def test_expired(self):
now = int(utils.time_time())
tok = fake_subtoken_proto('user:[email protected]',
creation_time=now - 120,
validity_duration=60)
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken(tok, FAKE_IDENT, api.AuthDB())
def test_allowed_clock_drift(self):
now = utils.utcnow()
self.mock_now(now)
tok = fake_subtoken_proto('user:[email protected]')
# Works -29 sec before activation.
self.mock_now(now, -29)
self.assertTrue(delegation.check_subtoken(tok, FAKE_IDENT))
# Doesn't work before that.
self.mock_now(now, -31)
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken(tok, FAKE_IDENT)
def test_subtoken_services(self):
tok = fake_subtoken_proto('user:[email protected]',
services=['service:app-id'])
# Passes.
self.mock(model, 'get_service_self_identity',
lambda: model.Identity.from_bytes('service:app-id'))
self.assertTrue(delegation.check_subtoken(tok, FAKE_IDENT))
# Fails.
self.mock(model, 'get_service_self_identity',
lambda: model.Identity.from_bytes('service:another-app-id'))
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken(tok, FAKE_IDENT)
def test_expiration_moment(self):
now = utils.utcnow()
self.mock_now(now)
tok = fake_subtoken_proto('user:[email protected]',
validity_duration=3600)
# Active at now + 3599.
self.mock_now(now, 3599)
self.assertTrue(delegation.check_subtoken(tok, FAKE_IDENT))
# Expired at now + 3601.
self.mock_now(now, 3601)
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken(tok, FAKE_IDENT)
def test_subtoken_audience(self):
groups = {'abc': ['user:[email protected]']}
self.mock(api, 'is_group_member',
lambda g, i: i.to_bytes() in groups.get(g, []))
tok = fake_subtoken_proto('user:[email protected]',
audience=['user:[email protected]', 'group:abc'])
# Works.
make_id = model.Identity.from_bytes
self.assertTrue(delegation.check_subtoken(tok,
make_id('user:[email protected]')))
self.assertTrue(delegation.check_subtoken(tok,
make_id('user:[email protected]')))
# Other ids are rejected.
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken(tok, make_id('user:[email protected]'))
def test_subtoken_audience(self):
auth_db = api.AuthDB.empty()
self.mock(
auth_db, 'is_group_member', lambda gr, ident: gr == 'abc' and ident
.to_bytes() == 'user:[email protected]')
tok = fake_subtoken_proto('user:[email protected]',
audience=['user:[email protected]', 'group:abc'])
# Works.
make_id = model.Identity.from_bytes
self.assertTrue(
delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db))
self.assertTrue(
delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db))
# Other ids are rejected.
with self.assertRaises(exceptions.BadTokenError):
delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db)
def test_subtoken_audience(self):
auth_db = api.AuthDB(groups=[
model.AuthGroup(
id='abc',
members=[model.Identity.from_bytes('user:[email protected]')],
)
])
tok = fake_subtoken_proto('user:[email protected]',
audience=['user:[email protected]', 'group:abc'])
# Works.
make_id = model.Identity.from_bytes
self.assertTrue(
delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db))
self.assertTrue(
delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db))
# Other ids are rejected.
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken(tok, make_id('user:[email protected]'), auth_db)
def test_not_active_yet(self):
now = int(utils.time_time())
tok = fake_subtoken_proto('user:[email protected]',
creation_time=now + 120)
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken(tok, FAKE_IDENT, api.AuthDB())
def test_negative_validatity_duration(self):
tok = fake_subtoken_proto('user:[email protected]',
validity_duration=-3600)
with self.assertRaises(delegation.BadTokenError):
delegation.check_subtoken(tok, FAKE_IDENT, api.AuthDB())
def test_passes_validation(self):
tok = fake_subtoken_proto('user:[email protected]')
ident = delegation.check_subtoken(tok, FAKE_IDENT, api.AuthDB())
self.assertEqual('user:[email protected]', ident.to_bytes())
