def test_active_service_account_in_ds(self):
expected_json = 'fake service account json'
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(
None, self._mock_sam_api(real_user_id, "*****@*****.**"),
self._mock_oauth_adapter("fake_token"), provider_name)
TokenStore.save(real_user_id, "fake_refresh_token",
datetime.datetime.now(), "*****@*****.**", provider_name)
fsa_key = ftvm._fence_service_account_key(real_user_id)
stored_fsa = FenceServiceAccount(key_json=expected_json,
expires_at=datetime.datetime.now() +
datetime.timedelta(days=5),
update_lock_timeout=None,
key=fsa_key)
stored_fsa.put()
self.assertIsNone(memcache.get(namespace=provider_name,
key=caller_uid))
service_account_json = ftvm.get_service_account_key_json(
UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
self.assertEqual(expected_json, service_account_json)
self.assertIsNotNone(
memcache.get(namespace=provider_name, key=caller_uid))
def test_no_service_account(self):
expected_json = 'fake service account json'
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(self._mock_fence_api(expected_json),
self._mock_sam_api(real_user_id, "*****@*****.**"),
self._mock_oauth_adapter("fake_token"), provider_name)
TokenStore.save(real_user_id, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name)
self.assertIsNone(memcache.get(namespace=provider_name, key=caller_uid))
fsa_key = ftvm._fence_service_account_key(real_user_id)
self.assertIsNone(fsa_key.get())
service_account_json = ftvm.get_service_account_key_json(
UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
self.assertEqual(expected_json, service_account_json)
self.assertIsNotNone(memcache.get(namespace=provider_name, key=caller_uid))
stored_fsa = fsa_key.get()
self.assertIsNotNone(stored_fsa)
self.assertIsNone(stored_fsa.update_lock_timeout)
self.assertEqual(expected_json, stored_fsa.key_json)
self.assertGreater(stored_fsa.expires_at, datetime.datetime.now())
def test_no_service_account(self):
expected_json = 'fake service account json'
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(
self._mock_fence_api(expected_json),
self._mock_sam_api(real_user_id, "*****@*****.**"),
self._mock_oauth_adapter("fake_token"), provider_name)
TokenStore.save(real_user_id, "fake_refresh_token",
datetime.datetime.now(), "*****@*****.**", provider_name)
self.assertIsNone(memcache.get(namespace=provider_name,
key=caller_uid))
fsa_key = ftvm._fence_service_account_key(real_user_id)
self.assertIsNone(fsa_key.get())
service_account_json = ftvm.get_service_account_key_json(
UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
self.assertEqual(expected_json, service_account_json)
self.assertIsNotNone(
memcache.get(namespace=provider_name, key=caller_uid))
stored_fsa = fsa_key.get()
self.assertIsNotNone(stored_fsa)
self.assertIsNone(stored_fsa.update_lock_timeout)
self.assertEqual(expected_json, stored_fsa.key_json)
self.assertGreater(stored_fsa.expires_at, datetime.datetime.now())
def _test_with_lock(self, lock_timeout, update_fsa_fxn=None, api_json=None):
expected_json = 'fake service account json'
if not api_json:
api_json = expected_json
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(self._mock_fence_api(api_json), self._mock_sam_api(real_user_id, "*****@*****.**"),
self._mock_oauth_adapter("fake_token"), provider_name)
TokenStore.save(real_user_id, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name)
fsa_key = ftvm._fence_service_account_key(real_user_id)
stored_fsa = FenceServiceAccount(key_json="expired json",
expires_at=datetime.datetime.now() - datetime.timedelta(days=5),
update_lock_timeout=lock_timeout,
key=fsa_key)
stored_fsa.put()
self.assertIsNone(memcache.get(namespace=provider_name, key=caller_uid))
if update_fsa_fxn:
threading.Thread(target=update_fsa_fxn, args=(fsa_key, expected_json)).start()
service_account_json = ftvm.get_service_account_key_json(
UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
self.assertEqual(expected_json, service_account_json)
self.assertIsNotNone(memcache.get(namespace=provider_name, key=caller_uid))
stored_fsa = fsa_key.get()
self.assertIsNotNone(stored_fsa)
self.assertIsNone(stored_fsa.update_lock_timeout)
self.assertEqual(expected_json, stored_fsa.key_json)
self.assertGreater(stored_fsa.expires_at, datetime.datetime.now())
def test_not_linked(self):
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(None, self._mock_sam_api(real_user_id, "*****@*****.**"), None, provider_name)
self.assertIsNone(memcache.get(namespace=provider_name, key=caller_uid))
fsa_key = ftvm._fence_service_account_key(real_user_id)
self.assertIsNone(fsa_key.get())
with self.assertRaises(endpoints.BadRequestException):
ftvm.get_service_account_key_json(UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
def test_not_linked(self):
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(
None, self._mock_sam_api(real_user_id, "*****@*****.**"), None,
provider_name)
self.assertIsNone(memcache.get(namespace=provider_name,
key=caller_uid))
fsa_key = ftvm._fence_service_account_key(real_user_id)
self.assertIsNone(fsa_key.get())
with self.assertRaises(endpoints.BadRequestException):
ftvm.get_service_account_key_json(
UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
def setUp(self):
super(BondTestCase, self).setUp()
self.testbed = testbed.Testbed()
self.testbed.activate()
self.testbed.init_datastore_v3_stub()
self.testbed.init_memcache_stub()
self.name = "Bob McBob"
self.issued_at_epoch = 1528896868
self.expires_at_epoch = 1529081182
self.fake_access_token = str(uuid.uuid4())
self.user_id = str(uuid.uuid4())
data = {"context": {"user": {"name": self.name}}, 'iat': self.issued_at_epoch}
encoded_jwt = jwt.encode(data, 'secret', 'HS256')
fake_token_dict = {FenceKeys.ACCESS_TOKEN_KEY: self.fake_access_token,
FenceKeys.REFRESH_TOKEN_KEY: str(uuid.uuid4()),
FenceKeys.ID_TOKEN: encoded_jwt,
FenceKeys.EXPIRES_AT_KEY: self.expires_at_epoch}
mock_oauth_adapter = OauthAdapter("foo", "bar", "baz", "qux")
mock_oauth_adapter.exchange_authz_code = MagicMock(return_value=fake_token_dict)
mock_oauth_adapter.refresh_access_token = MagicMock(return_value=fake_token_dict)
mock_oauth_adapter.revoke_refresh_token = MagicMock()
fence_api = self._mock_fence_api(json.dumps({"private_key_id": "asfasdfasdf"}))
sam_api = self._mock_sam_api(self.user_id, "email")
self.bond = Bond(mock_oauth_adapter, fence_api, sam_api,
FenceTokenVendingMachine(fence_api, sam_api, mock_oauth_adapter, provider_name),
provider_name, "/context/user/name")
def test_active_service_account_in_mc(self):
expected_json = 'fake service account json'
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(None, None, None, provider_name) # none of the apis should be called
memcache.add(namespace=provider_name, key=caller_uid, value=expected_json, time=20)
fsa_key = ftvm._fence_service_account_key(real_user_id)
self.assertIsNone(fsa_key.get())
service_account_json = ftvm.get_service_account_key_json(
UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
self.assertEqual(expected_json, service_account_json)
self.assertIsNone(fsa_key.get())
def _test_with_lock(self,
lock_timeout,
update_fsa_fxn=None,
api_json=None):
expected_json = 'fake service account json'
if not api_json:
api_json = expected_json
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(
self._mock_fence_api(api_json),
self._mock_sam_api(real_user_id, "*****@*****.**"),
self._mock_oauth_adapter("fake_token"), provider_name)
TokenStore.save(real_user_id, "fake_refresh_token",
datetime.datetime.now(), "*****@*****.**", provider_name)
fsa_key = ftvm._fence_service_account_key(real_user_id)
stored_fsa = FenceServiceAccount(key_json="expired json",
expires_at=datetime.datetime.now() -
datetime.timedelta(days=5),
update_lock_timeout=lock_timeout,
key=fsa_key)
stored_fsa.put()
self.assertIsNone(memcache.get(namespace=provider_name,
key=caller_uid))
if update_fsa_fxn:
threading.Thread(target=update_fsa_fxn,
args=(fsa_key, expected_json)).start()
service_account_json = ftvm.get_service_account_key_json(
UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
self.assertEqual(expected_json, service_account_json)
self.assertIsNotNone(
memcache.get(namespace=provider_name, key=caller_uid))
stored_fsa = fsa_key.get()
self.assertIsNotNone(stored_fsa)
self.assertIsNone(stored_fsa.update_lock_timeout)
self.assertEqual(expected_json, stored_fsa.key_json)
self.assertGreater(stored_fsa.expires_at, datetime.datetime.now())
def test_active_service_account_in_mc(self):
expected_json = 'fake service account json'
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(
None, None, None,
provider_name) # none of the apis should be called
memcache.add(namespace=provider_name,
key=caller_uid,
value=expected_json,
time=20)
fsa_key = ftvm._fence_service_account_key(real_user_id)
self.assertIsNone(fsa_key.get())
service_account_json = ftvm.get_service_account_key_json(
UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
self.assertEqual(expected_json, service_account_json)
self.assertIsNone(fsa_key.get())
def test_active_service_account_in_ds(self):
expected_json = 'fake service account json'
caller_uid = self._random_subject_id()
real_user_id = self._random_subject_id()
ftvm = FenceTokenVendingMachine(None, self._mock_sam_api(real_user_id, "*****@*****.**"),
self._mock_oauth_adapter("fake_token"), provider_name)
TokenStore.save(real_user_id, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name)
fsa_key = ftvm._fence_service_account_key(real_user_id)
stored_fsa = FenceServiceAccount(key_json=expected_json,
expires_at=datetime.datetime.now() + datetime.timedelta(days=5),
update_lock_timeout=None,
key=fsa_key)
stored_fsa.put()
self.assertIsNone(memcache.get(namespace=provider_name, key=caller_uid))
service_account_json = ftvm.get_service_account_key_json(
UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
self.assertEqual(expected_json, service_account_json)
self.assertIsNotNone(memcache.get(namespace=provider_name, key=caller_uid))
def test_exchange_authz_code_missing_token(self):
data = {"context": {"user": {"name": self.name}}, 'iat': self.issued_at_epoch}
encoded_jwt = jwt.encode(data, 'secret', 'HS256')
fake_token_dict = {FenceKeys.ACCESS_TOKEN_KEY: self.fake_access_token,
FenceKeys.ID_TOKEN: encoded_jwt,
FenceKeys.EXPIRES_AT_KEY: self.expires_at_epoch}
mock_oauth_adapter = OauthAdapter("foo", "bar", "baz", "qux")
mock_oauth_adapter.exchange_authz_code = MagicMock(return_value=fake_token_dict)
mock_oauth_adapter.refresh_access_token = MagicMock(return_value=fake_token_dict)
mock_oauth_adapter.revoke_refresh_token = MagicMock()
fence_api = self._mock_fence_api(json.dumps({"private_key_id": "asfasdfasdf"}))
sam_api = self._mock_sam_api(self.user_id, "email")
bond = Bond(mock_oauth_adapter, fence_api, sam_api,
FenceTokenVendingMachine(fence_api, sam_api, mock_oauth_adapter, provider_name),
provider_name, "/context/user/name")
with self.assertRaises(endpoints.BadRequestException):
bond.exchange_authz_code("irrelevantString", "redirect", UserInfo(str(uuid.uuid4()), "", "", 30))
def create_provider(provider_name):
client_id = config.get(provider_name, 'CLIENT_ID')
client_secret = config.get(provider_name, 'CLIENT_SECRET')
open_id_config_url = config.get(provider_name,
'OPEN_ID_CONFIG_URL')
fence_base_url = config.get(provider_name, 'FENCE_BASE_URL')
user_name_path_expr = config.get(provider_name,
'USER_NAME_PATH_EXPR')
sam_base_url = config.get('sam', 'BASE_URL')
oauth_adapter = OauthAdapter(client_id, client_secret,
open_id_config_url, provider_name)
fence_api = FenceApi(fence_base_url)
sam_api = SamApi(sam_base_url)
fence_tvm = FenceTokenVendingMachine(fence_api, sam_api,
oauth_adapter, provider_name)
return BondProvider(
fence_tvm,
Bond(oauth_adapter, fence_api, sam_api, fence_tvm,
provider_name, user_name_path_expr))