def get_session_token(request, context):
    """Create a session for the requested owner and return its session token.

    The caller is authenticated first, ``owner`` and ``scope`` are checked
    with ``utils.validate_not_empty``, and ``utils.validate_impersonator``
    runs before anything is stored.

    Returns:
        A ``(response, details)`` pair: the ``GetSessionTokenResponse``
        carrying the token, and a dict holding the session's owner, renewer
        and id (the token itself is not part of that dict).
    """
    caller = authenticate_user(request, context)
    for required_field in ('owner', 'scope'):
        utils.validate_not_empty(request, required_field)

    # Falls back to the authenticated caller when the request names no owner.
    # NOTE(review): 'owner' was just checked by validate_not_empty, so this
    # fallback may be unreachable -- confirm.
    session_owner = request.owner or caller
    renewer, target, scope = request.renewer, request.target, request.scope

    # Authorization gate: presumably rejects a caller who may not act on
    # behalf of session_owner -- verify against utils.validate_impersonator.
    utils.validate_impersonator(caller, session_owner)

    # NOTE(review): renewer and target are stored as received; only owner and
    # scope are checked for emptiness in this function -- confirm they are
    # validated elsewhere.
    new_session = Session(
        owner=session_owner,
        renewer=renewer,
        target=target,
        scope=scope,
    )
    new_session.save()

    # Build the RPC response around the freshly generated token.
    reply = broker_pb2.GetSessionTokenResponse()
    reply.session_token = generate_session_token(new_session)
    details = {
        'owner': new_session.owner,
        'renewer': new_session.renewer,
        'session-id': new_session.id,
    }
    return reply, details
def test_get_access_token_SESSION_TOKEN_AUTH_SUCCESS(monkeypatch):
    """An access token can be obtained by presenting a saved session's token.

    Reuses the direct-auth success test, passing ``authenticated_user=None``
    together with the session token generated here.
    """
    monkeypatch_environment(monkeypatch)

    stored_session = Session(
        owner='*****@*****.**',
        renewer='*****@*****.**',
        target=MOCK_BUCKET,
        scope=SCOPE,
    )
    stored_session.save()
    token = generate_session_token(stored_session)

    # No authenticated user is supplied, so the session token is the
    # credential handed to the shared success scenario.
    test_get_access_token_DIRECT_AUTH_SUCCESS(
        monkeypatch,
        authenticated_user=None,
        owner='*****@*****.**',
        session_token=token,
    )
def test_rewnew_session_token_WRONG_RENEWER(monkeypatch):
    """Renewal by someone other than the session's renewer is denied.

    NOTE(review): the address literals in this listing look masked, so the
    caller and the stored renewer cannot be told apart here -- confirm the
    values against the original test.
    """
    monkeypatch_environment(monkeypatch)

    stored_session = Session(owner='*****@*****.**', renewer='*****@*****.**')
    stored_session.save()
    token = generate_session_token(stored_session)

    reply, rpc_context = renew_session_token('*****@*****.**', token)

    # A denied renewal yields no response and must leave the session in place.
    assert reply is None
    assert Session.exist(stored_session.id)
    assert rpc_context.code == grpc.StatusCode.PERMISSION_DENIED
    assert rpc_context.details == 'Unauthorized renewer: [email protected]'
def test_get_access_token_SESSION_TOKEN_WRONG_PASSWORD(monkeypatch):
    """A token generated before the session's password changed is rejected."""
    monkeypatch_environment(monkeypatch)

    stale_session = Session(owner='*****@*****.**', renewer='*****@*****.**')
    # The token is generated before the password is overwritten below, so it
    # presumably carries the earlier password -- verify against
    # generate_session_token.
    session_token = generate_session_token(stale_session)

    # Change password
    stale_session.password = '******'
    stale_session.save()

    access_request = GetAccessTokenRequest()
    access_request.scope = SCOPE
    access_request.target = MOCK_BUCKET
    auth_metadata = {'authorization': f'BrokerSession {session_token}'}
    rpc_context = MockContext(auth_metadata)

    reply = BrokerServicer().GetAccessToken(access_request, rpc_context)

    # The stale token must fail authentication rather than yield a response.
    assert reply is None
    assert rpc_context.code == grpc.StatusCode.UNAUTHENTICATED
    assert rpc_context.details == f'Invalid session token'
def test_renew_session_token_SUCCESS(mock_datetime, monkeypatch):
    """Renewal by the session's renewer moves ``expires_at`` forward.

    ``mock_datetime`` is presumably injected by a patch decorator that is not
    part of this listing; its ``utcnow`` return value is set to control "now".
    """
    monkeypatch_environment(monkeypatch)

    # First instant: the session is created and saved.
    created_at = datetime(2001, 1, 1)
    mock_datetime.utcnow.return_value = created_at
    original_session = Session(owner='*****@*****.**', renewer='*****@*****.**')
    original_session.save()
    assert original_session.expires_at == datetime_to_integer(created_at) + settings.SESSION_RENEW_PERIOD

    # Second instant: the clock moves on before the renewal call.
    renewed_at = datetime(2002, 2, 2)
    mock_datetime.utcnow.return_value = renewed_at
    token = generate_session_token(original_session)
    reply, rpc_context = renew_session_token('*****@*****.**', token)
    assert isinstance(reply, RenewSessionTokenResponse)

    # Reload from storage so the persisted expiry is what gets checked.
    reloaded = Session.get(original_session.id)
    assert reloaded.expires_at == datetime_to_integer(renewed_at) + settings.SESSION_RENEW_PERIOD
def test_get_session_token(monkeypatch):
    """An issued token decodes to a stored session whose password matches."""
    monkeypatch_environment(monkeypatch)

    reply, rpc_context = get_session_token('*****@*****.**', '*****@*****.**')
    assert isinstance(reply, GetSessionTokenResponse)

    # Split the token into its two parts and look the session up by id.
    decoded = read_session_token(reply.session_token)
    session_id, encrypted_password = decoded
    stored_session = Session.get(session_id)

    assert stored_session.owner == '*****@*****.**'
    assert stored_session.renewer == '*****@*****.**'
    # The password part of the token must match the stored session.
    assert password_match(stored_session, encrypted_password)
def test_cancel_session_token_SUCCESS(monkeypatch):
    """Cancelling a session token removes the session from storage."""
    monkeypatch_environment(monkeypatch)

    doomed_session = Session(owner='*****@*****.**', renewer='*****@*****.**')
    doomed_session.save()
    # Precondition: the session exists before the cancel call.
    assert Session.exist(doomed_session.id)

    token = generate_session_token(doomed_session)
    reply, rpc_context = cancel_session_token('*****@*****.**', token)

    assert isinstance(reply, CancelSessionTokenResponse)
    # After cancellation the session can no longer be found.
    assert not Session.exist(doomed_session.id)
def get_session_from_token(token: str) -> Session:
    """Resolve a session token to its stored ``Session``.

    The token is split into a session id and an encrypted password; the
    session is loaded by id and the RPC is aborted with ``UNAUTHENTICATED``
    when ``password_match`` rejects the pair.

    NOTE(review): what ``Session.get`` does for an unknown id is not visible
    here -- confirm a missing session also ends in ``UNAUTHENTICATED`` rather
    than an unhandled error. No expiry check is visible in this function
    either -- confirm where expired sessions are rejected.
    """
    session_id, token_secret = read_session_token(token)
    candidate = Session.get(session_id)
    if password_match(candidate, token_secret):
        return candidate
    # Mismatch between the token's password part and the stored session.
    abort(grpc.StatusCode.UNAUTHENTICATED, 'Invalid session token')
    return candidate