From cfaaa524e3bc3f8f7cf97accfbc5dc87bb5f3fa9 Mon Sep 17 00:00:00 2001
From: Florian Klink <flokli@flokli.de>
Date: Sun, 24 Nov 2019 01:27:22 +0100
Subject: [PATCH] nixosTests.google-oslogin: port to python

also use a .ssh/config instead of passing the same options over and over
again
---
 nixos/tests/google-oslogin/default.nix | 54 +++++++++++++++++---------
 1 file changed, 36 insertions(+), 18 deletions(-)

diff --git a/nixos/tests/google-oslogin/default.nix b/nixos/tests/google-oslogin/default.nix
index 3b84bba3f98..1977e92e987 100644
--- a/nixos/tests/google-oslogin/default.nix
+++ b/nixos/tests/google-oslogin/default.nix
@@ -1,7 +1,14 @@
-import ../make-test.nix ({ pkgs, ... } :
+import ../make-test-python.nix ({ pkgs, ... } :
 let
   inherit (import ./../ssh-keys.nix pkgs)
     snakeOilPrivateKey snakeOilPublicKey;
+
+    # don't check host keys or known hosts, use the snakeoil ssh key
+    ssh-config = builtins.toFile "ssh.conf" ''
+      UserKnownHostsFile=/dev/null
+      StrictHostKeyChecking=no
+      IdentityFile=~/.ssh/id_snakeoil
+    '';
 in {
   name = "google-oslogin";
   meta = with pkgs.stdenv.lib.maintainers; {
@@ -15,38 +22,49 @@ in {
     client = { ... }: {};
   };
   testScript =  ''
-    startAll;
+    start_all()
 
-    $server->waitForUnit("mock-google-metadata.service");
-    $server->waitForOpenPort(80);
+    server.wait_for_unit("mock-google-metadata.service")
+    server.wait_for_open_port(80)
 
     # mockserver should return a non-expired ssh key for both mockuser and mockadmin
-    $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"');
-    $server->succeed('${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"');
+    server.succeed(
+        '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockuser | grep -q "${snakeOilPublicKey}"'
+    )
+    server.succeed(
+        '${pkgs.google-compute-engine-oslogin}/bin/google_authorized_keys mockadmin | grep -q "${snakeOilPublicKey}"'
+    )
 
-    # install snakeoil ssh key on the client
-    $client->succeed("mkdir -p ~/.ssh");
-    $client->succeed("cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil");
-    $client->succeed("chmod 600 ~/.ssh/id_snakeoil");
+    # install snakeoil ssh key on the client, and provision .ssh/config file
+    client.succeed("mkdir -p ~/.ssh")
+    client.succeed(
+        "cat ${snakeOilPrivateKey} > ~/.ssh/id_snakeoil"
+    )
+    client.succeed("chmod 600 ~/.ssh/id_snakeoil")
+    client.succeed("cp ${ssh-config} ~/.ssh/config")
 
-    $client->waitForUnit("network.target");
-    $server->waitForUnit("sshd.service");
+    client.wait_for_unit("network.target")
+    server.wait_for_unit("sshd.service")
 
     # we should not be able to connect as non-existing user
-    $client->fail("ssh -o User=ghost -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'");
+    client.fail("ssh ghost@server 'true'")
 
     # we should be able to connect as mockuser
-    $client->succeed("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'");
+    client.succeed("ssh mockuser@server 'true'")
     # but we shouldn't be able to sudo
-    $client->fail("ssh -o User=mockuser -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'");
+    client.fail(
+        "ssh mockuser@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
+    )
 
     # we should also be able to log in as mockadmin
-    $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil 'true'");
+    client.succeed("ssh mockadmin@server 'true'")
     # pam_oslogin_admin.so should now have generated a sudoers file
-    $server->succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'");
+    server.succeed("find /run/google-sudoers.d | grep -q '/run/google-sudoers.d/mockadmin'")
 
     # and we should be able to sudo
-    $client->succeed("ssh -o User=mockadmin -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no server -i ~/.ssh/id_snakeoil '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'");
+    client.succeed(
+        "ssh mockadmin@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
+    )
   '';
   })