pyrox.dev
1# Some tests to ensure sudo is working properly.
2{ pkgs, ... }:
3let
4 inherit (pkgs.lib) mkIf optionalString;
5 password = "helloworld";
6in
7 import ./make-test-python.nix ({ lib, pkgs, ...} : {
8 name = "sudo-rs";
9 meta.maintainers = pkgs.sudo-rs.meta.maintainers;
10
11 nodes.machine =
12 { lib, ... }:
13 {
14 environment.systemPackages = [ pkgs.faketty ];
15 users.groups = { foobar = {}; barfoo = {}; baz = { gid = 1337; }; };
16 users.users = {
17 test0 = { isNormalUser = true; extraGroups = [ "wheel" ]; };
18 test1 = { isNormalUser = true; password = password; };
19 test2 = { isNormalUser = true; extraGroups = [ "foobar" ]; password = password; };
20 test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
21 test4 = { isNormalUser = true; extraGroups = [ "baz" ]; };
22 test5 = { isNormalUser = true; };
23 };
24
25 security.sudo.enable = false;
26
27 security.sudo-rs = {
28 enable = true;
29 package = pkgs.sudo-rs;
30 wheelNeedsPassword = false;
31
32 extraRules = [
33 # SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
34 # errors being detected by the visudo checks.
35
36 # These should not create any entries
37 { users = [ "notest1" ]; commands = [ ]; }
38 { commands = [ { command = "ALL"; options = [ ]; } ]; }
39
40 # Test defining commands with the options syntax, though not setting any options
41 { users = [ "notest2" ]; commands = [ { command = "ALL"; options = [ ]; } ]; }
42
43
44 # CONFIGURATION FOR TEST CASES
45 { users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
46 { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
47 { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; runAs = "test1:barfoo"; }
48 ];
49 };
50 };
51
52 nodes.strict = { ... }: {
53 environment.systemPackages = [ pkgs.faketty ];
54 users.users = {
55 admin = { isNormalUser = true; extraGroups = [ "wheel" ]; };
56 noadmin = { isNormalUser = true; };
57 };
58
59 security.sudo.enable = false;
60
61 security.sudo-rs = {
62 package = pkgs.sudo-rs;
63 enable = true;
64 wheelNeedsPassword = false;
65 execWheelOnly = true;
66 };
67 };
68
69 testScript =
70 ''
71 with subtest("users in wheel group should have passwordless sudo"):
72 machine.succeed('faketty -- su - test0 -c "sudo -u root true"')
73
74 with subtest("test1 user should have sudo with password"):
75 machine.succeed('faketty -- su - test1 -c "echo ${password} | sudo -S -u root true"')
76
77 with subtest("test1 user should not be able to use sudo without password"):
78 machine.fail('faketty -- su - test1 -c "sudo -n -u root true"')
79
80 with subtest("users in group 'foobar' should be able to use sudo with password"):
81 machine.succeed('faketty -- su - test2 -c "echo ${password} | sudo -S -u root true"')
82
83 with subtest("users in group 'barfoo' should be able to use sudo without password"):
84 machine.succeed("sudo -u test3 sudo -n -u root true")
85
86 with subtest("users in group 'baz' (GID 1337)"):
87 machine.succeed("sudo -u test4 sudo -n -u root echo true")
88
89 with subtest("test5 user should be able to run commands under test1"):
90 machine.succeed("sudo -u test5 sudo -n -u test1 true")
91
92 with subtest("test5 user should not be able to run commands under root"):
93 machine.fail("sudo -u test5 sudo -n -u root true 2>/dev/null")
94
95 with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
96 strict.succeed('faketty -- su - admin -c "sudo -u root true"')
97
98 with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
99 strict.fail('faketty -- su - noadmin -c "sudo --help"')
100 '';
101 })