3
-
password = "foobarfoo";
4
-
newPass = "barfoobar";
2
+
username = "test-homed-user";
3
+
initialPassword = "foobarfoo";
4
+
newPassword = "barfoobar";
9
-
{ config, pkgs, ... }:
11
-
services.homed.enable = true;
13
-
users.users.test-normal-user = {
14
-
extraGroups = [ "wheel" ];
15
-
isNormalUser = true;
16
-
initialPassword = password;
15
+
homed.enable = true;
16
+
openssh.enable = true;
19
+
# Prevent nixbld users from showing up as regular users, required for
22
+
experimental-features = [ "auto-allocate-uids" ];
23
+
auto-allocate-uids = true;
20
-
def switchTTY(number):
21
-
machine.send_key(f"alt-f{number}")
22
-
machine.wait_until_succeeds(f"[ $(fgconsole) = {number} ]")
23
-
machine.wait_for_unit(f"getty@tty{number}.service")
24
-
machine.wait_until_succeeds(f"pgrep -f 'agetty.*tty{number}'")
26
-
machine.wait_for_unit("multi-user.target")
31
+
homed.enable = true;
32
+
userdbd.silenceHighSystemUsers = true;
28
-
# Smoke test to make sure the pam changes didn't break regular users.
29
-
machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
30
-
with subtest("login as regular user"):
32
-
machine.wait_until_tty_matches("2", "login: ")
33
-
machine.send_chars("test-normal-user\n")
34
-
machine.wait_until_tty_matches("2", "login: test-normal-user")
35
-
machine.wait_until_tty_matches("2", "Password: ")
36
-
machine.send_chars("${password}\n")
37
-
machine.wait_until_succeeds("pgrep -u test-normal-user bash")
38
-
machine.send_chars("whoami > /tmp/1\n")
39
-
machine.wait_for_file("/tmp/1")
40
-
assert "test-normal-user" in machine.succeed("cat /tmp/1")
35
+
# Regular user, should prevent first boot prompt
36
+
users.users.test-normal-user = {
37
+
extraGroups = [ "wheel" ];
38
+
isNormalUser = true;
39
+
inherit initialPassword;
42
-
with subtest("create homed encrypted user"):
43
-
# TODO: Figure out how to pass password manually.
45
-
# This environment variable is used for homed internal testing
46
-
# and is not documented.
47
-
machine.succeed("NEWPASSWORD=${password} homectl create --shell=/run/current-system/sw/bin/bash --storage=luks -G wheel test-homed-user")
47
+
with subtest("create systemd-homed user on first boot prompt"):
48
+
machine.wait_for_unit("systemd-homed.service")
49
+
machine.wait_until_tty_matches("1", "-- Press any key to proceed --")
50
+
machine.send_chars(" ")
51
+
machine.wait_until_tty_matches("1", "Please enter user name")
52
+
machine.send_chars("${username}\n")
53
+
machine.wait_until_tty_matches("1", "Please enter an auxiliary group")
54
+
machine.send_chars("wheel\n")
55
+
machine.wait_until_tty_matches("1", "Please enter an auxiliary group")
56
+
machine.send_chars("\n")
57
+
machine.wait_until_tty_matches("1", "Please enter the shell to use")
58
+
machine.send_chars("/bin/sh\n")
59
+
machine.wait_until_tty_matches("1", "Please enter new password")
60
+
machine.send_chars("${initialPassword}\n")
61
+
machine.wait_until_tty_matches("1", "(repeat)")
62
+
machine.send_chars("${initialPassword}\n")
with subtest("login as homed user"):
51
-
machine.wait_until_tty_matches("3", "login: ")
52
-
machine.send_chars("test-homed-user\n")
53
-
machine.wait_until_tty_matches("3", "login: test-homed-user")
54
-
machine.wait_until_tty_matches("3", "Password: ")
55
-
machine.send_chars("${password}\n")
56
-
machine.wait_until_succeeds("pgrep -t tty3 -u test-homed-user bash")
65
+
machine.wait_until_tty_matches("1", "login: ")
66
+
machine.send_chars("${username}\n")
67
+
machine.wait_until_tty_matches("1", "Password: ")
68
+
machine.send_chars("${initialPassword}\n")
69
+
machine.wait_until_succeeds("pgrep -u ${username} -t tty1 sh")
machine.send_chars("whoami > /tmp/2\n")
machine.wait_for_file("/tmp/2")
59
-
assert "test-homed-user" in machine.succeed("cat /tmp/2")
72
+
assert "${username}" in machine.succeed("cat /tmp/2")
74
+
# Smoke test to make sure the pam changes didn't break regular users.
75
+
# Since homed is also enabled in the sshClient, it also tests the first
76
+
# boot prompt did not occur.
77
+
with subtest("login as regular user"):
78
+
sshClient.wait_until_tty_matches("1", "login: ")
79
+
sshClient.send_chars("test-normal-user\n")
80
+
sshClient.wait_until_tty_matches("1", "Password: ")
81
+
sshClient.send_chars("${initialPassword}\n")
82
+
sshClient.wait_until_succeeds("pgrep -u test-normal-user bash")
83
+
sshClient.send_chars("whoami > /tmp/1\n")
84
+
sshClient.wait_for_file("/tmp/1")
85
+
assert "test-normal-user" in sshClient.succeed("cat /tmp/1")
87
+
with subtest("add homed ssh authorized key"):
88
+
sshClient.send_chars('ssh-keygen -t ed25519 -f /tmp/id_ed25519 -N ""\n')
89
+
sshClient.wait_for_file("/tmp/id_ed25519.pub")
90
+
public_key = sshClient.succeed('cat /tmp/id_ed25519.pub')
91
+
public_key = public_key.strip()
92
+
machine.succeed(f"homectl update ${username} --offline --ssh-authorized-keys '{public_key}'")
93
+
machine.succeed("userdbctl ssh-authorized-keys ${username} | grep ed25519")
with subtest("change homed user password"):
63
-
machine.wait_until_tty_matches("4", "login: ")
64
-
machine.send_chars("test-homed-user\n")
65
-
machine.wait_until_tty_matches("4", "login: test-homed-user")
66
-
machine.wait_until_tty_matches("4", "Password: ")
67
-
machine.send_chars("${password}\n")
68
-
machine.wait_until_succeeds("pgrep -t tty4 -u test-homed-user bash")
69
-
machine.send_chars("passwd\n")
96
+
machine.send_chars("passwd; echo $? > /tmp/3\n")
# homed does it in a weird order, it asks for new passes, then it asks
73
-
machine.send_chars("${newPass}\n")
75
-
machine.send_chars("${newPass}\n")
99
+
machine.wait_until_tty_matches("1", "New password: ")
100
+
machine.send_chars("${newPassword}\n")
101
+
machine.wait_until_tty_matches("1", "Retype new password: ")
102
+
machine.send_chars("${newPassword}\n")
103
+
#machine.wait_until_tty_matches("1", "Password: ")
77
-
machine.send_chars("${password}\n")
78
-
machine.wait_until_fails("pgrep -t tty4 passwd")
81
-
def not_logged_in_tty5():
82
-
machine.fail("pgrep -t tty5 bash")
105
+
machine.send_chars("${initialPassword}\n")
106
+
machine.wait_for_file("/tmp/3")
107
+
assert "0\n" == machine.succeed("cat /tmp/3")
85
-
with not_logged_in_tty5: # type: ignore[union-attr]
86
-
machine.wait_until_tty_matches("5", "login: ")
87
-
machine.send_chars("test-homed-user\n")
88
-
machine.wait_until_tty_matches("5", "login: test-homed-user")
89
-
machine.wait_until_tty_matches("5", "Password: ")
90
-
machine.send_chars("${password}\n")
91
-
machine.wait_until_tty_matches("5", "Password incorrect or not sufficient for authentication of user test-homed-user.")
92
-
machine.wait_until_tty_matches("5", "Sorry, try again: ")
93
-
machine.send_chars("${newPass}\n")
94
-
machine.send_chars("whoami > /tmp/4\n")
109
+
with subtest("escalate to root from homed user"):
110
+
# Also tests the user is in wheel.
111
+
machine.send_chars("sudo id | tee /tmp/4\n")
112
+
machine.wait_until_tty_matches("1", "password for ${username}")
113
+
machine.send_chars("${newPassword}\n")
machine.wait_for_file("/tmp/4")
96
-
assert "test-homed-user" in machine.succeed("cat /tmp/4")
115
+
machine.wait_until_succeeds("grep uid=0 /tmp/4")
98
-
with subtest("homed user should be in wheel according to NSS"):
99
-
machine.succeed("userdbctl group wheel -s io.systemd.NameServiceSwitch | grep test-homed-user")
117
+
with subtest("log out and deactivate homed user's home area"):
118
+
machine.send_chars("exit\n")
119
+
machine.wait_until_succeeds("homectl inspect ${username} | grep 'State: inactive'")
121
+
with subtest("ssh as homed user"):
122
+
sshClient.send_chars("ssh -o StrictHostKeyChecking=no -i /tmp/id_ed25519 ${username}@machine\n")
123
+
sshClient.wait_until_tty_matches("1", "Please enter password for user")
124
+
sshClient.send_chars("${newPassword}\n")
125
+
machine.wait_until_succeeds("pgrep -u ${username} sh")
126
+
sshClient.send_chars("whoami > /tmp/5\n")
127
+
machine.wait_for_file("/tmp/5")
128
+
assert "${username}" in machine.succeed("cat /tmp/5")
129
+
sshClient.send_chars("exit\n") # ssh
130
+
sshClient.send_chars("exit\n") # sh