Example #1
def fake_token_proto():
    """Build a placeholder DelegationToken envelope for base64 serialization tests.

    Every field holds a literal dummy string: there is no real subtoken and no
    real signature, so the result is only suitable for exercising encoding
    paths, never token validation.
    """
    dummy_fields = {
        'serialized_subtoken': 'serialized_subtoken',
        'signer_id': 'signer_id',
        'signing_key_id': 'signing_key_id',
        'pkcs1_sha256_sig': 'pkcs1_sha256_sig',
    }
    return delegation_pb2.DelegationToken(**dummy_fields)
Example #2
  def test_delegation_token(self):
    """Exercise X-Delegation-Token-V1 handling with a good and a corrupted token.

    The signature field below is a placeholder, so signature verification is
    presumably stubbed out by the test fixture (not visible here; confirm).
    """
    header_name = 'X-Delegation-Token-V1'

    # Bearer subtoken with '*' audience and services (presumably wildcards),
    # which is acceptable only because this is a test fixture.
    issued_at = int(utils.time_time())
    subtoken = delegation_pb2.Subtoken(
        delegated_identity='user:[email protected]',
        kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
        audience=['*'],
        services=['*'],
        creation_time=issued_at,
        validity_duration=3600)
    envelope = delegation_pb2.DelegationToken(
        serialized_subtoken=subtoken.SerializeToString(),
        signer_id='user:[email protected]',
        signing_key_id='signing-key',
        pkcs1_sha256_sig='fake-signature')
    encoded = tokens.base64_encode(envelope.SerializeToString())

    # Well-formed token: the captured auth state must carry the parsed
    # subtoken alongside the current/peer identities and the peer IP.
    good_state, _ = self.call(
        'ipv4:127.0.0.1', '*****@*****.**', {header_name: encoded})
    expected_state = CapturedState(
        current_identity='user:[email protected]',
        is_superuser=False,
        peer_identity='user:[email protected]',
        peer_ip=ipaddr.ip_from_string('127.0.0.1'),
        delegation_token=subtoken,
    )
    self.assertEqual(good_state, expected_state)

    # Corrupted token: trailing junk makes the proto fail to parse, and the
    # call must be denied. This covers decode failure only; signature, expiry
    # and audience rejection are not exercised by this case.
    bad_state, bad_ctx = self.call(
        'ipv4:127.0.0.1', '*****@*****.**', {header_name: encoded + 'blah'})
    self.assertIsNone(bad_state)
    self.assertEqual(bad_ctx.code, prpclib.StatusCode.PERMISSION_DENIED)
    self.assertEqual(
        bad_ctx.details,
        'Bad delegation token: Bad proto: Truncated message.')
    def test_delegation_token(self):
        """Check identities reported with no token, a good token and a bad one.

        The token carries a placeholder signature, so signature verification
        is presumably stubbed out by the fixture (not visible here; confirm).
        """
        # Baseline: without a token the call reports the identities below.
        without_token = {
            'cur_id': 'user:[email protected]',
            'peer_id': 'user:[email protected]'
        }
        self.assertEqual(without_token, self.call_with_tokens())

        # Bearer subtoken with '*' audience and services (presumably
        # wildcards), wrapped in an envelope and base64-encoded.
        issued_at = int(utils.time_time())
        subtoken = delegation_pb2.Subtoken(
            delegated_identity='user:[email protected]',
            kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
            audience=['*'],
            services=['*'],
            creation_time=issued_at,
            validity_duration=3600)
        envelope = delegation_pb2.DelegationToken(
            serialized_subtoken=subtoken.SerializeToString(),
            signer_id='user:[email protected]',
            signing_key_id='signing-key',
            pkcs1_sha256_sig='fake-signature')
        encoded = tokens.base64_encode(envelope.SerializeToString())

        # Well-formed token is accepted.
        with_token = {
            'cur_id': 'user:[email protected]',
            'peer_id': 'user:[email protected]'
        }
        self.assertEqual(
            with_token, self.call_with_tokens(delegation_tok=encoded))

        # Corrupted token must raise instead of falling back to the peer
        # identity. Only a malformed encoding is covered here; a bad
        # signature or an expired token is not exercised by this case.
        corrupted = encoded + 'blah'
        with self.assertRaises(api.AuthorizationError):
            self.call_with_tokens(delegation_tok=corrupted)
Example #4
def seal_token(subtoken):
    """Serialize *subtoken*, sign the bytes and wrap both in a DelegationToken.

    The byte string that is signed is the same one embedded in the envelope,
    so a verifier can check the signature over ``serialized_subtoken`` as
    received instead of re-serializing the parsed message.
    """
    blob = subtoken.SerializeToString()
    # NOTE(review): the meaning of the second sign_blob argument (0.5) is not
    # visible here -- presumably a deadline or timeout; confirm.
    key_id, sig = signature.sign_blob(blob, 0.5)
    signer = model.get_service_self_identity().to_bytes()
    return delegation_pb2.DelegationToken(
        serialized_subtoken=blob,
        signer_id=signer,
        signing_key_id=key_id,
        pkcs1_sha256_sig=sig)
Example #5
    def test_delegation_token(self):
        """Check HTTP status and body for absent, good, bad and failing tokens.

        The token carries a placeholder signature, so signature verification
        is presumably stubbed out by the fixture (not visible here; confirm).
        """
        header_name = 'X-Delegation-Token-V1'
        call = self.make_test_app_with_peer('user:[email protected]')

        # Baseline: no delegation header at all.
        plain_response = {
            'status': 200,
            'body': {
                u'cur_id': u'user:[email protected]',
                u'peer_id': u'user:[email protected]',
            },
        }
        self.assertEqual(plain_response, call())

        # Bearer subtoken with '*' audience and services (presumably
        # wildcards), wrapped in an envelope and base64-encoded.
        issued_at = int(utils.time_time())
        subtoken = delegation_pb2.Subtoken(
            delegated_identity='user:[email protected]',
            kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
            audience=['*'],
            services=['*'],
            creation_time=issued_at,
            validity_duration=3600)
        envelope = delegation_pb2.DelegationToken(
            serialized_subtoken=subtoken.SerializeToString(),
            signer_id='user:[email protected]',
            signing_key_id='signing-key',
            pkcs1_sha256_sig='fake-signature')
        encoded = b64.encode(envelope.SerializeToString())

        # Well-formed token is accepted with a 200.
        delegated_response = {
            'status': 200,
            'body': {
                u'cur_id': u'user:[email protected]',
                u'peer_id': u'user:[email protected]',
            },
        }
        self.assertEqual(delegated_response, call({header_name: encoded}))

        # Corrupted token is refused with 403. Only a malformed encoding is
        # covered; bad signature, expiry and audience mismatch are not
        # exercised by this case.
        denied = call({header_name: encoded + 'blah'})
        self.assertEqual(403, denied['status'])
        self.assertIn('Bad delegation token', denied['body'])

        # A transient failure inside the token check must surface as a 500
        # carrying the error text, even though the token itself is well-formed.
        def raise_transient(*_args):
            raise delegation.TransientError('Blah')

        self.mock(
            delegation, 'check_bearer_delegation_token', raise_transient)
        failed = call({header_name: encoded})
        self.assertEqual(500, failed['status'])
        self.assertIn('Blah', failed['body'])
    def test_delegation_token(self):
        """Check identities seen after a call with no, a good and a bad token.

        The token carries a placeholder signature, so signature verification
        is presumably stubbed out by the fixture (not visible here; confirm).
        """
        def identities_seen(encoded=None):
            # Attach the delegation header only when a token was supplied.
            if encoded:
                hdrs = {'X-Delegation-Token-V1': encoded}
            else:
                hdrs = None
            self.call('127.0.0.1', '*****@*****.**', hdrs)
            # NOTE(review): 'peer_id' is read via get_current_identity(), the
            # same accessor as 'cur_id', so this test never observes the peer
            # identity separately -- confirm whether get_peer_identity() was
            # intended.
            return {
                'cur_id': api.get_current_identity().to_bytes(),
                'peer_id': api.get_current_identity().to_bytes(),
            }

        # Baseline: no delegation header.
        without_token = {
            'cur_id': 'user:[email protected]',
            'peer_id': 'user:[email protected]'
        }
        self.assertEqual(without_token, identities_seen())

        # Bearer subtoken with '*' audience and services (presumably
        # wildcards), wrapped in an envelope and base64-encoded.
        issued_at = int(utils.time_time())
        subtoken = delegation_pb2.Subtoken(
            delegated_identity='user:[email protected]',
            kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
            audience=['*'],
            services=['*'],
            creation_time=issued_at,
            validity_duration=3600)
        envelope = delegation_pb2.DelegationToken(
            serialized_subtoken=subtoken.SerializeToString(),
            signer_id='user:[email protected]',
            signing_key_id='signing-key',
            pkcs1_sha256_sig='fake-signature')
        good_token = tokens.base64_encode(envelope.SerializeToString())

        # Well-formed token is accepted.
        with_token = {
            'cur_id': 'user:[email protected]',
            'peer_id': 'user:[email protected]'
        }
        self.assertEqual(with_token, identities_seen(good_token))

        # Corrupted token must raise rather than fall back to the peer
        # identity. Only a malformed encoding is covered by this case.
        with self.assertRaises(api.AuthorizationError):
            identities_seen(good_token + 'blah')
Example #7
    def test_delegation_token(self):
        """Drive a handler over HTTP with absent, good, bad and failing tokens.

        The token carries a placeholder signature, so signature verification
        is presumably stubbed out by the fixture (not visible here; confirm).
        """
        header_name = 'X-Delegation-Token-V1'
        peer_ident = model.Identity.from_bytes('user:[email protected]')

        class Handler(handler.AuthenticatingHandler):
            @classmethod
            def get_auth_methods(cls, conf):
                # Single stub auth method: every request authenticates as
                # peer_ident; the second tuple element is False.
                return [lambda _request: (peer_ident, False)]

            @api.public
            def get(self):
                # Echo both identities so the test can inspect them.
                payload = json.dumps({
                    'peer_id': api.get_peer_identity().to_bytes(),
                    'cur_id': api.get_current_identity().to_bytes(),
                })
                self.response.write(payload)

        app = self.make_test_app('/request', Handler)

        def call(headers=None):
            response = app.get('/request', headers=headers)
            return json.loads(response.body)

        # Baseline: no delegation header.
        without_token = {
            u'cur_id': u'user:[email protected]',
            u'peer_id': u'user:[email protected]'
        }
        self.assertEqual(without_token, call())

        # Bearer subtoken with '*' audience and services (presumably
        # wildcards), wrapped in an envelope and base64-encoded.
        issued_at = int(utils.time_time())
        subtoken = delegation_pb2.Subtoken(
            delegated_identity='user:[email protected]',
            kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
            audience=['*'],
            services=['*'],
            creation_time=issued_at,
            validity_duration=3600)
        envelope = delegation_pb2.DelegationToken(
            serialized_subtoken=subtoken.SerializeToString(),
            signer_id='user:[email protected]',
            signing_key_id='signing-key',
            pkcs1_sha256_sig='fake-signature')
        encoded = tokens.base64_encode(envelope.SerializeToString())

        # Well-formed token is accepted.
        with_token = {
            u'cur_id': u'user:[email protected]',
            u'peer_id': u'user:[email protected]'
        }
        self.assertEqual(with_token, call({header_name: encoded}))

        # Corrupted token is refused with 403. Only a malformed encoding is
        # covered; bad signature, expiry and audience mismatch are not
        # exercised by this case.
        denied = app.get(
            '/request',
            headers={header_name: encoded + 'blah'},
            expect_errors=True)
        self.assertEqual(403, denied.status_int)

        # A transient failure inside the token check must surface as a 500,
        # even though the token itself is well-formed.
        def raise_transient(*_args):
            raise delegation.TransientError('Blah')

        self.mock(
            delegation, 'check_bearer_delegation_token', raise_transient)
        failed = app.get(
            '/request',
            headers={header_name: encoded},
            expect_errors=True)
        self.assertEqual(500, failed.status_int)