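--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,211 @@
+// Copyright 2016 The LUCI Authors. All rights reserved.
+// Use of this source code is governed under the Apache License, Version 2.0
+// that can be found in the LICENSE file.
+
+package delegation
+
+import (
+	"testing"
+
+	"github.com/golang/protobuf/proto"
+
+	admin "github.com/luci/luci-go/tokenserver/api/admin/v1"
+
+	. "github.com/luci/luci-go/common/testing/assertions"
+	. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestValidation(t *testing.T) {
+	cases := []struct {
+		Cfg    string
+		Errors []string
+	}{
+		{
+			// No errors, "normal looking" config.
+			Cfg: `
+				rules {
+					name: "rule 1"
+					requestor: "user:some-app@appspot.gserviceaccount.com"
+					target_service: "service:some-service"
+					allowed_to_impersonate: "group:some-group"
+					allowed_audience: "REQUESTOR"
+					max_validity_duration: 86400
+				}
+
+				rules {
+					name: "rule 2"
+					requestor: "group:some-group"
+					target_service: "*"
+					allowed_to_impersonate: "group:another-group"
+					allowed_audience: "*"
+					max_validity_duration: 86400
+				}
+			`,
+		},
+
+		{
+			// Duplicate names.
+			Cfg: `
+				rules {
+					name: "rule 1"
+					requestor: "user:some-app@appspot.gserviceaccount.com"
+					target_service: "service:some-service"
+					allowed_to_impersonate: "group:some-group"
+					allowed_audience: "REQUESTOR"
+					max_validity_duration: 86400
+				}
+
+				rules {
+					name: "rule 1"
+					requestor: "group:some-group"
+					target_service: "*"
+					allowed_to_impersonate: "group:another-group"
+					allowed_audience: "*"
+					max_validity_duration: 86400
+				}
+			`,
+			Errors: []string{`rule #2 ("rule 1"): the rule with such name is already defined`},
+		},
+
+		{
+			// Missing required fields.
+			Cfg: `
+				rules {
+				}
+			`,
+			Errors: []string{
+				`'name' is required`,
+				`'requestor' is required`,
+				`'allowed_to_impersonate' is required`,
+				`'allowed_audience' is required`,
+				`'target_service' is required`,
+				`'max_validity_duration' is required`,
+			},
+		},
+
+		{
+			// Validity duration out of range.
+			Cfg: `
+				rules {
+					name: "rule 1"
+					requestor: "user:some-app@appspot.gserviceaccount.com"
+					target_service: "service:some-service"
+					allowed_to_impersonate: "group:some-group"
+					allowed_audience: "REQUESTOR"
+					max_validity_duration: -1
+				}
+				rules {
+					name: "rule 2"
+					requestor: "user:some-app@appspot.gserviceaccount.com"
+					target_service: "service:some-service"
+					allowed_to_impersonate: "group:some-group"
+					allowed_audience: "REQUESTOR"
+					max_validity_duration: 86401
+				}
+			`,
+			Errors: []string{
+				`rule #1 ("rule 1"): 'max_validity_duration' must be positive`,
+				`rule #2 ("rule 2"): 'max_validity_duration' must be smaller than 86401`,
+			},
+		},
+
+		{
+			// Bad requestor.
+			Cfg: `
+				rules {
+					name: "rule 1"
+					requestor: "user:some-app@appspot.gserviceaccount.com" # ok
+					requestor: "service:blah" # ok
+					requestor: "group:some-group" # ok
+					requestor: "*" # not ok
+					requestor: "some junk" # not ok
+					requestor: "group:" # not ok
+					target_service: "service:some-service"
+					allowed_to_impersonate: "group:some-group"
+					allowed_audience: "REQUESTOR"
+					max_validity_duration: 3600
+				}
+			`,
+			Errors: []string{
+				`bad 'requestor' - auth: bad identity string "*"`,
+				`bad 'requestor' - auth: bad identity string "some junk"`,
+				`bad 'requestor' - bad group entry "group:"`,
+			},
+		},
+
+		{
+			// Bad allowed_to_impersonate.
+			Cfg: `
+				rules {
+					name: "rule 1"
+					requestor: "user:some-app@appspot.gserviceaccount.com"
+					target_service: "service:some-service"
+					allowed_to_impersonate: "user:abc@example.com" # ok
+					allowed_to_impersonate: "group:some-group" # ok
+					allowed_to_impersonate: "REQUESTOR" # ok
+					allowed_to_impersonate: "*" # not OK
+					allowed_audience: "REQUESTOR"
+					max_validity_duration: 86400
+				}
+			`,
+			Errors: []string{
+				`bad 'allowed_to_impersonate' - auth: bad identity string "*"`,
+			},
+		},
+
+		{
+			// Bad allowed_audience.
+			Cfg: `
+				rules {
+					name: "rule 1"
+					requestor: "user:some-app@appspot.gserviceaccount.com"
+					target_service: "service:some-service"
+					allowed_to_impersonate: "user:abc@example.com"
+					allowed_audience: "REQUESTOR" # ok
+					allowed_audience: "*" # ok
+					allowed_audience: "user:abc@example.com" # ok
+					allowed_audience: "group:abc" # ok
+					allowed_audience: "some junk" # not ok
+					max_validity_duration: 86400
+				}
+			`,
+			Errors: []string{
+				`bad 'allowed_audience' - auth: bad identity string "some junk"`,
+			},
+		},
+
+		{
+			// Bad target_service.
+			Cfg: `
+				rules {
+					name: "rule 1"
+					requestor: "user:some-app@appspot.gserviceaccount.com"
+					target_service: "service:some-service" # ok
+					target_service: "user:abc@example.com" # not ok
+					target_service: "group:some-group" # not ok
+					allowed_to_impersonate: "user:abc@example.com"
+					allowed_audience: "REQUESTOR"
+					max_validity_duration: 86400
+				}
+			`,
+			Errors: []string{
+				`bad 'target_service' - identity of kind "user" is not allowed here`,
+				`bad 'target_service' - group entries are not allowe`,
+			},
+		},
+	}
+
+	Convey("Validation works", t, func(c C) {
+		for idx, cs := range cases {
+			c.Printf("Case #%d\n", idx)
+			cfg := &admin.DelegationPermissions{}
+			err := proto.UnmarshalText(cs.Cfg, cfg)
+			So(err, ShouldBeNil)
+			merr := ValidateConfig(cfg)
+			So(len(merr), ShouldEqual, len(cs.Errors))
+			for i, err := range merr {
+				So(err, ShouldErrLike, cs.Errors[i])
+			}
+		}
+	})
+}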
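Review bot: The expected message for the group target_service case, `bad 'target_service' - group entries are not allowe`, is missing its last letter; since ShouldErrLike matches on substring the truncated expectation passes silently and would keep passing if the validator's wording drifted, so it should read `bad 'target_service' - group entries are not allowed` (assuming that is what ValidateConfig emits — verify against the validator). In the Convey loop, `for i, err := range merr` shadows the `err` assigned from proto.UnmarshalText a few lines above; renaming it, e.g. `for i, verr := range merr`, removes the ambiguity. The per-case `c.Printf("Case #%d\n", idx)` only surfaces in verbose output, so a failing So gives no hint which config table entry broke; folding the case index into the assertion (for example a Convey sub-scope named with idx) would make a rejected wildcard or group rule easier to trace.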