diff options
author | Vitaly Buka <vitalybuka@google.com> | 2016-02-23 18:21:40 -0800 |
---|---|---|
committer | Vitaly Buka <vitalybuka@google.com> | 2016-02-24 18:13:01 +0000 |
commit | 5a1990fec7fd74ade9090cc4506d005b0891ea3e (patch) | |
tree | 05a88148e2745f4d5cda517eac615f066879d1ab /src | |
parent | 51dcfadb657361f4b0dd33248aeec16dcca81829 (diff) | |
download | libweave-5a1990fec7fd74ade9090cc4506d005b0891ea3e.tar.gz |
Implement revocation list check when validating auth token
BUG: 26728665
Change-Id: Ib46df44357f1503ef3490566660288a5e09cd01e
Reviewed-on: https://weave-review.googlesource.com/2728
Reviewed-by: Alex Vakulenko <avakulenko@google.com>
Diffstat (limited to 'src')
-rw-r--r-- | src/privet/auth_manager.cc | 22 | ||||
-rw-r--r-- | src/privet/auth_manager_unittest.cc | 21 |
2 files changed, 41 insertions, 2 deletions
diff --git a/src/privet/auth_manager.cc b/src/privet/auth_manager.cc index 90cf62b..ddead46 100644 --- a/src/privet/auth_manager.cc +++ b/src/privet/auth_manager.cc @@ -513,6 +513,28 @@ bool AuthManager::CreateAccessTokenFromAuth( "Invalid session id"); } + if (black_list_) { + std::vector<uint8_t> user_id; + std::vector<uint8_t> app_id; + for (size_t i = 0; i < result.num_delegatees; ++i) { + if (result.delegatees[i].type == kUwMacaroonDelegateeTypeUser) { + user_id.assign(result.delegatees[i].id, + result.delegatees[i].id + result.delegatees[i].id_len); + } else if (result.delegatees[i].type == kUwMacaroonDelegateeTypeApp) { + app_id.assign(result.delegatees[i].id, + result.delegatees[i].id + result.delegatees[i].id_len); + } else { + // Do not block by other types of delegatees. + continue; + } + if (black_list_->IsBlocked( + user_id, app_id, FromJ2000Time(result.delegatees[i].timestamp))) { + return Error::AddTo(error, FROM_HERE, errors::kInvalidAuthCode, + "Auth token is revoked"); + } + } + } + CHECK_GE(FromJ2000Time(result.expiration_time), now); if (!access_token) diff --git a/src/privet/auth_manager_unittest.cc b/src/privet/auth_manager_unittest.cc index 8a4938e..f2c8728 100644 --- a/src/privet/auth_manager_unittest.cc +++ b/src/privet/auth_manager_unittest.cc @@ -14,9 +14,10 @@ #include "src/test/mock_black_list_manager.h" #include "src/test/mock_clock.h" +using testing::_; using testing::Return; using testing::SaveArg; -using testing::_; +using testing::StrictMock; namespace weave { namespace privet { @@ -26,6 +27,7 @@ class MockBlackListManager : public test::MockAccessBlackListManager { MockBlackListManager() { EXPECT_CALL(*this, AddEntryAddedCallback(_)) .WillOnce(SaveArg<0>(&changed_callback_)); + EXPECT_CALL(*this, IsBlocked(_, _, _)).WillRepeatedly(Return(false)); } base::Closure changed_callback_; @@ -59,7 +61,7 @@ class AuthManagerTest : public testing::Test { 60, 62, 10, 18, 82, 35, 88, 100, 30, 45, 7, 46, 67, 84, 58, 85}; test::MockClock clock_; - MockBlackListManager black_list_; + StrictMock<MockBlackListManager> black_list_; AuthManager auth_{kSecret1, kFingerprint, kSecret2, &clock_, &black_list_}; }; @@ -350,6 +352,21 @@ TEST_F(AuthManagerTest, CreateAccessTokenFromAuthExpiredSessionid) { EXPECT_TRUE(error->HasError("invalidAuthCode")); } +TEST_F(AuthManagerTest, CreateAccessTokenFromAuthRevoked) { + TestUserId user{"234"}; + EXPECT_CALL(black_list_, IsBlocked(user.user, _, clock_.Now())) + .WillOnce(Return(true)); + std::vector<uint8_t> access_token; + auto root = auth_.GetRootClientAuthToken(RootClientTokenOwner::kCloud); + auto extended = DelegateToUser(root, base::TimeDelta::FromSeconds(1000), + UserInfo{AuthScope::kUser, user}); + ErrorPtr error; + EXPECT_FALSE( + auth_.CreateAccessTokenFromAuth(extended, base::TimeDelta::FromDays(1), + nullptr, nullptr, nullptr, &error)); + EXPECT_TRUE(error->HasError("invalidAuthCode")); +} + class AuthManagerClaimTest : public testing::Test { public: void SetUp() override { EXPECT_EQ(auth_.GetAuthSecret().size(), 32u); } |