Side by Side Diff: server/auth/delegation/checker_test.go

Issue 2386643003: auth: Make luci-go services trust signatures produced by the token server. (Closed)
Patch Set: add tests Created 4 years, 2 months ago
1 // Copyright 2016 The LUCI Authors. All rights reserved. 1 // Copyright 2016 The LUCI Authors. All rights reserved.
2 // Use of this source code is governed under the Apache License, Version 2.0 2 // Use of this source code is governed under the Apache License, Version 2.0
3 // that can be found in the LICENSE file. 3 // that can be found in the LICENSE file.
4 4
5 package delegation 5 package delegation
6 6
7 import ( 7 import (
8 "encoding/base64" 8 "encoding/base64"
9 "os" 9 "os"
10 "strings" 10 "strings"
97 _, err := CheckToken(c, CheckTokenParams{ 97 _, err := CheckToken(c, CheckTokenParams{
98 Token: strings.Repeat("aaaa", 10000), 98 Token: strings.Repeat("aaaa", 10000),
99 PeerID: "user:to@example.com", 99 PeerID: "user:to@example.com",
100 CertificatesProvider: minter, 100 CertificatesProvider: minter,
101 GroupsChecker: &fakeGroups{}, 101 GroupsChecker: &fakeGroups{},
102 OwnServiceIdentity: "service:service-id", 102 OwnServiceIdentity: "service:service-id",
103 }) 103 })
104 So(err, ShouldEqual, ErrMalformedDelegationToken) 104 So(err, ShouldEqual, ErrMalformedDelegationToken)
105 }) 105 })
106 106
107 Convey("Untrusted signer", t, func() {
108 tok := minter.mintToken(c, subtoken(c, "user:from@example.com", "user:to@example.com"))
109 minter.signerID = "service:nah-i-renamed-myself"
110 _, err := CheckToken(c, CheckTokenParams{
111 Token: tok,
112 PeerID: "user:to@example.com",
113 CertificatesProvider: minter,
114 GroupsChecker: &fakeGroups{},
115 OwnServiceIdentity: "service:service-id",
116 })
117 So(err, ShouldEqual, ErrUnsignedDelegationToken)
118 })
119
107 Convey("Bad signature", t, func() { 120 Convey("Bad signature", t, func() {
108 tok := minter.mintToken(c, subtoken(c, "user:from@example.com", "user:to@example.com")) 121 tok := minter.mintToken(c, subtoken(c, "user:from@example.com", "user:to@example.com"))
109 // An offset in serialized token that points to Subtoken field. Replace one 122 // An offset in serialized token that points to Subtoken field. Replace one
110 // byte there to "break" the signature. 123 // byte there to "break" the signature.
111 sigOffset := len(tok) - 10 124 sigOffset := len(tok) - 10
112 So(tok[sigOffset], ShouldNotEqual, 'A') 125 So(tok[sigOffset], ShouldNotEqual, 'A')
113 _, err := CheckToken(c, CheckTokenParams{ 126 _, err := CheckToken(c, CheckTokenParams{
114 Token: tok[:sigOffset] + "A" + tok[sigOff set+1:], 127 Token: tok[:sigOffset] + "A" + tok[sigOff set+1:],
115 PeerID: "user:to@example.com", 128 PeerID: "user:to@example.com",
116 CertificatesProvider: minter, 129 CertificatesProvider: minter,
181 signerID string 194 signerID string
182 } 195 }
183 196
184 func newFakeTokenMinter() *fakeTokenMinter { 197 func newFakeTokenMinter() *fakeTokenMinter {
185 return &fakeTokenMinter{ 198 return &fakeTokenMinter{
186 signer: signingtest.NewSigner(0, nil), 199 signer: signingtest.NewSigner(0, nil),
187 signerID: "service:fake-signer", 200 signerID: "service:fake-signer",
188 } 201 }
189 } 202 }
190 203
191 func (f *fakeTokenMinter) GetAuthServiceCertificates(c context.Context) (*signin g.PublicCertificates, error) { 204 func (f *fakeTokenMinter) GetCertificates(c context.Context, id identity.Identit y) (*signing.PublicCertificates, error) {
205 » if string(id) != f.signerID {
206 » » return nil, nil
207 » }
192 return f.signer.Certificates(c) 208 return f.signer.Certificates(c)
193 } 209 }
194 210
195 func (f *fakeTokenMinter) mintToken(c context.Context, subtoken *messages.Subtok en) string { 211 func (f *fakeTokenMinter) mintToken(c context.Context, subtoken *messages.Subtok en) string {
196 blob, err := proto.Marshal(subtoken) 212 blob, err := proto.Marshal(subtoken)
197 if err != nil { 213 if err != nil {
198 panic(err) 214 panic(err)
199 } 215 }
200 keyID, sig, err := f.signer.SignBytes(c, blob) 216 keyID, sig, err := f.signer.SignBytes(c, blob)
201 if err != nil { 217 if err != nil {
217 type fakeGroups struct { 233 type fakeGroups struct {
218 groups map[string]string // if nil == no group checks 234 groups map[string]string // if nil == no group checks
219 } 235 }
220 236
221 func (f *fakeGroups) IsMember(c context.Context, id identity.Identity, group str ing) (bool, error) { 237 func (f *fakeGroups) IsMember(c context.Context, id identity.Identity, group str ing) (bool, error) {
222 if f.groups == nil { 238 if f.groups == nil {
223 return true, nil 239 return true, nil
224 } 240 }
225 return f.groups[group] == string(id), nil 241 return f.groups[group] == string(id), nil
226 } 242 }
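Review bot: The new `GetCertificates` fake returns `nil, nil` for any identity other than `f.signerID`, and the "Untrusted signer" case depends entirely on the checker turning that nil-certificates/nil-error result into `ErrUnsignedDelegationToken`, yet the fake says nothing about it; add a comment such as `// Unknown signer: no certificates and no error. The checker is expected to treat this as an unsigned token rather than dereference the nil result.` — assuming that is the CertificatesProvider contract checker.go defines, which is outside this diff. The same case also mutates the shared `minter` (`minter.signerID = "service:nah-i-renamed-myself"`) and never restores it; if `minter` is constructed outside the Convey tree rather than per leaf, the renamed signer leaks into "Bad signature" and every later case, so either build a fresh `newFakeTokenMinter()` inside the case or add `defer func() { minter.signerID = "service:fake-signer" }()` right after the mint. The enclosing test function and `fakeTokenMinter.mintToken` both extend beyond the visible hunks.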