go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/tokenserver/appengine/impl/machinetoken/rpc_mint_machine_token_test.go

go.chromium.org/luci@v0.0.0-20240309015107-7cdc2e660f33/tokenserver/appengine/impl/machinetoken/rpc_mint_machine_token_test.go (about)

     1  // Copyright 2016 The LUCI Authors.
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //      http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package machinetoken
    16  
    17  import (
    18  	"context"
    19  	"crypto/x509"
    20  	"math/big"
    21  	"net"
    22  	"testing"
    23  	"time"
    24  
    25  	"google.golang.org/protobuf/types/known/timestamppb"
    26  
    27  	"go.chromium.org/luci/common/clock"
    28  	"go.chromium.org/luci/server/auth"
    29  	"go.chromium.org/luci/server/auth/authtest"
    30  
    31  	tokenserver "go.chromium.org/luci/tokenserver/api"
    32  	"go.chromium.org/luci/tokenserver/api/admin/v1"
    33  	"go.chromium.org/luci/tokenserver/api/minter/v1"
    34  	"go.chromium.org/luci/tokenserver/appengine/impl/certconfig"
    35  
    36  	. "github.com/smartystreets/goconvey/convey"
    37  
    38  	. "go.chromium.org/luci/common/testing/assertions"
    39  )
    40  
    41  func TestMintMachineTokenRPC(t *testing.T) {
    42  	t.Parallel()
    43  
    44  	Convey("Successful RPC", t, func() {
    45  		ctx := auth.WithState(testingContext(testingCA), &authtest.FakeState{
    46  			PeerIPOverride: net.ParseIP("127.10.10.10"),
    47  		})
    48  		signer := testingSigner()
    49  
    50  		var loggedInfo *MintedTokenInfo
    51  		impl := MintMachineTokenRPC{
    52  			Signer: signer,
    53  			CheckCertificate: func(_ context.Context, cert *x509.Certificate) (*certconfig.CA, error) {
    54  				return &testingCA, nil
    55  			},
    56  			LogToken: func(c context.Context, info *MintedTokenInfo) error {
    57  				loggedInfo = info
    58  				return nil
    59  			},
    60  		}
    61  
    62  		resp, err := impl.MintMachineToken(ctx, testingMachineTokenRequest(ctx))
    63  		So(err, ShouldBeNil)
    64  		So(resp, ShouldResembleProto, &minter.MintMachineTokenResponse{
    65  			ServiceVersion: "unit-tests/mocked-ver",
    66  			TokenResponse: &minter.MachineTokenResponse{
    67  				ServiceVersion: "unit-tests/mocked-ver",
    68  				TokenType: &minter.MachineTokenResponse_LuciMachineToken{
    69  					LuciMachineToken: &minter.LuciMachineToken{
    70  						MachineToken: testingMachineToken(ctx, signer),
    71  						Expiry:       timestamppb.New(clock.Now(ctx).Add(time.Hour)),
    72  					},
    73  				},
    74  			},
    75  		})
    76  
    77  		So(loggedInfo.TokenBody, ShouldResembleProto, &tokenserver.MachineTokenBody{
    78  			MachineFqdn: "luci-token-server-test-1.fake.domain",
    79  			IssuedBy:    "signer@testing.host",
    80  			IssuedAt:    1422936306,
    81  			Lifetime:    3600,
    82  			CaId:        123,
    83  			CertSn:      big.NewInt(4096).Bytes(),
    84  		})
    85  		So(loggedInfo.Request, ShouldResembleProto, testingRawRequest(ctx))
    86  		So(loggedInfo.Response, ShouldResembleProto, resp.TokenResponse)
    87  		So(loggedInfo.CA, ShouldEqual, &testingCA)
    88  		So(loggedInfo.PeerIP, ShouldResemble, net.ParseIP("127.10.10.10"))
    89  		So(loggedInfo.RequestID, ShouldEqual, testingRequestID.String())
    90  	})
    91  
    92  	Convey("Unsuccessful RPC", t, func() {
    93  		// Modify testing CA to have no domains listed.
    94  		testingCA2 := certconfig.CA{
    95  			CN: "Fake CA: fake.ca",
    96  			ParsedConfig: &admin.CertificateAuthorityConfig{
    97  				UniqueId: 123,
    98  			},
    99  		}
   100  		ctx := auth.WithState(testingContext(testingCA2), &authtest.FakeState{
   101  			PeerIPOverride: net.ParseIP("127.10.10.10"),
   102  		})
   103  
   104  		impl := MintMachineTokenRPC{
   105  			Signer: testingSigner(),
   106  			CheckCertificate: func(_ context.Context, cert *x509.Certificate) (*certconfig.CA, error) {
   107  				return &testingCA2, nil
   108  			},
   109  			LogToken: func(c context.Context, info *MintedTokenInfo) error {
   110  				panic("must not be called") // we log only successfully generated tokens
   111  			},
   112  		}
   113  
   114  		// This request is structurally valid, but forbidden by CA config. It
   115  		// generates MintMachineTokenResponse with non-zero error code.
   116  		resp, err := impl.MintMachineToken(ctx, testingMachineTokenRequest(ctx))
   117  		So(err, ShouldBeNil)
   118  		So(resp, ShouldResembleProto, &minter.MintMachineTokenResponse{
   119  			ServiceVersion: "unit-tests/mocked-ver",
   120  			ErrorCode:      minter.ErrorCode_BAD_TOKEN_ARGUMENTS,
   121  			ErrorMessage:   `the domain "fake.domain" is not listed in the config`,
   122  		})
   123  	})
   124  }