• Type: Sub-task
    • Resolution: Done
    • Priority: Normal
    • A&M Tech Debt Sprint Q1 2025, Access & Management Sprint 106, Access & Management Sprint 107, Access & Management Sprint 108, Access & Management Sprint 109, Access & Management Sprint 110, Access & Management Sprint 111, A&M Tech Debt Sprint Q2 2025, Access & Management Sprint 112

      File

      rbac/management/authorization/token_validator.py

      Tests


      Bypassing token validation returns a fixed string

      Description

      When the IT_BYPASS_TOKEN_VALIDATION environment variable is set to true, we return a mocked bearer token.

      Preconditions

      IT_BYPASS_TOKEN_VALIDATION set to true.

      Desired outcome

      When calling ITSSOTokenValidator#validate_token, the following string is returned: "mocked-invalid-bearer-token-because-token-validation-is-disabled".


      Authorization header is missing

      Description

      The bearer token is grabbed from the "Authorization" header, so if the header is missing then we can't validate the token.

      Desired outcome

      A MissingAuthorizationError is raised.


      Can't get the OIDC configuration from IT

      Description

      In order to fetch the key set to decode the token, we need to fetch the OIDC configuration from IT's SSO. If we can't fetch it, the validation can't continue.

      Test preparation

We will have to mock the requests.get(url=self.oidc_configuration_url) call so that it returns a non-success status code.

      Desired outcome

      An UnableMeetPrerequisitesError is raised.


      The OIDC configuration file does not contain the "jwks_uri"

      Description

      The JWKS URI contains the URI RBAC needs to call to get the certificates. If it is not present in the received payload, the validation process cannot continue.

Test preparation

      Mock the oidc_response for it to be an empty dict

Desired outcome

      An UnableMeetPrerequisitesError is raised.


The JWKS URI returns a non-valid status code

      Description

If the JWKS URI is wrong or IT responds with something other than the expected payload, we can't continue with the token validation.

Test preparation

      • Mock the oidc_response for it to contain a jwks_uri key.
• Mock the requests.get(url=jwks_uri) response so that its status code is a non-successful one.

Desired outcome

      An UnableMeetPrerequisitesError is raised.


      The JWKS certificates body contents are invalid

      Description

      If the JWKS body is invalid, the keyset cannot be imported and it can't be used to decode the user token.

      Test preparation

      • Mock the oidc_response for it to contain a jwks_uri key.
      • Mock the jwks_certificates_response for it to contain an empty dict.

      The token cannot be decoded

      Description

      We might properly fetch and import the keyset from SSO, but some error might happen when decoding the token, which will not allow us to validate it.

      Test preparation

      • Mock the self._get_json_web_keyset() call so that it returns an empty KeySet.
      • Set an Authorization: Bearer <invalid> header in the request to be passed to the validate_token function.

      Desired outcome

An InvalidTokenError with the "Unable to decode token" error message is raised.


      The issuer claim is missing from the token.

      Description

      If the issuer claim is missing from the token we can't validate that the token is coming from the IT SSO service.

      Test preparation

      • Mock the self._get_json_web_keyset() call so that it returns a new Keyset.
      • Mock the jwt.decode(value=bearer_token, key=key_set) call so that it returns a new Token with the following claims:
        • "exp" claim set to a date in the future
        • "aud" claim set to "cloud-services"
        • "scope" claim set to "api.iam.service_accounts"

      Desired outcome

An InvalidTokenError with the "The token's claims are invalid" error message is raised.


      The issuer claim is incorrect in the token.

      Description

      If the issuer claim doesn't match the IT SSO service issuer, then we can't confirm that the token comes from IT.

      Test preparation

      • Set the IT_SERVICE_HOST environment variable to "example.com".
      • Set the IT_SERVICE_PROTOCOL_SCHEME environment variable to "https".
      • Mock the self._get_json_web_keyset() call so that it returns a new Keyset.
      • Mock the jwt.decode(value=bearer_token, key=key_set) call so that it returns a new Token with the following claims:
        • "exp" claim set to a date in the future
        • "iss" claim set to "http://localhost"
        • "aud" claim set to "cloud-services"
        • "scope" claim set to "api.iam.service_accounts"

      Desired outcome

An InvalidTokenError with the "The token's claims are invalid" error message is raised.


      The audience claim is missing.

      Description

If the audience claim is missing from the token, we don't know who the token was intended for and can't be sure that it was created for RBAC, so we have to reject the token.

      Test preparation

      • Set the IT_SERVICE_HOST environment variable to "example.com".
      • Set the IT_SERVICE_PROTOCOL_SCHEME environment variable to "https".
      • Mock the self._get_json_web_keyset() call so that it returns a new Keyset.
      • Mock the jwt.decode(value=bearer_token, key=key_set) call so that it returns a new Token with the following claims:
        • "exp" claim set to a date in the future
        • "iss" claim set to "https://example.com/auth/realms/redhat-external"
        • "scope" claim set to "api.iam.service_accounts"

      Desired outcome

An InvalidTokenError with the "The token's claims are invalid" error message is raised.


      The audience claim is incorrect in the token.

      Description

If the audience claim doesn't contain "cloud-services", the token was not meant for a ConsoleDot application, and therefore we should reject it.

      Test preparation

      • Set the IT_SERVICE_HOST environment variable to "example.com".
      • Set the IT_SERVICE_PROTOCOL_SCHEME environment variable to "https".
      • Mock the self._get_json_web_keyset() call so that it returns a new Keyset.
• Mock the jwt.decode(value=bearer_token, key=key_set) call so that it returns a new Token with the following claims:
        • "exp" claim set to a date in the future
        • "iss" claim set to "https://example.com/auth/realms/redhat-external"
        • "aud" claim set to "invalid"
• "scope" claim set to "api.iam.service_accounts"

      Desired outcome

An InvalidTokenError with the "The token's claims are invalid" error message is raised.


      The scope claim is missing.

      Description

      If the scope claim is missing, we can't be sure if the user has the proper permissions to query or manage service accounts, so we need to reject the token.

      Test preparation

      • Set the IT_SERVICE_HOST environment variable to "example.com".
      • Set the IT_SERVICE_PROTOCOL_SCHEME environment variable to "https".
      • Mock the self._get_json_web_keyset() call so that it returns a new Keyset.
      • Mock the jwt.decode(value=bearer_token, key=key_set) call so that it returns a new Token with the following claims:
        • "exp" claim set to a date in the future
        • "iss" claim set to "https://example.com/auth/realms/redhat-external"
• "aud" claim set to "cloud-services"

      Desired outcome

An InvalidTokenError with the "The token's claims are invalid" error message is raised.


      The scope claim is invalid.

      Description

      If the scope claim is not the one we expect, the user does not have the proper permissions to query service accounts from IT, and therefore we must reject the token.

      Test preparation

      • Set the IT_SERVICE_HOST environment variable to "example.com".
      • Set the IT_SERVICE_PROTOCOL_SCHEME environment variable to "https".
      • Mock the self._get_json_web_keyset() call so that it returns a new Keyset.
      • Mock the jwt.decode(value=bearer_token, key=key_set) call so that it returns a new Token with the following claims:
        • "exp" claim set to a date in the future
        • "iss" claim set to "https://example.com/auth/realms/redhat-external"
        • "aud" claim set to "cloud-services"
        • "scope" claim set to "invalid"

      Desired outcome

An InvalidTokenError with the "The token's claims are invalid" error message is raised.


      The token has expired.

      Description

      If the token has expired, it's no longer valid and we must reject it.

      Test preparation

      • Set the IT_SERVICE_HOST environment variable to "example.com".
      • Set the IT_SERVICE_PROTOCOL_SCHEME environment variable to "https".
      • Mock the self._get_json_web_keyset() call so that it returns a new Keyset.
      • Mock the jwt.decode(value=bearer_token, key=key_set) call so that it returns a new Token with the following claims:
        • "exp" claim set to a date in the past
        • "iss" claim set to "https://example.com/auth/realms/redhat-external"
        • "aud" claim set to "cloud-services"
        • "scope" claim set to "api.iam.service_accounts"

      Desired outcome

An InvalidTokenError with the "The token's claims are invalid" error message is raised.
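The claim checks that the issuer, audience, scope and expiry test cases above describe, written here as an added Python example (not the RBAC project's own token_validator.py): the expected issuer is assembled from IT_SERVICE_PROTOCOL_SCHEME and IT_SERVICE_HOST, and every missing, wrong or expired claim ends in the same "The token's claims are invalid" error. It assumes the token has already been decoded into a claims dict and, as an assumption beyond the page, accepts "aud" as either a string or a list and "scope" as a space-separated string.

```python
import os
import time

# Expected values taken from the test cases on this page.
EXPECTED_AUDIENCE = "cloud-services"
EXPECTED_SCOPE = "api.iam.service_accounts"
CLAIMS_ERROR = "The token's claims are invalid"


class InvalidTokenError(Exception):
    """Raised when the token's claims are rejected."""


def expected_issuer(environ=None):
    """Build the expected "iss" value from the IT_SERVICE_* environment variables."""
    env = os.environ if environ is None else environ  # dict passed in tests, os.environ otherwise
    return f'{env["IT_SERVICE_PROTOCOL_SCHEME"]}://{env["IT_SERVICE_HOST"]}/auth/realms/redhat-external'


def claim_problems(claims, issuer, now=None):
    """Return the names of the failing checks; an empty list means the claims are acceptable."""
    now = time.time() if now is None else now
    problems = []
    exp = claims.get("exp")
    if not isinstance(exp, (int, float)) or exp <= now:  # missing or in the past
        problems.append("exp")
    if claims.get("iss") != issuer:  # missing or not the IT SSO issuer
        problems.append("iss")
    aud = claims.get("aud")  # assumption: string or list of audiences
    if EXPECTED_AUDIENCE not in (aud if isinstance(aud, list) else [aud]):
        problems.append("aud")
    scope = claims.get("scope")  # assumption: space-separated scope string
    if EXPECTED_SCOPE not in (scope.split() if isinstance(scope, str) else []):
        problems.append("scope")
    return problems


def validate_claims(claims, issuer, now=None):
    """Raise InvalidTokenError with the message the tests expect, otherwise return the claims."""
    if claim_problems(claims, issuer, now):
        raise InvalidTokenError(CLAIMS_ERROR)
    return claims


def is_rejected(claims, issuer, now=None):
    """True when validate_claims raises; convenient for exercising the negative cases."""
    try:
        validate_claims(claims, issuer, now)
    except InvalidTokenError:
        return True
    return False
```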

              mbarcina@redhat.com Mikel Alejo Barcina Ribera