authorArtturi <Artturin@artturin.com>2021-11-27 22:32:46 +0200
committerGitHub <noreply@github.com>2021-11-27 22:32:46 +0200
commit16eb003524804f7c6d6f522a238e8ab2557eedf9 (patch)
tree7b12fef2502ff22aab20d3a3b672a6e06b4411a5 /nixos
parent9c191ebcdfe917043195c54ab6ae8e934434fe7b (diff)
parentdcb941f3ede938c01b82ea6be4aa148eb479a413 (diff)
Merge pull request #146467 from l0b0/test-pam-d-generation
Diffstat (limited to 'nixos')
-rw-r--r--nixos/modules/security/pam.nix3
-rw-r--r--nixos/tests/all-tests.nix5
-rw-r--r--nixos/tests/pam/pam-file-contents.nix25
-rw-r--r--nixos/tests/pam/pam-oath-login.nix (renamed from nixos/tests/pam-oath-login.nix)2
-rw-r--r--nixos/tests/pam/pam-u2f.nix (renamed from nixos/tests/pam-u2f.nix)2
-rw-r--r--nixos/tests/pam/test_chfn.py27
6 files changed, 60 insertions, 4 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 70bce783a90b..b03bf290fd23 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -401,6 +401,9 @@ let
 
     };
 
+    # The resulting /etc/pam.d/* file contents are verified in
+    # nixos/tests/pam/pam-file-contents.nix. Please update tests there when
+    # changing the derivation.
     config = {
       name = mkDefault name;
       setLoginUid = mkDefault cfg.startSession;
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index b8219416dc42..5afe05c1b727 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -343,8 +343,9 @@ in
   osrm-backend = handleTest ./osrm-backend.nix {};
   overlayfs = handleTest ./overlayfs.nix {};
   packagekit = handleTest ./packagekit.nix {};
-  pam-oath-login = handleTest ./pam-oath-login.nix {};
-  pam-u2f = handleTest ./pam-u2f.nix {};
+  pam-file-contents = handleTest ./pam/pam-file-contents.nix {};
+  pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
+  pam-u2f = handleTest ./pam/pam-u2f.nix {};
   pantalaimon = handleTest ./matrix/pantalaimon.nix {};
   pantheon = handleTest ./pantheon.nix {};
   paperless-ng = handleTest ./paperless-ng.nix {};
diff --git a/nixos/tests/pam/pam-file-contents.nix b/nixos/tests/pam/pam-file-contents.nix
new file mode 100644
index 000000000000..86c61003aeb6
--- /dev/null
+++ b/nixos/tests/pam/pam-file-contents.nix
@@ -0,0 +1,25 @@
+let
+  name = "pam";
+in
+import ../make-test-python.nix ({ pkgs, ... }: {
+
+  nodes.machine = { ... }: {
+    imports = [ ../../modules/profiles/minimal.nix ];
+
+    krb5.enable = true;
+
+    users = {
+      mutableUsers = false;
+      users = {
+        user = {
+          isNormalUser = true;
+        };
+      };
+    };
+  };
+
+  testScript = builtins.replaceStrings
+    [ "@@pam_ccreds@@" "@@pam_krb5@@" ]
+    [ pkgs.pam_ccreds.outPath pkgs.pam_krb5.outPath ]
+    (builtins.readFile ./test_chfn.py);
+})
diff --git a/nixos/tests/pam-oath-login.nix b/nixos/tests/pam/pam-oath-login.nix
index 6d48199eda97..597596b211b1 100644
--- a/nixos/tests/pam-oath-login.nix
+++ b/nixos/tests/pam/pam-oath-login.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ ... }:
+import ../make-test-python.nix ({ ... }:
 
 let
   oathSnakeoilSecret = "cdd4083ef8ff1fa9178c6d46bfb1a3";
diff --git a/nixos/tests/pam-u2f.nix b/nixos/tests/pam/pam-u2f.nix
index f492baa9e139..0ac6ac17be82 100644
--- a/nixos/tests/pam-u2f.nix
+++ b/nixos/tests/pam/pam-u2f.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ ... }:
+import ../make-test-python.nix ({ ... }:
 
 {
   name = "pam-u2f";
diff --git a/nixos/tests/pam/test_chfn.py b/nixos/tests/pam/test_chfn.py
new file mode 100644
index 000000000000..b108a9423caf
--- /dev/null
+++ b/nixos/tests/pam/test_chfn.py
@@ -0,0 +1,27 @@
+expected_lines = {
+    "account required pam_unix.so",
+    "account sufficient @@pam_krb5@@/lib/security/pam_krb5.so",
+    "auth [default=die success=done] @@pam_ccreds@@/lib/security/pam_ccreds.so action=validate use_first_pass",
+    "auth [default=ignore success=1 service_err=reset] @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
+    "auth required pam_deny.so",
+    "auth sufficient @@pam_ccreds@@/lib/security/pam_ccreds.so action=store use_first_pass",
+    "auth sufficient pam_rootok.so",
+    "auth sufficient pam_unix.so   likeauth try_first_pass",
+    "password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
+    "password sufficient pam_unix.so nullok sha512",
+    "session optional @@pam_krb5@@/lib/security/pam_krb5.so",
+    "session required pam_env.so conffile=/etc/pam/environment readenv=0",
+    "session required pam_unix.so",
+}
+actual_lines = set(machine.succeed("cat /etc/pam.d/chfn").splitlines())
+
+missing_lines = expected_lines - actual_lines
+extra_lines = actual_lines - expected_lines
+non_functional_lines = set([line for line in extra_lines if (line == "" or line.startswith("#"))])
+unexpected_functional_lines = extra_lines - non_functional_lines
+
+with subtest("All expected lines are in the file"):
+    assert not missing_lines, f"Missing lines: {missing_lines}"
+
+with subtest("All remaining lines are empty or comments"):
+    assert not unexpected_functional_lines, f"Unexpected lines: {unexpected_functional_lines}"
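Review bot: Comparing `expected_lines` and `actual_lines` as sets means the test cannot detect a reordering of the PAM stack, yet for PAM the order is the semantics: `auth required pam_deny.so` moving above `pam_unix.so` would lock everyone out, and the `success=1` jump on the `pam_krb5.so` auth line skips whichever module happens to follow it, so a reorder changes which module is bypassed without any line being added or removed. Sets also collapse duplicate lines, so a duplicated `sufficient` entry would go unnoticed. Since the stated goal of this test is to pin the generated file contents, I would compare the ordered list of functional lines instead; this also replaces the `set([...])` comprehension on the non_functional_lines line with a plain filter. Whitespace-only lines are currently counted as "unexpected functional" because only `line == ""` is excluded; filtering on `line.strip()` covers them.
```python
expected_lines = [
    # … unchanged: the same thirteen PAM lines, now in the order the module emits them …
]
actual_lines = [
    line
    for line in machine.succeed("cat /etc/pam.d/chfn").splitlines()
    if line.strip() and not line.startswith("#")
]

with subtest("Functional lines match the expected PAM stack, in order"):
    assert actual_lines == expected_lines, (
        f"Missing: {set(expected_lines) - set(actual_lines)}; "
        f"unexpected: {set(actual_lines) - set(expected_lines)}; "
        f"actual order: {actual_lines}"
    )
```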