depot/nixos/tests/ssh-agent-auth.nix

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

56 lines
1.9 KiB
Nix
Raw Normal View History

import ./make-test-python.nix ({ lib, pkgs, ... }:
let
inherit (import ./ssh-keys.nix pkgs) snakeOilPrivateKey snakeOilPublicKey;
in {
name = "ssh-agent-auth";
meta.maintainers = with lib.maintainers; [ nicoo ];
nodes = let nodeConfig = n: { ... }: {
users.users = {
admin = {
isNormalUser = true;
extraGroups = [ "wheel" ];
openssh.authorizedKeys.keys = [ snakeOilPublicKey ];
};
foo.isNormalUser = true;
};
security.pam.sshAgentAuth = {
# Must be specified, as nixpkgs CI expects everything to eval without warning
authorizedKeysFiles = [ "/etc/ssh/authorized_keys.d/%u" ];
enable = true;
};
security.${lib.replaceStrings [ "_" ] [ "-" ] n} = {
enable = true;
wheelNeedsPassword = true; # We are checking `pam_ssh_agent_auth(8)` works for a sudoer
};
# Necessary for pam_ssh_agent_auth >_>'
services.openssh.enable = true;
};
in lib.genAttrs [ "sudo" "sudo_rs" ] nodeConfig;
testScript = let
privateKeyPath = "/home/admin/.ssh/id_ecdsa";
userScript = pkgs.writeShellScript "test-script" ''
set -e
ssh-add -q ${privateKeyPath}
# faketty needed to ensure `sudo` doesn't write to the controlling PTY,
# which would break the test-driver's line-oriented protocol.
${lib.getExe pkgs.faketty} sudo -u foo -- id -un
'';
in ''
for vm in (sudo, sudo_rs):
sudo_impl = vm.name.replace("_", "-")
with subtest(f"wheel user can auth with ssh-agent for {sudo_impl}"):
vm.copy_from_host("${snakeOilPrivateKey}", "${privateKeyPath}")
vm.succeed("chmod -R 0700 /home/admin")
vm.succeed("chown -R admin:users /home/admin")
# Run `userScript` in an environment with an SSH-agent available
assert vm.succeed("sudo -u admin -- ssh-agent ${userScript} 2>&1").strip() == "foo"
'';
}
)