def __init__(self, name, auth, idm, locator):
    """Initialise the object with a name, a macaroon store and a checker.

    Args:
        name: Stored unchanged as ``self._name``.
        auth: Passed to the checker as its ``authorizer``.
        idm: Passed to the checker as its ``identity_client``.
        locator: Handed to ``_MacaroonStore`` along with the new key.
    """
    self._name = name
    # The key is generated here, once per instance, not supplied by the
    # caller.
    opstore = _MacaroonStore(macaroonbakery.generate_key(), locator)
    self._store = opstore
    # The checker verifies against the same store that was just created.
    self._checker = macaroonbakery.Checker(
        checker=test_checker(),
        authorizer=auth,
        identity_client=idm,
        macaroon_opstore=opstore,
    )
 def __init__(self, name, auth, idm, locator):
     """Record the name, then build the macaroon store and its checker.

     Args:
         name: Kept on the instance as ``self._name``.
         auth: Authorizer given to ``bakery.Checker``.
         idm: Identity client given to ``bakery.Checker``.
         locator: Forwarded to ``_MacaroonStore`` with a new key.
     """
     self._name = name
     # A new key is generated for every instance constructed here.
     self._store = _MacaroonStore(bakery.generate_key(), locator)
     # Collect the checker settings first so the wiring reads as one table.
     checker_settings = {
         'checker': test_checker(),
         'authorizer': auth,
         'identity_client': idm,
         'macaroon_opstore': self._store,
     }
     self._checker = bakery.Checker(**checker_settings)
Exemplo n.º 3
 def test_discharge_all_no_discharges(self):
     """discharge_all on this macaroon returns only the macaroon itself.

     No caveat is added to the macaroon before the call, and the test
     then checks that the result verifies under the root key it was
     created with.
     """
     key = b'root key'
     ns = common.test_checker().namespace()
     primary = bakery.Macaroon(
         root_key=key,
         id=b'id0',
         location='loc0',
         version=bakery.LATEST_VERSION,
         namespace=ns,
     )
     # no_discharge is defined elsewhere; presumably it fails the test if
     # a discharge is ever requested -- confirm against the helper.
     result = bakery.discharge_all(primary, no_discharge(self))
     self.assertEqual(len(result), 1)
     self.assertEqual(result[0], primary.macaroon)
     # The return value of verify() is not asserted; the check relies on
     # verify() raising when the signature does not match -- TODO confirm.
     verifier = Verifier()
     verifier.satisfy_general(always_ok)
     verifier.verify(primary.macaroon, key, None)
Exemplo n.º 4
    def test_third_party_discharge_macaroon_wrong_root_key_and_third_party_caveat(
            self):
        """A discharged macaroon is refused once the root key is replaced.

        The same macaroon set is checked twice: once against the key
        store as created, and once after the store's key has been
        overwritten with random bytes. The second check must raise
        ``bakery.PermissionDenied``.
        """
        key_store = bakery.MemoryKeyStore()
        target = bakery.Bakery(
            key=bakery.generate_key(),
            checker=common.test_checker(),
            root_key_store=key_store,
            identity_client=common.OneIdentity(),
        )
        third_parties = bakery.ThirdPartyStore()
        discharger = common.new_bakery('bs-loc', third_parties)
        ctx = common.test_context

        # The target service mints a macaroon and attaches a third party
        # caveat addressed to the discharger at 'bs-loc'.
        primary = target.oven.macaroon(
            bakery.LATEST_VERSION, common.ages, None, [bakery.LOGIN_OP])
        third_party_caveat = checkers.Caveat(
            location='bs-loc', condition='true')
        primary.add_caveat(third_party_caveat, target.oven.key, third_parties)

        def get_discharge(cav, payload):
            # Discharge with the discharger's own key and locator.
            oven = discharger.oven
            return bakery.discharge(
                ctx,
                cav.caveat_id_bytes,
                payload,
                oven.key,
                common.ThirdPartyStrcmpChecker('true'),
                oven.locator,
            )

        macaroons = bakery.discharge_all(primary, get_discharge)

        # With the key store untouched the authorization goes through.
        target.checker.auth([macaroons]).allow(ctx, [bakery.LOGIN_OP])

        # Overwrite the stored root key (via the store's private attribute)
        # with random bytes. Verification of the unchanged macaroons must
        # now fail, and that failure has to surface as PermissionDenied
        # rather than as a successful authorization.
        key_store._key = os.urandom(24)
        with self.assertRaises(bakery.PermissionDenied) as denied:
            target.checker.auth([macaroons]).allow(ctx, [bakery.LOGIN_OP])

        # Exact-match on the message; the text after 'verification failed: '
        # appears to come from the underlying crypto layer -- confirm
        # before relying on it across dependency upgrades.
        expected_message = (
            'verification failed: Decryption failed. Ciphertext failed verification'
        )
        self.assertEqual(str(denied.exception), expected_message)
    def test_third_party_discharge_macaroon_wrong_root_key_and_third_party_caveat(self):
        """Check that a changed root key turns a valid authorization into a denial.

        The macaroon and its discharge are created once and never
        modified; only the key held by the root key store changes between
        the two authorization attempts.
        """
        store = bakery.MemoryKeyStore()
        first_party = bakery.Bakery(
            key=bakery.generate_key(),
            checker=common.test_checker(),
            root_key_store=store,
            identity_client=common.OneIdentity(),
        )
        locator = bakery.ThirdPartyStore()
        third_party = common.new_bakery('bs-loc', locator)

        # Mint at the first party, then add a third party caveat that the
        # service registered as 'bs-loc' has to discharge.
        minted = first_party.oven.macaroon(
            bakery.LATEST_VERSION,
            common.ages,
            None,
            [bakery.LOGIN_OP],
        )
        minted.add_caveat(
            checkers.Caveat(location='bs-loc', condition='true'),
            first_party.oven.key,
            locator,
        )

        def get_discharge(cav, payload):
            # Called by discharge_all for the caveat added above.
            return bakery.discharge(
                common.test_context,
                cav.caveat_id_bytes,
                payload,
                third_party.oven.key,
                common.ThirdPartyStrcmpChecker('true'),
                third_party.oven.locator,
            )

        discharged = bakery.discharge_all(minted, get_discharge)

        def authorize():
            # Same macaroons, same context, same operation on every call.
            return first_party.checker.auth([discharged]).allow(
                common.test_context, [bakery.LOGIN_OP])

        # First attempt: the key store is as created, so this must succeed.
        authorize()

        # Second attempt: the store's key is replaced with random bytes by
        # writing its private attribute directly. The expected outcome is
        # bakery.PermissionDenied carrying a 'verification failed' message.
        store._key = os.urandom(24)
        with self.assertRaises(bakery.PermissionDenied) as raised:
            authorize()
        self.assertEqual(
            str(raised.exception),
            'verification failed: Decryption failed. Ciphertext failed verification',
        )