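# NixOS VM test for the `please` privilege-escalation tool (`security.please`).
#
# Six unprivileged users are created; only user0 is in `wheel`.  Two explicit
# rules are declared: user2 may run one binary as root, user4 may edit one file
# as root.  For every grant the script checks the positive path and a
# neighbouring user without the grant, and additionally that the granted user
# cannot use the rule for a different binary / file, so that a rule is never
# wider than the single target it names.
import ./make-test-python.nix ({ lib, ... }:
{
  name = "please";
  meta.maintainers = with lib.maintainers; [ azahi ];

  nodes.machine =
    { ... }:
    {
      # user0 .. user5 as normal users; user0 additionally joins `wheel`.
      users.users = lib.mkMerge [
        (lib.listToAttrs (map
          (n: lib.nameValuePair n { isNormalUser = true; })
          (lib.genList (x: "user${toString x}") 6)))
        {
          user0.extraGroups = [ "wheel" ];
        }
      ];

      security.please = {
        enable = true;
        # Test convenience only: lets wheel members escalate without a password
        # so the script can drive `please` non-interactively via `su`.
        wheelNeedsPassword = false;
        settings = {
          # The grant names the command by absolute path; the negative subtest
          # below checks that a different binary under the same prefix is refused.
          user2_run_true_as_root = {
            name = "user2";
            target = "root";
            rule = "/run/current-system/sw/bin/true";
            require_pass = false;
          };
          # An `edit` rule names a file rather than a command.
          user4_edit_etc_hosts_as_root = {
            name = "user4";
            type = "edit";
            target = "root";
            rule = "/etc/hosts";
            # NOTE(review): written as the Nix integer 644; assumed to be emitted
            # verbatim into the please config and read as octal digits — confirm.
            editmode = 644;
            require_pass = false;
          };
        };
      };
    };

  # `EDITOR=cat` makes pleaseedit a no-op edit: the file is read back unchanged,
  # so a successful invocation proves only that the rule granted access.
  testScript = ''
    with subtest("root: can run anything by default"):
        machine.succeed('please true')
    with subtest("root: can edit anything by default"):
        machine.succeed('EDITOR=cat pleaseedit /etc/hosts')

    with subtest("user0: can run as root because it's in the wheel group"):
        machine.succeed('su - user0 -c "please -u root true"')
    with subtest("user1: cannot run as root because it's not in the wheel group"):
        machine.fail('su - user1 -c "please -u root true"')

    with subtest("user0: can edit as root"):
        machine.succeed('su - user0 -c "EDITOR=cat pleaseedit /etc/hosts"')
    with subtest("user1: cannot edit as root"):
        machine.fail('su - user1 -c "EDITOR=cat pleaseedit /etc/hosts"')

    with subtest("user2: can run 'true' as root"):
        machine.succeed('su - user2 -c "please -u root true"')
    with subtest("user3: cannot run 'true' as root"):
        machine.fail('su - user3 -c "please -u root true"')
    # Scoping check: the rule must not extend to other binaries.  `id` is used
    # (not `false`) so that an unexpected grant would exit 0 and be caught.
    with subtest("user2: cannot run a binary other than 'true' as root"):
        machine.fail('su - user2 -c "please -u root id"')

    with subtest("user4: can edit /etc/hosts"):
        machine.succeed('su - user4 -c "EDITOR=cat pleaseedit /etc/hosts"')
    with subtest("user5: cannot edit /etc/hosts"):
        machine.fail('su - user5 -c "EDITOR=cat pleaseedit /etc/hosts"')
    # Scoping check: the edit rule must not extend to other files.
    with subtest("user4: cannot edit a file other than /etc/hosts"):
        machine.fail('su - user4 -c "EDITOR=cat pleaseedit /etc/passwd"')
  '';
})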