Merge pull request #179 from memorysafety/user-list-negated-group

user_list: test group negation
trifectatechfoundation · Apr 3, 2023 · c9afb25 · c9afb25
2 parents 31a3ec2 + a311252
commit c9afb25
Showing 1 changed file with 58 additions and 1 deletion.
diff --git a/test-framework/sudo-compliance-tests/src/sudoers/user_list.rs b/test-framework/sudo-compliance-tests/src/sudoers/user_list.rs
@@ -1,7 +1,7 @@
 //! Test the first component of the user specification: `<user_list> ALL=(ALL:ALL) ALL`
 
 use pretty_assertions::assert_eq;
-use sudo_test::{Command, Env};
+use sudo_test::{Command, Env, User};
 
 use crate::{Result, PAMD_SUDO_PAM_PERMIT, USERNAME};
 
@@ -236,3 +236,60 @@ User_Alias ADMINS = %users, !ghost
 
     Ok(())
 }
+
+#[test]
+fn negated_subgroup() -> Result<()> {
+    let env = Env("%users, !%rustaceans ALL=(ALL:ALL) ALL")
+        // use PAM to avoid password prompts
+        .file("/etc/pam.d/sudo", PAMD_SUDO_PAM_PERMIT)
+        // the primary group of all new users is `users`
+        .group("rustaceans")
+        .user(User("ferris").secondary_group("rustaceans"))
+        .user("ghost")
+        .build()?;
+
+    Command::new("sudo")
+        .arg("true")
+        .as_user("ghost")
+        .exec(&env)?
+        .assert_success()?;
+
+    let output = Command::new("sudo")
+        .arg("true")
+        .as_user("ferris")
+        .exec(&env)?;
+
+    assert!(!output.status().success());
+    assert_eq!(Some(1), output.status().code());
+
+    if sudo_test::is_original_sudo() {
+        assert_contains!(output.stderr(), "ferris is not in the sudoers file");
+    }
+
+    Ok(())
+}
+
+#[test]
+fn negated_supergroup() -> Result<()> {
+    let env = Env("%rustaceans, !%users ALL=(ALL:ALL) ALL")
+        // use PAM to avoid password prompts
+        .file("/etc/pam.d/sudo", PAMD_SUDO_PAM_PERMIT)
+        // the primary group of all new users is `users`
+        .group("rustaceans")
+        .user(User("ferris").secondary_group("rustaceans"))
+        .user("ghost")
+        .build()?;
+
+    for user in ["ferris", "ghost"] {
+        let output = Command::new("sudo").arg("true").as_user(user).exec(&env)?;
+
+        assert!(!output.status().success());
+        assert_eq!(Some(1), output.status().code());
+
+        if sudo_test::is_original_sudo() {
+            assert_contains!(output.stderr(), " is not in the sudoers file");
+        }
+    }
+
+    Ok(())
+}