@@ -252,6 +252,101 @@ TEST_F(SerializeTest, FailVerifyATJWTTest) {
252252 scitoken_set_deserialize_profile (m_read_token.get (), SciTokenProfile::AT_JWT);
253253 rv = scitoken_deserialize_v2 (token_value, m_read_token.get (), nullptr , &err_msg);
254254 ASSERT_FALSE (rv == 0 );
255+ }
256+
257+ TEST_F (SerializeTest, EnforcerTest) {
258+ /*
259+ * Test that the enforcer works and returns an err_msg
260+ */
261+ char *err_msg = nullptr ;
262+
263+ auto rv = scitoken_set_claim_string (m_token.get (), " aud" ,
264+ " https://demo.scitokens.org/" , &err_msg);
265+ ASSERT_TRUE (rv == 0 );
266+
267+ std::vector<const char *> audiences_array;
268+ audiences_array.push_back (" https://demo.scitokens.org/" );
269+ audiences_array.push_back (nullptr );
270+
271+ auto enforcer = enforcer_create (" https://demo.scitokens.org/gtest" , &audiences_array[0 ], &err_msg);
272+ ASSERT_TRUE (enforcer != nullptr );
273+
274+ Acl acl;
275+ acl.authz = " read" ;
276+ acl.resource = " /stuff" ;
277+
278+ rv = scitoken_set_claim_string (m_token.get (), " scope" ,
279+ " read:/blah" , &err_msg);
280+ ASSERT_TRUE (rv == 0 );
281+
282+ rv = scitoken_set_claim_string (m_token.get (), " ver" ,
283+ " scitoken:2.0" , &err_msg);
284+ ASSERT_TRUE (rv == 0 );
285+
286+ char *token_value = nullptr ;
287+ rv = scitoken_serialize (m_token.get (), &token_value, &err_msg);
288+ ASSERT_TRUE (rv == 0 );
289+ std::unique_ptr<char , decltype (&free)> token_value_ptr (token_value, free);
290+
291+ rv = scitoken_deserialize_v2 (token_value, m_read_token.get (), nullptr , &err_msg);
292+ ASSERT_TRUE (rv == 0 );
293+
294+ rv = enforcer_test (enforcer, m_read_token.get (), &acl, &err_msg);
295+ ASSERT_STREQ (err_msg, " token verification failed: 'scope' claim verification failed." );
296+ ASSERT_TRUE (rv == -1 ) << err_msg;
297+
298+ }
299+
300+ TEST_F (SerializeTest, EnforcerScopeTest) {
301+ char *err_msg = nullptr ;
302+
303+ auto rv = scitoken_set_claim_string (m_token.get (), " aud" ,
304+ " https://demo.scitokens.org/" , &err_msg);
305+ ASSERT_TRUE (rv == 0 );
306+
307+ std::vector<const char *> audiences_array;
308+ audiences_array.push_back (" https://demo.scitokens.org/" );
309+ audiences_array.push_back (nullptr );
310+
311+ auto enforcer = enforcer_create (" https://demo.scitokens.org/gtest" , &audiences_array[0 ], &err_msg);
312+ ASSERT_TRUE (enforcer != nullptr );
313+
314+ scitoken_set_serialize_profile (m_token.get (), SciTokenProfile::WLCG_1_0);
315+
316+ rv = scitoken_set_claim_string (m_token.get (), " scope" ,
317+ " storage.modify:/ storage.read:/ openid offline_access" , &err_msg);
318+ ASSERT_TRUE (rv == 0 );
319+
320+ char *token_value = nullptr ;
321+ rv = scitoken_serialize (m_token.get (), &token_value, &err_msg);
322+ ASSERT_TRUE (rv == 0 );
323+
324+ rv = scitoken_deserialize_v2 (token_value, m_read_token.get (), nullptr , &err_msg);
325+ ASSERT_TRUE (rv == 0 );
326+
327+ Acl *acls;
328+ enforcer_generate_acls (enforcer, m_read_token.get (), &acls, &err_msg);
329+ ASSERT_TRUE (acls != nullptr );
330+ int idx = 0 ;
331+ bool found_read = false ;
332+ bool found_write = false ;
333+ while (acls[idx].resource && acls[idx++].authz ) {
334+ auto resource = acls[idx-1 ].resource ;
335+ auto authz = acls[idx-1 ].authz ;
336+ if (strcmp (authz, " read" ) == 0 ) {
337+ found_read = true ;
338+ ASSERT_STREQ (resource, " /" );
339+ } else if (strcmp (authz, " write" ) == 0 ) {
340+ found_write = true ;
341+ ASSERT_STREQ (resource, " /" );
342+ }
343+ }
344+ ASSERT_TRUE (found_read);
345+ ASSERT_TRUE (found_write);
346+
347+
348+
349+
255350}
256351
257352}
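Review bot: In EnforcerScopeTest the return value of `enforcer_generate_acls` is ignored and `acls` is declared uninitialized, so if ACL generation fails the following `ASSERT_TRUE(acls != nullptr)` and the while loop dereference an indeterminate pointer instead of failing cleanly; change those lines to `Acl *acls = nullptr;`, `rv = enforcer_generate_acls(enforcer, m_read_token.get(), &acls, &err_msg);`, `ASSERT_TRUE(rv == 0) << err_msg;`. In the same test `token_value` lacks the `std::unique_ptr<char, decltype(&free)>` guard that EnforcerTest applies, and neither new test releases the `Enforcer` from `enforcer_create` or the `acls` array (`enforcer_destroy` / `enforcer_acl_free` from the same C API), so every run and every early ASSERT exit leaks. The `rv == -1` check in EnforcerTest is the security-relevant assertion (a `scitoken:2.0` token scoped to `read:/blah` must not satisfy an ACL for `/stuff`), so asserting it before the `ASSERT_STREQ` on `err_msg` would report an accepted token as the real failure rather than as a null-string mismatch.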