go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/tokenserver/appengine/impl/delegation/rpc_inspect_delegation_token_test.go

go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/tokenserver/appengine/impl/delegation/rpc_inspect_delegation_token_test.go (about)

     1  // Copyright 2016 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package delegation
    16  
    17  import (
    18  	"context"
    19  	"encoding/base64"
    20  	"testing"
    21  	"time"
    22  
    23  	"google.golang.org/protobuf/proto"
    24  
    25  	"go.chromium.org/luci/common/clock"
    26  	"go.chromium.org/luci/common/clock/testclock"
    27  	"go.chromium.org/luci/server/auth/delegation/messages"
    28  	"go.chromium.org/luci/server/auth/signing"
    29  	"go.chromium.org/luci/server/auth/signing/signingtest"
    30  
    31  	admin "go.chromium.org/luci/tokenserver/api/admin/v1"
    32  
    33  	. "github.com/smartystreets/goconvey/convey"
    34  	. "go.chromium.org/luci/common/testing/assertions"
    35  )
    36  
    37  func TestInspectDelegationToken(t *testing.T) {
    38  	ctx := context.Background()
    39  	ctx, tc := testclock.UseTime(ctx, testclock.TestTimeUTC)
    40  
    41  	signer := signingtest.NewSigner(&signing.ServiceInfo{
    42  		ServiceAccountName: "service@example.com",
    43  	})
    44  	rpc := InspectDelegationTokenRPC{
    45  		Signer: signer,
    46  	}
    47  
    48  	original := &messages.Subtoken{
    49  		DelegatedIdentity: "user:delegated@example.com",
    50  		RequestorIdentity: "user:requestor@example.com",
    51  		CreationTime:      clock.Now(ctx).Unix(),
    52  		ValidityDuration:  3600,
    53  		Audience:          []string{"*"},
    54  		Services:          []string{"*"},
    55  	}
    56  
    57  	tok, _ := SignToken(ctx, rpc.Signer, original)
    58  
    59  	Convey("Happy path", t, func() {
    60  		resp, err := rpc.InspectDelegationToken(ctx, &admin.InspectDelegationTokenRequest{
    61  			Token: tok,
    62  		})
    63  		So(err, ShouldBeNil)
    64  
    65  		resp.Envelope.Pkcs1Sha256Sig = nil
    66  		resp.Envelope.SerializedSubtoken = nil
    67  		So(resp, ShouldResembleProto, &admin.InspectDelegationTokenResponse{
    68  			Valid:      true,
    69  			Signed:     true,
    70  			NonExpired: true,
    71  			Envelope: &messages.DelegationToken{
    72  				SignerId:     "user:service@example.com",
    73  				SigningKeyId: signer.KeyNameForTest(),
    74  			},
    75  			Subtoken: original,
    76  		})
    77  	})
    78  
    79  	Convey("Not base64", t, func() {
    80  		resp, err := rpc.InspectDelegationToken(ctx, &admin.InspectDelegationTokenRequest{
    81  			Token: "@@@@@@@@@@@@@",
    82  		})
    83  		So(err, ShouldBeNil)
    84  		So(resp, ShouldResembleProto, &admin.InspectDelegationTokenResponse{
    85  			InvalidityReason: "not base64 - illegal base64 data at input byte 0",
    86  		})
    87  	})
    88  
    89  	Convey("Not valid envelope proto", t, func() {
    90  		resp, err := rpc.InspectDelegationToken(ctx, &admin.InspectDelegationTokenRequest{
    91  			Token: "zzzz",
    92  		})
    93  		So(err, ShouldBeNil)
    94  		So(resp.InvalidityReason, ShouldStartWith, "can't unmarshal the envelope - proto")
    95  	})
    96  
    97  	Convey("Bad signature", t, func() {
    98  		env, _, _ := deserializeForTest(ctx, tok, rpc.Signer)
    99  		env.Pkcs1Sha256Sig = []byte("lalala")
   100  		blob, _ := proto.Marshal(env)
   101  		tok := base64.RawURLEncoding.EncodeToString(blob)
   102  
   103  		resp, err := rpc.InspectDelegationToken(ctx, &admin.InspectDelegationTokenRequest{
   104  			Token: tok,
   105  		})
   106  		So(err, ShouldBeNil)
   107  
   108  		resp.Envelope.Pkcs1Sha256Sig = nil
   109  		resp.Envelope.SerializedSubtoken = nil
   110  		So(resp, ShouldResembleProto, &admin.InspectDelegationTokenResponse{
   111  			Valid:            false,
   112  			InvalidityReason: "bad signature - crypto/rsa: verification error",
   113  			Signed:           false,
   114  			NonExpired:       true,
   115  			Envelope: &messages.DelegationToken{
   116  				SignerId:     "user:service@example.com",
   117  				SigningKeyId: signer.KeyNameForTest(),
   118  			},
   119  			Subtoken: original,
   120  		})
   121  	})
   122  
   123  	Convey("Expired", t, func() {
   124  		tc.Add(2 * time.Hour)
   125  
   126  		resp, err := rpc.InspectDelegationToken(ctx, &admin.InspectDelegationTokenRequest{
   127  			Token: tok,
   128  		})
   129  		So(err, ShouldBeNil)
   130  
   131  		resp.Envelope.Pkcs1Sha256Sig = nil
   132  		resp.Envelope.SerializedSubtoken = nil
   133  		So(resp, ShouldResembleProto, &admin.InspectDelegationTokenResponse{
   134  			Valid:            false,
   135  			InvalidityReason: "expired",
   136  			Signed:           true,
   137  			NonExpired:       false,
   138  			Envelope: &messages.DelegationToken{
   139  				SignerId:     "user:service@example.com",
   140  				SigningKeyId: signer.KeyNameForTest(),
   141  			},
   142  			Subtoken: original,
   143  		})
   144  	})
   145  }