-
Notifications
You must be signed in to change notification settings - Fork 18
/
oidc_gateway_test.go
125 lines (97 loc) · 3.05 KB
/
oidc_gateway_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
package main
import (
"crypto/rand"
"crypto/rsa"
"encoding/base64"
"encoding/json"
"testing"
"time"
"github.com/golang-jwt/jwt/v4"
)
func TestGetKeyForTokenMaker(t *testing.T) {
// Create a JWKS for verifying tokens
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
panic(err)
}
pubKey := privateKey.Public().(*rsa.PublicKey)
jwk := JWK{Kty: "RSA", Kid: "testKey", Alg: "RS256", Use: "sig"}
jwk.N = base64.RawURLEncoding.EncodeToString(pubKey.N.Bytes())
jwk.E = "AQAB"
jwks := JWKS{Keys: []JWK{jwk}}
jwksBytes, _ := json.Marshal(jwks)
getKeyFunc := getKeyFromJwks(jwksBytes)
// Test token referencing known key
tokenClaims := jwt.MapClaims{"for": "testing"}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, tokenClaims)
token.Header["kid"] = "testKey"
key, err := getKeyFunc(token)
if err != nil {
t.Error(err)
}
if key.(*rsa.PublicKey).N.Cmp(pubKey.N) != 0 {
t.Error("public key does not match")
}
// Test token referencing unknown key
token.Header["kid"] = "unknownKey"
key, err = getKeyFunc(token)
if err == nil {
t.Error("Should fail when passed unknown key")
}
// Test token fails with any other signing key than RSA
tokenHmac := jwt.NewWithClaims(jwt.SigningMethodHS256, tokenClaims)
key, err = getKeyFunc(tokenHmac)
if err == nil {
t.Error("Should fail any signing algorithm other than RSA")
}
}
func TestValidateTokenCameFromGitHub(t *testing.T) {
// Create a JWKS for verifying tokens
privateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
panic(err)
}
pubKey := privateKey.Public().(*rsa.PublicKey)
jwk := JWK{Kty: "RSA", Kid: "testKey", Alg: "RS256", Use: "sig"}
jwk.N = base64.RawURLEncoding.EncodeToString(pubKey.N.Bytes())
jwk.E = "AQAB"
jwks := JWKS{Keys: []JWK{jwk}}
jwksBytes, _ := json.Marshal(jwks)
gatewayContext := &GatewayContext{jwksCache: jwksBytes, jwksLastUpdate: time.Now()}
// Test token signed in the expected way
tokenClaims := jwt.MapClaims{"for": "testing"}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, tokenClaims)
token.Header["kid"] = "testKey"
signedToken, err := token.SignedString(privateKey)
if err != nil {
panic(err)
}
claims, err := validateTokenCameFromGitHub(signedToken, gatewayContext)
if err != nil {
t.Error(err)
}
if claims["for"] != "testing" {
t.Error("Unable to find claims")
}
// Test signing with a unknown key is not allowed
otherPrivateKey, err := rsa.GenerateKey(rand.Reader, 2048)
if err != nil {
panic(err)
}
signedToken, err = token.SignedString(otherPrivateKey)
if err != nil {
panic(err)
}
claims, err = validateTokenCameFromGitHub(signedToken, gatewayContext)
if err == nil {
t.Error("Should not validate token signed with other key")
}
// Test unsigned token is not allowed
unsigendToken := jwt.NewWithClaims(jwt.SigningMethodNone, tokenClaims)
unsigendToken.Header["kid"] = "testKey"
noneToken, err := token.SignedString("none signing method allowed")
claims, err = validateTokenCameFromGitHub(noneToken, gatewayContext)
if err == nil {
t.Error("Should not validate unsigned token")
}
}