From a2f900ec2dfbccc602c07206c1f9efc078e2df40 Mon Sep 17 00:00:00 2001
From: whythat <whythat@protonmail.com>
Date: Fri, 22 Sep 2017 08:51:15 +0300
Subject: [PATCH] macaroons: add constraints unit tests

---
 macaroons/constraints_test.go | 94 +++++++++++++++++++++++++++++++++++
 1 file changed, 94 insertions(+)
 create mode 100644 macaroons/constraints_test.go

diff --git a/macaroons/constraints_test.go b/macaroons/constraints_test.go
new file mode 100644
index 000000000..9db166170
--- /dev/null
+++ b/macaroons/constraints_test.go
@@ -0,0 +1,94 @@
+package macaroons
+
+import (
+	"testing"
+	"time"
+
+	"gopkg.in/macaroon-bakery.v1/bakery"
+	"gopkg.in/macaroon-bakery.v1/bakery/checkers"
+	macaroon "gopkg.in/macaroon.v1"
+)
+
+func TestAllowConstraint(t *testing.T) {
+	macParams := bakery.NewServiceParams{}
+	svc, err := bakery.NewService(macParams)
+	if err != nil {
+		t.Fatalf("Failed to create a new service")
+	}
+	mac, err := svc.NewMacaroon("", nil, nil)
+	if err != nil {
+		t.Fatalf("Failed to create a new macaroon")
+	}
+
+	constraint := AllowConstraint("op1", "op2", "op4")
+	mac, err = AddConstraints(mac, constraint)
+	if err != nil {
+		t.Fatalf("Failed to add macaroon constraint")
+	}
+
+	checker := checkers.New(AllowChecker("op1"))
+	if err := svc.Check(macaroon.Slice{mac}, checker); err != nil {
+		t.Fatalf("Allowed operation failed macaroon check")
+	}
+
+	checker = checkers.New(AllowChecker("op3"))
+	if err := svc.Check(macaroon.Slice{mac}, checker); err == nil {
+		t.Fatalf("Disallowed operation passed macaroon check")
+	}
+}
+
+func TestTimeoutConstraint(t *testing.T) {
+	macParams := bakery.NewServiceParams{}
+	svc, err := bakery.NewService(macParams)
+	if err != nil {
+		t.Fatalf("Failed to create a new service")
+	}
+	mac, err := svc.NewMacaroon("", nil, nil)
+	if err != nil {
+		t.Fatalf("Failed to create a new macaroon")
+	}
+
+	constraint := TimeoutConstraint(1)
+	mac, err = AddConstraints(mac, constraint)
+	if err != nil {
+		t.Fatalf("Failed to add macaroon constraint")
+	}
+
+	checker := checkers.New(TimeoutChecker())
+	if err := svc.Check(macaroon.Slice{mac}, checker); err != nil {
+		t.Fatalf("Timeout check failed within timeframe")
+	}
+
+	time.Sleep(time.Second)
+	if err := svc.Check(macaroon.Slice{mac}, checker); err == nil {
+		t.Fatalf("Timeout check passed for an expired timeout")
+	}
+}
+
+func TestIPLockConstraint(t *testing.T) {
+	macParams := bakery.NewServiceParams{}
+	svc, err := bakery.NewService(macParams)
+	if err != nil {
+		t.Fatalf("Failed to create a new service")
+	}
+	mac, err := svc.NewMacaroon("", nil, nil)
+	if err != nil {
+		t.Fatalf("Failed to create a new macaroon")
+	}
+
+	constraint := IPLockConstraint("127.0.0.1")
+	mac, err = AddConstraints(mac, constraint)
+	if err != nil {
+		t.Fatalf("Failed to add macaroon constraint")
+	}
+
+	checker := checkers.New(IPLockChecker("127.0.0.1"))
+	if err := svc.Check(macaroon.Slice{mac}, checker); err != nil {
+		t.Fatalf("IPLock for the same IP failed the test")
+	}
+
+	checker = checkers.New(IPLockChecker("0.0.0.0"))
+	if err := svc.Check(macaroon.Slice{mac}, checker); err == nil {
+		t.Fatalf("IPLock for a different IP passed the test")
+	}
+}