nixosTests.google-oslogin: handleTest -> runTest

2025-07-09 00:16:41 +08:00
parent 7b09056b8f
commit cdab66d5b8
2 changed files with 71 additions and 68 deletions
--- a/nixos/tests/all-tests.nix
+++ b/nixos/tests/all-tests.nix
@@ -613,7 +613,7 @@ in
  gokapi = runTest ./gokapi.nix;
  gollum = runTest ./gollum.nix;
  gonic = runTest ./gonic.nix;
-  google-oslogin = handleTest ./google-oslogin { };
+  google-oslogin = runTest ./google-oslogin;
  gopro-tool = runTest ./gopro-tool.nix;
  goss = runTest ./goss.nix;
  gotenberg = runTest ./gotenberg.nix;
--- a/nixos/tests/google-oslogin/default.nix
+++ b/nixos/tests/google-oslogin/default.nix
@@ -1,78 +1,81 @@
-import ../make-test-python.nix (
+{
-  { pkgs, ... }:
+  lib,
-  let
+  pkgs,
-    inherit (import ./../ssh-keys.nix pkgs)
+  hostPkgs,
-      snakeOilPrivateKey
+  ...
-      snakeOilPublicKey
+}:
-      ;
+let
  inherit (import ./../ssh-keys.nix hostPkgs)
    snakeOilPrivateKey
    snakeOilPublicKey
    ;
-    # don't check host keys or known hosts, use the snakeoil ssh key
+  # don't check host keys or known hosts, use the snakeoil ssh key
-    ssh-config = builtins.toFile "ssh.conf" ''
+  ssh-config = builtins.toFile "ssh.conf" ''
-      UserKnownHostsFile=/dev/null
+    UserKnownHostsFile=/dev/null
-      StrictHostKeyChecking=no
+    StrictHostKeyChecking=no
-      IdentityFile=~/.ssh/id_snakeoil
+    IdentityFile=~/.ssh/id_snakeoil
-    '';
+  '';
-  in
+in
-  {
+{
-    name = "google-oslogin";
+  name = "google-oslogin";
-    meta = with pkgs.lib.maintainers; {
+  meta = with lib.maintainers; {
-      maintainers = [ ];
+    maintainers = [ ];
-    };
+  };
-    nodes = {
+  nodes = {
-      # the server provides both the the mocked google metadata server and the ssh server
+    # the server provides both the the mocked google metadata server and the ssh server
-      server = (import ./server.nix pkgs);
+    server = ./server.nix;
-      client = { ... }: { };
+    client = { ... }: { };
-    };
+  };
-    testScript = ''
+  testScript = ''
-      MOCKUSER = "mockuser_nixos_org"
+    MOCKUSER = "mockuser_nixos_org"
-      MOCKADMIN = "mockadmin_nixos_org"
+    MOCKADMIN = "mockadmin_nixos_org"
-      start_all()
+    start_all()
-      server.wait_for_unit("mock-google-metadata.service")
+    server.wait_for_unit("mock-google-metadata.service")
-      server.wait_for_open_port(80)
+    server.wait_for_open_port(80)
-      # mockserver should return a non-expired ssh key for both mockuser and mockadmin
+    # mockserver should return a non-expired ssh key for both mockuser and mockadmin
-      server.succeed(
+    server.succeed(
-          f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'
+        f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKUSER} | grep -q "${snakeOilPublicKey}"'
-      )
+    )
-      server.succeed(
+    server.succeed(
-          f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'
+        f'${pkgs.google-guest-oslogin}/bin/google_authorized_keys {MOCKADMIN} | grep -q "${snakeOilPublicKey}"'
-      )
+    )
-      # install snakeoil ssh key on the client, and provision .ssh/config file
+    # install snakeoil ssh key on the client, and provision .ssh/config file
-      client.succeed("mkdir -p ~/.ssh")
+    client.succeed("mkdir -p ~/.ssh")
-      client.succeed(
+    client.succeed(
-          "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"
+        "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"
-      )
+    )
-      client.succeed("chmod 600 ~/.ssh/id_snakeoil")
+    client.succeed("chmod 600 ~/.ssh/id_snakeoil")
-      client.succeed("cp ${ssh-config} ~/.ssh/config")
+    client.succeed("cp ${ssh-config} ~/.ssh/config")
-      client.wait_for_unit("network.target")
+    client.wait_for_unit("network.target")
-      server.wait_for_unit("sshd.service")
+    server.wait_for_unit("sshd.service")
-      # we should not be able to connect as non-existing user
+    # we should not be able to connect as non-existing user
-      client.fail("ssh ghost@server 'true'")
+    client.fail("ssh ghost@server 'true'")
-      # we should be able to connect as mockuser
+    # we should be able to connect as mockuser
-      client.succeed(f"ssh {MOCKUSER}@server 'true'")
+    client.succeed(f"ssh {MOCKUSER}@server 'true'")
-      # but we shouldn't be able to sudo
+    # but we shouldn't be able to sudo
-      client.fail(
+    client.fail(
-          f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
+        f"ssh {MOCKUSER}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
-      )
+    )
-      # we should also be able to log in as mockadmin
+    # we should also be able to log in as mockadmin
-      client.succeed(f"ssh {MOCKADMIN}@server 'true'")
+    client.succeed(f"ssh {MOCKADMIN}@server 'true'")
-      # pam_oslogin_admin.so should now have generated a sudoers file
+    # pam_oslogin_admin.so should now have generated a sudoers file
-      server.succeed(
+    server.succeed(
-          f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'"
+        f"find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/{MOCKADMIN}'"
-      )
+    )
-      # and we should be able to sudo
+    # and we should be able to sudo
-      client.succeed(
+    client.succeed(
-          f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
+        f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
-      )
+    )
-    '';
+  '';
-  }
+}
 )