path: root/nixos/tests/mutable-users.nix
# Mutable users tests.
#
# NixOS VM test for the `users.mutableUsers` option. The script checks three
# things on a single running VM:
#   1. With mutableUsers = false, an account added imperatively with useradd
#      is gone from /etc/passwd after the configuration is re-activated.
#   2. `which passwd` resolves under /run/current-system/ in the immutable
#      configuration and under /run/wrappers/ after switching to the mutable
#      one.
#   3. `switch-to-configuration dry-activate` leaves the account databases and
#      the /var/lib/nixos state files unchanged and does not recreate a
#      deleted home directory.

import ./make-test-python.nix ({ pkgs, ...} : {
  name = "mutable-users";
  meta = with pkgs.lib.maintainers; {
    maintainers = [ gleber ];
  };

  nodes = {
    # The VM that is actually booted by the test script; it starts with
    # imperative account changes disabled.
    machine = { ... }: {
      users.mutableUsers = false;
    };
    # Never started by the test script: only its built system closure is used,
    # as the target that `machine` switches to.
    mutable = { ... }: {
      users.mutableUsers = true;
      # A normal user whose home directory the script expects to exist after
      # switching to this configuration (/home/dry-test).
      users.users.dry-test.isNormalUser = true;
    };
  };

  # The test script is Python; the two `let` bindings are interpolated into it
  # as paths to each node's system closure, so the same VM can be switched
  # between the immutable and the mutable configuration.
  #
  # NOTE(review): the immutable-mode subtest asserts only on /etc/passwd, using
  # a substring match on "foobar". It does not assert that /etc/shadow or
  # /etc/group are free of a leftover entry for the removed account; consider
  # checking those as well if this test is meant to guard against account
  # persistence.
  #
  # NOTE(review): the dry-activation subtest compares the full output of
  # `stat`, which (with GNU stat, presumably what the VM provides) includes
  # the access time. Equality therefore relies on the intervening reads not
  # updating atime -- confirm against the VM's mount options if this ever
  # flakes.
  testScript = {nodes, ...}: let
    immutableSystem = nodes.machine.config.system.build.toplevel;
    mutableSystem = nodes.mutable.config.system.build.toplevel;
  in ''
    machine.start()
    machine.wait_for_unit("default.target")

    # Machine starts in immutable mode. Add a user and test if reactivating
    # configuration removes the user.
    with subtest("Machine in immutable mode"):
        assert "foobar" not in machine.succeed("cat /etc/passwd")
        machine.succeed("sudo useradd foobar")
        assert "foobar" in machine.succeed("cat /etc/passwd")
        machine.succeed(
            "${immutableSystem}/bin/switch-to-configuration test"
        )
        assert "foobar" not in machine.succeed("cat /etc/passwd")

    # In immutable mode passwd is not wrapped, while in mutable mode it is
    # wrapped.
    with subtest("Password is wrapped in mutable mode"):
        assert "/run/current-system/" in machine.succeed("which passwd")
        machine.succeed(
            "${mutableSystem}/bin/switch-to-configuration test"
        )
        assert "/run/wrappers/" in machine.succeed("which passwd")

    with subtest("dry-activation does not change files"):
        machine.succeed('test -e /home/dry-test')  # home was created
        machine.succeed('rm -rf /home/dry-test')

        files_to_check = ['/etc/group',
                          '/etc/passwd',
                          '/etc/shadow',
                          '/etc/subuid',
                          '/etc/subgid',
                          '/var/lib/nixos/uid-map',
                          '/var/lib/nixos/gid-map',
                          '/var/lib/nixos/declarative-groups',
                          '/var/lib/nixos/declarative-users'
                         ]
        expected_hashes = {}
        expected_stats = {}
        for file in files_to_check:
            expected_hashes[file] = machine.succeed(f"sha256sum {file}")
            expected_stats[file] = machine.succeed(f"stat {file}")

        machine.succeed("/run/current-system/bin/switch-to-configuration dry-activate")

        machine.fail('test -e /home/dry-test')  # home was not recreated
        for file in files_to_check:
            assert machine.succeed(f"sha256sum {file}") == expected_hashes[file]
            assert machine.succeed(f"stat {file}") == expected_stats[file]
  '';
})