···

       
613
       
 
       
  gokapi = runTest ./gokapi.nix;

     

       
614
       
 
       
  gollum = runTest ./gollum.nix;

     

       
615
       
 
       
  gonic = runTest ./gonic.nix;

     

       
616
       
-
       
  google-oslogin = handleTest ./google-oslogin { };

     

       
617
       
 
       
  gopro-tool = runTest ./gopro-tool.nix;

     

       
618
       
 
       
  goss = runTest ./goss.nix;

     

       
619
       
 
       
  gotenberg = runTest ./gotenberg.nix;

     

···

       
613
       
 
       
  gokapi = runTest ./gokapi.nix;

     

       
614
       
 
       
  gollum = runTest ./gollum.nix;

     

       
615
       
 
       
  gonic = runTest ./gonic.nix;

     

       
616
       
+
       
  google-oslogin = runTest ./google-oslogin;

     

       
617
       
 
       
  gopro-tool = runTest ./gopro-tool.nix;

     

       
618
       
 
       
  goss = runTest ./goss.nix;

     

       
619
       
 
       
  gotenberg = runTest ./gotenberg.nix;

     

···

       
1
       
-
       
import ../make-test-python.nix (

     

       
2
       
-
       
  { pkgs, ... }:

     

       
3
       
-
       
  let

     

       
4
       
-
       
    inherit (import ./../ssh-keys.nix pkgs)

     

       
5
       
-
       
      snakeOilPrivateKey

     

       
6
       
-
       
      snakeOilPublicKey

     

       
7
       
-
       
      ;

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
0
       
 
       

     

       
8
       
 
       


     

       
9
       
-
       
    # don't check host keys or known hosts, use the snakeoil ssh key

     

       
10
       
-
       
    ssh-config = builtins.toFile "ssh.conf" ''

     

       
11
       
-
       
      UserKnownHostsFile=/dev/null

     

       
12
       
-
       
      StrictHostKeyChecking=no

     

       
13
       
-
       
      IdentityFile=~/.ssh/id_snakeoil

     

       
14
       
-
       
    '';

     

       
15
       
-
       
  in

     

       
16
       
-
       
  {

     

       
17
       
-
       
    name = "google-oslogin";

     

       
18
       
-
       
    meta = with pkgs.lib.maintainers; {

     

       
19
       
-
       
      maintainers = [ ];

     

       
20
       
-
       
    };

     

       
21
       
 
       


     

       
22
       
-
       
    nodes = {

     

       
23
       
-
       
      # the server provides both the the mocked google metadata server and the ssh server

     

       
24
       
-
       
      server = (import ./server.nix pkgs);

     

       
25
       
 
       


     

       
26
       
-
       
      client = { ... }: { };

     

       
27
       
-
       
    };

     

       
28
       
-
       
    testScript = ''

     

       
29
       
-
       
      MOCKUSER = "mockuser_nixos_org"

     

       
30
       
-
       
      MOCKADMIN = "mockadmin_nixos_org"

     

       
31
       
-
       
      start_all()

     

       
32
       
 
       


     

       
33
       
-
       
      server.wait_for_unit("mock-google-metadata.service")

     

       
34
       
-
       
      server.wait_for_open_port(80)

     

       
35
       
 
       


     

       
36
       
-
       
      # mockserver should return a non-expired ssh key for both mockuser and mockadmin

     

       
37
       
-
       
      server.succeed(

     

       
38
       
-
       
          f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'

     

       
39
       
-
       
      )

     

       
40
       
-
       
      server.succeed(

     

       
41
       
-
       
          f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'

     

       
42
       
-
       
      )

     

       
43
       
 
       


     

       
44
       
-
       
      # install snakeoil ssh key on the client, and provision .ssh/config file

     

       
45
       
-
       
      client.succeed("mkdir -p ~/.ssh")

     

       
46
       
-
       
      client.succeed(

     

       
47
       
-
       
          "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"

     

       
48
       
-
       
      )

     

       
49
       
-
       
      client.succeed("chmod 600 ~/.ssh/id_snakeoil")

     

       
50
       
-
       
      client.succeed("cp ${ssh-config} ~/.ssh/config")

     

       
51
       
 
       


     

       
52
       
-
       
      client.wait_for_unit("network.target")

     

       
53
       
-
       
      server.wait_for_unit("sshd.service")

     

       
54
       
 
       


     

       
55
       
-
       
      # we should not be able to connect as non-existing user

     

       
56
       
-
       
      client.fail("ssh ghost@server 'true'")

     

       
57
       
 
       


     

       
58
       
-
       
      # we should be able to connect as mockuser

     

       
59
       
-
       
      client.succeed(f"ssh {MOCKUSER}@server 'true'")

     

       
60
       
-
       
      # but we shouldn't be able to sudo

     

       
61
       
-
       
      client.fail(

     

       
62
       
-
       
          f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"

     

       
63
       
-
       
      )

     

       
64
       
 
       


     

       
65
       
-
       
      # we should also be able to log in as mockadmin

     

       
66
       
-
       
      client.succeed(f"ssh {MOCKADMIN}@server 'true'")

     

       
67
       
-
       
      # pam_oslogin_admin.so should now have generated a sudoers file

     

       
68
       
-
       
      server.succeed(

     

       
69
       
-
       
          f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'"

     

       
70
       
-
       
      )

     

       
71
       
 
       


     

       
72
       
-
       
      # and we should be able to sudo

     

       
73
       
-
       
      client.succeed(

     

       
74
       
-
       
          f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"

     

       
75
       
-
       
      )

     

       
76
       
-
       
    '';

     

       
77
       
-
       
  }

     

       
78
       
-
       
)

     

···

       
1
       
+
       
{

     

       
2
       
+
       
  lib,

     

       
3
       
+
       
  pkgs,

     

       
4
       
+
       
  hostPkgs,

     

       
5
       
+
       
  ...

     

       
6
       
+
       
}:

     

       
7
       
+
       
let

     

       
8
       
+
       
  inherit (import ./../ssh-keys.nix hostPkgs)

     

       
9
       
+
       
    snakeOilPrivateKey

     

       
10
       
+
       
    snakeOilPublicKey

     

       
11
       
+
       
    ;

     

       
12
       
 
       


     

       
13
       
+
       
  # don't check host keys or known hosts, use the snakeoil ssh key

     

       
14
       
+
       
  ssh-config = builtins.toFile "ssh.conf" ''

     

       
15
       
+
       
    UserKnownHostsFile=/dev/null

     

       
16
       
+
       
    StrictHostKeyChecking=no

     

       
17
       
+
       
    IdentityFile=~/.ssh/id_snakeoil

     

       
18
       
+
       
  '';

     

       
19
       
+
       
in

     

       
20
       
+
       
{

     

       
21
       
+
       
  name = "google-oslogin";

     

       
22
       
+
       
  meta = with lib.maintainers; {

     

       
23
       
+
       
    maintainers = [ ];

     

       
24
       
+
       
  };

     

       
25
       
 
       


     

       
26
       
+
       
  nodes = {

     

       
27
       
+
       
    # the server provides both the the mocked google metadata server and the ssh server

     

       
28
       
+
       
    server = ./server.nix;

     

       
29
       
 
       


     

       
30
       
+
       
    client = { ... }: { };

     

       
31
       
+
       
  };

     

       
32
       
+
       
  testScript = ''

     

       
33
       
+
       
    MOCKUSER = "mockuser_nixos_org"

     

       
34
       
+
       
    MOCKADMIN = "mockadmin_nixos_org"

     

       
35
       
+
       
    start_all()

     

       
36
       
 
       


     

       
37
       
+
       
    server.wait_for_unit("mock-google-metadata.service")

     

       
38
       
+
       
    server.wait_for_open_port(80)

     

       
39
       
 
       


     

       
40
       
+
       
    # mockserver should return a non-expired ssh key for both mockuser and mockadmin

     

       
41
       
+
       
    server.succeed(

     

       
42
       
+
       
        f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'

     

       
43
       
+
       
    )

     

       
44
       
+
       
    server.succeed(

     

       
45
       
+
       
        f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'

     

       
46
       
+
       
    )

     

       
47
       
 
       


     

       
48
       
+
       
    # install snakeoil ssh key on the client, and provision .ssh/config file

     

       
49
       
+
       
    client.succeed("mkdir -p ~/.ssh")

     

       
50
       
+
       
    client.succeed(

     

       
51
       
+
       
        "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"

     

       
52
       
+
       
    )

     

       
53
       
+
       
    client.succeed("chmod 600 ~/.ssh/id_snakeoil")

     

       
54
       
+
       
    client.succeed("cp ${ssh-config} ~/.ssh/config")

     

       
55
       
 
       


     

       
56
       
+
       
    client.wait_for_unit("network.target")

     

       
57
       
+
       
    server.wait_for_unit("sshd.service")

     

       
58
       
 
       


     

       
59
       
+
       
    # we should not be able to connect as non-existing user

     

       
60
       
+
       
    client.fail("ssh ghost@server 'true'")

     

       
61
       
 
       


     

       
62
       
+
       
    # we should be able to connect as mockuser

     

       
63
       
+
       
    client.succeed(f"ssh {MOCKUSER}@server 'true'")

     

       
64
       
+
       
    # but we shouldn't be able to sudo

     

       
65
       
+
       
    client.fail(

     

       
66
       
+
       
        f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"

     

       
67
       
+
       
    )

     

       
68
       
 
       


     

       
69
       
+
       
    # we should also be able to log in as mockadmin

     

       
70
       
+
       
    client.succeed(f"ssh {MOCKADMIN}@server 'true'")

     

       
71
       
+
       
    # pam_oslogin_admin.so should now have generated a sudoers file

     

       
72
       
+
       
    server.succeed(

     

       
73
       
+
       
        f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'"

     

       
74
       
+
       
    )

     

       
75
       
 
       


     

       
76
       
+
       
    # and we should be able to sudo

     

       
77
       
+
       
    client.succeed(

     

       
78
       
+
       
        f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"

     

       
79
       
+
       
    )

     

       
80
       
+
       
  '';

     

       
81
       
+
       
}

     

       
0