mirror of
https://github.com/NixOS/nixpkgs.git
synced 2025-06-11 12:15:34 +03:00
b84fb1e5cd
This commit adds two new tests to show that the ordering of password overrides documentation in nixos/modules/config/user-groups.nix is correct. The override behavior differs depending on whether a system has systemd-sysusers enabled, so there are two tests.
77 lines
2.7 KiB
Nix
77 lines
2.7 KiB
Nix
{
|
|
lib,
|
|
pkgs ? import ../..,
|
|
...
|
|
}:
|
|
let
|
|
password = "test";
|
|
password1 = "test1";
|
|
hashedPassword = "$y$j9T$wLgKY231.8j.ciV2MfEXe1$P0k5j3bCwHgnwW0Ive3w4knrgpiA4TzhCYLAnHvDZ51"; # test
|
|
hashedPassword1 = "$y$j9T$s8TyQJtNImvobhGM5Nlez0$3E8/O8EVGuA4sr1OQmrzi8GrRcy/AEhj454JjAn72A2"; # test
|
|
hashed_sha512crypt = "$6$ymzs8WINZ5wGwQcV$VC2S0cQiX8NVukOLymysTPn4v1zJoJp3NGyhnqyv/dAf4NWZsBWYveQcj6gEJr4ZUjRBRjM0Pj1L8TCQ8hUUp0"; # meow
|
|
|
|
hashedPasswordFile = pkgs.writeText "hashed-password" hashedPassword1;
|
|
in
|
|
{
|
|
name = "systemd-sysusers-password-option-override-ordering";
|
|
|
|
meta.maintainers = with lib.maintainers; [ fidgetingbits ];
|
|
|
|
nodes.machine = {
|
|
systemd.sysusers.enable = true;
|
|
system.etc.overlay.enable = true;
|
|
boot.initrd.systemd.enable = true;
|
|
|
|
users.mutableUsers = true;
|
|
|
|
# NOTE: Below given A -> B it implies B overrides A . Each entry below builds off the next
|
|
|
|
users.users.root = {
|
|
hashedPasswordFile = lib.mkForce null;
|
|
initialHashedPassword = password;
|
|
};
|
|
|
|
users.groups.test = { };
|
|
|
|
# initialPassword -> initialHashedPassword
|
|
users.users.alice = {
|
|
isSystemUser = true;
|
|
group = "test";
|
|
initialPassword = password;
|
|
initialHashedPassword = hashedPassword;
|
|
};
|
|
|
|
# initialPassword -> initialHashedPassword -> hashedPasswordFile
|
|
users.users.bob = {
|
|
isSystemUser = true;
|
|
group = "test";
|
|
initialPassword = password;
|
|
initialHashedPassword = hashedPassword;
|
|
hashedPasswordFile = hashedPasswordFile.outPath;
|
|
};
|
|
};
|
|
|
|
testScript = ''
|
|
machine.wait_for_unit("systemd-sysusers.service")
|
|
|
|
with subtest("systemd-sysusers.service contains the credentials"):
|
|
sysusers_service = machine.succeed("systemctl cat systemd-sysusers.service")
|
|
print(sysusers_service)
|
|
assert "SetCredential=passwd.plaintext-password.alice:${password}" in sysusers_service
|
|
|
|
with subtest("Correct mode on the password files"):
|
|
assert machine.succeed("stat -c '%a' /etc/passwd") == "644\n"
|
|
assert machine.succeed("stat -c '%a' /etc/group") == "644\n"
|
|
assert machine.succeed("stat -c '%a' /etc/shadow") == "0\n"
|
|
assert machine.succeed("stat -c '%a' /etc/gshadow") == "0\n"
|
|
|
|
with subtest("alice user has correct password"):
|
|
print(machine.succeed("getent shadow alice"))
|
|
assert "${hashedPassword}" in machine.succeed("getent shadow alice"), "alice user password is not correct"
|
|
|
|
with subtest("bob user has new password after switching to new generation"):
|
|
print(machine.succeed("getent passwd bob"))
|
|
print(machine.succeed("getent shadow bob"))
|
|
assert "${hashedPassword1}" in machine.succeed("getent shadow bob"), "bob user password is not correct"
|
|
'';
|
|
}
|