def test_http_403(self):
res = ndb.Future()
res.set_result(self.Response(403, 'Not authorized'))
self.mock(delegation, '_urlfetch_async', lambda **_k: res)
with self.assertRaises(delegation.DelegationAuthorizationError):
delegation.delegate(auth_service_url='https://example.com')
def test_http_500(self):
res = ndb.Future()
res.set_result(self.Response(500, 'Server internal error'))
self.mock(delegation, '_urlfetch_async', lambda **_k: res)
with self.assertRaises(delegation.DelegationTokenCreationError):
delegation.delegate(auth_service_url='https://example.com')
def test_http_403(self):
res = ndb.Future()
res.set_result(self.Response(403, 'Not authorized'))
self.mock(delegation, '_urlfetch_async', lambda **_k: res)
with self.assertRaises(delegation.DelegationAuthorizationError):
delegation.delegate(auth_service_url='https://example.com')
def test_http_500(self):
res = ndb.Future()
res.set_result(self.Response(500, 'Server internal error'))
self.mock(delegation, '_urlfetch_async', lambda **_k: res)
with self.assertRaises(delegation.DelegationTokenCreationError):
delegation.delegate(auth_service_url='https://example.com')
def test_http_403(self):
res = ndb.Future()
res.set_result(self.Response(403, 'Not authorized'))
self.mock(service_account, '_urlfetch_async', lambda **_k: res)
with self.assertRaises(exceptions.TokenAuthorizationError):
delegation.delegate(audience=['*'],
services=['*'],
token_server_url='https://example.com')
def test_http_500(self):
res = ndb.Future()
res.set_result(self.Response(500, 'Server internal error'))
self.mock(service_account, '_urlfetch_async', lambda **_k: res)
with self.assertRaises(exceptions.TokenCreationError):
delegation.delegate(audience=['*'],
services=['*'],
token_server_url='https://example.com')
def test_success(self):
self.mock_now(datetime.datetime(2015, 1, 1))
@ndb.tasklet
def urlfetch(url, payload, **_rest):
urlfetch.called = True
self.assertEqual(
url,
'https://tokens.example.com/prpc/tokenserver.minter.TokenMinter/'
'MintDelegationToken')
payload = json.loads(payload)
self.assertEqual(payload, urlfetch.expected_payload)
res = {
'token': 'deadbeef',
'serviceVersion': 'app-id/version-id',
'delegationSubtoken': {
'kind': 'BEARER_DELEGATION_TOKEN',
'validityDuration': payload['validityDuration'],
'subtokenId': '12345',
},
}
raise ndb.Return(
self.Response(200, ")]}'\n" + json.dumps(res, sort_keys=True)))
urlfetch.expected_payload = {
u'audience': [
u'REQUESTOR',
u'group:g',
u'user:[email protected]',
u'user:[email protected]',
],
u'services': [u'https://example.com', u'service:1', u'service:2'],
u'delegatedIdentity':
u'user:[email protected]',
u'tags': [u'a:b', u'c:d'],
u'validityDuration':
3000,
}
urlfetch.called = False
self.mock(delegation, '_urlfetch_async', urlfetch)
model.AuthReplicationState(
key=model.replication_state_key(),
primary_url='https://auth.example.com',
primary_id='example-app-id',
).put()
model.AuthGlobalConfig(
key=model.root_key(),
token_server_url='https://tokens.example.com',
).put()
args = {
'audience': [
'user:[email protected]',
model.Identity('user', '*****@*****.**'),
'group:g',
'REQUESTOR',
],
'services': [
'service:1',
model.Identity('service', '2'),
'https://example.com',
],
'max_validity_duration_sec':
3000,
'impersonate':
model.Identity('user', '*****@*****.**'),
'tags': ['c:d', 'a:b'],
}
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(result.expiry,
utils.utcnow() + datetime.timedelta(seconds=3000))
# Get from cache.
urlfetch.called = False
delegation.delegate(**args)
self.assertFalse(urlfetch.called)
# Get from cache with larger validity duration.
urlfetch.called = False
args['min_validity_duration_sec'] = 5000
args['max_validity_duration_sec'] = 5000
urlfetch.expected_payload['validityDuration'] = 5000
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(result.expiry,
utils.utcnow() + datetime.timedelta(seconds=5000))
self.assertTrue(urlfetch.called)
def test_success(self):
self.mock_now(datetime.datetime(2015, 1, 1))
@ndb.tasklet
def urlfetch(url, payload, **_rest):
urlfetch.called = True
self.assertEqual(
url,
'https://example.com/auth_service/api/v1/delegation/token/create'
)
payload = json.loads(payload)
self.assertEqual(payload, urlfetch.expected_payload)
res = {
'delegation_token': 'deadbeef',
'validity_duration': payload['validity_duration'],
}
raise ndb.Return(
self.Response(200, json.dumps(res, sort_keys=True)))
urlfetch.expected_payload = {
'audience': [
'group:g',
'user:[email protected]',
'user:[email protected]',
],
'services': ['service:1', 'service:2'],
'validity_duration': 3000,
'impersonate': 'user:[email protected]',
}
urlfetch.called = False
self.mock(delegation, '_urlfetch_async', urlfetch)
model.AuthReplicationState(
key=model.replication_state_key(),
primary_url='https://example.com',
primary_id='example-app-id',
).put()
args = {
'audience': [
'user:[email protected]',
model.Identity('user', '*****@*****.**'),
'group:g',
],
'services': ['service:1',
model.Identity('service', '2')],
'max_validity_duration_sec':
3000,
'impersonate':
model.Identity('user', '*****@*****.**'),
}
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(result.expiry,
utils.utcnow() + datetime.timedelta(seconds=3000))
# Get from cache.
urlfetch.called = False
delegation.delegate(**args) # must not increase urlfetch.call_count
self.assertFalse(urlfetch.called)
# Get from cache with larger validity duration.
urlfetch.called = False
args['min_validity_duration_sec'] = 5000
args['max_validity_duration_sec'] = 5000
urlfetch.expected_payload['validity_duration'] = 5000
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(result.expiry,
utils.utcnow() + datetime.timedelta(seconds=5000))
self.assertTrue(urlfetch.called)
def test_success(self):
self.mock_now(datetime.datetime(2015, 1, 1))
@ndb.tasklet
def urlfetch(url, payload, **_rest):
urlfetch.called = True
self.assertEqual(
url,
'https://example.com/auth_service/api/v1/delegation/token/create')
payload = json.loads(payload)
self.assertEqual(payload, urlfetch.expected_payload)
res = {
'delegation_token': 'deadbeef',
'validity_duration': payload['validity_duration'],
}
raise ndb.Return(self.Response(200, json.dumps(res, sort_keys=True)))
urlfetch.expected_payload = {
'audience': [
'user:[email protected]',
'user:[email protected]',
'group:g'
],
'services': ['service:1', 'service:2'],
'validity_duration': 3000,
'impersonate': 'user:[email protected]',
}
urlfetch.called = False
self.mock(delegation, '_urlfetch_async', urlfetch)
model.AuthReplicationState(
key=model.replication_state_key(),
primary_url='https://example.com'
).put()
args = {
'audience': [
'user:[email protected]',
model.Identity('user', '*****@*****.**'),
'group:g',
],
'services': [
'service:1',
model.Identity('service', '2')
],
'max_validity_duration_sec': 3000,
'impersonate': model.Identity('user', '*****@*****.**'),
}
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(
result.expiry, utils.utcnow() + datetime.timedelta(seconds=3000))
# Get from cache.
urlfetch.called = False
delegation.delegate(**args) # must not increase urlfetch.call_count
self.assertFalse(urlfetch.called)
# Get from cache with larger validity duration.
urlfetch.called = False
args['min_validity_duration_sec'] = 5000
args['max_validity_duration_sec'] = 5000
urlfetch.expected_payload['validity_duration'] = 5000
result = delegation.delegate(**args)
self.assertTrue(urlfetch.called)
self.assertEqual(result.token, 'deadbeef')
self.assertEqual(
result.expiry, utils.utcnow() + datetime.timedelta(seconds=5000))
self.assertTrue(urlfetch.called)
