pyrox.dev / nixpkgs
lol
fork atom

nixos/tests: add google-oslogin test

Florian Klink 0f46188c 04f3562f

options
unified split
Changed files
+178
nixos
tests
all-tests.nix
google-oslogin
default.nix
server.nix
server.py
+1
nixos/tests/all-tests.nix 
···

       
81

       
81

       
 

       
  gitlab = handleTest ./gitlab.nix {};


     

       
82

       
82

       
 

       
  gitolite = handleTest ./gitolite.nix {};


     

       
83

       
83

       
 

       
  gjs = handleTest ./gjs.nix {};


     

       

       
84

       
+

       
  google-oslogin = handleTest ./google-oslogin {};


     

       
84

       
85

       
 

       
  gnome3 = handleTestOn ["x86_64-linux"] ./gnome3.nix {}; # libsmbios is unsupported on aarch64


     

       
85

       
86

       
 

       
  gnome3-gdm = handleTestOn ["x86_64-linux"] ./gnome3-gdm.nix {}; # libsmbios is unsupported on aarch64


     

       
86

       
87

       
 

       
  gocd-agent = handleTest ./gocd-agent.nix {};
+52
nixos/tests/google-oslogin/default.nix 
···

       

       
1

       
+

       
import ../make-test.nix ({ pkgs, ... } :


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  inherit (import ./../ssh-keys.nix pkgs)


     

       

       
4

       
+

       
    snakeOilPrivateKey snakeOilPublicKey;


     

       

       
5

       
+

       
in {


     

       

       
6

       
+

       
  name = "google-oslogin";


     

       

       
7

       
+

       
  meta = with pkgs.stdenv.lib.maintainers; {


     

       

       
8

       
+

       
    maintainers = [ adisbladis flokli ];


     

       

       
9

       
+

       
  };


     

       

       
10

       
+

       



     

       

       
11

       
+

       
  nodes = {


     

       

       
12

       
+

       
    # the server provides both the the mocked google metadata server and the ssh server


     

       

       
13

       
+

       
    server = (import ./server.nix pkgs);


     

       

       
14

       
+

       



     

       

       
15

       
+

       
    client = { ... }: {};


     

       

       
16

       
+

       
  };


     

       

       
17

       
+

       
  testScript =  ''


     

       

       
18

       
+

       
    startAll;


     

       

       
19

       
+

       



     

       

       
20

       
+

       
    $server->waitForUnit("mock-google-metadata.service");


     

       

       
21

       
+

       
    $server->waitForOpenPort(80);


     

       

       
22

       
+

       



     

       

       
23

       
+

       
    # mockserver should return a non-expired ssh key for both mockuser and mockadmin


     

       

       
24

       
+

       
    $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"');


     

       

       
25

       
+

       
    $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"');


     

       

       
26

       
+

       



     

       

       
27

       
+

       
    # install snakeoil ssh key on the client


     

       

       
28

       
+

       
    $client->succeed("mkdir -p ~/.ssh");


     

       

       
29

       
+

       
    $client->succeed("cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil");


     

       

       
30

       
+

       
    $client->succeed("chmod 600 ~/.ssh/id_snakeoil");


     

       

       
31

       
+

       



     

       

       
32

       
+

       
    $client->waitForUnit("network.target");


     

       

       
33

       
+

       
    $server->waitForUnit("sshd.service");


     

       

       
34

       
+

       



     

       

       
35

       
+

       
    # we should not be able to connect as non-existing user


     

       

       
36

       
+

       
    $client->fail("ssh -o User=ghost -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'");


     

       

       
37

       
+

       



     

       

       
38

       
+

       
    # we should be able to connect as mockuser


     

       

       
39

       
+

       
    $client->succeed("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'");


     

       

       
40

       
+

       
    # but we shouldn't be able to sudo


     

       

       
41

       
+

       
    $client->fail("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'");


     

       

       
42

       
+

       



     

       

       
43

       
+

       
    # we should also be able to log in as mockadmin


     

       

       
44

       
+

       
    $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'");


     

       

       
45

       
+

       
    # pam_oslogin_admin.so should now have generated a sudoers file


     

       

       
46

       
+

       
    $server->succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'");


     

       

       
47

       
+

       



     

       

       
48

       
+

       
    # and we should be able to sudo


     

       

       
49

       
+

       
    $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'");


     

       

       
50

       
+

       
  '';


     

       

       
51

       
+

       
  })


     

       

       
52

       
+
+29
nixos/tests/google-oslogin/server.nix 
···

       

       
1

       
+

       
{ pkgs, ... }:


     

       

       
2

       
+

       
let


     

       

       
3

       
+

       
  inherit (import ./../ssh-keys.nix pkgs)


     

       

       
4

       
+

       
    snakeOilPrivateKey snakeOilPublicKey;


     

       

       
5

       
+

       
in {


     

       

       
6

       
+

       
  networking.firewall.allowedTCPPorts = [ 80 ];


     

       

       
7

       
+

       



     

       

       
8

       
+

       
  systemd.services.mock-google-metadata = {


     

       

       
9

       
+

       
    description = "Mock Google metadata service";


     

       

       
10

       
+

       
    serviceConfig.Type = "simple";


     

       

       
11

       
+

       
    serviceConfig.ExecStart = "${pkgs.python3}/bin/python ${./server.py}";


     

       

       
12

       
+

       
    environment = {


     

       

       
13

       
+

       
      SNAKEOIL_PUBLIC_KEY = snakeOilPublicKey;


     

       

       
14

       
+

       
    };


     

       

       
15

       
+

       
    wantedBy = [ "multi-user.target" ];


     

       

       
16

       
+

       
    after = [ "network.target" ];


     

       

       
17

       
+

       
  };


     

       

       
18

       
+

       



     

       

       
19

       
+

       
  services.openssh.enable = true;


     

       

       
20

       
+

       
  services.openssh.challengeResponseAuthentication = false;


     

       

       
21

       
+

       
  services.openssh.passwordAuthentication = false;


     

       

       
22

       
+

       



     

       

       
23

       
+

       
  security.googleOsLogin.enable = true;


     

       

       
24

       
+

       



     

       

       
25

       
+

       
  # Mock google service


     

       

       
26

       
+

       
  networking.extraHosts = ''


     

       

       
27

       
+

       
    127.0.0.1 metadata.google.internal


     

       

       
28

       
+

       
  '';


     

       

       
29

       
+

       
}
+96
nixos/tests/google-oslogin/server.py 
···

       

       
1

       
+

       
#!/usr/bin/env python3


     

       

       
2

       
+

       
import json


     

       

       
3

       
+

       
import sys


     

       

       
4

       
+

       
import time


     

       

       
5

       
+

       
import os


     

       

       
6

       
+

       
import hashlib


     

       

       
7

       
+

       
import base64


     

       

       
8

       
+

       



     

       

       
9

       
+

       
from http.server import BaseHTTPRequestHandler, HTTPServer


     

       

       
10

       
+

       
from typing import Dict


     

       

       
11

       
+

       



     

       

       
12

       
+

       
SNAKEOIL_PUBLIC_KEY = os.environ['SNAKEOIL_PUBLIC_KEY']


     

       

       
13

       
+

       



     

       

       
14

       
+

       



     

       

       
15

       
+

       
def w(msg):


     

       

       
16

       
+

       
    sys.stderr.write(f"{msg}\n")


     

       

       
17

       
+

       
    sys.stderr.flush()


     

       

       
18

       
+

       



     

       

       
19

       
+

       



     

       

       
20

       
+

       
def gen_fingerprint(pubkey):


     

       

       
21

       
+

       
    decoded_key = base64.b64decode(pubkey.encode("ascii").split()[1])


     

       

       
22

       
+

       
    return hashlib.sha256(decoded_key).hexdigest()


     

       

       
23

       
+

       



     

       

       
24

       
+

       
def gen_email(username):


     

       

       
25

       
+

       
    """username seems to be a 21 characters long number string, so mimic that in a reproducible way"""


     

       

       
26

       
+

       
    return str(int(hashlib.sha256(username.encode()).hexdigest(), 16))[0:21]


     

       

       
27

       
+

       



     

       

       
28

       
+

       
def gen_mockuser(username: str, uid: str, gid: str, home_directory: str, snakeoil_pubkey: str) -> Dict:


     

       

       
29

       
+

       
    snakeoil_pubkey_fingerprint = gen_fingerprint(snakeoil_pubkey)


     

       

       
30

       
+

       
    # seems to be a 21 characters long numberstring, so mimic that in a reproducible way


     

       

       
31

       
+

       
    email = gen_email(username)


     

       

       
32

       
+

       
    return {


     

       

       
33

       
+

       
        "loginProfiles": [


     

       

       
34

       
+

       
            {


     

       

       
35

       
+

       
                "name": email,


     

       

       
36

       
+

       
                "posixAccounts": [


     

       

       
37

       
+

       
                    {


     

       

       
38

       
+

       
                        "primary": True,


     

       

       
39

       
+

       
                        "username": username,


     

       

       
40

       
+

       
                        "uid": uid,


     

       

       
41

       
+

       
                        "gid": gid,


     

       

       
42

       
+

       
                        "homeDirectory": home_directory,


     

       

       
43

       
+

       
                        "operatingSystemType": "LINUX"


     

       

       
44

       
+

       
                    }


     

       

       
45

       
+

       
                ],


     

       

       
46

       
+

       
                "sshPublicKeys": {


     

       

       
47

       
+

       
                    snakeoil_pubkey_fingerprint: {


     

       

       
48

       
+

       
                        "key": snakeoil_pubkey,


     

       

       
49

       
+

       
                        "expirationTimeUsec": str((time.time() + 600) * 1000000),  # 10 minutes in the future


     

       

       
50

       
+

       
                        "fingerprint": snakeoil_pubkey_fingerprint


     

       

       
51

       
+

       
                    }


     

       

       
52

       
+

       
                }


     

       

       
53

       
+

       
            }


     

       

       
54

       
+

       
        ]


     

       

       
55

       
+

       
    }


     

       

       
56

       
+

       



     

       

       
57

       
+

       



     

       

       
58

       
+

       
class ReqHandler(BaseHTTPRequestHandler):


     

       

       
59

       
+

       
    def _send_json_ok(self, data):


     

       

       
60

       
+

       
        self.send_response(200)


     

       

       
61

       
+

       
        self.send_header('Content-type', 'application/json')


     

       

       
62

       
+

       
        self.end_headers()


     

       

       
63

       
+

       
        out = json.dumps(data).encode()


     

       

       
64

       
+

       
        w(out)


     

       

       
65

       
+

       
        self.wfile.write(out)


     

       

       
66

       
+

       



     

       

       
67

       
+

       
    def do_GET(self):


     

       

       
68

       
+

       
        p = str(self.path)


     

       

       
69

       
+

       
        # mockuser and mockadmin are allowed to login, both use the same snakeoil public key


     

       

       
70

       
+

       
        if p == '/computeMetadata/v1/oslogin/users?username=mockuser' \


     

       

       
71

       
+

       
            or p == '/computeMetadata/v1/oslogin/users?uid=1009719690':


     

       

       
72

       
+

       
            self._send_json_ok(gen_mockuser(username='mockuser', uid='1009719690', gid='1009719690',


     

       

       
73

       
+

       
                                            home_directory='/home/mockuser', snakeoil_pubkey=SNAKEOIL_PUBLIC_KEY))


     

       

       
74

       
+

       
        elif p == '/computeMetadata/v1/oslogin/users?username=mockadmin' \


     

       

       
75

       
+

       
            or p == '/computeMetadata/v1/oslogin/users?uid=1009719691':


     

       

       
76

       
+

       
            self._send_json_ok(gen_mockuser(username='mockadmin', uid='1009719691', gid='1009719691',


     

       

       
77

       
+

       
                                            home_directory='/home/mockadmin', snakeoil_pubkey=SNAKEOIL_PUBLIC_KEY))


     

       

       
78

       
+

       



     

       

       
79

       
+

       
        # mockuser is allowed to login


     

       

       
80

       
+

       
        elif p == f"/computeMetadata/v1/oslogin/authorize?email={gen_email('mockuser')}&policy=login":


     

       

       
81

       
+

       
            self._send_json_ok({'success': True})


     

       

       
82

       
+

       



     

       

       
83

       
+

       
        # mockadmin may also become root


     

       

       
84

       
+

       
        elif p == f"/computeMetadata/v1/oslogin/authorize?email={gen_email('mockadmin')}&policy=login" or p == f"/computeMetadata/v1/oslogin/authorize?email={gen_email('mockadmin')}&policy=adminLogin":


     

       

       
85

       
+

       
            self._send_json_ok({'success': True})


     

       

       
86

       
+

       
        else:


     

       

       
87

       
+

       
            sys.stderr.write(f"Unhandled path: {p}\n")


     

       

       
88

       
+

       
            sys.stderr.flush()


     

       

       
89

       
+

       
            self.send_response(501)


     

       

       
90

       
+

       
            self.end_headers()


     

       

       
91

       
+

       
            self.wfile.write(b'')


     

       

       
92

       
+

       



     

       

       
93

       
+

       



     

       

       
94

       
+

       
if __name__ == '__main__':


     

       

       
95

       
+

       
    s = HTTPServer(('0.0.0.0', 80), ReqHandler)


     

       

       
96

       
+

       
    s.serve_forever()