nixos/tests/google-oslogin/default.nix at 25.11-pre · pyrox.dev/nixpkgs

pyrox.dev / nixpkgs
lol
nixpkgs / nixos / tests / google-oslogin / default.nix
at 25.11-pre 2.5 kB view raw
 1import ../make-test-python.nix (
 2  { pkgs, ... }:
 3  let
 4    inherit (import ./../ssh-keys.nix pkgs)
 5      snakeOilPrivateKey
 6      snakeOilPublicKey
 7      ;
 8
 9    # don't check host keys or known hosts, use the snakeoil ssh key
10    ssh-config = builtins.toFile "ssh.conf" ''
11      UserKnownHostsFile=/dev/null
12      StrictHostKeyChecking=no
13      IdentityFile=~/.ssh/id_snakeoil
14    '';
15  in
16  {
17    name = "google-oslogin";
18    meta = with pkgs.lib.maintainers; {
19      maintainers = [ ];
20    };
21
22    nodes = {
23      # the server provides both the the mocked google metadata server and the ssh server
24      server = (import ./server.nix pkgs);
25
26      client = { ... }: { };
27    };
28    testScript = ''
29      MOCKUSER = "mockuser_nixos_org"
30      MOCKADMIN = "mockadmin_nixos_org"
31      start_all()
32
33      server.wait_for_unit("mock-google-metadata.service")
34      server.wait_for_open_port(80)
35
36      # mockserver should return a non-expired ssh key for both mockuser and mockadmin
37      server.succeed(
38          f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'
39      )
40      server.succeed(
41          f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'
42      )
43
44      # install snakeoil ssh key on the client, and provision .ssh/config file
45      client.succeed("mkdir -p ~/.ssh")
46      client.succeed(
47          "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"
48      )
49      client.succeed("chmod 600 ~/.ssh/id_snakeoil")
50      client.succeed("cp ${ssh-config} ~/.ssh/config")
51
52      client.wait_for_unit("network.target")
53      server.wait_for_unit("sshd.service")
54
55      # we should not be able to connect as non-existing user
56      client.fail("ssh ghost@server 'true'")
57
58      # we should be able to connect as mockuser
59      client.succeed(f"ssh {MOCKUSER}@server 'true'")
60      # but we shouldn't be able to sudo
61      client.fail(
62          f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
63      )
64
65      # we should also be able to log in as mockadmin
66      client.succeed(f"ssh {MOCKADMIN}@server 'true'")
67      # pam_oslogin_admin.so should now have generated a sudoers file
68      server.succeed(
69          f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'"
70      )
71
72      # and we should be able to sudo
73      client.succeed(
74          f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
75      )
76    '';
77  }
78)