mirror
/
oragono
mirror of https://github.com/oragono/oragono
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 67 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
5258 Commits
19 Branches
Tree: ee7f818674
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'ee7f818674'
${ noResults }
oragono/irc/jwt/bearer_test.go

bearer_test.go 5.2KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143 
  1. package jwt

  2. 

  3. import (

  4. 	"testing"

  5. 

  6. 	jwt "github.com/golang-jwt/jwt/v5"

  7. )

  8. 

  9. const (

  10. 	rsaTestPubKey = `-----BEGIN PUBLIC KEY-----

  11. MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAwhcCcXrfR/GmoPKxBi0H

  12. cUl2pUl4acq2m3abFtMMoYTydJdEhgYWfsXuragyEIVkJU1ZnrgedW0QJUcANRGO

  13. hP/B+MjBevDNsRXQECfhyjfzhz6KWZb4i7C2oImJuAjq/F4qGLdEGQDBpAzof8qv

  14. 9Zt5iN3GXY/EQtQVMFyR/7BPcbPLbHlOtzZ6tVEioXuUxQoai7x3Kc0jIcPWuyGa

  15. Q04IvsgdaWO6oH4fhPfyVsmX37rYUn79zcqPHS4ieWM1KN9qc7W+/UJIeiwAStpJ

  16. 8gv+OSMrijRZGgQGCeOO5U59GGJC4mqUczB+JFvrlAIv0rggNpl+qalngosNxukB

  17. uQIDAQAB

  18. -----END PUBLIC KEY-----`

  19. 

  20. 	rsaTestPrivKey = `-----BEGIN PRIVATE KEY-----

  21. MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDCFwJxet9H8aag

  22. 8rEGLQdxSXalSXhpyrabdpsW0wyhhPJ0l0SGBhZ+xe6tqDIQhWQlTVmeuB51bRAl

  23. RwA1EY6E/8H4yMF68M2xFdAQJ+HKN/OHPopZlviLsLagiYm4COr8XioYt0QZAMGk

  24. DOh/yq/1m3mI3cZdj8RC1BUwXJH/sE9xs8tseU63Nnq1USKhe5TFChqLvHcpzSMh

  25. w9a7IZpDTgi+yB1pY7qgfh+E9/JWyZffuthSfv3Nyo8dLiJ5YzUo32pztb79Qkh6

  26. LABK2knyC/45IyuKNFkaBAYJ447lTn0YYkLiapRzMH4kW+uUAi/SuCA2mX6pqWeC

  27. iw3G6QG5AgMBAAECggEARaAnejoP2ykvE1G8e3Cv2M33x/eBQMI9m6uCmz9+qnqc

  28. 14JkTIfmjffHVXie7RpNAKys16lJE+rZ/eVoh6EStVdiaDLsZYP45evjRcho0Tgd

  29. Hokq7FSiOMpd2V09kE1yrrHA/DjSLv38eTNAPIejc8IgaR7VyD6Is0iNiVnL7iLa

  30. mj1zB6+dSeQ5ICYkrihb1gA+SvECsjLZ/5XESXEdHJvxhC0vLAdHmdQf3BPPlrGg

  31. VHondxL5gt6MFykpOxTFA6f5JkSefhUR/2OcCDpMs6a5GUytjl3rA3aGT6v3CbnR

  32. ykD6PzyC20EUADQYF2pmJfzbxyRqfNdbSJwQv5QQYQKBgQD4rFdvgZC97L7WhZ5T

  33. axW8hRW2dH24GIqFT4ZnCg0suyMNshyGvDMuBfGvokN/yACmvsdE0/f57esar+ye

  34. l9RC+CzGUch08Ke5WdqwACOCNDpx0kJcXKTuLIgkvthdla/oAQQ9T7OgEwDrvaR0

  35. m8s/Z7Hb3hLD3xdOt6Xjrv/6xQKBgQDHzvbcIkhmWdvaPDT9NEu7psR/fxF5UjqU

  36. Cca/bfHhySRQs3A1CF57pfwpUqAcSivNf7O+3NI62AKoyMDYv0ek2h6hGk6g5GJ1

  37. SuXYfjcbkL6SWNV0InsgmzCjvxhyms83xZq7uMClEBvkiKVMdt6zFkwW9eRKtUuZ

  38. pzVK5RfqZQKBgF5SME/xGw+O7su7ntQROAtrh1LPWKgtVs093sLSgzDGQoN9XWiV

  39. lewNASEXMPcUy3pzvm2S4OoBnj1fISb+e9py+7i1aI1CgrvBIzvCsbU/TjPCBr21

  40. vjFA3trhMHw+vJwJVqxSwNUkoCLKqcg5F5yTHllBIGj/A34uFlQIGrvpAoGAextm

  41. d+1bhExbLBQqZdOh0cWHjjKBVqm2U93OKcYY4Q9oI5zbRqGYbUCwo9k3sxZz9JJ4

  42. 8eDmWsEaqlm+kA0SnFyTwJkP1wvAKhpykTf6xi4hbNP0+DACgu17Q3iLHJmLkQZc

  43. Nss3TrwlI2KZzgnzXo4fZYotFWasZMhkCngqiw0CgYEAmz2D70RYEauUNE1+zLhS

  44. 6Ox5+PF/8Z0rZOlTghMTfqYcDJa+qQe9pJp7RPgilsgemqo0XtgLKz3ATE5FmMa4

  45. HRRGXPkMNu6Hzz4Yk4eM/yJqckoEc8azV25myqQ+7QXTwZEvxVbtUWZtxfImGwq+

  46. s/uzBKNwWf9UPTeIt+4JScg=

  47. -----END PRIVATE KEY-----`

  48. )

  49. 

  50. func TestJWTBearerAuth(t *testing.T) {

  51. 	j := JWTAuthConfig{

  52. 		Enabled: true,

  53. 		Tokens: []JWTAuthTokenConfig{

  54. 			{

  55. 				Algorithm:     "rsa",

  56. 				KeyString:     rsaTestPubKey,

  57. 				AccountClaims: []string{"preferred_username", "email"},

  58. 				StripDomain:   "example.com",

  59. 			},

  60. 		},

  61. 	}

  62. 

  63. 	if err := j.Postprocess(); err != nil {

  64. 		t.Fatal(err)

  65. 	}

  66. 

  67. 	// fixed test vector signed with the RSA privkey:

  68. 	token := "eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJwcmVmZXJyZWRfdXNlcm5hbWUiOiJzbGluZ2FtbiJ9.caPZw2Dl4KZN-SErD5-WZB_lPPveHXaMCoUHxNebb94G9w3VaWDIRdngVU99JKx5nE_yRtpewkHHvXsQnNA_M63GBXGK7afXB8e-kV33QF3v9pXALMP5SzRwMgokyxas0RgHu4e4L0d7dn9o_nkdXp34GX3Pn1MVkUGBH6GdlbOdDHrs04pPQ0Qj-O2U0AIpnZq-X_GQs9ECJo4TlPKWR7Jlq5l9bS0dBnohea4FuqJr232je-dlRVkbCa7nrnFmsIsezsgA3Jb_j9Zu_iv460t_d2eaytbVp9P-DOVfzUfkBsKs-81URQEnTjW6ut445AJz2pxjX92X0GdmORpAkQ"

  69. 	accountName, err := j.Validate(token)

  70. 	if err != nil {

  71. 		t.Errorf("could not validate valid token: %v", err)

  72. 	}

  73. 	if accountName != "slingamn" {

  74. 		t.Errorf("incorrect account name for token: `%s`", accountName)

  75. 	}

  76. 

  77. 	// programmatically sign a new token, validate it

  78. 	privKey, err := jwt.ParseRSAPrivateKeyFromPEM([]byte(rsaTestPrivKey))

  79. 	if err != nil {

  80. 		t.Fatal(err)

  81. 	}

  82. 	jTok := jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims(map[string]any{"preferred_username": "slingamn"}))

  83. 	token, err = jTok.SignedString(privKey)

  84. 	if err != nil {

  85. 		t.Fatal(err)

  86. 	}

  87. 	accountName, err = j.Validate(token)

  88. 	if err != nil {

  89. 		t.Errorf("could not validate valid token: %v", err)

  90. 	}

  91. 	if accountName != "slingamn" {

  92. 		t.Errorf("incorrect account name for token: `%s`", accountName)

  93. 	}

  94. 

  95. 	// test expiration

  96. 	jTok = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims(map[string]any{"preferred_username": "slingamn", "exp": 1675740865}))

  97. 	token, err = jTok.SignedString(privKey)

  98. 	if err != nil {

  99. 		t.Fatal(err)

  100. 	}

  101. 	accountName, err = j.Validate(token)

  102. 	if err == nil {

  103. 		t.Errorf("validated expired token")

  104. 	}

  105. 

  106. 	// test for the infamous algorithm confusion bug

  107. 	jTok = jwt.NewWithClaims(jwt.SigningMethodHS256, jwt.MapClaims(map[string]any{"preferred_username": "slingamn"}))

  108. 	token, err = jTok.SignedString([]byte(rsaTestPubKey))

  109. 	if err != nil {

  110. 		t.Fatal(err)

  111. 	}

  112. 	accountName, err = j.Validate(token)

  113. 	if err == nil {

  114. 		t.Errorf("validated HS256 token despite RSA being required")

  115. 	}

  116. 

  117. 	// test no valid claims

  118. 	jTok = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims(map[string]any{"sub": "slingamn"}))

  119. 	token, err = jTok.SignedString(privKey)

  120. 	if err != nil {

  121. 		t.Fatal(err)

  122. 	}

  123. 

  124. 	accountName, err = j.Validate(token)

  125. 	if err != ErrNoValidAccountClaim {

  126. 		t.Errorf("expected ErrNoValidAccountClaim, got: %v", err)

  127. 	}

  128. 

  129. 	// test email addresses

  130. 	jTok = jwt.NewWithClaims(jwt.SigningMethodRS256, jwt.MapClaims(map[string]any{"email": "Slingamn@example.com"}))

  131. 	token, err = jTok.SignedString(privKey)

  132. 	if err != nil {

  133. 		t.Fatal(err)

  134. 	}

  135. 

  136. 	accountName, err = j.Validate(token)

  137. 	if err != nil {

  138. 		t.Errorf("could not validate valid token: %v", err)

  139. 	}

  140. 	if accountName != "Slingamn" {

  141. 		t.Errorf("incorrect account name for token: `%s`", accountName)

  142. 	}

  143. }