
  1. // Copyright 2017 The etcd Authors
  2. //
  3. // Licensed under the Apache License, Version 2.0 (the "License");
  4. // you may not use this file except in compliance with the License.
  5. // You may obtain a copy of the License at
  6. //
  7. // http://www.apache.org/licenses/LICENSE-2.0
  8. //
  9. // Unless required by applicable law or agreed to in writing, software
  10. // distributed under the License is distributed on an "AS IS" BASIS,
  11. // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  12. // See the License for the specific language governing permissions and
  13. // limitations under the License.
  14. package auth
import (
	"context"
	"errors"
	"fmt"
	"testing"

	"go.uber.org/zap"
)
const (
	// Key material shared with the integration fixtures. The "pub-key" slots
	// are handed X.509 certificate files (.crt) rather than bare public keys;
	// the "priv-key" slots are the matching private keys. The ".insecure"
	// suffix marks them as committed, publicly known test material — they
	// must never be reused outside tests.
	jwtRSAPubKey  = "../integration/fixtures/server.crt"
	jwtRSAPrivKey = "../integration/fixtures/server.key.insecure"
	jwtECPubKey   = "../integration/fixtures/server-ecdsa.crt"
	jwtECPrivKey  = "../integration/fixtures/server-ecdsa.key.insecure"
)
// TestJWTInfo runs testJWTInfo once per supported signing configuration.
//
// Three asymmetric methods are covered (RS256, PS256, ES256), each both with
// only a private key ("-priv": the provider has to derive the verification
// half itself) and with an explicit pub-key/priv-key pair, plus HS256, where
// the raw bytes of whatever file priv-key points at are the shared secret.
// Only the RSA-priv case sets ttl, so it is the only working configuration
// that exercises ttl parsing. Cases are listed in a fixed order so the
// subtests run predictably.
func TestJWTInfo(t *testing.T) {
	type jwtCase struct {
		name string
		opts map[string]string
	}
	cases := []jwtCase{
		{"RSA-priv", map[string]string{
			"priv-key":    jwtRSAPrivKey,
			"sign-method": "RS256",
			"ttl":         "1h",
		}},
		{"RSA", map[string]string{
			"pub-key":     jwtRSAPubKey,
			"priv-key":    jwtRSAPrivKey,
			"sign-method": "RS256",
		}},
		{"RSAPSS-priv", map[string]string{
			"priv-key":    jwtRSAPrivKey,
			"sign-method": "PS256",
		}},
		{"RSAPSS", map[string]string{
			"pub-key":     jwtRSAPubKey,
			"priv-key":    jwtRSAPrivKey,
			"sign-method": "PS256",
		}},
		{"ECDSA-priv", map[string]string{
			"priv-key":    jwtECPrivKey,
			"sign-method": "ES256",
		}},
		{"ECDSA", map[string]string{
			"pub-key":     jwtECPubKey,
			"priv-key":    jwtECPrivKey,
			"sign-method": "ES256",
		}},
		{"HMAC", map[string]string{
			// Any readable file works here: its raw bytes (here the PEM text of
			// the EC test key) become the HS256 shared secret. Test-only.
			"priv-key":    jwtECPrivKey,
			"sign-method": "HS256",
		}},
	}

	for i := range cases {
		tc := cases[i]
		t.Run(tc.name, func(st *testing.T) {
			testJWTInfo(st, tc.opts)
		})
	}
}
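// testJWTInfo builds a JWT token provider from opts and checks its basic
// contract: a token assigned for user "abc" at revision 123 is accepted by
// info and carries revision 123, while an arbitrary non-JWT string is
// rejected with no AuthInfo.
//
// When opts carries both pub-key and priv-key it additionally builds a
// verify-only provider (same options minus priv-key) and checks that it
// accepts the token minted by the signing provider, still rejects garbage,
// and refuses to assign with ErrVerifyOnly.
//
// Not covered here: the username handed to assign is never read back from
// the returned AuthInfo, and no token is ever presented to a provider
// configured with a different key or signing method.
// NOTE(review): both would be worth adding to catch key/algorithm-confusion
// regressions — confirm the AuthInfo field names before asserting on them.
func testJWTInfo(t *testing.T, opts map[string]string) {
	t.Helper() // report failures at the call site inside TestJWTInfo

	lg := zap.NewNop()
	jwt, err := newTokenProviderJWT(lg, opts)
	if err != nil {
		t.Fatal(err)
	}

	ctx := context.TODO()
	token, aerr := jwt.assign(ctx, "abc", 123)
	if aerr != nil {
		t.Fatalf("%#v", aerr)
	}

	ai, ok := jwt.info(ctx, token, 123)
	if !ok {
		t.Fatalf("failed to authenticate with token %s", token)
	}
	if ai.Revision != 123 {
		t.Fatalf("expected revision 123, got %d", ai.Revision)
	}

	// A string that is not a JWT at all must be rejected, and no AuthInfo
	// may leak out alongside the failure.
	ai, ok = jwt.info(ctx, "aaa", 120)
	if ok || ai != nil {
		t.Fatalf("expected aaa to fail to authenticate, got %+v", ai)
	}

	// Verify-only provider: only meaningful when a separate public half
	// exists (asymmetric methods); HS256 has no pub-key to fall back on.
	if opts["pub-key"] == "" || opts["priv-key"] == "" {
		return
	}
	t.Run("verify-only", func(t *testing.T) {
		verifyOpts := make(map[string]string, len(opts))
		for k, v := range opts {
			verifyOpts[k] = v
		}
		delete(verifyOpts, "priv-key")

		verify, err := newTokenProviderJWT(lg, verifyOpts)
		if err != nil {
			t.Fatal(err)
		}

		// A token minted by the signing provider must verify under the
		// public key alone.
		ai, ok := verify.info(ctx, token, 123)
		if !ok {
			t.Fatalf("failed to authenticate with token %s", token)
		}
		if ai.Revision != 123 {
			t.Fatalf("expected revision 123, got %d", ai.Revision)
		}
		ai, ok = verify.info(ctx, "aaa", 120)
		if ok || ai != nil {
			t.Fatalf("expected aaa to fail to authenticate, got %+v", ai)
		}

		// Without a private key the provider must refuse to mint tokens
		// rather than silently signing with something else.
		if _, aerr := verify.assign(ctx, "abc", 123); !errors.Is(aerr, ErrVerifyOnly) {
			t.Fatalf("unexpected error when attempting to sign with public key: %v", aerr)
		}
	})
}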
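// TestJWTBad checks that newTokenProviderJWT refuses configurations that
// must not yield a working provider.
//
// The expectation is only "some error": the loop does not inspect which
// validation fired, so it is up to each case to be configured such that the
// failure named in its key is the only plausible reason it fails.
func TestJWTBad(t *testing.T) {
	badCases := map[string]map[string]string{
		"no options": {},
		"invalid method": {
			"sign-method": "invalid",
		},
		"rsa no key": {
			"sign-method": "RS256",
		},
		// NOTE(review): with no key configured this case also matches
		// "rsa no key", so a broken ttl parser would go unnoticed here;
		// adding a valid priv-key would make the ttl the sole reason.
		"invalid ttl": {
			"sign-method": "RS256",
			"ttl":         "forever",
		},
		// Wrong PEM type in each slot: a private key where a certificate is
		// expected, and a certificate where a private key is expected.
		"rsa invalid public key": {
			"sign-method": "RS256",
			"pub-key":     jwtRSAPrivKey,
			"priv-key":    jwtRSAPrivKey,
		},
		"rsa invalid private key": {
			"sign-method": "RS256",
			"pub-key":     jwtRSAPubKey,
			"priv-key":    jwtRSAPubKey,
		},
		"hmac no key": {
			"sign-method": "HS256",
		},
		// HMAC has no public half, so any pub-key must be rejected. This
		// presumably also guards against the well-known RS256->HS256
		// algorithm-confusion attack, where a public key is misused as the
		// HMAC secret — the provider's actual reason is not visible here.
		"hmac pub key": {
			"sign-method": "HS256",
			"pub-key":     jwtRSAPubKey,
		},
		// RS256 (verify-only) so that the missing file is the only reason to
		// fail; under HS256 a pub-key is rejected whether or not it exists.
		"missing public key file": {
			"sign-method": "RS256",
			"pub-key":     "missing-file",
		},
		"missing private key file": {
			"sign-method": "HS256",
			"priv-key":    "missing-file",
		},
		"ecdsa no key": {
			"sign-method": "ES256",
		},
		"ecdsa invalid public key": {
			"sign-method": "ES256",
			"pub-key":     jwtECPrivKey,
			"priv-key":    jwtECPrivKey,
		},
		"ecdsa invalid private key": {
			"sign-method": "ES256",
			"pub-key":     jwtECPubKey,
			"priv-key":    jwtECPubKey,
		},
	}

	lg := zap.NewNop()
	for name, opts := range badCases {
		t.Run(name, func(t *testing.T) {
			if _, err := newTokenProviderJWT(lg, opts); err == nil {
				t.Errorf("expected error for options %v", opts)
			}
		})
	}
}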
// testJWTOpts returns the comma-separated option string NewTokenProvider
// expects for a JWT provider backed by the RSA test fixtures: both pub-key
// and priv-key set, signing with RS256.
func testJWTOpts() string {
	const method = "RS256"
	return fmt.Sprintf("%s,pub-key=%s,priv-key=%s,sign-method=%s",
		tokenTypeJWT, jwtRSAPubKey, jwtRSAPrivKey, method)
}