mirror of https://github.com/minio/minio.git
240 lines
7.3 KiB
Go
240 lines
7.3 KiB
Go
|
package jwt_test
|
||
|
|
||
|
import (
|
||
|
"encoding/json"
|
||
|
"fmt"
|
||
|
"github.com/dgrijalva/jwt-go"
|
||
|
"io/ioutil"
|
||
|
"net/http"
|
||
|
"reflect"
|
||
|
"testing"
|
||
|
"time"
|
||
|
)
|
||
|
|
||
|
var (
|
||
|
jwtTestDefaultKey []byte
|
||
|
defaultKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestDefaultKey, nil }
|
||
|
emptyKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, nil }
|
||
|
errorKeyFunc jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, fmt.Errorf("error loading key") }
|
||
|
nilKeyFunc jwt.Keyfunc = nil
|
||
|
)
|
||
|
|
||
|
var jwtTestData = []struct {
|
||
|
name string
|
||
|
tokenString string
|
||
|
keyfunc jwt.Keyfunc
|
||
|
claims map[string]interface{}
|
||
|
valid bool
|
||
|
errors uint32
|
||
|
parser *jwt.Parser
|
||
|
}{
|
||
|
{
|
||
|
"basic",
|
||
|
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
|
||
|
defaultKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar"},
|
||
|
true,
|
||
|
0,
|
||
|
nil,
|
||
|
},
|
||
|
{
|
||
|
"basic expired",
|
||
|
"", // autogen
|
||
|
defaultKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar", "exp": float64(time.Now().Unix() - 100)},
|
||
|
false,
|
||
|
jwt.ValidationErrorExpired,
|
||
|
nil,
|
||
|
},
|
||
|
{
|
||
|
"basic nbf",
|
||
|
"", // autogen
|
||
|
defaultKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar", "nbf": float64(time.Now().Unix() + 100)},
|
||
|
false,
|
||
|
jwt.ValidationErrorNotValidYet,
|
||
|
nil,
|
||
|
},
|
||
|
{
|
||
|
"expired and nbf",
|
||
|
"", // autogen
|
||
|
defaultKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar", "nbf": float64(time.Now().Unix() + 100), "exp": float64(time.Now().Unix() - 100)},
|
||
|
false,
|
||
|
jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
|
||
|
nil,
|
||
|
},
|
||
|
{
|
||
|
"basic invalid",
|
||
|
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.EhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
|
||
|
defaultKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar"},
|
||
|
false,
|
||
|
jwt.ValidationErrorSignatureInvalid,
|
||
|
nil,
|
||
|
},
|
||
|
{
|
||
|
"basic nokeyfunc",
|
||
|
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
|
||
|
nilKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar"},
|
||
|
false,
|
||
|
jwt.ValidationErrorUnverifiable,
|
||
|
nil,
|
||
|
},
|
||
|
{
|
||
|
"basic nokey",
|
||
|
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
|
||
|
emptyKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar"},
|
||
|
false,
|
||
|
jwt.ValidationErrorSignatureInvalid,
|
||
|
nil,
|
||
|
},
|
||
|
{
|
||
|
"basic errorkey",
|
||
|
"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
|
||
|
errorKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar"},
|
||
|
false,
|
||
|
jwt.ValidationErrorUnverifiable,
|
||
|
nil,
|
||
|
},
|
||
|
{
|
||
|
"invalid signing method",
|
||
|
"",
|
||
|
defaultKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar"},
|
||
|
false,
|
||
|
jwt.ValidationErrorSignatureInvalid,
|
||
|
&jwt.Parser{ValidMethods: []string{"HS256"}},
|
||
|
},
|
||
|
{
|
||
|
"valid signing method",
|
||
|
"",
|
||
|
defaultKeyFunc,
|
||
|
map[string]interface{}{"foo": "bar"},
|
||
|
true,
|
||
|
0,
|
||
|
&jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
|
||
|
},
|
||
|
{
|
||
|
"JSON Number",
|
||
|
"",
|
||
|
defaultKeyFunc,
|
||
|
map[string]interface{}{"foo": json.Number("123.4")},
|
||
|
true,
|
||
|
0,
|
||
|
&jwt.Parser{UseJSONNumber: true},
|
||
|
},
|
||
|
}
|
||
|
|
||
|
func init() {
|
||
|
var e error
|
||
|
if jwtTestDefaultKey, e = ioutil.ReadFile("test/sample_key.pub"); e != nil {
|
||
|
panic(e)
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func makeSample(c map[string]interface{}) string {
|
||
|
key, e := ioutil.ReadFile("test/sample_key")
|
||
|
if e != nil {
|
||
|
panic(e.Error())
|
||
|
}
|
||
|
|
||
|
token := jwt.New(jwt.SigningMethodRS256)
|
||
|
token.Claims = c
|
||
|
s, e := token.SignedString(key)
|
||
|
|
||
|
if e != nil {
|
||
|
panic(e.Error())
|
||
|
}
|
||
|
|
||
|
return s
|
||
|
}
|
||
|
|
||
|
func TestParser_Parse(t *testing.T) {
|
||
|
for _, data := range jwtTestData {
|
||
|
if data.tokenString == "" {
|
||
|
data.tokenString = makeSample(data.claims)
|
||
|
}
|
||
|
|
||
|
var token *jwt.Token
|
||
|
var err error
|
||
|
if data.parser != nil {
|
||
|
token, err = data.parser.Parse(data.tokenString, data.keyfunc)
|
||
|
} else {
|
||
|
token, err = jwt.Parse(data.tokenString, data.keyfunc)
|
||
|
}
|
||
|
|
||
|
if !reflect.DeepEqual(data.claims, token.Claims) {
|
||
|
t.Errorf("[%v] Claims mismatch. Expecting: %v Got: %v", data.name, data.claims, token.Claims)
|
||
|
}
|
||
|
if data.valid && err != nil {
|
||
|
t.Errorf("[%v] Error while verifying token: %T:%v", data.name, err, err)
|
||
|
}
|
||
|
if !data.valid && err == nil {
|
||
|
t.Errorf("[%v] Invalid token passed validation", data.name)
|
||
|
}
|
||
|
if data.errors != 0 {
|
||
|
if err == nil {
|
||
|
t.Errorf("[%v] Expecting error. Didn't get one.", data.name)
|
||
|
} else {
|
||
|
// compare the bitfield part of the error
|
||
|
if e := err.(*jwt.ValidationError).Errors; e != data.errors {
|
||
|
t.Errorf("[%v] Errors don't match expectation. %v != %v", data.name, e, data.errors)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
if data.valid && token.Signature == "" {
|
||
|
t.Errorf("[%v] Signature is left unpopulated after parsing", data.name)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
func TestParseRequest(t *testing.T) {
|
||
|
// Bearer token request
|
||
|
for _, data := range jwtTestData {
|
||
|
// FIXME: custom parsers are not supported by this helper. skip tests that require them
|
||
|
if data.parser != nil {
|
||
|
t.Logf("Skipping [%v]. Custom parsers are not supported by ParseRequest", data.name)
|
||
|
continue
|
||
|
}
|
||
|
|
||
|
if data.tokenString == "" {
|
||
|
data.tokenString = makeSample(data.claims)
|
||
|
}
|
||
|
|
||
|
r, _ := http.NewRequest("GET", "/", nil)
|
||
|
r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", data.tokenString))
|
||
|
token, err := jwt.ParseFromRequest(r, data.keyfunc)
|
||
|
|
||
|
if token == nil {
|
||
|
t.Errorf("[%v] Token was not found: %v", data.name, err)
|
||
|
continue
|
||
|
}
|
||
|
if !reflect.DeepEqual(data.claims, token.Claims) {
|
||
|
t.Errorf("[%v] Claims mismatch. Expecting: %v Got: %v", data.name, data.claims, token.Claims)
|
||
|
}
|
||
|
if data.valid && err != nil {
|
||
|
t.Errorf("[%v] Error while verifying token: %v", data.name, err)
|
||
|
}
|
||
|
if !data.valid && err == nil {
|
||
|
t.Errorf("[%v] Invalid token passed validation", data.name)
|
||
|
}
|
||
|
}
|
||
|
}
|
||
|
|
||
|
// Helper method for benchmarking various methods
|
||
|
func benchmarkSigning(b *testing.B, method jwt.SigningMethod, key interface{}) {
|
||
|
t := jwt.New(method)
|
||
|
b.RunParallel(func(pb *testing.PB) {
|
||
|
for pb.Next() {
|
||
|
if _, err := t.SignedString(key); err != nil {
|
||
|
b.Fatal(err)
|
||
|
}
|
||
|
}
|
||
|
})
|
||
|
|
||
|
}
|