1 // Copyright 2016 The LUCI Authors. All rights reserved. | 1 // Copyright 2016 The LUCI Authors. All rights reserved. |
2 // Use of this source code is governed under the Apache License, Version 2.0 | 2 // Use of this source code is governed under the Apache License, Version 2.0 |
3 // that can be found in the LICENSE file. | 3 // that can be found in the LICENSE file. |
4 | 4 |
5 package authdb | 5 package authdb |
6 | 6 |
7 import ( | 7 import ( |
| 8 "encoding/json" |
8 "net" | 9 "net" |
| 10 "net/http" |
9 "testing" | 11 "testing" |
10 | 12 |
11 "golang.org/x/net/context" | 13 "golang.org/x/net/context" |
12 | 14 |
13 "github.com/luci/luci-go/server/auth/identity" | 15 "github.com/luci/luci-go/server/auth/identity" |
| 16 "github.com/luci/luci-go/server/auth/internal" |
14 "github.com/luci/luci-go/server/auth/service/protocol" | 17 "github.com/luci/luci-go/server/auth/service/protocol" |
| 18 "github.com/luci/luci-go/server/auth/signing" |
| 19 "github.com/luci/luci-go/server/auth/signing/signingtest" |
15 "github.com/luci/luci-go/server/secrets" | 20 "github.com/luci/luci-go/server/secrets" |
16 | 21 |
17 . "github.com/smartystreets/goconvey/convey" | 22 . "github.com/smartystreets/goconvey/convey" |
18 ) | 23 ) |
19 | 24 |
20 func TestSnapshotDB(t *testing.T) { | 25 func TestSnapshotDB(t *testing.T) { |
21 Convey("IsAllowedOAuthClientID works", t, func() { | 26 Convey("IsAllowedOAuthClientID works", t, func() { |
22 c := context.Background() | 27 c := context.Background() |
23 db, err := NewSnapshotDB(&protocol.AuthDB{ | 28 db, err := NewSnapshotDB(&protocol.AuthDB{ |
24 OauthClientId: strPtr("primary-client-id"), | 29 OauthClientId: strPtr("primary-client-id"), |
125 "secret-2": { | 130 "secret-2": { |
126 Current: secrets.NamedBlob{Blob: []byte("current
")}, | 131 Current: secrets.NamedBlob{Blob: []byte("current
")}, |
127 Previous: []secrets.NamedBlob{ | 132 Previous: []secrets.NamedBlob{ |
128 {Blob: []byte("prev1")}, | 133 {Blob: []byte("prev1")}, |
129 {Blob: []byte("prev2")}, | 134 {Blob: []byte("prev2")}, |
130 }, | 135 }, |
131 }, | 136 }, |
132 }) | 137 }) |
133 }) | 138 }) |
134 | 139 |
| 140 Convey("GetCertificates works", t, func(c C) { |
| 141 db, err := NewSnapshotDB(&protocol.AuthDB{ |
| 142 OauthClientId: strPtr("primary-client-id"), |
| 143 OauthAdditionalClientIds: []string{ |
| 144 "additional-client-id-1", |
| 145 "additional-client-id-2", |
| 146 }, |
| 147 TokenServerUrl: strPtr("http://token-server"), |
| 148 }, "http://auth-service", 1234) |
| 149 So(err, ShouldBeNil) |
| 150 |
| 151 authService := signingtest.NewSigner(0, &signing.ServiceInfo{ |
| 152 AppID: "auth-service", |
| 153 ServiceAccountName: "auth-service-account@example.com", |
| 154 }) |
| 155 |
| 156 tokenService := signingtest.NewSigner(1, &signing.ServiceInfo{ |
| 157 AppID: "token-server", |
| 158 ServiceAccountName: "token-server-account@example.com", |
| 159 }) |
| 160 |
| 161 calls := 0 |
| 162 |
| 163 ctx := context.Background() |
| 164 ctx = internal.WithTestTransport(ctx, func(r *http.Request, body
string) (int, string) { |
| 165 calls++ |
| 166 var certs *signing.PublicCertificates |
| 167 var err error |
| 168 switch r.URL.String() { |
| 169 case "http://auth-service/auth/api/v1/server/certificate
s": |
| 170 certs, err = authService.Certificates(ctx) |
| 171 case "http://token-server/auth/api/v1/server/certificate
s": |
| 172 certs, err = tokenService.Certificates(ctx) |
| 173 default: |
| 174 return 404, "Wrong URL" |
| 175 } |
| 176 if err != nil { |
| 177 panic(err) |
| 178 } |
| 179 blob, err := json.Marshal(certs) |
| 180 if err != nil { |
| 181 panic(err) |
| 182 } |
| 183 return 200, string(blob) |
| 184 }) |
| 185 |
| 186 good := []identity.Identity{ |
| 187 "service:auth-service", |
| 188 "service:token-server", |
| 189 "user:auth-service-account@example.com", |
| 190 "user:token-server-account@example.com", |
| 191 } |
| 192 for _, ident := range good { |
| 193 certs, err := db.GetCertificates(ctx, ident) |
| 194 So(err, ShouldBeNil) |
| 195 So(certs, ShouldNotBeNil) |
| 196 } |
| 197 |
| 198 // Fetched two bundles, once. |
| 199 So(calls, ShouldEqual, 2) |
| 200 |
| 201 // For unknown signer returns (nil, nil). |
| 202 certs, err := db.GetCertificates(ctx, "service:unknown") |
| 203 So(err, ShouldBeNil) |
| 204 So(certs, ShouldBeNil) |
| 205 }) |
| 206 |
135 Convey("IsInWhitelist works", t, func() { | 207 Convey("IsInWhitelist works", t, func() { |
136 c := context.Background() | 208 c := context.Background() |
137 db, err := NewSnapshotDB(&protocol.AuthDB{ | 209 db, err := NewSnapshotDB(&protocol.AuthDB{ |
138 IpWhitelistAssignments: []*protocol.AuthIPWhitelistAssig
nment{ | 210 IpWhitelistAssignments: []*protocol.AuthIPWhitelistAssig
nment{ |
139 { | 211 { |
140 Identity: strPtr("user:abc@example.co
m"), | 212 Identity: strPtr("user:abc@example.co
m"), |
141 IpWhitelist: strPtr("whitelist"), | 213 IpWhitelist: strPtr("whitelist"), |
142 }, | 214 }, |
143 }, | 215 }, |
144 IpWhitelists: []*protocol.AuthIPWhitelist{ | 216 IpWhitelists: []*protocol.AuthIPWhitelist{ |
219 }, | 291 }, |
220 }, | 292 }, |
221 }, "http://auth-service", 1234) | 293 }, "http://auth-service", 1234) |
222 | 294 |
223 b.ResetTimer() | 295 b.ResetTimer() |
224 | 296 |
225 for i := 0; i < b.N; i++ { | 297 for i := 0; i < b.N; i++ { |
226 db.IsMember(c, "user:somedude@example.com", "outer") | 298 db.IsMember(c, "user:somedude@example.com", "outer") |
227 } | 299 } |
228 } | 300 } |
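Review bot: The `for _, ident := range good` loop in the new "GetCertificates works" block asserts only that the bundle is non-nil, so a lookup that handed back the auth service's certificates for `service:token-server` (or the token server's for `user:auth-service-account@example.com`) would still pass; since these bundles are what signature verification trusts, each identity should be paired with the signer it must resolve to and the result compared with `ShouldResemble` against that signer's own `Certificates(ctx)`, which the test transport already shows is produced locally (if the bundle carries a fetch-time field, compare the stable fields only). The `c C` parameter of the Convey callback is unused; the two `panic(err)` calls in the transport callback could become `c.So(err, ShouldBeNil)` so that a signer or marshal failure is reported as an assertion rather than a crash. The `default: return 404, "Wrong URL"` branch is never reached by the identities under test, so the wrong-URL path stays unverified. TestSnapshotDB continues past this Convey block.
```go
// … unchanged: signer and test-transport setup …
authCerts, err := authService.Certificates(ctx)
So(err, ShouldBeNil)
tokenCerts, err := tokenService.Certificates(ctx)
So(err, ShouldBeNil)

cases := []struct {
	ident identity.Identity
	want  *signing.PublicCertificates
}{
	{"service:auth-service", authCerts},
	{"service:token-server", tokenCerts},
	{"user:auth-service-account@example.com", authCerts},
	{"user:token-server-account@example.com", tokenCerts},
}
for _, tc := range cases {
	certs, err := db.GetCertificates(ctx, tc.ident)
	So(err, ShouldBeNil)
	So(certs, ShouldResemble, tc.want)
}
// … unchanged: call-count and unknown-signer checks …
```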