
Side by Side Diff: tokenserver/appengine/impl/serviceaccounts/rpc_inspect_oauth_token_grant_test.go

Issue 2999483002: tokenserver: Implement InspectOAuthTokenGrant RPC. (Closed)
Patch Set: Created 3 years, 4 months ago
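--- /dev/null
+++ b/tokenserver/appengine/impl/serviceaccounts/rpc_inspect_oauth_token_grant_test.go
@@ -0,0 +1,127 @@
+// Copyright 2017 The LUCI Authors.
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package serviceaccounts
+
+import (
+"encoding/base64"
+"testing"
+"time"
+
+"golang.org/x/net/context"
+
+"github.com/golang/protobuf/proto"
+"github.com/luci/luci-go/common/clock"
+"github.com/luci/luci-go/common/clock/testclock"
+"github.com/luci/luci-go/common/proto/google"
+"github.com/luci/luci-go/server/auth/signing/signingtest"
+
+"github.com/luci/luci-go/tokenserver/api"
+"github.com/luci/luci-go/tokenserver/api/admin/v1"
+
+. "github.com/smartystreets/goconvey/convey"
+)
+
+func TestInspectOAuthTokenGrant(t *testing.T) {
+ctx := context.Background()
+ctx, tc := testclock.UseTime(ctx, testclock.TestTimeUTC)
+
+rpc := InspectOAuthTokenGrantRPC{
+Signer: signingtest.NewSigner(0, nil),
+}
+
+original := &tokenserver.OAuthTokenGrantBody{
+TokenId: 123,
+ServiceAccount: "serviceaccount@robots.com",
+Proxy: "user:proxy@example.com",
+EndUser: "user:enduser@example.com",
+IssuedAt: google.NewTimestamp(clock.Now(ctx)),
+ValidityDuration: 3600,
+}
+
+tok, _ := SignGrant(ctx, rpc.Signer, original)
+
+Convey("Happy path", t, func() {
+resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{
+Token: tok,
+})
+So(err, ShouldBeNil)
+So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
+Valid: true,
+Signed: true,
+NonExpired: true,
+SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7fe9" ,
+TokenBody: original,
+})
+})
+
+Convey("Not base64", t, func() {
+resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{
+Token: "@@@@@@@@@@@@@",
+})
+So(err, ShouldBeNil)
+So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
+InvalidityReason: "not base64 - illegal base64 data at i nput byte 0",
+})
+})
+
+Convey("Not valid envelope proto", t, func() {
+resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{
+Token: "zzzz",
+})
+So(err, ShouldBeNil)
+So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
+InvalidityReason: "can't unmarshal the envelope - proto: can't skip unknown wire type 7 for tokenserver.OAuthTokenGrantEnvelope",
+})
+})
+
+Convey("Bad signature", t, func() {
+env, _, _ := deserializeForTest(ctx, tok, rpc.Signer)
+env.Pkcs1Sha256Sig = []byte("lalala")
+blob, _ := proto.Marshal(env)
+tok := base64.RawURLEncoding.EncodeToString(blob)
+
+resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{
+Token: tok,
+})
+So(err, ShouldBeNil)
+
+So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
+Valid: false,
+Signed: false,
+NonExpired: true,
+InvalidityReason: "bad signature - crypto/rsa: verificat ion error",
+SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7 fe9",
+TokenBody: original,
+})
+})
+
+Convey("Expired", t, func() {
+tc.Add(2 * time.Hour)
+
+resp, err := rpc.InspectOAuthTokenGrant(ctx, &admin.InspectOAuth TokenGrantRequest{
+Token: tok,
+})
+So(err, ShouldBeNil)
+
+So(resp, ShouldResemble, &admin.InspectOAuthTokenGrantResponse{
+Valid: false,
+Signed: true,
+NonExpired: false,
+InvalidityReason: "expired",
+SigningKeyId: "f9da5a0d0903bda58c6d664e3852a89c283d7 fe9",
+TokenBody: original,
+})
+})
+}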
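Review bot: The "Bad signature" case only overwrites `env.Pkcs1Sha256Sig` with garbage bytes, so nothing in this test covers a token whose body was altered while the original, well-formed signature is kept, which is the case signature verification exists to reject. A further `Convey` that changes the signed body, re-serializes the envelope and expects `Signed: false` and `Valid: false` would pin that behaviour. The setup also discards errors (`tok, _ := SignGrant(...)`, `env, _, _ := deserializeForTest(...)`, `blob, _ := proto.Marshal(env)`), so a signing or decoding failure would show up as confusing mismatches in every case; `tok, err := SignGrant(ctx, rpc.Signer, original)` followed by `if err != nil { t.Fatal(err) }` fails at the cause instead. The "Expired" case advances the shared `tc` by two hours, so any case added after it would run against an already-expired token; a comment such as `// Must stay last: advances the shared test clock.` would make that ordering dependency explicit.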
