Unverified Commit 7cb22a0a authored by Maximilian Bosch's avatar Maximilian Bosch

nixos/users-groups: dump values of password options if multiple options have definitions

This was suggested since it might make it a little easier to identify
the places where the definitions come from.

Retrieving the effective definitions from the module-system seems
non-trivial, especially for submodules though, hence only the values are
shown for now.

I'd argue that the `password` option in particular is mostly a convenience
thing for test setups. If the password is an actual secret, it should be
treated as such, i.e. `hashedPasswordFile` should be used.

For the `shadow` VM test, the new section of the warning looks like
this:

    The values of these options are:
    * users.users."leo".hashedPassword: "$6$ymzs8WINZ5wGwQcV$VC2S0cQiX8NVukOLymysTPn4v1zJoJp3NGyhnqyv/dAf4NWZsBWYveQcj6gEJr4ZUjRBRjM0Pj1L8TCQ8hUUp0"
    * users.users."leo".hashedPasswordFile: null
    * users.users."leo".password: null
    * users.users."leo".initialHashedPassword: "!"
    * users.users."leo".initialPassword: null
parent 1b42d286
+18 −7
@@ -6,6 +6,7 @@ let
    attrNames
    attrValues
    concatMap
    concatMapStringsSep
    concatStrings
    elem
    filter
@@ -13,6 +14,7 @@ let
    flatten
    flip
    foldr
    generators
    getAttr
    hasAttr
    id
@@ -944,16 +946,18 @@ in {

    warnings =
      flip concatMap (attrValues cfg.users) (user: let
        unambiguousPasswordConfiguration = 1 >= length (filter (x: x != null) ([
          user.hashedPassword
          user.hashedPasswordFile
          user.password
        passwordOptions = [
          "hashedPassword"
          "hashedPasswordFile"
          "password"
        ] ++ optionals cfg.mutableUsers [
          # For immutable users, initialHashedPassword is set to hashedPassword,
          # so using these options would always trigger the assertion.
          user.initialHashedPassword
          user.initialPassword
        ]));
          "initialHashedPassword"
          "initialPassword"
        ];
        unambiguousPasswordConfiguration = 1 >= length
          (filter (x: x != null) (map (flip getAttr user) passwordOptions));
      in optional (!unambiguousPasswordConfiguration) ''
        The user '${user.name}' has multiple of the options
        `hashedPassword`, `password`, `hashedPasswordFile`, `initialPassword`
@@ -961,6 +965,13 @@ in {
        The options silently discard others by the order of precedence
        given above which can lead to surprising results. To resolve this warning,
        set at most one of the options above to a non-`null` value.

        The values of these options are:
        ${concatMapStringsSep
          "\n"
          (value:
            "* users.users.\"${user.name}\".${value}: ${generators.toPretty {} user.${value}}")
          passwordOptions}
      '')
      ++ filter (x: x != null) (
        flip mapAttrsToList cfg.users (_: user:
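Review bot: The added line `"* users.users.\"${user.name}\".${value}: ${generators.toPretty {} user.${value}}"` prints the raw value of every entry in `passwordOptions`, which includes the cleartext `password` and `initialPassword` as well as complete password hashes. Evaluation warnings go to the terminal and are commonly captured in CI and deployment logs, which may be readable by more people than the configuration itself, so a misconfigured host would copy a credential into those logs. Consider redacting the cleartext options while still showing which ones are set, e.g. `${if user.${value} == null then "null" else if elem value [ "password" "initialPassword" ] then "<redacted>" else generators.toPretty {} user.${value}}`. The lambda argument `value` actually holds an option name, so `opt` would read better. The `warnings` definition continues past the end of this hunk.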