def test_negative_validatity_duration(self):
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]',
validity_duration=-3600),
])
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_not_active_yet(self):
now = int(utils.time_time())
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto(
'user:[email protected]', creation_time=now+120),
])
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_expired(self):
now = int(utils.time_time())
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto(
'user:[email protected]', creation_time=now-120, validity_duration=60),
])
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_not_active_yet(self):
now = int(utils.time_time())
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]',
creation_time=now + 120),
])
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_expired(self):
now = int(utils.time_time())
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]',
creation_time=now - 120,
validity_duration=60),
])
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_expiration_moment(self):
now = utils.utcnow()
self.mock_now(now)
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]', validity_duration=3600),
])
# Active at now + 3599.
self.mock_now(now, 3599)
self.assertTrue(delegation.check_subtoken_list(toks, FAKE_IDENT))
# Expired at now + 3601.
self.mock_now(now, 3601)
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_allowed_clock_drift(self):
now = utils.utcnow()
self.mock_now(now)
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]'),
])
# Works -29 sec before activation.
self.mock_now(now, -29)
self.assertTrue(delegation.check_subtoken_list(toks, FAKE_IDENT))
# Doesn't work before that.
self.mock_now(now, -31)
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_allowed_clock_drift(self):
now = utils.utcnow()
self.mock_now(now)
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]'),
])
# Works -29 sec before activation.
self.mock_now(now, -29)
self.assertTrue(delegation.check_subtoken_list(toks, FAKE_IDENT))
# Doesn't work before that.
self.mock_now(now, -31)
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_subtoken_services(self):
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]',
services=['service:app-id']),
])
# Passes.
self.mock(model, 'get_service_self_identity',
lambda: model.Identity.from_bytes('service:app-id'))
self.assertTrue(delegation.check_subtoken_list(toks, FAKE_IDENT))
# Fails.
self.mock(model, 'get_service_self_identity',
lambda: model.Identity.from_bytes('service:another-app-id'))
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_expiration_moment(self):
now = utils.utcnow()
self.mock_now(now)
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]',
validity_duration=3600),
])
# Active at now + 3599.
self.mock_now(now, 3599)
self.assertTrue(delegation.check_subtoken_list(toks, FAKE_IDENT))
# Expired at now + 3601.
self.mock_now(now, 3601)
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_subtoken_services(self):
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto(
'user:[email protected]', services=['service:app-id']),
])
# Passes.
self.mock(
model, 'get_service_self_identity',
lambda: model.Identity.from_bytes('service:app-id'))
self.assertTrue(delegation.check_subtoken_list(toks, FAKE_IDENT))
# Fails.
self.mock(
model, 'get_service_self_identity',
lambda: model.Identity.from_bytes('service:another-app-id'))
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_subtoken_audience(self):
groups = {'abc': ['user:[email protected]']}
self.mock(api, 'is_group_member',
lambda g, i: i.to_bytes() in groups.get(g, []))
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]',
audience=['user:[email protected]', 'group:abc']),
])
# Works.
make_id = model.Identity.from_bytes
self.assertTrue(
delegation.check_subtoken_list(toks, make_id('user:[email protected]')))
self.assertTrue(
delegation.check_subtoken_list(toks, make_id('user:[email protected]')))
# Other ids are rejected.
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, make_id('user:[email protected]'))
def test_subtoken_audience(self):
groups = {'abc': ['user:[email protected]']}
self.mock(
api, 'is_group_member', lambda g, i: i.to_bytes() in groups.get(g, []))
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto(
'user:[email protected]', audience=['user:[email protected]', 'group:abc']),
])
# Works.
make_id = model.Identity.from_bytes
self.assertTrue(
delegation.check_subtoken_list(toks, make_id('user:[email protected]')))
self.assertTrue(
delegation.check_subtoken_list(toks, make_id('user:[email protected]')))
# Other ids are rejected.
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, make_id('user:[email protected]'))
def test_token_chain(self):
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto(
'user:[email protected]', audience=['user:[email protected]']),
fake_subtoken_proto(
'user:[email protected]', audience=['user:[email protected]']),
])
make_id = model.Identity.from_bytes
ident = delegation.check_subtoken_list(toks, make_id('user:[email protected]'))
self.assertEqual(make_id('user:[email protected]'), ident)
def test_token_chain(self):
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]',
audience=['user:[email protected]']),
fake_subtoken_proto('user:[email protected]',
audience=['user:[email protected]']),
])
make_id = model.Identity.from_bytes
ident = delegation.check_subtoken_list(toks,
make_id('user:[email protected]'))
self.assertEqual(make_id('user:[email protected]'), ident)
def test_negative_validatity_duration(self):
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]', validity_duration=-3600),
])
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken_list(toks, FAKE_IDENT)
def test_passes_validation(self):
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]'),
])
ident = delegation.check_subtoken_list(toks, FAKE_IDENT)
self.assertEqual('user:[email protected]', ident.to_bytes())
def test_passes_validation(self):
toks = delegation_pb2.SubtokenList(subtokens=[
fake_subtoken_proto('user:[email protected]'),
])
ident = delegation.check_subtoken_list(toks, FAKE_IDENT)
self.assertEqual('user:[email protected]', ident.to_bytes())
