mirror of https://github.com/golang-jwt/jwt.git
Adjusted `parser_test.go` to include RSA and ECDSA tokens (#106)
This commit is contained in:
parent
02bc1ac506
commit
fd8cd69d8e
123
parser_test.go
123
parser_test.go
|
@ -1,6 +1,7 @@
|
||||||
package jwt_test
|
package jwt_test
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto"
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
"encoding/json"
|
"encoding/json"
|
||||||
"fmt"
|
"fmt"
|
||||||
|
@ -15,25 +16,36 @@ import (
|
||||||
var errKeyFuncError error = fmt.Errorf("error loading key")
|
var errKeyFuncError error = fmt.Errorf("error loading key")
|
||||||
|
|
||||||
var (
|
var (
|
||||||
jwtTestDefaultKey *rsa.PublicKey
|
jwtTestDefaultKey *rsa.PublicKey
|
||||||
defaultKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestDefaultKey, nil }
|
jwtTestRSAPrivateKey *rsa.PrivateKey
|
||||||
emptyKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, nil }
|
jwtTestEC256PublicKey crypto.PublicKey
|
||||||
errorKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, errKeyFuncError }
|
jwtTestEC256PrivateKey crypto.PrivateKey
|
||||||
nilKeyFunc jwt.Keyfunc = nil
|
defaultKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestDefaultKey, nil }
|
||||||
|
ecdsaKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestEC256PublicKey, nil }
|
||||||
|
emptyKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, nil }
|
||||||
|
errorKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, errKeyFuncError }
|
||||||
|
nilKeyFunc jwt.Keyfunc = nil
|
||||||
)
|
)
|
||||||
|
|
||||||
func init() {
|
func init() {
|
||||||
|
// Load public keys
|
||||||
jwtTestDefaultKey = test.LoadRSAPublicKeyFromDisk("test/sample_key.pub")
|
jwtTestDefaultKey = test.LoadRSAPublicKeyFromDisk("test/sample_key.pub")
|
||||||
|
jwtTestEC256PublicKey = test.LoadECPublicKeyFromDisk("test/ec256-public.pem")
|
||||||
|
|
||||||
|
// Load private keys
|
||||||
|
jwtTestRSAPrivateKey = test.LoadRSAPrivateKeyFromDisk("test/sample_key")
|
||||||
|
jwtTestEC256PrivateKey = test.LoadECPrivateKeyFromDisk("test/ec256-private.pem")
|
||||||
}
|
}
|
||||||
|
|
||||||
var jwtTestData = []struct {
|
var jwtTestData = []struct {
|
||||||
name string
|
name string
|
||||||
tokenString string
|
tokenString string
|
||||||
keyfunc jwt.Keyfunc
|
keyfunc jwt.Keyfunc
|
||||||
claims jwt.Claims
|
claims jwt.Claims
|
||||||
valid bool
|
valid bool
|
||||||
errors uint32
|
errors uint32
|
||||||
parser *jwt.Parser
|
parser *jwt.Parser
|
||||||
|
signingMethod jwt.SigningMethod // The method to sign the JWT token for test purpose
|
||||||
}{
|
}{
|
||||||
{
|
{
|
||||||
"basic",
|
"basic",
|
||||||
|
@ -43,6 +55,7 @@ var jwtTestData = []struct {
|
||||||
true,
|
true,
|
||||||
0,
|
0,
|
||||||
nil,
|
nil,
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"basic expired",
|
"basic expired",
|
||||||
|
@ -52,6 +65,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorExpired,
|
jwt.ValidationErrorExpired,
|
||||||
nil,
|
nil,
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"basic nbf",
|
"basic nbf",
|
||||||
|
@ -61,6 +75,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorNotValidYet,
|
jwt.ValidationErrorNotValidYet,
|
||||||
nil,
|
nil,
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"expired and nbf",
|
"expired and nbf",
|
||||||
|
@ -70,6 +85,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
|
jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
|
||||||
nil,
|
nil,
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"basic invalid",
|
"basic invalid",
|
||||||
|
@ -79,6 +95,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorSignatureInvalid,
|
jwt.ValidationErrorSignatureInvalid,
|
||||||
nil,
|
nil,
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"basic nokeyfunc",
|
"basic nokeyfunc",
|
||||||
|
@ -88,6 +105,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorUnverifiable,
|
jwt.ValidationErrorUnverifiable,
|
||||||
nil,
|
nil,
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"basic nokey",
|
"basic nokey",
|
||||||
|
@ -97,6 +115,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorSignatureInvalid,
|
jwt.ValidationErrorSignatureInvalid,
|
||||||
nil,
|
nil,
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"basic errorkey",
|
"basic errorkey",
|
||||||
|
@ -106,6 +125,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorUnverifiable,
|
jwt.ValidationErrorUnverifiable,
|
||||||
nil,
|
nil,
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"invalid signing method",
|
"invalid signing method",
|
||||||
|
@ -115,15 +135,37 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorSignatureInvalid,
|
jwt.ValidationErrorSignatureInvalid,
|
||||||
&jwt.Parser{ValidMethods: []string{"HS256"}},
|
&jwt.Parser{ValidMethods: []string{"HS256"}},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"valid signing method",
|
"valid RSA signing method",
|
||||||
"",
|
"",
|
||||||
defaultKeyFunc,
|
defaultKeyFunc,
|
||||||
jwt.MapClaims{"foo": "bar"},
|
jwt.MapClaims{"foo": "bar"},
|
||||||
true,
|
true,
|
||||||
0,
|
0,
|
||||||
&jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
|
&jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"ECDSA signing method not accepted",
|
||||||
|
"",
|
||||||
|
ecdsaKeyFunc,
|
||||||
|
jwt.MapClaims{"foo": "bar"},
|
||||||
|
false,
|
||||||
|
jwt.ValidationErrorSignatureInvalid,
|
||||||
|
&jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
|
||||||
|
jwt.SigningMethodES256,
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"valid ECDSA signing method",
|
||||||
|
"",
|
||||||
|
ecdsaKeyFunc,
|
||||||
|
jwt.MapClaims{"foo": "bar"},
|
||||||
|
true,
|
||||||
|
0,
|
||||||
|
&jwt.Parser{ValidMethods: []string{"HS256", "ES256"}},
|
||||||
|
jwt.SigningMethodES256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"JSON Number",
|
"JSON Number",
|
||||||
|
@ -133,6 +175,7 @@ var jwtTestData = []struct {
|
||||||
true,
|
true,
|
||||||
0,
|
0,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"Standard Claims",
|
"Standard Claims",
|
||||||
|
@ -144,6 +187,7 @@ var jwtTestData = []struct {
|
||||||
true,
|
true,
|
||||||
0,
|
0,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"JSON Number - basic expired",
|
"JSON Number - basic expired",
|
||||||
|
@ -153,6 +197,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorExpired,
|
jwt.ValidationErrorExpired,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"JSON Number - basic nbf",
|
"JSON Number - basic nbf",
|
||||||
|
@ -162,6 +207,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorNotValidYet,
|
jwt.ValidationErrorNotValidYet,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"JSON Number - expired and nbf",
|
"JSON Number - expired and nbf",
|
||||||
|
@ -171,6 +217,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
|
jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"SkipClaimsValidation during token parsing",
|
"SkipClaimsValidation during token parsing",
|
||||||
|
@ -180,6 +227,7 @@ var jwtTestData = []struct {
|
||||||
true,
|
true,
|
||||||
0,
|
0,
|
||||||
&jwt.Parser{UseJSONNumber: true, SkipClaimsValidation: true},
|
&jwt.Parser{UseJSONNumber: true, SkipClaimsValidation: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"RFC7519 Claims",
|
"RFC7519 Claims",
|
||||||
|
@ -191,6 +239,7 @@ var jwtTestData = []struct {
|
||||||
true,
|
true,
|
||||||
0,
|
0,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"RFC7519 Claims - single aud",
|
"RFC7519 Claims - single aud",
|
||||||
|
@ -202,6 +251,7 @@ var jwtTestData = []struct {
|
||||||
true,
|
true,
|
||||||
0,
|
0,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"RFC7519 Claims - multiple aud",
|
"RFC7519 Claims - multiple aud",
|
||||||
|
@ -213,6 +263,7 @@ var jwtTestData = []struct {
|
||||||
true,
|
true,
|
||||||
0,
|
0,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"RFC7519 Claims - single aud with wrong type",
|
"RFC7519 Claims - single aud with wrong type",
|
||||||
|
@ -224,6 +275,7 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorMalformed,
|
jwt.ValidationErrorMalformed,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
"RFC7519 Claims - multiple aud with wrong types",
|
"RFC7519 Claims - multiple aud with wrong types",
|
||||||
|
@ -235,18 +287,33 @@ var jwtTestData = []struct {
|
||||||
false,
|
false,
|
||||||
jwt.ValidationErrorMalformed,
|
jwt.ValidationErrorMalformed,
|
||||||
&jwt.Parser{UseJSONNumber: true},
|
&jwt.Parser{UseJSONNumber: true},
|
||||||
|
jwt.SigningMethodRS256,
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// signToken creates and returns a signed JWT token using signingMethod.
|
||||||
|
func signToken(claims jwt.Claims, signingMethod jwt.SigningMethod) string {
|
||||||
|
var privateKey interface{}
|
||||||
|
switch signingMethod {
|
||||||
|
case jwt.SigningMethodRS256:
|
||||||
|
privateKey = jwtTestRSAPrivateKey
|
||||||
|
case jwt.SigningMethodES256:
|
||||||
|
privateKey = jwtTestEC256PrivateKey
|
||||||
|
default:
|
||||||
|
return ""
|
||||||
|
}
|
||||||
|
return test.MakeSampleToken(claims, signingMethod, privateKey)
|
||||||
|
}
|
||||||
|
|
||||||
func TestParser_Parse(t *testing.T) {
|
func TestParser_Parse(t *testing.T) {
|
||||||
privateKey := test.LoadRSAPrivateKeyFromDisk("test/sample_key")
|
|
||||||
|
|
||||||
// Iterate over test data set and run tests
|
// Iterate over test data set and run tests
|
||||||
for _, data := range jwtTestData {
|
for _, data := range jwtTestData {
|
||||||
t.Run(data.name, func(t *testing.T) {
|
t.Run(data.name, func(t *testing.T) {
|
||||||
|
|
||||||
// If the token string is blank, use helper function to generate string
|
// If the token string is blank, use helper function to generate string
|
||||||
if data.tokenString == "" {
|
if data.tokenString == "" {
|
||||||
data.tokenString = test.MakeSampleToken(data.claims, privateKey)
|
data.tokenString = signToken(data.claims, data.signingMethod)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse the token
|
// Parse the token
|
||||||
|
@ -285,7 +352,7 @@ func TestParser_Parse(t *testing.T) {
|
||||||
|
|
||||||
if data.errors != 0 {
|
if data.errors != 0 {
|
||||||
if err == nil {
|
if err == nil {
|
||||||
t.Errorf("[%v] Expecting error. Didn't get one.", data.name)
|
t.Errorf("[%v] Expecting error. Didn't get one.", data.name)
|
||||||
} else {
|
} else {
|
||||||
|
|
||||||
ve := err.(*jwt.ValidationError)
|
ve := err.(*jwt.ValidationError)
|
||||||
|
@ -299,15 +366,20 @@ func TestParser_Parse(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
if data.valid && token.Signature == "" {
|
if data.valid {
|
||||||
t.Errorf("[%v] Signature is left unpopulated after parsing", data.name)
|
if token.Signature == "" {
|
||||||
|
t.Errorf("[%v] Signature is left unpopulated after parsing", data.name)
|
||||||
|
}
|
||||||
|
if !token.Valid {
|
||||||
|
// The 'Valid' field should be set to true when invoking Parse()
|
||||||
|
t.Errorf("[%v] Token.Valid field mismatch. Expecting true, got %v", data.name, token.Valid)
|
||||||
|
}
|
||||||
}
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func TestParser_ParseUnverified(t *testing.T) {
|
func TestParser_ParseUnverified(t *testing.T) {
|
||||||
privateKey := test.LoadRSAPrivateKeyFromDisk("test/sample_key")
|
|
||||||
|
|
||||||
// Iterate over test data set and run tests
|
// Iterate over test data set and run tests
|
||||||
for _, data := range jwtTestData {
|
for _, data := range jwtTestData {
|
||||||
|
@ -319,7 +391,7 @@ func TestParser_ParseUnverified(t *testing.T) {
|
||||||
t.Run(data.name, func(t *testing.T) {
|
t.Run(data.name, func(t *testing.T) {
|
||||||
// If the token string is blank, use helper function to generate string
|
// If the token string is blank, use helper function to generate string
|
||||||
if data.tokenString == "" {
|
if data.tokenString == "" {
|
||||||
data.tokenString = test.MakeSampleToken(data.claims, privateKey)
|
data.tokenString = signToken(data.claims, data.signingMethod)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse the token
|
// Parse the token
|
||||||
|
@ -351,18 +423,25 @@ func TestParser_ParseUnverified(t *testing.T) {
|
||||||
if data.valid && err != nil {
|
if data.valid && err != nil {
|
||||||
t.Errorf("[%v] Error while verifying token: %T:%v", data.name, err, err)
|
t.Errorf("[%v] Error while verifying token: %T:%v", data.name, err, err)
|
||||||
}
|
}
|
||||||
|
if token.Valid {
|
||||||
|
// The 'Valid' field should not be set to true when invoking ParseUnverified()
|
||||||
|
t.Errorf("[%v] Token.Valid field mismatch. Expecting false, got %v", data.name, token.Valid)
|
||||||
|
}
|
||||||
|
if token.Signature != "" {
|
||||||
|
// The signature was not validated, hence the 'Signature' field is not populated.
|
||||||
|
t.Errorf("[%v] Token.Signature field mismatch. Expecting '', got %v", data.name, token.Signature)
|
||||||
|
}
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func BenchmarkParseUnverified(b *testing.B) {
|
func BenchmarkParseUnverified(b *testing.B) {
|
||||||
privateKey := test.LoadRSAPrivateKeyFromDisk("test/sample_key")
|
|
||||||
|
|
||||||
// Iterate over test data set and run tests
|
// Iterate over test data set and run tests
|
||||||
for _, data := range jwtTestData {
|
for _, data := range jwtTestData {
|
||||||
// If the token string is blank, use helper function to generate string
|
// If the token string is blank, use helper function to generate string
|
||||||
if data.tokenString == "" {
|
if data.tokenString == "" {
|
||||||
data.tokenString = test.MakeSampleToken(data.claims, privateKey)
|
data.tokenString = signToken(data.claims, data.signingMethod)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Parse the token
|
// Parse the token
|
||||||
|
|
|
@ -65,7 +65,7 @@ func TestParseRequest(t *testing.T) {
|
||||||
// Bearer token request
|
// Bearer token request
|
||||||
for _, data := range requestTestData {
|
for _, data := range requestTestData {
|
||||||
// Make token from claims
|
// Make token from claims
|
||||||
tokenString := test.MakeSampleToken(data.claims, privateKey)
|
tokenString := test.MakeSampleToken(data.claims, jwt.SigningMethodRS256, privateKey)
|
||||||
|
|
||||||
// Make query string
|
// Make query string
|
||||||
for k, vv := range data.query {
|
for k, vv := range data.query {
|
||||||
|
|
|
@ -1,6 +1,7 @@
|
||||||
package test
|
package test
|
||||||
|
|
||||||
import (
|
import (
|
||||||
|
"crypto"
|
||||||
"crypto/rsa"
|
"crypto/rsa"
|
||||||
"io/ioutil"
|
"io/ioutil"
|
||||||
|
|
||||||
|
@ -31,8 +32,9 @@ func LoadRSAPublicKeyFromDisk(location string) *rsa.PublicKey {
|
||||||
return key
|
return key
|
||||||
}
|
}
|
||||||
|
|
||||||
func MakeSampleToken(c jwt.Claims, key interface{}) string {
|
// MakeSampleToken creates and returns a encoded JWT token that has been signed with the specified cryptographic key.
|
||||||
token := jwt.NewWithClaims(jwt.SigningMethodRS256, c)
|
func MakeSampleToken(c jwt.Claims, method jwt.SigningMethod, key interface{}) string {
|
||||||
|
token := jwt.NewWithClaims(method, c)
|
||||||
s, e := token.SignedString(key)
|
s, e := token.SignedString(key)
|
||||||
|
|
||||||
if e != nil {
|
if e != nil {
|
||||||
|
@ -41,3 +43,27 @@ func MakeSampleToken(c jwt.Claims, key interface{}) string {
|
||||||
|
|
||||||
return s
|
return s
|
||||||
}
|
}
|
||||||
|
|
||||||
|
func LoadECPrivateKeyFromDisk(location string) crypto.PrivateKey {
|
||||||
|
keyData, e := ioutil.ReadFile(location)
|
||||||
|
if e != nil {
|
||||||
|
panic(e.Error())
|
||||||
|
}
|
||||||
|
key, e := jwt.ParseECPrivateKeyFromPEM(keyData)
|
||||||
|
if e != nil {
|
||||||
|
panic(e.Error())
|
||||||
|
}
|
||||||
|
return key
|
||||||
|
}
|
||||||
|
|
||||||
|
func LoadECPublicKeyFromDisk(location string) crypto.PublicKey {
|
||||||
|
keyData, e := ioutil.ReadFile(location)
|
||||||
|
if e != nil {
|
||||||
|
panic(e.Error())
|
||||||
|
}
|
||||||
|
key, e := jwt.ParseECPublicKeyFromPEM(keyData)
|
||||||
|
if e != nil {
|
||||||
|
panic(e.Error())
|
||||||
|
}
|
||||||
|
return key
|
||||||
|
}
|
||||||
|
|
Loading…
Reference in New Issue