| 1 // Copyright 2017 The LUCI Authors. |
| 2 // |
| 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 // you may not use this file except in compliance with the License. |
| 5 // You may obtain a copy of the License at |
| 6 // |
| 7 // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 // |
| 9 // Unless required by applicable law or agreed to in writing, software |
| 10 // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 // See the License for the specific language governing permissions and |
| 13 // limitations under the License. |
| 14 |
| 15 package serviceaccounts |
| 16 |
| 17 import ( |
| 18 "encoding/base64" |
| 19 "testing" |
| 20 |
| 21 "github.com/golang/protobuf/proto" |
| 22 "golang.org/x/net/context" |
| 23 |
| 24 "github.com/luci/luci-go/server/auth/signing" |
| 25 "github.com/luci/luci-go/server/auth/signing/signingtest" |
| 26 "github.com/luci/luci-go/tokenserver/api" |
| 27 |
| 28 . "github.com/smartystreets/goconvey/convey" |
| 29 ) |
| 30 |
| 31 func TestSignGrant(t *testing.T) { |
| 32 Convey("Works", t, func() { |
| 33 ctx := context.Background() |
| 34 signer := signingtest.NewSigner(0, nil) |
| 35 |
| 36 original := &tokenserver.OAuthTokenGrantBody{ |
| 37 TokenId: 123, |
| 38 ServiceAccount: "email@example.com", |
| 39 Proxy: "user:someone@example.com", |
| 40 EndUser: "user:someone-else@example.com", |
| 41 } |
| 42 |
| 43 tok, err := SignGrant(ctx, signer, original) |
| 44 So(err, ShouldBeNil) |
| 45 So(tok, ShouldEqual, `Ck4IexIRZW1haWxAZXhhbXBsZS5jb20aGHVzZXI6c2
9tZW9uZUB`+ |
| 46 `leGFtcGxlLmNvbSIddXNlcjpzb21lb25lLWVsc2VAZXhhbXBsZS5jb2
0SKGY5ZGE1YTBkM`+ |
| 47 `DkwM2JkYTU4YzZkNjY0ZTM4NTJhODljMjgzZDdmZTkaQIuW0EtCsdP3
xNRgnQcWb5DkTvb`+ |
| 48 `8Y6xwJLJAQ04PflFeCdBXBxvqVgHbGflYD9OZlNGhUeE40pFpGBPOt4
KGxCI`) |
| 49 |
| 50 envelope, back, err := deserializeForTest(ctx, tok, signer) |
| 51 So(err, ShouldBeNil) |
| 52 So(back, ShouldResemble, original) |
| 53 So(envelope.KeyId, ShouldEqual, "f9da5a0d0903bda58c6d664e3852a89
c283d7fe9") |
| 54 }) |
| 55 } |
| 56 |
| 57 func deserializeForTest(c context.Context, tok string, signer signing.Signer) (*
tokenserver.OAuthTokenGrantEnvelope, *tokenserver.OAuthTokenGrantBody, error) { |
| 58 blob, err := base64.RawURLEncoding.DecodeString(tok) |
| 59 if err != nil { |
| 60 return nil, nil, err |
| 61 } |
| 62 env := &tokenserver.OAuthTokenGrantEnvelope{} |
| 63 if err = proto.Unmarshal(blob, env); err != nil { |
| 64 return nil, nil, err |
| 65 } |
| 66 |
| 67 // See tokensigning.Signer. We prepend tokenSigningContext (+ \x00) befo
re |
| 68 // a message to be signed. |
| 69 bytesToCheck := []byte(tokenSigningContext) |
| 70 bytesToCheck = append(bytesToCheck, 0) |
| 71 bytesToCheck = append(bytesToCheck, env.TokenBody...) |
| 72 |
| 73 certs, err := signer.Certificates(c) |
| 74 if err != nil { |
| 75 return nil, nil, err |
| 76 } |
| 77 if err = certs.CheckSignature(env.KeyId, bytesToCheck, env.Pkcs1Sha256Si
g); err != nil { |
| 78 return nil, nil, err |
| 79 } |
| 80 |
| 81 body := &tokenserver.OAuthTokenGrantBody{} |
| 82 if err = proto.Unmarshal(env.TokenBody, body); err != nil { |
| 83 return nil, nil, err |
| 84 } |
| 85 return env, body, nil |
| 86 } |
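Review bot: Only the accept path is exercised: every assertion in TestSignGrant is ShouldBeNil/ShouldEqual on a well-formed token, so a regression that turned SignGrant or certs.CheckSignature into a no-op, or made the signature cover the wrong bytes, would still pass this file. Since deserializeForTest already reproduces the `tokenSigningContext` + `\x00` framing and calls CheckSignature before unmarshalling the body, a second case that decodes the envelope, flips one byte of `env.TokenBody`, re-encodes it and expects an error from deserializeForTest would pin down that the signature actually binds the body (the error should then come from the signature check, not from a parse failure, though that ordering is only what this test helper shows). The exact expected-token literal in the ShouldEqual also pins proto wire bytes, which works as a regression guard but will break on any non-semantic change in proto serialization; a comment to that effect would save the next person a confusing failure.
```go
	Convey("Rejects a tampered body", t, func() {
		ctx := context.Background()
		signer := signingtest.NewSigner(0, nil)

		tok, err := SignGrant(ctx, signer, &tokenserver.OAuthTokenGrantBody{TokenId: 123})
		So(err, ShouldBeNil)

		// Re-open the envelope, corrupt the signed payload, and seal it again
		// without re-signing; Pkcs1Sha256Sig must no longer verify.
		blob, err := base64.RawURLEncoding.DecodeString(tok)
		So(err, ShouldBeNil)
		env := &tokenserver.OAuthTokenGrantEnvelope{}
		So(proto.Unmarshal(blob, env), ShouldBeNil)
		env.TokenBody[len(env.TokenBody)/2] ^= 0x01
		blob, err = proto.Marshal(env)
		So(err, ShouldBeNil)

		_, _, err = deserializeForTest(ctx, base64.RawURLEncoding.EncodeToString(blob), signer)
		So(err, ShouldNotBeNil)
	})
```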