jwt: Add JWT support for minio server.

Please read JWT.md before using this feature.
2025-11-28 21:18:10 -05:00 · 2016-01-21 16:28:15 -08:00
parent 9cb590d800
commit 0a9496462a
39 changed files with 3629 additions and 6 deletions
--- a/vendor/github.com/dgrijalva/jwt-go/parser_test.go
+++ b/vendor/github.com/dgrijalva/jwt-go/parser_test.go
@@ -0,0 +1,239 @@
+package jwt_test
+
+import (
+	"encoding/json"
+	"fmt"
+	"github.com/dgrijalva/jwt-go"
+	"io/ioutil"
+	"net/http"
+	"reflect"
+	"testing"
+	"time"
+)
+
+var (
+	jwtTestDefaultKey []byte
+	defaultKeyFunc    jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return jwtTestDefaultKey, nil }
+	emptyKeyFunc      jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, nil }
+	errorKeyFunc      jwt.Keyfunc = func(t *jwt.Token) (interface{}, error) { return nil, fmt.Errorf("error loading key") }
+	nilKeyFunc        jwt.Keyfunc = nil
+)
+
+var jwtTestData = []struct {
+	name        string
+	tokenString string
+	keyfunc     jwt.Keyfunc
+	claims      map[string]interface{}
+	valid       bool
+	errors      uint32
+	parser      *jwt.Parser
+}{
+	{
+		"basic",
+		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar"},
+		true,
+		0,
+		nil,
+	},
+	{
+		"basic expired",
+		"", // autogen
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar", "exp": float64(time.Now().Unix() - 100)},
+		false,
+		jwt.ValidationErrorExpired,
+		nil,
+	},
+	{
+		"basic nbf",
+		"", // autogen
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar", "nbf": float64(time.Now().Unix() + 100)},
+		false,
+		jwt.ValidationErrorNotValidYet,
+		nil,
+	},
+	{
+		"expired and nbf",
+		"", // autogen
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar", "nbf": float64(time.Now().Unix() + 100), "exp": float64(time.Now().Unix() - 100)},
+		false,
+		jwt.ValidationErrorNotValidYet | jwt.ValidationErrorExpired,
+		nil,
+	},
+	{
+		"basic invalid",
+		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.EhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar"},
+		false,
+		jwt.ValidationErrorSignatureInvalid,
+		nil,
+	},
+	{
+		"basic nokeyfunc",
+		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
+		nilKeyFunc,
+		map[string]interface{}{"foo": "bar"},
+		false,
+		jwt.ValidationErrorUnverifiable,
+		nil,
+	},
+	{
+		"basic nokey",
+		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
+		emptyKeyFunc,
+		map[string]interface{}{"foo": "bar"},
+		false,
+		jwt.ValidationErrorSignatureInvalid,
+		nil,
+	},
+	{
+		"basic errorkey",
+		"eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiJ9.eyJmb28iOiJiYXIifQ.FhkiHkoESI_cG3NPigFrxEk9Z60_oXrOT2vGm9Pn6RDgYNovYORQmmA0zs1AoAOf09ly2Nx2YAg6ABqAYga1AcMFkJljwxTT5fYphTuqpWdy4BELeSYJx5Ty2gmr8e7RonuUztrdD5WfPqLKMm1Ozp_T6zALpRmwTIW0QPnaBXaQD90FplAg46Iy1UlDKr-Eupy0i5SLch5Q-p2ZpaL_5fnTIUDlxC3pWhJTyx_71qDI-mAA_5lE_VdroOeflG56sSmDxopPEG3bFlSu1eowyBfxtu0_CuVd-M42RU75Zc4Gsj6uV77MBtbMrf4_7M_NUTSgoIF3fRqxrj0NzihIBg",
+		errorKeyFunc,
+		map[string]interface{}{"foo": "bar"},
+		false,
+		jwt.ValidationErrorUnverifiable,
+		nil,
+	},
+	{
+		"invalid signing method",
+		"",
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar"},
+		false,
+		jwt.ValidationErrorSignatureInvalid,
+		&jwt.Parser{ValidMethods: []string{"HS256"}},
+	},
+	{
+		"valid signing method",
+		"",
+		defaultKeyFunc,
+		map[string]interface{}{"foo": "bar"},
+		true,
+		0,
+		&jwt.Parser{ValidMethods: []string{"RS256", "HS256"}},
+	},
+	{
+		"JSON Number",
+		"",
+		defaultKeyFunc,
+		map[string]interface{}{"foo": json.Number("123.4")},
+		true,
+		0,
+		&jwt.Parser{UseJSONNumber: true},
+	},
+}
+
+func init() {
+	var e error
+	if jwtTestDefaultKey, e = ioutil.ReadFile("test/sample_key.pub"); e != nil {
+		panic(e)
+	}
+}
+
+func makeSample(c map[string]interface{}) string {
+	key, e := ioutil.ReadFile("test/sample_key")
+	if e != nil {
+		panic(e.Error())
+	}
+
+	token := jwt.New(jwt.SigningMethodRS256)
+	token.Claims = c
+	s, e := token.SignedString(key)
+
+	if e != nil {
+		panic(e.Error())
+	}
+
+	return s
+}
+
+func TestParser_Parse(t *testing.T) {
+	for _, data := range jwtTestData {
+		if data.tokenString == "" {
+			data.tokenString = makeSample(data.claims)
+		}
+
+		var token *jwt.Token
+		var err error
+		if data.parser != nil {
+			token, err = data.parser.Parse(data.tokenString, data.keyfunc)
+		} else {
+			token, err = jwt.Parse(data.tokenString, data.keyfunc)
+		}
+
+		if !reflect.DeepEqual(data.claims, token.Claims) {
+			t.Errorf("[%v] Claims mismatch. Expecting: %v  Got: %v", data.name, data.claims, token.Claims)
+		}
+		if data.valid && err != nil {
+			t.Errorf("[%v] Error while verifying token: %T:%v", data.name, err, err)
+		}
+		if !data.valid && err == nil {
+			t.Errorf("[%v] Invalid token passed validation", data.name)
+		}
+		if data.errors != 0 {
+			if err == nil {
+				t.Errorf("[%v] Expecting error.  Didn't get one.", data.name)
+			} else {
+				// compare the bitfield part of the error
+				if e := err.(*jwt.ValidationError).Errors; e != data.errors {
+					t.Errorf("[%v] Errors don't match expectation.  %v != %v", data.name, e, data.errors)
+				}
+			}
+		}
+		if data.valid && token.Signature == "" {
+			t.Errorf("[%v] Signature is left unpopulated after parsing", data.name)
+		}
+	}
+}
+
+func TestParseRequest(t *testing.T) {
+	// Bearer token request
+	for _, data := range jwtTestData {
+		// FIXME: custom parsers are not supported by this helper.  skip tests that require them
+		if data.parser != nil {
+			t.Logf("Skipping [%v].  Custom parsers are not supported by ParseRequest", data.name)
+			continue
+		}
+
+		if data.tokenString == "" {
+			data.tokenString = makeSample(data.claims)
+		}
+
+		r, _ := http.NewRequest("GET", "/", nil)
+		r.Header.Set("Authorization", fmt.Sprintf("Bearer %v", data.tokenString))
+		token, err := jwt.ParseFromRequest(r, data.keyfunc)
+
+		if token == nil {
+			t.Errorf("[%v] Token was not found: %v", data.name, err)
+			continue
+		}
+		if !reflect.DeepEqual(data.claims, token.Claims) {
+			t.Errorf("[%v] Claims mismatch. Expecting: %v  Got: %v", data.name, data.claims, token.Claims)
+		}
+		if data.valid && err != nil {
+			t.Errorf("[%v] Error while verifying token: %v", data.name, err)
+		}
+		if !data.valid && err == nil {
+			t.Errorf("[%v] Invalid token passed validation", data.name)
+		}
+	}
+}
+
+// Helper method for benchmarking various methods
+func benchmarkSigning(b *testing.B, method jwt.SigningMethod, key interface{}) {
+	t := jwt.New(method)
+	b.RunParallel(func(pb *testing.PB) {
+		for pb.Next() {
+			if _, err := t.SignedString(key); err != nil {
+				b.Fatal(err)
+			}
+		}
+	})
+
+}