// Copyright 2020 The LUCI Authors.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package iap
import (
"context"
"net/http"
"testing"
"google.golang.org/api/idtoken"
"go.chromium.org/luci/common/logging/gologger"
. "github.com/smartystreets/goconvey/convey"
)
// TestIAPAuthenticator exercises IAPAuthMethod.Authenticate with requests that
// carry no, one, or several values in the IAP JWT assertion header.
//
// The cases that get past header parsing install a stub validator which
// ignores both the token and the audience it is given, so they do not exercise
// real token verification.
func TestIAPAuthenticator(t *testing.T) {
	t.Parallel()

	// stubValidator builds a validator that accepts any token for any audience
	// and reports a payload carrying the supplied claims (nil means no claims).
	stubValidator := func(claims map[string]interface{}) func(context.Context, string, string) (*idtoken.Payload, error) {
		return func(_ context.Context, _ string, _ string) (*idtoken.Payload, error) {
			payload := &idtoken.Payload{
				Issuer:   "",
				IssuedAt: 0,
				Subject:  "",
				Claims:   claims,
			}
			return payload, nil
		}
	}

	Convey("iap", t, func() {
		// Attach the standard logger configuration to the context.
		ctx := gologger.StdConfig.Use(context.Background())

		Convey("missing iap jwt assertion header", func() {
			method := &IAPAuthMethod{}
			req := makeGetRequest()

			// Without the header all three results are nil: no user, no
			// session, and no error.
			user, session, err := method.Authenticate(ctx, req)
			So(user, ShouldBeNil)
			So(session, ShouldBeNil)
			So(err, ShouldBeNil)
		})

		Convey("invalid jwt assertion header bytes", func() {
			// NOTE(review): no stub validator is installed here, so this
			// presumably runs the production validator on garbage input —
			// confirm that path needs no network access.
			method := &IAPAuthMethod{}
			req := makeGetRequest()
			req.Header[iapJWTAssertionHeader] = []string{"some invalid header bytes"}

			user, session, err := method.Authenticate(ctx, req)
			So(user, ShouldBeNil)
			So(session, ShouldBeNil)
			So(err, ShouldNotBeNil)
		})

		Convey("invalid multiple assertion header values", func() {
			// More than one value for the assertion header must be rejected
			// rather than having one of them picked.
			method := &IAPAuthMethod{}
			req := makeGetRequest()
			req.Header[iapJWTAssertionHeader] = []string{"only", "expect", "one", "header", "value"}

			user, session, err := method.Authenticate(ctx, req)
			So(user, ShouldBeNil)
			So(session, ShouldBeNil)
			So(err, ShouldNotBeNil)
		})

		Convey("invalid no email claims", func() {
			// The stub accepts the token but returns a payload without any
			// claims; a validated token with no email must still fail.
			method := &IAPAuthMethod{
				Aud:       AudForGAE("1234", "some-app-id"),
				validator: stubValidator(nil),
			}
			req := makeGetRequest()
			req.Header[iapJWTAssertionHeader] = []string{"just needs to be non-empty for testing"}

			user, session, err := method.Authenticate(ctx, req)
			So(user, ShouldBeNil)
			So(session, ShouldBeNil)
			So(err, ShouldNotBeNil)
		})

		Convey("happy path", func() {
			// NOTE(review): the stub discards its audience argument, so nothing
			// here pins that Authenticate passes method.Aud to the validator;
			// capturing that argument in the stub would cover it.
			method := &IAPAuthMethod{
				Aud: AudForGAE("1234", "some-app-id"),
				validator: stubValidator(map[string]interface{}{
					"email": "someemail@somedomain.com",
				}),
			}
			req := makeGetRequest()
			req.Header[iapJWTAssertionHeader] = []string{"just needs to be non-empty for testing"}

			user, session, err := method.Authenticate(ctx, req)
			So(err, ShouldBeNil)
			So(user, ShouldNotBeNil)
			So(user.Email, ShouldEqual, "someemail@somedomain.com")
			So(session, ShouldBeNil)
		})
	})
}
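// makeGetRequest returns a body-less GET request for a placeholder path; the
// test cases use it as their base request and add headers to it.
//
// It panics if the request cannot be built, so a broken fixture fails with a
// clear message instead of handing callers a nil *http.Request.
func makeGetRequest() *http.Request {
	req, err := http.NewRequest(http.MethodGet, "/doesntmatter", nil)
	if err != nil {
		panic("makeGetRequest: " + err.Error())
	}
	return req
}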