Add a basic daemon authorization test
This commit is contained in:
parent
895dfc656a
commit
72b18f05a2
2 changed files with 81 additions and 0 deletions
|
@ -499,6 +499,8 @@
|
|||
};
|
||||
|
||||
# System tests.
|
||||
tests.authorization = runNixOSTestFor "x86_64-linux" ./tests/nixos/authorization.nix;
|
||||
|
||||
tests.remoteBuilds = runNixOSTestFor "x86_64-linux" ./tests/nixos/remote-builds.nix;
|
||||
|
||||
tests.nix-copy-closure = runNixOSTestFor "x86_64-linux" ./tests/nixos/nix-copy-closure.nix;
|
||||
|
|
79
tests/nixos/authorization.nix
Normal file
79
tests/nixos/authorization.nix
Normal file
|
@ -0,0 +1,79 @@
|
|||
{
|
||||
name = "authorization";
|
||||
|
||||
nodes.machine = {
|
||||
virtualisation.writableStore = true;
|
||||
# TODO add a test without allowed-users setting. allowed-users is uncommon among NixOS users.
|
||||
nix.settings.allowed-users = ["alice" "bob"];
|
||||
nix.settings.trusted-users = ["alice"];
|
||||
|
||||
users.users.alice.isNormalUser = true;
|
||||
users.users.bob.isNormalUser = true;
|
||||
users.users.mallory.isNormalUser = true;
|
||||
|
||||
nix.settings.experimental-features = "nix-command";
|
||||
};
|
||||
|
||||
testScript =
|
||||
let
|
||||
pathFour = "/nix/store/20xfy868aiic0r0flgzq4n5dq1yvmxkn-four";
|
||||
in
|
||||
''
|
||||
machine.wait_for_unit("multi-user.target")
|
||||
machine.succeed("""
|
||||
exec 1>&2
|
||||
echo kSELDhobKaF8/VdxIxdP7EQe+Q > one
|
||||
diff $(nix store add-file one) one
|
||||
""")
|
||||
machine.succeed("""
|
||||
su --login alice -c '
|
||||
set -x
|
||||
cd ~
|
||||
echo ehHtmfuULXYyBV6NBk6QUi8iE0 > two
|
||||
ls
|
||||
diff $(echo $(nix store add-file two)) two' 1>&2
|
||||
""")
|
||||
machine.succeed("""
|
||||
su --login bob -c '
|
||||
set -x
|
||||
cd ~
|
||||
echo 0Jw8RNp7cK0W2AdNbcquofcOVk > three
|
||||
diff $(nix store add-file three) three
|
||||
' 1>&2
|
||||
""")
|
||||
|
||||
# We're going to check that a path is not created
|
||||
machine.succeed("""
|
||||
! [[ -e ${pathFour} ]]
|
||||
""")
|
||||
machine.succeed("""
|
||||
su --login mallory -c '
|
||||
set -x
|
||||
cd ~
|
||||
echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four;
|
||||
(! diff $(nix store add-file four) four 2>&1) | grep -F "cannot open connection to remote store"
|
||||
(! diff $(nix store add-file four) four 2>&1) | grep -F "Connection reset by peer"
|
||||
! [[ -e ${pathFour} ]]
|
||||
' 1>&2
|
||||
""")
|
||||
|
||||
# Check that the file _can_ be added, and matches the expected path we were checking
|
||||
machine.succeed("""
|
||||
exec 1>&2
|
||||
echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four
|
||||
four="$(nix store add-file four)"
|
||||
diff $four four
|
||||
diff <(echo $four) <(echo ${pathFour})
|
||||
""")
|
||||
|
||||
machine.succeed("""
|
||||
su --login alice -c 'nix-store --verify --repair'
|
||||
""")
|
||||
|
||||
machine.succeed("""
|
||||
set -x
|
||||
su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
|
||||
grep -F "you are not privileged to repair paths" diag
|
||||
""")
|
||||
'';
|
||||
}
|
Loading…
Reference in a new issue