# Some tests to ensure sudo is working properly.
#
# NixOS VM test for the sudo-rs module. Two nodes are built: `machine` gets a
# rule set from `extraRules` covering user, group and GID based grants plus a
# restricted `runAs`; `strict` only checks `execWheelOnly`.
{ pkgs, ... }:
let
  # Shared plain-text password for the accounts that have to authenticate.
  # It is only ever piped into `sudo -S` inside the throw-away VM.
  password = "helloworld";

  # Every test account is an ordinary login; extra attributes (groups,
  # password) are merged on top of that.
  normalUser = extra: { isNormalUser = true; } // extra;

  # `faketty` provides the pseudo-terminal that the `su -` invocations in the
  # test script run under.
  testTools = [ pkgs.faketty ];

  # Command lists reused by several rules below.
  allWithoutOptions = [
    {
      command = "ALL";
      options = [ ];
    }
  ];
  allNoPasswd = [
    {
      command = "ALL";
      options = [ "NOPASSWD" ];
    }
  ];
in
{
  name = "sudo-rs";
  meta.maintainers = pkgs.sudo-rs.meta.maintainers;

  nodes = {
    machine =
      { lib, ... }:
      {
        environment.systemPackages = testTools;

        users.groups = {
          foobar = { };
          barfoo = { };
          # Granted by numeric GID rather than by name in the rules below.
          baz.gid = 1337;
        };

        users.users = {
          # wheel member; no password needed because wheelNeedsPassword = false.
          test0 = normalUser { extraGroups = [ "wheel" ]; };
          # Named directly in a rule; must authenticate.
          test1 = normalUser { inherit password; };
          # Granted via group foobar; must authenticate.
          test2 = normalUser {
            extraGroups = [ "foobar" ];
            inherit password;
          };
          # Granted via group barfoo with NOPASSWD.
          test3 = normalUser { extraGroups = [ "barfoo" ]; };
          # Granted via GID 1337 (baz) with NOPASSWD.
          test4 = normalUser { extraGroups = [ "baz" ]; };
          # May only run commands as test1 (runAs), never as root.
          test5 = normalUser { };
        };

        security.sudo-rs = {
          enable = true;
          wheelNeedsPassword = false;

          # Rule order is kept as written: sudoers resolves overlapping entries
          # by position (the last matching entry wins), so reordering would
          # change which grant applies.
          extraRules = [
            # SUDOERS SYNTAX CHECK: these exercise the module's output so that
            # an invalid rendering is caught by the visudo check at build time.

            # These should not create any entries.
            {
              users = [ "notest1" ];
              commands = [ ];
            }
            {
              commands = allWithoutOptions;
            }

            # Commands given in the options syntax without setting any options.
            {
              users = [ "notest2" ];
              commands = allWithoutOptions;
            }

            # CONFIGURATION FOR TEST CASES
            {
              users = [ "test1" ];
              groups = [ "foobar" ];
              commands = [ "ALL" ];
            }
            {
              groups = [
                "barfoo"
                1337
              ];
              commands = allNoPasswd;
            }
            {
              users = [ "test5" ];
              commands = allNoPasswd;
              runAs = "test1:barfoo";
            }
          ];
        };
      };

    strict =
      { ... }:
      {
        environment.systemPackages = testTools;

        users.users = {
          admin = normalUser { extraGroups = [ "wheel" ]; };
          noadmin = normalUser { };
        };

        security.sudo-rs = {
          enable = true;
          wheelNeedsPassword = false;
          # Only wheel members may execute the sudo binary at all; the script
          # checks that `noadmin` cannot even run `sudo --help`.
          execWheelOnly = true;
        };
      };
  };

  # Python test driver. The "without password" cases use `sudo -n` so that a
  # missing credential fails the command instead of blocking on a prompt.
  testScript = # python
    ''
      with subtest("users in wheel group should have passwordless sudo"):
          machine.succeed('faketty -- su - test0 -c "sudo -u root true"')

      with subtest("test1 user should have sudo with password"):
          machine.succeed('faketty -- su - test1 -c "echo ${password} | sudo -S -u root true"')

      with subtest("test1 user should not be able to use sudo without password"):
          machine.fail('faketty -- su - test1 -c "sudo -n -u root true"')

      with subtest("users in group 'foobar' should be able to use sudo with password"):
          machine.succeed('faketty -- su - test2 -c "echo ${password} | sudo -S -u root true"')

      with subtest("users in group 'barfoo' should be able to use sudo without password"):
          machine.succeed("sudo -u test3 sudo -n -u root true")

      with subtest("users in group 'baz' (GID 1337)"):
          machine.succeed("sudo -u test4 sudo -n -u root echo true")

      with subtest("test5 user should be able to run commands under test1"):
          machine.succeed("sudo -u test5 sudo -n -u test1 true")

      with subtest("test5 user should not be able to run commands under root"):
          machine.fail("sudo -u test5 sudo -n -u root true 2>/dev/null")

      with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
          strict.succeed('faketty -- su - admin -c "sudo -u root true"')

      with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
          strict.fail('faketty -- su - noadmin -c "sudo --help"')
    '';
}