From fdf270a89e22ca9b0171153479cfda0c7922699e Mon Sep 17 00:00:00 2001
From: Dan Nicholson <dbn@endlessos.org>
Date: Tue, 30 Jul 2024 18:20:13 -0600
Subject: [PATCH] test: extend firstboot testing

Several features were not being tested or weren't being evaluated thoroughly.

(cherry picked from commit 38688bbc8ffb16a449a41cab344c27f6b1e74cd3)
---
 test/units/TEST-74-AUX-UTILS.firstboot.sh | 62 +++++++++++++++++++++--
 1 file changed, 57 insertions(+), 5 deletions(-)

diff --git a/test/units/TEST-74-AUX-UTILS.firstboot.sh b/test/units/TEST-74-AUX-UTILS.firstboot.sh
index 7bab009d52..2569ad8816 100755
--- a/test/units/TEST-74-AUX-UTILS.firstboot.sh
+++ b/test/units/TEST-74-AUX-UTILS.firstboot.sh
@@ -14,6 +14,7 @@ fi
 at_exit() {
     if [[ -n "${ROOT:-}" ]]; then
         ls -lR "$ROOT"
+        grep -r . "$ROOT/etc" || :
         rm -fr "$ROOT"
     fi
 
@@ -83,13 +84,27 @@ grep -q "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa" "$ROOT/etc/machine-id"
 rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
 systemd-firstboot --root="$ROOT" --root-password=foo
 grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
-grep -q "^root:" "$ROOT/etc/shadow"
+grep -q "^root:[^!*]" "$ROOT/etc/shadow"
 rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
 echo "foo" >root.passwd
 systemd-firstboot --root="$ROOT" --root-password-file=root.passwd
 grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
-grep -q "^root:" "$ROOT/etc/shadow"
+grep -q "^root:[^!*]" "$ROOT/etc/shadow"
 rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow" root.passwd
+# If /etc/passwd and /etc/shadow exist, they will only be updated if the shadow
+# password is !unprovisioned.
+echo "root:x:0:0:root:/root:/bin/sh" >"$ROOT/etc/passwd"
+echo "root:!test:::::::" >"$ROOT/etc/shadow"
+systemd-firstboot --root="$ROOT" --root-password=foo
+grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
+grep -q "^root:!test:" "$ROOT/etc/shadow"
+rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
+echo "root:x:0:0:root:/root:/bin/sh" >"$ROOT/etc/passwd"
+echo "root:!unprovisioned:::::::" >"$ROOT/etc/shadow"
+systemd-firstboot --root="$ROOT" --root-password=foo
+grep -q "^root:x:0:0:" "$ROOT/etc/passwd"
+grep -q "^root:[^!*]" "$ROOT/etc/shadow"
+rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
 # Set the shell together with the password, as firstboot won't touch
 # /etc/passwd if it already exists
 systemd-firstboot --root="$ROOT" --root-password-hashed="$ROOT_HASHED_PASSWORD1" --root-shell=/bin/fooshell
@@ -176,8 +191,9 @@ mkdir -p "$ROOT/bin"
 touch "$ROOT/bin/fooshell" "$ROOT/bin/barshell"
 # Temporarily disable pipefail to avoid `echo: write error: Broken pipe
 set +o pipefail
-# We can do only limited testing here, since it's all an interactive stuff,
-# so --prompt and --prompt-root-password are skipped on purpose
+# We can do only limited testing here, since it's all an interactive stuff, so
+# --prompt is skipped on purpose and only limited --prompt-root-password
+# testing can be done.
 echo -ne "\nfoo\nbar\n" | systemd-firstboot --root="$ROOT" --prompt-locale
 grep -q "LANG=foo" "$ROOT$LOCALE_PATH"
 grep -q "LC_MESSAGES=bar" "$ROOT$LOCALE_PATH"
@@ -193,6 +209,11 @@ echo -ne "\nEurope/Berlin\n" | systemd-firstboot --root="$ROOT" --prompt-timezon
 readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$"
 echo -ne "\nfoobar\n" | systemd-firstboot --root="$ROOT" --prompt-hostname
 grep -q "foobar" "$ROOT/etc/hostname"
+# With no root password provided, a locked account should be created.
+systemd-firstboot --root="$ROOT" --prompt-root-password </dev/null
+grep -q "^root:!\*:0:0:" "$ROOT/etc/passwd"
+grep -q "^root:!\*:" "$ROOT/etc/shadow"
+rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
 echo -ne "\n/bin/fooshell\n" | systemd-firstboot --root="$ROOT" --prompt-root-shell
 grep -q "^root:.*:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd"
 # Existing files should not get overwritten
@@ -204,15 +225,46 @@ grep -q "^root:.*:0:0:.*:/bin/barshell$" "$ROOT/etc/passwd"
 # Re-enable pipefail
 set -o pipefail
 
+# --prompt-* options with credentials. Unfortunately, with --root the
+# --systemd.firstboot kernel command line option is ignored, so that can't be
+# --tested.
+rm -fr "$ROOT"
+mkdir -p "$ROOT/bin"
+touch "$ROOT/bin/fooshell" "$ROOT/bin/barshell"
+systemd-run --wait --pipe --service-type=exec \
+    -p SetCredential=firstboot.locale:foo \
+    -p SetCredential=firstboot.locale-messages:bar \
+    -p SetCredential=firstboot.keymap:foo \
+    -p SetCredential=firstboot.timezone:Europe/Berlin \
+    -p SetCredential=passwd.hashed-password.root:"$ROOT_HASHED_PASSWORD1" \
+    -p SetCredential=passwd.shell.root:/bin/fooshell \
+    systemd-firstboot \
+    --root="$ROOT" \
+    --prompt-locale \
+    --prompt-keymap \
+    --prompt-timezone \
+    --prompt-root-password \
+    --prompt-root-shell \
+    </dev/null
+grep -q "LANG=foo" "$ROOT$LOCALE_PATH"
+grep -q "LC_MESSAGES=bar" "$ROOT$LOCALE_PATH"
+grep -q "KEYMAP=foo" "$ROOT/etc/vconsole.conf"
+readlink "$ROOT/etc/localtime" | grep -q "Europe/Berlin$"
+grep -q "^root:x:0:0:.*:/bin/fooshell$" "$ROOT/etc/passwd"
+grep -q "^root:$ROOT_HASHED_PASSWORD1:" "$ROOT/etc/shadow"
+
 # Assorted tests
 rm -fr "$ROOT"
 mkdir "$ROOT"
 
 systemd-firstboot --root="$ROOT" --setup-machine-id
 grep -E "[a-z0-9]{32}" "$ROOT/etc/machine-id"
+rm -fv "$ROOT/etc/machine-id"
 
 systemd-firstboot --root="$ROOT" --delete-root-password
-diff <(echo) <(awk -F: '/^root/ { print $2; }' "$ROOT/etc/shadow")
+grep -q "^root::0:0:" "$ROOT/etc/passwd"
+grep -q "^root::" "$ROOT/etc/shadow"
+rm -fv "$ROOT/etc/passwd" "$ROOT/etc/shadow"
 
 (! systemd-firstboot --root="$ROOT" --root-shell=/bin/nonexistentshell)
 (! systemd-firstboot --root="$ROOT" --machine-id=invalidmachineid)
-- 
2.25.1