
Side by Side Diff: tokenserver/appengine/impl/serviceaccounts/rpc_inspect_oauth_token_grant_test.go

Issue 2993763002: tokenserver: Extract rules check into a separate function. (Closed)
Patch Set: more nits Created 3 years, 4 months ago
1 // Copyright 2017 The LUCI Authors. 1 // Copyright 2017 The LUCI Authors.
2 // 2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); 3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License. 4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at 5 // You may obtain a copy of the License at
6 // 6 //
7 // http://www.apache.org/licenses/LICENSE-2.0 7 // http://www.apache.org/licenses/LICENSE-2.0
8 // 8 //
9 // Unless required by applicable law or agreed to in writing, software 9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, 10 // distributed under the License is distributed on an "AS IS" BASIS,
(...skipping 21 matching lines...) Expand all
32 32
33 . "github.com/smartystreets/goconvey/convey" 33 . "github.com/smartystreets/goconvey/convey"
34 ) 34 )
35 35
36 func TestInspectOAuthTokenGrant(t *testing.T) { 36 func TestInspectOAuthTokenGrant(t *testing.T) {
37 ctx := context.Background() 37 ctx := context.Background()
38 ctx, tc := testclock.UseTime(ctx, testclock.TestTimeUTC) 38 ctx, tc := testclock.UseTime(ctx, testclock.TestTimeUTC)
39 39
40 rpc := InspectOAuthTokenGrantRPC{ 40 rpc := InspectOAuthTokenGrantRPC{
41 Signer: signingtest.NewSigner(0, nil), 41 Signer: signingtest.NewSigner(0, nil),
42 Rules: func(context.Context) (*Rules, error) {
43 return loadConfig(`rules {
44 name: "rule 1"
45 service_account: "serviceaccount@robots.com"
46 proxy: "user:proxy@example.com"
47 end_user: "user:enduser@example.com"
48 max_grant_validity_duration: 7200
49 }`)
50 },
42 } 51 }
43 52
44 original := &tokenserver.OAuthTokenGrantBody{ 53 original := &tokenserver.OAuthTokenGrantBody{
45 TokenId: 123, 54 TokenId: 123,
46 ServiceAccount: "serviceaccount@robots.com", 55 ServiceAccount: "serviceaccount@robots.com",
47 Proxy: "user:proxy@example.com", 56 Proxy: "user:proxy@example.com",
48 EndUser: "user:enduser@example.com", 57 EndUser: "user:enduser@example.com",
49 IssuedAt: google.NewTimestamp(clock.Now(ctx)), 58 IssuedAt: google.NewTimestamp(clock.Now(ctx)),
50 ValidityDuration: 3600, 59 ValidityDuration: 3600,
51 } 60 }
52 61
62 matchingRule := &admin.ServiceAccountRule{
63 Name: "rule 1",
64 ServiceAccount: []string{"serviceaccount@robots.com"},
65 Proxy: []string{"user:proxy@example.com"},
66 EndUser: []string{"user:enduser@example.com"},
67 MaxGrantValidityDuration: 7200,
68 }
69
53 tok, _ := SignGrant(ctx, rpc.Signer, original) 70 tok, _ := SignGrant(ctx, rpc.Signer, original)
54 71
55 Convey("Happy path", t, func() { 72 Convey("Happy path", t, func() {
56 resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{ 73 resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{
57 Token: tok, 74 Token: tok,
58 }) 75 })
59 So(err, ShouldBeNil) 76 So(err, ShouldBeNil)
60 So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{ 77 So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
61 » » » Valid: true, 78 » » » Valid: true,
62 » » » Signed: true, 79 » » » Signed: true,
63 » » » NonExpired: true, 80 » » » NonExpired: true,
64 » » » SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7fe9" , 81 » » » SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7fe 9",
65 » » » TokenBody: original, 82 » » » TokenBody: original,
83 » » » AllowedByRules: true,
84 » » » MatchingRule: matchingRule,
66 }) 85 })
67 }) 86 })
68 87
69 Convey("Not base64", t, func() { 88 Convey("Not base64", t, func() {
70 resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{ 89 resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{
71 Token: "@@@@@@@@@@@@@", 90 Token: "@@@@@@@@@@@@@",
72 }) 91 })
73 So(err, ShouldBeNil) 92 So(err, ShouldBeNil)
74 So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{ 93 So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
75 InvalidityReason: "not base64 - illegal base64 data at i nput byte 0", 94 InvalidityReason: "not base64 - illegal base64 data at i nput byte 0",
(...skipping 21 matching lines...) Expand all
97 }) 116 })
98 So(err, ShouldBeNil) 117 So(err, ShouldBeNil)
99 118
100 So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{ 119 So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
101 Valid: false, 120 Valid: false,
102 Signed: false, 121 Signed: false,
103 NonExpired: true, 122 NonExpired: true,
104 InvalidityReason: "bad signature - crypto/rsa: verificat ion error", 123 InvalidityReason: "bad signature - crypto/rsa: verificat ion error",
105 SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7 fe9", 124 SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7 fe9",
106 TokenBody: original, 125 TokenBody: original,
126 AllowedByRules: true,
127 MatchingRule: matchingRule,
107 }) 128 })
108 }) 129 })
109 130
131 Convey("Now allowed by rules", t, func() {
132 another := *original
133 another.ServiceAccount = "unknown@robots.com"
134 tok, _ := SignGrant(ctx, rpc.Signer, &another)
135
136 resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{
137 Token: tok,
138 })
139 So(err, ShouldBeNil)
140 So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
141 Valid: false,
142 Signed: true,
143 NonExpired: true,
144 InvalidityReason: "not allowed by the rules",
145 SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7 fe9",
146 TokenBody: &another,
147 })
148 })
149
110 Convey("Expired", t, func() { 150 Convey("Expired", t, func() {
111 tc.Add(2 * time.Hour) 151 tc.Add(2 * time.Hour)
112 152
113 resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{ 153 resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{
114 Token: tok, 154 Token: tok,
115 }) 155 })
116 So(err, ShouldBeNil) 156 So(err, ShouldBeNil)
117 157
118 So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{ 158 So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
119 Valid: false, 159 Valid: false,
120 Signed: true, 160 Signed: true,
121 NonExpired: false, 161 NonExpired: false,
122 InvalidityReason: "expired", 162 InvalidityReason: "expired",
123 SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7 fe9", 163 SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7 fe9",
124 TokenBody: original, 164 TokenBody: original,
165 AllowedByRules: true,
166 MatchingRule: matchingRule,
125 }) 167 })
126 }) 168 })
127 } 169 }
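Review bot: The new Convey block at new line 131 is misnamed — `Convey("Now allowed by rules", ...)` should read `Convey("Not allowed by rules", ...)`, matching the `"not allowed by the rules"` InvalidityReason it asserts. In the same block the error from SignGrant is discarded (`tok, _ := SignGrant(ctx, rpc.Signer, &another)`), so a signing failure would show up as a confusing ShouldResemble mismatch instead of at its source; prefer `tok, err := SignGrant(ctx, rpc.Signer, &another)` followed by `So(err, ShouldBeNil)` (the pre-existing top-level SignGrant call at new line 70 has the same gap, though it predates this patch). The "Bad signature" expectations now carry `AllowedByRules: true` and `MatchingRule: matchingRule` alongside `Signed: false`, meaning the rules are evaluated against a token body whose signature did not verify; that looks intentional for an inspection RPC, but it deserves a comment such as `// Rules are evaluated even when the signature fails so the inspector can explain the body; Valid stays false.` so a later reader does not mistake it for a bypass. If OAuthTokenGrantBody is a generated proto message, `another := *original` is a by-value copy that shares the IssuedAt pointer and may trip go vet's copylocks check with newer protobuf generators — proto.Clone would be the safer way to derive the variant, assuming the proto package is already imported (the import block is outside the visible section).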