Make sure tokens returned by local auth service live for >3 min.

luci-go auth implementation freaks out if the returned token lives for less than 2 min ('minAcceptedLifetime' constant in common/auth/auth.go). [email protected] BUG=skia:6611 Review-Url: https://codereview.chromium.org/2954033002
whesse · Jun 23, 2017 · 28ae091 · 28ae091
1 parent 2df2f6f
commit 28ae091
Show file tree

Hide file tree

Showing 3 changed files with 27 additions and 8 deletions.
diff --git a/client/LUCI_CONTEXT.md b/client/LUCI_CONTEXT.md
@@ -31,7 +31,8 @@ Example contents:
 {
   "local_auth": {
     "rpc_port": 10000,
-    "secret": "aGVsbG8gd29ybGQK"
+    "secret": "aGVsbG8gd29ybGQK",
+    ...
   },
   "swarming": {
     "secret_bytes": "cmFkaWNhbGx5IGNvb2wgc2VjcmV0IHN0dWZmCg=="
@@ -59,18 +60,35 @@ equivalent to specifying the 'OrigName' parameter in the Marshaller.
 
 ## `local_auth`
 
-Local auth specifies how where subprocesses can obtain OAuth2 tokens to use when
-calling other services.
-
-TODO(vadimsh): Fill this in.
+Local auth specifies where subprocesses can obtain OAuth2 tokens to use when
+calling other services. It is a reference to a local RPC port, along with
+some configuration of what this RPC service (called "local auth service") can
+provide.
 
 ```
 message LocalAuth {
+  message Account {
+    string id = 1;
+  }
+
   int rpc_port = 1;
   bytes secret = 2;
+
+  repeated Account accounts = 3;
+  string default_account_id = 4;
 }
 ```
 
+...
+
+The returned tokens MUST have expiration duration longer than 150 sec. Clients
+of the protocol rely on this.
+
+...
+
+TODO(vadimsh): Finish this.
+
+
 ## `swarming`
 
 This section describes data passed down from the

diff --git a/client/tests/auth_server_test.py b/client/tests/auth_server_test.py
@@ -9,7 +9,6 @@
 import os
 import socket
 import sys
-import tempfile
 import time
 import unittest
 
@@ -91,7 +90,7 @@ def token_gen(scopes):
       del calls[:]
 
       # Reuses cached token until it is close to expiration.
-      self.mock_time(200)
+      self.mock_time(60)
       resp = call_rpc(['B', 'A', 'C'])
       self.assertEqual(
           {u'access_token': u'tok', u'expiry': self.epoch + 300}, resp)

diff --git a/client/utils/auth_server.py b/client/utils/auth_server.py
@@ -257,7 +257,9 @@ def constant_time_equals(a, b):
 
 def should_refresh(tok):
   """Returns True if the token must be refreshed because it expires soon."""
-  return time.time() > tok.expiry - 60
+  # LUCI_CONTEXT protocol requires that returned tokens are alive for at least
+  # 2.5 min. See LUCI_CONTEXT.md. Add 30 sec extra of leeway.
+  return time.time() > tok.expiry - 3*60
 
 
 class _HTTPServer(SocketServer.ThreadingMixIn, BaseHTTPServer.HTTPServer):