[NixPkgs.git] / nixos / tests / systemd-homed.nix
1 import ./make-test-python.nix ({ pkgs, lib, ... }:
2 let
3   password = "foobarfoo";
4   newPass = "barfoobar";
5 in
7   name = "systemd-homed";
8   nodes.machine = { config, pkgs, ... }: {
9     services.homed.enable = true;
11     users.users.test-normal-user = {
12       extraGroups = [ "wheel" ];
13       isNormalUser = true;
14       initialPassword = password;
15     };
16   };
17   testScript = ''
    def switchTTY(number):
      """Switch the VM console to tty<number> and wait until a getty serves it.

      Sends Alt+F<number>, waits for fgconsole to report that console as the
      foreground one, then waits for the matching getty unit and for an
      agetty process on that tty.
      """
      tty = f"tty{number}"
      machine.send_key(f"alt-f{number}")
      machine.wait_until_succeeds(f"[ $(fgconsole) = {number} ]")
      machine.wait_for_unit(f"getty@{tty}.service")
      machine.wait_until_succeeds(f"pgrep -f 'agetty.*{tty}'")
    # Boot has to reach multi-user.target before any console interaction.
    machine.wait_for_unit("multi-user.target")

    # Regression check: homed comes with PAM changes, so confirm that a
    # classic (non-homed) account can still authenticate on a getty.
    machine.wait_until_succeeds("pgrep -f 'agetty.*tty1'")
    with subtest("login as regular user"):
      switchTTY(2)
      machine.wait_until_tty_matches("2", "login: ")
      machine.send_chars("test-normal-user\n")
      machine.wait_until_tty_matches("2", "login: test-normal-user")
      machine.wait_until_tty_matches("2", "Password: ")
      machine.send_chars("${password}\n")
      # A bash process owned by the user is taken as proof of a completed login.
      machine.wait_until_succeeds("pgrep -u test-normal-user bash")
      # The logged-in shell records its own identity; the file is then read back.
      machine.send_chars("whoami > /tmp/1\n")
      machine.wait_for_file("/tmp/1")
      reported_user = machine.succeed("cat /tmp/1")
      assert "test-normal-user" in reported_user
    with subtest("create homed encrypted user"):
      # TODO: find a way to supply the password interactively.
      #
      # NEWPASSWORD is an undocumented variable that homed uses for its own
      # internal testing. The test password is spliced into the shell command
      # unquoted and is visible in the process environment; both are tolerable
      # only for a fixed fixture value inside a disposable VM. Any other value
      # would need lib.escapeShellArg.
      machine.succeed(
        "NEWPASSWORD=${password} homectl create"
        " --shell=/run/current-system/sw/bin/bash --storage=luks -G wheel test-homed-user"
      )
    with subtest("login as homed user"):
      # First login of the LUKS-backed homed account with its creation password.
      switchTTY(3)
      machine.wait_until_tty_matches("3", "login: ")
      machine.send_chars("test-homed-user\n")
      machine.wait_until_tty_matches("3", "login: test-homed-user")
      machine.wait_until_tty_matches("3", "Password: ")
      machine.send_chars("${password}\n")
      # Scoped to tty3 so that only a shell from this login satisfies the wait.
      machine.wait_until_succeeds("pgrep -t tty3 -u test-homed-user bash")
      machine.send_chars("whoami > /tmp/2\n")
      machine.wait_for_file("/tmp/2")
      reported_user = machine.succeed("cat /tmp/2")
      assert "test-homed-user" in reported_user
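    with subtest("change homed user password"):
      # Log in on tty4 with the current password and run passwd from that session.
      switchTTY(4)
      machine.wait_until_tty_matches("4", "login: ")
      machine.send_chars("test-homed-user\n")
      machine.wait_until_tty_matches("4", "login: test-homed-user")
      machine.wait_until_tty_matches("4", "Password: ")
      machine.send_chars("${password}\n")
      machine.wait_until_succeeds("pgrep -t tty4 -u test-homed-user bash")
      machine.send_chars("passwd\n")
      # homed prompts in an unusual order: the new password twice, then the
      # current one. The prompts are not matched on screen; fixed sleeps pace
      # the keystrokes instead.
      machine.sleep(2)
      machine.send_chars("${newPass}\n")
      machine.sleep(2)
      machine.send_chars("${newPass}\n")
      machine.sleep(4)
      machine.send_chars("${password}\n")
      machine.wait_until_fails("pgrep -t tty4 passwd")

      # Security-relevant half of the test: after the change, the OLD password
      # must be rejected. The polling condition fails the test if a shell ever
      # appears on tty5 while the old password is being tried.
      @polling_condition
      def not_logged_in_tty5():
        machine.fail("pgrep -t tty5 bash")

      switchTTY(5)
      with not_logged_in_tty5: # type: ignore[union-attr]
        machine.wait_until_tty_matches("5", "login: ")
        machine.send_chars("test-homed-user\n")
        machine.wait_until_tty_matches("5", "login: test-homed-user")
        machine.wait_until_tty_matches("5", "Password: ")
        machine.send_chars("${password}\n")
        machine.wait_until_tty_matches("5", "Password incorrect or not sufficient for authentication of user test-homed-user.")
        machine.wait_until_tty_matches("5", "Sorry, try again: ")
      # Outside the polling condition: the new password is expected to work.
      machine.send_chars("${newPass}\n")
      # Wait for the login shell before typing into it, as the other subtests
      # do. Keystrokes sent while authentication is still in progress may never
      # reach the shell, and this wait also makes "new password accepted" an
      # explicit check.
      machine.wait_until_succeeds("pgrep -t tty5 -u test-homed-user bash")
      machine.send_chars("whoami > /tmp/4\n")
      machine.wait_for_file("/tmp/4")
      assert "test-homed-user" in machine.succeed("cat /tmp/4")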
    with subtest("homed user should be in wheel according to NSS"):
      # Checks that the wheel membership requested with -G at creation time is
      # visible through the NameServiceSwitch userdb service. grep exits
      # non-zero when the user is not listed, which fails the subtest.
      machine.succeed(
        "userdbctl group wheel -s io.systemd.NameServiceSwitch | grep test-homed-user"
      )
98   '';