
Side by Side Diff: tokenserver/appengine/impl/serviceaccounts/config_test.go

Issue 2997433002: tokenserver: Validate and parse service_accounts.cfg rules. (Closed)
Patch Set: tokenserver: Validate and parse service_accounts.cfg rules. Created 3 years, 4 months ago
OLDNEW
1 // Copyright 2017 The LUCI Authors. 1 // Copyright 2017 The LUCI Authors.
2 // 2 //
3 // Licensed under the Apache License, Version 2.0 (the "License"); 3 // Licensed under the Apache License, Version 2.0 (the "License");
4 // you may not use this file except in compliance with the License. 4 // you may not use this file except in compliance with the License.
5 // You may obtain a copy of the License at 5 // You may obtain a copy of the License at
6 // 6 //
7 // http://www.apache.org/licenses/LICENSE-2.0 7 // http://www.apache.org/licenses/LICENSE-2.0
8 // 8 //
9 // Unless required by applicable law or agreed to in writing, software 9 // Unless required by applicable law or agreed to in writing, software
10 // distributed under the License is distributed on an "AS IS" BASIS, 10 // distributed under the License is distributed on an "AS IS" BASIS,
11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 11 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
12 // See the License for the specific language governing permissions and 12 // See the License for the specific language governing permissions and
13 // limitations under the License. 13 // limitations under the License.
14 14
15 package serviceaccounts 15 package serviceaccounts
16 16
17 import ( 17 import (
18 "sort"
18 "testing" 19 "testing"
19 20
20 "github.com/golang/protobuf/proto" 21 "github.com/golang/protobuf/proto"
21 22
22 "github.com/luci/luci-go/tokenserver/api/admin/v1" 23 "github.com/luci/luci-go/tokenserver/api/admin/v1"
23 "github.com/luci/luci-go/tokenserver/appengine/impl/utils/policy" 24 "github.com/luci/luci-go/tokenserver/appengine/impl/utils/policy"
24 25
25 . "github.com/smartystreets/goconvey/convey" 26 . "github.com/smartystreets/goconvey/convey"
26 ) 27 )
27 28
28 func TestRules(t *testing.T) { 29 func TestRules(t *testing.T) {
29 t.Parallel() 30 t.Parallel()
30 31
31 Convey("Loads", t, func() { 32 Convey("Loads", t, func() {
32 cfg, err := loadConfig(` 33 cfg, err := loadConfig(`
33 rules { 34 rules {
34 name: "rule 1" 35 name: "rule 1"
35 owner: "developer@example.com" 36 owner: "developer@example.com"
36 service_account: "abc@robots.com" 37 service_account: "abc@robots.com"
37 » » » » allowed_scope: "https://scope" 38 » » » » service_account: "def@robots.com"
39 » » » » allowed_scope: "https://www.googleapis.com/scope 1"
40 » » » » allowed_scope: "https://www.googleapis.com/scope 2"
38 end_user: "user:abc@example.com" 41 end_user: "user:abc@example.com"
39 » » » » end_user: "group:group-name" 42 » » » » end_user: "group:enduser-group"
40 proxy: "user:proxy@example.com" 43 proxy: "user:proxy@example.com"
41 » » » » max_grant_validity_duration: 3600 44 » » » » proxy: "group:proxy-group"
45 » » » }
46 » » » rules {
47 » » » » name: "rule 2"
48 » » » » service_account: "xyz@robots.com"
42 } 49 }
43 `) 50 `)
44 So(err, ShouldBeNil) 51 So(err, ShouldBeNil)
45 So(cfg, ShouldNotBeNil) 52 So(cfg, ShouldNotBeNil)
53
54 rule := cfg.Rule("abc@robots.com")
55 So(rule, ShouldNotBeNil)
56 So(rule.Rule.Name, ShouldEqual, "rule 1")
57
58 scopes := rule.AllowedScopes.ToSlice()
59 sort.Strings(scopes)
60 So(scopes, ShouldResemble, []string{
61 "https://www.googleapis.com/scope1",
62 "https://www.googleapis.com/scope2",
63 })
64
65 So(rule.EndUsers.ToStrings(), ShouldResemble, []string{
66 "group:enduser-group",
67 "user:abc@example.com",
68 })
69 So(rule.Proxies.ToStrings(), ShouldResemble, []string{
70 "group:proxy-group",
71 "user:proxy@example.com",
72 })
73 So(rule.Rule.MaxGrantValidityDuration, ShouldEqual, 24*3600)
74
75 So(cfg.Rule("def@robots.com").Rule.Name, ShouldEqual, "rule 1")
76 So(cfg.Rule("xyz@robots.com").Rule.Name, ShouldEqual, "rule 2")
77 So(cfg.Rule("unknown@robots.com"), ShouldBeNil)
46 }) 78 })
47 } 79 }
48 80
49 func loadConfig(text string) (*Rules, error) { 81 func loadConfig(text string) (*Rules, error) {
50 cfg := &admin.ServiceAccountsPermissions{} 82 cfg := &admin.ServiceAccountsPermissions{}
51 err := proto.UnmarshalText(text, cfg) 83 err := proto.UnmarshalText(text, cfg)
52 if err != nil { 84 if err != nil {
53 return nil, err 85 return nil, err
54 } 86 }
55 rules, err := prepareRules(policy.ConfigBundle{serviceAccountsCfg: cfg}, "fake-revision") 87 rules, err := prepareRules(policy.ConfigBundle{serviceAccountsCfg: cfg}, "fake-revision")
56 if err != nil { 88 if err != nil {
57 return nil, err 89 return nil, err
58 } 90 }
59 return rules.(*Rules), nil 91 return rules.(*Rules), nil
60 } 92 }
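Review bot: The explicit `max_grant_validity_duration: 3600` entry is dropped from the fixture (old line 41), so the only assertion left on this field (new line 73) checks the 24-hour default, and nothing pins that a shorter configured lifetime is honored rather than replaced by that default. Since this value bounds how long a grant stays valid, consider setting `max_grant_validity_duration: 3600` in "rule 2" and adding `So(cfg.Rule("xyz@robots.com").Rule.MaxGrantValidityDuration, ShouldEqual, 3600)`. "rule 2" also lists no allowed_scope, end_user or proxy entries, so the test would be stronger if it asserted that the scope, end-user and proxy sets for xyz@robots.com are empty, showing that a rule which lists nothing grants nothing. The chained calls on new lines 75-76 dereference the result of `cfg.Rule(...)` without a nil check, so a missing rule would surface as a panic rather than a failed assertion.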