commit 21da5c4f6f8a63475545751aee53552ee9bc72eb · pyrox.dev/nixpkgs

+11 -7

nixos/tests/google-oslogin/default.nix

···

       22
       22
        
           client = { ... }: {};

     

       23
       23
        
         };

     

       24
       24
        
         testScript =  ''

     

       25
       25
       +
           MOCKUSER = "mockuser_nixos_org"

     

       26
       26
       +
           MOCKADMIN = "mockadmin_nixos_org"

     

       25
       27
        
           start_all()

     

       26
       28
        
       

     

       27
       29
        
           server.wait_for_unit("mock-google-metadata.service")

     
···

       29
       31
        
       

     

       30
       32
        
           # mockserver should return a non-expired ssh key for both mockuser and mockadmin

     

       31
       33
        
           server.succeed(

     

       32
       32
       -
               '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"'

     

       34
       34
       +
               f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'

     

       33
       35
        
           )

     

       34
       36
        
           server.succeed(

     

       35
       35
       -
               '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"'

     

       37
       37
       +
               f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'

     

       36
       38
        
           )

     

       37
       39
        
       

     

       38
       40
        
           # install snakeoil ssh key on the client, and provision .ssh/config file

     
···

       50
       52
        
           client.fail("ssh ghost@server 'true'")

     

       51
       53
        
       

     

       52
       54
        
           # we should be able to connect as mockuser

     

       53
       53
       -
           client.succeed("ssh mockuser@server 'true'")

     

       55
       55
       +
           client.succeed(f"ssh {MOCKUSER}@server 'true'")

     

       54
       56
        
           # but we shouldn't be able to sudo

     

       55
       57
        
           client.fail(

     

       56
       56
       -
               "ssh mockuser@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"

     

       58
       58
       +
               f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"

     

       57
       59
        
           )

     

       58
       60
        
       

     

       59
       61
        
           # we should also be able to log in as mockadmin

     

       60
       60
       -
           client.succeed("ssh mockadmin@server 'true'")

     

       62
       62
       +
           client.succeed(f"ssh {MOCKADMIN}@server 'true'")

     

       61
       63
        
           # pam_oslogin_admin.so should now have generated a sudoers file

     

       62
       62
       -
           server.succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'")

     

       64
       64
       +
           server.succeed(

     

       65
       65
       +
               f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'"

     

       66
       66
       +
           )

     

       63
       67
        
       

     

       64
       68
        
           # and we should be able to sudo

     

       65
       69
        
           client.succeed(

     

       66
       66
       -
               "ssh mockadmin@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"

     

       70
       70
       +
               f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"

     

       67
       71
        
           )

     

       68
       72
        
         '';

     

       69
       73
        
         })

+8 -6

nixos/tests/google-oslogin/server.py

···

       11
       11
        
       from typing import Dict

     

       12
       12
        
       

     

       13
       13
        
       SNAKEOIL_PUBLIC_KEY = os.environ['SNAKEOIL_PUBLIC_KEY']

     

       14
       14
       +
       MOCKUSER="mockuser_nixos_org"

     

       15
       15
       +
       MOCKADMIN="mockadmin_nixos_org"

     

       14
       16
        
       

     

       15
       17
        
       

     

       16
       18
        
       def w(msg: bytes):

     
···

       88
       90
        
               # users endpoint

     

       89
       91
        
               if pu.path == "/computeMetadata/v1/oslogin/users":

     

       90
       92
        
                   # mockuser and mockadmin are allowed to login, both use the same snakeoil public key

     

       91
       91
       -
                   if params.get('username') == ['mockuser'] or params.get('uid') == ["1009719690"]:

     

       92
       92
       -
                       username = "mockuser"

     

       93
       93
       +
                   if params.get('username') == [MOCKUSER] or params.get('uid') == ["1009719690"]:

     

       94
       94
       +
                       username = MOCKUSER

     

       93
       95
        
                       uid = "1009719690"

     

       94
       94
       -
                   elif params.get('username') == ['mockadmin'] or params.get('uid') == ["1009719691"]:

     

       95
       95
       -
                       username = "mockadmin"

     

       96
       96
       +
                   elif params.get('username') == [MOCKADMIN] or params.get('uid') == ["1009719691"]:

     

       97
       97
       +
                       username = MOCKADMIN

     

       96
       98
        
                       uid = "1009719691"

     

       97
       99
        
                   else:

     

       98
       100
        
                       self._send_404()

     
···

       106
       108
        
                   # is user allowed to login?

     

       107
       109
        
                   if params.get("policy") == ["login"]:

     

       108
       110
        
                       # mockuser and mockadmin are allowed to login

     

       109
       109
       -
                       if params.get('email') == [gen_email("mockuser")] or params.get('email') == [gen_email("mockadmin")]:

     

       111
       111
       +
                       if params.get('email') == [gen_email(MOCKUSER)] or params.get('email') == [gen_email(MOCKADMIN)]:

     

       110
       112
        
                           self._send_json_success()

     

       111
       113
        
                           return

     

       112
       114
        
                       self._send_json_success(False)

     
···

       114
       116
        
                   # is user allowed to become root?

     

       115
       117
        
                   elif params.get("policy") == ["adminLogin"]:

     

       116
       118
        
                       # only mockadmin is allowed to become admin

     

       117
       117
       -
                       self._send_json_success((params['email'] == [gen_email("mockadmin")]))

     

       119
       119
       +
                       self._send_json_success((params['email'] == [gen_email(MOCKADMIN)]))

     

       118
       120
        
                       return

     

       119
       121
        
                   # send 404 for other policies

     

       120
       122
        
                   else: