nixpkgs/nixos/tests/sudo-rs.nix

# Some tests to ensure sudo is working properly.
{ pkgs, ... }:
let
  inherit (pkgs.lib) mkIf optionalString;
  password = "helloworld";
in
import ./make-test-python.nix (
  { lib, pkgs, ... }:
  {
    name = "sudo-rs";
    meta.maintainers = pkgs.sudo-rs.meta.maintainers;

    nodes.machine =
      { lib, ... }:
      {
        environment.systemPackages = [ pkgs.faketty ];
        users.groups = {
          foobar = { };
          barfoo = { };
          baz = {
            gid = 1337;
          };
        };
        users.users = {
          test0 = {
            isNormalUser = true;
            extraGroups = [ "wheel" ];
          };
          test1 = {
            isNormalUser = true;
            password = password;
          };
          test2 = {
            isNormalUser = true;
            extraGroups = [ "foobar" ];
            password = password;
          };
          test3 = {
            isNormalUser = true;
            extraGroups = [ "barfoo" ];
          };
          test4 = {
            isNormalUser = true;
            extraGroups = [ "baz" ];
          };
          test5 = {
            isNormalUser = true;
          };
        };

        security.sudo-rs = {
          enable = true;
          wheelNeedsPassword = false;

          extraRules = [
            # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
            # errors being detected by the visudo checks.

            # These should not create any entries
            {
              users = [ "notest1" ];
              commands = [ ];
            }
            {
              commands = [
                {
                  command = "ALL";
                  options = [ ];
                }
              ];
            }

            # Test defining commands with the options syntax, though not setting any options
            {
              users = [ "notest2" ];
              commands = [
                {
                  command = "ALL";
                  options = [ ];
                }
              ];
            }

            # CONFIGURATION FOR TEST CASES
            {
              users = [ "test1" ];
              groups = [ "foobar" ];
              commands = [ "ALL" ];
            }
            {
              groups = [
                "barfoo"
                1337
              ];
              commands = [
                {
                  command = "ALL";
                  options = [ "NOPASSWD" ];
                }
              ];
            }
            {
              users = [ "test5" ];
              commands = [
                {
                  command = "ALL";
                  options = [ "NOPASSWD" ];
                }
              ];
              runAs = "test1:barfoo";
            }
          ];
        };
      };

    nodes.strict =
      { ... }:
      {
        environment.systemPackages = [ pkgs.faketty ];
        users.users = {
          admin = {
            isNormalUser = true;
            extraGroups = [ "wheel" ];
          };
          noadmin = {
            isNormalUser = true;
          };
        };

        security.sudo-rs = {
          enable = true;
          wheelNeedsPassword = false;
          execWheelOnly = true;
        };
      };

    testScript = ''
      with subtest("users in wheel group should have passwordless sudo"):
          machine.succeed('faketty -- su - test0 -c "sudo -u root true"')

      with subtest("test1 user should have sudo with password"):
          machine.succeed('faketty -- su - test1 -c "echo ${password} | sudo -S -u root true"')

      with subtest("test1 user should not be able to use sudo without password"):
          machine.fail('faketty -- su - test1 -c "sudo -n -u root true"')

      with subtest("users in group 'foobar' should be able to use sudo with password"):
          machine.succeed('faketty -- su - test2 -c "echo ${password} | sudo -S -u root true"')

      with subtest("users in group 'barfoo' should be able to use sudo without password"):
          machine.succeed("sudo -u test3 sudo -n -u root true")

      with subtest("users in group 'baz' (GID 1337)"):
          machine.succeed("sudo -u test4 sudo -n -u root echo true")

      with subtest("test5 user should be able to run commands under test1"):
          machine.succeed("sudo -u test5 sudo -n -u test1 true")

      with subtest("test5 user should not be able to run commands under root"):
          machine.fail("sudo -u test5 sudo -n -u root true 2>/dev/null")

      with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
          strict.succeed('faketty -- su - admin -c "sudo -u root true"')

      with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
          strict.fail('faketty -- su - noadmin -c "sudo --help"')
    '';
  }
)
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00			`# Some tests to ensure sudo is working properly.`
nixosTests.sudo-rs: fix syntax 2023-09-20 11:58:08 +00:00			`{ pkgs, ... }:`
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00			`let`
			`inherit (pkgs.lib) mkIf optionalString;`
			`password = "helloworld";`
			`in`
			`import ./make-test-python.nix (`
			`{ lib, pkgs, ... }:`
			`{`
nixosTests.sudo-rs: use sudo-rs As the module was renamed, we need to use the new one 2023-09-21 13:12:00 +00:00			`name = "sudo-rs";`
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00			`meta.maintainers = pkgs.sudo-rs.meta.maintainers;`

			`nodes.machine =`
			`{ lib, ... }:`
			`{`
			`environment.systemPackages = [ pkgs.faketty ];`
			`users.groups = {`
			`foobar = { };`
			`barfoo = { };`
			`baz = {`
			`gid = 1337;`
			`};`
			`};`
			`users.users = {`
			`test0 = {`
			`isNormalUser = true;`
			`extraGroups = [ "wheel" ];`
			`};`
			`test1 = {`
			`isNormalUser = true;`
			`password = password;`
			`};`
			`test2 = {`
			`isNormalUser = true;`
			`extraGroups = [ "foobar" ];`
			`password = password;`
			`};`
			`test3 = {`
			`isNormalUser = true;`
			`extraGroups = [ "barfoo" ];`
			`};`
			`test4 = {`
			`isNormalUser = true;`
			`extraGroups = [ "baz" ];`
			`};`
			`test5 = {`
			`isNormalUser = true;`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 19:26:33 +00:00			`};`
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00			`};`

nixosTests.sudo-rs: use sudo-rs As the module was renamed, we need to use the new one 2023-09-21 13:12:00 +00:00			`security.sudo-rs = {`
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00			`enable = true;`
			`wheelNeedsPassword = false;`

			`extraRules = [`
			`# SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;`
			`# errors being detected by the visudo checks.`

			`# These should not create any entries`
			`{`
			`users = [ "notest1" ];`
			`commands = [ ];`
			`}`
			`{`
			`commands = [`
			`{`
			`command = "ALL";`
			`options = [ ];`
			`}`
			`];`
			`}`

			`# Test defining commands with the options syntax, though not setting any options`
			`{`
			`users = [ "notest2" ];`
			`commands = [`
			`{`
			`command = "ALL";`
			`options = [ ];`
			`}`
			`];`
			`}`

			`# CONFIGURATION FOR TEST CASES`
			`{`
			`users = [ "test1" ];`
			`groups = [ "foobar" ];`
			`commands = [ "ALL" ];`
			`}`
			`{`
			`groups = [`
			`"barfoo"`
			`1337`
			`];`
			`commands = [`
			`{`
			`command = "ALL";`
			`options = [ "NOPASSWD" ];`
			`}`
			`];`
			`}`
			`{`
			`users = [ "test5" ];`
			`commands = [`
			`{`
			`command = "ALL";`
			`options = [ "NOPASSWD" ];`
			`}`
			`];`
			`runAs = "test1:barfoo";`
			`}`
			`];`
			`};`
			`};`

			`nodes.strict =`
			`{ ... }:`
			`{`
			`environment.systemPackages = [ pkgs.faketty ];`
			`users.users = {`
			`admin = {`
			`isNormalUser = true;`
			`extraGroups = [ "wheel" ];`
			`};`
			`noadmin = {`
			`isNormalUser = true;`
			`};`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 19:26:33 +00:00			`};`
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00
nixosTests.sudo-rs: use sudo-rs As the module was renamed, we need to use the new one 2023-09-21 13:12:00 +00:00			`security.sudo-rs = {`
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00			`enable = true;`
			`wheelNeedsPassword = false;`
			`execWheelOnly = true;`
treewide: format all inactive Nix files After final improvements to the official formatter implementation, this commit now performs the first treewide reformat of Nix files using it. This is part of the implementation of RFC 166. Only "inactive" files are reformatted, meaning only files that aren't being touched by any PR with activity in the past 2 months. This is to avoid conflicts for PRs that might soon be merged. Later we can do a full treewide reformat to get the rest, which should not cause as many conflicts. A CI check has already been running for some time to ensure that new and already-formatted files are formatted, so the files being reformatted here should also stay formatted. This commit was automatically created and can be verified using nix-build https://github.com/infinisil/treewide-nixpkgs-reformat-script/archive/a08b3a4d199c6124ac5b36a889d9099b4383463f.tar.gz \ --argstr baseRev b32a0943687d2a5094a6d92f25a4b6e16a76b5b7 result/bin/apply-formatting $NIXPKGS_PATH 2024-12-10 19:26:33 +00:00			`};`
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00			`};`

			`testScript = ''`
			`with subtest("users in wheel group should have passwordless sudo"):`
			`machine.succeed('faketty -- su - test0 -c "sudo -u root true"')`

			`with subtest("test1 user should have sudo with password"):`
			`machine.succeed('faketty -- su - test1 -c "echo ${password} \| sudo -S -u root true"')`

			`with subtest("test1 user should not be able to use sudo without password"):`
			`machine.fail('faketty -- su - test1 -c "sudo -n -u root true"')`

			`with subtest("users in group 'foobar' should be able to use sudo with password"):`
			`machine.succeed('faketty -- su - test2 -c "echo ${password} \| sudo -S -u root true"')`

			`with subtest("users in group 'barfoo' should be able to use sudo without password"):`
			`machine.succeed("sudo -u test3 sudo -n -u root true")`

			`with subtest("users in group 'baz' (GID 1337)"):`
			`machine.succeed("sudo -u test4 sudo -n -u root echo true")`

			`with subtest("test5 user should be able to run commands under test1"):`
			`machine.succeed("sudo -u test5 sudo -n -u test1 true")`

			`with subtest("test5 user should not be able to run commands under root"):`
nixosTests.sudo-rs: use sudo-rs As the module was renamed, we need to use the new one 2023-09-21 13:12:00 +00:00			`machine.fail("sudo -u test5 sudo -n -u root true 2>/dev/null")`
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00
			`with subtest("users in wheel should be able to run sudo despite execWheelOnly"):`
			`strict.succeed('faketty -- su - admin -c "sudo -u root true"')`

			`with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):`
			`strict.fail('faketty -- su - noadmin -c "sudo --help"')`
nixosTests.sudo-rs: fix syntax 2023-09-20 11:58:08 +00:00			`'';`
nixos/sudo: Add tests for sudo-rs too Duplicated sudo's testsuite for now, as its maintainer does not with to collaborate on testing effors; see #253876. Environment-related tests were removed, as sudo-rs does not support `(NO)SETENV` yet; see memorysafety/sudo-rs#760 2023-09-07 15:53:18 +00:00			`}`
			`)`