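{
  lib,
  pkgs,
  hostPkgs,
  ...
}:
let
  # Throwaway "snakeoil" key pair shared by the NixOS test suite.  Its private
  # half is public knowledge, so it must never leave the isolated test network.
  inherit (import ./../ssh-keys.nix hostPkgs)
    snakeOilPrivateKey
    snakeOilPublicKey
    ;

  # Client-side ssh config.  Host-key verification is disabled on purpose: the
  # server VM generates a fresh host key on every run, so there is nothing to
  # pin.  This is only acceptable because the test network is isolated; do not
  # copy these options to a real deployment.  BatchMode makes ssh fail at once
  # instead of waiting on a password prompt, so a broken key lookup shows up as
  # a test failure rather than a hang.
  ssh-config = builtins.toFile "ssh.conf" ''
    UserKnownHostsFile=/dev/null
    StrictHostKeyChecking=no
    BatchMode=yes
    IdentityFile=~/.ssh/id_snakeoil
  '';
in
{
  name = "google-oslogin";
  meta = with lib.maintainers; {
    maintainers = [ ];
  };

  nodes = {
    # the server provides both the mocked google metadata server and the ssh server
    server = ./server.nix;

    # the client only needs an ssh binary; it runs no sshd of its own
    client = { ... }: { };
  };

  testScript = ''
    MOCKUSER = "mockuser_nixos_org"
    MOCKADMIN = "mockadmin_nixos_org"
    start_all()

    server.wait_for_unit("mock-google-metadata.service")
    server.wait_for_open_port(80)

    # The mock metadata server must hand out a non-expired key for both users.
    # grep -F: match the key as a literal string, not as a regular expression.
    server.succeed(
        f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -qF "${snakeOilPublicKey}"'
    )
    server.succeed(
        f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -qF "${snakeOilPublicKey}"'
    )

    # install snakeoil ssh key on the client, and provision .ssh/config file
    client.succeed("mkdir -p ~/.ssh")
    client.succeed(
        "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"
    )
    # ssh refuses to use a private key that is group- or world-readable
    client.succeed("chmod 600 ~/.ssh/id_snakeoil")
    client.succeed("cp ${ssh-config} ~/.ssh/config")

    client.wait_for_unit("network.target")
    server.wait_for_unit("sshd.service")
    # an active unit does not guarantee the daemon is already listening
    server.wait_for_open_port(22)

    # we should not be able to connect as non-existing user
    client.fail("ssh ghost@server 'true'")

    # we should be able to connect as mockuser
    client.succeed(f"ssh {MOCKUSER}@server 'true'")
    # but we shouldn't be able to sudo.  `sudo -n` never prompts, so a refusal
    # is a non-zero exit status rather than a wait for a password, and the
    # assertion is on sudo itself instead of on a trailing grep.
    client.fail(
        f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo -n /run/current-system/sw/bin/id'"
    )

    # we should also be able to log in as mockadmin
    client.succeed(f"ssh {MOCKADMIN}@server 'true'")
    # pam_oslogin_admin.so should now have generated a sudoers file for exactly
    # this user (exact path check, not a prefix match over the directory)
    server.succeed(f"test -f /run/google-sudoers.d/{MOCKADMIN}")

    # and we should be able to sudo
    client.succeed(
        f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo -n /run/current-system/sw/bin/id' | grep -q 'root'"
    )
  '';
}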