nixosTests.pam-pgsql: init

This commit is contained in:
Moraxyc 2025-12-16 19:46:07 +08:00
commit 012275a219
No known key found for this signature in database
GPG key ID: 5D0872C32F23C47A
3 changed files with 94 additions and 1 deletions

View file

@ -1195,6 +1195,7 @@ in
pam-file-contents = runTest ./pam/pam-file-contents.nix;
pam-lastlog = runTest ./pam/pam-lastlog.nix;
pam-oath-login = runTest ./pam/pam-oath-login.nix;
pam-pgsql = runTest ./pam/pam-pgsql.nix;
pam-u2f = runTest ./pam/pam-u2f.nix;
pam-ussh = runTest ./pam/pam-ussh.nix;
pam-zfs-key = runTest ./pam/zfs-key.nix;

View file

@ -0,0 +1,88 @@
{ lib, ... }:
let
dbName = "authdb";
dbUser = "authuser";
in
{
name = "pam-pgsql";
meta.maintainers = with lib.maintainers; [ moraxyc ];
nodes.machine =
{ lib, pkgs, ... }:
{
environment.systemPackages = with pkgs; [ pamtester ];
environment.etc."pam_pgsql.conf".text = lib.generators.toKeyValue { } {
connect = "host=/run/postgresql port=5432 dbname=${dbName} user=${dbUser} connect_timeout=15";
auth_query = "select password from account where username = %u";
acct_query = "select (expired = 'y' OR expired = '1'), (newtok = 'y' OR newtok = '1'), (password IS NULL OR password = '') from account where username = %u";
pwd_query = "update account set password = %p where username = %u";
pw_type = "crypt";
};
services.postgresql = {
enable = true;
authentication = ''
local ${dbName} ${dbUser} trust
'';
initialScript =
pkgs.writeText "init.psql"
# sql
''
CREATE USER ${dbUser};
CREATE DATABASE ${dbName} OWNER ${dbUser};
\c ${dbName}
-- https://github.com/pam-pgsql/pam-pgsql/blob/master/sample.sql
CREATE TABLE account (
username varchar(256) UNIQUE NOT NULL,
password varchar(200),
expired boolean,
newtok boolean
);
GRANT ALL PRIVILEGES ON TABLE account TO ${dbUser};
CREATE EXTENSION IF NOT EXISTS pgcrypto;
INSERT INTO account (username, password, expired, newtok)
VALUES (
'alice',
crypt('secret', gen_salt('bf')),
false,
false
);
'';
};
security.pam.services.pgsql-test.text =
let
pam-pgsql-so = "${pkgs.pam-pgsql}/lib/security/pam_pgsql.so";
in
''
auth required ${pam-pgsql-so}
account required ${pam-pgsql-so}
password required ${pam-pgsql-so}
session required ${pam-pgsql-so}
'';
};
testScript =
# python
''
start_all()
machine.wait_for_unit("postgresql-setup.service")
with subtest("Testing successful login..."):
machine.succeed("echo 'secret' | pamtester -v pgsql-test alice authenticate")
with subtest("Testing failed login..."):
machine.fail("echo 'wrongpass' | pamtester -v pgsql-test alice authenticate")
with subtest("Testing non-existent user..."):
machine.fail("echo 'secret' | pamtester -v pgsql-test bob authenticate")
with subtest("Testing expired user..."):
machine.succeed("psql -U ${dbUser} -d ${dbName} -c 'UPDATE account SET expired = TRUE;'")
machine.succeed("echo 'secret' | pamtester -v pgsql-test alice authenticate")
machine.fail("pamtester -v pgsql-test alice acct_mgmt")
'';
}

View file

@ -9,6 +9,7 @@
pam,
libxcrypt,
unstableGitUpdater,
nixosTests,
}:
stdenv.mkDerivation {
@ -35,7 +36,10 @@ stdenv.mkDerivation {
libxcrypt
];
passthru.updateScript = unstableGitUpdater { hardcodeZeroVersion = true; };
passthru = {
updateScript = unstableGitUpdater { hardcodeZeroVersion = true; };
tests = { inherit (nixosTests) pam-pgsql; };
};
meta = {
description = "Support to authenticate against PostgreSQL for PAM-enabled applications";