def test_minting_via_rpc_fatal_error(self):
local_auth_ctx = self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={
'Authorization': 'Bearer bot-own-token'
},
swarming_http_headers_exp=int(time.time() +
3600),
bot_service_account='none',
system_service_account='*****@*****.**',
task_service_account='none'))
rpc_client = self.mocked_rpc_client(
remote_client.MintOAuthTokenError('msg'))
self.auth_sys.set_remote_client(rpc_client)
code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C'])
self.assertEqual(200, code)
self.assertEqual({u'error_message': u'msg', u'error_code': 4}, resp)
self.assertTrue(rpc_client.calls)
del rpc_client.calls[:]
# The error is cached, no RPCs are made.
code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C'])
self.assertEqual(200, code)
self.assertEqual({u'error_message': u'msg', u'error_code': 4}, resp)
self.assertFalse(rpc_client.calls)
def test_minting_via_rpc_switching_to_none(self):
local_auth_ctx = self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={
'Authorization': 'Bearer bot-own-token'
},
swarming_http_headers_exp=int(time.time() +
3600),
bot_service_account='none',
system_service_account='*****@*****.**',
task_service_account='none'))
rpc_client = self.mocked_rpc_client({'service_account': 'none'})
self.auth_sys.set_remote_client(rpc_client)
# Refused.
code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C'])
self.assertEqual(200, code)
self.assertEqual(
{
u'error_code':
1,
u'error_message':
u"The task has no 'system' account associated with it"
}, resp)
def test_minting_via_rpc_internal_error(self):
local_auth_ctx = self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={
'Authorization': 'Bearer bot-own-token'
},
swarming_http_headers_exp=int(time.time() +
3600),
bot_service_account='none',
system_service_account='*****@*****.**',
task_service_account='none'))
rpc_client = self.mocked_rpc_client(remote_client.InternalError('msg'))
self.auth_sys.set_remote_client(rpc_client)
code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C'])
self.assertEqual(500, code)
self.assertEqual(b'msg\n', resp)
self.assertTrue(rpc_client.calls)
del rpc_client.calls[:]
# The error is NOT cached, another RPC is made.
code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C'])
self.assertEqual(500, code)
self.assertTrue(rpc_client.calls)
def test_no_auth(self):
# Not using service accounts at all -> no LUCI_CONTEXT['local_auth'].
local_auth_ctx = self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={
'Authorization': 'Bearer bot-own-token'
},
swarming_http_headers_exp=0,
bot_service_account='none',
system_service_account='none',
task_service_account='none'))
self.assertIsNone(local_auth_ctx)
def test_get_bot_headers(self):
# 'get_bot_headers' returns swarming_http_headers.
exp = int(time.time() + 3600)
self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={
'Authorization': 'Bearer bot-own-token'
},
swarming_http_headers_exp=exp,
bot_service_account='none',
system_service_account='none',
task_service_account='none'))
self.assertEqual(({
'Authorization': 'Bearer bot-own-token'
}, exp), self.auth_sys.get_bot_headers())
def test_minting_via_rpc_ok(self):
local_auth_ctx = self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={
'Authorization': 'Bearer bot-own-token'
},
swarming_http_headers_exp=int(time.time() +
3600),
bot_service_account='none',
system_service_account='*****@*****.**',
task_service_account='none'))
# Email is set.
self.assertEqual([{
'id': 'system',
'email': '*****@*****.**'
}], local_auth_ctx['accounts'])
expiry = int(time.time() + 3600)
rpc_client = self.mocked_rpc_client({
'service_account': '*****@*****.**',
'access_token': 'blah',
'expiry': expiry,
})
self.auth_sys.set_remote_client(rpc_client)
code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C'])
self.assertEqual(200, code)
self.assertEqual({u'access_token': u'blah', u'expiry': expiry}, resp)
self.assertEqual([{
'account_id': 'system',
'bot_id': 'bot_1',
'scopes': ('A', 'B', 'C'),
'task_id': 'task_1',
}], rpc_client.calls)
del rpc_client.calls[:]
# The token is cached.
code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C'])
self.assertEqual(200, code)
self.assertEqual({u'access_token': u'blah', u'expiry': expiry}, resp)
self.assertFalse(rpc_client.calls)
def test_minting_via_rpc_switching_to_bot(self):
expiry = int(time.time() + 3600)
local_auth_ctx = self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={
'Authorization': 'Bearer bot-own-token'
},
swarming_http_headers_exp=expiry,
bot_service_account='none',
system_service_account='*****@*****.**',
task_service_account='none'))
rpc_client = self.mocked_rpc_client({'service_account': 'bot'})
self.auth_sys.set_remote_client(rpc_client)
# Got bot token instead.
code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C'])
self.assertEqual(200, code)
self.assertEqual({
u'access_token': u'bot-own-token',
u'expiry': expiry
}, resp)
def test_system_and_task_as_bot(self):
exp = int(time.time() + 3600)
# An auth system configured to use both system and task accounts, both set
# to bot's own credentials.
local_auth_ctx = self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={
'Authorization': 'Bearer bot-own-token'
},
swarming_http_headers_exp=exp,
bot_service_account='*****@*****.**',
system_service_account='bot',
task_service_account='bot'))
self.assertEqual(
['accounts', 'default_account_id', 'rpc_port', 'secret'],
sorted(local_auth_ctx))
# Both are defined, 'system' is default.
self.assertEqual([
{
'id': 'system',
'email': '*****@*****.**'
},
{
'id': 'task',
'email': '*****@*****.**'
},
], local_auth_ctx['accounts'])
self.assertEqual('system', local_auth_ctx.get('default_account_id'))
# Both 'system' and 'task' tokens work.
for account_id in ('system', 'task'):
code, resp = call_rpc(local_auth_ctx, account_id, ['A', 'B', 'C'])
self.assertEqual(200, code)
self.assertEqual([u'access_token', u'expiry'], sorted(resp))
self.assertEqual(u'bot-own-token', resp['access_token'])
self.assertEqual(exp, resp['expiry'])
def test_using_bot_without_known_email(self):
# An auth system configured to use both system and task accounts, both set
# to bot's own credentials, with email not known.
local_auth_ctx = self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={},
swarming_http_headers_exp=None,
bot_service_account='none',
system_service_account='bot',
task_service_account='bot'))
# Email is not available, as indicated by '-'.
self.assertEqual([
{
'id': 'system',
'email': '-'
},
{
'id': 'task',
'email': '-'
},
], local_auth_ctx['accounts'])
def test_system_as_bot(self):
exp = int(time.time() + 3600)
# An auth system is configured to use only system account, set to bot's own
# credentials.
local_auth_ctx = self.init_auth_system(
bot_auth.AuthParams(bot_id='bot_1',
task_id='task_1',
swarming_http_headers={
'Authorization': 'Bearer bot-own-token'
},
swarming_http_headers_exp=exp,
bot_service_account='*****@*****.**',
system_service_account='bot',
task_service_account='none'))
self.assertEqual(
['accounts', 'default_account_id', 'rpc_port', 'secret'],
sorted(local_auth_ctx))
# Only 'system' account is defined (no 'task'), and it is default.
self.assertEqual([{
'id': 'system',
'email': '*****@*****.**'
}], local_auth_ctx['accounts'])
self.assertEqual('system', local_auth_ctx['default_account_id'])
# Try to use the local RPC service to grab a 'system' token. Should return
# the token specified by 'swarming_http_headers'.
code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C'])
self.assertEqual(200, code)
self.assertEqual([u'access_token', u'expiry'], sorted(resp))
self.assertEqual(u'bot-own-token', resp['access_token'])
self.assertEqual(exp, resp['expiry'])
# No 'task' token at all.
code, _ = call_rpc(local_auth_ctx, 'task', ['A', 'B', 'C'])
self.assertEqual(404, code)
