diff options
| author | Florian Klink <flokli@flokli.de> | 2018-12-12 13:59:08 +0100 |
|---|---|---|
| committer | Florian Klink <flokli@flokli.de> | 2018-12-21 17:52:37 +0100 |
| commit | 0f46188ca10c2112e4af826233d203165ead17f4 (patch) | |
| tree | 059c559a728c2fd5722150d30a1a2b7b3e3c0527 /nixos/tests/google-oslogin/default.nix | |
| parent | 04f3562fc46aee7bcc963156eff56f37c6fe2b14 (diff) | |
| download | nixpkgs-0f46188ca10c2112e4af826233d203165ead17f4.tar nixpkgs-0f46188ca10c2112e4af826233d203165ead17f4.tar.gz nixpkgs-0f46188ca10c2112e4af826233d203165ead17f4.tar.bz2 nixpkgs-0f46188ca10c2112e4af826233d203165ead17f4.tar.lz nixpkgs-0f46188ca10c2112e4af826233d203165ead17f4.tar.xz nixpkgs-0f46188ca10c2112e4af826233d203165ead17f4.tar.zst nixpkgs-0f46188ca10c2112e4af826233d203165ead17f4.zip | |
nixos/tests: add google-oslogin test
Diffstat (limited to 'nixos/tests/google-oslogin/default.nix')
| -rw-r--r-- | nixos/tests/google-oslogin/default.nix | 52 |
1 files changed, 52 insertions, 0 deletions
diff --git a/nixos/tests/google-oslogin/default.nix b/nixos/tests/google-oslogin/default.nix new file mode 100644 index 00000000000..3b84bba3f98 --- /dev/null +++ b/nixos/tests/google-oslogin/default.nix @@ -0,0 +1,52 @@ +import ../make-test.nix ({ pkgs, ... } : +let + inherit (import ./../ssh-keys.nix pkgs) + snakeOilPrivateKey snakeOilPublicKey; +in { + name = "google-oslogin"; + meta = with pkgs.stdenv.lib.maintainers; { + maintainers = [ adisbladis flokli ]; + }; + + nodes = { + # the server provides both the the mocked google metadata server and the ssh server + server = (import ./server.nix pkgs); + + client = { ... }: {}; + }; + testScript = '' + startAll; + + $server->waitForUnit("mock-google-metadata.service"); + $server->waitForOpenPort(80); + + # mockserver should return a non-expired ssh key for both mockuser and mockadmin + $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"'); + $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"'); + + # install snakeoil ssh key on the client + $client->succeed("mkdir -p ~/.ssh"); + $client->succeed("cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"); + $client->succeed("chmod 600 ~/.ssh/id_snakeoil"); + + $client->waitForUnit("network.target"); + $server->waitForUnit("sshd.service"); + + # we should not be able to connect as non-existing user + $client->fail("ssh -o User=ghost -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'"); + + # we should be able to connect as mockuser + $client->succeed("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'"); + # but we shouldn't be able to sudo + $client->fail("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"); + + # we should also be able to log in as mockadmin + $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'"); + # pam_oslogin_admin.so should now have generated a sudoers file + $server->succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'"); + + # and we should be able to sudo + $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"); + ''; + }) + |