about summary refs log tree commit diff
path: root/nixos/tests/please.nix
blob: af825ae4b9b3c62d84a2d8aeb1777eba9a3efaaf (plain) (blame)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
import ./make-test-python.nix ({ lib, ... }:
{
  name = "please";
  meta.maintainers = with lib.maintainers; [ azahi ];

  nodes.machine =
    { ... }:
    {
      users.users = lib.mkMerge [
        (lib.listToAttrs (map
          (n: lib.nameValuePair n { isNormalUser = true; })
          (lib.genList (x: "user${toString x}") 6)))
        {
          user0.extraGroups = [ "wheel" ];
        }
      ];

      security.please = {
        enable = true;
        wheelNeedsPassword = false;
        settings = {
          user2_run_true_as_root = {
            name = "user2";
            target = "root";
            rule = "/run/current-system/sw/bin/true";
            require_pass = false;
          };
          user4_edit_etc_hosts_as_root = {
            name = "user4";
            type = "edit";
            target = "root";
            rule = "/etc/hosts";
            editmode = 644;
            require_pass = false;
          };
        };
      };
    };

  testScript = ''
    with subtest("root: can run anything by default"):
        machine.succeed('please true')
    with subtest("root: can edit anything by default"):
        machine.succeed('EDITOR=cat pleaseedit /etc/hosts')

    with subtest("user0: can run as root because it's in the wheel group"):
        machine.succeed('su - user0 -c "please -u root true"')
    with subtest("user1: cannot run as root because it's not in the wheel group"):
        machine.fail('su - user1 -c "please -u root true"')

    with subtest("user0: can edit as root"):
        machine.succeed('su - user0 -c "EDITOR=cat pleaseedit /etc/hosts"')
    with subtest("user1: cannot edit as root"):
        machine.fail('su - user1 -c "EDITOR=cat pleaseedit /etc/hosts"')

    with subtest("user2: can run 'true' as root"):
        machine.succeed('su - user2 -c "please -u root true"')
    with subtest("user3: cannot run 'true' as root"):
        machine.fail('su - user3 -c "please -u root true"')

    with subtest("user4: can edit /etc/hosts"):
        machine.succeed('su - user4 -c "EDITOR=cat pleaseedit /etc/hosts"')
    with subtest("user5: cannot edit /etc/hosts"):
        machine.fail('su - user5 -c "EDITOR=cat pleaseedit /etc/hosts"')
  '';
})