1 import ../make-test-python.nix ({ pkgs, ... } :
3 inherit (import ./../ssh-keys.nix pkgs)
4 snakeOilPrivateKey snakeOilPublicKey;
6 # don't check host keys or known hosts, use the snakeoil ssh key
7 ssh-config = builtins.toFile "ssh.conf" ''
8 UserKnownHostsFile=/dev/null
9 StrictHostKeyChecking=no
10 IdentityFile=~/.ssh/id_snakeoil
13 name = "google-oslogin";
14 meta = with pkgs.lib.maintainers; {
15 maintainers = [ flokli ];
19 # the server provides both the the mocked google metadata server and the ssh server
20 server = (import ./server.nix pkgs);
25 MOCKUSER = "mockuser_nixos_org"
26 MOCKADMIN = "mockadmin_nixos_org"
29 server.wait_for_unit("mock-google-metadata.service")
30 server.wait_for_open_port(80)
32 # mockserver should return a non-expired ssh key for both mockuser and mockadmin
34 f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'
37 f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'
40 # install snakeoil ssh key on the client, and provision .ssh/config file
41 client.succeed("mkdir -p ~/.ssh")
43 "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"
45 client.succeed("chmod 600 ~/.ssh/id_snakeoil")
46 client.succeed("cp ${ssh-config} ~/.ssh/config")
48 client.wait_for_unit("network.target")
49 server.wait_for_unit("sshd.service")
51 # we should not be able to connect as non-existing user
52 client.fail("ssh ghost@server 'true'")
54 # we should be able to connect as mockuser
55 client.succeed(f"ssh {MOCKUSER}@server 'true'")
56 # but we shouldn't be able to sudo
58 f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
61 # we should also be able to log in as mockadmin
62 client.succeed(f"ssh {MOCKADMIN}@server 'true'")
63 # pam_oslogin_admin.so should now have generated a sudoers file
65 f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'"
68 # and we should be able to sudo
70 f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"