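#!/usr/bin/env bats
# KNEL-Football System Tests - Full Disk Encryption Verification
# Tests for FDE configuration and runtime behavior
# Copyright © 2026 Known Element Enterprises LLC
# License: GNU Affero General Public License v3.0 only

# These tests verify FDE configuration and behavior.
#
# Most tests here are static checks: they grep the build hooks and the
# hardening script for the expected configuration tokens. They prove that
# the source *mentions* a setting, not that the installed system enforces
# it; only the runtime tests at the bottom exercise behavior, and those
# still need a VM or manual verification.

# Paths under test, relative to the repository root (bats must be run from
# there - the relative paths assume it). Defined in setup() so every test
# sees them without repeating the literals.
setup() {
  ENC_SETUP="config/hooks/installed/encryption-setup.sh"
  ENC_VALIDATE="config/hooks/installed/encryption-validation.sh"
  PRESEED="config/includes.installer/preseed.cfg"
  HARDENING="src/security-hardening.sh"
  TEST_VM="knel-football-test"
}

#######################################
# Skip the calling test unless the test VM reports "running" via virsh.
# Distinguishes "virsh not installed" from "VM not started" so the skip
# reason in the run output is actionable.
# Globals:   TEST_VM (read)
# Returns:   0 if the VM is running; otherwise skips the current test
#######################################
require_running_vm() {
  if ! command -v virsh >/dev/null 2>&1; then
    skip "virsh not available - VM-backed tests need libvirt"
  fi
  if ! virsh domstate "$TEST_VM" 2>/dev/null | grep -q "running"; then
    skip "VM not running - start with ./run.sh test:iso create"
  fi
}

# Test: Verify encryption setup script exists
@test "Encryption setup script exists" {
  [ -f "$ENC_SETUP" ]
}

@test "Encryption setup script is executable" {
  [ -x "$ENC_SETUP" ]
}

@test "Encryption validation script exists" {
  [ -f "$ENC_VALIDATE" ]
}

# Test: Verify LUKS2 configuration
# Multiple -e patterns are used instead of the GNU-only "\|" alternation.
@test "Encryption uses LUKS2 format" {
  grep -q -e "luks2" -e "LUKS2" "$ENC_SETUP"
}

@test "Encryption uses AES-256-XTS cipher" {
  grep -q -e "aes-xts" -e "aes_xts" -e "AES-256-XTS" "$ENC_SETUP"
}

@test "Encryption uses 512-bit key" {
  # NOTE(review): a bare "512" also matches unrelated tokens (sha512, 512M,
  # ...), so this check is weak. TODO: anchor it to the key-size option once
  # the exact flag form used by the setup script is confirmed.
  grep -q "512" "$ENC_SETUP"
}

# Test: Verify encryption components
@test "Encryption setup includes cryptsetup" {
  grep -q "cryptsetup" "$ENC_SETUP"
}

@test "Encryption setup configures initramfs" {
  grep -q "initramfs" "$ENC_SETUP"
}

@test "Encryption setup configures crypttab" {
  grep -q "crypttab" "$ENC_SETUP"
}

@test "Encryption setup includes dm-crypt module" {
  grep -q "dm_crypt" "$ENC_SETUP"
}

# Test: Verify encryption helper scripts are created
@test "Encryption setup creates check-encryption.sh" {
  grep -q "check-encryption.sh" "$ENC_SETUP"
}

@test "Encryption setup creates manage-encryption-keys.sh" {
  grep -q "manage-encryption-keys.sh" "$ENC_SETUP"
}

@test "Encryption setup creates systemd service" {
  grep -q "knel-encryption-check.service" "$ENC_SETUP"
}

# Test: Verify preseed has crypto partitioning
@test "Preseed has crypto configuration" {
  [ -f "$PRESEED" ]
  # The previous version appended "|| true" to the grep, so a preseed with
  # no crypto stanza passed silently. Report that state as a skip instead:
  # it stays visible in the run output without turning a best-effort check
  # into a hard failure.
  if ! grep -q -e "crypto" -e "Crypto" -e "encrypted" -e "luks" "$PRESEED"; then
    skip "no crypto/LUKS configuration found in preseed.cfg"
  fi
}

# Test: Verify encryption README is created
@test "Encryption setup creates README with recovery info" {
  grep -q "README.txt" "$ENC_SETUP"
  grep -q -e "recovery" -e "Recovery" "$ENC_SETUP"
}

# Test: Verify password policy is configured
@test "Password policy script exists" {
  [ -f "$HARDENING" ]
}

@test "Password policy requires 14+ characters" {
  grep -q -e "minlen = 14" -e "minlen=14" "$HARDENING"
}

@test "Password policy requires character classes" {
  # The earlier single alternation passed when ANY one class credit was
  # set. The test name only holds if all four classes (digit, upper, lower,
  # other) are required, so each credit is checked on its own; the regex
  # accepts both "dcredit = -1" and "dcredit=-1".
  local credit
  for credit in dcredit ucredit lcredit ocredit; do
    grep -qE "${credit} *= *-1" "$HARDENING"
  done
}

@test "Password policy enforces complexity" {
  grep -q -e "enforcing = 1" -e "enforcing=1" "$HARDENING"
}

# Runtime FDE tests (require VM)
# These are placeholders for manual verification
@test "FDE passphrase prompt appears at boot (requires VM)" {
  require_running_vm
  # FDE prompt verification requires console access
  skip "Requires manual verification: watch for 'Please unlock disk' prompt"
}

@test "Encryption status check works (requires VM)" {
  require_running_vm
  # Would need to run check-encryption.sh inside VM
  skip "Requires running system with check-encryption.sh"
}

@test "Wrong passphrase rejected (requires VM)" {
  # This test requires manual verification
  skip "Requires manual verification: try wrong passphrase at boot"
}

@test "Correct passphrase accepted (requires VM)" {
  # This test requires manual verification
  skip "Requires manual verification: enter correct passphrase at boot"
}

@test "System boots after decryption (requires VM)" {
  # This test requires manual verification
  skip "Requires manual verification: system reaches login prompt"
}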