def test_get_delegation_config(self):
  """Checks get_delegation_config() before and after delegation.cfg is stored."""
  # Nothing stored yet: the returned proto must carry no rules.
  initial = config.get_delegation_config()
  self.assertFalse(initial.rules)

  # Fixture with exactly one rule: user 'service:abc', wildcard
  # target_service, max_validity_duration 3600.
  cfg_text = """rules { user_id: "service:abc" target_service: "*" max_validity_duration: 3600 }"""
  revision = config.Revision('rev', 'url')
  config._update_service_config('delegation.cfg', revision, cfg_text)

  # Clear the getter's cache before reading again (presumably it memoizes the
  # parsed config, so a stale empty proto would otherwise be returned).
  utils.clear_cache(config.get_delegation_config)
  reloaded = config.get_delegation_config()
  self.assertEqual(1, len(reloaded.rules))
def test_get_delegation_config(self):
  """Verifies the delegation config is empty by default and picks up updates."""
  # No delegation.cfg has been written: expect a proto without rules.
  empty_cfg = config.get_delegation_config()
  self.assertFalse(empty_cfg.rules)

  # Write a single-rule config (wildcard target_service for 'service:abc').
  rule_text = """rules { user_id: "service:abc" target_service: "*" max_validity_duration: 3600 }"""
  config._update_service_config(
      'delegation.cfg',
      config.Revision('rev', 'url'),
      rule_text)

  # The getter's cache is cleared explicitly before the second read.
  utils.clear_cache(config.get_delegation_config)
  updated_cfg = config.get_delegation_config()
  self.assertEqual(1, len(updated_cfg.rules))
def get_delegation_rule(user_id, services):
  """Picks the first delegation.cfg rule that covers the user and services.

  Rules are scanned in config order and the first match wins, so rule
  ordering in delegation.cfg decides which rule applies.

  Args:
    user_id: identity string compared against each rule's 'user_id' field.
    services: list of identity strings compared against 'target_service'.

  Returns:
    The matching config_pb2.DelegationConfig.Rule, or DEFAULT_RULE when no
    rule matches.
  """
  # NOTE(review): the `in` tests below are element membership only if
  # 'user_id' and 'target_service' are repeated string fields; on a plain
  # string they would be substring matches. Confirm against the proto.
  wanted = set(services)
  for rule in config.get_delegation_config().rules:
    # A literal '*' entry in user_id makes the rule apply to every caller.
    user_matches = '*' in rule.user_id or user_id in rule.user_id
    if not user_matches:
      continue
    # An empty `services` is a subset of any list, so it matches here too.
    if '*' in rule.target_service or wanted.issubset(rule.target_service):
      return rule
  return DEFAULT_RULE
def get_delegation_rule(user_id, services):
  """Picks the first delegation.cfg rule that covers the user and services.

  Rules are scanned in config order and the first match wins, so rule
  ordering in delegation.cfg decides which rule applies.

  Args:
    user_id: identity string; parsed with auth.Identity.from_bytes and then
      tested against every principal listed in a rule's 'user_id' field.
    services: list of identity strings compared against 'target_service'.
      If it contains '*', the first rule matching the user is returned.

  Returns:
    The matching config_pb2.DelegationConfig.Rule, or DEFAULT_RULE when no
    rule matches.
  """
  caller = auth.Identity.from_bytes(user_id)
  requested = set(services)
  for rule in config.get_delegation_config().rules:
    user_matches = any(
        is_identity_in_principal_set(caller, principal)
        for principal in rule.user_id)
    if not user_matches:
      continue
    if '*' in rule.target_service:
      return rule
    # NOTE(review): a '*' in `services` skips the comparison with the rule's
    # target_service list, so a rule scoped to specific services is still
    # returned for an all-services request. The docstring describes this as
    # intended; confirm that callers enforce the rule's target_service
    # themselves if a narrower scope is expected.
    # An empty `services` is a subset of any list, so it matches here too.
    if '*' in services or requested.issubset(rule.target_service):
      return rule
  return DEFAULT_RULE