func (s *macaroonServerSuite) TestServerBakery(c *gc.C) {
srv := newServer(c, s.State)
defer srv.Stop()
m, err := apiserver.ServerMacaroon(srv)
c.Assert(err, gc.IsNil)
bsvc, err := apiserver.ServerBakeryService(srv)
c.Assert(err, gc.IsNil)
// Check that we can add a third party caveat addressed to the
// discharger, which indirectly ensures that the discharger's public
// key has been added to the bakery service's locator.
m = m.Clone()
err = bsvc.AddCaveat(m, checkers.Caveat{
Location: s.discharger.Location(),
Condition: "true",
})
c.Assert(err, jc.ErrorIsNil)
// Check that we can discharge the macaroon and check it with
// the service.
client := httpbakery.NewClient()
ms, err := client.DischargeAll(m)
c.Assert(err, jc.ErrorIsNil)
err = bsvc.Check(ms, checkers.New())
c.Assert(err, gc.IsNil)
}
func (s *serverSuite) TestNoBakeryWhenNoIdentityURL(c *gc.C) {
srv := newServer(c, s.State)
defer srv.Stop()
// By default, when there is no identity location, no
// bakery service or macaroon is created.
_, err := apiserver.ServerMacaroon(srv)
c.Assert(err, gc.ErrorMatches, "macaroon authentication is not configured")
_, err = apiserver.ServerBakeryService(srv)
c.Assert(err, gc.ErrorMatches, "macaroon authentication is not configured")
}
func (s *macaroonServerWrongPublicKeySuite) TestDischargeFailsWithWrongPublicKey(c *gc.C) {
srv := newServer(c, s.State)
defer srv.Stop()
m, err := apiserver.ServerMacaroon(srv)
c.Assert(err, gc.IsNil)
m = m.Clone()
bsvc, err := apiserver.ServerBakeryService(srv)
c.Assert(err, gc.IsNil)
err = bsvc.AddCaveat(m, checkers.Caveat{
Location: s.discharger.Location(),
Condition: "true",
})
c.Assert(err, gc.IsNil)
client := httpbakery.NewClient()
_, err = client.DischargeAll(m)
c.Assert(err, gc.ErrorMatches, `cannot get discharge from ".*": third party refused discharge: cannot discharge: discharger cannot decode caveat id: public key mismatch`)
}