| OLD | NEW |
|---|---|
| 1 // Copyright 2017 The LUCI Authors. | 1 // Copyright 2017 The LUCI Authors. |
| 2 // | 2 // |
| 3 // Licensed under the Apache License, Version 2.0 (the "License"); | 3 // Licensed under the Apache License, Version 2.0 (the "License"); |
| 4 // you may not use this file except in compliance with the License. | 4 // you may not use this file except in compliance with the License. |
| 5 // You may obtain a copy of the License at | 5 // You may obtain a copy of the License at |
| 6 // | 6 // |
| 7 // http://www.apache.org/licenses/LICENSE-2.0 | 7 // http://www.apache.org/licenses/LICENSE-2.0 |
| 8 // | 8 // |
| 9 // Unless required by applicable law or agreed to in writing, software | 9 // Unless required by applicable law or agreed to in writing, software |
| 10 // distributed under the License is distributed on an "AS IS" BASIS, | 10 // distributed under the License is distributed on an "AS IS" BASIS, |
| 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. |
| 12 // See the License for the specific language governing permissions and | 12 // See the License for the specific language governing permissions and |
| 13 // limitations under the License. | 13 // limitations under the License. |
| 14 | 14 |
| 15 package serviceaccounts | 15 package serviceaccounts |
| 16 | 16 |
| 17 import ( | 17 import ( |
| 18 "sort" | |
| 18 "testing" | 19 "testing" |
| 19 | 20 |
| 20 "github.com/golang/protobuf/proto" | 21 "github.com/golang/protobuf/proto" |
| 21 | 22 |
| 22 "github.com/luci/luci-go/tokenserver/api/admin/v1" | 23 "github.com/luci/luci-go/tokenserver/api/admin/v1" |
| 23 "github.com/luci/luci-go/tokenserver/appengine/impl/utils/policy" | 24 "github.com/luci/luci-go/tokenserver/appengine/impl/utils/policy" |
| 24 | 25 |
| 25 . "github.com/smartystreets/goconvey/convey" | 26 . "github.com/smartystreets/goconvey/convey" |
| 26 ) | 27 ) |
| 27 | 28 |
| 28 func TestRules(t *testing.T) { | 29 func TestRules(t *testing.T) { |
| 29 t.Parallel() | 30 t.Parallel() |
| 30 | 31 |
| 31 Convey("Loads", t, func() { | 32 Convey("Loads", t, func() { |
| 32 cfg, err := loadConfig(` | 33 cfg, err := loadConfig(` |
| 33 rules { | 34 rules { |
| 34 name: "rule 1" | 35 name: "rule 1" |
| 35 owner: "developer@example.com" | 36 owner: "developer@example.com" |
| 36 service_account: "abc@robots.com" | 37 service_account: "abc@robots.com" |
| 37 » » » » allowed_scope: "https://scope" | 38 » » » » service_account: "def@robots.com" |
| 39 » » » » allowed_scope: "https://www.googleapis.com/scope 1" | |
| 40 » » » » allowed_scope: "https://www.googleapis.com/scope 2" | |
| 38 end_user: "user:abc@example.com" | 41 end_user: "user:abc@example.com" |
| 39 end_user: "group:group-name" | 42 end_user: "group:group-name" |
| 40 proxy: "user:proxy@example.com" | 43 proxy: "user:proxy@example.com" |
| 41 » » » » max_grant_validity_duration: 3600 | 44 » » » » proxy: "group:zzz" |
|
smut
2017/08/04 23:07:36
Can you make this group:proxy-group or something,
Vadim Sh.
2017/08/04 23:37:52
Done.
| |
| 45 » » » } | |
| 46 » » » rules { | |
| 47 » » » » name: "rule 2" | |
| 48 » » » » service_account: "xyz@robots.com" | |
| 42 } | 49 } |
| 43 `) | 50 `) |
| 44 So(err, ShouldBeNil) | 51 So(err, ShouldBeNil) |
| 45 So(cfg, ShouldNotBeNil) | 52 So(cfg, ShouldNotBeNil) |
| 53 | |
| 54 rule := cfg.Rule("abc@robots.com") | |
| 55 So(rule, ShouldNotBeNil) | |
| 56 So(rule.Rule.Name, ShouldEqual, "rule 1") | |
| 57 | |
| 58 scopes := rule.AllowedScopes.ToSlice() | |
| 59 sort.Strings(scopes) | |
| 60 So(scopes, ShouldResemble, []string{ | |
| 61 "https://www.googleapis.com/scope1", | |
| 62 "https://www.googleapis.com/scope2", | |
| 63 }) | |
| 64 | |
| 65 So(rule.EndUsers.ToStrings(), ShouldResemble, []string{ | |
| 66 "group:group-name", | |
| 67 "user:abc@example.com", | |
| 68 }) | |
| 69 So(rule.Proxies.ToStrings(), ShouldResemble, []string{ | |
| 70 "group:zzz", | |
| 71 "user:proxy@example.com", | |
| 72 }) | |
| 73 So(rule.Rule.MaxGrantValidityDuration, ShouldEqual, 24*3600) | |
| 74 | |
| 75 So(cfg.Rule("def@robots.com").Rule.Name, ShouldEqual, "rule 1") | |
| 76 So(cfg.Rule("xyz@robots.com").Rule.Name, ShouldEqual, "rule 2") | |
| 77 So(cfg.Rule("unknown@robots.com"), ShouldBeNil) | |
| 46 }) | 78 }) |
| 47 } | 79 } |
| 48 | 80 |
| 49 func loadConfig(text string) (*Rules, error) { | 81 func loadConfig(text string) (*Rules, error) { |
| 50 cfg := &admin.ServiceAccountsPermissions{} | 82 cfg := &admin.ServiceAccountsPermissions{} |
| 51 err := proto.UnmarshalText(text, cfg) | 83 err := proto.UnmarshalText(text, cfg) |
| 52 if err != nil { | 84 if err != nil { |
| 53 return nil, err | 85 return nil, err |
| 54 } | 86 } |
| 55 rules, err := prepareRules(policy.ConfigBundle{serviceAccountsCfg: cfg}, "fake-revision") | 87 rules, err := prepareRules(policy.ConfigBundle{serviceAccountsCfg: cfg}, "fake-revision") |
| 56 if err != nil { | 88 if err != nil { |
| 57 return nil, err | 89 return nil, err |
| 58 } | 90 } |
| 59 return rules.(*Rules), nil | 91 return rules.(*Rules), nil |
| 60 } | 92 } |
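Review bot: The assertion on new line 73 expects `24*3600` although the new fixture no longer sets `max_grant_validity_duration` (the old fixture set it to 3600), so the test now pins what appears to be a default without saying so and no longer covers an explicitly configured limit. Because this value bounds how long a grant for a service account stays valid, I would add `// max_grant_validity_duration is unset above, so the default applies.` above the assertion and give "rule 2" an explicit `max_grant_validity_duration: 3600` with a matching `So(...)` check. As rendered on this page the fixture scopes read `.../scope 1` and `.../scope 2` while the expected slice holds `.../scope1` and `.../scope2`; this may be a rendering artifact, but it is worth confirming that fixture and expectation agree. The lookups on new lines 75-76 dereference `cfg.Rule(...)` directly, so a missing rule would surface as a nil-pointer panic rather than a failed assertion; a `So(r, ShouldNotBeNil)` first would give a clearer failure.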