diff options
author | Victor Engmark <victor@engmark.name> | 2021-11-27 21:04:28 +1300 |
---|---|---|
committer | Artturin <Artturin@artturin.com> | 2021-11-27 20:36:50 +0200 |
commit | 3b2e6e72faff6255230b17991eb545824b00630f (patch) | |
tree | 6880ce4bf2c8f2518c75835bb64ff59806cc9bb2 /nixos/tests/pam | |
parent | 595543a3149b64a809da8fb4fdabbd6800d29ad4 (diff) |
tests: Move all PAM tests into a separate directory
As per <https://github.com/NixOS/nixpkgs/pull/146467#issuecomment-972743535>.
Diffstat (limited to 'nixos/tests/pam')
-rw-r--r-- | nixos/tests/pam/pam-file-contents.nix (renamed from nixos/tests/pam/default.nix) | 0 | ||||
-rw-r--r-- | nixos/tests/pam/pam-oath-login.nix | 108 | ||||
-rw-r--r-- | nixos/tests/pam/pam-u2f.nix | 25 |
3 files changed, 133 insertions, 0 deletions
diff --git a/nixos/tests/pam/default.nix b/nixos/tests/pam/pam-file-contents.nix index 86c61003aeb6e..86c61003aeb6e 100644 --- a/nixos/tests/pam/default.nix +++ b/nixos/tests/pam/pam-file-contents.nix diff --git a/nixos/tests/pam/pam-oath-login.nix b/nixos/tests/pam/pam-oath-login.nix new file mode 100644 index 0000000000000..597596b211b11 --- /dev/null +++ b/nixos/tests/pam/pam-oath-login.nix @@ -0,0 +1,108 @@ +import ../make-test-python.nix ({ ... }: + +let + oathSnakeoilSecret = "cdd4083ef8ff1fa9178c6d46bfb1a3"; + + # With HOTP mode the password is calculated based on a counter of + # how many passwords have been made. In this env, we'll always be on + # the 0th counter, so the password is static. + # + # Generated in nix-shell -p oathToolkit + # via: oathtool -v -d6 -w10 cdd4083ef8ff1fa9178c6d46bfb1a3 + # and picking a the first 4: + oathSnakeOilPassword1 = "143349"; + oathSnakeOilPassword2 = "801753"; + + alicePassword = "foobar"; + # Generated via: mkpasswd -m sha-512 and passing in "foobar" + hashedAlicePassword = "$6$MsMrE1q.1HrCgTS$Vq2e/uILzYjSN836TobAyN9xh9oi7EmCmucnZID25qgPoibkw8qTCugiAPnn4eCGvn1A.7oEBFJaaGUaJsQQY."; + +in +{ + name = "pam-oath-login"; + + machine = + { ... }: + { + security.pam.oath = { + enable = true; + }; + + users.users.alice = { + isNormalUser = true; + name = "alice"; + uid = 1000; + hashedPassword = hashedAlicePassword; + extraGroups = [ "wheel" ]; + createHome = true; + home = "/home/alice"; + }; + + + systemd.services.setupOathSnakeoilFile = { + wantedBy = [ "default.target" ]; + before = [ "default.target" ]; + unitConfig = { + type = "oneshot"; + RemainAfterExit = true; + }; + script = '' + touch /etc/users.oath + chmod 600 /etc/users.oath + chown root /etc/users.oath + echo "HOTP/E/6 alice - ${oathSnakeoilSecret}" > /etc/users.oath + ''; + }; + }; + + testScript = '' + def switch_to_tty(tty_number): + machine.fail(f"pgrep -f 'agetty.*tty{tty_number}'") + machine.send_key(f"alt-f{tty_number}") + machine.wait_until_succeeds(f"[ $(fgconsole) = {tty_number} ]") + machine.wait_for_unit(f"getty@tty{tty_number}.service") + machine.wait_until_succeeds(f"pgrep -f 'agetty.*tty{tty_number}'") + + + def enter_user_alice(tty_number): + machine.wait_until_tty_matches(tty_number, "login: ") + machine.send_chars("alice\n") + machine.wait_until_tty_matches(tty_number, "login: alice") + machine.wait_until_succeeds("pgrep login") + machine.wait_until_tty_matches(tty_number, "One-time password") + + + machine.wait_for_unit("multi-user.target") + machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'") + machine.screenshot("postboot") + + with subtest("Invalid password"): + switch_to_tty(2) + enter_user_alice(2) + + machine.send_chars("${oathSnakeOilPassword1}\n") + machine.wait_until_tty_matches(2, "Password: ") + machine.send_chars("blorg\n") + machine.wait_until_tty_matches(2, "Login incorrect") + + with subtest("Invalid oath token"): + switch_to_tty(3) + enter_user_alice(3) + + machine.send_chars("000000\n") + machine.wait_until_tty_matches(3, "Login incorrect") + machine.wait_until_tty_matches(3, "login:") + + with subtest("Happy path: Both passwords are mandatory to get us in"): + switch_to_tty(4) + enter_user_alice(4) + + machine.send_chars("${oathSnakeOilPassword2}\n") + machine.wait_until_tty_matches(4, "Password: ") + machine.send_chars("${alicePassword}\n") + + machine.wait_until_succeeds("pgrep -u alice bash") + machine.send_chars("touch done4\n") + machine.wait_for_file("/home/alice/done4") + ''; +}) diff --git a/nixos/tests/pam/pam-u2f.nix b/nixos/tests/pam/pam-u2f.nix new file mode 100644 index 0000000000000..0ac6ac17be823 --- /dev/null +++ b/nixos/tests/pam/pam-u2f.nix @@ -0,0 +1,25 @@ +import ../make-test-python.nix ({ ... }: + +{ + name = "pam-u2f"; + + machine = + { ... }: + { + security.pam.u2f = { + control = "required"; + cue = true; + debug = true; + enable = true; + interactive = true; + }; + }; + + testScript = + '' + machine.wait_for_unit("multi-user.target") + machine.succeed( + 'egrep "auth required .*/lib/security/pam_u2f.so.*debug.*interactive.*cue" /etc/pam.d/ -R' + ) + ''; +}) |