def test_active_service_account_in_ds(self): expected_json = 'fake service account json' caller_uid = self._random_subject_id() real_user_id = self._random_subject_id() ftvm = FenceTokenVendingMachine( None, self._mock_sam_api(real_user_id, "*****@*****.**"), self._mock_oauth_adapter("fake_token"), provider_name) TokenStore.save(real_user_id, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name) fsa_key = ftvm._fence_service_account_key(real_user_id) stored_fsa = FenceServiceAccount(key_json=expected_json, expires_at=datetime.datetime.now() + datetime.timedelta(days=5), update_lock_timeout=None, key=fsa_key) stored_fsa.put() self.assertIsNone(memcache.get(namespace=provider_name, key=caller_uid)) service_account_json = ftvm.get_service_account_key_json( UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10)) self.assertEqual(expected_json, service_account_json) self.assertIsNotNone( memcache.get(namespace=provider_name, key=caller_uid))
def test_no_service_account(self): expected_json = 'fake service account json' caller_uid = self._random_subject_id() real_user_id = self._random_subject_id() ftvm = FenceTokenVendingMachine( self._mock_fence_api(expected_json), self._mock_sam_api(real_user_id, "*****@*****.**"), self._mock_oauth_adapter("fake_token"), provider_name) TokenStore.save(real_user_id, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name) self.assertIsNone(memcache.get(namespace=provider_name, key=caller_uid)) fsa_key = ftvm._fence_service_account_key(real_user_id) self.assertIsNone(fsa_key.get()) service_account_json = ftvm.get_service_account_key_json( UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10)) self.assertEqual(expected_json, service_account_json) self.assertIsNotNone( memcache.get(namespace=provider_name, key=caller_uid)) stored_fsa = fsa_key.get() self.assertIsNotNone(stored_fsa) self.assertIsNone(stored_fsa.update_lock_timeout) self.assertEqual(expected_json, stored_fsa.key_json) self.assertGreater(stored_fsa.expires_at, datetime.datetime.now())
def test_link_info_exists(self): token = str(uuid.uuid4()) TokenStore.save(user_id=self.user_id, refresh_token_str=token, issued_at=datetime.fromtimestamp(self.issued_at_epoch), username=self.name, provider_name=provider_name) link_info = self.bond.get_link_info(UserInfo(str(uuid.uuid4()), "", "", 30)) self.assertEqual(token, link_info.token)
def test_generate_access_token(self): token = str(uuid.uuid4()) TokenStore.save(user_id=self.user_id, refresh_token_str=token, issued_at=datetime.fromtimestamp(self.issued_at_epoch), username=self.name, provider_name=provider_name) access_token, expires_at = self.bond.generate_access_token(UserInfo(str(uuid.uuid4()), "", "", 30)) self.assertEqual(self.fake_access_token, access_token) self.assertEqual(datetime.fromtimestamp(self.expires_at_epoch), expires_at)
def test_revoke_link_exists(self): token = str(uuid.uuid4()) TokenStore.save(self.user_id, token, datetime.now(), self.name, provider_name) user_info = UserInfo(str(uuid.uuid4()), "", "", 30) self.bond.fence_tvm.get_service_account_key_json(user_info) self.assertIsNotNone(self.bond.fence_tvm._fence_service_account_key(self.user_id).get()) self.bond.unlink_account(user_info) self.assertIsNone(self.bond.fence_tvm._fence_service_account_key(self.user_id).get()) self.assertIsNone(TokenStore.lookup(self.user_id, provider_name)) self.bond.oauth_adapter.revoke_refresh_token.assert_called_once() self.bond.fence_api.delete_credentials_google.assert_called_once()
def test_not_linked(self): caller_uid = self._random_subject_id() real_user_id = self._random_subject_id() ftvm = FenceTokenVendingMachine( None, self._mock_sam_api(real_user_id, "*****@*****.**"), None, provider_name) self.assertIsNone(memcache.get(namespace=provider_name, key=caller_uid)) fsa_key = ftvm._fence_service_account_key(real_user_id) self.assertIsNone(fsa_key.get()) with self.assertRaises(endpoints.BadRequestException): ftvm.get_service_account_key_json( UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10))
def _test_with_lock(self, lock_timeout, update_fsa_fxn=None, api_json=None): expected_json = 'fake service account json' if not api_json: api_json = expected_json caller_uid = self._random_subject_id() real_user_id = self._random_subject_id() ftvm = FenceTokenVendingMachine( self._mock_fence_api(api_json), self._mock_sam_api(real_user_id, "*****@*****.**"), self._mock_oauth_adapter("fake_token"), provider_name) TokenStore.save(real_user_id, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name) fsa_key = ftvm._fence_service_account_key(real_user_id) stored_fsa = FenceServiceAccount(key_json="expired json", expires_at=datetime.datetime.now() - datetime.timedelta(days=5), update_lock_timeout=lock_timeout, key=fsa_key) stored_fsa.put() self.assertIsNone(memcache.get(namespace=provider_name, key=caller_uid)) if update_fsa_fxn: threading.Thread(target=update_fsa_fxn, args=(fsa_key, expected_json)).start() service_account_json = ftvm.get_service_account_key_json( UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10)) self.assertEqual(expected_json, service_account_json) self.assertIsNotNone( memcache.get(namespace=provider_name, key=caller_uid)) stored_fsa = fsa_key.get() self.assertIsNotNone(stored_fsa) self.assertIsNone(stored_fsa.update_lock_timeout) self.assertEqual(expected_json, stored_fsa.key_json) self.assertGreater(stored_fsa.expires_at, datetime.datetime.now())
def test_exchange_authz_code_missing_token(self): data = {"context": {"user": {"name": self.name}}, 'iat': self.issued_at_epoch} encoded_jwt = jwt.encode(data, 'secret', 'HS256') fake_token_dict = {FenceKeys.ACCESS_TOKEN_KEY: self.fake_access_token, FenceKeys.ID_TOKEN: encoded_jwt, FenceKeys.EXPIRES_AT_KEY: self.expires_at_epoch} mock_oauth_adapter = OauthAdapter("foo", "bar", "baz", "qux") mock_oauth_adapter.exchange_authz_code = MagicMock(return_value=fake_token_dict) mock_oauth_adapter.refresh_access_token = MagicMock(return_value=fake_token_dict) mock_oauth_adapter.revoke_refresh_token = MagicMock() fence_api = self._mock_fence_api(json.dumps({"private_key_id": "asfasdfasdf"})) sam_api = self._mock_sam_api(self.user_id, "email") bond = Bond(mock_oauth_adapter, fence_api, sam_api, FenceTokenVendingMachine(fence_api, sam_api, mock_oauth_adapter, provider_name), provider_name, "/context/user/name") with self.assertRaises(endpoints.BadRequestException): bond.exchange_authz_code("irrelevantString", "redirect", UserInfo(str(uuid.uuid4()), "", "", 30))
def test_active_service_account_in_mc(self): expected_json = 'fake service account json' caller_uid = self._random_subject_id() real_user_id = self._random_subject_id() ftvm = FenceTokenVendingMachine( None, None, None, provider_name) # none of the apis should be called memcache.add(namespace=provider_name, key=caller_uid, value=expected_json, time=20) fsa_key = ftvm._fence_service_account_key(real_user_id) self.assertIsNone(fsa_key.get()) service_account_json = ftvm.get_service_account_key_json( UserInfo(caller_uid, "*****@*****.**", "fake_token_too", 10)) self.assertEqual(expected_json, service_account_json) self.assertIsNone(fsa_key.get())
def test_generate_access_token_errors_when_missing_token(self): self.assertRaises(Bond.MissingTokenError, self.bond.generate_access_token, UserInfo(str(uuid.uuid4()), "", "", 30))
def test_exchange_authz_code(self): issued_at, username = self.bond.exchange_authz_code("irrelevantString", "redirect", UserInfo(str(uuid.uuid4()), "", "", 30)) self.assertEqual(self.name, username) self.assertEqual(datetime.fromtimestamp(self.issued_at_epoch), issued_at)
def test_link_info_not_exists(self): link_info = self.bond.get_link_info(UserInfo(str(uuid.uuid4()), "", "", 30)) self.assertIsNone(link_info)
def test_revoke_link_does_not_exists(self): user_info = UserInfo(str(uuid.uuid4()), "", "", 30) self.bond.unlink_account(user_info)