nixos/sudo: Run tests with sudo-rs too.

Separated environment-related tests, and only run them with o.g. sudo, as sudo-rs does not support `(NO)SETENV` yet; see trifectatechfoundation/sudo-rs#760
nbraud · Sep 13, 2023 · 4242f33 · 4242f33
1 parent bd6ad6f
commit 4242f33
Show file tree

Hide file tree

Showing 3 changed files with 51 additions and 12 deletions.
diff --git a/nixos/tests/all-tests.nix b/nixos/tests/all-tests.nix
@@ -739,6 +739,7 @@ in {
   strongswan-swanctl = handleTest ./strongswan-swanctl.nix {};
   stunnel = handleTest ./stunnel.nix {};
   sudo = handleTest ./sudo.nix {};
+  sudo-rs = handleTest ./sudo.nix { sudo = pkgs.sudo-rs; };
   swap-file-btrfs = handleTest ./swap-file-btrfs.nix {};
   swap-partition = handleTest ./swap-partition.nix {};
   swap-random-encryption = handleTest ./swap-random-encryption.nix {};

diff --git a/nixos/tests/sudo.nix b/nixos/tests/sudo.nix
@@ -1,7 +1,9 @@
 # Some tests to ensure sudo is working properly.
-
+{ pkgs, sudo ? pkgs.sudo, ... }:
 let
+  inherit (pkgs.lib) mkIf optionalString;
   password = "helloworld";
+  usingMillersSudo = sudo.pname == pkgs.sudo.pname;
 in
   import ./make-test-python.nix ({ lib, pkgs, ...} : {
     name = "sudo";
@@ -22,9 +24,10 @@ in
 
         security.sudo = {
           enable = true;
+          package = sudo;
           wheelNeedsPassword = false;
 
-          extraConfig = ''
+          extraConfig = mkIf usingMillersSudo ''
             Defaults lecture="never"
           '';
 
@@ -42,8 +45,8 @@ in
 
             # CONFIGURATION FOR TEST CASES
             { users = [ "test1" ]; groups = [ "foobar" ]; commands = [ "ALL" ]; }
-            { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ]; }
-            { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ]; runAs = "test1:barfoo"; }
+            { groups = [ "barfoo" 1337 ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; }
+            { users = [ "test5" ]; commands = [ { command = "ALL"; options = [ "NOPASSWD" ]; } ]; runAs = "test1:barfoo"; }
           ];
         };
       };
@@ -55,12 +58,42 @@ in
       };
 
       security.sudo = {
+        package = sudo;
         enable = true;
         wheelNeedsPassword = false;
         execWheelOnly = true;
       };
     };
 
+    nodes.env = { ... }: mkIf usingMillersSudo {
+      users.groups.barfoo = {};
+      users.users = {
+          test1 = { isNormalUser = true; };
+          test3 = { isNormalUser = true; extraGroups = [ "barfoo" ]; };
+          test5 = { isNormalUser = true; };
+      };
+
+      security.sudo = {
+        enable = true;
+        package = sudo;
+        wheelNeedsPassword = false;
+
+        extraConfig = mkIf usingMillersSudo ''
+          Defaults lecture="never"
+        '';
+
+        extraRules = [
+          { groups = [ "barfoo" ];
+            commands = [ { command = "ALL"; options = [ "NOPASSWD" "NOSETENV" ]; } ];
+          }
+          { users = [ "test5" ];
+            commands = [ { command = "ALL"; options = [ "NOPASSWD" "SETENV" ]; } ];
+            runAs = "test1:barfoo";
+          }
+        ];
+      };
+    };
+
     testScript =
       ''
         with subtest("users in wheel group should have passwordless sudo"):
@@ -87,16 +120,17 @@ in
         with subtest("test5 user should not be able to run commands under root"):
             machine.fail("sudo -u test5 sudo -n -u root true")
 
-        with subtest("test5 user should be able to keep their environment"):
-            machine.succeed("sudo -u test5 sudo -n -E -u test1 true")
-
-        with subtest("users in group 'barfoo' should not be able to keep their environment"):
-            machine.fail("sudo -u test3 sudo -n -E -u root true")
-
         with subtest("users in wheel should be able to run sudo despite execWheelOnly"):
             strict.succeed('su - admin -c "sudo -u root true"')
 
         with subtest("non-wheel users should be unable to run sudo thanks to execWheelOnly"):
             strict.fail('su - noadmin -c "sudo --help"')
-      '';
+      '' + (optionalString usingMillersSudo ''
+        with subtest("test5 user should be able to keep their environment"):
+            env.succeed("sudo -u test5 sudo -n -E -u test1 true")
+
+        with subtest("users in group 'barfoo' should not be able to keep their environment"):
+            env.fail("sudo -u test3 sudo -n -E -u root true")
+
+      '');
   })
diff --git a/pkgs/tools/security/sudo-rs/default.nix b/pkgs/tools/security/sudo-rs/default.nix
@@ -4,6 +4,7 @@
 , fetchpatch
 , installShellFiles
 , nix-update-script
+, nixosTests
 , pam
 , pandoc
 , rustPlatform
@@ -73,7 +74,10 @@ rustPlatform.buildRustPackage rec {
     "su::context::tests::invalid_shell"
   ];
 
-  passthru.updateScript = nix-update-script { };
+  passthru = {
+    updateScript = nix-update-script { };
+    tests = nixosTests.sudo-rs;
+  };
 
   meta = with lib; {
     description = "A memory safe implementation of sudo and su.";