Add tests for invalid keys from upstream, and rename test cases.

Change-Id: Ib41cb81c779534fc6efd74d66bf4728efd743906

Author: huangjiahua

cab-token-generator/java/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactory.java

@@ -486,6 +486,7 @@ private byte[] serializeCredentialAccessBoundary(
               .setAvailableResource(rule.getAvailableResource());
 
       // Availability condition is an optional field from the CredentialAccessBoundary
+      // CEL compliation is only performed if there is a non-empty availablity condition.
       if (rule.getAvailabilityCondition() != null) {
         String availabilityCondition =
             rule.getAvailabilityCondition().getExpression();
@@ -522,6 +523,8 @@ private byte[] encryptRestrictions(byte[] restriction, String sessionKey) throws
     Aead aead =
         keysetHandle.getPrimitive(RegistryConfiguration.get(), Aead.class);
 
+    // For Client-Side CAB token encryption, empty associated data is expected.
+    // Tink requires a byte[0] to be passed for this case.
     return aead.encrypt(restriction, /*associatedData=*/new byte[0]);
   }
 

cab-token-generator/javatests/com/google/auth/credentialaccessboundary/ClientSideCredentialAccessBoundaryFactoryTest.java

@@ -66,6 +66,7 @@
 import dev.cel.expr.Expr;
 
 import java.io.IOException;
+import java.security.GeneralSecurityException;
 import java.time.Duration;
 import java.util.Base64;
 import java.util.Map;
@@ -589,7 +590,7 @@ private static void triggerConcurrentRefresh(
   }
 
   @Test
-  public void generateToken() throws Exception {
+  public void generateToken_withAvailablityCondition_success() throws Exception {
     MockStsTransportFactory transportFactory = new MockStsTransportFactory();
     transportFactory.transport.setReturnAccessBoundarySessionKey(true);
 
@@ -662,7 +663,7 @@ public void generateToken() throws Exception {
   }
 
   @Test
-  public void generateToken_withoutAvailabilityCondition() throws Exception {
+  public void generateToken_withoutAvailabilityCondition_success() throws Exception {
     MockStsTransportFactory transportFactory = new MockStsTransportFactory();
     transportFactory.transport.setReturnAccessBoundarySessionKey(true);
 
@@ -719,7 +720,7 @@ public void generateToken_withoutAvailabilityCondition() throws Exception {
   }
 
   @Test
-  public void generateToken_withInvalidCelExpression() throws Exception {
+  public void generateToken_withInvalidAvailabilityCondition_failure() throws Exception {
     MockStsTransportFactory transportFactory = new MockStsTransportFactory();
     transportFactory.transport.setReturnAccessBoundarySessionKey(true);
 
@@ -756,4 +757,84 @@ public void generateToken_withInvalidCelExpression() throws Exception {
     assertThrows(CelValidationException.class,
                  () -> { factory.generateToken(accessBoundary); });
   }
+
+  @Test
+  public void generateToken_withSessionKeyNotBase64Encoded_failure() throws Exception {
+    MockStsTransportFactory transportFactory = new MockStsTransportFactory();
+    transportFactory.transport.setReturnAccessBoundarySessionKey(true);
+    transportFactory.transport.setAccessBoundarySessionKey("invalid_key");
+
+    ClientSideCredentialAccessBoundaryFactory.Builder builder =
+        ClientSideCredentialAccessBoundaryFactory.newBuilder();
+
+    ClientSideCredentialAccessBoundaryFactory factory =
+        builder
+            .setSourceCredential(getServiceAccountSourceCredentials(
+                mockTokenServerTransportFactory))
+            .setHttpTransportFactory(transportFactory)
+            .build();
+
+    CredentialAccessBoundary.Builder cabBuilder =
+        CredentialAccessBoundary.newBuilder();
+    CredentialAccessBoundary accessBoundary =
+        cabBuilder
+            .addRule(
+                CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
+                    .setAvailableResource("//storage.googleapis.com/projects/"
+                                          + "_/buckets/example-bucket")
+                    .setAvailablePermissions(
+                        ImmutableList.of("inRole:roles/storage.objectViewer"))
+                    .setAvailabilityCondition(
+                        CredentialAccessBoundary.AccessBoundaryRule
+                            .AvailabilityCondition.newBuilder()
+                            .setExpression(
+                                "resource.name.startsWith('projects/_/"
+                                + "buckets/example-bucket/objects/customer-a')")
+                            .build())
+                    .build())
+            .build();
+
+    assertThrows(IllegalArgumentException.class,
+                 () -> { factory.generateToken(accessBoundary); });
+  }
+
+  @Test
+  public void generateToken_withMalformSessionKey_failure() throws Exception {
+    MockStsTransportFactory transportFactory = new MockStsTransportFactory();
+    transportFactory.transport.setReturnAccessBoundarySessionKey(true);
+    transportFactory.transport.setAccessBoundarySessionKey("aW52YWxpZF9rZXk=");
+
+    ClientSideCredentialAccessBoundaryFactory.Builder builder =
+        ClientSideCredentialAccessBoundaryFactory.newBuilder();
+
+    ClientSideCredentialAccessBoundaryFactory factory =
+        builder
+            .setSourceCredential(getServiceAccountSourceCredentials(
+                mockTokenServerTransportFactory))
+            .setHttpTransportFactory(transportFactory)
+            .build();
+
+    CredentialAccessBoundary.Builder cabBuilder =
+        CredentialAccessBoundary.newBuilder();
+    CredentialAccessBoundary accessBoundary =
+        cabBuilder
+            .addRule(
+                CredentialAccessBoundary.AccessBoundaryRule.newBuilder()
+                    .setAvailableResource("//storage.googleapis.com/projects/"
+                                          + "_/buckets/example-bucket")
+                    .setAvailablePermissions(
+                        ImmutableList.of("inRole:roles/storage.objectViewer"))
+                    .setAvailabilityCondition(
+                        CredentialAccessBoundary.AccessBoundaryRule
+                            .AvailabilityCondition.newBuilder()
+                            .setExpression(
+                                "resource.name.startsWith('projects/_/"
+                                + "buckets/example-bucket/objects/customer-a')")
+                            .build())
+                    .build())
+            .build();
+
+    assertThrows(GeneralSecurityException.class,
+                 () -> { factory.generateToken(accessBoundary); });
+  }
 }

oauth2_http/javatests/com/google/auth/oauth2/MockStsTransport.java

@@ -76,6 +76,7 @@ public final class MockStsTransport extends MockHttpTransport {
 
   private boolean returnExpiresIn = true;
   private boolean returnAccessBoundarySessionKey = false;
+  private String accessBoundarySessionKey = ACCESS_BOUNDARY_SESSION_KEY_VALUE;
   private MockLowLevelHttpRequest request;
   private int requestCount = 0;
 
@@ -142,7 +143,7 @@ public LowLevelHttpResponse execute() throws IOException {
             }
 
             if (returnAccessBoundarySessionKey) {
-              response.put("access_boundary_session_key", ACCESS_BOUNDARY_SESSION_KEY_VALUE);
+              response.put("access_boundary_session_key", accessBoundarySessionKey);
             }
 
             return new MockLowLevelHttpResponse()
@@ -189,6 +190,10 @@ public void setReturnExpiresIn(boolean returnExpiresIn) {
     this.returnExpiresIn = returnExpiresIn;
   }
 
+  public void setAccessBoundarySessionKey(String accessBoundarySessionKey) {
+    this.accessBoundarySessionKey = accessBoundarySessionKey;
+  }
+
   public void setReturnAccessBoundarySessionKey(boolean returnAccessBoundarySessionKey) {
     this.returnAccessBoundarySessionKey = returnAccessBoundarySessionKey;
   }