def test_minting_via_rpc_fatal_error(self): local_auth_ctx = self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={ 'Authorization': 'Bearer bot-own-token' }, swarming_http_headers_exp=int(time.time() + 3600), bot_service_account='none', system_service_account='*****@*****.**', task_service_account='none')) rpc_client = self.mocked_rpc_client( remote_client.MintOAuthTokenError('msg')) self.auth_sys.set_remote_client(rpc_client) code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C']) self.assertEqual(200, code) self.assertEqual({u'error_message': u'msg', u'error_code': 4}, resp) self.assertTrue(rpc_client.calls) del rpc_client.calls[:] # The error is cached, no RPCs are made. code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C']) self.assertEqual(200, code) self.assertEqual({u'error_message': u'msg', u'error_code': 4}, resp) self.assertFalse(rpc_client.calls)
def test_minting_via_rpc_switching_to_none(self): local_auth_ctx = self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={ 'Authorization': 'Bearer bot-own-token' }, swarming_http_headers_exp=int(time.time() + 3600), bot_service_account='none', system_service_account='*****@*****.**', task_service_account='none')) rpc_client = self.mocked_rpc_client({'service_account': 'none'}) self.auth_sys.set_remote_client(rpc_client) # Refused. code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C']) self.assertEqual(200, code) self.assertEqual( { u'error_code': 1, u'error_message': u"The task has no 'system' account associated with it" }, resp)
def test_minting_via_rpc_internal_error(self): local_auth_ctx = self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={ 'Authorization': 'Bearer bot-own-token' }, swarming_http_headers_exp=int(time.time() + 3600), bot_service_account='none', system_service_account='*****@*****.**', task_service_account='none')) rpc_client = self.mocked_rpc_client(remote_client.InternalError('msg')) self.auth_sys.set_remote_client(rpc_client) code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C']) self.assertEqual(500, code) self.assertEqual(b'msg\n', resp) self.assertTrue(rpc_client.calls) del rpc_client.calls[:] # The error is NOT cached, another RPC is made. code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C']) self.assertEqual(500, code) self.assertTrue(rpc_client.calls)
def test_no_auth(self): # Not using service accounts at all -> no LUCI_CONTEXT['local_auth']. local_auth_ctx = self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={ 'Authorization': 'Bearer bot-own-token' }, swarming_http_headers_exp=0, bot_service_account='none', system_service_account='none', task_service_account='none')) self.assertIsNone(local_auth_ctx)
def test_get_bot_headers(self): # 'get_bot_headers' returns swarming_http_headers. exp = int(time.time() + 3600) self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={ 'Authorization': 'Bearer bot-own-token' }, swarming_http_headers_exp=exp, bot_service_account='none', system_service_account='none', task_service_account='none')) self.assertEqual(({ 'Authorization': 'Bearer bot-own-token' }, exp), self.auth_sys.get_bot_headers())
def test_minting_via_rpc_ok(self): local_auth_ctx = self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={ 'Authorization': 'Bearer bot-own-token' }, swarming_http_headers_exp=int(time.time() + 3600), bot_service_account='none', system_service_account='*****@*****.**', task_service_account='none')) # Email is set. self.assertEqual([{ 'id': 'system', 'email': '*****@*****.**' }], local_auth_ctx['accounts']) expiry = int(time.time() + 3600) rpc_client = self.mocked_rpc_client({ 'service_account': '*****@*****.**', 'access_token': 'blah', 'expiry': expiry, }) self.auth_sys.set_remote_client(rpc_client) code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C']) self.assertEqual(200, code) self.assertEqual({u'access_token': u'blah', u'expiry': expiry}, resp) self.assertEqual([{ 'account_id': 'system', 'bot_id': 'bot_1', 'scopes': ('A', 'B', 'C'), 'task_id': 'task_1', }], rpc_client.calls) del rpc_client.calls[:] # The token is cached. code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C']) self.assertEqual(200, code) self.assertEqual({u'access_token': u'blah', u'expiry': expiry}, resp) self.assertFalse(rpc_client.calls)
def test_minting_via_rpc_switching_to_bot(self): expiry = int(time.time() + 3600) local_auth_ctx = self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={ 'Authorization': 'Bearer bot-own-token' }, swarming_http_headers_exp=expiry, bot_service_account='none', system_service_account='*****@*****.**', task_service_account='none')) rpc_client = self.mocked_rpc_client({'service_account': 'bot'}) self.auth_sys.set_remote_client(rpc_client) # Got bot token instead. code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C']) self.assertEqual(200, code) self.assertEqual({ u'access_token': u'bot-own-token', u'expiry': expiry }, resp)
def test_system_and_task_as_bot(self): exp = int(time.time() + 3600) # An auth system configured to use both system and task accounts, both set # to bot's own credentials. local_auth_ctx = self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={ 'Authorization': 'Bearer bot-own-token' }, swarming_http_headers_exp=exp, bot_service_account='*****@*****.**', system_service_account='bot', task_service_account='bot')) self.assertEqual( ['accounts', 'default_account_id', 'rpc_port', 'secret'], sorted(local_auth_ctx)) # Both are defined, 'system' is default. self.assertEqual([ { 'id': 'system', 'email': '*****@*****.**' }, { 'id': 'task', 'email': '*****@*****.**' }, ], local_auth_ctx['accounts']) self.assertEqual('system', local_auth_ctx.get('default_account_id')) # Both 'system' and 'task' tokens work. for account_id in ('system', 'task'): code, resp = call_rpc(local_auth_ctx, account_id, ['A', 'B', 'C']) self.assertEqual(200, code) self.assertEqual([u'access_token', u'expiry'], sorted(resp)) self.assertEqual(u'bot-own-token', resp['access_token']) self.assertEqual(exp, resp['expiry'])
def test_using_bot_without_known_email(self): # An auth system configured to use both system and task accounts, both set # to bot's own credentials, with email not known. local_auth_ctx = self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={}, swarming_http_headers_exp=None, bot_service_account='none', system_service_account='bot', task_service_account='bot')) # Email is not available, as indicated by '-'. self.assertEqual([ { 'id': 'system', 'email': '-' }, { 'id': 'task', 'email': '-' }, ], local_auth_ctx['accounts'])
def test_system_as_bot(self): exp = int(time.time() + 3600) # An auth system is configured to use only system account, set to bot's own # credentials. local_auth_ctx = self.init_auth_system( bot_auth.AuthParams(bot_id='bot_1', task_id='task_1', swarming_http_headers={ 'Authorization': 'Bearer bot-own-token' }, swarming_http_headers_exp=exp, bot_service_account='*****@*****.**', system_service_account='bot', task_service_account='none')) self.assertEqual( ['accounts', 'default_account_id', 'rpc_port', 'secret'], sorted(local_auth_ctx)) # Only 'system' account is defined (no 'task'), and it is default. self.assertEqual([{ 'id': 'system', 'email': '*****@*****.**' }], local_auth_ctx['accounts']) self.assertEqual('system', local_auth_ctx['default_account_id']) # Try to use the local RPC service to grab a 'system' token. Should return # the token specified by 'swarming_http_headers'. code, resp = call_rpc(local_auth_ctx, 'system', ['A', 'B', 'C']) self.assertEqual(200, code) self.assertEqual([u'access_token', u'expiry'], sorted(resp)) self.assertEqual(u'bot-own-token', resp['access_token']) self.assertEqual(exp, resp['expiry']) # No 'task' token at all. code, _ = call_rpc(local_auth_ctx, 'task', ['A', 'B', 'C']) self.assertEqual(404, code)