From 865787ef3273566fe5b979638e3a0bbf08836595 Mon Sep 17 00:00:00 2001
From: aszlig <aszlig@redmoonstudios.org>
Date: Fri, 27 Jun 2014 08:34:59 +0200
Subject: [PATCH] nixos/tests/openssh: Test configured auth keys.

So far the test only uses an authorized key that is copied over to the
target machine instead of being set by the target's configuration.

Now, we cover both cases.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
---
 nixos/tests/openssh.nix | 48 +++++++++++++++++++++++++++++++++--------
 1 file changed, 39 insertions(+), 9 deletions(-)

diff --git a/nixos/tests/openssh.nix b/nixos/tests/openssh.nix
index 0b9714c275d..d4ce95e49f7 100644
--- a/nixos/tests/openssh.nix
+++ b/nixos/tests/openssh.nix
@@ -1,4 +1,21 @@
-import ./make-test.nix ({ pkgs, ... }: {
+import ./make-test.nix ({ pkgs, ... }:
+
+let
+  snakeOilPrivateKey = pkgs.writeText "privkey.snakeoil" ''
+    -----BEGIN EC PRIVATE KEY-----
+    MHcCAQEEIHQf/khLvYrQ8IOika5yqtWvI0oquHlpRLTZiJy5dRJmoAoGCCqGSM49
+    AwEHoUQDQgAEKF0DYGbBwbj06tA3fd/+yP44cvmwmHBWXZCKbS+RQlAKvLXMWkpN
+    r1lwMyJZoSGgBHoUahoYjTh9/sJL7XLJtA==
+    -----END EC PRIVATE KEY-----
+  '';
+
+  snakeOilPublicKey = pkgs.lib.concatStrings [
+    "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHA"
+    "yNTYAAABBBChdA2BmwcG49OrQN33f/sj+OHL5sJhwVl2Qim0vkUJQCry1zFpKTa"
+    "9ZcDMiWaEhoAR6FGoaGI04ff7CS+1yybQ= sakeoil"
+  ];
+
+in {
 
   nodes = {
 
@@ -9,6 +26,9 @@ import ./make-test.nix ({ pkgs, ... }: {
         services.openssh.enable = true;
         security.pam.services.sshd.limits =
           [ { domain = "*"; item = "memlock"; type = "-"; value = 1024; } ];
+        users.extraUsers.root.openssh.authorizedKeys.keys = [
+          snakeOilPublicKey
+        ];
       };
 
     client =
@@ -23,15 +43,25 @@ import ./make-test.nix ({ pkgs, ... }: {
 
     $server->waitForUnit("sshd");
 
-    $server->succeed("mkdir -m 700 /root/.ssh");
-    $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
+    subtest "manual-authkey", sub {
+      $server->succeed("mkdir -m 700 /root/.ssh");
+      $server->copyFileFromHost("key.pub", "/root/.ssh/authorized_keys");
 
-    $client->succeed("mkdir -m 700 /root/.ssh");
-    $client->copyFileFromHost("key", "/root/.ssh/id_dsa");
-    $client->succeed("chmod 600 /root/.ssh/id_dsa");
+      $client->succeed("mkdir -m 700 /root/.ssh");
+      $client->copyFileFromHost("key", "/root/.ssh/id_dsa");
+      $client->succeed("chmod 600 /root/.ssh/id_dsa");
 
-    $client->waitForUnit("network.target");
-    $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
-    $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
+      $client->waitForUnit("network.target");
+      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'echo hello world' >&2");
+      $client->succeed("ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server 'ulimit -l' | grep 1024");
+    };
+
+    subtest "configured-authkey", sub {
+      $client->succeed("cat ${snakeOilPrivateKey} > privkey.snakeoil");
+      $client->succeed("chmod 600 privkey.snakeoil");
+      $client->succeed("ssh -o UserKnownHostsFile=/dev/null" .
+                       " -o StrictHostKeyChecking=no -i privkey.snakeoil" .
+                       " server true");
+    };
   '';
 })