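def test_allowed_to_impersonate(self):
    """Only identities covered by allowed_to_impersonate may be impersonated.

    The rule lists three kinds of entries: a literal identity, a glob
    ('user:*@viaglob.com') and a group ('group:via-group'). Group membership
    is mocked, so the group entry matches exactly one identity. For each
    accepted identity check_can_create_token must return the rule that was
    added; for any other identity it must raise auth.AuthorizationError.
    """
    # NOTE(review): every address literal in this listing reads
    # '[email protected]', which looks like e-mail obfuscation applied
    # by the hosting page. The original presumably used distinct identities
    # (the glob entry targets the viaglob.com domain). Restore them before
    # relying on this test: with identical strings the allowed and denied
    # cases cannot be told apart.
    rule = self.add_rule(
        user_id=['user:[email protected]'],
        target_service=['*'],
        max_validity_duration=300,
        allowed_to_impersonate=[
            'user:[email protected]',
            'user:*@viaglob.com',
            'group:via-group',
        ])

    def fake_is_group_member(group, member):
        # Only one identity is a member of 'via-group'.
        return (group == 'via-group'
                and member.to_bytes() == 'user:[email protected]')

    self.mock(auth, 'is_group_member', fake_is_group_member)

    # One accepted identity per allow-list entry (presumably in the order
    # literal, glob, group -- confirm against the unredacted source).
    accepted_identities = (
        'user:[email protected]',
        'user:[email protected]',
        'user:[email protected]',
    )
    for identity in accepted_identities:
        subtoken = self.make_subtoken(
            delegated_identity=identity, validity_duration=300)
        matched = delegation.check_can_create_token(
            'user:[email protected]', subtoken)
        self.assertEqual(rule, matched)

    # Trying to impersonate someone not allowed.
    # The token is built outside the assertRaises block so that only the
    # authorization check itself can satisfy the expectation; an error
    # raised while constructing the fixture must not make the test pass.
    denied = self.make_subtoken(
        delegated_identity='user:[email protected]', validity_duration=300)
    with self.assertRaises(auth.AuthorizationError):
        delegation.check_can_create_token('user:[email protected]', denied)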
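def test_impersonation_disallowed_by_default(self):
    """With no rule added, delegation passes and impersonation is refused.

    This variant builds the subtoken with issuer_id. The first call must
    not raise; the second must raise auth.AuthorizationError.
    """
    # NOTE(review): both issuer_id values and both callers read
    # '[email protected]', which looks like e-mail obfuscation applied
    # by the hosting page. The impersonation case presumably used an
    # issuer_id different from the caller -- restore the original
    # identities, otherwise the two cases are identical.

    # Making delegation token.
    own_token = self.make_subtoken(
        issuer_id='user:[email protected]', validity_duration=300)
    delegation.check_can_create_token('user:[email protected]', own_token)

    # Making impersonation token.
    # Built outside the assertRaises block so that only the authorization
    # check can satisfy the expectation, never fixture construction.
    foreign_token = self.make_subtoken(
        issuer_id='user:[email protected]', validity_duration=300)
    with self.assertRaises(auth.AuthorizationError):
        delegation.check_can_create_token(
            'user:[email protected]', foreign_token)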
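def test_validity_duration(self):
    """A rule's max_validity_duration caps the requested token lifetime.

    A wildcard rule (any user, any target service) with a 300-second cap
    is added. A 300-second request must be accepted and a 400-second
    request must raise auth.AuthorizationError.
    """
    # NOTE(review): the address literals read '[email protected]',
    # which looks like e-mail obfuscation applied by the hosting page.
    # Restore the original identities before reuse.
    self.add_rule(
        user_id=['*'],
        target_service=['*'],
        max_validity_duration=300)

    # Exactly at the cap: accepted.
    at_limit = self.make_subtoken(
        issuer_id='user:[email protected]', validity_duration=300)
    delegation.check_can_create_token('user:[email protected]', at_limit)

    # Above the cap: refused. The token is built outside the assertRaises
    # block so that only the authorization check can satisfy the
    # expectation.
    # NOTE(review): 400 is well past the cap; a 301-second case would pin
    # the boundary more tightly -- confirm the comparison used by
    # check_can_create_token before adding it.
    over_limit = self.make_subtoken(
        issuer_id='user:[email protected]', validity_duration=400)
    with self.assertRaises(auth.AuthorizationError):
        delegation.check_can_create_token(
            'user:[email protected]', over_limit)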
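def test_impersonation_disallowed_by_default(self):
    """With no rule added, delegation matches DEFAULT_RULE only.

    This variant builds the subtoken with delegated_identity. The
    delegation case must return delegation.DEFAULT_RULE; the impersonation
    case must raise auth.AuthorizationError.
    """
    # NOTE(review): both delegated_identity values and both callers read
    # '[email protected]', which looks like e-mail obfuscation applied
    # by the hosting page. The impersonation case presumably named an
    # identity different from the caller -- restore the original
    # identities, otherwise the two cases are identical.

    # Making delegation token.
    own_token = self.make_subtoken(
        delegated_identity='user:[email protected]', validity_duration=300)
    matched = delegation.check_can_create_token(
        'user:[email protected]', own_token)
    self.assertEqual(delegation.DEFAULT_RULE, matched)

    # Making impersonation token.
    # Built outside the assertRaises block so that only the authorization
    # check can satisfy the expectation, never fixture construction.
    foreign_token = self.make_subtoken(
        delegated_identity='user:[email protected]', validity_duration=300)
    with self.assertRaises(auth.AuthorizationError):
        delegation.check_can_create_token(
            'user:[email protected]', foreign_token)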