pyrox.dev / nixpkgs
lol
fork atom
nixpkgs / nixos / tests / google-oslogin / default.nix
at 23.11-beta 2.4 kB view raw
1import ../make-test-python.nix ({ pkgs, ... } : 2let 3 inherit (import ./../ssh-keys.nix pkgs) 4 snakeOilPrivateKey snakeOilPublicKey; 5 6 # don't check host keys or known hosts, use the snakeoil ssh key 7 ssh-config = builtins.toFile "ssh.conf" '' 8 UserKnownHostsFile=/dev/null 9 StrictHostKeyChecking=no 10 IdentityFile=~/.ssh/id_snakeoil 11 ''; 12in { 13 name = "google-oslogin"; 14 meta = with pkgs.lib.maintainers; { 15 maintainers = [ adisbladis flokli ]; 16 }; 17 18 nodes = { 19 # the server provides both the the mocked google metadata server and the ssh server 20 server = (import ./server.nix pkgs); 21 22 client = { ... }: {}; 23 }; 24 testScript = '' 25 MOCKUSER = "mockuser_nixos_org" 26 MOCKADMIN = "mockadmin_nixos_org" 27 start_all() 28 29 server.wait_for_unit("mock-google-metadata.service") 30 server.wait_for_open_port(80) 31 32 # mockserver should return a non-expired ssh key for both mockuser and mockadmin 33 server.succeed( 34 f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"' 35 ) 36 server.succeed( 37 f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"' 38 ) 39 40 # install snakeoil ssh key on the client, and provision .ssh/config file 41 client.succeed("mkdir -p ~/.ssh") 42 client.succeed( 43 "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil" 44 ) 45 client.succeed("chmod 600 ~/.ssh/id_snakeoil") 46 client.succeed("cp ${ssh-config} ~/.ssh/config") 47 48 client.wait_for_unit("network.target") 49 server.wait_for_unit("sshd.service") 50 51 # we should not be able to connect as non-existing user 52 client.fail("ssh ghost@server 'true'") 53 54 # we should be able to connect as mockuser 55 client.succeed(f"ssh {MOCKUSER}@server 'true'") 56 # but we shouldn't be able to sudo 57 client.fail( 58 f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" 59 ) 60 61 # we should also be able to log in as mockadmin 62 client.succeed(f"ssh {MOCKADMIN}@server 'true'") 63 # pam_oslogin_admin.so should now have generated a sudoers file 64 server.succeed( 65 f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'" 66 ) 67 68 # and we should be able to sudo 69 client.succeed( 70 f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" 71 ) 72 ''; 73 }) 74