def test_delegation_token(self):
# No delegation.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, self.call_with_tokens())
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = tokens.base64_encode(tok_pb.SerializeToString())
# Valid delegation token.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, self.call_with_tokens(delegation_tok=tok))
# Invalid delegation token.
with self.assertRaises(api.AuthorizationError):
self.call_with_tokens(delegation_tok=tok + 'blah')
def test_delegation_token(self):
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = tokens.base64_encode(tok_pb.SerializeToString())
# Valid delegation token.
state, ctx = self.call(
'ipv4:127.0.0.1', '*****@*****.**', {'X-Delegation-Token-V1': tok})
self.assertEqual(state, CapturedState(
current_identity='user:[email protected]',
is_superuser=False,
peer_identity='user:[email protected]',
peer_ip=ipaddr.ip_from_string('127.0.0.1'),
delegation_token=subtoken,
))
# Invalid delegation token.
state, ctx = self.call(
'ipv4:127.0.0.1', '*****@*****.**', {'X-Delegation-Token-V1': tok + 'blah'})
self.assertIsNone(state)
self.assertEqual(ctx.code, prpclib.StatusCode.PERMISSION_DENIED)
self.assertEqual(
ctx.details, 'Bad delegation token: Bad proto: Truncated message.')
def fake_subtoken_proto(delegated_identity='user:[email protected]', **kwargs): kwargs['delegated_identity'] = delegated_identity kwargs.setdefault('audience', ['*']) kwargs.setdefault('services', ['*']) kwargs.setdefault('creation_time', int(utils.time_time())) kwargs.setdefault('validity_duration', 3600) return delegation_pb2.Subtoken(**kwargs)
def test_delegation_token(self):
peer_ident = model.Identity.from_bytes('user:[email protected]')
class Handler(handler.AuthenticatingHandler):
@classmethod
def get_auth_methods(cls, conf):
return [lambda _request: peer_ident]
@api.public
def get(self):
self.response.write(
json.dumps({
'peer_id': api.get_peer_identity().to_bytes(),
'cur_id': api.get_current_identity().to_bytes(),
}))
app = self.make_test_app('/request', Handler)
def call(headers=None):
return json.loads(app.get('/request', headers=headers).body)
# No delegation.
self.assertEqual(
{
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]'
}, call())
# TODO(vadimsh): Mint token via some high-level function call.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok = delegation.serialize_token(delegation.seal_token(subtoken))
# With valid delegation token.
self.assertEqual(
{
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]'
}, call({'X-Delegation-Token-V1': tok}))
# With invalid delegation token.
r = app.get('/request',
headers={'X-Delegation-Token-V1': tok + 'blah'},
expect_errors=True)
self.assertEqual(403, r.status_int)
# Transient error.
def mocked_check(*_args):
raise delegation.TransientError('Blah')
self.mock(delegation, 'check_bearer_delegation_token', mocked_check)
r = app.get('/request',
headers={'X-Delegation-Token-V1': tok},
expect_errors=True)
self.assertEqual(500, r.status_int)
def test_delegation_token(self):
call = self.make_test_app_with_peer('user:[email protected]')
# No delegation.
self.assertEqual(
{
'status': 200,
'body': {
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]',
},
}, call())
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = b64.encode(tok_pb.SerializeToString())
# With valid delegation token.
self.assertEqual(
{
'status': 200,
'body': {
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]',
},
}, call({'X-Delegation-Token-V1': tok}))
# With invalid delegation token.
resp = call({'X-Delegation-Token-V1': tok + 'blah'})
self.assertEqual(403, resp['status'])
self.assertIn('Bad delegation token', resp['body'])
# Transient error.
def mocked_check(*_args):
raise delegation.TransientError('Blah')
self.mock(delegation, 'check_bearer_delegation_token', mocked_check)
resp = call({'X-Delegation-Token-V1': tok})
self.assertEqual(500, resp['status'])
self.assertIn('Blah', resp['body'])
def test_delegation_token(self):
def call(tok=None):
headers = {'X-Delegation-Token-V1': tok} if tok else None
self.call('127.0.0.1', '*****@*****.**', headers)
return {
'cur_id': api.get_current_identity().to_bytes(),
'peer_id': api.get_current_identity().to_bytes(),
}
# No delegation.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, call())
# TODO(vadimsh): Mint token via some high-level function call.
subtokens = delegation_pb2.SubtokenList(subtokens=[
delegation_pb2.Subtoken(issuer_id='user:[email protected]',
creation_time=int(utils.time_time()),
validity_duration=3600),
])
tok = delegation.serialize_token(delegation.seal_token(subtokens))
# Valid delegation token.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, call(tok))
# Invalid delegation token.
with self.assertRaises(api.AuthorizationError):
call(tok + 'blah')
# Transient error.
def mocked_check(*_args):
raise delegation.TransientError('Blah')
self.mock(delegation, 'check_delegation_token', mocked_check)
with self.assertRaises(endpoints.InternalServerErrorException):
call(tok)
def test_delegation_token(self):
def call(tok=None):
headers = {'X-Delegation-Token-V1': tok} if tok else None
self.call('127.0.0.1', '*****@*****.**', headers)
return {
'cur_id': api.get_current_identity().to_bytes(),
'peer_id': api.get_current_identity().to_bytes(),
}
# No delegation.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, call())
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = tokens.base64_encode(tok_pb.SerializeToString())
# Valid delegation token.
self.assertEqual(
{
'cur_id': 'user:[email protected]',
'peer_id': 'user:[email protected]'
}, call(tok))
# Invalid delegation token.
with self.assertRaises(api.AuthorizationError):
call(tok + 'blah')
def subtoken_from_jsonish(d):
"""Given JSON dict with request body returns delegation_pb2.Subtoken msg.
Raises:
ValueError if some fields are invalid.
"""
msg = delegation_pb2.Subtoken()
# 'audience' is an optional list of 'group:...' or identity names.
if 'audience' in d:
aud = d['audience']
if not isinstance(aud, list):
raise ValueError('"audience" must be a list of strings')
for e in aud:
if not isinstance(e, basestring):
raise ValueError('"audience" must be a list of strings')
if e.startswith('group:'):
if not auth.is_valid_group_name(e.lstrip('group:')):
raise ValueError('Invalid group name in "audience": %s' % e)
else:
try:
auth.Identity.from_bytes(e)
except ValueError as exc:
raise ValueError(
'Invalid identity name "%s" in "audience": %s' % (e, exc))
msg.audience.append(str(e))
# 'services' is an optional list of identity names.
if 'services' in d:
services = d['services']
if not isinstance(services, list):
raise ValueError('"services" must be a list of strings')
for e in services:
if not isinstance(e, basestring):
raise ValueError('"services" must be a list of strings')
try:
auth.Identity.from_bytes(e)
except ValueError as exc:
raise ValueError(
'Invalid identity name "%s" in "services": %s' % (e, exc))
msg.services.append(str(e))
# 'validity_duration' is optional positive number within some defined bounds.
if 'validity_duration' in d:
dur = d['validity_duration']
if not isinstance(dur, (int, float)):
raise ValueError('"validity_duration" must be a positive number')
if dur < MIN_VALIDITY_DURATION_SEC or dur > MAX_VALIDITY_DURATION_SEC:
raise ValueError(
'"validity_duration" must be between %d and %d sec' %
(MIN_VALIDITY_DURATION_SEC, MAX_VALIDITY_DURATION_SEC))
msg.validity_duration = int(dur)
# 'impersonate' is an optional identity string.
if 'impersonate' in d:
imp = d['impersonate']
try:
auth.Identity.from_bytes(imp)
except ValueError as exc:
raise ValueError(
'Invalid identity name "%s" in "impersonate": %s' % (imp, exc))
msg.issuer_id = str(imp)
return msg
def make_subtoken(self, **kwargs): return delegation_pb2.Subtoken(**kwargs)
def fake_subtoken_proto(issuer_id, **kwargs):
kwargs['issuer_id'] = issuer_id
kwargs.setdefault('creation_time', int(utils.time_time()))
kwargs.setdefault('validity_duration', 3600)
return delegation_pb2.Subtoken(**kwargs)
def test_delegation_token(self):
peer_ident = model.Identity.from_bytes('user:[email protected]')
class Handler(handler.AuthenticatingHandler):
@classmethod
def get_auth_methods(cls, conf):
return [lambda _request: (peer_ident, False)]
@api.public
def get(self):
self.response.write(
json.dumps({
'peer_id': api.get_peer_identity().to_bytes(),
'cur_id': api.get_current_identity().to_bytes(),
}))
app = self.make_test_app('/request', Handler)
def call(headers=None):
return json.loads(app.get('/request', headers=headers).body)
# No delegation.
self.assertEqual(
{
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]'
}, call())
# Grab a fake-signed delegation token.
subtoken = delegation_pb2.Subtoken(
delegated_identity='user:[email protected]',
kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
audience=['*'],
services=['*'],
creation_time=int(utils.time_time()),
validity_duration=3600)
tok_pb = delegation_pb2.DelegationToken(
serialized_subtoken=subtoken.SerializeToString(),
signer_id='user:[email protected]',
signing_key_id='signing-key',
pkcs1_sha256_sig='fake-signature')
tok = tokens.base64_encode(tok_pb.SerializeToString())
# With valid delegation token.
self.assertEqual(
{
u'cur_id': u'user:[email protected]',
u'peer_id': u'user:[email protected]'
}, call({'X-Delegation-Token-V1': tok}))
# With invalid delegation token.
r = app.get('/request',
headers={'X-Delegation-Token-V1': tok + 'blah'},
expect_errors=True)
self.assertEqual(403, r.status_int)
# Transient error.
def mocked_check(*_args):
raise delegation.TransientError('Blah')
self.mock(delegation, 'check_bearer_delegation_token', mocked_check)
r = app.get('/request',
headers={'X-Delegation-Token-V1': tok},
expect_errors=True)
self.assertEqual(500, r.status_int)
