Adjusted `parser_test.go` to include RSA and ECDSA tokens (#106)

This commit is contained in:
Sebastien Rosset 2021-09-24 12:32:29 -07:00 committed by GitHub
parent 02bc1ac506
commit fd8cd69d8e
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 130 additions and 25 deletions

View File

@ -1,6 +1,7 @@
package jwt_test package jwt_test
import ( import (
"crypto"
"crypto/rsa" "crypto/rsa"
"encoding/json" "encoding/json"
"fmt" "fmt"
@ -15,25 +16,36 @@ import (
var errKeyFuncError error = fmt.Errorf("error loading key") var errKeyFuncError error = fmt.Errorf("error loading key")
var ( var (
jwtTestDefaultKey *rsa.PublicKey jwtTestDefaultKey *rsa.PublicKey
defaultKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestDefaultKey, nil } jwtTestRSAPrivateKey *rsa.PrivateKey
emptyKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, nil } jwtTestEC256PublicKey crypto.PublicKey
errorKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, errKeyFuncError } jwtTestEC256PrivateKey crypto.PrivateKey
nilKeyFunc jwt.Keyfunc = nil defaultKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestDefaultKey, nil }
ecdsaKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestEC256PublicKey, nil }
emptyKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, nil }
errorKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, errKeyFuncError }
nilKeyFunc jwt.Keyfunc = nil
) )
func init() { func init() {
// Load public keys
jwtTestDefaultKey = test.LoadRSAPublicKeyFromDisk("test/sample_key.pub") jwtTestDefaultKey = test.LoadRSAPublicKeyFromDisk("test/sample_key.pub")
jwtTestEC256PublicKey = test.LoadECPublicKeyFromDisk("test/ec256-public.pem")
// Load private keys
jwtTestRSAPrivateKey = test.LoadRSAPrivateKeyFromDisk("test/sample_key")
jwtTestEC256PrivateKey = test.LoadECPrivateKeyFromDisk("test/ec256-private.pem")
} }
var jwtTestData = []struct { var jwtTestData = []struct {
name string name string
tokenString string tokenString string
keyfunc jwt.Keyfunc keyfunc jwt.Keyfunc
claims jwt.Claims claims jwt.Claims
valid bool valid bool
errors uint32 errors uint32
parser *jwt.Parser parser *jwt.Parser
signingMethod jwt.SigningMethod // The method to sign the JWT token for test purpose
}{ }{
{ {
"basic", "basic",
@ -43,6 +55,7 @@ var jwtTestData = []struct {
true, true,
0, 0,
nil, nil,
jwt.SigningMethodRS256,
}, },
{ {
"basic expired", "basic expired",
@ -52,6 +65,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorExpired, jwt.ValidationErrorExpired,
nil, nil,
jwt.SigningMethodRS256,
}, },
{ {
"basic nbf", "basic nbf",
@ -61,6 +75,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorNotValidYet, jwt.ValidationErrorNotValidYet,
nil, nil,
jwt.SigningMethodRS256,
}, },
{ {
"expired and nbf", "expired and nbf",
@ -70,6 +85,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired, jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
nil, nil,
jwt.SigningMethodRS256,
}, },
{ {
"basic invalid", "basic invalid",
@ -79,6 +95,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorSignatureInvalid, jwt.ValidationErrorSignatureInvalid,
nil, nil,
jwt.SigningMethodRS256,
}, },
{ {
"basic nokeyfunc", "basic nokeyfunc",
@ -88,6 +105,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorUnverifiable, jwt.ValidationErrorUnverifiable,
nil, nil,
jwt.SigningMethodRS256,
}, },
{ {
"basic nokey", "basic nokey",
@ -97,6 +115,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorSignatureInvalid, jwt.ValidationErrorSignatureInvalid,
nil, nil,
jwt.SigningMethodRS256,
}, },
{ {
"basic errorkey", "basic errorkey",
@ -106,6 +125,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorUnverifiable, jwt.ValidationErrorUnverifiable,
nil, nil,
jwt.SigningMethodRS256,
}, },
{ {
"invalid signing method", "invalid signing method",
@ -115,15 +135,37 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorSignatureInvalid, jwt.ValidationErrorSignatureInvalid,
&jwt.Parser{ValidMethods: []string{"HS256"}}, &jwt.Parser{ValidMethods: []string{"HS256"}},
jwt.SigningMethodRS256,
}, },
{ {
"valid signing method", "valid RSA signing method",
"", "",
defaultKeyFunc, defaultKeyFunc,
jwt.MapClaims{"foo": "bar"}, jwt.MapClaims{"foo": "bar"},
true, true,
0, 0,
&jwt.Parser{ValidMethods: []string{"RS256", "HS256"}}, &jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
jwt.SigningMethodRS256,
},
{
"ECDSA signing method not accepted",
"",
ecdsaKeyFunc,
jwt.MapClaims{"foo": "bar"},
false,
jwt.ValidationErrorSignatureInvalid,
&jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
jwt.SigningMethodES256,
},
{
"valid ECDSA signing method",
"",
ecdsaKeyFunc,
jwt.MapClaims{"foo": "bar"},
true,
0,
&jwt.Parser{ValidMethods: []string{"HS256", "ES256"}},
jwt.SigningMethodES256,
}, },
{ {
"JSON Number", "JSON Number",
@ -133,6 +175,7 @@ var jwtTestData = []struct {
true, true,
0, 0,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
{ {
"Standard Claims", "Standard Claims",
@ -144,6 +187,7 @@ var jwtTestData = []struct {
true, true,
0, 0,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
{ {
"JSON Number - basic expired", "JSON Number - basic expired",
@ -153,6 +197,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorExpired, jwt.ValidationErrorExpired,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
{ {
"JSON Number - basic nbf", "JSON Number - basic nbf",
@ -162,6 +207,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorNotValidYet, jwt.ValidationErrorNotValidYet,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
{ {
"JSON Number - expired and nbf", "JSON Number - expired and nbf",
@ -171,6 +217,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired, jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
{ {
"SkipClaimsValidation during token parsing", "SkipClaimsValidation during token parsing",
@ -180,6 +227,7 @@ var jwtTestData = []struct {
true, true,
0, 0,
&jwt.Parser{UseJSONNumber: true, SkipClaimsValidation: true}, &jwt.Parser{UseJSONNumber: true, SkipClaimsValidation: true},
jwt.SigningMethodRS256,
}, },
{ {
"RFC7519 Claims", "RFC7519 Claims",
@ -191,6 +239,7 @@ var jwtTestData = []struct {
true, true,
0, 0,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
{ {
"RFC7519 Claims - single aud", "RFC7519 Claims - single aud",
@ -202,6 +251,7 @@ var jwtTestData = []struct {
true, true,
0, 0,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
{ {
"RFC7519 Claims - multiple aud", "RFC7519 Claims - multiple aud",
@ -213,6 +263,7 @@ var jwtTestData = []struct {
true, true,
0, 0,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
{ {
"RFC7519 Claims - single aud with wrong type", "RFC7519 Claims - single aud with wrong type",
@ -224,6 +275,7 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorMalformed, jwt.ValidationErrorMalformed,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
{ {
"RFC7519 Claims - multiple aud with wrong types", "RFC7519 Claims - multiple aud with wrong types",
@ -235,18 +287,33 @@ var jwtTestData = []struct {
false, false,
jwt.ValidationErrorMalformed, jwt.ValidationErrorMalformed,
&jwt.Parser{UseJSONNumber: true}, &jwt.Parser{UseJSONNumber: true},
jwt.SigningMethodRS256,
}, },
} }
// signToken creates and returns a signed JWT token using signingMethod.
func signToken(claims jwt.Claims, signingMethod jwt.SigningMethod) string {
var privateKey interface{}
switch signingMethod {
case jwt.SigningMethodRS256:
privateKey = jwtTestRSAPrivateKey
case jwt.SigningMethodES256:
privateKey = jwtTestEC256PrivateKey
default:
return ""
}
return test.MakeSampleToken(claims, signingMethod, privateKey)
}
func TestParser_Parse(t *testing.T) { func TestParser_Parse(t *testing.T) {
privateKey := test.LoadRSAPrivateKeyFromDisk("test/sample_key")
// Iterate over test data set and run tests // Iterate over test data set and run tests
for _, data := range jwtTestData { for _, data := range jwtTestData {
t.Run(data.name, func(t *testing.T) { t.Run(data.name, func(t *testing.T) {
// If the token string is blank, use helper function to generate string // If the token string is blank, use helper function to generate string
if data.tokenString == "" { if data.tokenString == "" {
data.tokenString = test.MakeSampleToken(data.claims, privateKey) data.tokenString = signToken(data.claims, data.signingMethod)
} }
// Parse the token // Parse the token
@ -285,7 +352,7 @@ func TestParser_Parse(t *testing.T) {
if data.errors != 0 { if data.errors != 0 {
if err == nil { if err == nil {
t.Errorf("[%v] Expecting error. Didn't get one.", data.name) t.Errorf("[%v] Expecting error. Didn't get one.", data.name)
} else { } else {
ve := err.(*jwt.ValidationError) ve := err.(*jwt.ValidationError)
@ -299,15 +366,20 @@ func TestParser_Parse(t *testing.T) {
} }
} }
} }
if data.valid && token.Signature == "" { if data.valid {
t.Errorf("[%v] Signature is left unpopulated after parsing", data.name) if token.Signature == "" {
t.Errorf("[%v] Signature is left unpopulated after parsing", data.name)
}
if !token.Valid {
// The 'Valid' field should be set to true when invoking Parse()
t.Errorf("[%v] Token.Valid field mismatch. Expecting true, got %v", data.name, token.Valid)
}
} }
}) })
} }
} }
func TestParser_ParseUnverified(t *testing.T) { func TestParser_ParseUnverified(t *testing.T) {
privateKey := test.LoadRSAPrivateKeyFromDisk("test/sample_key")
// Iterate over test data set and run tests // Iterate over test data set and run tests
for _, data := range jwtTestData { for _, data := range jwtTestData {
@ -319,7 +391,7 @@ func TestParser_ParseUnverified(t *testing.T) {
t.Run(data.name, func(t *testing.T) { t.Run(data.name, func(t *testing.T) {
// If the token string is blank, use helper function to generate string // If the token string is blank, use helper function to generate string
if data.tokenString == "" { if data.tokenString == "" {
data.tokenString = test.MakeSampleToken(data.claims, privateKey) data.tokenString = signToken(data.claims, data.signingMethod)
} }
// Parse the token // Parse the token
@ -351,18 +423,25 @@ func TestParser_ParseUnverified(t *testing.T) {
if data.valid && err != nil { if data.valid && err != nil {
t.Errorf("[%v] Error while verifying token: %T:%v", data.name, err, err) t.Errorf("[%v] Error while verifying token: %T:%v", data.name, err, err)
} }
if token.Valid {
// The 'Valid' field should not be set to true when invoking ParseUnverified()
t.Errorf("[%v] Token.Valid field mismatch. Expecting false, got %v", data.name, token.Valid)
}
if token.Signature != "" {
// The signature was not validated, hence the 'Signature' field is not populated.
t.Errorf("[%v] Token.Signature field mismatch. Expecting '', got %v", data.name, token.Signature)
}
}) })
} }
} }
func BenchmarkParseUnverified(b *testing.B) { func BenchmarkParseUnverified(b *testing.B) {
privateKey := test.LoadRSAPrivateKeyFromDisk("test/sample_key")
// Iterate over test data set and run tests // Iterate over test data set and run tests
for _, data := range jwtTestData { for _, data := range jwtTestData {
// If the token string is blank, use helper function to generate string // If the token string is blank, use helper function to generate string
if data.tokenString == "" { if data.tokenString == "" {
data.tokenString = test.MakeSampleToken(data.claims, privateKey) data.tokenString = signToken(data.claims, data.signingMethod)
} }
// Parse the token // Parse the token

View File

@ -65,7 +65,7 @@ func TestParseRequest(t *testing.T) {
// Bearer token request // Bearer token request
for _, data := range requestTestData { for _, data := range requestTestData {
// Make token from claims // Make token from claims
tokenString := test.MakeSampleToken(data.claims, privateKey) tokenString := test.MakeSampleToken(data.claims, jwt.SigningMethodRS256, privateKey)
// Make query string // Make query string
for k, vv := range data.query { for k, vv := range data.query {

View File

@ -1,6 +1,7 @@
package test package test
import ( import (
"crypto"
"crypto/rsa" "crypto/rsa"
"io/ioutil" "io/ioutil"
@ -31,8 +32,9 @@ func LoadRSAPublicKeyFromDisk(location string) *rsa.PublicKey {
return key return key
} }
func MakeSampleToken(c jwt.Claims, key interface{}) string { // MakeSampleToken creates and returns a encoded JWT token that has been signed with the specified cryptographic key.
token := jwt.NewWithClaims(jwt.SigningMethodRS256, c) func MakeSampleToken(c jwt.Claims, method jwt.SigningMethod, key interface{}) string {
token := jwt.NewWithClaims(method, c)
s, e := token.SignedString(key) s, e := token.SignedString(key)
if e != nil { if e != nil {
@ -41,3 +43,27 @@ func MakeSampleToken(c jwt.Claims, key interface{}) string {
return s return s
} }
func LoadECPrivateKeyFromDisk(location string) crypto.PrivateKey {
keyData, e := ioutil.ReadFile(location)
if e != nil {
panic(e.Error())
}
key, e := jwt.ParseECPrivateKeyFromPEM(keyData)
if e != nil {
panic(e.Error())
}
return key
}
func LoadECPublicKeyFromDisk(location string) crypto.PublicKey {
keyData, e := ioutil.ReadFile(location)
if e != nil {
panic(e.Error())
}
key, e := jwt.ParseECPublicKeyFromPEM(keyData)
if e != nil {
panic(e.Error())
}
return key
}