Skip to content

Commit

Permalink
test: add remaining session tests (#21)
Browse files Browse the repository at this point in the history
refs #4

---------

Co-authored-by: Alan Shaw <[email protected]>
  • Loading branch information
alanshaw and Alan Shaw authored Oct 3, 2024
1 parent 994d37c commit f3261cb
Show file tree
Hide file tree
Showing 4 changed files with 217 additions and 24 deletions.
15 changes: 3 additions & 12 deletions core/delegation/delegate.go
Original file line number Diff line number Diff line change
Expand Up @@ -69,26 +69,17 @@ func WithFacts(fct []ucan.FactBuilder) Option {
}
}

// WithProofs configures the proofs for the UCAN. If the `issuer` of this
// WithProof configures the proof(s) for the UCAN. If the `issuer` of this
// `Delegation` is not the resource owner / service provider, for the delegated
// capabilities, the `proofs` must contain valid `Proof`s containing
// delegations to the `issuer`.
func WithProofs(prf Proofs) Option {
func WithProof(prf ...Proof) Option {
return func(cfg *delegationConfig) error {
cfg.prf = prf
return nil
}
}

// WithProof configures the proofs for the UCAN in the case where there is only
// a single proof.
func WithProof(prf Proof) Option {
return func(cfg *delegationConfig) error {
cfg.prf = Proofs{prf}
return nil
}
}

// Delegate creates a new signed token with a given `options.issuer`. If
// expiration is not set it defaults to 30 seconds from now. Returns UCAN in
// primary IPLD representation.
Expand All @@ -114,7 +105,7 @@ func Delegate[C ucan.CaveatBuilder](issuer ucan.Signer, audience ucan.Principal,
ucan.WithFacts(cfg.fct),
ucan.WithNonce(cfg.nnc),
ucan.WithNotBefore(cfg.nbf),
ucan.WithProofs(links),
ucan.WithProof(links...),
}
if cfg.noexp {
opts = append(opts, ucan.WithNoExpiration())
Expand Down
2 changes: 1 addition & 1 deletion server/server_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -192,7 +192,7 @@ func TestExecute(t *testing.T) {
require.NoError(t, err)

prfs := []delegation.Proof{delegation.FromDelegation(dgl)}
inv, err := invocation.Invoke(fixtures.Alice, fixtures.Service, cap, delegation.WithProofs(prfs))
inv, err := invocation.Invoke(fixtures.Alice, fixtures.Service, cap, delegation.WithProof(prfs...))
require.NoError(t, err)

resp, err := client.Execute([]invocation.Invocation{inv}, conn)
Expand Down
4 changes: 2 additions & 2 deletions ucan/lib.go
Original file line number Diff line number Diff line change
Expand Up @@ -71,8 +71,8 @@ func WithFacts(fct []FactBuilder) Option {
}
}

// WithProofs configures the proofs for the UCAN.
func WithProofs(prf []Link) Option {
// WithProof configures the proofs for the UCAN.
func WithProof(prf ...Link) Option {
return func(cfg *ucanConfig) error {
cfg.prf = prf
return nil
Expand Down
220 changes: 211 additions & 9 deletions validator/session_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -120,10 +120,10 @@ func TestSession(t *testing.T) {
service,
account.DID().String(),
nb,
delegation.WithProofs(delegation.Proofs{
delegation.WithProof(
delegation.FromDelegation(prf),
delegation.FromDelegation(session),
}),
),
)
require.NoError(t, err)

Expand Down Expand Up @@ -208,10 +208,10 @@ func TestSession(t *testing.T) {
service,
account.DID().String(),
nb,
delegation.WithProofs(delegation.Proofs{
delegation.WithProof(
delegation.FromDelegation(session),
delegation.FromDelegation(prf),
}),
),
)
require.NoError(t, err)

Expand Down Expand Up @@ -351,11 +351,9 @@ func TestSession(t *testing.T) {
service,
account.DID().String(),
nb,
delegation.WithProofs(
delegation.Proofs{
delegation.FromDelegation(prf),
delegation.FromDelegation(session),
},
delegation.WithProof(
delegation.FromDelegation(prf),
delegation.FromDelegation(session),
),
)
require.NoError(t, err)
Expand Down Expand Up @@ -409,4 +407,208 @@ func TestSession(t *testing.T) {
require.Equal(t, account.DID().String(), a.Capability().With())
require.Equal(t, nb, a.Capability().Nb())
})

t.Run("service can not delegate access to account", func(t *testing.T) {
accountDID := helpers.Must(did.Parse("did:mailto:web.mail:alice"))
account := absentee.From(accountDID)

// service should not be able to delegate access to account resource
auth, err := debugEcho.Delegate(
service,
fixtures.Alice,
account.DID().String(),
debugEchoCaveats{},
)
require.NoError(t, err)

session, err := attest.Delegate(
service,
fixtures.Alice,
service.DID().String(),
attestCaveats{Proof: auth.Link()},
delegation.WithProof(delegation.FromDelegation(auth)),
)
require.NoError(t, err)

msg := "Hello World"
nb := debugEchoCaveats{Message: &msg}
inv, err := debugEcho.Invoke(
fixtures.Alice,
service,
account.DID().String(),
nb,
delegation.WithProof(
delegation.FromDelegation(auth),
delegation.FromDelegation(session),
),
)
require.NoError(t, err)

context := NewValidationContext(
service.Verifier(),
debugEcho,
IsSelfIssued,
validateAuthOk,
ProofUnavailable,
parseEdPrincipal,
FailDIDKeyResolution,
)

a, x := Access(inv, context)
require.Nil(t, a)
require.Error(t, x)
})

t.Run("attest with an account DID", func(t *testing.T) {
accountDID := helpers.Must(did.Parse("did:mailto:web.mail:alice"))
account := absentee.From(accountDID)

// service should not be able to delegate access to account resource
auth, err := debugEcho.Delegate(
service,
fixtures.Alice,
account.DID().String(),
debugEchoCaveats{},
)
require.NoError(t, err)

session, err := attest.Delegate(
service,
fixtures.Alice,
// this should be an service did instead
account.DID().String(),
attestCaveats{Proof: auth.Link()},
delegation.WithProof(delegation.FromDelegation(auth)),
)
require.NoError(t, err)

msg := "Hello World"
nb := debugEchoCaveats{Message: &msg}
inv, err := debugEcho.Invoke(
fixtures.Alice,
service,
account.DID().String(),
nb,
delegation.WithProof(
delegation.FromDelegation(auth),
delegation.FromDelegation(session),
),
)
require.NoError(t, err)

context := NewValidationContext(
service.Verifier(),
debugEcho,
IsSelfIssued,
validateAuthOk,
ProofUnavailable,
parseEdPrincipal,
FailDIDKeyResolution,
)

a, x := Access(inv, context)
require.Nil(t, a)
require.Error(t, x)
})

t.Run("service cannot delegate account resource", func(t *testing.T) {
accountDID := helpers.Must(did.Parse("did:mailto:web.mail:alice"))
account := absentee.From(accountDID)

prf, err := debugEcho.Delegate(
service,
fixtures.Alice,
account.DID().String(),
debugEchoCaveats{},
)
require.NoError(t, err)

msg := "Hello World"
nb := debugEchoCaveats{Message: &msg}
inv, err := debugEcho.Invoke(
fixtures.Alice,
service,
account.DID().String(),
nb,
delegation.WithProof(delegation.FromDelegation(prf)),
)
require.NoError(t, err)

context := NewValidationContext(
service.Verifier(),
debugEcho,
IsSelfIssued,
validateAuthOk,
ProofUnavailable,
parseEdPrincipal,
FailDIDKeyResolution,
)

a, x := Access(inv, context)
require.Nil(t, a)
require.Error(t, x)
})

t.Run("redundant proofs have no impact", func(t *testing.T) {
accountDID := helpers.Must(did.Parse("did:mailto:web.mail:alice"))
account := absentee.From(accountDID)

var logins delegation.Proofs
for i := range 6 {
dlg, err := delegation.Delegate(
account,
fixtures.Alice,
[]ucan.Capability[ucan.NoCaveats]{
ucan.NewCapability("*", "ucan:*", ucan.NoCaveats{}),
},
delegation.WithNoExpiration(),
delegation.WithNonce(fmt.Sprint(i)),
)
require.NoError(t, err)
logins = append(logins, delegation.FromDelegation(dlg))
}

exp := ucan.Now() + 60*60*24*365 // 1 year
var attestations delegation.Proofs
for _, login := range logins {
dlg, err := attest.Delegate(
service,
fixtures.Alice,
service.DID().String(),
attestCaveats{Proof: login.Link()},
delegation.WithExpiration(exp),
)
require.NoError(t, err)
attestations = append(attestations, delegation.FromDelegation(dlg))
}

var prfs delegation.Proofs
prfs = append(prfs, logins...)
prfs = append(prfs, attestations...)

msg := "Hello World"
nb := debugEchoCaveats{Message: &msg}
inv, err := debugEcho.Invoke(
fixtures.Alice,
service,
account.DID().String(),
nb,
delegation.WithProof(prfs...),
)
require.NoError(t, err)

context := NewValidationContext(
service.Verifier(),
debugEcho,
IsSelfIssued,
validateAuthOk,
ProofUnavailable,
parseEdPrincipal,
FailDIDKeyResolution,
)

a, x := Access(inv, context)
require.NotEmpty(t, a)
require.NoError(t, x)
})
}

0 comments on commit f3261cb

Please sign in to comment.