# NixOS VM test for the `security.please` module (a sudo/doas-style
# privilege-escalation tool with a separate `pleaseedit` for file edits).
#
# Fixture: six ordinary accounts user0..user5. user0 is additionally a member
# of `wheel`, so it is covered by the wheel rule; user2 and user4 receive one
# explicit, narrowly scoped rule each; user1, user3 and user5 have no grant at
# all and serve as the negative cases. Every rule is passwordless only because
# the test script is non-interactive — `wheelNeedsPassword = false` and
# `require_pass = false` are test fixtures, not a recommended baseline.
import ./make-test-python.nix (
  { lib, ... }:
  let
    # "user0" .. "user5", all plain (non-system) accounts.
    userNames = map (i: "user${toString i}") (lib.range 0 5);
    plainUsers = lib.genAttrs userNames (_: { isNormalUser = true; });
  in
  {
    name = "please";
    meta.maintainers = [ ];

    nodes.machine =
      { ... }:
      {
        # The six accounts above; only user0 additionally joins `wheel`.
        users.users = lib.recursiveUpdate plainUsers {
          user0.extraGroups = [ "wheel" ];
        };

        security.please = {
          enable = true;
          # wheel members escalate without a password (needed for the
          # non-interactive `su - user0 -c ...` calls in testScript).
          wheelNeedsPassword = false;
          settings = {
            # user2 may run exactly this one binary as root, nothing else.
            user2_run_true_as_root = {
              name = "user2";
              target = "root";
              rule = "/run/current-system/sw/bin/true";
              require_pass = false;
            };
            # user4 may edit exactly /etc/hosts as root via `pleaseedit`.
            user4_edit_etc_hosts_as_root = {
              name = "user4";
              type = "edit";
              target = "root";
              rule = "/etc/hosts";
              # Emitted into the please config verbatim as `644`; presumably
              # the mode applied to the edited file — NOTE(review): confirm
              # against please's documentation whether this is read as octal.
              editmode = 644;
              require_pass = false;
            };
          };
        };
      };

    # Each grant is checked together with its negative counterpart: the user
    # without the grant (or without wheel membership) must be refused.
    testScript = ''
      with subtest("root: can run anything by default"):
          machine.succeed('please true')
      with subtest("root: can edit anything by default"):
          machine.succeed('EDITOR=cat pleaseedit /etc/hosts')

      with subtest("user0: can run as root because it's in the wheel group"):
          machine.succeed('su - user0 -c "please -u root true"')
      with subtest("user1: cannot run as root because it's not in the wheel group"):
          machine.fail('su - user1 -c "please -u root true"')

      with subtest("user0: can edit as root"):
          machine.succeed('su - user0 -c "EDITOR=cat pleaseedit /etc/hosts"')
      with subtest("user1: cannot edit as root"):
          machine.fail('su - user1 -c "EDITOR=cat pleaseedit /etc/hosts"')

      with subtest("user2: can run 'true' as root"):
          machine.succeed('su - user2 -c "please -u root true"')
      with subtest("user3: cannot run 'true' as root"):
          machine.fail('su - user3 -c "please -u root true"')

      with subtest("user4: can edit /etc/hosts"):
          machine.succeed('su - user4 -c "EDITOR=cat pleaseedit /etc/hosts"')
      with subtest("user5: cannot edit /etc/hosts"):
          machine.fail('su - user5 -c "EDITOR=cat pleaseedit /etc/hosts"')
    '';
  }
)