aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
-rw-r--r--flake.nix2
-rw-r--r--tests/nixos/authorization.nix79
2 files changed, 81 insertions, 0 deletions
diff --git a/flake.nix b/flake.nix
index 0325f33b1..7f0b738f8 100644
--- a/flake.nix
+++ b/flake.nix
@@ -499,6 +499,8 @@
};
# System tests.
+ tests.authorization = runNixOSTestFor "x86_64-linux" ./tests/nixos/authorization.nix;
+
tests.remoteBuilds = runNixOSTestFor "x86_64-linux" ./tests/nixos/remote-builds.nix;
tests.nix-copy-closure = runNixOSTestFor "x86_64-linux" ./tests/nixos/nix-copy-closure.nix;
diff --git a/tests/nixos/authorization.nix b/tests/nixos/authorization.nix
new file mode 100644
index 000000000..7e8744dd9
--- /dev/null
+++ b/tests/nixos/authorization.nix
@@ -0,0 +1,79 @@
+{
+ name = "authorization";
+
+ nodes.machine = {
+ virtualisation.writableStore = true;
+ # TODO add a test without allowed-users setting. allowed-users is uncommon among NixOS users.
+ nix.settings.allowed-users = ["alice" "bob"];
+ nix.settings.trusted-users = ["alice"];
+
+ users.users.alice.isNormalUser = true;
+ users.users.bob.isNormalUser = true;
+ users.users.mallory.isNormalUser = true;
+
+ nix.settings.experimental-features = "nix-command";
+ };
+
+ testScript =
+ let
+ pathFour = "/nix/store/20xfy868aiic0r0flgzq4n5dq1yvmxkn-four";
+ in
+ ''
+ machine.wait_for_unit("multi-user.target")
+ machine.succeed("""
+ exec 1>&2
+ echo kSELDhobKaF8/VdxIxdP7EQe+Q > one
+ diff $(nix store add-file one) one
+ """)
+ machine.succeed("""
+ su --login alice -c '
+ set -x
+ cd ~
+ echo ehHtmfuULXYyBV6NBk6QUi8iE0 > two
+ ls
+ diff $(echo $(nix store add-file two)) two' 1>&2
+ """)
+ machine.succeed("""
+ su --login bob -c '
+ set -x
+ cd ~
+ echo 0Jw8RNp7cK0W2AdNbcquofcOVk > three
+ diff $(nix store add-file three) three
+ ' 1>&2
+ """)
+
+ # We're going to check that a path is not created
+ machine.succeed("""
+ ! [[ -e ${pathFour} ]]
+ """)
+ machine.succeed("""
+ su --login mallory -c '
+ set -x
+ cd ~
+ echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four;
+ (! nix store add-file four 2>&1) | grep -F "cannot open connection to remote store"
+ (! nix store add-file four 2>&1) | grep -F "Connection reset by peer"
+ ! [[ -e ${pathFour} ]]
+ ' 1>&2
+ """)
+
+ # Check that the file _can_ be added, and matches the expected path we were checking
+ machine.succeed("""
+ exec 1>&2
+ echo 5mgtDj0ohrWkT50TLR0f4tIIxY > four
+ four="$(nix store add-file four)"
+ diff $four four
+ diff <(echo $four) <(echo ${pathFour})
+ """)
+
+ machine.succeed("""
+ su --login alice -c 'nix-store --verify --repair'
+ """)
+
+ machine.succeed("""
+ set -x
+ su --login bob -c '(! nix-store --verify --repair 2>&1)' | tee diag 1>&2
+ grep -F "you are not privileged to repair paths" diag
+ """)
+ '';
+}