled = enabled_tests.copy()
|
|
|
|
to_run = []
|
|
|
|
for test in tests:
|
|
|
|
if test in enabled:
|
|
|
|
enabled.remove(test)
|
|
|
|
to_run.append(test)
|
|
|
|
if enabled:
|
|
|
|
raise RuntimeError(f"The following tests are enabled but not defined: {enabled}")
|
|
|
|
machine.connect() # Visually separate boot output from the test output
|
|
|
|
for test in to_run:
|
|
|
|
with log.nested(f"test: {test}"):
|
|
|
|
tests[test]()
|
|
|
|
|
|
|
|
|
|
|
|
def run_test(test):
|
|
|
|
tests[test]()
|
|
|
|
|
|
|
|
|
|
|
|
### Tests
|
|
|
|
# All tests are executed in the order they are defined here
|
|
|
|
|
|
|
|
|
|
|
|
@test("security")
|
|
|
|
def _():
|
|
|
|
assert_running("setup-secrets")
|
|
|
|
# Unused secrets should be inaccessible
|
|
|
|
succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
|
|
|
|
|
|
|
|
if "secure-node" in enabled_tests:
|
|
|
|
# Access to '/proc' should be restricted
|
|
|
|
machine.succeed("grep -Fq hidepid=2 /proc/mounts")
|
|
|
|
|
|
|
|
machine.wait_for_unit("bitcoind")
|
|
|
|
# `systemctl status` run by unprivileged users shouldn't leak cgroup info
|
|
|
|
assert_matches(
|
|
|
|
"sudo -u electrs systemctl status bitcoind 2>&1 >/dev/null",
|
|
|
|
"Failed to dump process list for 'bitcoind.service', ignoring: Access denied",
|
|
|
|
)
|
|
|
|
# The 'operator' with group 'proc' has full access
|
|
|
|
assert_full_match("sudo -u operator systemctl status bitcoind 2>&1 >/dev/null", "")
|
2020-08-21 20:36:11 +00:00
|
|
|
|
2020-08-02 21:20:51 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
@test("bitcoind")
|
|
|
|
def _():
|
2020-08-02 21:20:51 +00:00
|
|
|
assert_running("bitcoind")
|
|
|
|
machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
|
|
|
|
assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
|
2020-08-27 10:17:39 +00:00
|
|
|
# RPC access for user 'public' should be restricted
|
2020-08-02 21:20:51 +00:00
|
|
|
machine.fail(
|
2020-08-27 10:17:39 +00:00
|
|
|
"bitcoin-cli -rpcuser=public -rpcpassword=$(cat /secrets/bitcoin-rpcpassword-public) stop"
|
2020-08-02 21:20:51 +00:00
|
|
|
)
|
|
|
|
machine.wait_until_succeeds(
|
2020-08-27 10:17:39 +00:00
|
|
|
log_has_string("bitcoind", "RPC User public not allowed to call method stop")
|
2020-08-02 21:20:51 +00:00
|
|
|
)
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("electrs")
|
|
|
|
def _():
|
2020-08-02 21:20:51 +00:00
|
|
|
assert_running("electrs")
|
2020-09-27 10:43:17 +00:00
|
|
|
wait_for_open_port(ip("electrs"), 4224) # prometeus metrics provider
|
2020-08-02 21:20:51 +00:00
|
|
|
# Check RPC connection to bitcoind
|
|
|
|
machine.wait_until_succeeds(log_has_string("electrs", "NetworkInfo"))
|
2020-10-16 15:43:18 +00:00
|
|
|
|
|
|
|
|
|
|
|
# Impure: Stops electrs
|
|
|
|
# Stop electrs from spamming the test log with 'WARN - wait until IBD is over' messages
|
|
|
|
@test("stop-electrs")
|
|
|
|
def _():
|
2020-08-02 21:20:51 +00:00
|
|
|
succeed("systemctl stop electrs")
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("liquidd")
|
|
|
|
def _():
|
2020-08-02 21:20:51 +00:00
|
|
|
assert_running("liquidd")
|
|
|
|
machine.wait_until_succeeds("elements-cli getnetworkinfo")
|
|
|
|
assert_matches("su operator -c 'elements-cli getnetworkinfo' | jq", '"version"')
|
|
|
|
succeed("su operator -c 'liquidswap-cli --help'")
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("clightning")
|
|
|
|
def _():
|
2020-08-02 21:20:51 +00:00
|
|
|
assert_running("clightning")
|
|
|
|
assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"')
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("lnd")
|
|
|
|
def _():
|
2020-08-04 08:24:49 +00:00
|
|
|
assert_running("lnd")
|
|
|
|
assert_matches("su operator -c 'lncli getinfo' | jq", '"version"')
|
|
|
|
assert_no_failure("lnd")
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("lightning-loop")
|
|
|
|
def _():
|
2020-09-24 16:39:18 +00:00
|
|
|
assert_running("lightning-loop")
|
2020-08-04 08:24:49 +00:00
|
|
|
assert_matches("su operator -c 'loop --version'", "version")
|
|
|
|
# Check that lightning-loop fails with the right error, making sure
|
|
|
|
# lightning-loop can connect to lnd
|
|
|
|
machine.wait_until_succeeds(
|
2020-08-30 08:07:02 +00:00
|
|
|
log_has_string(
|
|
|
|
"lightning-loop",
|
|
|
|
"Waiting for lnd to be fully synced to its chain backend, this might take a while",
|
|
|
|
)
|
2020-08-04 08:24:49 +00:00
|
|
|
)
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("btcpayserver")
|
|
|
|
def _():
|
2020-08-12 14:16:22 +00:00
|
|
|
assert_running("nbxplorer")
|
|
|
|
machine.wait_until_succeeds(log_has_string("nbxplorer", "BTC: RPC connection successful"))
|
2020-09-27 10:43:17 +00:00
|
|
|
wait_for_open_port(ip("nbxplorer"), 24444)
|
2020-08-12 14:16:22 +00:00
|
|
|
assert_running("btcpayserver")
|
|
|
|
machine.wait_until_succeeds(log_has_string("btcpayserver", "Listening on"))
|
2020-09-27 10:43:17 +00:00
|
|
|
wait_for_open_port(ip("btcpayserver"), 23000)
|
|
|
|
# test lnd custom macaroon
|
|
|
|
assert_matches(
|
|
|
|
"sudo -u btcpayserver curl -s --cacert /secrets/lnd-cert "
|
|
|
|
'--header "Grpc-Metadata-macaroon: $(xxd -ps -u -c 1000 /run/lnd/btcpayserver.macaroon)" '
|
|
|
|
f"-X GET https://{ip('lnd')}:8080/v1/getinfo | jq",
|
|
|
|
'"version"',
|
|
|
|
)
|
2020-08-12 14:16:22 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("spark-wallet")
|
|
|
|
def _():
|
2020-08-02 21:20:51 +00:00
|
|
|
assert_running("spark-wallet")
|
2020-09-27 10:43:17 +00:00
|
|
|
wait_for_open_port(ip("spark-wallet"), 9737)
|
|
|
|
spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
|
|
|
|
assert_matches(f"curl -s {spark_auth}@{ip('spark-wallet')}:9737", "Spark")
|
2020-08-02 21:20:51 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("lightning-charge")
|
|
|
|
def _():
|
2020-08-02 21:20:51 +00:00
|
|
|
assert_running("lightning-charge")
|
2020-09-27 10:43:17 +00:00
|
|
|
wait_for_open_port(ip("lightning-charge"), 9112)
|
|
|
|
machine.wait_until_succeeds(f"nc -z {ip('lightning-charge')} 9112")
|
|
|
|
charge_auth = re.search("API_TOKEN=(.*)", succeed("cat /secrets/lightning-charge-env"))[1]
|
|
|
|
assert_matches(
|
|
|
|
f"curl -s api-token:{charge_auth}@{ip('lightning-charge')}:9112/info | jq", '"id"'
|
|
|
|
)
|
2020-08-02 21:20:51 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("nanopos")
|
|
|
|
def _():
|
2020-08-02 21:20:51 +00:00
|
|
|
assert_running("nanopos")
|
2020-09-27 10:43:17 +00:00
|
|
|
wait_for_open_port(ip("nanopos"), 9116)
|
|
|
|
assert_matches(f"curl {ip('nanopos')}:9116", "tshirt")
|
2020-08-02 21:20:51 +00:00
|
|
|
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
@test("joinmarket")
|
|
|
|
def _():
|
2020-05-18 09:51:18 +00:00
|
|
|
assert_running("joinmarket")
|
|
|
|
machine.wait_until_succeeds(
|
|
|
|
log_has_string("joinmarket", "P2EPDaemonServerProtocolFactory starting on 27184")
|
|
|
|
)
|
2020-10-16 15:43:17 +00:00
|
|
|
|
|
|
|
|
|
|
|
@test("joinmarket-yieldgenerator")
|
|
|
|
def _():
|
2020-05-18 09:51:18 +00:00
|
|
|
machine.wait_until_succeeds(
|
2020-09-11 11:53:12 +00:00
|
|
|
log_has_string("joinmarket-yieldgenerator", "Failure to get blockheight",)
|
2020-05-18 09:51:18 +00:00
|
|
|
)
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
@test("secure-node")
|
|
|
|
def _():
|
|
|
|
assert_running("onion-chef")
|
|
|
|
|
2020-08-02 21:20:51 +00:00
|
|
|
# FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due
|
|
|
|
# to incomplete unit dependencies.
|
|
|
|
# 'create-web-index' implicitly tests 'nodeinfo'.
|
|
|
|
machine.wait_for_unit("create-web-index")
|
2020-08-04 12:17:15 +00:00
|
|
|
assert_running("nginx")
|
2020-09-27 10:43:17 +00:00
|
|
|
wait_for_open_port(ip("nginx"), 80)
|
|
|
|
assert_matches(f"curl {ip('nginx')}", "nix-bitcoin")
|
|
|
|
assert_matches(f"curl -L {ip('nginx')}/store", "tshirt")
|
2020-08-02 21:20:51 +00:00
|
|
|
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
# Run this test before the following tests that shut down services
|
|
|
|
# (and their corresponding network namespaces).
|
|
|
|
@test("netns-isolation")
|
|
|
|
def _():
|
|
|
|
ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
|
|
|
|
ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
|
|
|
|
ping_nbxplorer = "ip netns exec nb-nbxplorer ping -c 1 -w 1"
|
|
|
|
|
|
|
|
# Positive ping tests (non-exhaustive)
|
|
|
|
machine.succeed(
|
|
|
|
"%s %s &&" % (ping_bitcoind, ip("bitcoind"))
|
|
|
|
+ "%s %s &&" % (ping_bitcoind, ip("clightning"))
|
|
|
|
+ "%s %s &&" % (ping_bitcoind, ip("lnd"))
|
|
|
|
+ "%s %s &&" % (ping_bitcoind, ip("liquidd"))
|
|
|
|
+ "%s %s &&" % (ping_bitcoind, ip("nbxplorer"))
|
|
|
|
+ "%s %s &&" % (ping_nbxplorer, ip("btcpayserver"))
|
|
|
|
+ "%s %s &&" % (ping_nanopos, ip("lightning-charge"))
|
|
|
|
+ "%s %s &&" % (ping_nanopos, ip("nanopos"))
|
|
|
|
+ "%s %s" % (ping_nanopos, ip("nginx"))
|
|
|
|
)
|
2020-08-02 21:20:51 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
# Negative ping tests (non-exhaustive)
|
|
|
|
machine.fail(
|
|
|
|
"%s %s ||" % (ping_bitcoind, ip("spark-wallet"))
|
|
|
|
+ "%s %s ||" % (ping_bitcoind, ip("lightning-loop"))
|
|
|
|
+ "%s %s ||" % (ping_bitcoind, ip("lightning-charge"))
|
|
|
|
+ "%s %s ||" % (ping_bitcoind, ip("nanopos"))
|
|
|
|
+ "%s %s ||" % (ping_bitcoind, ip("nginx"))
|
|
|
|
+ "%s %s ||" % (ping_nanopos, ip("bitcoind"))
|
|
|
|
+ "%s %s ||" % (ping_nanopos, ip("clightning"))
|
|
|
|
+ "%s %s ||" % (ping_nanopos, ip("lnd"))
|
|
|
|
+ "%s %s ||" % (ping_nanopos, ip("lightning-loop"))
|
|
|
|
+ "%s %s ||" % (ping_nanopos, ip("liquidd"))
|
|
|
|
+ "%s %s ||" % (ping_nanopos, ip("electrs"))
|
|
|
|
+ "%s %s ||" % (ping_nanopos, ip("spark-wallet"))
|
|
|
|
+ "%s %s" % (ping_nanopos, ip("btcpayserver"))
|
2020-08-04 08:24:49 +00:00
|
|
|
)
|
2020-08-02 21:20:51 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
# test that netns-exec can't be run for unauthorized namespace
|
|
|
|
machine.fail("netns-exec nb-electrs ip a")
|
|
|
|
|
|
|
|
# test that netns-exec drops capabilities
|
|
|
|
assert_full_match(
|
|
|
|
"su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
|
2020-08-02 21:20:51 +00:00
|
|
|
)
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
# test that netns-exec can not be executed by users that are not operator
|
|
|
|
machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
|
2020-06-23 11:03:16 +00:00
|
|
|
|
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
# Impure: stops bitcoind (and dependent services)
|
|
|
|
@test("backups")
|
|
|
|
def _():
|
2020-06-23 11:03:16 +00:00
|
|
|
succeed("systemctl stop bitcoind")
|
|
|
|
succeed("systemctl start duplicity")
|
|
|
|
machine.wait_until_succeeds(log_has_string("duplicity", "duplicity.service: Succeeded."))
|
2020-09-27 10:43:18 +00:00
|
|
|
run_duplicity = "export $(cat /secrets/backup-encryption-env); duplicity"
|
|
|
|
# Files in backup and /var/lib should be identical
|
2020-06-23 11:03:16 +00:00
|
|
|
assert_matches(
|
2020-09-27 10:43:18 +00:00
|
|
|
f"{run_duplicity} verify --archive-dir /var/lib/duplicity file:///var/lib/localBackups /var/lib",
|
2020-06-23 11:03:16 +00:00
|
|
|
"0 differences found",
|
|
|
|
)
|
2020-09-27 10:43:18 +00:00
|
|
|
# Backup should include important files
|
|
|
|
files = succeed(f"{run_duplicity} list-current-files file:///var/lib/localBackups")
|
|
|
|
assert "var/lib/clightning/bitcoin/hsm_secret" in files
|
|
|
|
assert "secrets/lnd-seed-mnemonic" in files
|
|
|
|
assert "secrets/jm-wallet-seed" in files
|
|
|
|
assert "var/lib/bitcoind/wallet.dat" in files
|
|
|
|
assert "var/backup/postgresql/btcpaydb.sql.gz" in files
|
2020-08-02 21:20:51 +00:00
|
|
|
|
2020-08-20 11:11:09 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
# Impure: restarts services
|
|
|
|
@test("banlist-and-restart")
|
|
|
|
def _():
|
|
|
|
machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
|
|
|
|
assert_no_failure("bitcoind-import-banlist")
|
2020-08-20 11:11:09 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
# Current time in µs
|
|
|
|
pre_restart = succeed("date +%s.%6N").rstrip()
|
2020-08-20 11:11:09 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
# Sanity-check system by restarting all services
|
|
|
|
succeed(
|
|
|
|
"systemctl restart bitcoind clightning lnd lightning-loop spark-wallet lightning-charge nanopos liquidd"
|
2020-08-20 11:11:09 +00:00
|
|
|
)
|
2020-09-27 10:43:17 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
# Now that the bitcoind restart triggered a banlist import restart, check that
|
|
|
|
# re-importing already banned addresses works
|
|
|
|
machine.wait_until_succeeds(
|
|
|
|
log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist")
|
|
|
|
)
|
|
|
|
assert_no_failure("bitcoind-import-banlist")
|
|
|
|
|
|
|
|
|
|
|
|
if "netns-isolation" in enabled_tests:
|
2020-09-27 10:43:31 +00:00
|
|
|
|
|
|
|
def ip(name):
|
|
|
|
return test_data["netns"][name]["address"]
|
2020-09-27 10:43:20 +00:00
|
|
|
|
|
|
|
|
|
|
|
else:
|
2020-09-27 10:43:17 +00:00
|
|
|
|
2020-09-27 10:43:20 +00:00
|
|
|
def ip(_):
|
|
|
|
return "127.0.0.1"
|