From a311252162cbc9ba7feff3647fda34aeee695673 Mon Sep 17 00:00:00 2001
From: Jorge Aparicio
Date: Mon, 3 Apr 2023 15:52:20 +0200
Subject: [PATCH] user_list: test group negation
---
 .../src/sudoers/user_list.rs | 59 ++++++++++++++++++-
 1 file changed, 58 insertions(+), 1 deletion(-)
diff --git a/test-framework/sudo-compliance-tests/src/sudoers/user_list.rs b/test-framework/sudo-compliance-tests/src/sudoers/user_list.rs
index 39f0a6e01..cab75bd14 100644
--- a/test-framework/sudo-compliance-tests/src/sudoers/user_list.rs
+++ b/test-framework/sudo-compliance-tests/src/sudoers/user_list.rs
@@ -1,7 +1,7 @@
 //! Test the first component of the user specification: ` ALL=(ALL:ALL) ALL`
 use pretty_assertions::assert_eq;
-use sudo_test::{Command, Env};
+use sudo_test::{Command, Env, User};
 use crate::{Result, PAMD_SUDO_PAM_PERMIT, USERNAME};
@@ -236,3 +236,60 @@ User_Alias ADMINS = %users, !ghost
 Ok(())
 }
+
+#[test]
+fn negated_subgroup() -> Result<()> {
+ let env = Env("%users, !%rustaceans ALL=(ALL:ALL) ALL")
+ // use PAM to avoid password prompts
+ .file("/etc/pam.d/sudo", PAMD_SUDO_PAM_PERMIT)
+ // the primary group of all new users is `users`
+ .group("rustaceans")
+ .user(User("ferris").secondary_group("rustaceans"))
+ .user("ghost")
+ .build()?;
+
+ Command::new("sudo")
+ .arg("true")
+ .as_user("ghost")
+ .exec(&env)?
+ .assert_success()?;
+
+ let output = Command::new("sudo")
+ .arg("true")
+ .as_user("ferris")
+ .exec(&env)?;
+
+ assert!(!output.status().success());
+ assert_eq!(Some(1), output.status().code());
+
+ if sudo_test::is_original_sudo() {
+ assert_contains!(output.stderr(), "ferris is not in the sudoers file");
+ }
+
+ Ok(())
+}
+
+#[test]
+fn negated_supergroup() -> Result<()> {
+ let env = Env("%rustaceans, !%users ALL=(ALL:ALL) ALL")
+ // use PAM to avoid password prompts
+ .file("/etc/pam.d/sudo", PAMD_SUDO_PAM_PERMIT)
+ // the primary group of all new users is `users`
+ .group("rustaceans")
+ .user(User("ferris").secondary_group("rustaceans"))
+ .user("ghost")
+ .build()?;
+
+ for user in ["ferris", "ghost"] {
+ let output = Command::new("sudo").arg("true").as_user(user).exec(&env)?;
+
+ assert!(!output.status().success());
+ assert_eq!(Some(1), output.status().code());
+
+ if sudo_test::is_original_sudo() {
+ assert_contains!(output.stderr(), " is not in the sudoers file");
+ }
+ }
+
+ Ok(())
+}
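Review bot: The stderr check in `negated_supergroup` is weaker than the one in `negated_subgroup`: it matches only `" is not in the sudoers file"` and so would not notice sudo naming a user other than the one under test, even though `user` is in scope in the loop. Consider `let expected = format!("{user} is not in the sudoers file");` followed by `assert_contains!(output.stderr(), &expected);` (adjusted to whatever argument form the macro accepts). The comment "the primary group of all new users is `users`" sits above `.group("rustaceans")`, which it does not describe; placing it above the `.user(...)` calls, or rewording it to "ferris and ghost are in `users` by default; only ferris is also in `rustaceans`", would make the group layout the assertions rely on clearer. Also, `negated_supergroup` has no positive control: every user it creates is in `users`, so the test would also pass if `%rustaceans` were ignored entirely — if the framework can create a user outside `users`, a third user that is only in `rustaceans` and is expected to succeed would pin the intended precedence; if it cannot, a comment stating that limitation is worth adding.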