-rw-r--r-- | nixos/modules/security/pam.nix | 3 | ||||
-rw-r--r-- | nixos/tests/all-tests.nix | 5 | ||||
-rw-r--r-- | nixos/tests/pam/pam-file-contents.nix | 25 | ||||
-rw-r--r-- | nixos/tests/pam/pam-oath-login.nix (renamed from nixos/tests/pam-oath-login.nix) | 2 | ||||
-rw-r--r-- | nixos/tests/pam/pam-u2f.nix (renamed from nixos/tests/pam-u2f.nix) | 2 | ||||
-rw-r--r-- | nixos/tests/pam/test_chfn.py | 27 |
6 files changed, 60 insertions, 4 deletions
diff --git a/nixos/modules/security/pam.nix b/nixos/modules/security/pam.nix
index 70bce783a90b..b03bf290fd23 100644
--- a/nixos/modules/security/pam.nix
+++ b/nixos/modules/security/pam.nix
@@ -401,6 +401,9 @@ let
 };
+ # The resulting /etc/pam.d/* file contents are verified in
+ # nixos/tests/pam/pam-file-contents.nix. Please update tests there when
+ # changing the derivation.
 config = {
 name = mkDefault name;
 setLoginUid = mkDefault cfg.startSession;
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
index b8219416dc42..5afe05c1b727 100644
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -343,8 +343,9 @@ in
 osrm-backend = handleTest ./osrm-backend.nix {};
 overlayfs = handleTest ./overlayfs.nix {};
 packagekit = handleTest ./packagekit.nix {};
- pam-oath-login = handleTest ./pam-oath-login.nix {};
- pam-u2f = handleTest ./pam-u2f.nix {};
+ pam-file-contents = handleTest ./pam/pam-file-contents.nix {};
+ pam-oath-login = handleTest ./pam/pam-oath-login.nix {};
+ pam-u2f = handleTest ./pam/pam-u2f.nix {};
 pantalaimon = handleTest ./matrix/pantalaimon.nix {};
 pantheon = handleTest ./pantheon.nix {};
 paperless-ng = handleTest ./paperless-ng.nix {};
diff --git a/nixos/tests/pam/pam-file-contents.nix b/nixos/tests/pam/pam-file-contents.nix
new file mode 100644
index 000000000000..86c61003aeb6
--- /dev/null
+++ b/nixos/tests/pam/pam-file-contents.nix
@@ -0,0 +1,25 @@
+let
+ name = "pam";
+in
+import ../make-test-python.nix ({ pkgs, ... }: {
+
+ nodes.machine = { ... }: {
+ imports = [ ../../modules/profiles/minimal.nix ];
+
+ krb5.enable = true;
+
+ users = {
+ mutableUsers = false;
+ users = {
+ user = {
+ isNormalUser = true;
+ };
+ };
+ };
+ };
+
+ testScript = builtins.replaceStrings
+ [ "@@pam_ccreds@@" "@@pam_krb5@@" ]
+ [ pkgs.pam_ccreds.outPath pkgs.pam_krb5.outPath ]
+ (builtins.readFile ./test_chfn.py);
+})
diff --git a/nixos/tests/pam-oath-login.nix b/nixos/tests/pam/pam-oath-login.nix
index 6d48199eda97..597596b211b1 100644
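Review bot: The `name = "pam";` binding in the `let` block of pam-file-contents.nix is never used: the attribute set handed to `make-test-python.nix` contains only `nodes.machine` and `testScript`, so the test is not given the intended name and falls back to whatever default the harness applies. Either add `inherit name;` as the first attribute of that set, or, better, set `name = "pam-file-contents";` so the test name matches the key registered in all-tests.nix, and drop the unused `let`. I would also add a one-line comment above `testScript` noting that the `@@pam_krb5@@`/`@@pam_ccreds@@` placeholders are replaced with store paths so that test_chfn.py can match the absolute module paths the pam module emits; the hunk is the whole file, so nothing is cut off.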
--- a/nixos/tests/pam-oath-login.nix
+++ b/nixos/tests/pam/pam-oath-login.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ ... }:
+import ../make-test-python.nix ({ ... }:
 let
 oathSnakeoilSecret = "cdd4083ef8ff1fa9178c6d46bfb1a3";
diff --git a/nixos/tests/pam-u2f.nix b/nixos/tests/pam/pam-u2f.nix
index f492baa9e139..0ac6ac17be82 100644
--- a/nixos/tests/pam-u2f.nix
+++ b/nixos/tests/pam/pam-u2f.nix
@@ -1,4 +1,4 @@
-import ./make-test-python.nix ({ ... }:
+import ../make-test-python.nix ({ ... }:
 {
 name = "pam-u2f";
diff --git a/nixos/tests/pam/test_chfn.py b/nixos/tests/pam/test_chfn.py
new file mode 100644
index 000000000000..b108a9423caf
--- /dev/null
+++ b/nixos/tests/pam/test_chfn.py
@@ -0,0 +1,27 @@
+expected_lines = {
+ "account required pam_unix.so",
+ "account sufficient @@pam_krb5@@/lib/security/pam_krb5.so",
+ "auth [default=die success=done] @@pam_ccreds@@/lib/security/pam_ccreds.so action=validate use_first_pass",
+ "auth [default=ignore success=1 service_err=reset] @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
+ "auth required pam_deny.so",
+ "auth sufficient @@pam_ccreds@@/lib/security/pam_ccreds.so action=store use_first_pass",
+ "auth sufficient pam_rootok.so",
+ "auth sufficient pam_unix.so likeauth try_first_pass",
+ "password sufficient @@pam_krb5@@/lib/security/pam_krb5.so use_first_pass",
+ "password sufficient pam_unix.so nullok sha512",
+ "session optional @@pam_krb5@@/lib/security/pam_krb5.so",
+ "session required pam_env.so conffile=/etc/pam/environment readenv=0",
+ "session required pam_unix.so",
+}
+actual_lines = set(machine.succeed("cat /etc/pam.d/chfn").splitlines())
+
+missing_lines = expected_lines - actual_lines
+extra_lines = actual_lines - expected_lines
+non_functional_lines = set([line for line in extra_lines if (line == "" or line.startswith("#"))])
+unexpected_functional_lines = extra_lines - non_functional_lines
+
+with subtest("All expected lines are in the file"):
+ assert not missing_lines, f"Missing lines: {missing_lines}"
+
+with subtest("All remaining lines are empty or comments"):
+ assert not unexpected_functional_lines, f"Unexpected lines: {unexpected_functional_lines}"
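Review bot: Comparing the file as a set on the `actual_lines = set(...)` line throws away the order of the PAM stack, and order is exactly what makes this configuration safe: `auth required pam_deny.so` only denies requests that the `sufficient` modules stacked above it did not already accept, and `success=1` in the pam_krb5 auth line is a positional jump over the next module, so a regression that reorders or duplicates these lines would pass both subtests unchanged. I would keep `expected_lines` as an ordered list in the order the generated file emits them (which I cannot confirm from this diff, since the set here is written alphabetically) and compare the ordered sequence of functional lines to it, which subsumes the separate missing/extra checks. The filter on the `non_functional_lines` line also treats only exactly-empty lines as blank; `line.strip()` would cover whitespace-only lines too, and a set comprehension reads better than `set([...])`.
```python
# expected_lines is an ordered list: one entry per functional line of
# /etc/pam.d/chfn in stack order, because module order is part of the
# security contract being tested (sufficient/required/jump semantics).
expected_lines = [
    # … the thirteen entries above, in the order the pam module writes them …
]
actual_lines = machine.succeed("cat /etc/pam.d/chfn").splitlines()
functional_lines = [line for line in actual_lines if line.strip() and not line.startswith("#")]

with subtest("PAM stack for chfn matches the expected lines, in order"):
    assert functional_lines == expected_lines, f"Expected {expected_lines}, got {functional_lines}"
```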