summary refs log tree commit diff
path: root/nixos/tests/ldap.nix
diff options
context:
space:
mode:
Diffstat (limited to 'nixos/tests/ldap.nix')
-rw-r--r--nixos/tests/ldap.nix212
1 files changed, 111 insertions, 101 deletions
diff --git a/nixos/tests/ldap.nix b/nixos/tests/ldap.nix
index 665b9ee09b5..74b002fc00e 100644
--- a/nixos/tests/ldap.nix
+++ b/nixos/tests/ldap.nix
@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ...} :
+import ./make-test-python.nix ({ pkgs, lib, ...} :
 
 let
   unlines = lib.concatStringsSep "\n";
@@ -288,108 +288,118 @@ in
 
     client1 = mkClient true; # use nss_pam_ldapd
     client2 = mkClient false; # use nss_ldap and pam_ldap
-
   };
 
   testScript = ''
-    $server->start;
-    $server->waitForUnit("default.target");
-
-    subtest "slapd", sub {
-      subtest "auth as database admin with SASL and check a POSIX account", sub {
-        $server->succeed(join ' ', 'test',
-         '"$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL',
-             '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ',
-             '-s base uidNumber |',
-           'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ',
-         ')" -eq ${toString ldapUserId}');
-      };
-      subtest "auth as database admin with password and check a POSIX account", sub {
-        $server->succeed(join ' ', 'test',
-         '"$(ldapsearch -LLL -H ldap://server',
-             '-D \'cn=admin,${dbSuffix}\' -w \'${dbAdminPwd}\' ',
-             '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ',
-             '-s base uidNumber |',
-           'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ',
-         ')" -eq ${toString ldapUserId}');
-      };
-    };
-
-    $client1->start;
-    $client1->waitForUnit("default.target");
-
-    subtest "password", sub {
-      subtest "su with password to a POSIX account", sub {
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
-          'spawn su "${ldapUser}"',
-          'expect "Password:"',
-          'send "${ldapUserPwd}\n"',
-          'expect "*"',
-          'send "whoami\n"',
-          'expect -ex "${ldapUser}" {exit}',
-          'exit 1' . "'");
-      };
-      subtest "change password of a POSIX account as root", sub {
-        $client1->succeed("chpasswd <<<'${ldapUser}:new-password'");
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
-          'spawn su "${ldapUser}"',
-          'expect "Password:"',
-          'send "new-password\n"',
-          'expect "*"',
-          'send "whoami\n"',
-          'expect -ex "${ldapUser}" {exit}',
-          'exit 1' . "'");
-        $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');
-      };
-      subtest "change password of a POSIX account from itself", sub {
-        $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
-          'spawn su --login ${ldapUser} -c passwd',
-          'expect "Password: "',
-          'send "${ldapUserPwd}\n"',
-          'expect "(current) UNIX password: "',
-          'send "${ldapUserPwd}\n"',
-          'expect "New password: "',
-          'send "new-password\n"',
-          'expect "Retype new password: "',
-          'send "new-password\n"',
-          'expect "passwd: password updated successfully" {exit}',
-          'exit 1' . "'");
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
-          'spawn su "${ldapUser}"',
-          'expect "Password:"',
-          'send "${ldapUserPwd}\n"',
-          'expect "su: Authentication failure" {exit}',
-          'exit 1' . "'");
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
-          'spawn su "${ldapUser}"',
-          'expect "Password:"',
-          'send "new-password\n"',
-          'expect "*"',
-          'send "whoami\n"',
-          'expect -ex "${ldapUser}" {exit}',
-          'exit 1' . "'");
-        $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');
-      };
-    };
-
-    $client2->start;
-    $client2->waitForUnit("default.target");
-
-    subtest "NSS", sub {
-        $client1->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");
-        $client1->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");
-        $client1->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");
-        $client1->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");
-        $client2->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");
-        $client2->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");
-        $client2->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");
-        $client2->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");
-    };
-
-    subtest "PAM", sub {
-        $client1->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");
-        $client2->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");
-    };
+    def expect_script(*commands):
+        script = ";".join(commands)
+        return f"${pkgs.expect}/bin/expect -c '{script}'"
+
+
+    server.start()
+    server.wait_for_unit("default.target")
+
+    with subtest("slapd: auth as database admin with SASL and check a POSIX account"):
+        server.succeed(
+            'test "$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL '
+            + "-b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' "
+            + "-s base uidNumber | "
+            + "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}"
+        )
+
+    with subtest("slapd: auth as database admin with password and check a POSIX account"):
+        server.succeed(
+            "test \"$(ldapsearch -LLL -H ldap://server -D 'cn=admin,${dbSuffix}' "
+            + "-w '${dbAdminPwd}' -b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' "
+            + "-s base uidNumber | "
+            + "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}"
+        )
+
+    client1.start()
+    client1.wait_for_unit("default.target")
+
+    with subtest("password: su with password to a POSIX account"):
+        client1.succeed(
+            expect_script(
+                'spawn su "${ldapUser}"',
+                'expect "Password:"',
+                'send "${ldapUserPwd}\n"',
+                'expect "*"',
+                'send "whoami\n"',
+                'expect -ex "${ldapUser}" {exit}',
+                "exit 1",
+            )
+        )
+
+    with subtest("password: change password of a POSIX account as root"):
+        client1.succeed(
+            "chpasswd <<<'${ldapUser}:new-password'",
+            expect_script(
+                'spawn su "${ldapUser}"',
+                'expect "Password:"',
+                'send "new-password\n"',
+                'expect "*"',
+                'send "whoami\n"',
+                'expect -ex "${ldapUser}" {exit}',
+                "exit 1",
+            ),
+            "chpasswd <<<'${ldapUser}:${ldapUserPwd}'",
+        )
+
+    with subtest("password: change password of a POSIX account from itself"):
+        client1.succeed(
+            "chpasswd <<<'${ldapUser}:${ldapUserPwd}' ",
+            expect_script(
+                "spawn su --login ${ldapUser} -c passwd",
+                'expect "Password: "',
+                'send "${ldapUserPwd}\n"',
+                'expect "(current) UNIX password: "',
+                'send "${ldapUserPwd}\n"',
+                'expect "New password: "',
+                'send "new-password\n"',
+                'expect "Retype new password: "',
+                'send "new-password\n"',
+                'expect "passwd: password updated successfully" {exit}',
+                "exit 1",
+            ),
+            expect_script(
+                'spawn su "${ldapUser}"',
+                'expect "Password:"',
+                'send "${ldapUserPwd}\n"',
+                'expect "su: Authentication failure" {exit}',
+                "exit 1",
+            ),
+            expect_script(
+                'spawn su "${ldapUser}"',
+                'expect "Password:"',
+                'send "new-password\n"',
+                'expect "*"',
+                'send "whoami\n"',
+                'expect -ex "${ldapUser}" {exit}',
+                "exit 1",
+            ),
+            "chpasswd <<<'${ldapUser}:${ldapUserPwd}'",
+        )
+
+    client2.start()
+    client2.wait_for_unit("default.target")
+
+    with subtest("NSS"):
+        client1.succeed(
+            "test \"$(id -u    '${ldapUser}')\" -eq ${toString ldapUserId}",
+            "test \"$(id -u -n '${ldapUser}')\" =  '${ldapUser}'",
+            "test \"$(id -g    '${ldapUser}')\" -eq ${toString ldapGroupId}",
+            "test \"$(id -g -n '${ldapUser}')\" =  '${ldapGroup}'",
+            "test \"$(id -u    '${ldapUser}')\" -eq ${toString ldapUserId}",
+            "test \"$(id -u -n '${ldapUser}')\" =  '${ldapUser}'",
+            "test \"$(id -g    '${ldapUser}')\" -eq ${toString ldapGroupId}",
+            "test \"$(id -g -n '${ldapUser}')\" =  '${ldapGroup}'",
+        )
+
+    with subtest("PAM"):
+        client1.succeed(
+            "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true",
+            "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true",
+        )
   '';
 })
generated by cgit-pink 1.4.1 (git 2.36.1) at 2024-05-10 17:12:19 +0000