
Side by Side Diff: tokenserver/appengine/impl/serviceaccounts/config_validation_test.go

Issue 2997433002: tokenserver: Validate and parse service_accounts.cfg rules. (Closed)
Patch Set: tokenserver: Validate and parse service_accounts.cfg rules. Created 3 years, 4 months ago
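--- a/tokenserver/appengine/impl/serviceaccounts/config_validation_test.go
+++ b/tokenserver/appengine/impl/serviceaccounts/config_validation_test.go
@@ -1,10 +1,10 @@
 // Copyright 2017 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 // http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
@@ -33,57 +33,157 @@
 cases := []struct {
 Cfg string
 Errors []string
 }{
 {
 Cfg: `
 rules {
 name: "rule 1"
 owner: "developer@example.com"
 service_account: "abc@robots.com"
-» » » » » allowed_scope: "https://scope"
+» » » » » allowed_scope: "https://www.googleapis.c om/scope"
 end_user: "user:abc@example.com"
-» » » » » end_user: "group:group-name"
+» » » » » end_user: "group:enduser-group"
 proxy: "user:proxy@example.com"
+proxy: "group:proxy-group"
 max_grant_validity_duration: 3600
 }
 
 rules {
 name: "rule 2"
 owner: "developer@example.com"
 service_account: "def@robots.com"
-» » » » » allowed_scope: "https://scope"
+» » » » » allowed_scope: "https://www.googleapis.c om/scope"
 end_user: "user:abc@example.com"
-» » » » » end_user: "group:group-name"
+» » » » » end_user: "group:enduser-group"
 proxy: "user:proxy@example.com"
+proxy: "group:proxy-group"
 max_grant_validity_duration: 3600
 }
 `,
 },
 
-» » // TODO(vadimsh): Add more cases.
+» » // Minimal config.
+» » {
+» » » Cfg: `
+» » » » rules {
+» » » » » name: "rule 1"
+» » » » }
+» » » `,
+» » },
+
+» » {
+» » » Cfg: `
+» » » » rules {
+» » » » » name: "rule 1"
+» » » » }
+» » » » rules {
+» » » » » name: "rule 1"
+» » » » }
+» » » `,
+» » » Errors: []string{"two rules with identical name"},
+» » },
+
+» » {
+» » » Cfg: `
+» » » » rules {
+» » » » » name: "rule 1"
+» » » » » service_account: "abc@robots.com"
+» » » » }
+» » » » rules {
+» » » » » name: "rule 2"
+» » » » » service_account: "abc@robots.com"
+» » » » }
+» » » `,
+» » » Errors: []string{"mentioned by more than one rule"},
+» » },
+
+» » {
+» » » Cfg: `
+» » » » rules {
+» » » » » service_account: "abc@robots.com"
+» » » » }
+» » » `,
+» » » Errors: []string{`"name" is required`},
+» » },
+
+» » {
+» » » Cfg: `
+» » » » rules {
+» » » » » name: "rule 1"
+» » » » » service_account: "not an email"
+» » » » }
+» » » `,
+» » » Errors: []string{"bad value"},
+» » },
+
+» » {
+» » » Cfg: `
+» » » » rules {
+» » » » » name: "rule 1"
+» » » » » allowed_scope: "not a scope"
+» » » » }
+» » » `,
+» » » Errors: []string{"bad scope"},
+» » },
+
+» » {
+» » » Cfg: `
+» » » » rules {
+» » » » » name: "rule 1"
+» » » » » end_user: "group:"
+» » » » » end_user: "user:not an email"
+» » » » }
+» » » `,
+» » » Errors: []string{"bad group entry", "bad value"},
+» » },
+
+» » {
+» » » Cfg: `
+» » » » rules {
+» » » » » name: "rule 1"
+» » » » » proxy: "group:"
+» » » » » proxy: "user:not an email"
+» » » » }
+» » » `,
+» » » Errors: []string{"bad group entry", "bad value"},
+» » },
+
+» » {
+» » » Cfg: `
+» » » » rules {
+» » » » » name: "rule 1"
+» » » » » max_grant_validity_duration: -1
+» » » » }
+» » » » rules {
+» » » » » name: "rule 2"
+» » » » » max_grant_validity_duration: 10000000
+» » » » }
+» » » `,
+» » » Errors: []string{"must be positive", "must not exceed"},
+» » },
 }
 
 Convey("Validation works", t, func(c C) {
 for idx, cs := range cases {
 c.Printf("Case #%d\n", idx)
 
 cfg := &admin.ServiceAccountsPermissions{}
 err := proto.UnmarshalText(cs.Cfg, cfg)
 So(err, ShouldBeNil)
 
 ctx := validation.Context{}
 validateConfigs(policy.ConfigBundle{serviceAccountsCfg: cfg}, &ctx)
 verr := ctx.Finalize()
 
 if len(cs.Errors) == 0 { // no errors expected
 So(verr, ShouldBeNil)
 } else {
 verr := verr.(*validation.Error)
 So(len(verr.Errors), ShouldEqual, len(cs.Errors) )
 for i, err := range verr.Errors {
 So(err, ShouldErrLike, cs.Errors[i])
 }
 }
 }
 })
 }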
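Review bot: The expected strings in the new negative cases are too generic to pin which field was rejected: `"bad value"` is the only expectation for the bad `service_account` case and is reused for the `end_user` and `proxy` cases, and `"bad group entry"` is shared by both of those. Because `ShouldErrLike` is given only these substrings, a validator that rejected the wrong field of a rule would still pass, which matters for rules that decide who may obtain service-account tokens. If the validator's messages carry the field or rule name (not visible on this page), the expectations should match on that too. The two-error cases are also compared by index in the loop at the end of the function, so they depend on the order in which errors are emitted; a comment such as `// Expected errors are listed in the order the validator reports them.` above the `Errors` field would document that. The test function begins in the skipped lines before this hunk.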