# NixOS VM test for systemd-homed: a homed user is created through the first
# boot prompt, logs in on tty1, receives an SSH authorized key, changes its
# password, escalates with sudo, logs out, and finally logs in over SSH from
# a second node.
let
  # Fixture credentials, used only inside the test VMs. initialPassword is
  # also the login password of test-normal-user on sshClient (see the
  # `inherit` below). The NixOS initialPassword option keeps the value in
  # plain text in the Nix store, so this pattern is for test fixtures only.
  username = "test-homed-user";
  initialPassword = "foobarfoo";
  newPassword = "barfoobar";
in

{
  name = "systemd-homed";

  nodes = {
    # Node on which the homed user is created and exercised.
    machine =
      { ... }:
      {
        services = {
          homed.enable = true;
          # sshd is needed because the "ssh as homed user" subtest logs in to
          # this node.
          openssh.enable = true;
        };

        # Prevent nixbld users from showing up as regular users, required for
        # first boot prompt
        nix.settings = {
          experimental-features = [ "auto-allocate-uids" ];
          auto-allocate-uids = true;
        };
      };

    # Second node: checks that a regular user still works with homed enabled,
    # and acts as the SSH client.
    sshClient =
      { pkgs, ... }:
      {
        services = {
          homed.enable = true;
          # NOTE(review): presumably hides high-numbered system users from
          # userdb listings -- confirm against the option's documentation.
          userdbd.silenceHighSystemUsers = true;
        };

        # Regular user, should prevent first boot prompt
        users.users.test-normal-user = {
          extraGroups = [ "wheel" ];
          isNormalUser = true;
          inherit initialPassword;
        };
      };
  };

  # Python script for the NixOS test driver. Notes on the security-relevant
  # steps, by subtest name:
  #
  # "create systemd-homed user on first boot prompt"
  #   Answers the interactive prompt on tty1: user name, auxiliary group
  #   "wheel", shell /bin/sh, and the initial password entered twice.
  #
  # "add homed ssh authorized key"
  #   The key pair is generated on sshClient with an empty passphrase
  #   (-N "") under /tmp; only the public half is copied to machine. It is
  #   stored in the user record with `homectl update --offline
  #   --ssh-authorized-keys` and read back with
  #   `userdbctl ssh-authorized-keys`.
  #
  # "change homed user password"
  #   The script sends the new password twice and the old password last.
  #   The wait for the old-password prompt is commented out and replaced by
  #   a fixed 4 second sleep, so this step is timing-dependent.
  #   NOTE(review): confirm why the prompt match was disabled.
  #
  # "escalate to root from homed user"
  #   `sudo id` must report uid=0 after the new password is entered; this
  #   covers both the password change and the wheel membership.
  #
  # "log out and deactivate homed user's home area"
  #   Waits until `homectl inspect` reports "State: inactive" after logout.
  #
  # "ssh as homed user"
  #   StrictHostKeyChecking=no turns off host key verification; the target
  #   is another VM of the same test, and the setting should not be reused
  #   outside such an environment. After the key is offered, the script
  #   still waits for "Please enter password for user" and sends the new
  #   password, so the login uses the key and the account password.
  #   NOTE(review): presumably the password is what reactivates the
  #   inactive home area -- confirm.
  testScript = ''
    start_all()

    with subtest("create systemd-homed user on first boot prompt"):
      machine.wait_for_unit("systemd-homed.service")
      machine.wait_until_tty_matches("1", "-- Press any key to proceed --")
      machine.send_chars(" ")
      machine.wait_until_tty_matches("1", "Please enter user name")
      machine.send_chars("${username}\n")
      machine.wait_until_tty_matches("1", "Please enter an auxiliary group")
      machine.send_chars("wheel\n")
      machine.wait_until_tty_matches("1", "Please enter an auxiliary group")
      machine.send_chars("\n")
      machine.wait_until_tty_matches("1", "Please enter the shell to use")
      machine.send_chars("/bin/sh\n")
      machine.wait_until_tty_matches("1", "Please enter new password")
      machine.send_chars("${initialPassword}\n")
      machine.wait_until_tty_matches("1", "(repeat)")
      machine.send_chars("${initialPassword}\n")

    with subtest("login as homed user"):
      machine.wait_until_tty_matches("1", "login: ")
      machine.send_chars("${username}\n")
      machine.wait_until_tty_matches("1", "Password: ")
      machine.send_chars("${initialPassword}\n")
      machine.wait_until_succeeds("pgrep -u ${username} -t tty1 sh")
      machine.send_chars("whoami > /tmp/2\n")
      machine.wait_for_file("/tmp/2")
      assert "${username}" in machine.succeed("cat /tmp/2")

    # Smoke test to make sure the pam changes didn't break regular users.
    # Since homed is also enabled in the sshClient, it also tests the first
    # boot prompt did not occur.
    with subtest("login as regular user"):
      sshClient.wait_until_tty_matches("1", "login: ")
      sshClient.send_chars("test-normal-user\n")
      sshClient.wait_until_tty_matches("1", "Password: ")
      sshClient.send_chars("${initialPassword}\n")
      sshClient.wait_until_succeeds("pgrep -u test-normal-user bash")
      sshClient.send_chars("whoami > /tmp/1\n")
      sshClient.wait_for_file("/tmp/1")
      assert "test-normal-user" in sshClient.succeed("cat /tmp/1")

    with subtest("add homed ssh authorized key"):
      sshClient.send_chars('ssh-keygen -t ed25519 -f /tmp/id_ed25519 -N ""\n')
      sshClient.wait_for_file("/tmp/id_ed25519.pub")
      public_key = sshClient.succeed('cat /tmp/id_ed25519.pub')
      public_key = public_key.strip()
      machine.succeed(f"homectl update ${username} --offline --ssh-authorized-keys '{public_key}'")
      machine.succeed("userdbctl ssh-authorized-keys ${username} | grep ed25519")

    with subtest("change homed user password"):
      machine.send_chars("passwd; echo $? > /tmp/3\n")
      # homed does it in a weird order, it asks for new passes, then it asks
      # for the old one.
      machine.wait_until_tty_matches("1", "New password: ")
      machine.send_chars("${newPassword}\n")
      machine.wait_until_tty_matches("1", "Retype new password: ")
      machine.send_chars("${newPassword}\n")
      #machine.wait_until_tty_matches("1", "Password: ")
      machine.sleep(4)
      machine.send_chars("${initialPassword}\n")
      machine.wait_for_file("/tmp/3")
      assert "0\n" == machine.succeed("cat /tmp/3")

    with subtest("escalate to root from homed user"):
      # Also tests the user is in wheel.
      machine.send_chars("sudo id | tee /tmp/4\n")
      machine.wait_until_tty_matches("1", "password for ${username}")
      machine.send_chars("${newPassword}\n")
      machine.wait_for_file("/tmp/4")
      machine.wait_until_succeeds("grep uid=0 /tmp/4")

    with subtest("log out and deactivate homed user's home area"):
      machine.send_chars("exit\n")
      machine.wait_until_succeeds("homectl inspect ${username} | grep 'State: inactive'")

    with subtest("ssh as homed user"):
      sshClient.send_chars("ssh -o StrictHostKeyChecking=no -i /tmp/id_ed25519 ${username}@machine\n")
      sshClient.wait_until_tty_matches("1", "Please enter password for user")
      sshClient.send_chars("${newPassword}\n")
      machine.wait_until_succeeds("pgrep -u ${username} sh")
      sshClient.send_chars("whoami > /tmp/5\n")
      machine.wait_for_file("/tmp/5")
      assert "${username}" in machine.succeed("cat /tmp/5")
      sshClient.send_chars("exit\n") # ssh
      sshClient.send_chars("exit\n") # sh
  '';
}