Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Correct password option docs and add related tests #310484

Merged
merged 4 commits into from
Dec 22, 2024

Conversation

fidgetingbits
Copy link
Contributor

Description of changes

This attempts to clarify the true behavior of password option overrides, as the documentation seems to be wrong (and appears to have been for at least 10 years). These docs also clarify systemd-sysusers quirks that I coincidentally noticed someone happened to file recently here as well.

The relevant option docs have been updated, but more importantly I created two new tests to try to show the true behavior of the overrides in their current form. This way if anything ever changes on this front it will be caught and docs can be updated accordingly.

If you want to run the tests I added, you will have to change the maintainer for now as my being added to maintainers is pending this PR being merged.

I've not used Nix for very long, so would appreciate someone who has dealt with this code in the past to validate what I've found. @nikstur and @NeQuissimus, perhaps you could both take a look as I've repurposed some of your tests that touch the same areas, so I suspect you'll both be familiar.

Things done

  • Built on platform(s)
    • x86_64-linux
    • aarch64-linux
    • x86_64-darwin
    • aarch64-darwin
  • For non-Linux: Is sandboxing enabled in nix.conf? (See Nix manual)
    • sandbox = relaxed
    • sandbox = true
  • Tested, as applicable:
  • Tested compilation of all packages that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review rev HEAD". Note: all changes have to be committed, also see nixpkgs-review usage
  • Tested basic functionality of all binary files (usually in ./result/bin/)
  • 24.05 Release Notes (or backporting 23.05 and 23.11 Release notes)
    • (Package updates) Added a release notes entry if the change is major or breaking
    • (Module updates) Added a release notes entry if the change is significant
    • (Module addition) Added a release notes entry if adding a new NixOS module
  • Fits CONTRIBUTING.md.

Add a 👍 reaction to pull requests you find important.

@github-actions github-actions bot added 6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` labels May 10, 2024
@ofborg ofborg bot added 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 labels May 10, 2024
@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/3958

@wegank wegank added the 2.status: merge conflict This PR has merge conflicts with the target branch label Nov 1, 2024
@fidgetingbits
Copy link
Contributor Author

fidgetingbits commented Nov 10, 2024

@Ma27 any thoughts on this PR or know who should review it? I just noticed today you recently made some recent changes that lead to a merge conflict (which I have yet to fix), so just pinging to see if you want to take a look or have an idea who to ping to get this reviewed.

@Ma27
Copy link
Member

Ma27 commented Nov 10, 2024

Last times I touched this part, it was kinda hard to find anybody who felt responsible.
Given that this seems to be a correctness fix mostly, I'll try to take a look soonish.

@fidgetingbits fidgetingbits force-pushed the clarify-password-option-overrides branch from 00147d2 to 47580a1 Compare November 12, 2024 13:39
@fidgetingbits fidgetingbits removed the 2.status: merge conflict This PR has merge conflicts with the target branch label Nov 12, 2024
@fidgetingbits
Copy link
Contributor Author

Merge conflicts should be fixed now

nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
@fidgetingbits fidgetingbits force-pushed the clarify-password-option-overrides branch from 47580a1 to b572dd2 Compare November 14, 2024 00:29
@fidgetingbits
Copy link
Contributor Author

Just a note that to run the tests I added you can run the following from nixpkgs root folder: nix-build . -A nixosTests.password-option-override-ordering and nix-build . -A nixosTests.systemd-sysusers-password-option-override-ordering.

Looks like the latter is failing now due to a new assertion about user types, so I will have to investigate.

@fidgetingbits
Copy link
Contributor Author

Looks like there are more aggressive asserts that helps with some of the systemd-sysusers stuff, so I removed a couple of assertions from that test that no longer will run. Also changed the user type and added groups to ensure other new assertions pass so the test actually runs.

I've left the changes as separate commit now for sake of reference, but can squash them before merge.

Copy link
Member

@Ma27 Ma27 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oof thank you for investing time into this! Using NixOS for almost 8 years now and I had no idea how much of a mess that is...

nixos/tests/password-option-override-ordering.nix Outdated Show resolved Hide resolved
nixos/tests/password-option-override-ordering.nix Outdated Show resolved Hide resolved
nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
@Ma27
Copy link
Member

Ma27 commented Nov 23, 2024

Also asked in the nixos-systemd Matrix channel for more reviewers for the systemd-sysusers part.

@Ma27 Ma27 added the backport release-24.11 Backport PR automatically label Nov 23, 2024
@Ma27
Copy link
Member

Ma27 commented Nov 23, 2024

I'd really like to see this in 24.11 when it's good to go: this isn't a behavioral fix, but clarifies the current behavior in both warnings and the manual (and locks it down with a test).

@fidgetingbits
Copy link
Contributor Author

I've purposefully not rebased commits for now to make diffing of feedback a bit easier. I added an additional test to so we can track where mutableUsers = true and mutableUsers = false differ, which there seems to be one difference for user.greg test, which I still need to investigate.

@fidgetingbits
Copy link
Contributor Author

I still need to add the clearer wording for the greg case with mutableUsers difference, but otherwise all other feedback should be addressed now.

Copy link

@EmergentMind EmergentMind left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Some suggestions to add clarity and improve some grammar.

I also reviewed the various cases of precedence depending on the values of mutable and/or sysUsers. All the option descriptions and related tests appear to be consistent.

nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
nixos/modules/config/users-groups.nix Outdated Show resolved Hide resolved
@ofborg ofborg bot added 2.status: merge conflict This PR has merge conflicts with the target branch and removed 2.status: merge conflict This PR has merge conflicts with the target branch labels Nov 26, 2024
@fidgetingbits
Copy link
Contributor Author

fidgetingbits commented Nov 28, 2024

I took a stab at rewording the whole thing based on EmergentMind's feedback and because I found myself getting confused reading it even though I'm working on it. That allowed me to de-duplicate some text from other options, which makes passwordDescription the single source of truth, which will be nice for future tweaks.

One part I didn't include which I considered putting at the end of passwordDescription is:

    If [](#opt-systemd.sysusers.enable) is `true`, then the order of password is:
    `initialPassword` -> `initialHashedPassword` -> `hashedPasswordFile`

Since technically that order still matches what is shown earlier (just with password, hashedPassword, hashedPasswordFile omitted), I wasn't sure if I should explicitly include it or not. Happy to add it if others thing it's worth.

@fidgetingbits
Copy link
Contributor Author

Good for another review pass I think. In order to fix the assert warning being wrong, and make it harder to mess up the override order text in various places, I tried to deduplicate it all and use some variable expansion to help generate it in various places.

Copy link

@EmergentMind EmergentMind left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rewording and de-duplication is a big improvement for clarity. Nice work.

@nixos-discourse
Copy link

This pull request has been mentioned on NixOS Discourse. There might be relevant details there:

https://discourse.nixos.org/t/prs-ready-for-review/3032/4905

@fidgetingbits fidgetingbits requested a review from Ma27 December 2, 2024 15:39
@Ma27
Copy link
Member

Ma27 commented Dec 2, 2024

It's on my radar and I still have the tab open.

Copy link
Member

@Ma27 Ma27 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code LGTM otherwise.
Please reword your commit messages to follow the contribution guidelines.

nixos/modules/config/users-groups.nix Show resolved Hide resolved
@fidgetingbits fidgetingbits force-pushed the clarify-password-option-overrides branch from 9b1696b to 4d1ff6e Compare December 15, 2024 03:44
Testing showed that the existing documentation regarding password override
ordering was incorrect. This commit corrects the errors and refactors
the way the text is constructed to make updating future ordering
changes significantly easier.
This commit adds two new tests to show that the ordering of password
overrides documentation in nixos/modules/config/user-groups.nix is
correct. The override behavior differs depending on whether a system
has systemd-sysusers enabled, so there are two tests.
@fidgetingbits fidgetingbits force-pushed the clarify-password-option-overrides branch from 4d1ff6e to b84fb1e Compare December 15, 2024 04:26
Ma27 added 2 commits December 22, 2024 15:32
Otherwise the evaluation warnings have a two or even three lines of
whitespace between paragraphs.
…fy SetCredential check

It was kinda weird to assert that the clear-text password was
in the unit when the hashed password was the effective one.

This change makes it explicit that both are in there and the latter
takes precedence.
Copy link
Member

@Ma27 Ma27 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pushed two small fixes (one for the whitespace, one for an assertion in the sysusers test - details are in the messages). LGTM now.

@Ma27 Ma27 merged commit 601a97f into NixOS:master Dec 22, 2024
24 of 25 checks passed
@nix-backports
Copy link

nix-backports bot commented Dec 22, 2024

Successfully created backport PR for release-24.11:

@fidgetingbits
Copy link
Contributor Author

Thanks a lot for all your help working through this!

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
6.topic: nixos Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS 8.has: module (update) This PR changes an existing module in `nixos/` 10.rebuild-darwin: 0 This PR does not cause any packages to rebuild on Darwin 10.rebuild-linux: 1-10 backport release-24.11 Backport PR automatically
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants