mirror of
https://github.com/Luzifer/nginx-sso.git
synced 2024-12-21 05:11:17 +00:00
217 lines
10 KiB
Go
217 lines
10 KiB
Go
/*-
|
|
* Copyright 2016 Zbigniew Mandziejewicz
|
|
* Copyright 2016 Square, Inc.
|
|
*
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
* you may not use this file except in compliance with the License.
|
|
* You may obtain a copy of the License at
|
|
*
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
*
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
* See the License for the specific language governing permissions and
|
|
* limitations under the License.
|
|
*/
|
|
|
|
package jwt
|
|
|
|
import (
|
|
"strings"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
jose "gopkg.in/square/go-jose.v2"
|
|
)
|
|
|
|
var (
|
|
hmacSignedToken = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdWJqZWN0IiwiaXNzIjoiaXNzdWVyIiwic2NvcGVzIjpbInMxIiwiczIiXX0.Y6_PfQHrzRJ_Vlxij5VI07-pgDIuJNN3Z_g5sSaGQ0c`
|
|
rsaSignedToken = `eyJhbGciOiJSUzI1NiJ9.eyJpc3MiOiJpc3N1ZXIiLCJzY29wZXMiOlsiczEiLCJzMiJdLCJzdWIiOiJzdWJqZWN0In0.UDDtyK9gC9kyHltcP7E_XODsnqcJWZIiXeGmSAH7SE9YKy3N0KSfFIN85dCNjTfs6zvy4rkrCHzLB7uKAtzMearh3q7jL4nxbhUMhlUcs_9QDVoN4q_j58XmRqBqRnBk-RmDu9TgcV8RbErP4awpIhwWb5UU-hR__4_iNbHdKqwSUPDKYGlf5eicuiYrPxH8mxivk4LRD-vyRdBZZKBt0XIDnEU4TdcNCzAXojkftqcFWYsczwS8R4JHd1qYsMyiaWl4trdHZkO4QkeLe34z4ZAaPMt3wE-gcU-VoqYTGxz-K3Le2VaZ0r3j_z6bOInsv0yngC_cD1dCXMyQJWnWjQ`
|
|
rsaSignedTokenWithKid = `eyJhbGciOiJSUzI1NiIsImtpZCI6ImZvb2JhciJ9.eyJpc3MiOiJpc3N1ZXIiLCJzY29wZXMiOlsiczEiLCJzMiJdLCJzdWIiOiJzdWJqZWN0In0.RxZhTRfPDb6UJ58FwvC89GgJGC8lAO04tz5iLlBpIJsyPZB0X_UgXSj0SGVFm2jbP_i-ZVH4HFC2fMB1n-so9CnCOpunWwhYNdgF6ewQJ0ADTWwfDGsK12UOmyT2naaZN8ZUBF8cgPtOgdWqQjk2Ng9QFRJxlUuKYczBp7vjWvgX8WMwQcaA-eK7HtguR4e9c4FMbeFK8Soc4jCsVTjIKdSn9SErc42gFu65NI1hZ3OPe_T7AZqdDjCkJpoiJ65GdD_qvGkVndJSEcMp3riXQpAy0JbctVkYecdFaGidbxHRrdcQYHtKn-XGMCh2uoBKleUr1fTMiyCGPQQesy3xHw`
|
|
invalidPayloadSignedToken = `eyJhbGciOiJIUzI1NiJ9.aW52YWxpZC1wYXlsb2Fk.ScBKKm18jcaMLGYDNRUqB5gVMRZl4DM6dh3ShcxeNgY`
|
|
invalidPartsSignedToken = `eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiJzdWJqZWN0IiwiaXNzIjoiaXNzdWVyIiwic2NvcGVzIjpbInMxIiwiczIiXX0`
|
|
hmacEncryptedToken = `eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..NZrU98U4QNO0y-u6.HSq5CvlmkUT1BPqLGZ4.1-zuiZ4RbHrTTUoA8Dvfhg`
|
|
rsaEncryptedToken = `eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.IvkVHHiI8JwwavvTR80xGjYvkzubMrZ-TDDx8k8SNJMEylfFfNUc7F2rC3WAABF_xmJ3SW2A6on-S6EAG97k0RsjqHHNqZuaFpDvjeuLqZFfYKzI45aCtkGG4C2ij2GbeySqJ784CcvFJPUWJ-6VPN2Ho2nhefUSqig0jE2IvOKy1ywTj_VBVBxF_dyXFnXwxPKGUQr3apxrWeRJfDh2Cf8YPBlLiRznjfBfwgePB1jP7WCZNwItj10L7hsT_YWEx01XJcbxHaXFLwKyVzwWaDhreFyaWMRbGqEfqVuOT34zfmhLDhQlgLLwkXrvYqX90NsQ9Ftg0LLIfRMbsfdgug.BFy2Tj1RZN8yq2Lk-kMiZQ.9Z0eOyPiv5cEzmXh64RlAQ36Uvz0WpZgqRcc2_69zHTmUOv0Vnl1I6ks8sTraUEvukAilolNBjBj47s0b4b-Og.VM8-eJg5ZsqnTqs0LtGX_Q`
|
|
invalidPayloadEncryptedToken = `eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..T4jCS4Yyw1GCH0aW.y4gFaMITdBs_QZM8RKrL.6MPyk1cMVaOJFoNGlEuaRQ`
|
|
invalidPartsEncryptedToken = `eyJhbGciOiJkaXIiLCJlbmMiOiJBMTI4R0NNIn0..NZrU98U4QNO0y-u6.HSq5CvlmkUT1BPqLGZ4`
|
|
signedAndEncryptedToken = `eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2IiwiY3R5IjoiSldUIn0.icnR7M1HSgMDaUnJhfzT5nLmT0eRPeNsKPkioNcyq9TZsm-LgbE7wZkNFGfQqYwvbmrZ3UpOhNkrq4n2KN3N1dtjH9TVxzfMxz2OMh0dRWUNMi58EMadhmIpH3PLyyaeDyd0dyHpOIRPFTAoOdn2GoO_flV5CvPMhgdVKYB3h3vQW-ZZDu4cOZwXAjTuThdoUZCNWFhJhXyj-PrKLyVpX6rE1o4X05IS8008SLZyx-PZlsUPyLs6CJi7Z4PzZRzOJTV00a-7UOi-fBKBZV5V8eRpWuzJ673pMALlRCBzrRin-JeEA_QnAejtMAHG7RSGP60easQN4I-0jLTQNNNynw.oFrO-5ZgRrnWmbkPsbyMiQ.BVaWUzlrdfhe0otPJpb3DGoDCT6-BOmN_Pgq5NOqVFYIAwG5pM4pf7TaiPUJeQLf0phbLgpT4RfJ20Zhwfc2MH5unCqc8TZEP2dOrYRhb8o-X57x6IQppIDbjK2i_CAWf3yF5JUB7qRqOizpKZTh3HFTVEglY3WF8tAJ8KpnatTUmwcnqlyjdBFvYu4usiyvc_u9wNbXx5-lFt0slQYleHQMUirBprKyswIBjMoFJEe7kDvU_MCKI4NI9_fSfWJpaUdNxQEvRYR1PV4ZQdwBY0X9u2n2QH5iVQMrmgmQ5hPbWxwRv1-7jXBMPBpGeFQZHeEtSwif1_Umwyt8cDyRChb3OM7XQ3eY0UJRrbmvhcLWIcMp8FpblDaBinbjD6qIVXZVmaAdIbi2a_HblfoeL3-UABb82AAxOqQcAFjDEDTR2TFalDXSwgPZrAaQ_Mql3eFe9r2y0UVkgG7XYF4ik8sSK48CkZPUvkZFr-K9QMq-RZLzT3Zw0edxNaKgje27S26H9qClh6CCr9nk38AZZ76_Xz7f-Fil5xI0Dq95UzvwW__U3JJWE6OVUVx_RVJgdOJn8_B7hluckwBLUblscA.83pPXNnH0sKgHvFboiJVDA`
|
|
invalidSignedAndEncryptedToken = `eyJhbGciOiJSU0ExXzUiLCJlbmMiOiJBMTI4Q0JDLUhTMjU2In0.QKYu3DkFEXBUa2U0Sgtm-e44BMuaFVbMu2T-GB3qEGONrmOuaB5BtNCvBUnuj6HR0v6u-tvawToRSzExQQLFTvPcLiQR8iclWirqAFUqLrg8kRU3qIRLkmErYeGIfCML1jq9ofKg0DI5-YrU5RSyUg9cwfXKEx8KNwFcjeVeDZwWEACdU8xBnQp57rNfr0Tj-dPnGKID7LU5ZV0vhK90FpEG7UqOeSHFmvONQyz6Ca-ZkE8X2swqGad-q5xl8f9pApdFqHzADox5OlgtxPkr-Khkm6WGfvf1K_e-iW5LYtvWIAjNByft2TexsNcYpdAO2oNAgh2nkhoohl-zCWU-og.UAU65JWKqvHZ_Z0V-xLyjQ.M6sQ4lAzKFelSmL6C6uoK00rB8IFCAK-eJ0iByGhtg8eYtmSBFsP_oUySfKPtxcPRkQ7YxnEX5D-DOo20wCV7il2Be9No__0R6_5heISOMXcKmKP3D6pFusaPisNGOgLw8SKXBuVpe20PvOJ9RgOXRKucSR2UMINXtqIn9RdxbKOlBBmMJhnX4TeQ00fRILng2sMbUHsWExSthQODHGx6VcwLFp-Aqmsnv2q2KkLpA8sEm48AHHFQXSGtlVGVgWKi3dOQYUnDJW4P64Xxr1Uq3yT7w_dRwK4BA7l3Biecj5dwkKrFMJ_RaCt-ED_R15zpxg6PmnXeeJnif58Fai40ZWOsGvLZNYwL1jbi-TrsargpdUQedfzuTk8Na2NkCzFNg2BYXVDHJ_WAX1daVyhvunaURwAlBatAcmnOGxWebwV1xQoQ7iHg6ZGohCannn_pqGwJlMHMgnCcnCIhwfj9uL9Ejz_TVceZNMlT1KvLRafVfxGhkp48bdnd8OcXmjT9pQzZUB3OqrstWKhbItZ1xMpy6dZ54ldWvtTTyQ4tQJaVWgXERUM1erDT6Ypyl15-fumOB9MRcgMG3NDblKowA.P9WTBITvVUgrLjX6bS0opQ`
|
|
)
|
|
|
|
type customClaims struct {
|
|
Scopes []string `json:"scopes,omitempty"`
|
|
}
|
|
|
|
func TestGetClaimsWithoutVerification(t *testing.T) {
|
|
tok, err := ParseSigned(hmacSignedToken)
|
|
if assert.NoError(t, err, "Error parsing signed token.") {
|
|
c := &Claims{}
|
|
c2 := &customClaims{}
|
|
|
|
err := tok.UnsafeClaimsWithoutVerification(c, c2)
|
|
if err != nil {
|
|
t.Errorf("Error not expected: %s", err)
|
|
}
|
|
assert.Equal(t, "subject", c.Subject)
|
|
assert.Equal(t, "issuer", c.Issuer)
|
|
assert.Equal(t, []string{"s1", "s2"}, c2.Scopes)
|
|
|
|
}
|
|
tok, err = ParseEncrypted(hmacEncryptedToken)
|
|
if assert.NoError(t, err, "Error parsing encrypted token.") {
|
|
c := Claims{}
|
|
err := tok.UnsafeClaimsWithoutVerification(c)
|
|
if err == nil {
|
|
t.Errorf("Error expected")
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestDecodeTokenWithJWKS(t *testing.T) {
|
|
jwks := &jose.JSONWebKeySet{
|
|
Keys: []jose.JSONWebKey{
|
|
{
|
|
KeyID: "foobar",
|
|
Key: &testPrivRSAKey1.PublicKey,
|
|
},
|
|
},
|
|
}
|
|
|
|
tok, err := ParseSigned(rsaSignedTokenWithKid)
|
|
if assert.NoError(t, err, "Error parsing signed token.") {
|
|
cl := make(map[string]interface{})
|
|
if assert.NoError(t, tok.Claims(jwks, &cl)) {
|
|
assert.Equal(t, map[string]interface{}{
|
|
"sub": "subject",
|
|
"iss": "issuer",
|
|
"scopes": []interface{}{"s1", "s2"},
|
|
}, cl)
|
|
}
|
|
}
|
|
}
|
|
|
|
func TestDecodeToken(t *testing.T) {
|
|
tok, err := ParseSigned(hmacSignedToken)
|
|
if assert.NoError(t, err, "Error parsing signed token.") {
|
|
c := &Claims{}
|
|
c2 := &customClaims{}
|
|
if assert.NoError(t, tok.Claims(sharedKey, c, c2)) {
|
|
assert.Equal(t, "subject", c.Subject)
|
|
assert.Equal(t, "issuer", c.Issuer)
|
|
assert.Equal(t, []string{"s1", "s2"}, c2.Scopes)
|
|
}
|
|
}
|
|
assert.EqualError(t, tok.Claims([]byte("invalid-secret")), "square/go-jose: error in cryptographic primitive")
|
|
|
|
tok2, err := ParseSigned(rsaSignedToken)
|
|
if assert.NoError(t, err, "Error parsing encrypted token.") {
|
|
c := make(map[string]interface{})
|
|
if assert.NoError(t, tok2.Claims(&testPrivRSAKey1.PublicKey, &c)) {
|
|
assert.Equal(t, map[string]interface{}{
|
|
"sub": "subject",
|
|
"iss": "issuer",
|
|
"scopes": []interface{}{"s1", "s2"},
|
|
}, c)
|
|
}
|
|
}
|
|
assert.EqualError(t, tok.Claims(&testPrivRSAKey2.PublicKey), "square/go-jose: error in cryptographic primitive")
|
|
|
|
tok3, err := ParseSigned(invalidPayloadSignedToken)
|
|
if assert.NoError(t, err, "Error parsing signed token.") {
|
|
assert.Error(t, tok3.Claims(sharedKey, &Claims{}), "Expected unmarshaling claims to fail.")
|
|
}
|
|
|
|
_, err = ParseSigned(invalidPartsSignedToken)
|
|
assert.EqualError(t, err, "square/go-jose: compact JWS format must have three parts")
|
|
|
|
tok4, err := ParseEncrypted(hmacEncryptedToken)
|
|
if assert.NoError(t, err, "Error parsing encrypted token.") {
|
|
c := Claims{}
|
|
if assert.NoError(t, tok4.Claims(sharedEncryptionKey, &c)) {
|
|
assert.Equal(t, "foo", c.Subject)
|
|
}
|
|
}
|
|
assert.EqualError(t, tok4.Claims([]byte("invalid-secret-key")), "square/go-jose: error in cryptographic primitive")
|
|
|
|
tok5, err := ParseEncrypted(rsaEncryptedToken)
|
|
if assert.NoError(t, err, "Error parsing encrypted token.") {
|
|
c := make(map[string]interface{})
|
|
if assert.NoError(t, tok5.Claims(testPrivRSAKey1, &c)) {
|
|
assert.Equal(t, map[string]interface{}{
|
|
"sub": "subject",
|
|
"iss": "issuer",
|
|
"scopes": []interface{}{"s1", "s2"},
|
|
}, c)
|
|
}
|
|
}
|
|
assert.EqualError(t, tok5.Claims(testPrivRSAKey2), "square/go-jose: error in cryptographic primitive")
|
|
|
|
tok6, err := ParseEncrypted(invalidPayloadEncryptedToken)
|
|
if assert.NoError(t, err, "Error parsing encrypted token.") {
|
|
assert.Error(t, tok6.Claims(sharedEncryptionKey, &Claims{}))
|
|
}
|
|
|
|
_, err = ParseEncrypted(invalidPartsEncryptedToken)
|
|
assert.EqualError(t, err, "square/go-jose: compact JWE format must have five parts")
|
|
|
|
tok7, err := ParseSignedAndEncrypted(signedAndEncryptedToken)
|
|
if assert.NoError(t, err, "Error parsing signed-then-encrypted token.") {
|
|
c := make(map[string]interface{})
|
|
if nested, err := tok7.Decrypt(testPrivRSAKey1); assert.NoError(t, err) {
|
|
assert.NoError(t, nested.Claims(testPrivRSAKey1.Public(), &c))
|
|
assert.Equal(t, map[string]interface{}{
|
|
"sub": "subject",
|
|
"iss": "issuer",
|
|
"scopes": []interface{}{"s1", "s2"},
|
|
}, c)
|
|
assert.EqualError(t, nested.Claims(testPrivRSAKey2.Public()), "square/go-jose: error in cryptographic primitive")
|
|
}
|
|
}
|
|
_, err = tok7.Decrypt(testPrivRSAKey2)
|
|
assert.EqualError(t, err, "square/go-jose: error in cryptographic primitive")
|
|
|
|
_, err = ParseSignedAndEncrypted(invalidSignedAndEncryptedToken)
|
|
assert.EqualError(t, err, "square/go-jose/jwt: expected content type to be JWT (cty header)")
|
|
}
|
|
|
|
func TestTamperedJWT(t *testing.T) {
|
|
key := []byte("1234567890123456")
|
|
|
|
sig, _ := jose.NewEncrypter(
|
|
jose.A128GCM,
|
|
jose.Recipient{Algorithm: jose.DIRECT, Key: key},
|
|
(&jose.EncrypterOptions{}).WithType("JWT"))
|
|
|
|
cl := Claims{
|
|
Subject: "foo",
|
|
Issuer: "bar",
|
|
}
|
|
|
|
raw, _ := Encrypted(sig).Claims(cl).CompactSerialize()
|
|
|
|
// Modify with valid base64 junk
|
|
r := strings.Split(raw, ".")
|
|
r[2] = "b3RoZXJ0aGluZw"
|
|
raw = strings.Join(r, ".")
|
|
|
|
tok, _ := ParseEncrypted(raw)
|
|
|
|
cl = Claims{}
|
|
err := tok.Claims(key, &cl)
|
|
if err == nil {
|
|
t.Error("Claims() on invalid token should fail")
|
|
}
|
|
}
|
|
|
|
func BenchmarkDecodeSignedToken(b *testing.B) {
|
|
for i := 0; i < b.N; i++ {
|
|
ParseSigned(hmacSignedToken)
|
|
}
|
|
}
|
|
|
|
func BenchmarkDecodeEncryptedHMACToken(b *testing.B) {
|
|
for i := 0; i < b.N; i++ {
|
|
ParseEncrypted(hmacEncryptedToken)
|
|
}
|
|
}
|