public/nixpkgs
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

nixos/oslogin: put mockuser and mockadmin in constants, rename

Browse Source 
This allows us to change them easily without search/replacing.
Afterwards, we rename them to look a bit more like they are on GCP.
This commit is contained in:
Florian Klink 2020-04-01 16:21:38 +02:00
parent f38e45c2e0
commit 21da5c4f6f
2 changed files with 19 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

18
nixos/tests/google-oslogin/default.nix
View File

@ -22,6 +22,8 @@ in {
client = { ... }: {}; client = { ... }: {};
}; };
testScript = '' testScript = ''
MOCKUSER = "mockuser_nixos_org"
MOCKADMIN = "mockadmin_nixos_org"
start_all() start_all()
server.wait_for_unit("mock-google-metadata.service") server.wait_for_unit("mock-google-metadata.service")
@ -29,10 +31,10 @@ in {
# mockserver should return a non-expired ssh key for both mockuser and mockadmin # mockserver should return a non-expired ssh key for both mockuser and mockadmin
server.succeed( server.succeed(
'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"' f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'
) )
server.succeed( server.succeed(
'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"' f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'
) )
# install snakeoil ssh key on the client, and provision .ssh/config file # install snakeoil ssh key on the client, and provision .ssh/config file
@ -50,20 +52,22 @@ in {
client.fail("ssh ghost@server 'true'") client.fail("ssh ghost@server 'true'")
# we should be able to connect as mockuser # we should be able to connect as mockuser
client.succeed("ssh mockuser@server 'true'") client.succeed(f"ssh {MOCKUSER}@server 'true'")
# but we shouldn't be able to sudo # but we shouldn't be able to sudo
client.fail( client.fail(
"ssh mockuser@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
) )
# we should also be able to log in as mockadmin # we should also be able to log in as mockadmin
client.succeed("ssh mockadmin@server 'true'") client.succeed(f"ssh {MOCKADMIN}@server 'true'")
# pam_oslogin_admin.so should now have generated a sudoers file # pam_oslogin_admin.so should now have generated a sudoers file
server.succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'") server.succeed(
f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'"
)
# and we should be able to sudo # and we should be able to sudo
client.succeed( client.succeed(
"ssh mockadmin@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
) )
''; '';
}) })

14
nixos/tests/google-oslogin/server.py
View File

@ -11,6 +11,8 @@ from urllib.parse import urlparse, parse_qs
from typing import Dict from typing import Dict
SNAKEOIL_PUBLIC_KEY = os.environ['SNAKEOIL_PUBLIC_KEY'] SNAKEOIL_PUBLIC_KEY = os.environ['SNAKEOIL_PUBLIC_KEY']
MOCKUSER="mockuser_nixos_org"
MOCKADMIN="mockadmin_nixos_org"
def w(msg: bytes): def w(msg: bytes):
@ -88,11 +90,11 @@ class ReqHandler(BaseHTTPRequestHandler):
# users endpoint # users endpoint
if pu.path == "/computeMetadata/v1/oslogin/users": if pu.path == "/computeMetadata/v1/oslogin/users":
# mockuser and mockadmin are allowed to login, both use the same snakeoil public key # mockuser and mockadmin are allowed to login, both use the same snakeoil public key
if params.get('username') == ['mockuser'] or params.get('uid') == ["1009719690"]: if params.get('username') == [MOCKUSER] or params.get('uid') == ["1009719690"]:
username = "mockuser" username = MOCKUSER
uid = "1009719690" uid = "1009719690"
elif params.get('username') == ['mockadmin'] or params.get('uid') == ["1009719691"]: elif params.get('username') == [MOCKADMIN] or params.get('uid') == ["1009719691"]:
username = "mockadmin" username = MOCKADMIN
uid = "1009719691" uid = "1009719691"
else: else:
self._send_404() self._send_404()
@ -106,7 +108,7 @@ class ReqHandler(BaseHTTPRequestHandler):
# is user allowed to login? # is user allowed to login?
if params.get("policy") == ["login"]: if params.get("policy") == ["login"]:
# mockuser and mockadmin are allowed to login # mockuser and mockadmin are allowed to login
if params.get('email') == [gen_email("mockuser")] or params.get('email') == [gen_email("mockadmin")]: if params.get('email') == [gen_email(MOCKUSER)] or params.get('email') == [gen_email(MOCKADMIN)]:
self._send_json_success() self._send_json_success()
return return
self._send_json_success(False) self._send_json_success(False)
@ -114,7 +116,7 @@ class ReqHandler(BaseHTTPRequestHandler):
# is user allowed to become root? # is user allowed to become root?
elif params.get("policy") == ["adminLogin"]: elif params.get("policy") == ["adminLogin"]:
# only mockadmin is allowed to become admin # only mockadmin is allowed to become admin
self._send_json_success((params['email'] == [gen_email("mockadmin")])) self._send_json_success((params['email'] == [gen_email(MOCKADMIN)]))
return return
# send 404 for other policies # send 404 for other policies
else: else: