Unified Diff: server/auth/authdb/snapshot_test.go

Issue 2386643003: auth: Make luci-go services trust signatures produced by the token server. (Closed)
Patch Set: add tests Created 4 years, 2 months ago
Index: server/auth/authdb/snapshot_test.go
diff --git a/server/auth/authdb/snapshot_test.go b/server/auth/authdb/snapshot_test.go
index 3cf24084a6ca29665770cca77887a8da8d060e9c..ee5e640eebc363446db8d7fab5761f7246fab694 100644
--- a/server/auth/authdb/snapshot_test.go
+++ b/server/auth/authdb/snapshot_test.go
@@ -5,13 +5,18 @@
package authdb
import (
+ "encoding/json"
"net"
+ "net/http"
"testing"
"golang.org/x/net/context"
"github.com/luci/luci-go/server/auth/identity"
+ "github.com/luci/luci-go/server/auth/internal"
"github.com/luci/luci-go/server/auth/service/protocol"
+ "github.com/luci/luci-go/server/auth/signing"
+ "github.com/luci/luci-go/server/auth/signing/signingtest"
"github.com/luci/luci-go/server/secrets"
. "github.com/smartystreets/goconvey/convey"
@@ -132,6 +137,73 @@ func TestSnapshotDB(t *testing.T) {
})
})
+ Convey("GetCertificates works", t, func(c C) {
+ db, err := NewSnapshotDB(&protocol.AuthDB{
+ OauthClientId: strPtr("primary-client-id"),
+ OauthAdditionalClientIds: []string{
+ "additional-client-id-1",
+ "additional-client-id-2",
+ },
+ TokenServerUrl: strPtr("http://token-server"),
+ }, "http://auth-service", 1234)
+ So(err, ShouldBeNil)
+
+ authService := signingtest.NewSigner(0, &signing.ServiceInfo{
+ AppID: "auth-service",
+ ServiceAccountName: "auth-service-account@example.com",
+ })
+
+ tokenService := signingtest.NewSigner(1, &signing.ServiceInfo{
+ AppID: "token-server",
+ ServiceAccountName: "token-server-account@example.com",
+ })
+
+ calls := 0
+
+ ctx := context.Background()
+ ctx = internal.WithTestTransport(ctx, func(r *http.Request, body string) (int, string) {
+ calls++
+ var certs *signing.PublicCertificates
+ var err error
+ switch r.URL.String() {
+ case "http://auth-service/auth/api/v1/server/certificates":
+ certs, err = authService.Certificates(ctx)
+ case "http://token-server/auth/api/v1/server/certificates":
+ certs, err = tokenService.Certificates(ctx)
+ default:
+ return 404, "Wrong URL"
+ }
+ if err != nil {
+ panic(err)
+ }
+ blob, err := json.Marshal(certs)
+ if err != nil {
+ panic(err)
+ }
+ return 200, string(blob)
+ })
+
+ good := []identity.Identity{
+ "service:auth-service",
+ "service:token-server",
+ "user:auth-service-account@example.com",
+ "user:token-server-account@example.com",
+ }
+ for _, ident := range good {
+ certs, err := db.GetCertificates(ctx, ident)
+ So(err, ShouldBeNil)
+ So(certs, ShouldNotBeNil)
+ }
+
+ // Fetched two bundles, once.
+ So(calls, ShouldEqual, 2)
+
+ // For unknown signer returns (nil, nil).
+ certs, err := db.GetCertificates(ctx, "service:unknown")
+ So(err, ShouldBeNil)
+ So(certs, ShouldBeNil)
+ })
+
Convey("IsInWhitelist works", t, func() {
c := context.Background()
db, err := NewSnapshotDB(&protocol.AuthDB{
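Review bot: The loop over `good` asserts only `So(certs, ShouldNotBeNil)`, so this test would still pass if GetCertificates returned the auth service's bundle for `service:token-server` or the reverse, and that identity-to-bundle mapping is what a signature check relies on. Consider pinning the origin of each bundle, for example by comparing the result against what `authService.Certificates(ctx)` and `tokenService.Certificates(ctx)` return for the matching identities. The unknown-signer case could also repeat `So(calls, ShouldEqual, 2)` after the `"service:unknown"` lookup, so the test shows that an untrusted identity triggers no certificate fetch. The `c C` parameter of the Convey callback appears unused in the visible lines. TestSnapshotDB starts before this hunk and continues past it.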