Beispiel #1
0
 def configure_as_replica(auth_db_rev=0, modified_ts=None):
     state = model.AuthReplicationState(key=model.replication_state_key(),
                                        primary_id='primary',
                                        primary_url='https://primary',
                                        auth_db_rev=auth_db_rev,
                                        modified_ts=modified_ts)
     state.put()
Beispiel #2
0
 def configure_as_replica(auth_db_rev=0, modified_ts=None):
   state = model.AuthReplicationState(
        key=model.replication_state_key(),
        primary_id='primary',
        primary_url='https://primary',
        auth_db_rev=auth_db_rev,
        modified_ts=modified_ts)
   state.put()
Beispiel #3
0
  def test_non_empty(self):
    self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1))

    state = model.AuthReplicationState(
        key=model.replication_state_key(),
        primary_id='blah',
        primary_url='https://blah',
        auth_db_rev=123)
    state.put()

    global_config = model.AuthGlobalConfig(
        key=model.root_key(),
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'),
        oauth_client_id='oauth_client_id',
        oauth_client_secret='oauth_client_secret',
        oauth_additional_client_ids=['a', 'b'])
    global_config.put()

    group = model.AuthGroup(
        key=model.group_key('Some group'),
        members=[model.Identity.from_bytes('user:[email protected]')],
        globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
        nested=[],
        description='Some description',
        created_ts=utils.utcnow(),
        created_by=model.Identity.from_bytes('user:[email protected]'),
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'))
    group.put()

    another = model.AuthGroup(
        key=model.group_key('Another group'),
        nested=['Some group'])
    another.put()

    global_secret = model.AuthSecret(
        id='global_secret',
        parent=model.secret_scope_key('global'),
        values=['1234', '5678'],
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'))
    global_secret.put()

    # Local secret should not appear in a snapshot.
    local_secret = model.AuthSecret(
        id='local_secret',
        parent=model.secret_scope_key('local'),
        values=['1234', '5678'],
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'))
    local_secret.put()

    ip_whitelist = model.AuthIPWhitelist(
        key=model.ip_whitelist_key('bots'),
        subnets=['127.0.0.1/32'],
        description='Some description',
        created_ts=utils.utcnow(),
        created_by=model.Identity.from_bytes('user:[email protected]'),
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'))
    ip_whitelist.put()

    ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
        key=model.ip_whitelist_assignments_key(),
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'),
        assignments=[
          model.AuthIPWhitelistAssignments.Assignment(
            identity=model.Identity.from_bytes('user:[email protected]'),
            ip_whitelist='bots',
            comment='some comment',
            created_ts=utils.utcnow(),
            created_by=model.Identity.from_bytes('user:[email protected]')),
        ])
    ip_whitelist_assignments.put()

    captured_state, snapshot = replication.new_auth_db_snapshot()

    expected_state =  {
      'auth_db_rev': 123,
      'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
      'primary_id': u'blah',
      'primary_url': u'https://blah',
    }
    self.assertEqual(expected_state, captured_state.to_dict())

    expected_snapshot = {
      'global_config': {
        '__id__': 'root',
        '__parent__': None,
        'auth_db_rev': None,
        'auth_db_prev_rev': None,
        'modified_by': model.Identity(kind='user', name='*****@*****.**'),
        'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
        'oauth_additional_client_ids': [u'a', u'b'],
        'oauth_client_id': u'oauth_client_id',
        'oauth_client_secret': u'oauth_client_secret',
      },
      'groups': [
        {
          '__id__': 'Another group',
          '__parent__': ndb.Key('AuthGlobalConfig', 'root'),
          'auth_db_rev': None,
          'auth_db_prev_rev': None,
          'created_by': None,
          'created_ts': None,
          'description': '',
          'globs': [],
          'members': [],
          'modified_by': None,
          'modified_ts': None,
          'nested': [u'Some group'],
        },
        {
          '__id__': 'Some group',
          '__parent__': ndb.Key('AuthGlobalConfig', 'root'),
          'auth_db_rev': None,
          'auth_db_prev_rev': None,
          'created_by': model.Identity(kind='user', name='*****@*****.**'),
          'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'description': u'Some description',
          'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')],
          'members': [model.Identity(kind='user', name='*****@*****.**')],
          'modified_by': model.Identity(
              kind='user', name='*****@*****.**'),
          'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'nested': [],
        },
      ],
      'secrets': [
        {
          '__id__': 'global_secret',
          '__parent__': ndb.Key(
              'AuthGlobalConfig', 'root', 'AuthSecretScope', 'global'),
          'modified_by': model.Identity(
              kind='user', name='*****@*****.**'),
          'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'values': ['1234', '5678'],
        },
      ],
      'ip_whitelists': [
        {
          '__id__': 'bots',
          '__parent__': ndb.Key('AuthGlobalConfig', 'root'),
          'auth_db_rev': None,
          'auth_db_prev_rev': None,
          'created_by': model.Identity(kind='user', name='*****@*****.**'),
          'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'description': u'Some description',
          'modified_by': model.Identity(
              kind='user', name='*****@*****.**'),
          'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'subnets': ['127.0.0.1/32'],
        },
      ],
      'ip_whitelist_assignments': {
        '__id__': 'default',
        '__parent__': ndb.Key('AuthGlobalConfig', 'root'),
        'assignments': [
          {
            'comment': 'some comment',
            'created_by': model.Identity(
                kind='user', name='*****@*****.**'),
            'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
            'identity': model.Identity(
                kind='user', name='*****@*****.**'),
            'ip_whitelist': 'bots',
          },
        ],
        'auth_db_rev': None,
        'auth_db_prev_rev': None,
        'modified_by': model.Identity(kind='user', name='*****@*****.**'),
        'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
      },
    }
    self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
    def test_success(self):
        self.mock_now(datetime.datetime(2015, 1, 1))

        def totimestamp(datetimeobj):
            return utils.datetime_to_timestamp(datetimeobj) / 10**6

        @ndb.tasklet
        def urlfetch(url, payload, **_rest):
            urlfetch.called = True
            self.assertEqual(
                url,
                'https://tokens.example.com/prpc/tokenserver.minter.TokenMinter/'
                'MintProjectToken')
            payload = json.loads(payload)
            self.assertEqual(payload, urlfetch.expected_payload)
            expiry = utils.utcnow() + datetime.timedelta(seconds=1800)
            res = {
                'accessToken': 'deadbeef',
                'serviceAccountEmail': '*****@*****.**',
                'expiry': expiry.isoformat('T') + 'Z',
            }

            raise ndb.Return(
                self.Response(200, json.dumps(res, sort_keys=True)))

        urlfetch.expected_payload = {
            u'luci_project': u'test-project',
            u'oauth_scope': [
                u'https://www.googleapis.com/auth/cloud-platform',
            ],
            u'min_validity_duration': 300,
            u'audit_tags': [],
        }

        urlfetch.called = False

        self.mock(service_account, '_urlfetch_async', urlfetch)

        model.AuthReplicationState(
            key=model.replication_state_key(),
            primary_url='https://auth.example.com',
            primary_id='example-app-id',
        ).put()
        model.AuthGlobalConfig(
            key=model.root_key(),
            token_server_url='https://tokens.example.com',
        ).put()

        args = {
            'project_id': 'test-project',
            'oauth_scopes': [
                u'https://www.googleapis.com/auth/cloud-platform',
            ],
            'min_validity_duration_sec': 300,
            'auth_request_func': service_account.authenticated_request_async,
        }
        result = project_tokens.project_token(**args)
        self.assertTrue(urlfetch.called)
        self.assertEqual(result['access_token'], 'deadbeef')
        self.assertEqual(
            result['exp_ts'],
            totimestamp(utils.utcnow() + datetime.timedelta(seconds=1800)))
Beispiel #5
0
  def test_non_empty(self):
    self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1))

    state = model.AuthReplicationState(
        key=model.replication_state_key(),
        primary_id='blah',
        primary_url='https://blah',
        auth_db_rev=123)
    state.put()

    global_config = model.AuthGlobalConfig(
        key=model.root_key(),
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'),
        oauth_client_id='oauth_client_id',
        oauth_client_secret='oauth_client_secret',
        oauth_additional_client_ids=['a', 'b'])
    global_config.put()

    group = model.AuthGroup(
        key=model.group_key('Some group'),
        members=[model.Identity.from_bytes('user:[email protected]')],
        globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
        nested=[],
        description='Some description',
        owners='owning-group',
        created_ts=utils.utcnow(),
        created_by=model.Identity.from_bytes('user:[email protected]'),
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'))
    group.put()

    another = model.AuthGroup(
        key=model.group_key('Another group'),
        nested=['Some group'])
    another.put()

    global_secret = model.AuthSecret(
        id='global_secret',
        parent=model.secret_scope_key('global'),
        values=['1234', '5678'],
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'))
    global_secret.put()

    # Local secret should not appear in a snapshot.
    local_secret = model.AuthSecret(
        id='local_secret',
        parent=model.secret_scope_key('local'),
        values=['1234', '5678'],
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'))
    local_secret.put()

    ip_whitelist = model.AuthIPWhitelist(
        key=model.ip_whitelist_key('bots'),
        subnets=['127.0.0.1/32'],
        description='Some description',
        created_ts=utils.utcnow(),
        created_by=model.Identity.from_bytes('user:[email protected]'),
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'))
    ip_whitelist.put()

    ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
        key=model.ip_whitelist_assignments_key(),
        modified_ts=utils.utcnow(),
        modified_by=model.Identity.from_bytes('user:[email protected]'),
        assignments=[
          model.AuthIPWhitelistAssignments.Assignment(
            identity=model.Identity.from_bytes('user:[email protected]'),
            ip_whitelist='bots',
            comment='some comment',
            created_ts=utils.utcnow(),
            created_by=model.Identity.from_bytes('user:[email protected]')),
        ])
    ip_whitelist_assignments.put()

    captured_state, snapshot = replication.new_auth_db_snapshot()

    expected_state =  {
      'auth_db_rev': 123,
      'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
      'primary_id': u'blah',
      'primary_url': u'https://blah',
    }
    self.assertEqual(expected_state, captured_state.to_dict())

    expected_snapshot = {
      'global_config': {
        '__id__': 'root',
        '__parent__': None,
        'auth_db_rev': None,
        'auth_db_prev_rev': None,
        'modified_by': model.Identity(kind='user', name='*****@*****.**'),
        'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
        'oauth_additional_client_ids': [u'a', u'b'],
        'oauth_client_id': u'oauth_client_id',
        'oauth_client_secret': u'oauth_client_secret',
      },
      'groups': [
        {
          '__id__': 'Another group',
          '__parent__': ndb.Key('AuthGlobalConfig', 'root'),
          'auth_db_rev': None,
          'auth_db_prev_rev': None,
          'created_by': None,
          'created_ts': None,
          'description': u'',
          'globs': [],
          'members': [],
          'modified_by': None,
          'modified_ts': None,
          'nested': [u'Some group'],
          'owners': u'administrators',
        },
        {
          '__id__': 'Some group',
          '__parent__': ndb.Key('AuthGlobalConfig', 'root'),
          'auth_db_rev': None,
          'auth_db_prev_rev': None,
          'created_by': model.Identity(kind='user', name='*****@*****.**'),
          'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'description': u'Some description',
          'globs': [model.IdentityGlob(kind='user', pattern='*@example.com')],
          'members': [model.Identity(kind='user', name='*****@*****.**')],
          'modified_by': model.Identity(
              kind='user', name='*****@*****.**'),
          'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'nested': [],
          'owners': u'owning-group',
        },
      ],
      'secrets': [
        {
          '__id__': 'global_secret',
          '__parent__': ndb.Key(
              'AuthGlobalConfig', 'root', 'AuthSecretScope', 'global'),
          'modified_by': model.Identity(
              kind='user', name='*****@*****.**'),
          'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'values': ['1234', '5678'],
        },
      ],
      'ip_whitelists': [
        {
          '__id__': 'bots',
          '__parent__': ndb.Key('AuthGlobalConfig', 'root'),
          'auth_db_rev': None,
          'auth_db_prev_rev': None,
          'created_by': model.Identity(kind='user', name='*****@*****.**'),
          'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'description': u'Some description',
          'modified_by': model.Identity(
              kind='user', name='*****@*****.**'),
          'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
          'subnets': [u'127.0.0.1/32'],
        },
      ],
      'ip_whitelist_assignments': {
        '__id__': 'default',
        '__parent__': ndb.Key('AuthGlobalConfig', 'root'),
        'assignments': [
          {
            'comment': u'some comment',
            'created_by': model.Identity(
                kind='user', name='*****@*****.**'),
            'created_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
            'identity': model.Identity(
                kind='user', name='*****@*****.**'),
            'ip_whitelist': u'bots',
          },
        ],
        'auth_db_rev': None,
        'auth_db_prev_rev': None,
        'modified_by': model.Identity(kind='user', name='*****@*****.**'),
        'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
      },
    }
    self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
Beispiel #6
0
    def test_success(self):
        self.mock_now(datetime.datetime(2015, 1, 1))

        @ndb.tasklet
        def urlfetch(url, payload, **_rest):
            urlfetch.called = True
            self.assertEqual(
                url,
                'https://tokens.example.com/prpc/tokenserver.minter.TokenMinter/'
                'MintDelegationToken')
            payload = json.loads(payload)
            self.assertEqual(payload, urlfetch.expected_payload)
            res = {
                'token': 'deadbeef',
                'serviceVersion': 'app-id/version-id',
                'delegationSubtoken': {
                    'kind': 'BEARER_DELEGATION_TOKEN',
                    'validityDuration': payload['validityDuration'],
                    'subtokenId': '12345',
                },
            }
            raise ndb.Return(
                self.Response(200, ")]}'\n" + json.dumps(res, sort_keys=True)))

        urlfetch.expected_payload = {
            u'audience': [
                u'REQUESTOR',
                u'group:g',
                u'user:[email protected]',
                u'user:[email protected]',
            ],
            u'services': [u'https://example.com', u'service:1', u'service:2'],
            u'delegatedIdentity':
            u'user:[email protected]',
            u'tags': [u'a:b', u'c:d'],
            u'validityDuration':
            3000,
        }
        urlfetch.called = False

        self.mock(delegation, '_urlfetch_async', urlfetch)

        model.AuthReplicationState(
            key=model.replication_state_key(),
            primary_url='https://auth.example.com',
            primary_id='example-app-id',
        ).put()
        model.AuthGlobalConfig(
            key=model.root_key(),
            token_server_url='https://tokens.example.com',
        ).put()

        args = {
            'audience': [
                'user:[email protected]',
                model.Identity('user', '*****@*****.**'),
                'group:g',
                'REQUESTOR',
            ],
            'services': [
                'service:1',
                model.Identity('service', '2'),
                'https://example.com',
            ],
            'max_validity_duration_sec':
            3000,
            'impersonate':
            model.Identity('user', '*****@*****.**'),
            'tags': ['c:d', 'a:b'],
        }
        result = delegation.delegate(**args)
        self.assertTrue(urlfetch.called)
        self.assertEqual(result.token, 'deadbeef')
        self.assertEqual(result.expiry,
                         utils.utcnow() + datetime.timedelta(seconds=3000))

        # Get from cache.
        urlfetch.called = False
        delegation.delegate(**args)
        self.assertFalse(urlfetch.called)

        # Get from cache with larger validity duration.
        urlfetch.called = False
        args['min_validity_duration_sec'] = 5000
        args['max_validity_duration_sec'] = 5000
        urlfetch.expected_payload['validityDuration'] = 5000
        result = delegation.delegate(**args)
        self.assertTrue(urlfetch.called)
        self.assertEqual(result.token, 'deadbeef')
        self.assertEqual(result.expiry,
                         utils.utcnow() + datetime.timedelta(seconds=5000))
        self.assertTrue(urlfetch.called)
Beispiel #7
0
    def test_success(self):

        model.AuthReplicationState(
            key=model.replication_state_key(),
            primary_url='https://auth.example.com',
            primary_id='example-app-id',
        ).put()
        model.AuthGlobalConfig(
            key=model.root_key(),
            token_server_url='https://tokens.example.com',
        ).put()

        calls = []

        @ndb.tasklet
        def mocked_urlfetch_async(*args, **_):
            mocked_urlfetch_async.called = True
            calls.append(('urlfetch', args))
            expiry = utils.utcnow() + datetime.timedelta(seconds=1800)
            res = {
                'accessToken': 'someaccesstoken',
                'serviceAccountEmail': '*****@*****.**',
                'expiry': expiry.isoformat('T') + 'Z'
            }
            raise ndb.Return(
                self.Response(200, json.dumps(res, sort_keys=True)))

        self.mock(service_account, '_urlfetch_async', mocked_urlfetch_async)

        # non-cached
        token = service_account.get_project_access_token(
            project_id='project1',
            scopes=['https://www.googleapis.com/auth/cloud-platform'],
        )
        self.assertEqual(token[0], 'someaccesstoken')
        self.assertEqual(
            token[1],
            self.totimestamp(utils.utcnow() +
                             datetime.timedelta(seconds=1800)))
        self.assertTrue(mocked_urlfetch_async.called)
        mocked_urlfetch_async.called = False

        # cached
        token = service_account.get_project_access_token(
            project_id='project1',
            scopes=['https://www.googleapis.com/auth/cloud-platform'],
        )
        self.assertEqual(token[0], 'someaccesstoken')
        self.assertEqual(
            token[1],
            self.totimestamp(utils.utcnow() +
                             datetime.timedelta(seconds=1800)))
        self.assertFalse(mocked_urlfetch_async.called)

        # cache expired
        token = service_account.get_project_access_token(
            project_id='project1',
            scopes=['https://www.googleapis.com/auth/cloud-platform'],
            min_lifetime_sec=1800,
        )
        self.assertEqual(token[0], 'someaccesstoken')
        self.assertEqual(
            token[1],
            self.totimestamp(utils.utcnow() +
                             datetime.timedelta(seconds=1800)))
        self.assertTrue(mocked_urlfetch_async.called)
Beispiel #8
0
    def test_success(self):
        self.mock_now(datetime.datetime(2015, 1, 1))

        @ndb.tasklet
        def urlfetch(url, payload, **_rest):
            urlfetch.called = True
            self.assertEqual(
                url,
                'https://example.com/auth_service/api/v1/delegation/token/create'
            )
            payload = json.loads(payload)
            self.assertEqual(payload, urlfetch.expected_payload)
            res = {
                'delegation_token': 'deadbeef',
                'validity_duration': payload['validity_duration'],
            }
            raise ndb.Return(
                self.Response(200, json.dumps(res, sort_keys=True)))

        urlfetch.expected_payload = {
            'audience': [
                'group:g',
                'user:[email protected]',
                'user:[email protected]',
            ],
            'services': ['service:1', 'service:2'],
            'validity_duration': 3000,
            'impersonate': 'user:[email protected]',
        }
        urlfetch.called = False

        self.mock(delegation, '_urlfetch_async', urlfetch)

        model.AuthReplicationState(
            key=model.replication_state_key(),
            primary_url='https://example.com',
            primary_id='example-app-id',
        ).put()

        args = {
            'audience': [
                'user:[email protected]',
                model.Identity('user', '*****@*****.**'),
                'group:g',
            ],
            'services': ['service:1',
                         model.Identity('service', '2')],
            'max_validity_duration_sec':
            3000,
            'impersonate':
            model.Identity('user', '*****@*****.**'),
        }
        result = delegation.delegate(**args)
        self.assertTrue(urlfetch.called)
        self.assertEqual(result.token, 'deadbeef')
        self.assertEqual(result.expiry,
                         utils.utcnow() + datetime.timedelta(seconds=3000))

        # Get from cache.
        urlfetch.called = False
        delegation.delegate(**args)  # must not increase urlfetch.call_count
        self.assertFalse(urlfetch.called)

        # Get from cache with larger validity duration.
        urlfetch.called = False
        args['min_validity_duration_sec'] = 5000
        args['max_validity_duration_sec'] = 5000
        urlfetch.expected_payload['validity_duration'] = 5000
        result = delegation.delegate(**args)
        self.assertTrue(urlfetch.called)
        self.assertEqual(result.token, 'deadbeef')
        self.assertEqual(result.expiry,
                         utils.utcnow() + datetime.timedelta(seconds=5000))
        self.assertTrue(urlfetch.called)
  def test_success(self):
    self.mock_now(datetime.datetime(2015, 1, 1))

    @ndb.tasklet
    def urlfetch(url, payload, **_rest):
      urlfetch.called = True
      self.assertEqual(
          url,
          'https://example.com/auth_service/api/v1/delegation/token/create')
      payload = json.loads(payload)
      self.assertEqual(payload, urlfetch.expected_payload)
      res = {
        'delegation_token': 'deadbeef',
        'validity_duration': payload['validity_duration'],
      }
      raise ndb.Return(self.Response(200, json.dumps(res, sort_keys=True)))

    urlfetch.expected_payload = {
      'audience': [
        'user:[email protected]',
        'user:[email protected]',
        'group:g'
      ],
      'services': ['service:1', 'service:2'],
      'validity_duration': 3000,
      'impersonate': 'user:[email protected]',
    }
    urlfetch.called = False

    self.mock(delegation, '_urlfetch_async', urlfetch)

    model.AuthReplicationState(
        key=model.replication_state_key(),
        primary_url='https://example.com'
    ).put()

    args = {
      'audience': [
        'user:[email protected]',
        model.Identity('user', '*****@*****.**'),
        'group:g',
      ],
      'services': [
        'service:1',
        model.Identity('service', '2')
      ],
      'max_validity_duration_sec': 3000,
      'impersonate': model.Identity('user', '*****@*****.**'),
    }
    result = delegation.delegate(**args)
    self.assertTrue(urlfetch.called)
    self.assertEqual(result.token, 'deadbeef')
    self.assertEqual(
        result.expiry, utils.utcnow() + datetime.timedelta(seconds=3000))

    # Get from cache.
    urlfetch.called = False
    delegation.delegate(**args)  # must not increase urlfetch.call_count
    self.assertFalse(urlfetch.called)

    # Get from cache with larger validity duration.
    urlfetch.called = False
    args['min_validity_duration_sec'] = 5000
    args['max_validity_duration_sec'] = 5000
    urlfetch.expected_payload['validity_duration'] = 5000
    result = delegation.delegate(**args)
    self.assertTrue(urlfetch.called)
    self.assertEqual(result.token, 'deadbeef')
    self.assertEqual(
        result.expiry, utils.utcnow() + datetime.timedelta(seconds=5000))
    self.assertTrue(urlfetch.called)
    def test_non_empty(self):
        self.mock_now(datetime.datetime(2014, 1, 1, 1, 1, 1))

        state = model.AuthReplicationState(key=model.replication_state_key(),
                                           primary_id='blah',
                                           primary_url='https://blah',
                                           auth_db_rev=123)
        state.put()

        global_config = model.AuthGlobalConfig(
            key=model.root_key(),
            modified_ts=utils.utcnow(),
            modified_by=model.Identity.from_bytes('user:[email protected]'),
            oauth_client_id='oauth_client_id',
            oauth_client_secret='oauth_client_secret',
            oauth_additional_client_ids=['a', 'b'],
            token_server_url='https://token-server',
            security_config='security config blob')
        global_config.put()

        group = model.AuthGroup(
            key=model.group_key('Some group'),
            members=[model.Identity.from_bytes('user:[email protected]')],
            globs=[model.IdentityGlob.from_bytes('user:*@example.com')],
            nested=[],
            description='Some description',
            owners='owning-group',
            created_ts=utils.utcnow(),
            created_by=model.Identity.from_bytes('user:[email protected]'),
            modified_ts=utils.utcnow(),
            modified_by=model.Identity.from_bytes('user:[email protected]'))
        group.put()

        another = model.AuthGroup(key=model.group_key('Another group'),
                                  nested=['Some group'])
        another.put()

        ip_whitelist = model.AuthIPWhitelist(
            key=model.ip_whitelist_key('bots'),
            subnets=['127.0.0.1/32'],
            description='Some description',
            created_ts=utils.utcnow(),
            created_by=model.Identity.from_bytes('user:[email protected]'),
            modified_ts=utils.utcnow(),
            modified_by=model.Identity.from_bytes('user:[email protected]'))
        ip_whitelist.put()

        ip_whitelist_assignments = model.AuthIPWhitelistAssignments(
            key=model.ip_whitelist_assignments_key(),
            modified_ts=utils.utcnow(),
            modified_by=model.Identity.from_bytes('user:[email protected]'),
            assignments=[
                model.AuthIPWhitelistAssignments.Assignment(
                    identity=model.Identity.from_bytes(
                        'user:[email protected]'),
                    ip_whitelist='bots',
                    comment='some comment',
                    created_ts=utils.utcnow(),
                    created_by=model.Identity.from_bytes(
                        'user:[email protected]')),
            ])
        ip_whitelist_assignments.put()

        realms_globals = model.AuthRealmsGlobals(
            key=model.realms_globals_key(),
            permissions=[
                realms_pb2.Permission(name='luci.dev.p1'),
                realms_pb2.Permission(name='luci.dev.p2'),
            ])
        realms_globals.put()

        model.AuthProjectRealms(key=model.project_realms_key('proj_id1'),
                                realms=realms_pb2.Realms(api_version=1234),
                                config_rev='rev1',
                                perms_rev='rev1').put()
        model.AuthProjectRealms(key=model.project_realms_key('proj_id2'),
                                realms=realms_pb2.Realms(api_version=1234),
                                config_rev='rev2',
                                perms_rev='rev2').put()

        captured_state, snapshot = replication.new_auth_db_snapshot()

        expected_state = {
            'auth_db_rev': 123,
            'modified_ts': datetime.datetime(2014, 1, 1, 1, 1, 1),
            'primary_id': u'blah',
            'primary_url': u'https://blah',
            'shard_ids': [],
        }
        self.assertEqual(expected_state, captured_state.to_dict())

        expected_snapshot = {
            'global_config': {
                '__id__':
                'root',
                '__parent__':
                None,
                'auth_db_rev':
                None,
                'auth_db_prev_rev':
                None,
                'modified_by':
                model.Identity(kind='user', name='*****@*****.**'),
                'modified_ts':
                datetime.datetime(2014, 1, 1, 1, 1, 1),
                'oauth_additional_client_ids': [u'a', u'b'],
                'oauth_client_id':
                u'oauth_client_id',
                'oauth_client_secret':
                u'oauth_client_secret',
                'security_config':
                'security config blob',
                'token_server_url':
                u'https://token-server',
            },
            'groups': [
                {
                    '__id__': 'Another group',
                    '__parent__': ndb.Key('AuthGlobalConfig', 'root'),
                    'auth_db_rev': None,
                    'auth_db_prev_rev': None,
                    'created_by': None,
                    'created_ts': None,
                    'description': u'',
                    'globs': [],
                    'members': [],
                    'modified_by': None,
                    'modified_ts': None,
                    'nested': [u'Some group'],
                    'owners': u'administrators',
                },
                {
                    '__id__':
                    'Some group',
                    '__parent__':
                    ndb.Key('AuthGlobalConfig', 'root'),
                    'auth_db_rev':
                    None,
                    'auth_db_prev_rev':
                    None,
                    'created_by':
                    model.Identity(kind='user', name='*****@*****.**'),
                    'created_ts':
                    datetime.datetime(2014, 1, 1, 1, 1, 1),
                    'description':
                    u'Some description',
                    'globs':
                    [model.IdentityGlob(kind='user', pattern='*@example.com')],
                    'members':
                    [model.Identity(kind='user', name='*****@*****.**')],
                    'modified_by':
                    model.Identity(kind='user', name='*****@*****.**'),
                    'modified_ts':
                    datetime.datetime(2014, 1, 1, 1, 1, 1),
                    'nested': [],
                    'owners':
                    u'owning-group',
                },
            ],
            'ip_whitelists': [
                {
                    '__id__':
                    'bots',
                    '__parent__':
                    ndb.Key('AuthGlobalConfig', 'root'),
                    'auth_db_rev':
                    None,
                    'auth_db_prev_rev':
                    None,
                    'created_by':
                    model.Identity(kind='user', name='*****@*****.**'),
                    'created_ts':
                    datetime.datetime(2014, 1, 1, 1, 1, 1),
                    'description':
                    u'Some description',
                    'modified_by':
                    model.Identity(kind='user', name='*****@*****.**'),
                    'modified_ts':
                    datetime.datetime(2014, 1, 1, 1, 1, 1),
                    'subnets': [u'127.0.0.1/32'],
                },
            ],
            'ip_whitelist_assignments': {
                '__id__':
                'default',
                '__parent__':
                ndb.Key('AuthGlobalConfig', 'root'),
                'assignments': [
                    {
                        'comment':
                        u'some comment',
                        'created_by':
                        model.Identity(kind='user',
                                       name='*****@*****.**'),
                        'created_ts':
                        datetime.datetime(2014, 1, 1, 1, 1, 1),
                        'identity':
                        model.Identity(kind='user',
                                       name='*****@*****.**'),
                        'ip_whitelist':
                        u'bots',
                    },
                ],
                'auth_db_rev':
                None,
                'auth_db_prev_rev':
                None,
                'modified_by':
                model.Identity(kind='user', name='*****@*****.**'),
                'modified_ts':
                datetime.datetime(2014, 1, 1, 1, 1, 1),
            },
            'realms_globals': {
                '__id__':
                'globals',
                '__parent__':
                ndb.Key('AuthGlobalConfig', 'root'),
                'auth_db_prev_rev':
                None,
                'auth_db_rev':
                None,
                'modified_by':
                None,
                'modified_ts':
                None,
                'permissions': [
                    realms_pb2.Permission(name='luci.dev.p1'),
                    realms_pb2.Permission(name='luci.dev.p2'),
                ],
            },
            'project_realms': [{
                '__id__':
                'proj_id1',
                '__parent__':
                ndb.Key('AuthGlobalConfig', 'root'),
                'auth_db_prev_rev':
                None,
                'auth_db_rev':
                None,
                'config_rev':
                u'rev1',
                'perms_rev':
                u'rev1',
                'modified_by':
                None,
                'modified_ts':
                None,
                'realms':
                realms_pb2.Realms(api_version=1234),
            }, {
                '__id__':
                'proj_id2',
                '__parent__':
                ndb.Key('AuthGlobalConfig', 'root'),
                'auth_db_prev_rev':
                None,
                'auth_db_rev':
                None,
                'config_rev':
                u'rev2',
                'perms_rev':
                u'rev2',
                'modified_by':
                None,
                'modified_ts':
                None,
                'realms':
                realms_pb2.Realms(api_version=1234),
            }],
        }
        self.assertEqual(expected_snapshot, snapshot_to_dict(snapshot))
Beispiel #11
0
def mock_replication_state(auth_db_rev):
    return model.AuthReplicationState(key=model.replication_state_key(),
                                      primary_id='primary-id',
                                      auth_db_rev=auth_db_rev)