server/auth/iap/iap_method_test.go - infra/luci/luci-go - Git at Google

 // Copyright 2020 The LUCI Authors.
 //
 // Licensed under the Apache License, Version 2.0 (the "License");
 // you may not use this file except in compliance with the License.
 // You may obtain a copy of the License at
 //
 //      http://www.apache.org/licenses/LICENSE-2.0
 //
 // Unless required by applicable law or agreed to in writing, software
 // distributed under the License is distributed on an "AS IS" BASIS,
 // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 // See the License for the specific language governing permissions and
 // limitations under the License.

 package iap

 import (
 	"context"
 	"testing"

 	"google.golang.org/api/idtoken"

 	"go.chromium.org/luci/common/logging/gologger"

 	"go.chromium.org/luci/server/auth/authtest"

 	. "github.com/smartystreets/goconvey/convey"
 )

 func TestIAPAuthenticator(t *testing.T) {
 	t.Parallel()
 	Convey("iap", t, func() {
 		c := context.Background()
 		c = gologger.StdConfig.Use(c)

 		Convey("missing iap jwt assertion header", func() {
 			a := &IAPAuthMethod{}
 			r := authtest.NewFakeRequestMetadata()
 			user, session, err := a.Authenticate(c, r)
 			So(user, ShouldBeNil)
 			So(session, ShouldBeNil)
 			So(err, ShouldBeNil)
 		})

 		Convey("invalid jwt assertion header bytes", func() {
 			a := &IAPAuthMethod{}
 			r := authtest.NewFakeRequestMetadata()
 			r.FakeHeader.Set(iapJWTAssertionHeader, "some invalid header bytes")

 			user, session, err := a.Authenticate(c, r)
 			So(user, ShouldBeNil)
 			So(session, ShouldBeNil)
 			So(err, ShouldNotBeNil)
 		})

 		Convey("invalid no email claims", func() {
 			a := &IAPAuthMethod{
 				Aud: AudForGAE("1234", "some-app-id"),
 				validator: func(ctx context.Context, idToken string, audience string) (*idtoken.Payload, error) {
 					return &idtoken.Payload{
 						Issuer:   "",
 						IssuedAt: 0,
 						Subject:  "",
 					}, nil
 				},
 			}
 			r := authtest.NewFakeRequestMetadata()
 			r.FakeHeader.Set(iapJWTAssertionHeader, "just needs to be non-empty for testing")

 			user, session, err := a.Authenticate(c, r)
 			So(user, ShouldBeNil)
 			So(session, ShouldBeNil)
 			So(err, ShouldNotBeNil)
 		})

 		Convey("happy path", func() {
 			a := &IAPAuthMethod{
 				Aud: AudForGAE("1234", "some-app-id"),
 				validator: func(ctx context.Context, idToken string, audience string) (*idtoken.Payload, error) {
 					return &idtoken.Payload{
 						Issuer:   "",
 						IssuedAt: 0,
 						Subject:  "",
 						Claims: map[string]any{
 							"email": "someemail@somedomain.com",
 						},
 					}, nil
 				},
 			}

 			r := authtest.NewFakeRequestMetadata()
 			r.FakeHeader.Set(iapJWTAssertionHeader, "just needs to be non-empty for testing")

 			user, session, err := a.Authenticate(c, r)
 			So(err, ShouldBeNil)
 			So(user, ShouldNotBeNil)
 			So(user.Email, ShouldEqual, "someemail@somedomain.com")
 			So(session, ShouldBeNil)
 		})
 	})
 }
	// Copyright 2020 The LUCI Authors.
	//
	// Licensed under the Apache License, Version 2.0 (the "License");
	// you may not use this file except in compliance with the License.
	// You may obtain a copy of the License at
	//
	// http://www.apache.org/licenses/LICENSE-2.0
	//
	// Unless required by applicable law or agreed to in writing, software
	// distributed under the License is distributed on an "AS IS" BASIS,
	// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
	// See the License for the specific language governing permissions and
	// limitations under the License.

	package iap

	import (
	"context"
	"testing"

	"google.golang.org/api/idtoken"

	"go.chromium.org/luci/common/logging/gologger"

	"go.chromium.org/luci/server/auth/authtest"

	. "github.com/smartystreets/goconvey/convey"
	)

	func TestIAPAuthenticator(t *testing.T) {
	t.Parallel()
	Convey("iap", t, func() {
	c := context.Background()
	c = gologger.StdConfig.Use(c)

	Convey("missing iap jwt assertion header", func() {
	a := &IAPAuthMethod{}
	r := authtest.NewFakeRequestMetadata()
	user, session, err := a.Authenticate(c, r)
	So(user, ShouldBeNil)
	So(session, ShouldBeNil)
	So(err, ShouldBeNil)
	})

	Convey("invalid jwt assertion header bytes", func() {
	a := &IAPAuthMethod{}
	r := authtest.NewFakeRequestMetadata()
	r.FakeHeader.Set(iapJWTAssertionHeader, "some invalid header bytes")

	user, session, err := a.Authenticate(c, r)
	So(user, ShouldBeNil)
	So(session, ShouldBeNil)
	So(err, ShouldNotBeNil)
	})

	Convey("invalid no email claims", func() {
	a := &IAPAuthMethod{
	Aud: AudForGAE("1234", "some-app-id"),
	validator: func(ctx context.Context, idToken string, audience string) (*idtoken.Payload, error) {
	return &idtoken.Payload{
	Issuer: "",
	IssuedAt: 0,
	Subject: "",
	}, nil
	},
	}
	r := authtest.NewFakeRequestMetadata()
	r.FakeHeader.Set(iapJWTAssertionHeader, "just needs to be non-empty for testing")

	user, session, err := a.Authenticate(c, r)
	So(user, ShouldBeNil)
	So(session, ShouldBeNil)
	So(err, ShouldNotBeNil)
	})

	Convey("happy path", func() {
	a := &IAPAuthMethod{
	Aud: AudForGAE("1234", "some-app-id"),
	validator: func(ctx context.Context, idToken string, audience string) (*idtoken.Payload, error) {
	return &idtoken.Payload{
	Issuer: "",
	IssuedAt: 0,
	Subject: "",
	Claims: map[string]any{
	"email": "someemail@somedomain.com",
	},
	}, nil
	},
	}

	r := authtest.NewFakeRequestMetadata()
	r.FakeHeader.Set(iapJWTAssertionHeader, "just needs to be non-empty for testing")

	user, session, err := a.Authenticate(c, r)
	So(err, ShouldBeNil)
	So(user, ShouldNotBeNil)
	So(user.Email, ShouldEqual, "someemail@somedomain.com")
	So(session, ShouldBeNil)
	})
	})
	}