def test_delegation_token(self): # No delegation. self.assertEqual( { 'cur_id': 'user:[email protected]', 'peer_id': 'user:[email protected]' }, self.call_with_tokens()) # Grab a fake-signed delegation token. subtoken = delegation_pb2.Subtoken( delegated_identity='user:[email protected]', kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN, audience=['*'], services=['*'], creation_time=int(utils.time_time()), validity_duration=3600) tok_pb = delegation_pb2.DelegationToken( serialized_subtoken=subtoken.SerializeToString(), signer_id='user:[email protected]', signing_key_id='signing-key', pkcs1_sha256_sig='fake-signature') tok = tokens.base64_encode(tok_pb.SerializeToString()) # Valid delegation token. self.assertEqual( { 'cur_id': 'user:[email protected]', 'peer_id': 'user:[email protected]' }, self.call_with_tokens(delegation_tok=tok)) # Invalid delegation token. with self.assertRaises(api.AuthorizationError): self.call_with_tokens(delegation_tok=tok + 'blah')
def test_delegation_token(self): # Grab a fake-signed delegation token. subtoken = delegation_pb2.Subtoken( delegated_identity='user:[email protected]', kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN, audience=['*'], services=['*'], creation_time=int(utils.time_time()), validity_duration=3600) tok_pb = delegation_pb2.DelegationToken( serialized_subtoken=subtoken.SerializeToString(), signer_id='user:[email protected]', signing_key_id='signing-key', pkcs1_sha256_sig='fake-signature') tok = tokens.base64_encode(tok_pb.SerializeToString()) # Valid delegation token. state, ctx = self.call( 'ipv4:127.0.0.1', '*****@*****.**', {'X-Delegation-Token-V1': tok}) self.assertEqual(state, CapturedState( current_identity='user:[email protected]', is_superuser=False, peer_identity='user:[email protected]', peer_ip=ipaddr.ip_from_string('127.0.0.1'), delegation_token=subtoken, )) # Invalid delegation token. state, ctx = self.call( 'ipv4:127.0.0.1', '*****@*****.**', {'X-Delegation-Token-V1': tok + 'blah'}) self.assertIsNone(state) self.assertEqual(ctx.code, prpclib.StatusCode.PERMISSION_DENIED) self.assertEqual( ctx.details, 'Bad delegation token: Bad proto: Truncated message.')
def fake_subtoken_proto(delegated_identity='user:[email protected]', **kwargs): kwargs['delegated_identity'] = delegated_identity kwargs.setdefault('audience', ['*']) kwargs.setdefault('services', ['*']) kwargs.setdefault('creation_time', int(utils.time_time())) kwargs.setdefault('validity_duration', 3600) return delegation_pb2.Subtoken(**kwargs)
def test_delegation_token(self): peer_ident = model.Identity.from_bytes('user:[email protected]') class Handler(handler.AuthenticatingHandler): @classmethod def get_auth_methods(cls, conf): return [lambda _request: peer_ident] @api.public def get(self): self.response.write( json.dumps({ 'peer_id': api.get_peer_identity().to_bytes(), 'cur_id': api.get_current_identity().to_bytes(), })) app = self.make_test_app('/request', Handler) def call(headers=None): return json.loads(app.get('/request', headers=headers).body) # No delegation. self.assertEqual( { u'cur_id': u'user:[email protected]', u'peer_id': u'user:[email protected]' }, call()) # TODO(vadimsh): Mint token via some high-level function call. subtoken = delegation_pb2.Subtoken( delegated_identity='user:[email protected]', audience=['*'], services=['*'], creation_time=int(utils.time_time()), validity_duration=3600) tok = delegation.serialize_token(delegation.seal_token(subtoken)) # With valid delegation token. self.assertEqual( { u'cur_id': u'user:[email protected]', u'peer_id': u'user:[email protected]' }, call({'X-Delegation-Token-V1': tok})) # With invalid delegation token. r = app.get('/request', headers={'X-Delegation-Token-V1': tok + 'blah'}, expect_errors=True) self.assertEqual(403, r.status_int) # Transient error. def mocked_check(*_args): raise delegation.TransientError('Blah') self.mock(delegation, 'check_bearer_delegation_token', mocked_check) r = app.get('/request', headers={'X-Delegation-Token-V1': tok}, expect_errors=True) self.assertEqual(500, r.status_int)
def test_delegation_token(self): call = self.make_test_app_with_peer('user:[email protected]') # No delegation. self.assertEqual( { 'status': 200, 'body': { u'cur_id': u'user:[email protected]', u'peer_id': u'user:[email protected]', }, }, call()) # Grab a fake-signed delegation token. subtoken = delegation_pb2.Subtoken( delegated_identity='user:[email protected]', kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN, audience=['*'], services=['*'], creation_time=int(utils.time_time()), validity_duration=3600) tok_pb = delegation_pb2.DelegationToken( serialized_subtoken=subtoken.SerializeToString(), signer_id='user:[email protected]', signing_key_id='signing-key', pkcs1_sha256_sig='fake-signature') tok = b64.encode(tok_pb.SerializeToString()) # With valid delegation token. self.assertEqual( { 'status': 200, 'body': { u'cur_id': u'user:[email protected]', u'peer_id': u'user:[email protected]', }, }, call({'X-Delegation-Token-V1': tok})) # With invalid delegation token. resp = call({'X-Delegation-Token-V1': tok + 'blah'}) self.assertEqual(403, resp['status']) self.assertIn('Bad delegation token', resp['body']) # Transient error. def mocked_check(*_args): raise delegation.TransientError('Blah') self.mock(delegation, 'check_bearer_delegation_token', mocked_check) resp = call({'X-Delegation-Token-V1': tok}) self.assertEqual(500, resp['status']) self.assertIn('Blah', resp['body'])
def test_delegation_token(self): def call(tok=None): headers = {'X-Delegation-Token-V1': tok} if tok else None self.call('127.0.0.1', '*****@*****.**', headers) return { 'cur_id': api.get_current_identity().to_bytes(), 'peer_id': api.get_current_identity().to_bytes(), } # No delegation. self.assertEqual( { 'cur_id': 'user:[email protected]', 'peer_id': 'user:[email protected]' }, call()) # TODO(vadimsh): Mint token via some high-level function call. subtokens = delegation_pb2.SubtokenList(subtokens=[ delegation_pb2.Subtoken(issuer_id='user:[email protected]', creation_time=int(utils.time_time()), validity_duration=3600), ]) tok = delegation.serialize_token(delegation.seal_token(subtokens)) # Valid delegation token. self.assertEqual( { 'cur_id': 'user:[email protected]', 'peer_id': 'user:[email protected]' }, call(tok)) # Invalid delegation token. with self.assertRaises(api.AuthorizationError): call(tok + 'blah') # Transient error. def mocked_check(*_args): raise delegation.TransientError('Blah') self.mock(delegation, 'check_delegation_token', mocked_check) with self.assertRaises(endpoints.InternalServerErrorException): call(tok)
def test_delegation_token(self): def call(tok=None): headers = {'X-Delegation-Token-V1': tok} if tok else None self.call('127.0.0.1', '*****@*****.**', headers) return { 'cur_id': api.get_current_identity().to_bytes(), 'peer_id': api.get_current_identity().to_bytes(), } # No delegation. self.assertEqual( { 'cur_id': 'user:[email protected]', 'peer_id': 'user:[email protected]' }, call()) # Grab a fake-signed delegation token. subtoken = delegation_pb2.Subtoken( delegated_identity='user:[email protected]', kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN, audience=['*'], services=['*'], creation_time=int(utils.time_time()), validity_duration=3600) tok_pb = delegation_pb2.DelegationToken( serialized_subtoken=subtoken.SerializeToString(), signer_id='user:[email protected]', signing_key_id='signing-key', pkcs1_sha256_sig='fake-signature') tok = tokens.base64_encode(tok_pb.SerializeToString()) # Valid delegation token. self.assertEqual( { 'cur_id': 'user:[email protected]', 'peer_id': 'user:[email protected]' }, call(tok)) # Invalid delegation token. with self.assertRaises(api.AuthorizationError): call(tok + 'blah')
def subtoken_from_jsonish(d): """Given JSON dict with request body returns delegation_pb2.Subtoken msg. Raises: ValueError if some fields are invalid. """ msg = delegation_pb2.Subtoken() # 'audience' is an optional list of 'group:...' or identity names. if 'audience' in d: aud = d['audience'] if not isinstance(aud, list): raise ValueError('"audience" must be a list of strings') for e in aud: if not isinstance(e, basestring): raise ValueError('"audience" must be a list of strings') if e.startswith('group:'): if not auth.is_valid_group_name(e.lstrip('group:')): raise ValueError('Invalid group name in "audience": %s' % e) else: try: auth.Identity.from_bytes(e) except ValueError as exc: raise ValueError( 'Invalid identity name "%s" in "audience": %s' % (e, exc)) msg.audience.append(str(e)) # 'services' is an optional list of identity names. if 'services' in d: services = d['services'] if not isinstance(services, list): raise ValueError('"services" must be a list of strings') for e in services: if not isinstance(e, basestring): raise ValueError('"services" must be a list of strings') try: auth.Identity.from_bytes(e) except ValueError as exc: raise ValueError( 'Invalid identity name "%s" in "services": %s' % (e, exc)) msg.services.append(str(e)) # 'validity_duration' is optional positive number within some defined bounds. if 'validity_duration' in d: dur = d['validity_duration'] if not isinstance(dur, (int, float)): raise ValueError('"validity_duration" must be a positive number') if dur < MIN_VALIDITY_DURATION_SEC or dur > MAX_VALIDITY_DURATION_SEC: raise ValueError( '"validity_duration" must be between %d and %d sec' % (MIN_VALIDITY_DURATION_SEC, MAX_VALIDITY_DURATION_SEC)) msg.validity_duration = int(dur) # 'impersonate' is an optional identity string. if 'impersonate' in d: imp = d['impersonate'] try: auth.Identity.from_bytes(imp) except ValueError as exc: raise ValueError( 'Invalid identity name "%s" in "impersonate": %s' % (imp, exc)) msg.issuer_id = str(imp) return msg
def make_subtoken(self, **kwargs): return delegation_pb2.Subtoken(**kwargs)
def fake_subtoken_proto(issuer_id, **kwargs): kwargs['issuer_id'] = issuer_id kwargs.setdefault('creation_time', int(utils.time_time())) kwargs.setdefault('validity_duration', 3600) return delegation_pb2.Subtoken(**kwargs)
def test_delegation_token(self): peer_ident = model.Identity.from_bytes('user:[email protected]') class Handler(handler.AuthenticatingHandler): @classmethod def get_auth_methods(cls, conf): return [lambda _request: (peer_ident, False)] @api.public def get(self): self.response.write( json.dumps({ 'peer_id': api.get_peer_identity().to_bytes(), 'cur_id': api.get_current_identity().to_bytes(), })) app = self.make_test_app('/request', Handler) def call(headers=None): return json.loads(app.get('/request', headers=headers).body) # No delegation. self.assertEqual( { u'cur_id': u'user:[email protected]', u'peer_id': u'user:[email protected]' }, call()) # Grab a fake-signed delegation token. subtoken = delegation_pb2.Subtoken( delegated_identity='user:[email protected]', kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN, audience=['*'], services=['*'], creation_time=int(utils.time_time()), validity_duration=3600) tok_pb = delegation_pb2.DelegationToken( serialized_subtoken=subtoken.SerializeToString(), signer_id='user:[email protected]', signing_key_id='signing-key', pkcs1_sha256_sig='fake-signature') tok = tokens.base64_encode(tok_pb.SerializeToString()) # With valid delegation token. self.assertEqual( { u'cur_id': u'user:[email protected]', u'peer_id': u'user:[email protected]' }, call({'X-Delegation-Token-V1': tok})) # With invalid delegation token. r = app.get('/request', headers={'X-Delegation-Token-V1': tok + 'blah'}, expect_errors=True) self.assertEqual(403, r.status_int) # Transient error. def mocked_check(*_args): raise delegation.TransientError('Blah') self.mock(delegation, 'check_bearer_delegation_token', mocked_check) r = app.get('/request', headers={'X-Delegation-Token-V1': tok}, expect_errors=True) self.assertEqual(500, r.status_int)