8 files changed, 290 insertions, 0 deletions

diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..98b9106
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,28 @@
+Tests: upstream-simulation-test-suite
+Depends: @builddeps@, build-essential, ca-certificates, tzdata-legacy, wget
+Restrictions: isolation-container, build-needed, skippable, needs-root, needs-internet
+
+Tests: time-sources-from-dhcp-servers
+Depends: @, isc-dhcp-server, isc-dhcp-client, iproute2, kmod
+Restrictions: isolation-machine, needs-root
+
+Features: test-name=run_system_tests
+Test-Command: debian/tests/upstream-system-tests
+Depends: @builddeps@
+Restrictions: build-needed, isolation-container, needs-root
+
+Features: test-name=run_destructive_system_tests
+Test-Command: debian/tests/upstream-system-tests -d 1[0-9][0-9]-*
+Depends: @, @builddeps@, ethtool
+Restrictions: build-needed, isolation-machine, needs-root
+
+Tests: fragmented-configuration
+Restrictions: isolation-container, needs-root
+
+Tests: dynamically-add-source
+Depends: @, dpkg-dev
+Restrictions: isolation-container, needs-root, skippable
+
+Tests: ntp-server-and-nts-auth
+Depends: @, dpkg-dev, gnutls-bin
+Restrictions: isolation-container, needs-root, skippable
diff --git a/debian/tests/dynamically-add-source b/debian/tests/dynamically-add-source
new file mode 100644
index 0000000..1e4c160
--- /dev/null
+++ b/debian/tests/dynamically-add-source
@@ -0,0 +1,27 @@
+#!/bin/sh
+# Make sure that NTP sources from /etc/chrony/sources.d are usable.
+
+set -e
+
+. debian/tests/helper-functions
+
+server_addr="192.0.2.1"
+
+printf "Preparing chronyd configuration: "
+__no_system_clock_control
+__restart_chronyd && __test_ok || __test_skip
+
+printf "Adding a dummy server to the list of NTP sources: "
+printf "server $server_addr\n" > /etc/chrony/sources.d/dummy-server.sources && __test_ok || __test_fail
+
+printf "Reloading NTP sources: "
+__reload_sources
+
+printf "Checking for dummy server availability: "
+__check_sources "$server_addr"
+
+printf "Checking for dummy server availability after restarting chronyd: "
+__restart_chronyd
+__check_sources "$server_addr"
+
+exit 0
diff --git a/debian/tests/fragmented-configuration b/debian/tests/fragmented-configuration
new file mode 100644
index 0000000..2135df3
--- /dev/null
+++ b/debian/tests/fragmented-configuration
@@ -0,0 +1,17 @@
+#!/bin/sh
+# Make sure that fragmented configuration works as expected.
+
+set -e
+
+. debian/tests/helper-functions
+
+printf 'Setting "authselectmode prefer" as authentication policy: '
+echo "authselectmode prefer" > /etc/chrony/conf.d/authentication-policy.conf && __test_ok || __test_fail
+
+printf "Restart chronyd: "
+systemctl --quiet restart chrony.service && __test_ok || __test_fail
+
+printf "Checking that chronyd uses the defined authentication policy: "
+chronyd -p | grep -q "authselectmode prefer" && __test_ok || __test_fail
+
+exit 0
diff --git a/debian/tests/helper-functions b/debian/tests/helper-functions
new file mode 100644
index 0000000..7df6ee9
--- /dev/null
+++ b/debian/tests/helper-functions
@@ -0,0 +1,53 @@
+__no_system_clock_control() {
+    if ! dpkg-vendor --derives-from Ubuntu; then
+        sed -i '/^DAEMON_OPTS=/s/"\(.*\)"/"\1 -x"/' /etc/default/chrony
+        mkdir -p /etc/systemd/system/chrony.service.d
+        cat <<EOF > /etc/systemd/system/chrony.service.d/override.conf
+[Unit]
+ConditionCapability=
+EOF
+        systemctl daemon-reload
+    fi
+}
+
+__test_fail() {
+    printf 'FAIL\n' >&2
+    return 1
+}
+
+__test_ok() {
+    printf 'OK\n'
+    return 0
+}
+
+__test_skip() {
+    [ -n "$1" ] && printf 'SKIP: (%s)\n' "$1" || printf 'SKIP\n'
+    exit 77
+}
+
+__reload_sources() {
+    chronyc reload sources > /dev/null 2>&1 && __test_ok || __test_fail
+}
+
+__restart_chronyd() {
+    systemctl --quiet restart chrony.service
+    rc=$?
+    sleep 3
+    return $rc
+}
+
+__check_sources() {
+    chronyc sources | grep -q "$1" && __test_ok || __test_fail
+}
+
+__check_auth() {
+    chronyc -c authdata | grep -q "$1" && __test_ok || __test_fail
+}
+
+# Ubuntu's default config is fully populated causing issues with the test
+# If any of those tests run on Ubuntu, clear some and restart the daemon
+# to pick this up before entering the tests.
+if grep -q "^pool.*ubuntu.pool.ntp.org" /etc/chrony/chrony.conf; then
+    sudo sed -i -e '/^pool.*ubuntu.pool.ntp.org/d' /etc/chrony/chrony.conf
+    __restart_chronyd
+fi
diff --git a/debian/tests/ntp-server-and-nts-auth b/debian/tests/ntp-server-and-nts-auth
new file mode 100644
index 0000000..b7d8877
--- /dev/null
+++ b/debian/tests/ntp-server-and-nts-auth
@@ -0,0 +1,59 @@
+#!/bin/sh
+# Check that chronyd is able to authenticate NTP packets when NTS is enabled
+# on the server.
+
+set -e
+
+. debian/tests/helper-functions
+
+cert_dir="/var/lib/chrony"
+cert_template="$cert_dir/cert.cfg"
+cert_file="$cert_dir/server.crt"
+priv_key="$cert_dir/server.key"
+server_addr="127.0.1.1"
+server_name="chrony-nts-test"
+
+create_cert_template() {
+    printf "Creating certificate template: "
+    cat <<EOF > "$cert_template"
+cn = "$server_name"
+serial = 001
+activation_date = "$(date -d '1 year ago' +'%Y-%m-%d') 00:00:00 UTC"
+expiration_date = "$(date -d '1 year' +'%Y-%m-%d') 00:00:00 UTC"
+signing_key
+encryption_key
+EOF
+}
+
+generate_cert() {
+    printf "Generating self-signed certificate: "
+    certtool --generate-privkey --key-type=ed25519 --outfile "$priv_key" > /dev/null 2>&1
+    certtool --generate-self-signed --load-privkey "$priv_key" --template "$cert_template" \
+        --outfile "$cert_file" > /dev/null 2>&1
+}
+
+server_config() {
+    printf "Preparing chronyd configuration: "
+    cat <<EOF > /etc/chrony/conf.d/local-server-config.conf
+server $server_name nts minpoll -6 maxpoll -6
+ntsserverkey $priv_key
+ntsservercert $cert_file
+ntstrustedcerts $cert_file
+EOF
+
+    __no_system_clock_control
+    __restart_chronyd
+}
+
+echo "$server_addr $server_name" >> /etc/hosts
+
+create_cert_template && __test_ok || __test_skip "unable to create certificate template"
+
+generate_cert && __test_ok || __test_skip "unable to generate self-signed certificate"
+
+server_config && __test_ok || __test_skip
+
+printf "Checking if server authenticates NTP packets: "
+__check_auth "$server_addr,NTS"
+
+exit 0
diff --git a/debian/tests/time-sources-from-dhcp-servers b/debian/tests/time-sources-from-dhcp-servers
new file mode 100644
index 0000000..f5e7899
--- /dev/null
+++ b/debian/tests/time-sources-from-dhcp-servers
@@ -0,0 +1,44 @@
+#!/bin/sh
+# Ensure that NTP servers obtained from DHCP are made available to chronyd and
+# that they are removed when releasing the DHCP lease.
+
+set -e
+
+prepare_iface() {
+    modprobe dummy
+    ip link add name dummy0 type dummy
+    ip address add 192.168.1.1/24 dev dummy0
+    ip link set dev dummy0 up
+}
+
+dhcpd_config() {
+cat <<EOF > /etc/dhcp/dhcpd.conf
+default-lease-time 600;
+max-lease-time 7200;
+authorative;
+
+subnet 192.168.1.0 netmask 255.255.255.0 {
+    option subnet-mask              255.255.255.0;
+    option broadcast-address        192.168.1.255;
+    option ntp-servers              192.168.1.50;
+    range 192.168.1.42 192.168.1.100;
+}
+EOF
+
+sed -i '/INTERFACESv4=/s/".*"/"dummy0"/' /etc/default/isc-dhcp-server
+}
+
+chk_time_src() {
+    chronyc -n sources | grep -q -F '192.168.1.50'
+}
+
+printf "Preparing the dummy network interface and dhcpd configuration…\n"
+if prepare_iface && dhcpd_config; then
+    systemctl restart isc-dhcp-server && dhclient dummy0 && printf "Done!\n\n"
+fi
+
+printf "Check if the NTP server is made available to chronyd…\n"
+chk_time_src && printf "SUCCESS!\n\n"
+
+printf "Release the current lease and check if the NTP server has been correctly removed…\n"
+dhclient -r dummy0 > /dev/null 2>&1 && ! chk_time_src && printf "SUCCESS!\n\n"
diff --git a/debian/tests/upstream-simulation-test-suite b/debian/tests/upstream-simulation-test-suite
new file mode 100644
index 0000000..427c710
--- /dev/null
+++ b/debian/tests/upstream-simulation-test-suite
@@ -0,0 +1,38 @@
+#!/bin/sh
+# Upstream makes use of “clknetsim” to test how well “chronyd” controls the
+# system clocks in various conditions. Due to “clknetsim” not being available
+# in Debian, let’s use autopkgtest facility to build it in a container and
+# test “chronyd” from there.
+
+set -e
+
+testdir="$PWD/test/simulation"
+clknetsim_ver=5d1dc05
+clknetsim_src=https://github.com/mlichvar/clknetsim/archive/"$clknetsim_ver"/clknetsim-"$clknetsim_ver".tar.gz
+clknetsim_archive=$(basename "$clknetsim_src")
+
+export CLKNETSIM_PATH="$AUTOPKGTEST_TMP"
+
+# Always use the same seed to get deterministic results
+export CLKNETSIM_RANDOM_SEED=24508
+
+DEB_HOST_MULTIARCH=$(dpkg-architecture -qDEB_HOST_MULTIARCH)
+
+# The simulation tests are only supported on Linux.
+dpkg-architecture -ilinux-any || exit 77
+
+prepare_clknetsim() {
+    wget -P "$CLKNETSIM_PATH" "$clknetsim_src" 2>&1 || exit 77
+    tar -xvzf "$CLKNETSIM_PATH"/"$clknetsim_archive" \
+        -C "$CLKNETSIM_PATH" --strip-components=1 2>&1 || exit 77
+
+    if [ ! -x "$CLKNETSIM_PATH/clknetsim" ] && [ ! -e "$CLKNETSIM_PATH/clknetsim.so" ]; then
+        make -C "$CLKNETSIM_PATH" 2>&1
+    fi
+}
+
+run_test() {
+    cd "$testdir" && ./run
+}
+
+prepare_clknetsim && run_test
diff --git a/debian/tests/upstream-system-tests b/debian/tests/upstream-system-tests
new file mode 100755
index 0000000..bd28a0c
--- /dev/null
+++ b/debian/tests/upstream-system-tests
@@ -0,0 +1,24 @@
+#!/bin/sh
+# Run the upstream system tests in a container. Destructive tests will be run in
+# a VM as they may adjust/step the system clock, block the RTC, etc.
+# In case of failure, test’s logs will be put into the directory specified by
+# the $AUTOPKGTEST_ARTIFACTS environment variable.
+
+set -e
+
+testdir=$PWD/test/system
+logdir="$testdir/tmp/*"
+
+# some tests need chrony installed, but make sure to avoid the test daemon is
+# fighting with the systems chrony service over the clock
+systemctl stop chrony.service 2>/dev/null || true
+
+run_test() {
+     cd "$testdir" && ./run "$@"
+}
+
+artifacts() {
+    cp $logdir "$AUTOPKGTEST_ARTIFACTS" && exit 1
+}
+
+run_test "$@" || artifacts