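# NixOS VM test: checks which password option ends up in /etc/shadow when
# several of them are set for the same user under systemd-sysusers.
#
# NOTE(review): the `pkgs` default is `import ../..` without applying it to any
# arguments; presumably the test framework always passes `pkgs` - confirm.
{
  lib,
  pkgs ? import ../..,
  ...
}:
let
  # Throwaway credentials for the test VM only. The trailing `# test` notes
  # presumably record the plaintext each hash was generated from.
  password = "test";
  hashedPassword = "$y$j9T$wLgKY231.8j.ciV2MfEXe1$P0k5j3bCwHgnwW0Ive3w4knrgpiA4TzhCYLAnHvDZ51"; # test
  hashedPassword1 = "$y$j9T$s8TyQJtNImvobhGM5Nlez0$3E8/O8EVGuA4sr1OQmrzi8GrRcy/AEhj454JjAn72A2"; # test

  # pkgs.writeText places the hash in the Nix store, which is world-readable.
  # That is acceptable for a throwaway test hash; a real deployment should point
  # hashedPasswordFile at a file outside the store with restrictive permissions.
  hashedPasswordFile = pkgs.writeText "hashed-password" hashedPassword1;
in
{
  name = "systemd-sysusers-password-option-override-ordering";

  meta.maintainers = with lib.maintainers; [ fidgetingbits ];

  nodes.machine = {
    systemd.sysusers.enable = true;
    system.etc.overlay.enable = true;
    boot.initrd.systemd.enable = true;

    users.mutableUsers = true;

    # NOTE: in the comments below, `A -> B` means that B overrides A. Each user
    # builds on the previous one by setting one more password option.

    users.users.root = {
      # Force-clear any hashedPasswordFile defined elsewhere for root.
      hashedPasswordFile = lib.mkForce null;
      # NOTE(review): `password` is the plaintext literal, not a crypt(3) hash;
      # presumably root only needs some value here - confirm the intent.
      initialHashedPassword = password;
    };

    users.groups.test = { };

    # initialPassword -> initialHashedPassword
    users.users.alice = {
      isSystemUser = true;
      group = "test";
      initialPassword = password;
      initialHashedPassword = hashedPassword;
    };

    # initialPassword -> initialHashedPassword -> hashedPasswordFile
    users.users.bob = {
      isSystemUser = true;
      group = "test";
      initialPassword = password;
      initialHashedPassword = hashedPassword;
      hashedPasswordFile = hashedPasswordFile.outPath;
    };
  };

  testScript = ''
    machine.wait_for_unit("systemd-sysusers.service")

    with subtest("systemd-sysusers.service contains the credentials"):
        sysusers_service = machine.succeed("systemctl cat systemd-sysusers.service")
        print(sysusers_service)
        # Both are in the unit, but the hashed password takes precedence as shown below.
        # The plaintext initialPassword is embedded verbatim in the unit text, so
        # anyone able to read the unit can read it; outside of tests prefer the
        # hashed options.
        assert "SetCredential=passwd.plaintext-password.alice:${password}" in sysusers_service
        assert "SetCredential=passwd.hashed-password.alice:${hashedPassword}" in sysusers_service

    with subtest("Correct mode on the password files"):
        # passwd and group stay world-readable; the shadow files must carry no
        # permission bits at all, which stat prints as a bare 0.
        assert machine.succeed("stat -c '%a' /etc/passwd") == "644\n"
        assert machine.succeed("stat -c '%a' /etc/group") == "644\n"
        assert machine.succeed("stat -c '%a' /etc/shadow") == "0\n"
        assert machine.succeed("stat -c '%a' /etc/gshadow") == "0\n"

    with subtest("alice user has correct password"):
        # Query once and reuse the output for both the log and the assertion.
        alice_shadow = machine.succeed("getent shadow alice")
        print(alice_shadow)
        assert "${hashedPassword}" in alice_shadow, "alice user password is not correct"

    # The script never switches generations, so the label names what is
    # actually checked: the hash from hashedPasswordFile wins for bob.
    with subtest("bob user has password from hashedPasswordFile"):
        print(machine.succeed("getent passwd bob"))
        bob_shadow = machine.succeed("getent shadow bob")
        print(bob_shadow)
        assert "${hashedPassword1}" in bob_shadow, "bob user password is not correct"
  '';
}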