Merge pull request #74851 from tfc/nixos-test-ldap-python

nixosTests.[open]ldap: port to python

nixos/tests/ldap.nix

@@ -1,4 +1,4 @@
-import ./make-test.nix ({ pkgs, lib, ...} :
+import ./make-test-python.nix ({ pkgs, lib, ...} :
 
 let
   unlines = lib.concatStringsSep "\n";
@@ -288,108 +288,118 @@ in
 
     client1 = mkClient true; # use nss_pam_ldapd
     client2 = mkClient false; # use nss_ldap and pam_ldap
-
   };
 
   testScript = ''
-    $server->start;
+    def expect_script(*commands):
-    $server->waitForUnit("default.target");
+        script = ";".join(commands)
+        return f"${pkgs.expect}/bin/expect -c '{script}'"
 
-    subtest "slapd", sub {
-      subtest "auth as database admin with SASL and check a POSIX account", sub {
-        $server->succeed(join ' ', 'test',
-         '"$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL',
-             '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ',
-             '-s base uidNumber |',
-           'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ',
-         ')" -eq ${toString ldapUserId}');
-      };
-      subtest "auth as database admin with password and check a POSIX account", sub {
-        $server->succeed(join ' ', 'test',
-         '"$(ldapsearch -LLL -H ldap://server',
-             '-D \'cn=admin,${dbSuffix}\' -w \'${dbAdminPwd}\' ',
-             '-b \'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}\' ',
-             '-s base uidNumber |',
-           'sed -ne \'s/^uidNumber: \\(.*\\)/\\1/p\' ',
-         ')" -eq ${toString ldapUserId}');
-      };
-    };
 
-    $client1->start;
+    server.start()
-    $client1->waitForUnit("default.target");
+    server.wait_for_unit("default.target")
 
-    subtest "password", sub {
+    with subtest("slapd: auth as database admin with SASL and check a POSIX account"):
-      subtest "su with password to a POSIX account", sub {
+        server.succeed(
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
+            'test "$(ldapsearch -LLL -H ldapi:// -Y EXTERNAL '
-          'spawn su "${ldapUser}"',
+            + "-b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' "
-          'expect "Password:"',
+            + "-s base uidNumber | "
-          'send "${ldapUserPwd}\n"',
+            + "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}"
-          'expect "*"',
+        )
-          'send "whoami\n"',
-          'expect -ex "${ldapUser}" {exit}',
-          'exit 1' . "'");
-      };
-      subtest "change password of a POSIX account as root", sub {
-        $client1->succeed("chpasswd <<<'${ldapUser}:new-password'");
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
-          'spawn su "${ldapUser}"',
-          'expect "Password:"',
-          'send "new-password\n"',
-          'expect "*"',
-          'send "whoami\n"',
-          'expect -ex "${ldapUser}" {exit}',
-          'exit 1' . "'");
-        $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');
-      };
-      subtest "change password of a POSIX account from itself", sub {
-        $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
-          'spawn su --login ${ldapUser} -c passwd',
-          'expect "Password: "',
-          'send "${ldapUserPwd}\n"',
-          'expect "(current) UNIX password: "',
-          'send "${ldapUserPwd}\n"',
-          'expect "New password: "',
-          'send "new-password\n"',
-          'expect "Retype new password: "',
-          'send "new-password\n"',
-          'expect "passwd: password updated successfully" {exit}',
-          'exit 1' . "'");
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
-          'spawn su "${ldapUser}"',
-          'expect "Password:"',
-          'send "${ldapUserPwd}\n"',
-          'expect "su: Authentication failure" {exit}',
-          'exit 1' . "'");
-        $client1->succeed("${pkgs.expect}/bin/expect -c '" . join ';',
-          'spawn su "${ldapUser}"',
-          'expect "Password:"',
-          'send "new-password\n"',
-          'expect "*"',
-          'send "whoami\n"',
-          'expect -ex "${ldapUser}" {exit}',
-          'exit 1' . "'");
-        $client1->succeed('chpasswd <<<\'${ldapUser}:${ldapUserPwd}\' ');
-      };
-    };
 
-    $client2->start;
+    with subtest("slapd: auth as database admin with password and check a POSIX account"):
-    $client2->waitForUnit("default.target");
+        server.succeed(
+            "test \"$(ldapsearch -LLL -H ldap://server -D 'cn=admin,${dbSuffix}' "
+            + "-w '${dbAdminPwd}' -b 'uid=${ldapUser},ou=accounts,ou=posix,${dbSuffix}' "
+            + "-s base uidNumber | "
+            + "sed -ne 's/^uidNumber: \\(.*\\)/\\1/p')\" -eq ${toString ldapUserId}"
+        )
 
-    subtest "NSS", sub {
+    client1.start()
-        $client1->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");
+    client1.wait_for_unit("default.target")
-        $client1->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");
-        $client1->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");
-        $client1->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");
-        $client2->succeed("test \"\$(id -u '${ldapUser}')\" -eq ${toString ldapUserId}");
-        $client2->succeed("test \"\$(id -u -n '${ldapUser}')\" = '${ldapUser}'");
-        $client2->succeed("test \"\$(id -g '${ldapUser}')\" -eq ${toString ldapGroupId}");
-        $client2->succeed("test \"\$(id -g -n '${ldapUser}')\" = '${ldapGroup}'");
-    };
 
-    subtest "PAM", sub {
+    with subtest("password: su with password to a POSIX account"):
-        $client1->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");
+        client1.succeed(
-        $client2->succeed("echo ${ldapUserPwd} | su -l '${ldapUser}' -c true");
+            expect_script(
-    };
+                'spawn su "${ldapUser}"',
+                'expect "Password:"',
+                'send "${ldapUserPwd}\n"',
+                'expect "*"',
+                'send "whoami\n"',
+                'expect -ex "${ldapUser}" {exit}',
+                "exit 1",
+            )
+        )
+
+    with subtest("password: change password of a POSIX account as root"):
+        client1.succeed(
+            "chpasswd <<<'${ldapUser}:new-password'",
+            expect_script(
+                'spawn su "${ldapUser}"',
+                'expect "Password:"',
+                'send "new-password\n"',
+                'expect "*"',
+                'send "whoami\n"',
+                'expect -ex "${ldapUser}" {exit}',
+                "exit 1",
+            ),
+            "chpasswd <<<'${ldapUser}:${ldapUserPwd}'",
+        )
+
+    with subtest("password: change password of a POSIX account from itself"):
+        client1.succeed(
+            "chpasswd <<<'${ldapUser}:${ldapUserPwd}' ",
+            expect_script(
+                "spawn su --login ${ldapUser} -c passwd",
+                'expect "Password: "',
+                'send "${ldapUserPwd}\n"',
+                'expect "(current) UNIX password: "',
+                'send "${ldapUserPwd}\n"',
+                'expect "New password: "',
+                'send "new-password\n"',
+                'expect "Retype new password: "',
+                'send "new-password\n"',
+                'expect "passwd: password updated successfully" {exit}',
+                "exit 1",
+            ),
+            expect_script(
+                'spawn su "${ldapUser}"',
+                'expect "Password:"',
+                'send "${ldapUserPwd}\n"',
+                'expect "su: Authentication failure" {exit}',
+                "exit 1",
+            ),
+            expect_script(
+                'spawn su "${ldapUser}"',
+                'expect "Password:"',
+                'send "new-password\n"',
+                'expect "*"',
+                'send "whoami\n"',
+                'expect -ex "${ldapUser}" {exit}',
+                "exit 1",
+            ),
+            "chpasswd <<<'${ldapUser}:${ldapUserPwd}'",
+        )
+
+    client2.start()
+    client2.wait_for_unit("default.target")
+
+    with subtest("NSS"):
+        client1.succeed(
+            "test \"$(id -u    '${ldapUser}')\" -eq ${toString ldapUserId}",
+            "test \"$(id -u -n '${ldapUser}')\" =  '${ldapUser}'",
+            "test \"$(id -g    '${ldapUser}')\" -eq ${toString ldapGroupId}",
+            "test \"$(id -g -n '${ldapUser}')\" =  '${ldapGroup}'",
+            "test \"$(id -u    '${ldapUser}')\" -eq ${toString ldapUserId}",
+            "test \"$(id -u -n '${ldapUser}')\" =  '${ldapUser}'",
+            "test \"$(id -g    '${ldapUser}')\" -eq ${toString ldapGroupId}",
+            "test \"$(id -g -n '${ldapUser}')\" =  '${ldapGroup}'",
+        )
+
+    with subtest("PAM"):
+        client1.succeed(
+            "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true",
+            "echo ${ldapUserPwd} | su -l '${ldapUser}' -c true",
+        )
   '';
 })

nixos/tests/openldap.nix

@@ -1,4 +1,4 @@
-import ./make-test.nix {
+import ./make-test-python.nix {
   name = "openldap";
 
   machine = { pkgs, ... }: {
@@ -24,8 +24,10 @@ import ./make-test.nix {
   };
 
   testScript = ''
-    $machine->waitForUnit('openldap.service');
+    machine.wait_for_unit("openldap.service")
-    $machine->succeed('systemctl status openldap.service');
+    machine.succeed(
-    $machine->succeed('ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"');
+        "systemctl status openldap.service",
+        'ldapsearch -LLL -D "cn=root,dc=example" -w notapassword -b "dc=example"',
+    )
   '';
 }