178 lines
5.7 KiB
Nix
178 lines
5.7 KiB
Nix
|
import ./make-test-python.nix ({ pkgs, lib, ... }:
|
||
|
|
||
|
let
|
||
|
dbUser = "nixos_auth";
|
||
|
dbPassword = "topsecret123";
|
||
|
dbName = "auth";
|
||
|
|
||
|
mysqlUsername = "mysqltest";
|
||
|
mysqlPassword = "topsecretmysqluserpassword123";
|
||
|
mysqlGroup = "mysqlusers";
|
||
|
|
||
|
localUsername = "localtest";
|
||
|
localPassword = "topsecretlocaluserpassword123";
|
||
|
|
||
|
mysqlInit = pkgs.writeText "mysqlInit" ''
|
||
|
CREATE USER '${dbUser}'@'localhost' IDENTIFIED BY '${dbPassword}';
|
||
|
CREATE DATABASE ${dbName};
|
||
|
GRANT ALL PRIVILEGES ON ${dbName}.* TO '${dbUser}'@'localhost';
|
||
|
FLUSH PRIVILEGES;
|
||
|
|
||
|
USE ${dbName};
|
||
|
CREATE TABLE `groups` (
|
||
|
rowid int(11) NOT NULL auto_increment,
|
||
|
gid int(11) NOT NULL,
|
||
|
name char(255) NOT NULL,
|
||
|
PRIMARY KEY (rowid)
|
||
|
);
|
||
|
|
||
|
CREATE TABLE `users` (
|
||
|
name varchar(255) NOT NULL,
|
||
|
uid int(11) NOT NULL auto_increment,
|
||
|
gid int(11) NOT NULL,
|
||
|
password varchar(255) NOT NULL,
|
||
|
PRIMARY KEY (uid),
|
||
|
UNIQUE (name)
|
||
|
) AUTO_INCREMENT=5000;
|
||
|
|
||
|
INSERT INTO `users` (name, uid, gid, password) VALUES
|
||
|
('${mysqlUsername}', 5000, 5000, SHA2('${mysqlPassword}', 256));
|
||
|
INSERT INTO `groups` (name, gid) VALUES ('${mysqlGroup}', 5000);
|
||
|
'';
|
||
|
in
|
||
|
{
|
||
|
name = "auth-mysql";
|
||
|
meta.maintainers = with lib.maintainers; [ netali ];
|
||
|
|
||
|
nodes.machine =
|
||
|
{ ... }:
|
||
|
{
|
||
|
services.mysql = {
|
||
|
enable = true;
|
||
|
package = pkgs.mariadb;
|
||
|
settings.mysqld.bind-address = "127.0.0.1";
|
||
|
initialScript = mysqlInit;
|
||
|
};
|
||
|
|
||
|
users.users.${localUsername} = {
|
||
|
isNormalUser = true;
|
||
|
password = localPassword;
|
||
|
};
|
||
|
|
||
|
security.pam.services.login.makeHomeDir = true;
|
||
|
|
||
|
users.mysql = {
|
||
|
enable = true;
|
||
|
host = "127.0.0.1";
|
||
|
user = dbUser;
|
||
|
database = dbName;
|
||
|
passwordFile = "${builtins.toFile "dbPassword" dbPassword}";
|
||
|
pam = {
|
||
|
table = "users";
|
||
|
userColumn = "name";
|
||
|
passwordColumn = "password";
|
||
|
passwordCrypt = "sha256";
|
||
|
disconnectEveryOperation = true;
|
||
|
};
|
||
|
nss = {
|
||
|
getpwnam = ''
|
||
|
SELECT name, 'x', uid, gid, name, CONCAT('/home/', name), "/run/current-system/sw/bin/bash" \
|
||
|
FROM users \
|
||
|
WHERE name='%1$s' \
|
||
|
LIMIT 1
|
||
|
'';
|
||
|
getpwuid = ''
|
||
|
SELECT name, 'x', uid, gid, name, CONCAT('/home/', name), "/run/current-system/sw/bin/bash" \
|
||
|
FROM users \
|
||
|
WHERE id=%1$u \
|
||
|
LIMIT 1
|
||
|
'';
|
||
|
getspnam = ''
|
||
|
SELECT name, password, 1, 0, 99999, 7, 0, -1, 0 \
|
||
|
FROM users \
|
||
|
WHERE name='%1$s' \
|
||
|
LIMIT 1
|
||
|
'';
|
||
|
getpwent = ''
|
||
|
SELECT name, 'x', uid, gid, name, CONCAT('/home/', name), "/run/current-system/sw/bin/bash" \
|
||
|
FROM users
|
||
|
'';
|
||
|
getspent = ''
|
||
|
SELECT name, password, 1, 0, 99999, 7, 0, -1, 0 \
|
||
|
FROM users
|
||
|
'';
|
||
|
getgrnam = ''
|
||
|
SELECT name, 'x', gid FROM groups WHERE name='%1$s' LIMIT 1
|
||
|
'';
|
||
|
getgrgid = ''
|
||
|
SELECT name, 'x', gid FROM groups WHERE gid='%1$u' LIMIT 1
|
||
|
'';
|
||
|
getgrent = ''
|
||
|
SELECT name, 'x', gid FROM groups
|
||
|
'';
|
||
|
memsbygid = ''
|
||
|
SELECT name FROM users WHERE gid=%1$u
|
||
|
'';
|
||
|
gidsbymem = ''
|
||
|
SELECT gid FROM users WHERE name='%1$s'
|
||
|
'';
|
||
|
};
|
||
|
};
|
||
|
};
|
||
|
|
||
|
testScript = ''
|
||
|
def switch_to_tty(tty_number):
|
||
|
machine.fail(f"pgrep -f 'agetty.*tty{tty_number}'")
|
||
|
machine.send_key(f"alt-f{tty_number}")
|
||
|
machine.wait_until_succeeds(f"[ $(fgconsole) = {tty_number} ]")
|
||
|
machine.wait_for_unit(f"getty@tty{tty_number}.service")
|
||
|
machine.wait_until_succeeds(f"pgrep -f 'agetty.*tty{tty_number}'")
|
||
|
|
||
|
|
||
|
def try_login(tty_number, username, password):
|
||
|
machine.wait_until_tty_matches(tty_number, "login: ")
|
||
|
machine.send_chars(f"{username}\n")
|
||
|
machine.wait_until_tty_matches(tty_number, f"login: {username}")
|
||
|
machine.wait_until_succeeds("pgrep login")
|
||
|
machine.wait_until_tty_matches(tty_number, "Password: ")
|
||
|
machine.send_chars(f"{password}\n")
|
||
|
|
||
|
|
||
|
machine.wait_for_unit("multi-user.target")
|
||
|
machine.wait_for_unit("mysql.service")
|
||
|
machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
|
||
|
|
||
|
with subtest("Local login"):
|
||
|
switch_to_tty("2")
|
||
|
try_login("2", "${localUsername}", "${localPassword}")
|
||
|
|
||
|
machine.wait_until_succeeds("pgrep -u ${localUsername} bash")
|
||
|
machine.send_chars("id > local_id.txt\n")
|
||
|
machine.wait_for_file("/home/${localUsername}/local_id.txt")
|
||
|
machine.succeed("cat /home/${localUsername}/local_id.txt | grep 'uid=1000(${localUsername}) gid=100(users) groups=100(users)'")
|
||
|
|
||
|
with subtest("Local incorrect login"):
|
||
|
switch_to_tty("3")
|
||
|
try_login("3", "${localUsername}", "wrongpassword")
|
||
|
|
||
|
machine.wait_until_tty_matches("3", "Login incorrect")
|
||
|
machine.wait_until_tty_matches("3", "login:")
|
||
|
|
||
|
with subtest("MySQL login"):
|
||
|
switch_to_tty("4")
|
||
|
try_login("4", "${mysqlUsername}", "${mysqlPassword}")
|
||
|
|
||
|
machine.wait_until_succeeds("pgrep -u ${mysqlUsername} bash")
|
||
|
machine.send_chars("id > mysql_id.txt\n")
|
||
|
machine.wait_for_file("/home/${mysqlUsername}/mysql_id.txt")
|
||
|
machine.succeed("cat /home/${mysqlUsername}/mysql_id.txt | grep 'uid=5000(${mysqlUsername}) gid=5000(${mysqlGroup}) groups=5000(${mysqlGroup})'")
|
||
|
|
||
|
with subtest("MySQL incorrect login"):
|
||
|
switch_to_tty("5")
|
||
|
try_login("5", "${mysqlUsername}", "wrongpassword")
|
||
|
|
||
|
machine.wait_until_tty_matches("5", "Login incorrect")
|
||
|
machine.wait_until_tty_matches("5", "login:")
|
||
|
'';
|
||
|
})
|