feat(worker): box-user script builders + username sanitizer
This commit is contained in:
@@ -0,0 +1,79 @@
|
||||
import { describe, expect, it } from 'vitest';
|
||||
|
||||
import {
|
||||
buildBoxInitScript,
|
||||
buildClearPasswordCommand,
|
||||
buildSudoPolicyScript,
|
||||
linuxUsername,
|
||||
} from '../../src/runtime/box-user';
|
||||
|
||||
describe('linuxUsername', () => {
|
||||
it('lowercases and passes through simple names', () => {
|
||||
expect(linuxUsername('gabriel')).toBe('gabriel');
|
||||
expect(linuxUsername('Gabriel')).toBe('gabriel');
|
||||
});
|
||||
it('replaces invalid characters with dashes', () => {
|
||||
expect(linuxUsername('g@b r!el')).toBe('g-b-r-el');
|
||||
});
|
||||
it('prefixes names that do not start with [a-z_]', () => {
|
||||
expect(linuxUsername('1337')).toBe('u1337');
|
||||
expect(linuxUsername('-dash')).toBe('u-dash');
|
||||
});
|
||||
it('truncates to 32 chars and falls back to spoon', () => {
|
||||
expect(linuxUsername('a'.repeat(40))).toHaveLength(32);
|
||||
expect(linuxUsername('')).toBe('spoon');
|
||||
expect(linuxUsername('@@@')).toBe('u---');
|
||||
});
|
||||
});
|
||||
|
||||
describe('buildBoxInitScript', () => {
|
||||
const script = buildBoxInitScript({
|
||||
username: 'gabriel',
|
||||
home: '/home/Gabriel',
|
||||
});
|
||||
it('creates the user idempotently with uid 1000 at the given home', () => {
|
||||
expect(script).toContain("id -u 'gabriel'");
|
||||
expect(script).toContain('useradd');
|
||||
expect(script).toContain('-u 1000');
|
||||
expect(script).toContain("-d '/home/Gabriel'");
|
||||
expect(script).toContain('-s /bin/bash');
|
||||
});
|
||||
it('adds wheel membership', () => {
|
||||
expect(script).toContain("usermod -aG wheel 'gabriel'");
|
||||
});
|
||||
it('chowns the home once, guarded by the marker', () => {
|
||||
expect(script).toContain('/home/Gabriel/.spoon/chown-v1');
|
||||
expect(script).toContain("chown -R 1000:1000 '/home/Gabriel'");
|
||||
});
|
||||
});
|
||||
|
||||
describe('buildSudoPolicyScript', () => {
|
||||
it('installs a visudo-validated NOPASSWD drop-in when no password is set', () => {
|
||||
const script = buildSudoPolicyScript({
|
||||
username: 'gabriel',
|
||||
passwordSet: false,
|
||||
});
|
||||
expect(script).toContain('gabriel ALL=(ALL) NOPASSWD:ALL');
|
||||
expect(script).toContain('visudo -c');
|
||||
expect(script).toContain('/etc/sudoers.d/spoon-box');
|
||||
expect(script).toContain('chmod 0440');
|
||||
});
|
||||
it('removes the drop-in when a password is set', () => {
|
||||
const script = buildSudoPolicyScript({
|
||||
username: 'gabriel',
|
||||
passwordSet: true,
|
||||
});
|
||||
expect(script).toContain('rm -f /etc/sudoers.d/spoon-box');
|
||||
expect(script).not.toContain('NOPASSWD');
|
||||
});
|
||||
});
|
||||
|
||||
describe('password commands', () => {
|
||||
it('clears via passwd -d', () => {
|
||||
expect(buildClearPasswordCommand('gabriel')).toEqual([
|
||||
'passwd',
|
||||
'-d',
|
||||
'gabriel',
|
||||
]);
|
||||
});
|
||||
});
|
||||
Reference in New Issue
Block a user