From 2ed8b2997ca893b8cb1764caf34815a91a8b1ab7 Mon Sep 17 00:00:00 2001 From: Justin Cormack Date: Tue, 22 Aug 2017 13:23:27 +0100 Subject: [PATCH] Add a test for Wireguard This is based on the example, but modified so that it can work as a test. It is slightly less convenient running services as tests as the output is sent to log files, so we have an `onshutdown` container that checks to see if the test passed. Signed-off-by: Justin Cormack
---
.../cases/040_packages/023_wireguard/check.sh | 27 ++++++ .../023_wireguard/test-wireguard.yml | 90 +++++++++++++++++++ test/cases/040_packages/023_wireguard/test.sh | 23 +++++ 3 files changed, 140 insertions(+) create mode 100755 test/cases/040_packages/023_wireguard/check.sh create mode 100644 test/cases/040_packages/023_wireguard/test-wireguard.yml create mode 100644 test/cases/040_packages/023_wireguard/test.sh
diff --git a/test/cases/040_packages/023_wireguard/check.sh b/test/cases/040_packages/023_wireguard/check.sh
new file mode 100755
index 000000000..c0ad28a0d
--- /dev/null
+++ b/test/cases/040_packages/023_wireguard/check.sh
@@ -0,0 +1,27 @@
+#!/bin/sh
+
+function success {
+ printf "wireguard test suite PASSED\n" >&1
+ exit 0
+}
+
+function failed {
+ printf "wireguard test suite FAILED\n" >&1
+ exit 1
+}
+
+if [ "$1" = "shutdown" ]
+then
+ [ -f /tmp/ok ] && success
+ failed
+ exit 0
+fi
+
+# Nginx may not be up immediately as service startup is async
+for s in $(seq 1 10)
+do
+ wget -O - http://192.168.2.1/ && echo "success" > /tmp/ok && halt
+ sleep 1
+done
+
+halt
diff --git a/test/cases/040_packages/023_wireguard/test-wireguard.yml b/test/cases/040_packages/023_wireguard/test-wireguard.yml
new file mode 100644
index 000000000..51b08a290
--- /dev/null
+++ b/test/cases/040_packages/023_wireguard/test-wireguard.yml
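Review bot: The `wget -O - http://192.168.2.1/` call in check.sh's retry loop has no timeout, so if the WireGuard handshake never completes each attempt presumably blocks until the TCP connect gives up and the test hangs instead of failing. Bounding the attempt, e.g. `wget -T 5 -O - http://192.168.2.1/ && echo "success" > /tmp/ok && halt` (assuming the image's wget applies `-T` to the connect as well), keeps the ten-try loop to a known duration. In the `shutdown` branch the `exit 0` after `failed` is unreachable because `failed` already exits 1, and it reads as if a failure could still exit 0, so it should be dropped. The `function name {` form is not POSIX under `#!/bin/sh`; `success() {` would match the shebang and the `clean_up() {` style used in test.sh.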
@@ -0,0 +1,90 @@
+kernel:
+ image: linuxkit/kernel:4.9.43
+ cmdline: "console=ttyS0"
+init:
+ - linuxkit/init:2122f8b7202b383c1be0a91a02122b0c078ca6ac
+ - linuxkit/runc:a1b564248a0d0b118c11e61db9f84ecf41dd2d2a
+ - linuxkit/containerd:8e4aa6c09e9bceee8300a315c23e0333e187f5fa
+ - linuxkit/ca-certificates:e44b0a66df5a102c0e220f0066b0d904710dcb10
+onboot:
+ - name: dhcpcd
+ image: linuxkit/dhcpcd:f3f5413abb78fae9020e35bd4788fa93df4530b7
+ command: ["/sbin/dhcpcd", "--nobackground", "-f", "/dhcpcd.conf", "-1"]
+ - name: wg0
+ image: linuxkit/ip:b084fd2ada446015e00e43a441bb0ae41ff8b227
+ net: new
+ binds:
+ - /etc/wireguard:/etc/wireguard
+ command: ["sh", "-c", "ip link set dev wg0 up; ip address add dev wg0 192.168.2.1/24; wg setconf wg0 /etc/wireguard/wg0.conf; wg show wg0"]
+ runtime:
+ interfaces:
+ - name: wg0
+ add: wireguard
+ createInRoot: true
+ bindNS:
+ net: /run/netns/wg0
+ - name: wg1
+ image: linuxkit/ip:b084fd2ada446015e00e43a441bb0ae41ff8b227
+ net: new
+ binds:
+ - /etc/wireguard:/etc/wireguard
+ command: ["sh", "-c", "ip link set dev wg1 up; ip address add dev wg1 192.168.2.2/24; wg setconf wg1 /etc/wireguard/wg1.conf; wg show wg1"]
+ runtime:
+ interfaces:
+ - name: wg1
+ add: wireguard
+ createInRoot: true
+ bindNS:
+ net: /run/netns/wg1
+onshutdown:
+ - name: test2
+ image: alpine:3.6
+ binds:
+ - /tmp:/tmp
+ - /check.sh:/check.sh
+ command: ["sh", "./check.sh", "shutdown"]
+services:
+ - name: nginx
+ image: nginx:alpine
+ net: /run/netns/wg0
+ capabilities:
+ - CAP_NET_BIND_SERVICE
+ - CAP_CHOWN
+ - CAP_SETUID
+ - CAP_SETGID
+ - CAP_DAC_OVERRIDE
+ - name: test
+ image: alpine:3.6
+ net: /run/netns/wg1
+ pid: host
+ capabilities:
+ - CAP_KILL
+ binds:
+ - /tmp:/tmp
+ - /check.sh:/check.sh
+ command: ["sh", "./check.sh"]
+files:
+ - path: etc/wireguard/wg0.conf
+ contents: |
+ [Interface]
+ PrivateKey = KG7EKkHDkp7THfW5mOXcZzo3RbGAjq+ARMfJGFm5G1s=
+ ListenPort = 51820
+ [Peer]
+ PublicKey = ZP7h1OjA1oIAmsAvMKujp2RAAC/f0kY814b3Xq6j/0Y=
+ AllowedIPs = 
0.0.0.0/0
+ Endpoint = 127.0.0.1:51821
+ - path: etc/wireguard/wg1.conf
+ contents: |
+ [Interface]
+ PrivateKey = SCGCKDuTm4PMOw+LXdK/2s8mxnv145QHOohKRq3vc2A=
+ ListenPort = 51821
+ [Peer]
+ PublicKey = AcS5t3PC5nL/oj0sYhc3yFpDlRaXoJ0mfEq6iq0rFF4=
+ AllowedIPs = 0.0.0.0/0
+ Endpoint = 127.0.0.1:51820
+ - path: check.sh
+ source: ./check.sh
+trust:
+ org:
+ - linuxkit
+ - library
diff --git a/test/cases/040_packages/023_wireguard/test.sh b/test/cases/040_packages/023_wireguard/test.sh
new file mode 100644
index 000000000..b328662b0
--- /dev/null
+++ b/test/cases/040_packages/023_wireguard/test.sh
@@ -0,0 +1,23 @@
+#!/bin/sh
+# SUMMARY: Check that wireguard works
+# LABELS:
+# REPEAT:
+
+set -e
+
+# Source libraries. Uncomment if needed/defined
+#. "${RT_LIB}"
+. "${RT_PROJECT_ROOT}/_lib/lib.sh"
+
+clean_up() {
+ find . -depth -iname "test-wireguard*" -not -iname "*.yml" -exec rm -rf {} \;
+}
+trap clean_up EXIT
+
+# Test code goes here
+moby build -output kernel+initrd test-wireguard.yml
+RESULT="$(linuxkit run test-wireguard)"
+echo "${RESULT}"
+echo "${RESULT}" | grep -q "suite PASSED"
+
+exit 0
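Review bot: The two `PrivateKey` values under `files:` in test-wireguard.yml are committed in clear text with nothing marking them as fixtures, so secret scanners will flag them and anyone copying this case as a template may carry them into a real configuration. A YAML comment above the `- path: etc/wireguard/wg0.conf` entry would settle that, for example `# Throwaway key pairs generated for this test only; never reuse them`. `AllowedIPs = 0.0.0.0/0` on both peers is wider than the test needs; `192.168.2.2/32` in wg0.conf and `192.168.2.1/32` in wg1.conf would show the least-privilege form. The `nginx:alpine` service image is a floating tag, unlike the hash-pinned linuxkit images, so the image under test can change whenever the tag moves.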
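Review bot: With `set -e` in effect, a non-zero exit from `linuxkit run test-wireguard` in test.sh aborts the script at the `RESULT=` assignment, before either `echo`, so the console output that would explain the failure is never printed. Printing it on that path keeps the log usable: `RESULT="$(linuxkit run test-wireguard)" || { echo "${RESULT}"; exit 1; }`. The run itself has no visible upper bound, and whether the harness enforces one cannot be seen from this file.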