JustAnotherArchivist
/
transfer.sh
forked from kiska/transfer.sh
1
0
Fork 1
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
307 Commits
17 Branches
34 MiB
 
 
 
Tree: 6d23a8f5f3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6d23a8f5f3'
${ noResults }
transfer.sh/vendor/golang.org/x/oauth2/jwt/jwt_test.go

296 lines
8.9 KiB
Raw Blame History 

  1. // Copyright 2014 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. package jwt

  6. 

  7. import (

  8. 	"context"

  9. 	"encoding/base64"

  10. 	"encoding/json"

  11. 	"fmt"

  12. 	"net/http"

  13. 	"net/http/httptest"

  14. 	"strings"

  15. 	"testing"

  16. 

  17. 	"golang.org/x/oauth2"

  18. 	"golang.org/x/oauth2/jws"

  19. )

  20. 

  21. var dummyPrivateKey = []byte(`-----BEGIN RSA PRIVATE KEY-----

  22. MIIEpAIBAAKCAQEAx4fm7dngEmOULNmAs1IGZ9Apfzh+BkaQ1dzkmbUgpcoghucE

  23. DZRnAGd2aPyB6skGMXUytWQvNYav0WTR00wFtX1ohWTfv68HGXJ8QXCpyoSKSSFY

  24. fuP9X36wBSkSX9J5DVgiuzD5VBdzUISSmapjKm+DcbRALjz6OUIPEWi1Tjl6p5RK

  25. 1w41qdbmt7E5/kGhKLDuT7+M83g4VWhgIvaAXtnhklDAggilPPa8ZJ1IFe31lNlr

  26. k4DRk38nc6sEutdf3RL7QoH7FBusI7uXV03DC6dwN1kP4GE7bjJhcRb/7jYt7CQ9

  27. /E9Exz3c0yAp0yrTg0Fwh+qxfH9dKwN52S7SBwIDAQABAoIBAQCaCs26K07WY5Jt

  28. 3a2Cw3y2gPrIgTCqX6hJs7O5ByEhXZ8nBwsWANBUe4vrGaajQHdLj5OKfsIDrOvn

  29. 2NI1MqflqeAbu/kR32q3tq8/Rl+PPiwUsW3E6Pcf1orGMSNCXxeducF2iySySzh3

  30. nSIhCG5uwJDWI7a4+9KiieFgK1pt/Iv30q1SQS8IEntTfXYwANQrfKUVMmVF9aIK

  31. 6/WZE2yd5+q3wVVIJ6jsmTzoDCX6QQkkJICIYwCkglmVy5AeTckOVwcXL0jqw5Kf

  32. 5/soZJQwLEyBoQq7Kbpa26QHq+CJONetPP8Ssy8MJJXBT+u/bSseMb3Zsr5cr43e

  33. DJOhwsThAoGBAPY6rPKl2NT/K7XfRCGm1sbWjUQyDShscwuWJ5+kD0yudnT/ZEJ1

  34. M3+KS/iOOAoHDdEDi9crRvMl0UfNa8MAcDKHflzxg2jg/QI+fTBjPP5GOX0lkZ9g

  35. z6VePoVoQw2gpPFVNPPTxKfk27tEzbaffvOLGBEih0Kb7HTINkW8rIlzAoGBAM9y

  36. 1yr+jvfS1cGFtNU+Gotoihw2eMKtIqR03Yn3n0PK1nVCDKqwdUqCypz4+ml6cxRK

  37. J8+Pfdh7D+ZJd4LEG6Y4QRDLuv5OA700tUoSHxMSNn3q9As4+T3MUyYxWKvTeu3U

  38. f2NWP9ePU0lV8ttk7YlpVRaPQmc1qwooBA/z/8AdAoGAW9x0HWqmRICWTBnpjyxx

  39. QGlW9rQ9mHEtUotIaRSJ6K/F3cxSGUEkX1a3FRnp6kPLcckC6NlqdNgNBd6rb2rA

  40. cPl/uSkZP42Als+9YMoFPU/xrrDPbUhu72EDrj3Bllnyb168jKLa4VBOccUvggxr

  41. Dm08I1hgYgdN5huzs7y6GeUCgYEAj+AZJSOJ6o1aXS6rfV3mMRve9bQ9yt8jcKXw

  42. 5HhOCEmMtaSKfnOF1Ziih34Sxsb7O2428DiX0mV/YHtBnPsAJidL0SdLWIapBzeg

  43. KHArByIRkwE6IvJvwpGMdaex1PIGhx5i/3VZL9qiq/ElT05PhIb+UXgoWMabCp84

  44. OgxDK20CgYAeaFo8BdQ7FmVX2+EEejF+8xSge6WVLtkaon8bqcn6P0O8lLypoOhd

  45. mJAYH8WU+UAy9pecUnDZj14LAGNVmYcse8HFX71MoshnvCTFEPVo4rZxIAGwMpeJ

  46. 5jgQ3slYLpqrGlcbLgUXBUgzEO684Wk/UV9DFPlHALVqCfXQ9dpJPg==

  47. -----END RSA PRIVATE KEY-----`)

  48. 

  49. func TestJWTFetch_JSONResponse(t *testing.T) {

  50. 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

  51. 		w.Header().Set("Content-Type", "application/json")

  52. 		w.Write([]byte(`{

  53. 			"access_token": "90d64460d14870c08c81352a05dedd3465940a7c",

  54. 			"scope": "user",

  55. 			"token_type": "bearer",

  56. 			"expires_in": 3600

  57. 		}`))

  58. 	}))

  59. 	defer ts.Close()

  60. 

  61. 	conf := &Config{

  62. 		Email:      "aaa@xxx.com",

  63. 		PrivateKey: dummyPrivateKey,

  64. 		TokenURL:   ts.URL,

  65. 	}

  66. 	tok, err := conf.TokenSource(context.Background()).Token()

  67. 	if err != nil {

  68. 		t.Fatal(err)

  69. 	}

  70. 	if !tok.Valid() {

  71. 		t.Errorf("got invalid token: %v", tok)

  72. 	}

  73. 	if got, want := tok.AccessToken, "90d64460d14870c08c81352a05dedd3465940a7c"; got != want {

  74. 		t.Errorf("access token = %q; want %q", got, want)

  75. 	}

  76. 	if got, want := tok.TokenType, "bearer"; got != want {

  77. 		t.Errorf("token type = %q; want %q", got, want)

  78. 	}

  79. 	if got := tok.Expiry.IsZero(); got {

  80. 		t.Errorf("token expiry = %v, want none", got)

  81. 	}

  82. 	scope := tok.Extra("scope")

  83. 	if got, want := scope, "user"; got != want {

  84. 		t.Errorf("scope = %q; want %q", got, want)

  85. 	}

  86. }

  87. 

  88. func TestJWTFetch_BadResponse(t *testing.T) {

  89. 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

  90. 		w.Header().Set("Content-Type", "application/json")

  91. 		w.Write([]byte(`{"scope": "user", "token_type": "bearer"}`))

  92. 	}))

  93. 	defer ts.Close()

  94. 

  95. 	conf := &Config{

  96. 		Email:      "aaa@xxx.com",

  97. 		PrivateKey: dummyPrivateKey,

  98. 		TokenURL:   ts.URL,

  99. 	}

  100. 	tok, err := conf.TokenSource(context.Background()).Token()

  101. 	if err != nil {

  102. 		t.Fatal(err)

  103. 	}

  104. 	if tok == nil {

  105. 		t.Fatalf("got nil token; want token")

  106. 	}

  107. 	if tok.Valid() {

  108. 		t.Errorf("got invalid token: %v", tok)

  109. 	}

  110. 	if got, want := tok.AccessToken, ""; got != want {

  111. 		t.Errorf("access token = %q; want %q", got, want)

  112. 	}

  113. 	if got, want := tok.TokenType, "bearer"; got != want {

  114. 		t.Errorf("token type = %q; want %q", got, want)

  115. 	}

  116. 	scope := tok.Extra("scope")

  117. 	if got, want := scope, "user"; got != want {

  118. 		t.Errorf("token scope = %q; want %q", got, want)

  119. 	}

  120. }

  121. 

  122. func TestJWTFetch_BadResponseType(t *testing.T) {

  123. 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

  124. 		w.Header().Set("Content-Type", "application/json")

  125. 		w.Write([]byte(`{"access_token":123, "scope": "user", "token_type": "bearer"}`))

  126. 	}))

  127. 	defer ts.Close()

  128. 	conf := &Config{

  129. 		Email:      "aaa@xxx.com",

  130. 		PrivateKey: dummyPrivateKey,

  131. 		TokenURL:   ts.URL,

  132. 	}

  133. 	tok, err := conf.TokenSource(context.Background()).Token()

  134. 	if err == nil {

  135. 		t.Error("got a token; expected error")

  136. 		if got, want := tok.AccessToken, ""; got != want {

  137. 			t.Errorf("access token = %q; want %q", got, want)

  138. 		}

  139. 	}

  140. }

  141. 

  142. func TestJWTFetch_Assertion(t *testing.T) {

  143. 	var assertion string

  144. 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

  145. 		r.ParseForm()

  146. 		assertion = r.Form.Get("assertion")

  147. 

  148. 		w.Header().Set("Content-Type", "application/json")

  149. 		w.Write([]byte(`{

  150. 			"access_token": "90d64460d14870c08c81352a05dedd3465940a7c",

  151. 			"scope": "user",

  152. 			"token_type": "bearer",

  153. 			"expires_in": 3600

  154. 		}`))

  155. 	}))

  156. 	defer ts.Close()

  157. 

  158. 	conf := &Config{

  159. 		Email:        "aaa@xxx.com",

  160. 		PrivateKey:   dummyPrivateKey,

  161. 		PrivateKeyID: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",

  162. 		TokenURL:     ts.URL,

  163. 	}

  164. 

  165. 	_, err := conf.TokenSource(context.Background()).Token()

  166. 	if err != nil {

  167. 		t.Fatalf("Failed to fetch token: %v", err)

  168. 	}

  169. 

  170. 	parts := strings.Split(assertion, ".")

  171. 	if len(parts) != 3 {

  172. 		t.Fatalf("assertion = %q; want 3 parts", assertion)

  173. 	}

  174. 	gotjson, err := base64.RawURLEncoding.DecodeString(parts[0])

  175. 	if err != nil {

  176. 		t.Fatalf("invalid token header; err = %v", err)

  177. 	}

  178. 

  179. 	got := jws.Header{}

  180. 	if err := json.Unmarshal(gotjson, &got); err != nil {

  181. 		t.Errorf("failed to unmarshal json token header = %q; err = %v", gotjson, err)

  182. 	}

  183. 

  184. 	want := jws.Header{

  185. 		Algorithm: "RS256",

  186. 		Typ:       "JWT",

  187. 		KeyID:     "ABCDEFGHIJKLMNOPQRSTUVWXYZ",

  188. 	}

  189. 	if got != want {

  190. 		t.Errorf("access token header = %q; want %q", got, want)

  191. 	}

  192. }

  193. 

  194. func TestJWTFetch_AssertionPayload(t *testing.T) {

  195. 	var assertion string

  196. 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

  197. 		r.ParseForm()

  198. 		assertion = r.Form.Get("assertion")

  199. 

  200. 		w.Header().Set("Content-Type", "application/json")

  201. 		w.Write([]byte(`{

  202. 			"access_token": "90d64460d14870c08c81352a05dedd3465940a7c",

  203. 			"scope": "user",

  204. 			"token_type": "bearer",

  205. 			"expires_in": 3600

  206. 		}`))

  207. 	}))

  208. 	defer ts.Close()

  209. 

  210. 	for _, conf := range []*Config{

  211. 		{

  212. 			Email:        "aaa1@xxx.com",

  213. 			PrivateKey:   dummyPrivateKey,

  214. 			PrivateKeyID: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",

  215. 			TokenURL:     ts.URL,

  216. 		},

  217. 		{

  218. 			Email:        "aaa2@xxx.com",

  219. 			PrivateKey:   dummyPrivateKey,

  220. 			PrivateKeyID: "ABCDEFGHIJKLMNOPQRSTUVWXYZ",

  221. 			TokenURL:     ts.URL,

  222. 			Audience:     "https://example.com",

  223. 		},

  224. 	} {

  225. 		t.Run(conf.Email, func(t *testing.T) {

  226. 			_, err := conf.TokenSource(context.Background()).Token()

  227. 			if err != nil {

  228. 				t.Fatalf("Failed to fetch token: %v", err)

  229. 			}

  230. 

  231. 			parts := strings.Split(assertion, ".")

  232. 			if len(parts) != 3 {

  233. 				t.Fatalf("assertion = %q; want 3 parts", assertion)

  234. 			}

  235. 			gotjson, err := base64.RawURLEncoding.DecodeString(parts[1])

  236. 			if err != nil {

  237. 				t.Fatalf("invalid token payload; err = %v", err)

  238. 			}

  239. 

  240. 			claimSet := jws.ClaimSet{}

  241. 			if err := json.Unmarshal(gotjson, &claimSet); err != nil {

  242. 				t.Errorf("failed to unmarshal json token payload = %q; err = %v", gotjson, err)

  243. 			}

  244. 

  245. 			if got, want := claimSet.Iss, conf.Email; got != want {

  246. 				t.Errorf("payload email = %q; want %q", got, want)

  247. 			}

  248. 			if got, want := claimSet.Scope, strings.Join(conf.Scopes, " "); got != want {

  249. 				t.Errorf("payload scope = %q; want %q", got, want)

  250. 			}

  251. 			aud := conf.TokenURL

  252. 			if conf.Audience != "" {

  253. 				aud = conf.Audience

  254. 			}

  255. 			if got, want := claimSet.Aud, aud; got != want {

  256. 				t.Errorf("payload audience = %q; want %q", got, want)

  257. 			}

  258. 			if got, want := claimSet.Sub, conf.Subject; got != want {

  259. 				t.Errorf("payload subject = %q; want %q", got, want)

  260. 			}

  261. 			if got, want := claimSet.Prn, conf.Subject; got != want {

  262. 				t.Errorf("payload prn = %q; want %q", got, want)

  263. 			}

  264. 		})

  265. 	}

  266. }

  267. 

  268. func TestTokenRetrieveError(t *testing.T) {

  269. 	ts := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {

  270. 		w.Header().Set("Content-type", "application/json")

  271. 		w.WriteHeader(http.StatusBadRequest)

  272. 		w.Write([]byte(`{"error": "invalid_grant"}`))

  273. 	}))

  274. 	defer ts.Close()

  275. 

  276. 	conf := &Config{

  277. 		Email:      "aaa@xxx.com",

  278. 		PrivateKey: dummyPrivateKey,

  279. 		TokenURL:   ts.URL,

  280. 	}

  281. 

  282. 	_, err := conf.TokenSource(context.Background()).Token()

  283. 	if err == nil {

  284. 		t.Fatalf("got no error, expected one")

  285. 	}

  286. 	_, ok := err.(*oauth2.RetrieveError)

  287. 	if !ok {

  288. 		t.Fatalf("got %T error, expected *RetrieveError", err)

  289. 	}

  290. 	// Test error string for backwards compatibility

  291. 	expected := fmt.Sprintf("oauth2: cannot fetch token: %v\nResponse: %s", "400 Bad Request", `{"error": "invalid_grant"}`)

  292. 	if errStr := err.Error(); errStr != expected {

  293. 		t.Fatalf("got %#v, expected %#v", errStr, expected)

  294. 	}

  295. }