def fake_token_proto():
"""Just a fake envelope to test base64 serialization."""
return delegation_pb2.DelegationToken(
serialized_subtoken='serialized_subtoken',
signer_id='signer_id',
signing_key_id='signing_key_id',
pkcs1_sha256_sig='pkcs1_sha256_sig')
def test_delegation_token(self):
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = tokens.base64_encode(tok_pb.SerializeToString())
# Valid delegation token.
state, ctx = self.call(
'ipv4:127.0.0.1', '*****@*****.**', {'X-Delegation-Token-V1': tok})
self.assertEqual(state, CapturedState(
current_identity='user:[email protected]',
is_superuser=False,
peer_identity='user:[email protected]',
peer_ip=ipaddr.ip_from_string('127.0.0.1'),
delegation_token=subtoken,
))
# Invalid delegation token.
state, ctx = self.call(
'ipv4:127.0.0.1', '*****@*****.**', {'X-Delegation-Token-V1': tok + 'blah'})
self.assertIsNone(state)
self.assertEqual(ctx.code, prpclib.StatusCode.PERMISSION_DENIED)
self.assertEqual(
ctx.details, 'Bad delegation token: Bad proto: Truncated message.')
def test_delegation_token(self):
# No delegation.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, self.call_with_tokens())
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = tokens.base64_encode(tok_pb.SerializeToString())
# Valid delegation token.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, self.call_with_tokens(delegation_tok=tok))
# Invalid delegation token.
with self.assertRaises(api.AuthorizationError):
self.call_with_tokens(delegation_tok=tok + 'blah')
def seal_token(subtoken):
serialized = subtoken.SerializeToString()
signing_key_id, pkcs1_sha256_sig = signature.sign_blob(serialized, 0.5)
return delegation_pb2.DelegationToken(
serialized_subtoken=serialized,
signer_id=model.get_service_self_identity().to_bytes(),
signing_key_id=signing_key_id,
pkcs1_sha256_sig=pkcs1_sha256_sig)
def test_delegation_token(self):
call = self.make_test_app_with_peer('user:[email protected]')
# No delegation.
self.assertEqual(
{
'status': 200,
'body': {
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]',
},
}, call())
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = b64.encode(tok_pb.SerializeToString())
# With valid delegation token.
self.assertEqual(
{
'status': 200,
'body': {
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]',
},
}, call({'X-Delegation-Token-V1': tok}))
# With invalid delegation token.
resp = call({'X-Delegation-Token-V1': tok + 'blah'})
self.assertEqual(403, resp['status'])
self.assertIn('Bad delegation token', resp['body'])
# Transient error.
def mocked_check(*_args):
raise delegation.TransientError('Blah')
self.mock(delegation, 'check_bearer_delegation_token', mocked_check)
resp = call({'X-Delegation-Token-V1': tok})
self.assertEqual(500, resp['status'])
self.assertIn('Blah', resp['body'])
def test_delegation_token(self):
def call(tok=None):
headers = {'X-Delegation-Token-V1': tok} if tok else None
self.call('127.0.0.1', '*****@*****.**', headers)
return {
'cur_id': api.get_current_identity().to_bytes(),
'peer_id': api.get_current_identity().to_bytes(),
}
# No delegation.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, call())
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = tokens.base64_encode(tok_pb.SerializeToString())
# Valid delegation token.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, call(tok))
# Invalid delegation token.
with self.assertRaises(api.AuthorizationError):
call(tok + 'blah')
def test_delegation_token(self):
peer_ident = model.Identity.from_bytes('user:[email protected]')
class Handler(handler.AuthenticatingHandler):
@classmethod
def get_auth_methods(cls, conf):
return [lambda _request: (peer_ident, False)]
@api.public
def get(self):
self.response.write(
json.dumps({
'peer_id': api.get_peer_identity().to_bytes(),
'cur_id': api.get_current_identity().to_bytes(),
}))
app = self.make_test_app('/request', Handler)
def call(headers=None):
return json.loads(app.get('/request', headers=headers).body)
# No delegation.
self.assertEqual(
{
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]'
}, call())
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = tokens.base64_encode(tok_pb.SerializeToString())
# With valid delegation token.
self.assertEqual(
{
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]'
}, call({'X-Delegation-Token-V1': tok}))
# With invalid delegation token.
r = app.get('/request',
headers={'X-Delegation-Token-V1': tok + 'blah'},
expect_errors=True)
self.assertEqual(403, r.status_int)
# Transient error.
def mocked_check(*_args):
raise delegation.TransientError('Blah')
self.mock(delegation, 'check_bearer_delegation_token', mocked_check)
r = app.get('/request',
headers={'X-Delegation-Token-V1': tok},
expect_errors=True)
self.assertEqual(500, r.status_int)