
     1  // Copyright 2016 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package delegation
    16  
    17  import (
    18  	"context"
    19  	"encoding/base64"
    20  	"testing"
    21  
    22  	"google.golang.org/protobuf/proto"
    23  
    24  	"go.chromium.org/luci/server/auth/delegation/messages"
    25  	"go.chromium.org/luci/server/auth/signing"
    26  	"go.chromium.org/luci/server/auth/signing/signingtest"
    27  
    28  	. "github.com/smartystreets/goconvey/convey"
    29  	. "go.chromium.org/luci/common/testing/assertions"
    30  )
    31  
// TestSignToken round-trips a Subtoken through SignToken and checks that
// the resulting envelope carries the expected signer identity and key id,
// and that the embedded subtoken survives serialization unchanged.
func TestSignToken(t *testing.T) {
	Convey("Works", t, func() {
		ctx := context.Background()

		// Test signer with a fixed, deterministic key; its identity is what
		// SignToken is expected to record as SignerId.
		signer := signingtest.NewSigner(&signing.ServiceInfo{
			ServiceAccountName: "service@example.com",
		})

		subtoken := &messages.Subtoken{
			DelegatedIdentity: "user:delegated@example.com",
			RequestorIdentity: "user:requestor@example.com",
			CreationTime:      1477624966,
			ValidityDuration:  3600,
			Audience:          []string{"*"},
			Services:          []string{"*"},
		}

		tok, err := SignToken(ctx, signer, subtoken)
		So(err, ShouldBeNil)
		// The encoding is deterministic for this fixed input and key, so the
		// length pins the wire format.
		So(tok, ShouldHaveLength, 276)

		// deserializeForTest verifies the signature before decoding the
		// subtoken, so a nil error here also means the signature checked out.
		envelope, decoded, err := deserializeForTest(ctx, tok, signer)
		So(err, ShouldBeNil)
		So(decoded, ShouldResembleProto, subtoken)

		// Compare only the metadata fields; the signature and serialized
		// payload were already validated by deserializeForTest.
		envelope.Pkcs1Sha256Sig = nil
		envelope.SerializedSubtoken = nil
		expected := &messages.DelegationToken{
			SignerId:     "user:service@example.com",
			SigningKeyId: signer.KeyNameForTest(),
		}
		So(envelope, ShouldResembleProto, expected)
	})
}
    64  
// deserializeForTest decodes a base64url-encoded delegation token, verifies
// the envelope signature against the signer's certificates, and only then
// unmarshals the embedded subtoken.
//
// It returns the envelope, the decoded subtoken, and an error if any step
// fails (bad base64, malformed protobuf, certificate lookup failure, or a
// signature that does not verify). On error both returned messages are nil.
func deserializeForTest(c context.Context, tok string, signer signing.Signer) (*messages.DelegationToken, *messages.Subtoken, error) {
	raw, err := base64.RawURLEncoding.DecodeString(tok)
	if err != nil {
		return nil, nil, err
	}

	envelope := &messages.DelegationToken{}
	if err := proto.Unmarshal(raw, envelope); err != nil {
		return nil, nil, err
	}

	certs, err := signer.Certificates(c)
	if err != nil {
		return nil, nil, err
	}

	// Verify the signature over the serialized subtoken bytes before
	// interpreting them, so an unsigned or tampered payload is never decoded.
	if err := certs.CheckSignature(envelope.SigningKeyId, envelope.SerializedSubtoken, envelope.Pkcs1Sha256Sig); err != nil {
		return nil, nil, err
	}

	sub := &messages.Subtoken{}
	if err := proto.Unmarshal(envelope.SerializedSubtoken, sub); err != nil {
		return nil, nil, err
	}
	return envelope, sub, nil
}