Merge pull request #74851 from tfc/nixos-test-ldap-python

nixosTests.[open]ldap: port to python
Florian Klink 2019-12-04 16:54:51 +01:00 committed by GitHub
commit afd8bb3aef
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
2 changed files with 111 additions and 99 deletions


@ -1,4 +1,4 @@
import ./make-test.nix ({ pkgs, lib, ...} : import ./make-test-python.nix ({ pkgs, lib, ...} :
let let
unlines = lib.concatStringsSep "\n"; unlines = lib.concatStringsSep "\n";
@ -288,63 +288,69 @@ in
client1 = mkClient true; # use nss_pam_ldapd client1 = mkClient true; # use nss_pam_ldapd
client2 = mkClient false; # use nss_ldap and pam_ldap client2 = mkClient false; # use nss_ldap and pam_ldap
}; };
testScript = '' testScript = ''
$server->start; def expect_script(*commands):
$server->waitForUnit("default.target"); script = ";".join(commands)
return f"${pkgs.expect}/bin/expect -c '{script}'"
subtest "slapd", sub {
subtest "auth as database admin with SASL and check a POSIX account", sub {
$server->succeed(join ' ', 'test',
'"$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL',
'-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ',
'-s base uidNumber |',
'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ',
')" -eq ${toString ldapUserId}');
};
subtest "auth as database admin with password and check a POSIX account", sub {
$server->succeed(join ' ', 'test',
'"$(ldapsearch -LLL -H ldap://server',
'-D \'cn=admin,${dbSuffix}\' -w \'${dbAdminPwd}\' ',
'-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ',
'-s base uidNumber |',
'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ',
')" -eq ${toString ldapUserId}');
};
};
$client1->start; server.start()
$client1->waitForUnit("default.target"); server.wait_for_unit("default.target")
subtest "password", sub { with subtest("slapd: auth as database admin with SASL and check a POSIX account"):
subtest "su with password to a POSIX account", sub { server.succeed(
$client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', 'test "$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL '
+ "-b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' "
+ "-s base uidNumber | "
+ "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}"
)
with subtest("slapd: auth as database admin with password and check a POSIX account"):
server.succeed(
"test \"$(ldapsearch -LLL -H ldap://server -D 'cn=admin,${dbSuffix}' "
+ "-w '${dbAdminPwd}' -b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' "
+ "-s base uidNumber | "
+ "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}"
)
client1.start()
client1.wait_for_unit("default.target")
with subtest("password: su with password to a POSIX account"):
client1.succeed(
expect_script(
'spawn su "${ldapUser}"', 'spawn su "${ldapUser}"',
'expect "Password:"', 'expect "Password:"',
'send "${ldapUserPwd}\n"', 'send "${ldapUserPwd}\n"',
'expect "*"', 'expect "*"',
'send "whoami\n"', 'send "whoami\n"',
'expect -ex "${ldapUser}" {exit}', 'expect -ex "${ldapUser}" {exit}',
'exit 1' . "'"); "exit 1",
}; )
subtest "change password of a POSIX account as root", sub { )
$client1->succeed("chpasswd <<<'${ldapUser}:new-password'");
$client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', with subtest("password: change password of a POSIX account as root"):
client1.succeed(
"chpasswd <<<'${ldapUser}:new-password'",
expect_script(
'spawn su "${ldapUser}"', 'spawn su "${ldapUser}"',
'expect "Password:"', 'expect "Password:"',
'send "new-password\n"', 'send "new-password\n"',
'expect "*"', 'expect "*"',
'send "whoami\n"', 'send "whoami\n"',
'expect -ex "${ldapUser}" {exit}', 'expect -ex "${ldapUser}" {exit}',
'exit 1' . "'"); "exit 1",
$client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' '); ),
}; "chpasswd <<<'${ldapUser}:${ldapUserPwd}'",
subtest "change password of a POSIX account from itself", sub { )
$client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');
$client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', with subtest("password: change password of a POSIX account from itself"):
'spawn su --login ${ldapUser} -c passwd', client1.succeed(
"chpasswd <<<'${ldapUser}:${ldapUserPwd}' ",
expect_script(
"spawn su --login ${ldapUser} -c passwd",
'expect "Password: "', 'expect "Password: "',
'send "${ldapUserPwd}\n"', 'send "${ldapUserPwd}\n"',
'expect "(current) UNIX password: "', 'expect "(current) UNIX password: "',
@ -354,42 +360,46 @@ in
'expect "Retype new password: "', 'expect "Retype new password: "',
'send "new-password\n"', 'send "new-password\n"',
'expect "passwd: password updated successfully" {exit}', 'expect "passwd: password updated successfully" {exit}',
'exit 1' . "'"); "exit 1",
$client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', ),
expect_script(
'spawn su "${ldapUser}"', 'spawn su "${ldapUser}"',
'expect "Password:"', 'expect "Password:"',
'send "${ldapUserPwd}\n"', 'send "${ldapUserPwd}\n"',
'expect "su: Authentication failure" {exit}', 'expect "su: Authentication failure" {exit}',
'exit 1' . "'"); "exit 1",
$client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';', ),
expect_script(
'spawn su "${ldapUser}"', 'spawn su "${ldapUser}"',
'expect "Password:"', 'expect "Password:"',
'send "new-password\n"', 'send "new-password\n"',
'expect "*"', 'expect "*"',
'send "whoami\n"', 'send "whoami\n"',
'expect -ex "${ldapUser}" {exit}', 'expect -ex "${ldapUser}" {exit}',
'exit 1' . "'"); "exit 1",
$client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' '); ),
}; "chpasswd <<<'${ldapUser}:${ldapUserPwd}'",
}; )
$client2->start; client2.start()
$client2->waitForUnit("default.target"); client2.wait_for_unit("default.target")
subtest "NSS", sub { with subtest("NSS"):
$client1->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}"); client1.succeed(
$client1->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'"); "test \"$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}",
$client1->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}"); "test \"$(id -u -n '${ldapUser}')\" = '${ldapUser}'",
$client1->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'"); "test \"$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}",
$client2->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}"); "test \"$(id -g -n '${ldapUser}')\" = '${ldapGroup}'",
$client2->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'"); "test \"$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}",
$client2->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}"); "test \"$(id -u -n '${ldapUser}')\" = '${ldapUser}'",
$client2->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'"); "test \"$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}",
}; "test \"$(id -g -n '${ldapUser}')\" = '${ldapGroup}'",
)
subtest "PAM", sub { with subtest("PAM"):
$client1->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true"); client1.succeed(
$client2->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true"); "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true",
}; "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true",
)
''; '';
}) })
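Review bot: In the NSS and PAM subtests the ported script runs every check on client1 only — the four `id` assertions and the `su -l` login that the Perl version issued through `$client2->succeed` are now passed as extra arguments to `client1.succeed(...)`, so client2 (the nss_ldap/pam_ldap variant) is started and waited for but never exercised, and the test would not notice a broken pam_ldap. Unless the rendering dropped a `client2.succeed(` line, the second half of each argument list should go to client2; the rewritten tail of the two subtests is sketched below. The `testScript` string and its `let` bindings start before the first hunk, so the helper `expect_script` and the client definitions are only partly visible here.
```python
with subtest("NSS"):
    for client in client1, client2:
        client.succeed(
            "test \"$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}",
            "test \"$(id -u -n '${ldapUser}')\" = '${ldapUser}'",
            "test \"$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}",
            "test \"$(id -g -n '${ldapUser}')\" = '${ldapGroup}'",
        )
with subtest("PAM"):
    for client in client1, client2:
        client.succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true")
```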


@ -1,4 +1,4 @@
import ./make-test.nix { import ./make-test-python.nix {
name = "openldap"; name = "openldap";
machine = { pkgs, ... }: { machine = { pkgs, ... }: {
@ -24,8 +24,10 @@ import ./make-test.nix {
}; };
testScript = '' testScript = ''
$machine->waitForUnit('openldap.service'); machine.wait_for_unit("openldap.service")
$machine->succeed('systemctl status openldap.service'); machine.succeed(
$machine->succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"'); "systemctl status openldap.service",
'ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"',
)
''; '';
} }