tokenserver/appengine/impl/serviceaccounts/config_validation_test.go - Issue 2997433002: tokenserver: Validate and parse service_accounts.cfg rules.

Side by Side Diff: tokenserver/appengine/impl/serviceaccounts/config_validation_test.go

Issue 2997433002: tokenserver: Validate and parse service_accounts.cfg rules. (Closed)

Patch Set: tokenserver: Validate and parse service_accounts.cfg rules. Created 3 years, 4 months ago

Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.

Jump to:

« no previous file with comments | « tokenserver/appengine/impl/serviceaccounts/config_validation.go ('k') | tokenserver/appengine/impl/serviceaccounts/rpc_import_service_accounts_configs_test.go » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Hide Comments ('s')

OLD	NEW
1 // Copyright 2017 The LUCI Authors.	1 // Copyright 2017 The LUCI Authors.

2 //	2 //

3 // Licensed under the Apache License, Version 2.0 (the "License");	3 // Licensed under the Apache License, Version 2.0 (the "License");

4 // you may not use this file except in compliance with the License.	4 // you may not use this file except in compliance with the License.

5 // You may obtain a copy of the License at	5 // You may obtain a copy of the License at

6 //	6 //

7 // http://www.apache.org/licenses/LICENSE-2.0	7 // http://www.apache.org/licenses/LICENSE-2.0

8 //	8 //

9 // Unless required by applicable law or agreed to in writing, software	9 // Unless required by applicable law or agreed to in writing, software

10 // distributed under the License is distributed on an "AS IS" BASIS,	10 // distributed under the License is distributed on an "AS IS" BASIS,

(...skipping 22 matching lines...) Expand all Loading...
33 cases := []struct {	33 cases := []struct {

34 Cfg string	34 Cfg string

35 Errors []string	35 Errors []string

36 }{	36 }{

37 {	37 {

38 Cfg: `	38 Cfg: `

39 rules {	39 rules {

40 name: "rule 1"	40 name: "rule 1"

41 owner: "developer@example.com"	41 owner: "developer@example.com"

42 service_account: "abc@robots.com"	42 service_account: "abc@robots.com"

43 » » » » » allowed_scope: "https://scope"	43 » » » » » allowed_scope: "https://www.googleapis.c om/scope"

44 end_user: "user:abc@example.com"	44 end_user: "user:abc@example.com"

45 » » » » » end_user: "group:group-name"	45 » » » » » end_user: "group:enduser-group"

46 proxy: "user:proxy@example.com"	46 proxy: "user:proxy@example.com"

	47 proxy: "group:proxy-group"

47 max_grant_validity_duration: 3600	48 max_grant_validity_duration: 3600

48 }	49 }

49	50

50 rules {	51 rules {

51 name: "rule 2"	52 name: "rule 2"

52 owner: "developer@example.com"	53 owner: "developer@example.com"

53 service_account: "def@robots.com"	54 service_account: "def@robots.com"

54 » » » » » allowed_scope: "https://scope"	55 » » » » » allowed_scope: "https://www.googleapis.c om/scope"

55 end_user: "user:abc@example.com"	56 end_user: "user:abc@example.com"

56 » » » » » end_user: "group:group-name"	57 » » » » » end_user: "group:enduser-group"

57 proxy: "user:proxy@example.com"	58 proxy: "user:proxy@example.com"

	59 proxy: "group:proxy-group"

58 max_grant_validity_duration: 3600	60 max_grant_validity_duration: 3600

59 }	61 }

60 `,	62 `,

61 },	63 },

62	64

63 » » // TODO(vadimsh): Add more cases.	65 » » // Minimal config.

	66 » » {

	67 » » » Cfg: `

	68 » » » » rules {

	69 » » » » » name: "rule 1"

	70 » » » » }

	71 » » » `,

	72 » » },

	73

	74 » » {

	75 » » » Cfg: `

	76 » » » » rules {

	77 » » » » » name: "rule 1"

	78 » » » » }

	79 » » » » rules {

	80 » » » » » name: "rule 1"

	81 » » » » }

	82 » » » `,

	83 » » » Errors: []string{"two rules with identical name"},

	84 » » },

	85

	86 » » {

	87 » » » Cfg: `

	88 » » » » rules {

	89 » » » » » name: "rule 1"

	90 » » » » » service_account: "abc@robots.com"

	91 » » » » }

	92 » » » » rules {

	93 » » » » » name: "rule 2"

	94 » » » » » service_account: "abc@robots.com"

	95 » » » » }

	96 » » » `,

	97 » » » Errors: []string{"mentioned by more than one rule"},

	98 » » },

	99

	100 » » {

	101 » » » Cfg: `

	102 » » » » rules {

	103 » » » » » service_account: "abc@robots.com"

	104 » » » » }

	105 » » » `,

	106 » » » Errors: []string{`"name" is required`},

	107 » » },

	108

	109 » » {

	110 » » » Cfg: `

	111 » » » » rules {

	112 » » » » » name: "rule 1"

	113 » » » » » service_account: "not an email"

	114 » » » » }

	115 » » » `,

	116 » » » Errors: []string{"bad value"},

	117 » » },

	118

	119 » » {

	120 » » » Cfg: `

	121 » » » » rules {

	122 » » » » » name: "rule 1"

	123 » » » » » allowed_scope: "not a scope"

	124 » » » » }

	125 » » » `,

	126 » » » Errors: []string{"bad scope"},

	127 » » },

	128

	129 » » {

	130 » » » Cfg: `

	131 » » » » rules {

	132 » » » » » name: "rule 1"

	133 » » » » » end_user: "group:"

	134 » » » » » end_user: "user:not an email"

	135 » » » » }

	136 » » » `,

	137 » » » Errors: []string{"bad group entry", "bad value"},

	138 » » },

	139

	140 » » {

	141 » » » Cfg: `

	142 » » » » rules {

	143 » » » » » name: "rule 1"

	144 » » » » » proxy: "group:"

	145 » » » » » proxy: "user:not an email"

	146 » » » » }

	147 » » » `,

	148 » » » Errors: []string{"bad group entry", "bad value"},

	149 » » },

	150

	151 » » {

	152 » » » Cfg: `

	153 » » » » rules {

	154 » » » » » name: "rule 1"

	155 » » » » » max_grant_validity_duration: -1

	156 » » » » }

	157 » » » » rules {

	158 » » » » » name: "rule 2"

	159 » » » » » max_grant_validity_duration: 10000000

	160 » » » » }

	161 » » » `,

	162 » » » Errors: []string{"must be positive", "must not exceed"},

	163 » » },

64 }	164 }

65	165

66 Convey("Validation works", t, func(c C) {	166 Convey("Validation works", t, func(c C) {

67 for idx, cs := range cases {	167 for idx, cs := range cases {

68 c.Printf("Case #%d\n", idx)	168 c.Printf("Case #%d\n", idx)

69	169

70 cfg := &admin.ServiceAccountsPermissions{}	170 cfg := &admin.ServiceAccountsPermissions{}

71 err := proto.UnmarshalText(cs.Cfg, cfg)	171 err := proto.UnmarshalText(cs.Cfg, cfg)

72 So(err, ShouldBeNil)	172 So(err, ShouldBeNil)

73	173

74 ctx := validation.Context{}	174 ctx := validation.Context{}

75 validateConfigs(policy.ConfigBundle{serviceAccountsCfg: cfg}, &ctx)	175 validateConfigs(policy.ConfigBundle{serviceAccountsCfg: cfg}, &ctx)

76 verr := ctx.Finalize()	176 verr := ctx.Finalize()

77	177

78 if len(cs.Errors) == 0 { // no errors expected	178 if len(cs.Errors) == 0 { // no errors expected

79 So(verr, ShouldBeNil)	179 So(verr, ShouldBeNil)

80 } else {	180 } else {

81 verr := verr.(*validation.Error)	181 verr := verr.(*validation.Error)

82 So(len(verr.Errors), ShouldEqual, len(cs.Errors) )	182 So(len(verr.Errors), ShouldEqual, len(cs.Errors) )

83 for i, err := range verr.Errors {	183 for i, err := range verr.Errors {

84 So(err, ShouldErrLike, cs.Errors[i])	184 So(err, ShouldErrLike, cs.Errors[i])

85 }	185 }

86 }	186 }

87 }	187 }

88 })	188 })

89 }	189 }

OLD	NEW