macaroons: add utilities for constraint tests

This commit is contained in:
whythat 2017-09-22 09:35:47 +03:00 committed by Oliver Gugger
parent a2f900ec2d
commit 04f4dbe639

@ -1,6 +1,8 @@
package macaroons package macaroons
import ( import (
"errors"
"fmt"
"testing" "testing"
"time" "time"
@ -9,86 +11,99 @@ import (
macaroon "gopkg.in/macaroon.v1" macaroon "gopkg.in/macaroon.v1"
) )
func TestAllowConstraint(t *testing.T) { type macError struct {
message string
}
func (err macError) Error() string {
return err.message
}
func testConstraint(constraint Constraint, ok checkers.Checker,
failFn func() checkers.Checker) error {
macParams := bakery.NewServiceParams{} macParams := bakery.NewServiceParams{}
svc, err := bakery.NewService(macParams) svc, err := bakery.NewService(macParams)
if err != nil { if err != nil {
t.Fatalf("Failed to create a new service") return errors.New("Failed to create a new service")
} }
mac, err := svc.NewMacaroon("", nil, nil) mac, err := svc.NewMacaroon("", nil, nil)
if err != nil { if err != nil {
t.Fatalf("Failed to create a new macaroon") return errors.New("Failed to create a new macaroon")
} }
constraint := AllowConstraint("op1", "op2", "op4")
mac, err = AddConstraints(mac, constraint) mac, err = AddConstraints(mac, constraint)
if err != nil { if err != nil {
t.Fatalf("Failed to add macaroon constraint") return errors.New("Failed to add macaroon constraint")
} }
checker := checkers.New(AllowChecker("op1")) okChecker := checkers.New(ok)
if err := svc.Check(macaroon.Slice{mac}, checker); err != nil { if err := svc.Check(macaroon.Slice{mac}, okChecker); err != nil {
t.Fatalf("Allowed operation failed macaroon check") msg := "Correct checker failed: %v"
return macError{fmt.Sprintf(msg, ok)}
} }
checker = checkers.New(AllowChecker("op3")) fail := failFn()
if err := svc.Check(macaroon.Slice{mac}, checker); err == nil { failChecker := checkers.New(fail)
t.Fatalf("Disallowed operation passed macaroon check") if err := svc.Check(macaroon.Slice{mac}, failChecker); err == nil {
msg := "Incorrect checker succeeded: %v"
return macError{fmt.Sprintf(msg, fail)}
}
return nil
}
func TestAllowConstraint(t *testing.T) {
if err := testConstraint(
AllowConstraint("op1", "op2", "op4"),
AllowChecker("op1"),
func() checkers.Checker {
return AllowChecker("op3")
},
); err != nil {
t.Fatalf(err.Error())
} }
} }
func TestTimeoutConstraint(t *testing.T) { func TestTimeoutConstraint(t *testing.T) {
macParams := bakery.NewServiceParams{} if err := testConstraint(
svc, err := bakery.NewService(macParams) TimeoutConstraint(1),
if err != nil { TimeoutChecker(),
t.Fatalf("Failed to create a new service") func() checkers.Checker {
} time.Sleep(time.Second)
mac, err := svc.NewMacaroon("", nil, nil) return TimeoutChecker()
if err != nil { },
t.Fatalf("Failed to create a new macaroon") ); err != nil {
} t.Fatalf(err.Error())
constraint := TimeoutConstraint(1)
mac, err = AddConstraints(mac, constraint)
if err != nil {
t.Fatalf("Failed to add macaroon constraint")
}
checker := checkers.New(TimeoutChecker())
if err := svc.Check(macaroon.Slice{mac}, checker); err != nil {
t.Fatalf("Timeout check failed within timeframe")
}
time.Sleep(time.Second)
if err := svc.Check(macaroon.Slice{mac}, checker); err == nil {
t.Fatalf("Timeout check passed for an expired timeout")
} }
} }
func TestIPLockConstraint(t *testing.T) { func TestIPLockConstraint(t *testing.T) {
macParams := bakery.NewServiceParams{} if err := testConstraint(
svc, err := bakery.NewService(macParams) IPLockConstraint("127.0.0.1"),
if err != nil { IPLockChecker("127.0.0.1"),
t.Fatalf("Failed to create a new service") func() checkers.Checker {
} return IPLockChecker("0.0.0.0")
mac, err := svc.NewMacaroon("", nil, nil) },
if err != nil { ); err != nil {
t.Fatalf("Failed to create a new macaroon") t.Fatalf(err.Error())
} }
}
constraint := IPLockConstraint("127.0.0.1")
mac, err = AddConstraints(mac, constraint) func TestIPLockEmptyIP(t *testing.T) {
if err != nil { if err := testConstraint(
t.Fatalf("Failed to add macaroon constraint") IPLockConstraint(""),
} IPLockChecker("127.0.0.1"),
func() checkers.Checker {
checker := checkers.New(IPLockChecker("127.0.0.1")) return IPLockChecker("0.0.0.0")
if err := svc.Check(macaroon.Slice{mac}, checker); err != nil { },
t.Fatalf("IPLock for the same IP failed the test") ); err != nil {
} if _, ok := err.(macError); !ok {
t.Fatalf("IPLock with an empty IP should always pass")
checker = checkers.New(IPLockChecker("0.0.0.0")) }
if err := svc.Check(macaroon.Slice{mac}, checker); err == nil { }
t.Fatalf("IPLock for a different IP passed the test") }
func TestIPLockBadIP(t *testing.T) {
if err := IPLockConstraint("127.0.0/800"); err == nil {
t.Fatalf("IPLockConstraint with bad IP should fail")
} }
} }