authorize: move headers and jwt signing to rego (#1856)

* wip * wip * wip * remove SignedJWT field * set google_cloud_serverless_authentication_service_account * update jwt claim headers * add mock get_google_cloud_serverless_headers for opa test * swap issuer and audience * add comment * change default port in authz
2025-05-10 07:37:33 +02:00 · 2021-02-08 10:53:21 -07:00 · 2021-02-08 10:53:21 -07:00 · 7d236ca1af
commit 7d236ca1af
parent 2dc0be2ec9
17 changed files with 492 additions and 675 deletions
--- a/authorize/evaluator/google_cloud_serverless_test.go
+++ b/authorize/evaluator/google_cloud_serverless_test.go
@ -0,0 +1,70 @@
+package evaluator
+
+import (
+	"net/http"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func withMockGCP(t *testing.T, f func()) {
+	originalGCPIdentityDocURL := GCPIdentityDocURL
+	defer func() {
+		GCPIdentityDocURL = originalGCPIdentityDocURL
+		GCPIdentityNow = time.Now
+	}()
+
+	now := time.Date(2020, 1, 1, 1, 0, 0, 0, time.UTC)
+	GCPIdentityNow = func() time.Time {
+		return now
+	}
+
+	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
+		assert.Equal(t, "Google", r.Header.Get("Metadata-Flavor"))
+		assert.Equal(t, "full", r.URL.Query().Get("format"))
+		_, _ = w.Write([]byte(now.Format(time.RFC3339)))
+	}))
+	defer srv.Close()
+
+	GCPIdentityDocURL = srv.URL
+	f()
+}
+
+func TestGCPIdentityTokenSource(t *testing.T) {
+	withMockGCP(t, func() {
+		src, err := getGoogleCloudServerlessTokenSource("", "example")
+		assert.NoError(t, err)
+
+		token, err := src.Token()
+		assert.NoError(t, err)
+		assert.Equal(t, "2020-01-01T01:00:00Z", token.AccessToken)
+	})
+}
+
+func Test_normalizeServiceAccount(t *testing.T) {
+	tests := []struct {
+		name                   string
+		serviceAccount         string
+		expectedServiceAccount string
+		wantError              bool
+	}{
+		{"empty", "", "", false},
+		{"leading spaces", `  {"service_account": "foo"}`, `{"service_account": "foo"}`, false},
+		{"trailing spaces", `{"service_account": "foo"}  `, `{"service_account": "foo"}`, false},
+		{"leading+trailing spaces", `   {"service_account": "foo"}  `, `{"service_account": "foo"}`, false},
+		{"base64", "eyJzZXJ2aWNlX2FjY291bnQiOiAiZm9vIn0=", `{"service_account": "foo"}`, false},
+		{"invalid base64", "--eyJzZXJ2aWNlX2FjY291bnQiOiAiZm9vIn0=--", "", true},
+	}
+
+	for _, tc := range tests {
+		tc := tc
+		t.Run(tc.name, func(t *testing.T) {
+			t.Parallel()
+			gotServiceAccount, err := normalizeServiceAccount(tc.serviceAccount)
+			assert.True(t, (err != nil) == tc.wantError)
+			assert.Equal(t, tc.expectedServiceAccount, gotServiceAccount)
+		})
+	}
+}