def test_active_service_account_in_ds(self):
    """An unexpired service account already in the datastore is served as-is.

    The vending machine is constructed with no Fence API (``None``), so any call into
    Fence would hit ``None`` and fail; the stored key must therefore be what is served.
    The caller's memcache entry is absent before the call and present afterwards.
    """
    key_json = 'fake service account json'
    caller = self._random_subject_id()
    linked_user = self._random_subject_id()
    vending_machine = FenceTokenVendingMachine(
        None,
        self._mock_sam_api(linked_user, "*****@*****.**"),
        self._mock_oauth_adapter("fake_token"),
        provider_name)
    TokenStore.save(linked_user, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name)

    # Seed the datastore with a key that is valid for another five days and carries no update lock.
    account_key = vending_machine._fence_service_account_key(linked_user)
    FenceServiceAccount(
        key_json=key_json,
        expires_at=datetime.datetime.now() + datetime.timedelta(days=5),
        update_lock_timeout=None,
        key=account_key).put()

    def cached_for_caller():
        return memcache.get(namespace=provider_name, key=caller)

    self.assertIsNone(cached_for_caller())
    served_json = vending_machine.get_service_account_key_json(
        UserInfo(caller, "*****@*****.**", "fake_token_too", 10))
    self.assertEqual(key_json, served_json)
    self.assertIsNotNone(cached_for_caller())
def test_no_service_account(self):
    """With no stored service account, the key comes from Fence and is cached and persisted unlocked."""
    key_json = 'fake service account json'
    caller = self._random_subject_id()
    linked_user = self._random_subject_id()
    vending_machine = FenceTokenVendingMachine(
        self._mock_fence_api(key_json),
        self._mock_sam_api(linked_user, "*****@*****.**"),
        self._mock_oauth_adapter("fake_token"),
        provider_name)
    TokenStore.save(linked_user, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name)

    def cached_for_caller():
        return memcache.get(namespace=provider_name, key=caller)

    # Preconditions: nothing cached for the caller, nothing stored for the linked user.
    self.assertIsNone(cached_for_caller())
    account_key = vending_machine._fence_service_account_key(linked_user)
    self.assertIsNone(account_key.get())

    served_json = vending_machine.get_service_account_key_json(
        UserInfo(caller, "*****@*****.**", "fake_token_too", 10))
    self.assertEqual(key_json, served_json)
    self.assertIsNotNone(cached_for_caller())

    # The fetched key is now persisted, unexpired, and not left holding an update lock.
    persisted = account_key.get()
    self.assertIsNotNone(persisted)
    self.assertIsNone(persisted.update_lock_timeout)
    self.assertEqual(key_json, persisted.key_json)
    self.assertGreater(persisted.expires_at, datetime.datetime.now())
def test_no_service_account(self):
    """With no stored service account, the key comes from Fence and is cached and persisted unlocked."""
    key_json = 'fake service account json'
    caller = self._random_subject_id()
    linked_user = self._random_subject_id()
    vending_machine = FenceTokenVendingMachine(
        self._mock_fence_api(key_json),
        self._mock_sam_api(linked_user, "*****@*****.**"),
        self._mock_oauth_adapter("fake_token"),
        provider_name)
    TokenStore.save(linked_user, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name)

    def cached_for_caller():
        return memcache.get(namespace=provider_name, key=caller)

    # Preconditions: nothing cached for the caller, nothing stored for the linked user.
    self.assertIsNone(cached_for_caller())
    account_key = vending_machine._fence_service_account_key(linked_user)
    self.assertIsNone(account_key.get())

    served_json = vending_machine.get_service_account_key_json(
        UserInfo(caller, "*****@*****.**", "fake_token_too", 10))
    self.assertEqual(key_json, served_json)
    self.assertIsNotNone(cached_for_caller())

    # The fetched key is now persisted, unexpired, and not left holding an update lock.
    persisted = account_key.get()
    self.assertIsNotNone(persisted)
    self.assertIsNone(persisted.update_lock_timeout)
    self.assertEqual(key_json, persisted.key_json)
    self.assertGreater(persisted.expires_at, datetime.datetime.now())
def test_lookup(self):
    """A saved token round-trips through TokenStore.lookup with token, issued_at and username intact."""
    TokenStore.save(self.user_id, self.token_str, self.issued_at, self.username, provider_name)
    found = TokenStore.lookup(self.user_id, provider_name)
    for expected, actual in ((self.token_str, found.token),
                             (self.issued_at, found.issued_at),
                             (self.username, found.username)):
        self.assertEqual(expected, actual)
def _test_with_lock(self, lock_timeout, update_fsa_fxn=None, api_json=None):
    """Shared driver for the update-lock scenarios.

    Seeds the datastore with an expired service account whose ``update_lock_timeout`` is
    ``lock_timeout``, optionally runs ``update_fsa_fxn(fsa_key, expected_json)`` on a background
    thread to play a concurrent updater, and then checks that the vending machine serves the
    expected key, caches it for the caller, and leaves an unlocked, unexpired entity behind.
    ``api_json`` is what the mocked Fence API returns; it defaults to the expected key.
    """
    expected_json = 'fake service account json'
    fence_json = api_json or expected_json
    caller = self._random_subject_id()
    linked_user = self._random_subject_id()
    vending_machine = FenceTokenVendingMachine(
        self._mock_fence_api(fence_json),
        self._mock_sam_api(linked_user, "*****@*****.**"),
        self._mock_oauth_adapter("fake_token"),
        provider_name)
    TokenStore.save(linked_user, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name)

    # An entity that expired five days ago, carrying the lock state under test.
    account_key = vending_machine._fence_service_account_key(linked_user)
    FenceServiceAccount(
        key_json="expired json",
        expires_at=datetime.datetime.now() - datetime.timedelta(days=5),
        update_lock_timeout=lock_timeout,
        key=account_key).put()

    def cached_for_caller():
        return memcache.get(namespace=provider_name, key=caller)

    self.assertIsNone(cached_for_caller())
    if update_fsa_fxn:
        updater = threading.Thread(target=update_fsa_fxn, args=(account_key, expected_json))
        updater.start()

    served_json = vending_machine.get_service_account_key_json(
        UserInfo(caller, "*****@*****.**", "fake_token_too", 10))
    self.assertEqual(expected_json, served_json)
    self.assertIsNotNone(cached_for_caller())

    persisted = account_key.get()
    self.assertIsNotNone(persisted)
    self.assertIsNone(persisted.update_lock_timeout)
    self.assertEqual(expected_json, persisted.key_json)
    self.assertGreater(persisted.expires_at, datetime.datetime.now())
def test_link_info_exists(self):
    """get_link_info returns the refresh token stored for the linked user.

    The requester is a fresh random subject id rather than ``self.user_id``; presumably the
    fixture's mocked Sam API maps it onto ``self.user_id`` — verify against the setUp.
    """
    refresh_token = str(uuid.uuid4())
    TokenStore.save(user_id=self.user_id,
                    refresh_token_str=refresh_token,
                    issued_at=datetime.fromtimestamp(self.issued_at_epoch),
                    username=self.name,
                    provider_name=provider_name)
    requester = UserInfo(str(uuid.uuid4()), "", "", 30)
    self.assertEqual(refresh_token, self.bond.get_link_info(requester).token)
def test_generate_access_token(self):
    """generate_access_token yields the fixture's access token and its expiry as a datetime."""
    refresh_token = str(uuid.uuid4())
    TokenStore.save(user_id=self.user_id,
                    refresh_token_str=refresh_token,
                    issued_at=datetime.fromtimestamp(self.issued_at_epoch),
                    username=self.name,
                    provider_name=provider_name)
    requester = UserInfo(str(uuid.uuid4()), "", "", 30)
    issued_token, expiry = self.bond.generate_access_token(requester)
    self.assertEqual(self.fake_access_token, issued_token)
    # The epoch from the fixture must come back converted to a (naive, local) datetime.
    self.assertEqual(datetime.fromtimestamp(self.expires_at_epoch), expiry)
def test_revoke_link_exists(self):
    """unlink_account deletes the service account and stored token, and revokes upstream exactly once."""
    TokenStore.save(self.user_id, str(uuid.uuid4()), datetime.now(), self.name, provider_name)
    requester = UserInfo(str(uuid.uuid4()), "", "", 30)
    vending_machine = self.bond.fence_tvm

    def stored_service_account():
        return vending_machine._fence_service_account_key(self.user_id).get()

    # Vend a key first so there is a persisted service account for unlink to remove.
    vending_machine.get_service_account_key_json(requester)
    self.assertIsNotNone(stored_service_account())

    self.bond.unlink_account(requester)

    self.assertIsNone(stored_service_account())
    self.assertIsNone(TokenStore.lookup(self.user_id, provider_name))
    self.bond.oauth_adapter.revoke_refresh_token.assert_called_once()
    self.bond.fence_api.delete_credentials_google.assert_called_once()
def test_save(self):
    """TokenStore.save writes the token under the expected key and returns that same key."""
    self.assertIsNone(self.key.get())
    returned_key = TokenStore.save(self.user_id, self.token_str, self.issued_at, self.username, provider_name)
    self.assertEqual(returned_key, self.key)
    persisted = self.key.get()
    self.assertIsNotNone(persisted)
    for expected, actual in ((self.token_str, persisted.token),
                             (self.issued_at, persisted.issued_at),
                             (self.username, persisted.username)):
        self.assertEqual(expected, actual)
def _test_with_lock(self, lock_timeout, update_fsa_fxn=None, api_json=None):
    """Shared driver for the update-lock scenarios.

    Seeds the datastore with an expired service account whose ``update_lock_timeout`` is
    ``lock_timeout``, optionally runs ``update_fsa_fxn(fsa_key, expected_json)`` on a background
    thread to play a concurrent updater, and then checks that the vending machine serves the
    expected key, caches it for the caller, and leaves an unlocked, unexpired entity behind.
    ``api_json`` is what the mocked Fence API returns; it defaults to the expected key.
    """
    expected_json = 'fake service account json'
    fence_json = api_json or expected_json
    caller = self._random_subject_id()
    linked_user = self._random_subject_id()
    vending_machine = FenceTokenVendingMachine(
        self._mock_fence_api(fence_json),
        self._mock_sam_api(linked_user, "*****@*****.**"),
        self._mock_oauth_adapter("fake_token"),
        provider_name)
    TokenStore.save(linked_user, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name)

    # An entity that expired five days ago, carrying the lock state under test.
    account_key = vending_machine._fence_service_account_key(linked_user)
    FenceServiceAccount(
        key_json="expired json",
        expires_at=datetime.datetime.now() - datetime.timedelta(days=5),
        update_lock_timeout=lock_timeout,
        key=account_key).put()

    def cached_for_caller():
        return memcache.get(namespace=provider_name, key=caller)

    self.assertIsNone(cached_for_caller())
    if update_fsa_fxn:
        updater = threading.Thread(target=update_fsa_fxn, args=(account_key, expected_json))
        updater.start()

    served_json = vending_machine.get_service_account_key_json(
        UserInfo(caller, "*****@*****.**", "fake_token_too", 10))
    self.assertEqual(expected_json, served_json)
    self.assertIsNotNone(cached_for_caller())

    persisted = account_key.get()
    self.assertIsNotNone(persisted)
    self.assertIsNone(persisted.update_lock_timeout)
    self.assertEqual(expected_json, persisted.key_json)
    self.assertGreater(persisted.expires_at, datetime.datetime.now())
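def exchange_authz_code(self, authz_code, redirect_uri, user_info):
    """
    Given an authz_code and user information, exchange that code for an OAuth Access Token and Refresh Token.
    Store the refresh token for later, and return the datetime the token was issued along with the username for
    whom it was issued to by the OAuth provider.

    :param authz_code: Authorization code from OAuth provider
    :param redirect_uri: redirect url that was used when generating the code - will use default if None
    :param user_info: Information of the user who issued the request to Bond (not necessarily the same as the
    username for whom the refresh token was issued by the OAuth provider)
    :return: Two values: datetime when token was issued, username for whom the token was issued
    :raises endpoints.BadRequestException: if the provider's token response lacks the id_token or the refresh token
    """
    token_response = self.oauth_adapter.exchange_authz_code(authz_code, redirect_uri)

    # Validate the provider's response before doing any further work: the Sam lookup below is a remote call
    # and the TokenStore write is durable. Without the refresh token there is nothing to store; without the
    # id_token there is nothing to derive issued_at/username from, and the old code let a missing id_token
    # fall through into JwtToken(None, ...) instead of reporting a 400.
    for required_key in (FenceKeys.ID_TOKEN, FenceKeys.REFRESH_TOKEN_KEY):
        if required_key not in token_response:
            raise endpoints.BadRequestException("authorization response did not include " + required_key)

    # issued_at and username are taken from the id_token's claims, not from the caller-supplied user_info.
    # NOTE(review): whether JwtToken verifies the id_token's signature is not visible here — confirm, since
    # the username recorded against the Bond user is read from it.
    jwt_token = JwtToken(token_response.get(FenceKeys.ID_TOKEN), self.user_name_path_expr)

    # The Bond identity the refresh token is stored under is resolved via Sam from the caller's own token,
    # so a caller can only ever link a provider account to their own Sam user.
    user_id = self.sam_api.user_info(user_info.token)[SamKeys.USER_ID_KEY]

    TokenStore.save(user_id,
                    token_response.get(FenceKeys.REFRESH_TOKEN_KEY),
                    jwt_token.issued_at,
                    jwt_token.username,
                    self.provider_name)
    return jwt_token.issued_at, jwt_token.username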
def test_active_service_account_in_ds(self):
    """An unexpired service account already in the datastore is served as-is.

    The vending machine is constructed with no Fence API (``None``), so any call into
    Fence would hit ``None`` and fail; the stored key must therefore be what is served.
    The caller's memcache entry is absent before the call and present afterwards.
    """
    key_json = 'fake service account json'
    caller = self._random_subject_id()
    linked_user = self._random_subject_id()
    vending_machine = FenceTokenVendingMachine(
        None,
        self._mock_sam_api(linked_user, "*****@*****.**"),
        self._mock_oauth_adapter("fake_token"),
        provider_name)
    TokenStore.save(linked_user, "fake_refresh_token", datetime.datetime.now(), "*****@*****.**", provider_name)

    # Seed the datastore with a key that is valid for another five days and carries no update lock.
    account_key = vending_machine._fence_service_account_key(linked_user)
    FenceServiceAccount(
        key_json=key_json,
        expires_at=datetime.datetime.now() + datetime.timedelta(days=5),
        update_lock_timeout=None,
        key=account_key).put()

    def cached_for_caller():
        return memcache.get(namespace=provider_name, key=caller)

    self.assertIsNone(cached_for_caller())
    served_json = vending_machine.get_service_account_key_json(
        UserInfo(caller, "*****@*****.**", "fake_token_too", 10))
    self.assertEqual(key_json, served_json)
    self.assertIsNotNone(cached_for_caller())