
Side by Side Diff: appengine/auth_service/config_test.py

Issue 2224163003: auth: Fix delegation.cfg config validation. (Closed) Base URL: https://chromium.googlesource.com/external/github.com/luci/luci-py@master
Patch Set: Created 4 years, 4 months ago
1 #!/usr/bin/env python 1 #!/usr/bin/env python
2 # Copyright 2015 The LUCI Authors. All rights reserved. 2 # Copyright 2015 The LUCI Authors. All rights reserved.
3 # Use of this source code is governed under the Apache License, Version 2.0 3 # Use of this source code is governed under the Apache License, Version 2.0
4 # that can be found in the LICENSE file. 4 # that can be found in the LICENSE file.
5 5
6 import datetime 6 import datetime
7 import logging 7 import logging
8 import sys 8 import sys
9 import unittest 9 import unittest
10 10
(...skipping 445 matching lines...) Expand 10 before | Expand all | Expand 10 after
456 def call_validate_delegation_config(r): 456 def call_validate_delegation_config(r):
457 ctx = validation_context.Context() 457 ctx = validation_context.Context()
458 conf = config_pb2.DelegationConfig(rules=[r]) 458 conf = config_pb2.DelegationConfig(rules=[r])
459 config.validate_delegation_config(conf, ctx) 459 config.validate_delegation_config(conf, ctx)
460 return [m.text for m in ctx.messages] 460 return [m.text for m in ctx.messages]
461 461
462 def test_validate_delegation_config_ok(self): 462 def test_validate_delegation_config_ok(self):
463 # Good one. 463 # Good one.
464 msg = self.call_validate_delegation_config( 464 msg = self.call_validate_delegation_config(
465 config_pb2.DelegationConfig.Rule( 465 config_pb2.DelegationConfig.Rule(
466 user_id=['service:abc'], 466 user_id=['service:abc', 'group:group'],
467 target_service=['service:def'], 467 target_service=['service:def'],
468 max_validity_duration=3600, 468 max_validity_duration=3600,
469 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc'])) 469 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc']))
470 self.assertEqual([], msg) 470 self.assertEqual([], msg)
471 471
472 def test_validate_delegation_config_user_id(self): 472 def test_validate_delegation_config_user_id(self):
473 # Empty user_id list. 473 # Empty user_id list.
474 msg = self.call_validate_delegation_config( 474 msg = self.call_validate_delegation_config(
475 config_pb2.DelegationConfig.Rule( 475 config_pb2.DelegationConfig.Rule(
476 target_service=['service:def'], 476 target_service=['service:def'],
477 max_validity_duration=3600, 477 max_validity_duration=3600,
478 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc'])) 478 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc']))
479 self.assertEqual(['rules #0: missing user_id field'], msg) 479 self.assertEqual(['rules #0: missing user_id field'], msg)
480 480
481 # Bad user_id. 481 # Bad user_id.
482 msg = self.call_validate_delegation_config( 482 msg = self.call_validate_delegation_config(
483 config_pb2.DelegationConfig.Rule( 483 config_pb2.DelegationConfig.Rule(
484 user_id=['wat'], 484 user_id=['wat'],
485 target_service=['service:def'], 485 target_service=['service:def'],
486 max_validity_duration=3600, 486 max_validity_duration=3600,
487 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc'])) 487 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc']))
488 self.assertEqual([ 488 self.assertEqual([
489 'rules #0: bad identity string "wat" in user_id: ' 489 'rules #0: user_id: not a valid identity "wat": '
490 'Missing \':\' separator in Identity string' 490 'Missing \':\' separator in Identity string'
491 ], msg) 491 ], msg)
492 492
493 # Star + redundant entries.
494 msg = self.call_validate_delegation_config(
495 config_pb2.DelegationConfig.Rule(
496 user_id=['*', 'user:a@a.com'],
497 target_service=['service:def'],
498 max_validity_duration=3600,
499 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc']))
500 self.assertEqual(
501 ['rules #0: redundant entries in user_id, it has "*"" already'], msg)
502
503 def test_validate_delegation_config_target_service(self): 493 def test_validate_delegation_config_target_service(self):
504 # Empty target_service list. 494 # Empty target_service list.
505 msg = self.call_validate_delegation_config( 495 msg = self.call_validate_delegation_config(
506 config_pb2.DelegationConfig.Rule( 496 config_pb2.DelegationConfig.Rule(
507 user_id=['service:abc'], 497 user_id=['service:abc'],
508 max_validity_duration=3600, 498 max_validity_duration=3600,
509 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc'])) 499 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc']))
510 self.assertEqual(['rules #0: missing target_service field'], msg) 500 self.assertEqual(['rules #0: missing target_service field'], msg)
511 501
512 # Bad target_service. 502 # Bad target_service.
513 msg = self.call_validate_delegation_config( 503 msg = self.call_validate_delegation_config(
514 config_pb2.DelegationConfig.Rule( 504 config_pb2.DelegationConfig.Rule(
515 user_id=['service:abc'], 505 user_id=['service:abc'],
516 target_service=['wat'], 506 target_service=['wat'],
517 max_validity_duration=3600, 507 max_validity_duration=3600,
518 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc'])) 508 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc']))
519 self.assertEqual([ 509 self.assertEqual([
520 'rules #0: bad identity string "wat" in target_service: ' 510 'rules #0: target_service: bad identity string "wat": '
521 'Missing \':\' separator in Identity string' 511 'Missing \':\' separator in Identity string'
522 ], msg) 512 ], msg)
523 513
524 # Star + redundant entries. 514 # Star + redundant entries.
525 msg = self.call_validate_delegation_config( 515 msg = self.call_validate_delegation_config(
526 config_pb2.DelegationConfig.Rule( 516 config_pb2.DelegationConfig.Rule(
527 user_id=['service:abc'], 517 user_id=['service:abc'],
528 target_service=['*', 'service:def'], 518 target_service=['*', 'service:def'],
529 max_validity_duration=3600, 519 max_validity_duration=3600,
530 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc'])) 520 allowed_to_impersonate=['user:a@a.com', 'bot:*', 'group:abc']))
(...skipping 19 matching lines...) Expand all
550 target_service=['*'], 540 target_service=['*'],
551 max_validity_duration=3600, 541 max_validity_duration=3600,
552 allowed_to_impersonate=[uid])) 542 allowed_to_impersonate=[uid]))
553 # Good cases. 543 # Good cases.
554 self.assertEqual([], call('group:abc')) 544 self.assertEqual([], call('group:abc'))
555 self.assertEqual([], call('group:external/abc')) 545 self.assertEqual([], call('group:external/abc'))
556 self.assertEqual([], call('user:*')) 546 self.assertEqual([], call('user:*'))
557 self.assertEqual([], call('service:abc')) 547 self.assertEqual([], call('service:abc'))
558 # Bad cases. 548 # Bad cases.
559 self.assertEqual( 549 self.assertEqual(
560 ['rules #0: not a valid group name: bad\\name'], 550 ['rules #0: allowed_to_impersonate: not a valid group name: bad\\name'],
561 call('group:bad\\name')) 551 call('group:bad\\name'))
562 self.assertEqual([ 552 self.assertEqual([
563 'rules #0: not a valid identity glob "hmm:*": ' 553 'rules #0: allowed_to_impersonate: not a valid identity glob "hmm:*": '
564 'Invalid Identity kind: hmm' 554 'Invalid Identity kind: hmm'
565 ], call('hmm:*')) 555 ], call('hmm:*'))
566 self.assertEqual([ 556 self.assertEqual([
567 'rules #0: not a valid identity glob "*": Missing \':\' ' 557 'rules #0: allowed_to_impersonate: not a valid identity "a@a.com": '
568 'separator in IdentityGlob string' 558 'Missing \':\' separator in Identity string'
569 ], call('*'))
570 self.assertEqual([
571 'rules #0: not a valid identity "a@a.com": Missing \':\' '
572 'separator in Identity string'
573 ], call('a@a.com')) 559 ], call('a@a.com'))
574 560
575 def test_update_service_config(self): 561 def test_update_service_config(self):
576 # Missing. 562 # Missing.
577 self.assertIsNone(config._get_service_config('abc.cfg')) 563 self.assertIsNone(config._get_service_config('abc.cfg'))
578 self.assertIsNone(config._get_service_config_rev('abc.cfg')) 564 self.assertIsNone(config._get_service_config_rev('abc.cfg'))
579 # Updated. 565 # Updated.
580 rev = config.Revision('rev', 'url') 566 rev = config.Revision('rev', 'url')
581 self.assertTrue(config._update_service_config('abc.cfg', rev, 'body')) 567 self.assertTrue(config._update_service_config('abc.cfg', rev, 'body'))
582 self.assertEqual('body', config._get_service_config('abc.cfg')) 568 self.assertEqual('body', config._get_service_config('abc.cfg'))
(...skipping 20 matching lines...) Expand all
603 self.assertEqual(1, len(proto.rules)) 589 self.assertEqual(1, len(proto.rules))
604 590
605 591
606 if __name__ == '__main__': 592 if __name__ == '__main__':
607 if '-v' in sys.argv: 593 if '-v' in sys.argv:
608 unittest.TestCase.maxDiff = None 594 unittest.TestCase.maxDiff = None
609 logging.basicConfig(level=logging.DEBUG) 595 logging.basicConfig(level=logging.DEBUG)
610 else: 596 else:
611 logging.basicConfig(level=logging.FATAL) 597 logging.basicConfig(level=logging.FATAL)
612 unittest.main() 598 unittest.main()
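Review bot: A bare `*` is no longer pinned by any assertion on the new side: the "Star + redundant entries" case for `user_id` (old lines 493-501) and the `call('*')` bad case for `allowed_to_impersonate` (old lines 566-569) are dropped, and `*` shows up in neither the good nor the bad cases that remain visible. These fields appear to decide who may delegate and whom they may impersonate, so the wildcard behaviour deserves an explicit assertion either way, e.g. `self.assertEqual([], call('*'))` under "Good cases" if it is now meant to be accepted, or the expected error list if it is still rejected. Since `user_id` now takes `group:` entries (new line 466), a negative case mirroring `call('group:bad\\name')` with `user_id=['group:bad\\name']` would cover the new path as well. The start of the allowed_to_impersonate test sits in the collapsed lines, so part of this may already be covered there.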