// Copyright 2016 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
//      http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.

package machinetoken

// This file contains common mocks used by unit tests.

import (
	"context"
	"crypto"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"time"

	"go.opentelemetry.io/otel/trace"
	"google.golang.org/protobuf/proto"
	"google.golang.org/protobuf/types/known/timestamppb"

	"go.chromium.org/luci/appengine/gaetesting"
	"go.chromium.org/luci/common/clock"
	"go.chromium.org/luci/common/clock/testclock"
	ds "go.chromium.org/luci/gae/service/datastore"
	"go.chromium.org/luci/server/auth/signing"
	"go.chromium.org/luci/server/auth/signing/signingtest"

	tokenserver "go.chromium.org/luci/tokenserver/api"
	admin "go.chromium.org/luci/tokenserver/api/admin/v1"
	minter "go.chromium.org/luci/tokenserver/api/minter/v1"
	"go.chromium.org/luci/tokenserver/appengine/impl/certconfig"
)

// pkey is a throwaway PKCS#1 RSA private key, checked in on purpose so the
// tests below can sign canned machine token requests (see
// testingMachineTokenRequest). It is test-only and must not be reused
// elsewhere. NOTE(review): it is presumably the key pair of certWithCN, since
// that is the cert the signed requests carry — confirm by comparing the
// public keys.
const pkey = `-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEAvc6v42I4badqYA+IF9dMB838Q2l2IflSpA8xSC5O7XrDwa1R
YCqPq+MOIIaMUgqBMJz0OmNyQkbtRLq3Qu4Q44UIbdqyy34rj7kcw/9t/K9x+2ne
Phx0tfdz+5Lj6UiRRI7FRCi9cs+mgSQquCDaBW8J5l3lCZEne8fpHPO3Hxl+dkUX
0Y8T2ZCsn19hnV7Z7wbfN1dUuRihXD+UwN2axoqZ0EJ2GNSLYAz3HHkKc6ELM1Lx
biOD9Jxw8wb+5VnpIuR3l426Fcux9EQGewLZFTxjRS7DRPL/9L0xE+yRJ/I04UyJ
v4Ws98fYp/vAM922Wt21P9Py6vgn+Xjyz2AoyQIDAQABAoIBABKQhq+Mycwf1c2z
dzItwqf4w7WsOPu1sRmOytkuflXH7iGhXBY103uSZ61Su6LCmEQy9chINcK5wTc5
s/b95fT67Aoim94/Zu9VwbSB5TYTyug2QKB+lAPAQj3W7ifBC0RTWoQCIBV8reJv
sSX1QJ3LcIJxqJc49U2sDebhB4YpAv7xmy4IfpqX+0iURtXrgBmp0hWKTQb7kRdG
BycDU9/AadgkI1PEhRdbfJ4VHFKxkeSRwPyp1UKvzydfe7Nw2HWlflEH4fZCc29x
AM52K5zN/7ns/xEz9XPOUG0/pBcXeQNA5rbTGoZrhQda/aBWbI9TYGWh7XZFvx5y
vZ/xlckCgYEA6ULnJYn+DDUfa1eKwYsYvzf82pbfBvrpTsIKi9h0CWy7GltYuSJk
6yt6pzEmAeV+eY6/F8pPxN0TTZHQAVcRHiMbazmLiaLUeuZCvIZwU54ttyENC2+k
fLUlt3a5eiPKBZEPGx++HuESWVY0LYk8hcg9koc4+AIsiifXz9kgzRcCgYEA0E9h
Dn1qWEXYxzV6Efcux62d9P8vwRx+ZWtbCdMleosVAWQ4RtS8HKfjYvJdPcKJlaGO
b7VyYbJzayPs0skhayEYXajDhwcykxNCYJTXxSqh3Hf4yEeRLquDLW468a9tRc8q
Q2wv+lav7ZeW+Db35fq0mEHRaUn0iXFiq9c1JR8CgYEA16ocrk98TGsdRpCk4Lcr
RTiNlsihIgIAjenH+G5DMqeOAhts15beObR0bXp6ioxVuCvrsCJESF6iRzjGWUbX
s8Z/xk5pHfMngw27rDScTCNWXxe2yNkK+qY9XffuGuhWE3l/vvNFQ6WS4nhaO7PD
+mkdzIkredoAtieKWEiHFDcCgYBQetqcpoe3owSlslt/JWjFbKZiSVVB3qhWtqtt
mE4akjGDYBz+AKLMz3BighDUE5zkWo6VShzu8er1seOFbH+kzByF0vX37Sf0+rPi
bJ8QZfAzJYbQmhXVWh5MJxJO3d/x4KALfHjs1yERQkfpjhMonzu2t3cYnqIDl/Lv
QS4fMQKBgFx5masOJqHNx/HDOLtOvO8MeKbZgb2wzrBteJBs/KyFjP4fzZZseiVV
67XuwVxrLup7KzUaHK8PysA+ZgiT4ZlvyX+J+pFZA2XPtKTKCA3bKYtIG2JF5W1v
uHXl2FV53+kI2rF188v3jbuUhK0FrsUEXpN8C+dotMMLCLakbNXP
-----END RSA PRIVATE KEY-----`

// Cert for luci-token-server-test-1.fake.domain. Signed by 'Fake CA: fake.ca'.
// The issuer CN is the same string testingCA.CN carries, so this is the cert
// the happy-path tests mint tokens for.
const certWithCN = `-----BEGIN CERTIFICATE-----
MIIEFjCCAv6gAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwYDELMAkGA1UEBhMCVVMx
EzARBgNVBAgMCkNhbGlmb3JuaWExDTALBgNVBAcMBEJsYWgxEjAQBgNVBAoMCVN0
dWZmIEluYzEZMBcGA1UEAwwQRmFrZSBDQTogZmFrZS5jYTAeFw0xNjA0MDkwNDIx
MTJaFw0xNzA0MTkwNDIxMTJaMHQxCzAJBgNVBAYTAlVTMRMwEQYDVQQIDApDYWxp
Zm9ybmlhMQ0wCwYDVQQHDARCbGFoMRIwEAYDVQQKDAlTdHVmZiBJbmMxLTArBgNV
BAMMJGx1Y2ktdG9rZW4tc2VydmVyLXRlc3QtMS5mYWtlLmRvbWFpbjCCASIwDQYJ
KoZIhvcNAQEBBQADggEPADCCAQoCggEBAL3Or+NiOG2namAPiBfXTAfN/ENpdiH5
UqQPMUguTu16w8GtUWAqj6vjDiCGjFIKgTCc9DpjckJG7US6t0LuEOOFCG3asst+
K4+5HMP/bfyvcftp3j4cdLX3c/uS4+lIkUSOxUQovXLPpoEkKrgg2gVvCeZd5QmR
J3vH6Rzztx8ZfnZFF9GPE9mQrJ9fYZ1e2e8G3zdXVLkYoVw/lMDdmsaKmdBCdhjU
i2AM9xx5CnOhCzNS8W4jg/SccPMG/uVZ6SLkd5eNuhXLsfREBnsC2RU8Y0Uuw0Ty
//S9MRPskSfyNOFMib+FrPfH2Kf7wDPdtlrdtT/T8ur4J/l48s9gKMkCAwEAAaOB
xTCBwjAJBgNVHRMEAjAAMBEGCWCGSAGG+EIBAQQEAwIFoDAzBglghkgBhvhCAQ0E
JhYkT3BlblNTTCBHZW5lcmF0ZWQgQ2xpZW50IENlcnRpZmljYXRlMB0GA1UdDgQW
BBQf/Xtn7MQpybujv9/54DxdiNDKFzAfBgNVHSMEGDAWgBRhO7licgHsGIwDmWmP
zL+oymoPHjAOBgNVHQ8BAf8EBAMCBeAwHQYDVR0lBBYwFAYIKwYBBQUHAwIGCCsG
AQUFBwMEMA0GCSqGSIb3DQEBCwUAA4IBAQA9YXLIMwJbfQMMpTxPZLQoiqbG0fPB
xuSBGNYd/US6NIWLOg/v5tfN2GB+RAuB1Rz12eS+TmN7+A/lfNx0dFYwcfeOz05g
jQMwgUDmlnicMqENd0pswccS/mci215addFq6Wknti+To+TST0Ci5zmIt2fbBjmI
VRAWsPfLInwtW94S54UF38n2gp3iXizQLG2urSqotPsWIiyO+f2M3Q2ki3fDzimj
EyA+GFsGD6l0nQUySNyk2xE4S5CHOyLG0qWOsaJsEkTMnN+lrUh1bLUcI3bvVpVP
uwi+mmV6pbwEPKYNHpxHXSbEFnWwnZm1OtM28sP9O0D94XzRq2OfWiiD
-----END CERTIFICATE-----`

// Cert for CN=fuchsia-debian-dev-141242e1-us-central1-f-0psd with SAN
// DNS:fuchsia-debian-dev-141242e1-us-central1-f-0psd.c.fuchsia-infra.internal
// Signed by 'Fuchsia Infra CA'.
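const certWithSAN = `
-----BEGIN CERTIFICATE-----
MIIFuTCCA6GgAwIBAgIJAJZJwMfxXGrnMA0GCSqGSIb3DQEBCwUAMBsxGTAXBgNV
BAMMEEZ1Y2hzaWEgSW5mcmEgQ0EwHhcNMTcwODE2MDEyNTEwWhcNMTcxMTE0MDEy
NTEwWjA5MTcwNQYDVQQDDC5mdWNoc2lhLWRlYmlhbi1kZXYtMTQxMjQyZTEtdXMt
Y2VudHJhbDEtZi0wcHNkMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA
z4pB9PB50ULz3rSDcksN4ZWJv0p5+DqKNxkBVcoqULNFDsD3I+zoOJn8EZgdNRD6
xAiFigQkZUOLgIYmDDmlWJdfPJM4Q9pWLPwq+ukqlWSA6WsoAJFLnzqjZSlQ3hKw
pyHgkQy3Y80Z4pxmlbKpDqpyiJpacoKGx0en8IYOf+dwu3d37b9jGftAbIDZqTdP
Cvfp5Z9m+LcDN/jFyL2cgvPDdrtskpKbIZy/80+Fh8MPLs/F327edEVEWv7cfvnP
RX0Y8tthdHNXEVDT/akzT2kRQBjiOGMhjNocau4po4+KU4lMBKvpWdg6ar0nZTBX
Rw4bRyYtIa71kSsJFCXO7+ljfyF8RVfZjb9CwNc1VWCzmPdQX7aJf0jgnbffU9oH
PAIJf9pSvFmrs3CyFz7QQGkLzvcLm5P2YDgG3IGRncyTTLuqkBtlkmGti1nM3iPP
rIyOeib1b7xl49AqsATFjk9GbfVHEVOx6EbpIWKi5I7fVTK8ax7kmE5heCUJ+nc2
HS+c/DaoGiPoly+7SuYTaFTeFaBKpZbS2JaqxwccHjLC02IgwoLFQrkaG4O+zZbG
HovdR+hQT1Bv1JYl7h7ztcyH+Xi0xwA0URLMqu+CGG17sHpYJLpus3OPXqGIeQiK
SWLMRF9EK99rO6fz/+8+DxYEJ2pmT/9fxLXGwKG/T9UCAwEAAaOB4TCB3jAMBgNV
HRMBAf8EAjAAMA4GA1UdDwEB/wQEAwIFIDAdBgNVHQ4EFgQU5NmocyuT3c+0v4S5
j8CUmRPzAqkwSwYDVR0jBEQwQoAUrQ+P1nNDqPCBSDtc4j6RkCgl/AqhH6QdMBsx
GTAXBgNVBAMMEEZ1Y2hzaWEgSW5mcmEgQ0GCCQCNC1KbQTIWhTBSBgNVHREESzBJ
gkdmdWNoc2lhLWRlYmlhbi1kZXYtMTQxMjQyZTEtdXMtY2VudHJhbDEtZi0wcHNk
LmMuZnVjaHNpYS1pbmZyYS5pbnRlcm5hbDANBgkqhkiG9w0BAQsFAAOCAgEAWFUw
2ncqnGKp4qmLmjS3E0C9CwAIciky2Vunb7Sb9AMnu5cCdiTLudQkoLwy80t0Y1TV
mEfGXn1Amt+B65X4TyRRSqFbDqLgUAb+0YX99f+mB9MKxaDDLPX8i3m3NLXd4che
OBRfeGY2kCE04svzA0t+Dy80jQENqu7a22tX5BFKSPTCEnNXXTH0X227vhwausTM
ngv10lsxNqxt0LimxB2gPjMms58fDEwUx1tj2k4BJmgfe2OW8lPqKXzXOOe8NI5k
5utCtd3aWdFRuJhpduUMdEQG920Cmb8PT6OeGrDdSV0nCmzG+fPy8O7sLzFlKsgQ
bX6YZX9f87k423gQZ7DP4Ic8t/1a30njZf+tBrABkr1kPDGajQjXK8MxtaTstn1A
jKeva9iI0QGECiwYfXKVJLDh9NYdD8QTzgMh2cWPNaPUJAvhe11gkH2+j6SE68YJ
ZtHVYstruzpnSdv/EjpcU7VvfOGBvjruksjCPkL09+EnH0hrw2BIOnEXA7gXhQV+
/qew6kPTNHlWNJHXXMrbZbWlBWjYZQcaqXcCBWHujMHy2P4RH9zMCiLE6uHHc3mL
q07s6UiAqamPwRd1A5OffPEvchkbKSaOOLPICpYu5Qg2LrZ0IAFS3r5y+5EXOJLV
3SsvIZgCBTBX8gzpcssCjvBiJSPUTTiowPE4+MA=
-----END CERTIFICATE-----`

// Cert for CN=proto-chrome-focal.c.chromecompute.google.com.internal with SAN
// DNS:proto-chrome-focal.c.chromecompute.google.com.internal
// Signed by 'Puppet CA: puppet3-g.golo.chromium.org'.
const certWithCNEqualSAN = `
-----BEGIN CERTIFICATE-----
MIIGPTCCBCWgAwIBAgIBDTANBgkqhkiG9w0BAQsFADAxMS8wLQYDVQQDDCZQdXBw
ZXQgQ0E6IHB1cHBldDMtZy5nb2xvLmNocm9taXVtLm9yZzAeFw0yMjA0MTIyMDE2
MjRaFw0yMjA3MTIyMDE2MjRaMEExPzA9BgNVBAMMNnByb3RvLWNocm9tZS1mb2Nh
bC5jLmNocm9tZWNvbXB1dGUuZ29vZ2xlLmNvbS5pbnRlcm5hbDCCAiIwDQYJKoZI
hvcNAQEBBQADggIPADCCAgoCggIBAMOWGfP9ScQgYfiNzmymsVRoPz6dzHw63dXS
GnkIEuIWRlm9XhRlHw26MYoXT7ocmZINwNwModtZU5T2CKKrioi4uLNcF/Rx4UNX
cqyUuYJA3RS+3ceFX6dsPfGdDhq1i0uidIkROIAm+Pqu597vbbtIfzql8yuDcno9
QHfxXz/ELy8ffRilAnynfVUR/3ju/OYvkhcDnXI0IU0Y3z1IAkmLVbQgpLYBjvaX
2SWyoH/NlRJfX0TIPzKUV5GFG0KRP0tEFfNybXO3lfjkkIGvKhUkmGE2oq2jbz2L
t3At1WmUGt8UIOEMcHDzL7GV99HTkI/CnesfKu/oFYQWuocqXnEkWbPwZuswBfjd
WMb9G4YaSp3RTbF61iuju21+WuhLdyHNx18SmPOw0UFmGc4/vosPhy/H3EuyQgmK
mLywl/4F73y+bZJ3+9UyLndCA2msT9HY8GuvRrH4ssL12ykjKE5tjve50+iMz+1b
gD4/JnKVIlISbzLtkGqTMSAiGuU1lrD1fOzTiyeBF9fOcEFRA0hKAFvRJ8Sa8fyw
HYzigJyRf40NQoFZIEQhwmIz/vLVjY2tQe0v+Asc0DNoZ8lvgd6LuoIjSttHObGR
mdTxE3NuT5YXC7K3IQbIQxiPtF6xfBgFWGqiKmv+r7wE1YIrmsEjY+EQbBaEtcTc
X5nq568LAgMBAAGjggFOMIIBSjBBBgNVHREEOjA4gjZwcm90by1jaHJvbWUtZm9j
YWwuYy5jaHJvbWVjb21wdXRlLmdvb2dsZS5jb20uaW50ZXJuYWwwMQYJYIZIAYb4
QgENBCQWIlB1cHBldCBTZXJ2ZXIgSW50ZXJuYWwgQ2VydGlmaWNhdGUwHwYDVR0j
BBgwFoAUc7KkDCXCfVqstU//XdPqLnFMOWMwHQYDVR0OBBYEFLLKi/eiilSnAndc
75Fs8RrcZRenMCQGCysGAQQBgoxMAQECBBUMEzE5MDAyNTI5MzQwNDIxOTQ0ODkw
LAYLKwYBBAGCjEwBAQMEHQwbdWJ1bnR1LTIwMDQtZm9jYWwtdjIwMjIwMzA4MAwG
A1UdEwEB/wQCMAAwIAYDVR0lAQH/BBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMA4G
A1UdDwEB/wQEAwIFoDANBgkqhkiG9w0BAQsFAAOCAgEAg1JEVJ0AO9QYNxzbS0hx
N2delFjEgkmvE+QOC+Y6lAnp7X8Xb1DCJ7Pd06Ru6EaDhwwBAIUuijGsyuFIP+P4
Aq4pT1ihMxdRmEAavc3vZIn/NVu6MoctV+n0teEFCuh+ZYcYPjWrG4wWOviqDA1B
nhjP41YkED+MGMrMkJsU/j+KaNIqtKJnTHIz9hkg79LnzsQ/0yLItUe66TkCUDlS
4gED23+7SL4enbiDIAsklg5WxI38yb9pgcuaYK1bQhDxQy/PI5KcU98cRCAGDw9w
1CA/5IoTAnZX15tXGUFA2ReigzEadYUZZv8feVUeIMfRPdgDDcxIIYcOWJXo3v4G
ooY4xUKCba7rtcBgqHBH9wEpLgvtdpvLDtODUl+ZvyTqGMefSW9UyHGReKsEFgYA
/Hm4+gusu5QEJIHF951BJJVIFJVQhAfdzhGZIOqzhLLPkg2uY0OWCDj8FumIJ1gI
Urj31Vt3EWNHffQV5ybpGf7bn4OdV1rr/0H1gSWi8kD1Xz345KeLG7F4UI3HI+iP
+uc4OKhSSY+3q2X7bCZMEZct11vOLOgNCht4M90OFFReuoxLeUy0UCBK5JxvuoX5
9UTjzTm82CEcEtvpNCk3+png5pyu9P0mL0/E7PgAY/LCO+dQy3R/tm8R6O0lezIt
3vGXKjM3KlJdhtH0acWtirk=
-----END CERTIFICATE-----`

// testingTime is the frozen wall clock that testingContext installs, so that
// IssuedAt timestamps and token lifetimes are reproducible across runs.
var testingTime = time.Date(2015, time.February, 3, 4, 5, 6, 0, time.UTC)

// testingCA is the mocked CA config that testingContext stores in the
// datastore. Its CN is the issuer named on certWithCN ('Fake CA: fake.ca')
// and it lists "fake.domain", the domain of certWithCN's hostname, with a
// one hour machine token lifetime.
var testingCA = certconfig.CA{
	CN: "Fake CA: fake.ca",
	ParsedConfig: &admin.CertificateAuthorityConfig{
		UniqueId: 123,
		KnownDomains: []*admin.DomainConfig{
			{
				Domain:               []string{"fake.domain"},
				MachineTokenLifetime: 3600,
			},
		},
	},
	AddedRev:   "cfg-added-rev",
	UpdatedRev: "cfg-updated-rev",
}

// testingRequestID is the trace ID attached to every context returned by
// testingContext.
var testingRequestID = trace.TraceID{1, 2, 3, 4, 5}

// testingContext returns a GAE testing context with a span carrying
// testingRequestID, a clock frozen at testingTime, and the given CA config
// already in the fake datastore together with its UniqueId→CN mapping and an
// empty CRL.
//
// Every datastore write is checked and panics on failure: a fixture that
// silently failed to store would otherwise surface much later as a confusing
// "unknown CA" or "cert revoked" RPC error in the test that uses it.
func testingContext(ca certconfig.CA) context.Context {
	ctx := gaetesting.TestingContext()
	ctx = trace.ContextWithSpanContext(ctx, trace.NewSpanContext(trace.SpanContextConfig{
		TraceID: testingRequestID,
	}))
	// The returned test clock is not needed by callers; the frozen time is
	// what matters.
	ctx, _ = testclock.UseTime(ctx, testingTime)

	// Put mocked CA config in the datastore.
	if err := ds.Put(ctx, &ca); err != nil {
		panic(err)
	}
	// The minter resolves a CA by the UniqueId embedded in tokens, so the
	// mapping must exist for the CA above to be found.
	err := certconfig.StoreCAUniqueIDToCNMap(ctx, map[int64]string{
		ca.ParsedConfig.UniqueId: ca.CN,
	})
	if err != nil {
		panic(err)
	}
	// An empty CRL: nothing is revoked unless a test explicitly says so.
	if err := certconfig.UpdateCRLSet(ctx, ca.CN, certconfig.CRLShardCount, &pkix.CertificateList{}); err != nil {
		panic(err)
	}

	return ctx
}

// testingSigner returns a fake signer that mints tokens on behalf of
// "signer@testing.host" with a fixed app ID and version, so signed outputs
// are stable across runs.
func testingSigner() *signingtest.Signer {
	return signingtest.NewSigner(&signing.ServiceInfo{
		ServiceAccountName: "signer@testing.host",
		AppID:              "unit-tests",
		AppVersion:         "mocked-ver",
	})
}

// testingRawRequest is a canned request for a machine token before it is
// serialized and signed. It carries certWithCN (DER), asks for SHA256-RSA
// verification of the outer signature, and stamps IssuedAt from the context's
// clock (testingTime when ctx came from testingContext).
func testingRawRequest(ctx context.Context) *minter.MachineTokenRequest {
	return &minter.MachineTokenRequest{
		Certificate:        getTestCertDER(certWithCN),
		SignatureAlgorithm: minter.SignatureAlgorithm_SHA256_RSA_ALGO,
		IssuedAt:           timestamppb.New(clock.Now(ctx)),
		TokenType:          tokenserver.MachineTokenType_LUCI_MACHINE_TOKEN,
	}
}

// testingMachineTokenRequest is a canned request to the MintMachineToken RPC:
// testingRawRequest serialized and signed with pkey.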
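func testingMachineTokenRequest(ctx context.Context) *minter.MintMachineTokenRequest {
	serialized, err := proto.Marshal(testingRawRequest(ctx))
	if err != nil {
		panic(err)
	}
	// The outer signature covers the SHA-256 digest of the serialized request.
	// A nil rand is fine here: Sign with a plain crypto.Hash as opts selects
	// PKCS#1 v1.5, which is deterministic and needs no randomness.
	digest := sha256.Sum256(serialized)
	signature, err := getTestPrivateKey().Sign(nil, digest[:], crypto.SHA256)
	if err != nil {
		panic(err)
	}
	return &minter.MintMachineTokenRequest{
		SerializedTokenRequest: serialized,
		Signature:              signature,
	}
}

// testingMachineToken mints a machine token for certWithCN under the
// testingCA config with the given signer and returns the token string.
// It panics if minting fails, since callers use the result as a fixture.
func testingMachineToken(ctx context.Context, signer signing.Signer) string {
	_, tok, err := Mint(ctx, &MintParams{
		Cert:   getTestCert(certWithCN),
		Config: testingCA.ParsedConfig,
		Signer: signer,
	})
	if err != nil {
		panic(err)
	}
	return tok
}

// getTestPrivateKey parses pkey as a PKCS#1 RSA private key. It panics if the
// constant holds no PEM block or the DER inside is not a valid key.
func getTestPrivateKey() *rsa.PrivateKey {
	key, err := x509.ParsePKCS1PrivateKey(mustDecodePEM(pkey))
	if err != nil {
		panic(err)
	}
	return key
}

// getTestCert parses one of the PEM certificate constants in this file into
// an *x509.Certificate, panicking on malformed input.
func getTestCert(cert string) *x509.Certificate {
	crt, err := x509.ParseCertificate(getTestCertDER(cert))
	if err != nil {
		panic(err)
	}
	return crt
}

// getTestCertDER returns the DER bytes of the first PEM block in cert.
// It panics if cert contains no PEM block at all.
func getTestCertDER(cert string) []byte {
	return mustDecodePEM(cert)
}

// mustDecodePEM returns the payload of the first PEM block in s.
//
// pem.Decode reports "no block found" with a nil *pem.Block rather than an
// error; without this check a typo in a fixture constant would surface as an
// opaque nil pointer dereference instead of a message naming the cause.
func mustDecodePEM(s string) []byte {
	block, _ := pem.Decode([]byte(s))
	if block == nil {
		panic("test fixture: no PEM block found")
	}
	return block.Bytes
}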