aboutsummaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorRobert Hensing <robert@roberthensing.nl>2023-02-07 16:36:10 +0100
committerRobert Hensing <robert@roberthensing.nl>2023-02-07 16:43:09 +0100
commit72b18f05a22f46f383e0476262dc363ac0318aa6 (patch)
tree84945b55f4161c6dbd4ffdd099fd6445723703ca /tests
parent895dfc656a21f6252ddf48df0d1f215effa04ecb (diff)
Add a basic daemon authorization test
Diffstat (limited to 'tests')
-rw-r--r--tests/nixos/authorization.nix79
1 files changed, 79 insertions, 0 deletions
diff --git a/tests/nixos/authorization.nix b/tests/nixos/authorization.nix
new file mode 100644
index 000000000..4b13ec65e
--- /dev/null
+++ b/tests/nixos/authorization.nix
@@ -0,0 +1,79 @@
+{
+ name = "authorization";
+
+ nodes.machine = {
+ virtualisation.writableStore = true;
+ # TODO add a test without allowed-users setting. allowed-users is uncommon among NixOS users.
+ nix.settings.allowed-users = ["alice" "bob"];
+ nix.settings.trusted-users = ["alice"];
+
+ users.users.alice.isNormalUser = true;
+ users.users.bob.isNormalUser = true;
+ users.users.mallory.isNormalUser = true;
+
+ nix.settings.experimental-features = "nix-command";
+ };
+
+ testScript =
+ let
+ pathFour = "/nix/store/20xfy868aiic0r0flgzq4n5dq1yvmxkn-four";
+ in
+ ''
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("""
+ exec 1>&2
+ echo kSELDhobKaF8/VdxIxdP7EQe+Q > one
+ diff $(nix store add-file one) one
+ """)
+ machine.succeed("""
+ su --login alice -c '
+ set -x
+ cd ~
+ echo ehHtmfuULXYyBV6NBk6QUi8iE0 > two
+ ls
+ diff $(echo $(nix store add-file two)) two' 1>&2
+ """)
+ machine.succeed("""
+ su --login bob -c '
+ set -x
+ cd ~
+ echo 0Jw8RNp7cK0W2AdNbcquofcOVk > three
+ diff $(nix store add-file three) three
+ ' 1>&2
+ """)
+
+ # We're going to check that a path is not created
+ machine.succeed("""
+ ! [[ -e ${pathFour} ]]
+ """)
+ machine.succeed("""
+ su --login mallory -c '
+ set -x
+ cd ~
+ echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four;
+ (! diff $(nix store add-file four) four 2>&1) | grep -F "cannot open connection to remote store"
+ (! diff $(nix store add-file four) four 2>&1) | grep -F "Connection reset by peer"
+ ! [[ -e ${pathFour} ]]
+ ' 1>&2
+ """)
+
+ # Check that the file _can_ be added, and matches the expected path we were checking
+ machine.succeed("""
+ exec 1>&2
+ echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four
+ four="$(nix store add-file four)"
+ diff $four four
+ diff <(echo $four) <(echo ${pathFour})
+ """)
+
+ machine.succeed("""
+ su --login alice -c 'nix-store --verify --repair'
+ """)
+
+ machine.succeed("""
+ set -x
+ su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
+ grep -F "you are not privileged to repair paths" diag
+ """)
+ '';
+}