From 21da5c4f6f8a63475545751aee53552ee9bc72eb Mon Sep 17 00:00:00 2001 From: Florian Klink Date: Wed, 1 Apr 2020 16:21:38 +0200 Subject: [PATCH] nixos/oslogin: put mockuser and mockadmin in constants, rename This allows us to change them easily without search/replacing. Afterwards, we rename them to look a bit more like they are on GCP. --- nixos/tests/google-oslogin/default.nix | 18 +++++++++++------- nixos/tests/google-oslogin/server.py | 14 ++++++++------ 2 files changed, 19 insertions(+), 13 deletions(-) diff --git a/nixos/tests/google-oslogin/default.nix b/nixos/tests/google-oslogin/default.nix index 1977e92e9877..97783c81f397 100644 --- a/nixos/tests/google-oslogin/default.nix +++ b/nixos/tests/google-oslogin/default.nix @@ -22,6 +22,8 @@ in { client = { ... }: {}; }; testScript = '' + MOCKUSER = "mockuser_nixos_org" + MOCKADMIN = "mockadmin_nixos_org" start_all() server.wait_for_unit("mock-google-metadata.service") @@ -29,10 +31,10 @@ in { # mockserver should return a non-expired ssh key for both mockuser and mockadmin server.succeed( - '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"' + f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"' ) server.succeed( - '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"' + f'${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"' ) # install snakeoil ssh key on the client, and provision .ssh/config file @@ -50,20 +52,22 @@ in { client.fail("ssh ghost@server 'true'") # we should be able to connect as mockuser - client.succeed("ssh mockuser@server 'true'") + client.succeed(f"ssh {MOCKUSER}@server 'true'") # but we shouldn't be able to sudo client.fail( - "ssh mockuser@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" + f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" ) # we should also be able to log in as mockadmin - client.succeed("ssh mockadmin@server 'true'") + client.succeed(f"ssh {MOCKADMIN}@server 'true'") # pam_oslogin_admin.so should now have generated a sudoers file - server.succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'") + server.succeed( + f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'" + ) # and we should be able to sudo client.succeed( - "ssh mockadmin@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" + f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'" ) ''; }) diff --git a/nixos/tests/google-oslogin/server.py b/nixos/tests/google-oslogin/server.py index eb0c77982d01..5ea9bbd2c96b 100644 --- a/nixos/tests/google-oslogin/server.py +++ b/nixos/tests/google-oslogin/server.py @@ -11,6 +11,8 @@ from urllib.parse import urlparse, parse_qs from typing import Dict SNAKEOIL_PUBLIC_KEY = os.environ['SNAKEOIL_PUBLIC_KEY'] +MOCKUSER="mockuser_nixos_org" +MOCKADMIN="mockadmin_nixos_org" def w(msg: bytes): @@ -88,11 +90,11 @@ class ReqHandler(BaseHTTPRequestHandler): # users endpoint if pu.path == "/computeMetadata/v1/oslogin/users": # mockuser and mockadmin are allowed to login, both use the same snakeoil public key - if params.get('username') == ['mockuser'] or params.get('uid') == ["1009719690"]: - username = "mockuser" + if params.get('username') == [MOCKUSER] or params.get('uid') == ["1009719690"]: + username = MOCKUSER uid = "1009719690" - elif params.get('username') == ['mockadmin'] or params.get('uid') == ["1009719691"]: - username = "mockadmin" + elif params.get('username') == [MOCKADMIN] or params.get('uid') == ["1009719691"]: + username = MOCKADMIN uid = "1009719691" else: self._send_404() @@ -106,7 +108,7 @@ class ReqHandler(BaseHTTPRequestHandler): # is user allowed to login? if params.get("policy") == ["login"]: # mockuser and mockadmin are allowed to login - if params.get('email') == [gen_email("mockuser")] or params.get('email') == [gen_email("mockadmin")]: + if params.get('email') == [gen_email(MOCKUSER)] or params.get('email') == [gen_email(MOCKADMIN)]: self._send_json_success() return self._send_json_success(False) @@ -114,7 +116,7 @@ class ReqHandler(BaseHTTPRequestHandler): # is user allowed to become root? elif params.get("policy") == ["adminLogin"]: # only mockadmin is allowed to become admin - self._send_json_success((params['email'] == [gen_email("mockadmin")])) + self._send_json_success((params['email'] == [gen_email(MOCKADMIN)])) return # send 404 for other policies else: