test: improve modularization

This improves debugging and experimenting by making it easy to compose fine-grained scenarios that have specific tests and features enabled. The VM test output now includes the subtest name and duration. Remove the 'raise Exception()' hack for interactive mode. Run 'banlist-and-restart' test before 'backups'. This speeds up the test by avoiding an extra shutdown of all bitcoin-related services.
2020-09-27 12:43:20 +02:00
parent 14d2d97ba6
commit 1e18d3ea3b
8 changed files with 385 additions and 181 deletions
--- a/test/tests.py
+++ b/test/tests.py
@@ -1,4 +1,4 @@
-is_interactive = "is_interactive" in vars()
+from collections import OrderedDict


 def succeed(*cmds):
@@ -28,7 +28,8 @@ def assert_no_failure(unit):


 def assert_running(unit):
-    machine.wait_for_unit(unit)
+    with machine.nested(f"waiting for unit: {unit}"):
+        machine.wait_for_unit(unit)
    assert_no_failure(unit)


@@ -41,13 +42,63 @@ def wait_for_open_port(address, port):
        retry(is_port_open)


+### Test runner
+
+tests = OrderedDict()
+
+
+def test(name):
+    def x(fn):
+        tests[name] = fn
+
+    return x
+
+
 def run_tests():
-    # Don't execute the following test suite when this script is running in interactive mode
-    if is_interactive:
-        raise Exception()
+    enabled = enabled_tests.copy()
+    to_run = []
+    for test in tests:
+        if test in enabled:
+            enabled.remove(test)
+            to_run.append(test)
+    if enabled:
+        raise RuntimeError(f"The following tests are enabled but not defined: {enabled}")
+    machine.connect()  # Visually separate boot output from the test output
+    for test in to_run:
+        with log.nested(f"test: {test}"):
+            tests[test]()

-    test_security()

+def run_test(test):
+    tests[test]()
+
+
+### Tests
+# All tests are executed in the order they are defined here
+
+
+@test("security")
+def _():
+    assert_running("setup-secrets")
+    # Unused secrets should be inaccessible
+    succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
+
+    if "secure-node" in enabled_tests:
+        # Access to '/proc' should be restricted
+        machine.succeed("grep -Fq hidepid=2 /proc/mounts")
+
+        machine.wait_for_unit("bitcoind")
+        # `systemctl status` run by unprivileged users shouldn't leak cgroup info
+        assert_matches(
+            "sudo -u electrs systemctl status bitcoind 2>&1 >/dev/null",
+            "Failed to dump process list for 'bitcoind.service', ignoring: Access denied",
+        )
+        # The 'operator' with group 'proc' has full access
+        assert_full_match("sudo -u operator systemctl status bitcoind 2>&1 >/dev/null", "")
+
+
+@test("bitcoind")
+def _():
    assert_running("bitcoind")
    machine.wait_until_succeeds("bitcoin-cli getnetworkinfo")
    assert_matches("su operator -c 'bitcoin-cli getnetworkinfo' | jq", '"version"')
@@ -59,6 +110,10 @@ def run_tests():
        log_has_string("bitcoind", "RPC User public not allowed to call method stop")
    )

+
+# Impure: Stops electrs
+@test("electrs")
+def _():
    assert_running("electrs")
    wait_for_open_port(ip("electrs"), 4224)  # prometeus metrics provider
    # Check RPC connection to bitcoind
@@ -66,18 +121,30 @@ def run_tests():
    # Stop electrs from spamming the test log with 'wait for bitcoind sync' messages
    succeed("systemctl stop electrs")

+
+@test("liquidd")
+def _():
    assert_running("liquidd")
    machine.wait_until_succeeds("elements-cli getnetworkinfo")
    assert_matches("su operator -c 'elements-cli getnetworkinfo' | jq", '"version"')
    succeed("su operator -c 'liquidswap-cli --help'")

+
+@test("clightning")
+def _():
    assert_running("clightning")
    assert_matches("su operator -c 'lightning-cli getinfo' | jq", '"id"')

+
+@test("lnd")
+def _():
    assert_running("lnd")
    assert_matches("su operator -c 'lncli getinfo' | jq", '"version"')
    assert_no_failure("lnd")

+
+@test("lightning-loop")
+def _():
    assert_running("lightning-loop")
    assert_matches("su operator -c 'loop --version'", "version")
    # Check that lightning-loop fails with the right error, making sure
@@ -89,6 +156,9 @@ def run_tests():
        )
    )

+
+@test("btcpayserver")
+def _():
    assert_running("nbxplorer")
    machine.wait_until_succeeds(log_has_string("nbxplorer", "BTC: RPC connection successful"))
    wait_for_open_port(ip("nbxplorer"), 24444)
@@ -103,11 +173,17 @@ def run_tests():
        '"version"',
    )

+
+@test("spark-wallet")
+def _():
    assert_running("spark-wallet")
    wait_for_open_port(ip("spark-wallet"), 9737)
    spark_auth = re.search("login=(.*)", succeed("cat /secrets/spark-wallet-login"))[1]
    assert_matches(f"curl -s {spark_auth}@{ip('spark-wallet')}:9737", "Spark")

+
+@test("lightning-charge")
+def _():
    assert_running("lightning-charge")
    wait_for_open_port(ip("lightning-charge"), 9112)
    machine.wait_until_succeeds(f"nc -z {ip('lightning-charge')} 9112")
@@ -116,12 +192,16 @@ def run_tests():
        f"curl -s api-token:{charge_auth}@{ip('lightning-charge')}:9112/info | jq", '"id"'
    )

+
+@test("nanopos")
+def _():
    assert_running("nanopos")
    wait_for_open_port(ip("nanopos"), 9116)
    assert_matches(f"curl {ip('nanopos')}:9116", "tshirt")

-    assert_running("onion-chef")

+@test("joinmarket")
+def _():
    assert_running("joinmarket")
    machine.wait_until_succeeds(
        log_has_string("joinmarket", "P2EPDaemonServerProtocolFactory starting on 27184")
@@ -130,6 +210,11 @@ def run_tests():
        log_has_string("joinmarket-yieldgenerator", "Failure to get blockheight",)
    )

+
+@test("secure-node")
+def _():
+    assert_running("onion-chef")
+
    # FIXME: use 'wait_for_unit' because 'create-web-index' always fails during startup due
    # to incomplete unit dependencies.
    # 'create-web-index' implicitly tests 'nodeinfo'.
@@ -139,30 +224,62 @@ def run_tests():
    assert_matches(f"curl {ip('nginx')}", "nix-bitcoin")
    assert_matches(f"curl -L {ip('nginx')}/store", "tshirt")

-    machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
-    assert_no_failure("bitcoind-import-banlist")

-    ### Additional tests
+# Run this test before the following tests that shut down services
+# (and their corresponding network namespaces).
+@test("netns-isolation")
+def _():
+    ping_bitcoind = "ip netns exec nb-bitcoind ping -c 1 -w 1"
+    ping_nanopos = "ip netns exec nb-nanopos ping -c 1 -w 1"
+    ping_nbxplorer = "ip netns exec nb-nbxplorer ping -c 1 -w 1"

-    # Current time in µs
-    pre_restart = succeed("date +%s.%6N").rstrip()
-
-    # Sanity-check system by restarting all services
-    succeed(
-        "systemctl restart bitcoind clightning lnd lightning-loop spark-wallet lightning-charge nanopos liquidd"
+    # Positive ping tests (non-exhaustive)
+    machine.succeed(
+        "%s %s &&" % (ping_bitcoind, ip("bitcoind"))
+        + "%s %s &&" % (ping_bitcoind, ip("clightning"))
+        + "%s %s &&" % (ping_bitcoind, ip("lnd"))
+        + "%s %s &&" % (ping_bitcoind, ip("liquidd"))
+        + "%s %s &&" % (ping_bitcoind, ip("nbxplorer"))
+        + "%s %s &&" % (ping_nbxplorer, ip("btcpayserver"))
+        + "%s %s &&" % (ping_nanopos, ip("lightning-charge"))
+        + "%s %s &&" % (ping_nanopos, ip("nanopos"))
+        + "%s %s" % (ping_nanopos, ip("nginx"))
    )

-    # Now that the bitcoind restart triggered a banlist import restart, check that
-    # re-importing already banned addresses works
-    machine.wait_until_succeeds(
-        log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist")
+    # Negative ping tests (non-exhaustive)
+    machine.fail(
+        "%s %s ||" % (ping_bitcoind, ip("spark-wallet"))
+        + "%s %s ||" % (ping_bitcoind, ip("lightning-loop"))
+        + "%s %s ||" % (ping_bitcoind, ip("lightning-charge"))
+        + "%s %s ||" % (ping_bitcoind, ip("nanopos"))
+        + "%s %s ||" % (ping_bitcoind, ip("recurring-donations"))
+        + "%s %s ||" % (ping_bitcoind, ip("nginx"))
+        + "%s %s ||" % (ping_nanopos, ip("bitcoind"))
+        + "%s %s ||" % (ping_nanopos, ip("clightning"))
+        + "%s %s ||" % (ping_nanopos, ip("lnd"))
+        + "%s %s ||" % (ping_nanopos, ip("lightning-loop"))
+        + "%s %s ||" % (ping_nanopos, ip("liquidd"))
+        + "%s %s ||" % (ping_nanopos, ip("electrs"))
+        + "%s %s ||" % (ping_nanopos, ip("spark-wallet"))
+        + "%s %s ||" % (ping_nanopos, ip("recurring-donations"))
+        + "%s %s" % (ping_nanopos, ip("btcpayserver"))
    )
-    assert_no_failure("bitcoind-import-banlist")

-    prestop()
+    # test that netns-exec can't be run for unauthorized namespace
+    machine.fail("netns-exec nb-electrs ip a")

-    ### Test duplicity
+    # test that netns-exec drops capabilities
+    assert_full_match(
+        "su operator -c 'netns-exec nb-bitcoind capsh --print | grep Current '", "Current: =\n"
+    )

+    # test that netns-exec can not be executed by users that are not operator
+    machine.fail("sudo -u clightning netns-exec nb-bitcoind ip a")
+
+
+# Impure: stops bitcoind (and dependent services)
+@test("backups")
+def _():
    succeed("systemctl stop bitcoind")
    succeed("systemctl start duplicity")
    machine.wait_until_succeeds(log_has_string("duplicity", "duplicity.service: Succeeded."))
@@ -181,23 +298,50 @@ def run_tests():
    assert "var/backup/postgresql/btcpaydb.sql.gz" in files


-def test_security():
-    assert_running("setup-secrets")
-    # Unused secrets should be inaccessible
-    succeed('[[ $(stat -c "%U:%G %a" /secrets/dummy) = "root:root 440" ]]')
+# Impure: restarts services
+@test("banlist-and-restart")
+def _():
+    machine.wait_until_succeeds(log_has_string("bitcoind-import-banlist", "Importing node banlist"))
+    assert_no_failure("bitcoind-import-banlist")

-    # Access to '/proc' should be restricted
-    machine.succeed("grep -Fq hidepid=2 /proc/mounts")
+    # Current time in µs
+    pre_restart = succeed("date +%s.%6N").rstrip()

-    machine.wait_for_unit("bitcoind")
-    # `systemctl status` run by unprivileged users shouldn't leak cgroup info
-    assert_matches(
-        "sudo -u electrs systemctl status bitcoind 2>&1 >/dev/null",
-        "Failed to dump process list for 'bitcoind.service', ignoring: Access denied",
+    # Sanity-check system by restarting all services
+    succeed(
+        "systemctl restart bitcoind clightning lnd lightning-loop spark-wallet lightning-charge nanopos liquidd"
    )
-    # The 'operator' with group 'proc' has full access
-    assert_full_match("sudo -u operator systemctl status bitcoind 2>&1 >/dev/null", "")
+
+    # Now that the bitcoind restart triggered a banlist import restart, check that
+    # re-importing already banned addresses works
+    machine.wait_until_succeeds(
+        log_has_string(f"bitcoind-import-banlist --since=@{pre_restart}", "Importing node banlist")
+    )
+    assert_no_failure("bitcoind-import-banlist")


-def ip(_):
-    return "127.0.0.1"
+if "netns-isolation" in enabled_tests:
+    netns_ips = {
+        "bitcoind": "169.254.1.12",
+        "clightning": "169.254.1.13",
+        "lnd": "169.254.1.14",
+        "liquidd": "169.254.1.15",
+        "electrs": "169.254.1.16",
+        "spark-wallet": "169.254.1.17",
+        "lightning-charge": "169.254.1.18",
+        "nanopos": "169.254.1.19",
+        "recurring-donations": "169.254.1.20",
+        "nginx": "169.254.1.21",
+        "lightning-loop": "169.254.1.22",
+        "nbxplorer": "169.254.1.23",
+        "btcpayserver": "169.254.1.24",
+    }
+
+    def ip(netns):
+        return netns_ips[netns]
+
+
+else:
+
+    def ip(_):
+        return "127.0.0.1"