def test_expired(self):
    """A subtoken whose validity window is already over must be rejected.

    The token is stamped as created 120 s before the current time and is
    given a 60 s validity, and check_subtoken is expected to raise
    BadTokenError. Assuming expiry is creation_time + validity_duration,
    the window closed about 60 s ago. Rejecting such tokens is what bounds
    the useful lifetime of a leaked delegation token.
    """
    created_at = int(utils.time_time()) - 120
    stale_tok = fake_subtoken_proto(
        'user:[email protected]',
        creation_time=created_at,
        validity_duration=60)
    with self.assertRaises(delegation.BadTokenError):
        delegation.check_subtoken(stale_tok, FAKE_IDENT, api.AuthDB())
def test_allowed_clock_drift(self):
    """A token is usable slightly before its start, but only slightly.

    The token is built while the clock is mocked to a fixed instant. The
    check then succeeds with the clock moved 29 s earlier and fails with
    BadTokenError at 31 s earlier, so the tolerated skew lies between those
    two values. The tolerance covers clock differences between the issuer
    and the checker; the failing half of the test keeps it from growing
    into a window where tokens work well before they were issued.
    """
    issued_at = utils.utcnow()
    self.mock_now(issued_at)
    tok = fake_subtoken_proto('user:[email protected]')

    # 29 s ahead of activation: still inside the accepted skew.
    self.mock_now(issued_at, -29)
    accepted = delegation.check_subtoken(tok, FAKE_IDENT)
    self.assertTrue(accepted)

    # 31 s ahead of activation: outside the accepted skew.
    self.mock_now(issued_at, -31)
    with self.assertRaises(delegation.BadTokenError):
        delegation.check_subtoken(tok, FAKE_IDENT)
def test_subtoken_services(self):
    """A token limited to named services is only honoured by those services.

    The token lists 'service:app-id' as its only target service. The check
    passes while model.get_service_self_identity reports that identity and
    raises BadTokenError once it reports 'service:another-app-id'. This is
    the control that stops a token minted for one service from being
    replayed against a different one.
    """
    def listed_service():
        return model.Identity.from_bytes('service:app-id')

    def unlisted_service():
        return model.Identity.from_bytes('service:another-app-id')

    tok = fake_subtoken_proto(
        'user:[email protected]', services=['service:app-id'])

    # The checking service is the one named in the token.
    self.mock(model, 'get_service_self_identity', listed_service)
    self.assertTrue(delegation.check_subtoken(tok, FAKE_IDENT))

    # The checking service is not named in the token.
    self.mock(model, 'get_service_self_identity', unlisted_service)
    with self.assertRaises(delegation.BadTokenError):
        delegation.check_subtoken(tok, FAKE_IDENT)
def test_expiration_moment(self):
    """The token stops working once its validity_duration has elapsed.

    With a 3600 s validity the check succeeds when the mocked clock is
    3599 s past token creation and raises BadTokenError at 3601 s. The
    exact 3600 s boundary is not exercised, so this test does not say
    whether the end of the window is inclusive.
    """
    start = utils.utcnow()
    self.mock_now(start)
    tok = fake_subtoken_proto(
        'user:[email protected]', validity_duration=3600)

    # One second before the end of the window: still active.
    self.mock_now(start, 3599)
    still_valid = delegation.check_subtoken(tok, FAKE_IDENT)
    self.assertTrue(still_valid)

    # One second after the end of the window: expired.
    self.mock_now(start, 3601)
    with self.assertRaises(delegation.BadTokenError):
        delegation.check_subtoken(tok, FAKE_IDENT)
def test_subtoken_audience(self):
    """Only callers in the token's audience may use the token.

    The audience holds one identity directly and the group 'abc'.
    api.is_group_member is replaced by a lookup in a local dict, so group
    membership is fully controlled by the test. A directly listed caller
    and a member of the group are accepted; any other caller must get
    BadTokenError.

    NOTE(review): the e-mail part of every identity literal shows up as an
    obfuscation placeholder on this page, so all four identities read the
    same. As written, the "rejected" caller equals the listed audience
    member; the distinct original addresses must be restored for the last
    assertion to be meaningful.
    """
    make_id = model.Identity.from_bytes
    groups = {'abc': ['user:[email protected]']}

    def fake_is_group_member(g, i):
        # Unknown groups have no members.
        return i.to_bytes() in groups.get(g, [])

    self.mock(api, 'is_group_member', fake_is_group_member)
    tok = fake_subtoken_proto(
        'user:[email protected]',
        audience=['user:[email protected]', 'group:abc'])

    # Accepted: listed directly, then via group membership.
    direct_caller = make_id('user:[email protected]')
    self.assertTrue(delegation.check_subtoken(tok, direct_caller))
    group_caller = make_id('user:[email protected]')
    self.assertTrue(delegation.check_subtoken(tok, group_caller))

    # Anyone outside the audience is refused.
    with self.assertRaises(delegation.BadTokenError):
        delegation.check_subtoken(tok, make_id('user:[email protected]'))
def test_subtoken_audience(self):
    """Only callers in the token's audience may use the token.

    An empty AuthDB is created and its is_group_member is replaced so that
    exactly one identity is a member of group 'abc'. The AuthDB is passed
    to check_subtoken explicitly. A directly listed caller and the group
    member are accepted; any other caller must get
    exceptions.BadTokenError.

    NOTE(review): the e-mail part of every identity literal shows up as an
    obfuscation placeholder on this page, so all identities read the same.
    As written, the "rejected" caller equals the listed audience member;
    the distinct original addresses must be restored for the last
    assertion to be meaningful.
    """
    make_id = model.Identity.from_bytes
    auth_db = api.AuthDB.empty()

    def fake_is_group_member(gr, ident):
        # Membership exists for a single identity in a single group.
        return gr == 'abc' and ident.to_bytes() == 'user:[email protected]'

    self.mock(auth_db, 'is_group_member', fake_is_group_member)
    tok = fake_subtoken_proto(
        'user:[email protected]',
        audience=['user:[email protected]', 'group:abc'])

    # Accepted: listed directly, then via group membership.
    direct_caller = make_id('user:[email protected]')
    self.assertTrue(delegation.check_subtoken(tok, direct_caller, auth_db))
    group_caller = make_id('user:[email protected]')
    self.assertTrue(delegation.check_subtoken(tok, group_caller, auth_db))

    # Anyone outside the audience is refused.
    with self.assertRaises(exceptions.BadTokenError):
        delegation.check_subtoken(
            tok, make_id('user:[email protected]'), auth_db)
def test_subtoken_audience(self):
    """Only callers in the token's audience may use the token.

    Group membership comes from a real AuthDB built with one AuthGroup
    ('abc') that has a single member, rather than from a mocked
    is_group_member. A directly listed caller and the group member are
    accepted; any other caller must get BadTokenError.

    NOTE(review): the e-mail part of every identity literal shows up as an
    obfuscation placeholder on this page, so all identities read the same.
    As written, the "rejected" caller equals the listed audience member;
    the distinct original addresses must be restored for the last
    assertion to be meaningful.
    """
    group_member = model.Identity.from_bytes('user:[email protected]')
    group_abc = model.AuthGroup(id='abc', members=[group_member])
    auth_db = api.AuthDB(groups=[group_abc])
    tok = fake_subtoken_proto(
        'user:[email protected]',
        audience=['user:[email protected]', 'group:abc'])
    make_id = model.Identity.from_bytes

    # Accepted: listed directly, then via group membership.
    direct_caller = make_id('user:[email protected]')
    self.assertTrue(delegation.check_subtoken(tok, direct_caller, auth_db))
    group_caller = make_id('user:[email protected]')
    self.assertTrue(delegation.check_subtoken(tok, group_caller, auth_db))

    # Anyone outside the audience is refused.
    with self.assertRaises(delegation.BadTokenError):
        delegation.check_subtoken(
            tok, make_id('user:[email protected]'), auth_db)
def test_not_active_yet(self):
    """A subtoken stamped with a future creation time must be rejected.

    The creation time is set 120 s after the current time and
    check_subtoken is expected to raise BadTokenError. This guards against
    tokens that are pre-dated, or issued by a host whose clock runs far
    ahead, being accepted early.
    """
    starts_at = int(utils.time_time()) + 120
    future_tok = fake_subtoken_proto(
        'user:[email protected]', creation_time=starts_at)
    with self.assertRaises(delegation.BadTokenError):
        delegation.check_subtoken(future_tok, FAKE_IDENT, api.AuthDB())
def test_negative_validatity_duration(self):
    """A negative validity_duration makes the token invalid.

    The token is built with validity_duration=-3600 and check_subtoken is
    expected to raise BadTokenError. The method name keeps its original
    spelling ("validatity") so existing test selectors still match.
    """
    malformed_tok = fake_subtoken_proto(
        'user:[email protected]', validity_duration=-3600)
    empty_db = api.AuthDB()
    with self.assertRaises(delegation.BadTokenError):
        delegation.check_subtoken(malformed_tok, FAKE_IDENT, empty_db)
def test_passes_validation(self):
    """A default subtoken validates and yields the identity it names.

    The token is built with no overrides besides the identity string.
    check_subtoken must return an object whose to_bytes() equals that
    same string.
    """
    expected = 'user:[email protected]'
    tok = fake_subtoken_proto('user:[email protected]')
    resolved = delegation.check_subtoken(tok, FAKE_IDENT, api.AuthDB())
    self.assertEqual(expected, resolved.to_bytes())