nixos/oslogin: put mockuser and mockadmin in constants, rename

This allows us to change them easily without search/replacing.
Afterwards, we rename them to look a bit more like they are on GCP.

2 files changed, 19 insertions, 13 deletions

diff --git a/nixos/tests/google-oslogin/default.nix b/nixos/tests/google-oslogin/default.nix
index 1977e92e987..97783c81f39 100644
--- a/nixos/tests/google-oslogin/default.nix
+++ b/nixos/tests/google-oslogin/default.nix
@@ -22,6 +22,8 @@ in {
     client = { ... }: {};
   };
   testScript =  ''
+    MOCKUSER = "mockuser_nixos_org"
+    MOCKADMIN = "mockadmin_nixos_org"
     start_all()
 
     server.wait_for_unit("mock-google-metadata.service")
@@ -29,10 +31,10 @@ in {
 
     # mockserver should return a non-expired ssh key for both mockuser and mockadmin
     server.succeed(
-        '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"'
+        f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'
     )
     server.succeed(
-        '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"'
+        f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'
     )
 
     # install snakeoil ssh key on the client, and provision .ssh/config file
@@ -50,20 +52,22 @@ in {
     client.fail("ssh ghost@server 'true'")
 
     # we should be able to connect as mockuser
-    client.succeed("ssh mockuser@server 'true'")
+    client.succeed(f"ssh {MOCKUSER}@server 'true'")
     # but we shouldn't be able to sudo
     client.fail(
-        "ssh mockuser@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
+        f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
     )
 
     # we should also be able to log in as mockadmin
-    client.succeed("ssh mockadmin@server 'true'")
+    client.succeed(f"ssh {MOCKADMIN}@server 'true'")
     # pam_oslogin_admin.so should now have generated a sudoers file
-    server.succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'")
+    server.succeed(
+        f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'"
+    )
 
     # and we should be able to sudo
     client.succeed(
-        "ssh mockadmin@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
+        f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
     )
   '';
   })
diff --git a/nixos/tests/google-oslogin/server.py b/nixos/tests/google-oslogin/server.py
index eb0c77982d0..5ea9bbd2c96 100644
--- a/nixos/tests/google-oslogin/server.py
+++ b/nixos/tests/google-oslogin/server.py
@@ -11,6 +11,8 @@ from urllib.parse import urlparse, parse_qs
 from typing import Dict
 
 SNAKEOIL_PUBLIC_KEY = os.environ['SNAKEOIL_PUBLIC_KEY']
+MOCKUSER="mockuser_nixos_org"
+MOCKADMIN="mockadmin_nixos_org"
 
 
 def w(msg: bytes):
@@ -88,11 +90,11 @@ class ReqHandler(BaseHTTPRequestHandler):
         # users endpoint
         if pu.path == "/computeMetadata/v1/oslogin/users":
             # mockuser and mockadmin are allowed to login, both use the same snakeoil public key
-            if params.get('username') == ['mockuser'] or params.get('uid') == ["1009719690"]:
-                username = "mockuser"
+            if params.get('username') == [MOCKUSER] or params.get('uid') == ["1009719690"]:
+                username = MOCKUSER
                 uid = "1009719690"
-            elif params.get('username') == ['mockadmin'] or params.get('uid') == ["1009719691"]:
-                username = "mockadmin"
+            elif params.get('username') == [MOCKADMIN] or params.get('uid') == ["1009719691"]:
+                username = MOCKADMIN
                 uid = "1009719691"
             else:
                 self._send_404()
@@ -106,7 +108,7 @@ class ReqHandler(BaseHTTPRequestHandler):
             # is user allowed to login?
             if params.get("policy") == ["login"]:
                 # mockuser and mockadmin are allowed to login
-                if params.get('email') == [gen_email("mockuser")] or params.get('email') == [gen_email("mockadmin")]:
+                if params.get('email') == [gen_email(MOCKUSER)] or params.get('email') == [gen_email(MOCKADMIN)]:
                     self._send_json_success()
                     return
                 self._send_json_success(False)
@@ -114,7 +116,7 @@ class ReqHandler(BaseHTTPRequestHandler):
             # is user allowed to become root?
             elif params.get("policy") == ["adminLogin"]:
                 # only mockadmin is allowed to become admin
-                self._send_json_success((params['email'] == [gen_email("mockadmin")]))
+                self._send_json_success((params['email'] == [gen_email(MOCKADMIN)]))
                 return
             # send 404 for other policies
             else: