func (s *agentSuite) TestAgentLogin(c *gc.C) {
u, err := url.Parse(s.discharger.URL)
c.Assert(err, gc.IsNil)
for i, test := range agentLoginTests {
c.Logf("%d. %s", i, test.about)
s.discharger.LoginHandler = test.loginHandler
client := httpbakery.NewClient()
client.Key, err = bakery.GenerateKey()
c.Assert(err, gc.IsNil)
err = agent.SetUpAuth(client, u, "test-user")
c.Assert(err, gc.IsNil)
m, err := s.bakery.NewMacaroon("", nil, []checkers.Caveat{{
Location: s.discharger.URL,
Condition: "test condition",
}})
c.Assert(err, gc.IsNil)
ms, err := client.DischargeAll(m)
if test.expectError != "" {
c.Assert(err, gc.ErrorMatches, test.expectError)
continue
}
c.Assert(err, gc.IsNil)
err = s.bakery.Check(ms, bakery.FirstPartyCheckerFunc(
func(caveat string) error {
return nil
},
))
c.Assert(err, gc.IsNil)
}
}
// targetService implements a "target service", representing
// an arbitrary web service that wants to delegate authorization
// to third parties.
func targetService(endpoint, authEndpoint string, authPK *bakery.PublicKey) (http.Handler, error) {
key, err := bakery.GenerateKey()
if err != nil {
return nil, err
}
pkLocator := bakery.NewPublicKeyRing()
svc, err := bakery.NewService(bakery.NewServiceParams{
Key: key,
Location: endpoint,
Locator: pkLocator,
})
if err != nil {
return nil, err
}
log.Printf("adding public key for location %s: %v", authEndpoint, authPK)
pkLocator.AddPublicKeyForLocation(authEndpoint, true, authPK)
mux := http.NewServeMux()
srv := &targetServiceHandler{
svc: svc,
authEndpoint: authEndpoint,
}
mux.HandleFunc("/gold/", srv.serveGold)
mux.HandleFunc("/silver/", srv.serveSilver)
return mux, nil
}
func (s *suite) SetUpSuite(c *gc.C) {
key, err := bakery.GenerateKey()
c.Assert(err, gc.IsNil)
s.authPublicKey = &key.Public
s.authEndpoint = serve(c, func(endpoint string) (http.Handler, error) {
return idservice.New(idservice.Params{
Users: map[string]*idservice.UserInfo{
"rog": {
Password: "******",
},
"root": {
Password: "******",
Groups: map[string]bool{
"target-service-users": true,
},
},
},
Service: bakery.NewServiceParams{
Location: endpoint,
Store: bakery.NewMemStorage(),
Key: key,
Locator: bakery.NewPublicKeyRing(),
},
})
})
c.Logf("auth endpoint at %s", s.authEndpoint)
}
func (s *exampleSuite) SetUpSuite(c *gc.C) {
key, err := bakery.GenerateKey()
c.Assert(err, gc.IsNil)
s.authPublicKey = &key.Public
s.authEndpoint, err = serve(func(endpoint string) (http.Handler, error) {
return authService(endpoint, key)
})
c.Assert(err, gc.IsNil)
}
func (s *macaroonServerWrongPublicKeySuite) SetUpTest(c *gc.C) {
s.discharger = bakerytest.NewDischarger(nil, noCheck)
wrongKey, err := bakery.GenerateKey()
c.Assert(err, gc.IsNil)
s.ConfigAttrs = map[string]interface{}{
config.IdentityURL: s.discharger.Location(),
config.IdentityPublicKey: wrongKey.Public.String(),
}
s.JujuConnSuite.SetUpTest(c)
}
func (s *KeyringSuite) TestCachePrepopulated(c *gc.C) {
cache := bakery.NewPublicKeyRing()
key, err := bakery.GenerateKey()
c.Assert(err, gc.IsNil)
cache.AddPublicKeyForLocation("https://0.1.2.3/", true, &key.Public)
kr := httpbakery.NewPublicKeyRing(nil, cache)
pk, err := kr.PublicKeyForLocation("https://0.1.2.3/")
c.Assert(err, gc.IsNil)
c.Assert(*pk, gc.Equals, key.Public)
}
func main() {
kp, err := bakery.GenerateKey()
if err != nil {
fmt.Fprintf(os.Stderr, "cannot generate key: %s\n", err)
os.Exit(1)
}
b, err := json.MarshalIndent(kp, "", "\t")
if err != nil {
panic(err)
}
fmt.Printf("%s\n", b)
}
func newService(c *gc.C, location string, locator bakery.PublicKeyLocatorMap) *bakery.Service {
keyPair, err := bakery.GenerateKey()
c.Assert(err, gc.IsNil)
svc, err := bakery.NewService(bakery.NewServiceParams{
Location: location,
Key: keyPair,
Locator: locator,
})
c.Assert(err, gc.IsNil)
if locator != nil {
locator[location] = &keyPair.Public
}
return svc
}
func newMockAPI() (*mockapi, error) {
kp, err := bakery.GenerateKey()
if err != nil {
return nil, errors.Trace(err)
}
svc, err := bakery.NewService(bakery.NewServiceParams{
Location: "omnibus",
Key: kp,
})
if err != nil {
return nil, errors.Trace(err)
}
return &mockapi{
service: svc,
}, nil
}
func main() {
key, err := bakery.GenerateKey()
if err != nil {
log.Fatalf("cannot generate auth service key pair: %v", err)
}
authPublicKey := &key.Public
authEndpoint := mustServe(func(endpoint string) (http.Handler, error) {
return authService(endpoint, key)
})
serverEndpoint := mustServe(func(endpoint string) (http.Handler, error) {
return targetService(endpoint, authEndpoint, authPublicKey)
})
resp, err := clientRequest(newClient(), serverEndpoint)
if err != nil {
log.Fatalf("client failed: %v", err)
}
fmt.Printf("client success: %q\n", resp)
}
func (*DischargeSuite) TestDischargeAllLocalDischarge(c *gc.C) {
svc, err := bakery.NewService(bakery.NewServiceParams{})
c.Assert(err, gc.IsNil)
clientKey, err := bakery.GenerateKey()
c.Assert(err, gc.IsNil)
m, err := svc.NewMacaroon("", nil, []checkers.Caveat{
bakery.LocalThirdPartyCaveat(&clientKey.Public),
})
c.Assert(err, gc.IsNil)
ms, err := bakery.DischargeAllWithKey(m, noDischarge(c), clientKey)
c.Assert(err, gc.IsNil)
err = svc.Check(ms, checkers.New())
c.Assert(err, gc.IsNil)
}
func (s *agentSuite) SetUpSuite(c *gc.C) {
key, err := bakery.GenerateKey()
c.Assert(err, gc.IsNil)
s.dischargeKey = &key.Public
c.Assert(err, gc.IsNil)
bak, err := bakery.NewService(bakery.NewServiceParams{
Key: key,
})
c.Assert(err, gc.IsNil)
s.discharger = &Discharger{
Bakery: bak,
}
s.server = s.discharger.Serve()
s.bakery, err = bakery.NewService(bakery.NewServiceParams{
Locator: bakery.PublicKeyLocatorMap{
s.discharger.URL: &key.Public,
},
})
}
// newBakeryService creates a new bakery.Service.
func newBakeryService(
st *state.State,
store bakerystorage.ExpirableStorage,
locator bakery.PublicKeyLocator,
) (*bakery.Service, *bakery.KeyPair, error) {
key, err := bakery.GenerateKey()
if err != nil {
return nil, nil, errors.Annotate(err, "generating key for bakery service")
}
service, err := bakery.NewService(bakery.NewServiceParams{
Location: "juju model " + st.ModelUUID(),
Store: store,
Key: key,
Locator: locator,
})
if err != nil {
return nil, nil, errors.Trace(err)
}
return service, key, nil
}
func (m keyManager) keyPair() (*keyPair, error) {
keyPath, err := m.keyPath()
if err != nil {
return nil, err
}
kp := newKeyPair()
if err = kp.load(keyPath); err == nil {
return kp, nil
} else if os.IsNotExist(err) {
bakeryKeyPair, err := bakery.GenerateKey()
if err != nil {
return nil, fmt.Errorf("failed to create new key pair: %v", err)
}
kp.KeyPair = bakeryKeyPair
err = kp.save(keyPath)
if err != nil {
return nil, fmt.Errorf("failed to save new key pair: %v", err)
}
return kp, nil
}
return nil, err
}
func (s *StorageSuite) TestCreateMacaroon(c *gc.C) {
keypair, err := bakery.GenerateKey()
c.Assert(err, gc.IsNil)
params := bakery.NewServiceParams{Location: "local", Store: s.store, Key: keypair}
service, err := bakery.NewService(params)
c.Assert(err, gc.IsNil)
c.Assert(service, gc.NotNil)
m, err := service.NewMacaroon(
"123",
[]byte("abc"),
[]checkers.Caveat{checkers.Caveat{Location: "", Condition: "is-authorised bob"}},
)
c.Assert(err, gc.IsNil)
c.Assert(m, gc.NotNil)
item, err := s.store.Get("123")
c.Assert(err, gc.IsNil)
c.Assert(item, gc.DeepEquals, `{"RootKey":"YWJj"}`)
err = service.Check(macaroon.Slice{m}, &testChecker{})
c.Assert(err, gc.IsNil)
}
func (s *agentSuite) TestLoginCookie(c *gc.C) {
key, err := bakery.GenerateKey()
c.Assert(err, gc.IsNil)
tests := []struct {
about string
setCookie func(*httpbakery.Client, *url.URL)
expectUser string
expectKey *bakery.PublicKey
expectError string
expectCause error
}{{
about: "success",
setCookie: func(client *httpbakery.Client, u *url.URL) {
agent.SetUpAuth(client, u, "bob")
},
expectUser: "******",
expectKey: &key.Public,
}, {
about: "no cookie",
setCookie: func(client *httpbakery.Client, u *url.URL) {},
expectError: "no agent-login cookie found",
expectCause: agent.ErrNoAgentLoginCookie,
}, {
about: "invalid base64 encoding",
setCookie: func(client *httpbakery.Client, u *url.URL) {
client.Jar.SetCookies(u, []*http.Cookie{{
Name: "agent-login",
Value: "x",
}})
},
expectError: "cannot decode cookie value: illegal base64 data at input byte 0",
}, {
about: "invalid JSON",
setCookie: func(client *httpbakery.Client, u *url.URL) {
client.Jar.SetCookies(u, []*http.Cookie{{
Name: "agent-login",
Value: base64.StdEncoding.EncodeToString([]byte("}")),
}})
},
expectError: "cannot unmarshal agent login: invalid character '}' looking for beginning of value",
}, {
about: "no username",
setCookie: func(client *httpbakery.Client, u *url.URL) {
agent.SetCookie(client.Jar, u, "", &key.Public)
},
expectError: "agent login has no user name",
}, {
about: "no public key",
setCookie: func(client *httpbakery.Client, u *url.URL) {
agent.SetCookie(client.Jar, u, "hello", nil)
},
expectError: "agent login has no public key",
}}
var (
foundUser string
foundKey *bakery.PublicKey
foundErr error
)
srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, req *http.Request) {
foundUser, foundKey, foundErr = agent.LoginCookie(req)
}))
defer srv.Close()
srvURL, err := url.Parse(srv.URL)
c.Assert(err, gc.IsNil)
for i, test := range tests {
c.Logf("test %d: %s", i, test.about)
client := httpbakery.NewClient()
client.Key = key
test.setCookie(client, srvURL)
req, err := http.NewRequest("GET", srv.URL, nil)
c.Assert(err, gc.IsNil)
resp, err := client.Do(req)
c.Assert(err, gc.IsNil)
c.Assert(resp.StatusCode, gc.Equals, http.StatusOK)
if test.expectError != "" {
c.Assert(foundErr, gc.ErrorMatches, test.expectError)
if test.expectCause != nil {
c.Assert(errgo.Cause(foundErr), gc.Equals, test.expectCause)
}
continue
}
c.Assert(foundUser, gc.Equals, test.expectUser)
c.Assert(foundKey, gc.DeepEquals, test.expectKey)
}
}