1 files changed, 61 insertions, 0 deletions

diff --git a/libexec/nuageinit/tests/addsudo.lua b/libexec/nuageinit/tests/addsudo.lua
new file mode 100644
index 000000000000..7fc5865d83f4
--- /dev/null
+++ b/libexec/nuageinit/tests/addsudo.lua
@@ -0,0 +1,61 @@
+#!/usr/libexec/flua
+---
+-- SPDX-License-Identifier: BSD-2-Clause
+--
+-- Copyright (c) 2026 Baptiste Daroussin <bapt@FreeBSD.org>
+
+local n = require("nuage")
+
+local root = os.getenv("NUAGE_FAKE_ROOTDIR")
+if not root then
+	root = ""
+end
+
+local function get_localbase()
+	local f = io.popen("sysctl -in user.localbase 2> /dev/null")
+	local lb = f:read("*l")
+	f:close()
+	if lb == nil or lb:len() == 0 then
+		lb = "/usr/local"
+	end
+	return lb
+end
+
+local function read_sudoers()
+	local path = root .. get_localbase() .. "/etc/sudoers.d/90-nuageinit-users"
+	local f = io.open(path, "r")
+	if not f then
+		return nil
+	end
+	local content = f:read("*a")
+	f:close()
+	return content
+end
+
+-- test with a single string rule
+n.addsudo({ name = "testuser", sudo = "ALL=(ALL) NOPASSWD:ALL" })
+local content = read_sudoers()
+if not content then
+	n.err("sudoers file not created")
+end
+if content ~= "testuser ALL=(ALL) NOPASSWD:ALL\n" then
+	n.err("unexpected sudoers content for string rule: '" .. content .. "'")
+end
+
+-- remove file for next test
+os.remove(root .. get_localbase() .. "/etc/sudoers.d/90-nuageinit-users")
+
+-- test with a table of rules
+n.addsudo({
+	name = "testuser",
+	sudo = { "ALL=(ALL) NOPASSWD:/usr/sbin/pw", "ALL=(ALL) ALL" }
+})
+content = read_sudoers()
+if not content then
+	n.err("sudoers file not created for table")
+end
+if content ~= "testuser ALL=(ALL) NOPASSWD:/usr/sbin/pw\ntestuser ALL=(ALL) ALL\n" then
+	n.err("unexpected sudoers content for table: '" .. content .. "'")
+end
+
+os.exit(0)