nixos/test/sssd-ldap: make tests actually check login, password change

2023-05-09 13:46:17 +03:00 · 2023-05-09 13:46:17 +03:00 · 20d707c8c4
commit 20d707c8c4
parent e2d538fead
1 changed files with 148 additions and 79 deletions
--- a/nixos/tests/sssd-ldap.nix
+++ b/nixos/tests/sssd-ldap.nix
@ -6,96 +6,165 @@ let
  ldapRootPassword = "foobar";
  testUser = "alice";
-in import ./make-test-python.nix ({pkgs, ...}: {
+  testPassword = "foobar";
-  name = "sssd-ldap";
+  testNewPassword = "barfoo";
 in
  import ./make-test-python.nix ({pkgs, ...}: {
    name = "sssd-ldap";
-  meta = with pkgs.lib.maintainers; {
+    meta = with pkgs.lib.maintainers; {
-    maintainers = [ bbigras ];
+      maintainers = [bbigras];
-  };
+    };
-  nodes.machine = { pkgs, ... }: {
+    nodes.machine = {pkgs, ...}: {
-    services.openldap = {
+      security.pam.services.systemd-user.makeHomeDir = true;
-      enable = true;
+      environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
-      settings = {
+      environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
-        children = {
+      services.openldap = {
-          "cn=schema".includes = [
+        enable = true;
-            "${pkgs.openldap}/etc/schema/core.ldif"
+        urlList = [ "ldap:///" "ldaps:///" ];
-            "${pkgs.openldap}/etc/schema/cosine.ldif"
+        settings = {
-            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+          attrs = {
-            "${pkgs.openldap}/etc/schema/nis.ldif"
+            olcLogLevel = "conns config";
-          ];
+            olcTLSCACertificateFile = "/etc/cert.pem";
-          "olcDatabase={1}mdb" = {
+            olcTLSCertificateFile = "/etc/cert.pem";
-            attrs = {
+            olcTLSCertificateKeyFile = "/etc/key.pem";
-              objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
+            olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
-              olcDatabase = "{1}mdb";
+            olcTLSCRLCheck = "none";
-              olcDbDirectory = "/var/lib/openldap/db";
+            olcTLSVerifyClient = "never";
-              olcSuffix = dbSuffix;
+            olcTLSProtocolMin = "3.1";
-              olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
+          };
-              olcRootPW = ldapRootPassword;
+          children = {
            "cn=schema".includes = [
              "${pkgs.openldap}/etc/schema/core.ldif"
              "${pkgs.openldap}/etc/schema/cosine.ldif"
              "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
              "${pkgs.openldap}/etc/schema/nis.ldif"
            ];
            "olcDatabase={1}mdb" = {
              attrs = {
                objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
                olcDatabase = "{1}mdb";
                olcDbDirectory = "/var/lib/openldap/db";
                olcSuffix = dbSuffix;
                olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
                olcRootPW = ldapRootPassword;
                olcAccess = [
                  /*
                  custom access rules for userPassword attributes
                  */
                  ''
                    {0}to attrs=userPassword
                                      by self write
                                      by anonymous auth
                                      by * none''
                  /*
                  allow read on anything else
                  */
                  ''
                    {1}to *
                                      by * read''
                ];
              };
            };
          };
        };
        declarativeContents = {
          ${dbSuffix} = ''
            dn: ${dbSuffix}
            objectClass: top
            objectClass: dcObject
            objectClass: organization
            o: ${dbDomain}
            dn: ou=posix,${dbSuffix}
            objectClass: top
            objectClass: organizationalUnit
            dn: ou=accounts,ou=posix,${dbSuffix}
            objectClass: top
            objectClass: organizationalUnit
            dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
            objectClass: person
            objectClass: posixAccount
            userPassword: ${testPassword}
            homeDirectory: /home/${testUser}
            uidNumber: 1234
            gidNumber: 1234
            cn: ""
            sn: ""
          '';
        };
      };
      declarativeContents = {
        ${dbSuffix} = ''
          dn: ${dbSuffix}
          objectClass: top
          objectClass: dcObject
          objectClass: organization
          o: ${dbDomain}
-          dn: ou=posix,${dbSuffix}
+      services.sssd = {
-          objectClass: top
+        enable = true;
-          objectClass: organizationalUnit
+        # just for testing purposes, don't put this into the Nix store in production!
        environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
        config = ''
          [sssd]
          config_file_version = 2
          services = nss, pam, sudo
          domains = ${dbDomain}
-          dn: ou=accounts,ou=posix,${dbSuffix}
+          [domain/${dbDomain}]
-          objectClass: top
+          auth_provider = ldap
-          objectClass: organizationalUnit
+          id_provider = ldap
-
+          ldap_uri = ldaps://127.0.0.1:636
-          dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
+          ldap_tls_reqcert = allow
-          objectClass: person
+          ldap_tls_cacert = /etc/cert.pem
-          objectClass: posixAccount
+          ldap_search_base = ${dbSuffix}
-          # userPassword: somePasswordHash
+          ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
-          homeDirectory: /home/${testUser}
+          ldap_default_authtok_type = password
-          uidNumber: 1234
+          ldap_default_authtok = $LDAP_BIND_PW
          gidNumber: 1234
          cn: ""
          sn: ""
        '';
      };
    };
-    services.sssd = {
+    testScript = ''
-      enable = true;
+      machine.start()
-      # just for testing purposes, don't put this into the Nix store in production!
+      machine.wait_for_unit("openldap.service")
-      environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
+      machine.wait_for_unit("sssd.service")
-      config = ''
+      result = machine.execute("getent passwd ${testUser}")
-        [sssd]
+      if result[0] == 0:
-        config_file_version = 2
+        assert "${testUser}" in result[1]
-        services = nss, pam, sudo
+      else:
-        domains = ${dbDomain}
+        machine.wait_for_console_text("Backend is online")
        machine.succeed("getent passwd ${testUser}")
-        [domain/${dbDomain}]
+      with subtest("Log in as ${testUser}"):
-        auth_provider = ldap
+          machine.wait_until_tty_matches("1", "login: ")
-        id_provider = ldap
+          machine.send_chars("${testUser}\n")
-        ldap_uri = ldap://127.0.0.1:389
+          machine.wait_until_tty_matches("1", "login: ${testUser}")
-        ldap_search_base = ${dbSuffix}
+          machine.wait_until_succeeds("pgrep login")
-        ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
+          machine.wait_until_tty_matches("1", "Password: ")
-        ldap_default_authtok_type = password
+          machine.send_chars("${testPassword}\n")
-        ldap_default_authtok = $LDAP_BIND_PW
+          machine.wait_until_succeeds("pgrep -u ${testUser} bash")
-      '';
+          machine.send_chars("touch done\n")
-    };
+          machine.wait_for_file("/home/${testUser}/done")
  };
-  testScript = ''
+      with subtest("Change ${testUser}'s password"):
-    machine.start()
+          machine.send_chars("passwd\n")
-    machine.wait_for_unit("openldap.service")
+          machine.wait_until_tty_matches("1", "Current Password: ")
-    machine.wait_for_unit("sssd.service")
+          machine.send_chars("${testPassword}\n")
-    result = machine.execute("getent passwd ${testUser}")
+          machine.wait_until_tty_matches("1", "New Password: ")
-    if result[0] == 0:
+          machine.send_chars("${testNewPassword}\n")
-      assert "${testUser}" in result[1]
+          machine.wait_until_tty_matches("1", "Reenter new Password: ")
-    else:
+          machine.send_chars("${testNewPassword}\n")
-      machine.wait_for_console_text("Backend is online")
+          machine.wait_until_tty_matches("1", "passwd: password updated successfully")
-      machine.succeed("getent passwd ${testUser}")
+          machine.send_chars("exit\n")
-  '';
+
-})
+      with subtest("Log in as ${testUser} with new password"):
          machine.wait_until_tty_matches("1", "login: ")
          machine.send_chars("${testUser}\n")
          machine.wait_until_tty_matches("1", "login: ${testUser}")
          machine.wait_until_succeeds("pgrep login")
          machine.wait_until_tty_matches("1", "Password: ")
          machine.send_chars("${testNewPassword}\n")
          machine.wait_until_succeeds("pgrep -u ${testUser} bash")
          machine.send_chars("touch done2\n")
          machine.wait_for_file("/home/${testUser}/done2")
    '';
  })