
Commit b1680bd

nixos/sudo-rs: use runTest to run the VM test
1 parent 4e17c95 commit b1680bd


2 files changed

+123
-126
lines changed


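--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -1051,7 +1051,7 @@ in {
 stub-ld = handleTestOn [ "x86_64-linux" "aarch64-linux" ] ./stub-ld.nix {};
 stunnel = handleTest ./stunnel.nix {};
 sudo = handleTest ./sudo.nix {};
-sudo-rs = handleTest ./sudo-rs.nix {};
+sudo-rs = runTest ./sudo-rs.nix;
 sunshine = handleTest ./sunshine.nix {};
 suricata = handleTest ./suricata.nix {};
 suwayomi-server = handleTest ./suwayomi-server.nix {};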

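--- a/nixos/tests/sudo-rs.nix
+++ b/nixos/tests/sudo-rs.nix
@@ -1,140 +1,138 @@
 # Some tests to ensure sudo is working properly.
 { pkgs, ... }:
 let
-inherit (pkgs.lib) mkIf optionalString;
 password = "helloworld";
 in
-import ./make-test-python.nix (
-{ lib, pkgs, ... }:
-{
-name = "sudo-rs";
-meta.maintainers = pkgs.sudo-rs.meta.maintainers;
-
-nodes.machine =
-{ lib, ... }:
-{
-environment.systemPackages = [ pkgs.faketty ];
-users.groups = {
-foobar = { };
-barfoo = { };
-baz = {
-gid = 1337;
-};
+{
+name = "sudo-rs";
+meta.maintainers = pkgs.sudo-rs.meta.maintainers;
+
+nodes.machine =
+{ lib, ... }:
+{
+environment.systemPackages = [ pkgs.faketty ];
+users.groups = {
+foobar = { };
+barfoo = { };
+baz = {
+gid = 1337;
 };
-users.users = {
-test0 = {
-isNormalUser = true;
-extraGroups = [ "wheel" ];
-};
-test1 = {
-isNormalUser = true;
-password = password;
-};
-test2 = {
-isNormalUser = true;
-extraGroups = [ "foobar" ];
-password = password;
-};
-test3 = {
-isNormalUser = true;
-extraGroups = [ "barfoo" ];
-};
-test4 = {
-isNormalUser = true;
-extraGroups = [ "baz" ];
-};
-test5 = {
-isNormalUser = true;
-};
+};
+users.users = {
+test0 = {
+isNormalUser = true;
+extraGroups = [ "wheel" ];
 };
-
-security.sudo-rs = {
-enable = true;
-wheelNeedsPassword = false;
-
-extraRules = [
-# SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
-# errors being detected by the visudo checks.
-
-# These should not create any entries
-{
-users = [ "notest1" ];
-commands = [ ];
-}
-{
-commands = [
-{
-command = "ALL";
-options = [ ];
-}
-];
-}
-
-# Test defining commands with the options syntax, though not setting any options
-{
-users = [ "notest2" ];
-commands = [
-{
-command = "ALL";
-options = [ ];
-}
-];
-}
-
-# CONFIGURATION FOR TEST CASES
-{
-users = [ "test1" ];
-groups = [ "foobar" ];
-commands = [ "ALL" ];
-}
-{
-groups = [
-"barfoo"
-1337
-];
-commands = [
-{
-command = "ALL";
-options = [ "NOPASSWD" ];
-}
-];
-}
-{
-users = [ "test5" ];
-commands = [
-{
-command = "ALL";
-options = [ "NOPASSWD" ];
-}
-];
-runAs = "test1:barfoo";
-}
-];
+test1 = {
+isNormalUser = true;
+password = password;
+};
+test2 = {
+isNormalUser = true;
+extraGroups = [ "foobar" ];
+password = password;
+};
+test3 = {
+isNormalUser = true;
+extraGroups = [ "barfoo" ];
+};
+test4 = {
+isNormalUser = true;
+extraGroups = [ "baz" ];
+};
+test5 = {
+isNormalUser = true;
 };
 };
 
-nodes.strict =
-{ ... }:
-{
-environment.systemPackages = [ pkgs.faketty ];
-users.users = {
-admin = {
-isNormalUser = true;
-extraGroups = [ "wheel" ];
-};
-noadmin = {
-isNormalUser = true;
-};
+security.sudo-rs = {
+enable = true;
+wheelNeedsPassword = false;
+
+extraRules = [
+# SUDOERS SYNTAX CHECK (Test whether the module produces a valid output;
+# errors being detected by the visudo checks.
+
+# These should not create any entries
+{
+users = [ "notest1" ];
+commands = [ ];
+}
+{
+commands = [
+{
+command = "ALL";
+options = [ ];
+}
+];
+}
+
+# Test defining commands with the options syntax, though not setting any options
+{
+users = [ "notest2" ];
+commands = [
+{
+command = "ALL";
+options = [ ];
+}
+];
+}
+
+# CONFIGURATION FOR TEST CASES
+{
+users = [ "test1" ];
+groups = [ "foobar" ];
+commands = [ "ALL" ];
+}
+{
+groups = [
+"barfoo"
+1337
+];
+commands = [
+{
+command = "ALL";
+options = [ "NOPASSWD" ];
+}
+];
+}
+{
+users = [ "test5" ];
+commands = [
+{
+command = "ALL";
+options = [ "NOPASSWD" ];
+}
+];
+runAs = "test1:barfoo";
+}
+];
+};
+};
+
+nodes.strict =
+{ ... }:
+{
+environment.systemPackages = [ pkgs.faketty ];
+users.users = {
+admin = {
+isNormalUser = true;
+extraGroups = [ "wheel" ];
 };
-
-security.sudo-rs = {
-enable = true;
-wheelNeedsPassword = false;
-execWheelOnly = true;
+noadmin = {
+isNormalUser = true;
 };
 };
 
-testScript = ''
+security.sudo-rs = {
+enable = true;
+wheelNeedsPassword = false;
+execWheelOnly = true;
+};
+};
+
+testScript = # python
+''
 with subtest("users in wheel group should have passwordless sudo"):
 machine.succeed('faketty -- su - test0 -c "sudo -u root true"')
 
@@ -165,5 +163,4 @@ import ./make-test-python.nix (
 with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
 strict.fail('faketty -- su - noadmin -c "sudo --help"')
 '';
-}
-)
+}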
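Review bot: `password = "helloworld";` and the `password = password;` assignments for test1 and test2 carry no comment marking the credential as test-only; NixOS's `users.users.<name>.password` option keeps the value in clear text in the world-readable Nix store, which is acceptable only inside a throwaway VM test. I would add above the `let` binding `# Test-only credential: users.users.<name>.password is stored in clear text in the Nix store; do not copy this pattern into a real configuration.` Separately, `nodes.machine` still takes `{ lib, ... }:` although nothing in its body, which is fully visible in this hunk, uses `lib`, so `{ ... }:` as in `nodes.strict` would be consistent. The test script between the two hunks is not shown, so this says nothing about the assertions themselves.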
