nixos/test/sssd-ldap: nixpkgs-fmt

nixos/tests/sssd-ldap.nix

@@ -9,162 +9,162 @@ let
   testPassword = "foobar";
   testNewPassword = "barfoo";
 in
-  import ./make-test-python.nix ({pkgs, ...}: {
+import ./make-test-python.nix ({ pkgs, ... }: {
-    name = "sssd-ldap";
+  name = "sssd-ldap";
 
-    meta = with pkgs.lib.maintainers; {
+  meta = with pkgs.lib.maintainers; {
-      maintainers = [bbigras];
+    maintainers = [ bbigras ];
-    };
+  };
 
-    nodes.machine = {pkgs, ...}: {
+  nodes.machine = { pkgs, ... }: {
-      security.pam.services.systemd-user.makeHomeDir = true;
+    security.pam.services.systemd-user.makeHomeDir = true;
-      environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
+    environment.etc."cert.pem".text = builtins.readFile ./common/acme/server/acme.test.cert.pem;
-      environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
+    environment.etc."key.pem".text = builtins.readFile ./common/acme/server/acme.test.key.pem;
-      services.openldap = {
+    services.openldap = {
-        enable = true;
+      enable = true;
-        urlList = [ "ldap:///" "ldaps:///" ];
+      urlList = [ "ldap:///" "ldaps:///" ];
-        settings = {
+      settings = {
-          attrs = {
+        attrs = {
-            olcLogLevel = "conns config";
+          olcLogLevel = "conns config";
-            olcTLSCACertificateFile = "/etc/cert.pem";
+          olcTLSCACertificateFile = "/etc/cert.pem";
-            olcTLSCertificateFile = "/etc/cert.pem";
+          olcTLSCertificateFile = "/etc/cert.pem";
-            olcTLSCertificateKeyFile = "/etc/key.pem";
+          olcTLSCertificateKeyFile = "/etc/key.pem";
-            olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
+          olcTLSCipherSuite = "HIGH:MEDIUM:+3DES:+RC4:+aNULL";
-            olcTLSCRLCheck = "none";
+          olcTLSCRLCheck = "none";
-            olcTLSVerifyClient = "never";
+          olcTLSVerifyClient = "never";
-            olcTLSProtocolMin = "3.1";
+          olcTLSProtocolMin = "3.1";
-          };
+        };
-          children = {
+        children = {
-            "cn=schema".includes = [
+          "cn=schema".includes = [
-              "${pkgs.openldap}/etc/schema/core.ldif"
+            "${pkgs.openldap}/etc/schema/core.ldif"
-              "${pkgs.openldap}/etc/schema/cosine.ldif"
+            "${pkgs.openldap}/etc/schema/cosine.ldif"
-              "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
+            "${pkgs.openldap}/etc/schema/inetorgperson.ldif"
-              "${pkgs.openldap}/etc/schema/nis.ldif"
+            "${pkgs.openldap}/etc/schema/nis.ldif"
-            ];
+          ];
-            "olcDatabase={1}mdb" = {
+          "olcDatabase={1}mdb" = {
-              attrs = {
+            attrs = {
-                objectClass = ["olcDatabaseConfig" "olcMdbConfig"];
+              objectClass = [ "olcDatabaseConfig" "olcMdbConfig" ];
-                olcDatabase = "{1}mdb";
+              olcDatabase = "{1}mdb";
-                olcDbDirectory = "/var/lib/openldap/db";
+              olcDbDirectory = "/var/lib/openldap/db";
-                olcSuffix = dbSuffix;
+              olcSuffix = dbSuffix;
-                olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
+              olcRootDN = "cn=${ldapRootUser},${dbSuffix}";
-                olcRootPW = ldapRootPassword;
+              olcRootPW = ldapRootPassword;
-                olcAccess = [
+              olcAccess = [
-                  /*
+                /*
                   custom access rules for userPassword attributes
                   */
-                  ''
+                ''
-                    {0}to attrs=userPassword
+                  {0}to attrs=userPassword
-                                      by self write
+                                    by self write
-                                      by anonymous auth
+                                    by anonymous auth
-                                      by * none''
+                                    by * none''
 
-                  /*
+                /*
                   allow read on anything else
                   */
-                  ''
+                ''
-                    {1}to *
+                  {1}to *
-                                      by * read''
+                                    by * read''
-                ];
+              ];
-              };
             };
           };
         };
-        declarativeContents = {
-          ${dbSuffix} = ''
-            dn: ${dbSuffix}
-            objectClass: top
-            objectClass: dcObject
-            objectClass: organization
-            o: ${dbDomain}
-
-            dn: ou=posix,${dbSuffix}
-            objectClass: top
-            objectClass: organizationalUnit
-
-            dn: ou=accounts,ou=posix,${dbSuffix}
-            objectClass: top
-            objectClass: organizationalUnit
-
-            dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
-            objectClass: person
-            objectClass: posixAccount
-            userPassword: ${testPassword}
-            homeDirectory: /home/${testUser}
-            uidNumber: 1234
-            gidNumber: 1234
-            cn: ""
-            sn: ""
-          '';
-        };
       };
+      declarativeContents = {
+        ${dbSuffix} = ''
+          dn: ${dbSuffix}
+          objectClass: top
+          objectClass: dcObject
+          objectClass: organization
+          o: ${dbDomain}
 
-      services.sssd = {
+          dn: ou=posix,${dbSuffix}
-        enable = true;
+          objectClass: top
-        # just for testing purposes, don't put this into the Nix store in production!
+          objectClass: organizationalUnit
-        environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
-        config = ''
-          [sssd]
-          config_file_version = 2
-          services = nss, pam, sudo
-          domains = ${dbDomain}
 
-          [domain/${dbDomain}]
+          dn: ou=accounts,ou=posix,${dbSuffix}
-          auth_provider = ldap
+          objectClass: top
-          id_provider = ldap
+          objectClass: organizationalUnit
-          ldap_uri = ldaps://127.0.0.1:636
+
-          ldap_tls_reqcert = allow
+          dn: uid=${testUser},ou=accounts,ou=posix,${dbSuffix}
-          ldap_tls_cacert = /etc/cert.pem
+          objectClass: person
-          ldap_search_base = ${dbSuffix}
+          objectClass: posixAccount
-          ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
+          userPassword: ${testPassword}
-          ldap_default_authtok_type = password
+          homeDirectory: /home/${testUser}
-          ldap_default_authtok = $LDAP_BIND_PW
+          uidNumber: 1234
+          gidNumber: 1234
+          cn: ""
+          sn: ""
         '';
       };
     };
 
-    testScript = ''
+    services.sssd = {
-      machine.start()
+      enable = true;
-      machine.wait_for_unit("openldap.service")
+      # just for testing purposes, don't put this into the Nix store in production!
-      machine.wait_for_unit("sssd.service")
+      environmentFile = "${pkgs.writeText "ldap-root" "LDAP_BIND_PW=${ldapRootPassword}"}";
-      result = machine.execute("getent passwd ${testUser}")
+      config = ''
-      if result[0] == 0:
+        [sssd]
-        assert "${testUser}" in result[1]
+        config_file_version = 2
-      else:
+        services = nss, pam, sudo
-        machine.wait_for_console_text("Backend is online")
+        domains = ${dbDomain}
-        machine.succeed("getent passwd ${testUser}")
 
-      with subtest("Log in as ${testUser}"):
+        [domain/${dbDomain}]
-          machine.wait_until_tty_matches("1", "login: ")
+        auth_provider = ldap
-          machine.send_chars("${testUser}\n")
+        id_provider = ldap
-          machine.wait_until_tty_matches("1", "login: ${testUser}")
+        ldap_uri = ldaps://127.0.0.1:636
-          machine.wait_until_succeeds("pgrep login")
+        ldap_tls_reqcert = allow
-          machine.wait_until_tty_matches("1", "Password: ")
+        ldap_tls_cacert = /etc/cert.pem
-          machine.send_chars("${testPassword}\n")
+        ldap_search_base = ${dbSuffix}
-          machine.wait_until_succeeds("pgrep -u ${testUser} bash")
+        ldap_default_bind_dn = cn=${ldapRootUser},${dbSuffix}
-          machine.send_chars("touch done\n")
+        ldap_default_authtok_type = password
-          machine.wait_for_file("/home/${testUser}/done")
+        ldap_default_authtok = $LDAP_BIND_PW
+      '';
+    };
+  };
 
-      with subtest("Change ${testUser}'s password"):
+  testScript = ''
-          machine.send_chars("passwd\n")
+    machine.start()
-          machine.wait_until_tty_matches("1", "Current Password: ")
+    machine.wait_for_unit("openldap.service")
-          machine.send_chars("${testPassword}\n")
+    machine.wait_for_unit("sssd.service")
-          machine.wait_until_tty_matches("1", "New Password: ")
+    result = machine.execute("getent passwd ${testUser}")
-          machine.send_chars("${testNewPassword}\n")
+    if result[0] == 0:
-          machine.wait_until_tty_matches("1", "Reenter new Password: ")
+      assert "${testUser}" in result[1]
-          machine.send_chars("${testNewPassword}\n")
+    else:
-          machine.wait_until_tty_matches("1", "passwd: password updated successfully")
+      machine.wait_for_console_text("Backend is online")
-          machine.send_chars("exit\n")
+      machine.succeed("getent passwd ${testUser}")
 
-      with subtest("Log in as ${testUser} with new password"):
+    with subtest("Log in as ${testUser}"):
-          machine.wait_until_tty_matches("1", "login: ")
+        machine.wait_until_tty_matches("1", "login: ")
-          machine.send_chars("${testUser}\n")
+        machine.send_chars("${testUser}\n")
-          machine.wait_until_tty_matches("1", "login: ${testUser}")
+        machine.wait_until_tty_matches("1", "login: ${testUser}")
-          machine.wait_until_succeeds("pgrep login")
+        machine.wait_until_succeeds("pgrep login")
-          machine.wait_until_tty_matches("1", "Password: ")
+        machine.wait_until_tty_matches("1", "Password: ")
-          machine.send_chars("${testNewPassword}\n")
+        machine.send_chars("${testPassword}\n")
-          machine.wait_until_succeeds("pgrep -u ${testUser} bash")
+        machine.wait_until_succeeds("pgrep -u ${testUser} bash")
-          machine.send_chars("touch done2\n")
+        machine.send_chars("touch done\n")
-          machine.wait_for_file("/home/${testUser}/done2")
+        machine.wait_for_file("/home/${testUser}/done")
-    '';
+
-  })
+    with subtest("Change ${testUser}'s password"):
+        machine.send_chars("passwd\n")
+        machine.wait_until_tty_matches("1", "Current Password: ")
+        machine.send_chars("${testPassword}\n")
+        machine.wait_until_tty_matches("1", "New Password: ")
+        machine.send_chars("${testNewPassword}\n")
+        machine.wait_until_tty_matches("1", "Reenter new Password: ")
+        machine.send_chars("${testNewPassword}\n")
+        machine.wait_until_tty_matches("1", "passwd: password updated successfully")
+        machine.send_chars("exit\n")
+
+    with subtest("Log in as ${testUser} with new password"):
+        machine.wait_until_tty_matches("1", "login: ")
+        machine.send_chars("${testUser}\n")
+        machine.wait_until_tty_matches("1", "login: ${testUser}")
+        machine.wait_until_succeeds("pgrep login")
+        machine.wait_until_tty_matches("1", "Password: ")
+        machine.send_chars("${testNewPassword}\n")
+        machine.wait_until_succeeds("pgrep -u ${testUser} bash")
+        machine.send_chars("touch done2\n")
+        machine.wait_for_file("/home/${testUser}/done2")
+  '';
+})