nixos/google-oslogin: bump package, make tests more readable #86319

Merged
merged 3 commits into from Apr 29, 2020

@flokli flokli commented Apr 29, 2020

Motivation for this change

The OSLogin packages have been moved into a separate repository, and received some more releases in the meantime. Also, the mockserver we use in the tests was refactored to be a bit more extensible.

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS linux)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nixpkgs-review --run "nixpkgs-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Ensured that relevant documentation is up to date
  • Fits CONTRIBUTING.md.

Google moved their oslogin guest tools to another repository.
Point src to there, and bump to the latest version.
There's now a Makefile, so we can avoid having our own custom
installPhase, and we also get manpages.

I successfully ran the oslogin tests, so assuming the google cloud
metadata server still behaves like in our test, logins should work.
I saw a nscd segfault, not sure if it's caused by this or was already
the case before.
It'd be great if someone could test this on an actual VM.

some slightly better error handling for nonexistent users, less parsing
of URLs and query strings by hand.

This allows us to change them easily without search/replacing.
Afterwards, we rename them to look a bit more like they are on GCP.

flokli commented Apr 29, 2020

@GrahamcOfBorg test google-oslogin

flokli commented Apr 29, 2020

For posterity: I also tried to include a test testing additional group memberships (which should also have become possible in the meantime), but couldn't get it to work yet.

If someone wants to pick this up in the future, below patch might help:

commit a51b74d7c3631a076b558d32a1c5a26608b2df1c
Author: Florian Klink <flokli@flokli.de>
Date:   Wed Apr 29 14:36:21 2020 +0200

    nixos/oslogin: add group support

diff --git a/nixos/tests/google-oslogin/default.nix b/nixos/tests/google-oslogin/default.nix
index 97783c81f39..8de932f3f70 100644
--- a/nixos/tests/google-oslogin/default.nix
+++ b/nixos/tests/google-oslogin/default.nix
@@ -69,6 +69,11 @@ in {
     client.succeed(
         f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'root'"
     )
+
+    # mockadmin should be part of the foogrp group
+    client.succeed(
+        f"ssh {MOCKADMIN}@server '/run/wrappers/bin/sudo /run/current-system/sw/bin/id' | grep -q 'foogrp'"
+    )
   '';
   })
 
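Review bot: the new `foogrp` assertion runs `id` through `/run/wrappers/bin/sudo`, so it reports the identity of the sudo target rather than of `{MOCKADMIN}`; the context line just above relies on exactly that when it greps for `root`. Group membership of the logged-in user will therefore not show up here even if the groups lookup works. Run `/run/current-system/sw/bin/id` without sudo for this check, and consider matching the group name as a whole word (for example `id -Gn | grep -qw foogrp`) so that a substring elsewhere in the output cannot satisfy it.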
diff --git a/nixos/tests/google-oslogin/server.py b/nixos/tests/google-oslogin/server.py
index 5ea9bbd2c96..410b534f5b1 100644
--- a/nixos/tests/google-oslogin/server.py
+++ b/nixos/tests/google-oslogin/server.py
@@ -102,6 +102,16 @@ class ReqHandler(BaseHTTPRequestHandler):
 
             self._send_json_ok(gen_mockuser(username=username, uid=uid, gid=uid, home_directory=f"/home/{username}", snakeoil_pubkey=SNAKEOIL_PUBLIC_KEY))
             return
+        # groups endpoint
+        elif pu.path == "/computeMetadata/v1/oslogin/groups":
+            if params.get('email') == [gen_email(MOCKUSER)]:
+                groups = []
+            elif params.get('email') == [gen_email(MOCKADMIN)]:
+                groups = [dict(gid=8000, name="foogrp")]
+            else:
+                self._send_404()
+            data = dict(nextPageToken=0, posixGroups=groups)
+            self._send_json_ok(data)
 
         # authorize endpoint
         elif pu.path == "/computeMetadata/v1/oslogin/authorize":
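Review bot: the `else` branch of the new groups endpoint calls `self._send_404()` without returning, so execution continues to `data = dict(nextPageToken=0, posixGroups=groups)` with `groups` never assigned. That raises UnboundLocalError after the 404 has already been sent, and if it did not, a second response would be written for the same request. Add `return` after `self._send_404()`, the same way the users branch above returns after `_send_json_ok`. A short comment on why `nextPageToken` is `0` would also help anyone picking this up.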

@flokli flokli merged commit c2c30d9 into NixOS:master Apr 29, 2020
@flokli flokli deleted the google-oslogin branch April 29, 2020 14:47