def fake_token_proto():
    """Return a placeholder DelegationToken envelope for base64 round-trip tests.

    Every field holds a fixed dummy string named after itself. The signature
    field is not a real signature, so the result is only suitable for
    exercising serialization, never for exercising verification.
    """
    placeholder_fields = {
        'serialized_subtoken': 'serialized_subtoken',
        'signer_id': 'signer_id',
        'signing_key_id': 'signing_key_id',
        'pkcs1_sha256_sig': 'pkcs1_sha256_sig',
    }
    return delegation_pb2.DelegationToken(**placeholder_fields)
def test_delegation_token(self):
    """Exercise X-Delegation-Token-V1 handling for a good and a malformed token.

    A well-formed token must yield a CapturedState that carries the parsed
    subtoken; a token with trailing garbage must be rejected with
    PERMISSION_DENIED.
    """
    token_header = 'X-Delegation-Token-V1'

    # Build a delegation token whose signature is a placeholder string.
    # NOTE(review): presumably signature verification is stubbed by the test
    # fixture, otherwise 'fake-signature' could not be accepted -- confirm.
    delegated = delegation_pb2.Subtoken(
        delegated_identity='user:[email protected]',
        kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
        audience=['*'],
        services=['*'],
        creation_time=int(utils.time_time()),
        validity_duration=3600)
    envelope = delegation_pb2.DelegationToken(
        serialized_subtoken=delegated.SerializeToString(),
        signer_id='user:[email protected]',
        signing_key_id='signing-key',
        pkcs1_sha256_sig='fake-signature')
    encoded = tokens.base64_encode(envelope.SerializeToString())

    # Well-formed token: the call succeeds and exposes the subtoken.
    state, ctx = self.call(
        'ipv4:127.0.0.1', '*****@*****.**', {token_header: encoded})
    expected_state = CapturedState(
        current_identity='user:[email protected]',
        is_superuser=False,
        peer_identity='user:[email protected]',
        peer_ip=ipaddr.ip_from_string('127.0.0.1'),
        delegation_token=delegated,
    )
    self.assertEqual(state, expected_state)

    # Malformed token: only the parse-failure path is covered here (the
    # expected detail is a truncated-proto error). A bad signature, an expired
    # token or an audience/services mismatch is not exercised by this test.
    state, ctx = self.call(
        'ipv4:127.0.0.1', '*****@*****.**',
        {token_header: encoded + 'blah'})
    self.assertIsNone(state)
    self.assertEqual(ctx.code, prpclib.StatusCode.PERMISSION_DENIED)
    self.assertEqual(
        ctx.details,
        'Bad delegation token: Bad proto: Truncated message.')
def test_delegation_token(self):
    """Check call_with_tokens() with no token, a good token and a malformed one.

    The first two cases compare the reported current and peer identities; the
    last expects api.AuthorizationError.
    """
    # Baseline: no delegation token supplied.
    expected_plain = {
        'cur_id': 'user:[email protected]',
        'peer_id': 'user:[email protected]',
    }
    self.assertEqual(expected_plain, self.call_with_tokens())

    # Build a delegation token whose signature is a placeholder string.
    # NOTE(review): presumably signature verification is stubbed by the test
    # fixture, otherwise 'fake-signature' could not be accepted -- confirm.
    delegated = delegation_pb2.Subtoken(
        delegated_identity='user:[email protected]',
        kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
        audience=['*'],
        services=['*'],
        creation_time=int(utils.time_time()),
        validity_duration=3600)
    envelope = delegation_pb2.DelegationToken(
        serialized_subtoken=delegated.SerializeToString(),
        signer_id='user:[email protected]',
        signing_key_id='signing-key',
        pkcs1_sha256_sig='fake-signature')
    encoded = tokens.base64_encode(envelope.SerializeToString())

    # Well-formed token.
    expected_delegated = {
        'cur_id': 'user:[email protected]',
        'peer_id': 'user:[email protected]',
    }
    self.assertEqual(
        expected_delegated, self.call_with_tokens(delegation_tok=encoded))

    # Malformed token: trailing garbage after the base64 payload. This covers
    # a token that fails to decode, not one with a bad signature or one that
    # has expired.
    with self.assertRaises(api.AuthorizationError):
        self.call_with_tokens(delegation_tok=encoded + 'blah')
def seal_token(subtoken):
    """Serialize and sign a subtoken, wrapping the result in a DelegationToken.

    Args:
      subtoken: message exposing SerializeToString(); the serialized bytes are
        exactly what gets signed and what is embedded in the envelope.

    Returns:
      delegation_pb2.DelegationToken holding the serialized subtoken, this
      service's own identity as signer_id, and the key id and signature
      returned by signature.sign_blob.
    """
    blob = subtoken.SerializeToString()
    # NOTE(review): the second argument (0.5) is presumably a deadline in
    # seconds for the signing call -- confirm against signature.sign_blob.
    key_id, sig = signature.sign_blob(blob, 0.5)
    # The signer is always the service itself, never a caller-supplied value.
    signer = model.get_service_self_identity().to_bytes()
    return delegation_pb2.DelegationToken(
        serialized_subtoken=blob,
        signer_id=signer,
        signing_key_id=key_id,
        pkcs1_sha256_sig=sig)
def test_delegation_token(self):
    """Check HTTP status and body for each delegation-token outcome.

    Covers: no token (200), well-formed token (200), malformed token (403) and
    a transient failure of the token check (500).
    """
    token_header = 'X-Delegation-Token-V1'
    call = self.make_test_app_with_peer('user:[email protected]')

    # Baseline: no delegation token supplied.
    expected_plain = {
        'status': 200,
        'body': {
            u'cur_id': u'user:[email protected]',
            u'peer_id': u'user:[email protected]',
        },
    }
    self.assertEqual(expected_plain, call())

    # Build a delegation token whose signature is a placeholder string.
    # NOTE(review): presumably signature verification is stubbed by the test
    # fixture, otherwise 'fake-signature' could not be accepted -- confirm.
    delegated = delegation_pb2.Subtoken(
        delegated_identity='user:[email protected]',
        kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
        audience=['*'],
        services=['*'],
        creation_time=int(utils.time_time()),
        validity_duration=3600)
    envelope = delegation_pb2.DelegationToken(
        serialized_subtoken=delegated.SerializeToString(),
        signer_id='user:[email protected]',
        signing_key_id='signing-key',
        pkcs1_sha256_sig='fake-signature')
    encoded = b64.encode(envelope.SerializeToString())

    # Well-formed token.
    expected_delegated = {
        'status': 200,
        'body': {
            u'cur_id': u'user:[email protected]',
            u'peer_id': u'user:[email protected]',
        },
    }
    self.assertEqual(expected_delegated, call({token_header: encoded}))

    # Malformed token: must be a hard 403. Only the decode-failure path is
    # covered; bad signature and expiry are not exercised by this test.
    resp = call({token_header: encoded + 'blah'})
    self.assertEqual(403, resp['status'])
    self.assertIn('Bad delegation token', resp['body'])

    # Transient failure of the check: must surface as 500, not as a denial
    # and not as a silent fall-through to the peer identity.
    # NOTE(review): the exception message is expected in the response body;
    # confirm real TransientError messages carry nothing sensitive.
    def raise_transient(*_args):
        raise delegation.TransientError('Blah')

    self.mock(delegation, 'check_bearer_delegation_token', raise_transient)
    resp = call({token_header: encoded})
    self.assertEqual(500, resp['status'])
    self.assertIn('Blah', resp['body'])
def test_delegation_token(self):
    """Check the identities reported with no token, a good token and a bad one.

    A local helper issues the call and then reads identities back from the
    auth API; the malformed-token case expects api.AuthorizationError.
    """
    def call(tok=None):
        """Issue one request (optionally with a token) and report identities."""
        if tok:
            headers = {'X-Delegation-Token-V1': tok}
        else:
            headers = None
        self.call('127.0.0.1', '*****@*****.**', headers)
        # NOTE(review): 'peer_id' is read via api.get_current_identity(), the
        # same accessor as 'cur_id', so this helper never observes the peer
        # identity. It looks like api.get_peer_identity() was intended; the
        # expected values below may need updating if that is changed.
        current = api.get_current_identity().to_bytes()
        peer = api.get_current_identity().to_bytes()
        return {'cur_id': current, 'peer_id': peer}

    # Baseline: no delegation token supplied.
    expected_plain = {
        'cur_id': 'user:[email protected]',
        'peer_id': 'user:[email protected]',
    }
    self.assertEqual(expected_plain, call())

    # Build a delegation token whose signature is a placeholder string.
    # NOTE(review): presumably signature verification is stubbed by the test
    # fixture, otherwise 'fake-signature' could not be accepted -- confirm.
    delegated = delegation_pb2.Subtoken(
        delegated_identity='user:[email protected]',
        kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
        audience=['*'],
        services=['*'],
        creation_time=int(utils.time_time()),
        validity_duration=3600)
    envelope = delegation_pb2.DelegationToken(
        serialized_subtoken=delegated.SerializeToString(),
        signer_id='user:[email protected]',
        signing_key_id='signing-key',
        pkcs1_sha256_sig='fake-signature')
    encoded = tokens.base64_encode(envelope.SerializeToString())

    # Well-formed token.
    expected_delegated = {
        'cur_id': 'user:[email protected]',
        'peer_id': 'user:[email protected]',
    }
    self.assertEqual(expected_delegated, call(encoded))

    # Malformed token: trailing garbage after the base64 payload. This covers
    # a token that fails to decode, not one with a bad signature or one that
    # has expired.
    with self.assertRaises(api.AuthorizationError):
        call(encoded + 'blah')
def test_delegation_token(self):
    """Check an AuthenticatingHandler's responses for each token outcome.

    A throwaway handler reports the peer and current identities as JSON. The
    test covers: no token, well-formed token, malformed token (403) and a
    transient failure of the token check (500).
    """
    token_header = 'X-Delegation-Token-V1'
    peer_ident = model.Identity.from_bytes('user:[email protected]')

    class Handler(handler.AuthenticatingHandler):
        """Echoes the identities the auth layer resolved for the request."""

        @classmethod
        def get_auth_methods(cls, conf):
            # Stub authentication: every request is attributed to peer_ident.
            # NOTE(review): the meaning of the second tuple element (False) is
            # not visible here -- confirm against AuthenticatingHandler.
            return [lambda _request: (peer_ident, False)]

        @api.public
        def get(self):
            identities = {
                'peer_id': api.get_peer_identity().to_bytes(),
                'cur_id': api.get_current_identity().to_bytes(),
            }
            self.response.write(json.dumps(identities))

    app = self.make_test_app('/request', Handler)

    def call(headers=None):
        """GET /request and return the decoded JSON body."""
        response = app.get('/request', headers=headers)
        return json.loads(response.body)

    # Baseline: no delegation token supplied.
    expected_plain = {
        u'cur_id': u'user:[email protected]',
        u'peer_id': u'user:[email protected]',
    }
    self.assertEqual(expected_plain, call())

    # Build a delegation token whose signature is a placeholder string.
    # NOTE(review): presumably signature verification is stubbed by the test
    # fixture, otherwise 'fake-signature' could not be accepted -- confirm.
    delegated = delegation_pb2.Subtoken(
        delegated_identity='user:[email protected]',
        kind=delegation_pb2.Subtoken.BEARER_DELEGATION_TOKEN,
        audience=['*'],
        services=['*'],
        creation_time=int(utils.time_time()),
        validity_duration=3600)
    envelope = delegation_pb2.DelegationToken(
        serialized_subtoken=delegated.SerializeToString(),
        signer_id='user:[email protected]',
        signing_key_id='signing-key',
        pkcs1_sha256_sig='fake-signature')
    encoded = tokens.base64_encode(envelope.SerializeToString())

    # Well-formed token.
    expected_delegated = {
        u'cur_id': u'user:[email protected]',
        u'peer_id': u'user:[email protected]',
    }
    self.assertEqual(expected_delegated, call({token_header: encoded}))

    # Malformed token: must be a hard 403. Only the decode-failure path is
    # covered; bad signature and expiry are not exercised by this test.
    resp = app.get(
        '/request',
        headers={token_header: encoded + 'blah'},
        expect_errors=True)
    self.assertEqual(403, resp.status_int)

    # Transient failure of the check: must surface as 500, not as a denial
    # and not as a silent fall-through to the peer identity.
    def raise_transient(*_args):
        raise delegation.TransientError('Blah')

    self.mock(delegation, 'check_bearer_delegation_token', raise_transient)
    resp = app.get(
        '/request',
        headers={token_header: encoded},
        expect_errors=True)
    self.assertEqual(500, resp.status_int)