add unit tests

eBay · May 23, 2024 · 1349ca4 · 1349ca4
1 parent fcddad4
commit 1349ca4
Show file tree

Hide file tree

Showing 3 changed files with 69 additions and 33 deletions.
diff --git a/src/auth_manager/security_config.fbs b/src/auth_manager/security_config.fbs
@@ -12,7 +12,7 @@ table TrfClient {
     server: string;
 
     // Leeway for an expired token
-    trf_expiry_leeway_secs: uint32 = 0;
+    trf_expiry_leeway_secs: uint32 = 300;
 
     // Pod env variables
     app_name: string;
@@ -32,13 +32,13 @@ table AuthManager {
     tf_token_url: string;
 
     // leeway to the token expiration
-    expiry_leeway_secs: uint32 = 300;
+    expiry_leeway_secs: uint32 = 0;
 
     // leeway to the token issued_at
-    iat_leeway_secs: uint32 = 120;
+    iat_leeway_secs: uint32 = 5;
 
     // leeway to the token not_before
-    nbf_leeway_secs: uint32 = 120;
+    nbf_leeway_secs: uint32 = 5;
 
     // ssl verification for the signing key download url
     verify: bool = true;

diff --git a/src/auth_manager/tests/AuthTest.cpp b/src/auth_manager/tests/AuthTest.cpp
@@ -33,10 +33,9 @@ class MockAuthManager : public AuthManager {
 public:
     using AuthManager::AuthManager;
     MOCK_METHOD(std::string, download_key, (const std::string&), (const));
-    AuthVerifyStatus verify(const std::string& token) {
-        std::string msg;
-        return AuthManager::verify(token, msg);
-    }
+    std::string msg;
+    AuthVerifyStatus verify(const std::string& token) { return verify(token, msg); }
+    AuthVerifyStatus verify(const std::string& token, std::string& msg) { return AuthManager::verify(token, msg); }
 };
 
 class AuthTest : public ::testing::Test {
@@ -57,7 +56,6 @@ class AuthTest : public ::testing::Test {
         SECURITY_SETTINGS_FACTORY().modifiable_settings([](auto& s) {
             s.auth_manager->auth_allowed_apps = "app1, testapp, app2";
             s.auth_manager->tf_token_url = "http://127.0.0.1";
-            s.auth_manager->leeway = 0;
             s.auth_manager->issuer = "trustfabric";
         });
         SECURITY_SETTINGS_FACTORY().save();
@@ -140,6 +138,48 @@ TEST_F(AuthTest, reject_unauthorized_app) {
     EXPECT_EQ(mock_auth_mgr->verify(token.sign_rs256()), AuthVerifyStatus::FORBIDDEN);
 }
 
+TEST_F(AuthTest, leeway_test) {
+    auto test_token = TestToken();
+    auto& trf_token = test_token.get_token();
+
+    // default leeway is 0 seconds for exp
+    trf_token.set_expires_at(std::chrono::system_clock::now() + std::chrono::seconds(1));
+    // default leeway is 5 seconds for iat and nbf
+    trf_token.set_issued_at(std::chrono::system_clock::now() + std::chrono::seconds(4));
+    trf_token.set_not_before(std::chrono::system_clock::now() + std::chrono::seconds(4));
+    auto raw_token = test_token.sign_rs256();
+
+    EXPECT_CALL(*mock_auth_mgr, download_key(_)).Times(1).WillOnce(Return(rsa_pub_key));
+    EXPECT_EQ(mock_auth_mgr->verify(raw_token), AuthVerifyStatus::OK);
+
+    std::string unauth_msg;
+    // token expired
+    trf_token.set_expires_at(std::chrono::system_clock::now() - std::chrono::seconds(1));
+    raw_token = test_token.sign_rs256();
+    EXPECT_CALL(*mock_auth_mgr, download_key(_)).Times(0);
+    EXPECT_EQ(mock_auth_mgr->verify(raw_token, unauth_msg), AuthVerifyStatus::UNAUTH);
+    EXPECT_EQ(unauth_msg, "token verification failed: token expired");
+
+    unauth_msg.clear();
+    // iat expired
+    trf_token.set_expires_at(std::chrono::system_clock::now() + std::chrono::seconds(1));
+    trf_token.set_issued_at(std::chrono::system_clock::now() + std::chrono::seconds(6));
+    trf_token.set_key_id("new_key_id");
+    raw_token = test_token.sign_rs256();
+    EXPECT_CALL(*mock_auth_mgr, download_key(_)).Times(1).WillOnce(Return(rsa_pub_key));
+    EXPECT_EQ(mock_auth_mgr->verify(raw_token, unauth_msg), AuthVerifyStatus::UNAUTH);
+    EXPECT_EQ(unauth_msg, "token verification failed: token expired");
+
+    unauth_msg.clear();
+    // nbf expired
+    trf_token.set_issued_at(std::chrono::system_clock::now() - std::chrono::seconds(1));
+    trf_token.set_not_before(std::chrono::system_clock::now() + std::chrono::seconds(6));
+    raw_token = test_token.sign_rs256();
+    EXPECT_CALL(*mock_auth_mgr, download_key(_)).Times(0);
+    EXPECT_EQ(mock_auth_mgr->verify(raw_token, unauth_msg), AuthVerifyStatus::UNAUTH);
+    EXPECT_EQ(unauth_msg, "token verification failed: token expired");
+}
+
 // Testing trf client
 class MockTrfClient : public TrfClient {
 public:
@@ -169,7 +209,7 @@ static void load_trf_settings() {
         s.trf_client->grant_path = grant_path;
         s.trf_client->server = "127.0.0.1:12346/token";
         s.auth_manager->verify = false;
-        s.auth_manager->leeway = 30;
+        s.auth_manager->expiry_leeway_secs = 30;
     });
     SECURITY_SETTINGS_FACTORY().save();
 }

diff --git a/src/grpc/tests/unit/auth_test.cpp b/src/grpc/tests/unit/auth_test.cpp
@@ -245,7 +245,7 @@ static void load_auth_settings() {
     SECURITY_SETTINGS_FACTORY().modifiable_settings([](auto& s) {
         s.auth_manager->auth_allowed_apps = "app1, testapp, app2";
         s.auth_manager->tf_token_url = "http://127.0.0.1";
-        s.auth_manager->leeway = 0;
+        s.auth_manager->expiry_leeway_secs = 0;
         s.auth_manager->issuer = "trustfabric";
         s.trf_client->grant_path = grant_path;
         s.trf_client->server = fmt::format("{}:{}/token", trf_token_server_ip, trf_token_server_port);
@@ -401,34 +401,34 @@ TEST(GenericServiceDeathTest, basic_test) {
     auto g_grpc_server = GrpcServer::make("0.0.0.0:56789", nullptr, 1, "", "");
     // register rpc before generic service is registered
 #ifndef NDEBUG
-    ASSERT_DEATH(g_grpc_server->register_generic_rpc(
-                     "method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }),
-                 "Assertion .* failed");
+    ASSERT_DEATH(
+        g_grpc_server->register_generic_rpc("method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }),
+        "Assertion .* failed");
 #else
-    EXPECT_FALSE(g_grpc_server->register_generic_rpc(
-        "method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
+    EXPECT_FALSE(
+        g_grpc_server->register_generic_rpc("method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
 #endif
 
     ASSERT_TRUE(g_grpc_server->register_async_generic_service());
     // duplicate register
     EXPECT_FALSE(g_grpc_server->register_async_generic_service());
     // register rpc before server is run
 #ifndef NDEBUG
-    ASSERT_DEATH(g_grpc_server->register_generic_rpc(
-                     "method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }),
-                 "Assertion .* failed");
+    ASSERT_DEATH(
+        g_grpc_server->register_generic_rpc("method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }),
+        "Assertion .* failed");
 #else
-    EXPECT_FALSE(g_grpc_server->register_generic_rpc(
-        "method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
+    EXPECT_FALSE(
+        g_grpc_server->register_generic_rpc("method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
 #endif
     g_grpc_server->run();
-    EXPECT_TRUE(g_grpc_server->register_generic_rpc(
-        "method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
-    EXPECT_TRUE(g_grpc_server->register_generic_rpc(
-        "method2", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
+    EXPECT_TRUE(
+        g_grpc_server->register_generic_rpc("method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
+    EXPECT_TRUE(
+        g_grpc_server->register_generic_rpc("method2", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
     // re-register method 1
-    EXPECT_FALSE(g_grpc_server->register_generic_rpc(
-        "method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
+    EXPECT_FALSE(
+        g_grpc_server->register_generic_rpc("method1", [](boost::intrusive_ptr< GenericRpcData >&) { return true; }));
 
     auto client = std::make_unique< GrpcAsyncClient >("0.0.0.0:56789", "", "");
     client->init();
@@ -437,15 +437,11 @@ TEST(GenericServiceDeathTest, basic_test) {
     ::grpc::ByteBuffer cli_buf;
     generic_stub->call_unary(
         cli_buf, "method1",
-        [method = "method1"](::grpc::ByteBuffer&, ::grpc::Status& status) {
-            validate_generic_reply(method, status);
-        },
+        [method = "method1"](::grpc::ByteBuffer&, ::grpc::Status& status) { validate_generic_reply(method, status); },
         1);
     generic_stub->call_unary(
         cli_buf, "method2",
-        [method = "method2"](::grpc::ByteBuffer&, ::grpc::Status& status) {
-            validate_generic_reply(method, status);
-        },
+        [method = "method2"](::grpc::ByteBuffer&, ::grpc::Status& status) { validate_generic_reply(method, status); },
         1);
     generic_stub->call_unary(
         cli_buf, "method_unknown",