mirrors/prosody
1
0
Fork 0
mirror of https://github.com/bjc/prosody.git synced 2025-04-03 21:27:38 +03:00
Code Issues Projects Releases Packages Wiki Activity Actions

util.jwt: Overhaul of tests to use declarative approach

Browse source 
Now we can consistently apply the same tests to every algorithm, instead of
duplicating code.
This commit is contained in:
Matthew Wild 2022-07-02 14:22:20 +01:00
parent 4d94a62f9b
commit 74351799e9
2 changed files with 195 additions and 111 deletions
Download patch file Download diff file Expand all files Collapse all files

62
spec/inputs/test_keys.lua
View file

@ -1,4 +1,5 @@
local test_keys = {
-- ECDSA keypair from jwt.io
ecdsa_private_pem = [[
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgevZzL1gdAFr88hb2
@ -14,6 +15,23 @@ q9UU8I5mEovUf86QZ7kOBIjJwqnzD1omageEHWwHdBO6B+dFabmdT9POxg==
-----END PUBLIC KEY-----
]];
-- Self-generated ECDSA keypair
alt_ecdsa_private_pem = [[
-----BEGIN PRIVATE KEY-----
MIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQgQnn4AHz2Zy+JMAgp
AZfKAm9F3s6791PstPf5XjHtETKhRANCAAScv9jI3+BOXXlCOXwmQYosIbl9mf4V
uOwfIoCYSLylAghyxO0n2of8Kji+D+4C1zxNKmZIQa4s8neaIIzXnMY1
-----END PRIVATE KEY-----
]];
alt_ecdsa_public_pem = [[
-----BEGIN PUBLIC KEY-----
MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEnL/YyN/gTl15Qjl8JkGKLCG5fZn+
FbjsHyKAmEi8pQIIcsTtJ9qH/Co4vg/uAtc8TSpmSEGuLPJ3miCM15zGNQ==
-----END PUBLIC KEY-----
]];
-- Self-generated EdDSA (Ed25519) keypair
eddsa_private_pem = [[
-----BEGIN PRIVATE KEY-----
MC4CAQAwBQYDK2VwBCIEIOmrajEfnqdzdJzkJ4irQMCGbYRqrl0RlwPHIw+a5b7M
@ -26,6 +44,7 @@ MCowBQYDK2VwAyEAFipbSXeGvPVK7eA4+hIOdutZTUUyXswVSbMGi0j1QKE=
-----END PUBLIC KEY-----
]];
-- RSA keypair from jwt.io
rsa_private_pem = [[
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQC7VJTUt9Us8cKj
@ -69,6 +88,49 @@ mwIDAQAB
-----END PUBLIC KEY-----
]];
-- Self-generated RSA keypair
alt_rsa_private_pem = [[
-----BEGIN RSA PRIVATE KEY-----
MIIEowIBAAKCAQEA4bt6kor2TomqRXfjCFe6T42ibatloyHntZCUdlDDAkUh4oJ/
4jDCXAUMYqmEsZKCPXxUGQgrmSmNnJPEDMTq3XLDsjhyN4stxEi0UVAiqqBkcEnk
qbQIJSc9v5gpQF8IuJFWRvSNic0uClFL5W9R2s5AHcOhdFYKeDuitqHT5r+dC7cy
WZs5YleKaESxmK6i6wMVhL9adAilTuETyMH0yLSh+aXsPYhjns4AbjGmiKOjqd5w
sPwllEg6rGcIUi/o79z9HN8yLMXq3XNFCCA8RI4Zh3cADI1I5fe6wk1ETN+30cDw
dGQ+uQbaQrzqmKVRNjZcorMwBjsOX5AMQBFx7wIDAQABAoIBAGxj5pZpTZ4msnEL
ASQnY9oBS4ZXr8UmaamgU/mADDOR2JR4T0ngWeNvtSPG/GV70TgO9B7U8oJoFoyh
05jCEXjmO5vfSNDs7rv6oUMONKczvybABKGMRgD5F8hhGyXCvGBLwV7u3OvXbw0b
PlNcIbTsJpNkNam0CvDyyc3iZOq+HjIqituREV7lDw0rFeAR2YfEWn4VjZsQRZUZ
XkpQJ5silrXgGemIEGqVA4YyM7i2HmTiLozfVYaVckMc02VFgOaoK9Z/wGlBxtS5
evc/IGErSA4dc7uXBEeVjhtZoBkof2JV9BNt4hl4KN9wX3tkEX5Aq1K2lirSmg2r
k+UEtwkCgYEA/5uYg25OR+jCFY/7uNS8e32Re1lgDeO+TeT1m+hcF1gCb2GBLifL
yprnuytaz1/mPqawfwbilaxntLBoa5cmNKB3zDsgv4sM451yGZ0oxU0dXpDVHblu
3nhxcaOXtb8jiSsr2MqgMbFlu7m8OupIliS+s8Pq72s6HUQQRKbJ+9MCgYEA4hQl
1W/7nDI2SR4Q3UapQnaUjmDVxX5OD+E4RpKuRF6xF7Ao2CLZusMVo8WN8YiSQP2c
RnzQNKgAVy/1zlhaaQDTs2TmSy9iStbuNZ8P+Gh6kmQXuHxwPyURSmwdpgZdL3+D
8tt6pQNQ0vsLjA9VwHmzIT+rsxPmTxKNvBdNK/UCgYByP6zqyioJMDtYAfRkiAn7
NIQLW0Z4ztvn2zgAyNoowPjNqgpgg/8t/xEm8tjzKg0y4bSwAnbSqa3s8JCrznKQ
QU1qpt8bXl6TenNeiYWIstA2zYvEbnbkz3b9cT7FSLrse7RsgR0bOQyc3QcKWl+5
ZJEsrpxbCVV/cUXIObi8awKBgQDOI8rfk+0bXhlrkBOWf/CjnpYUQK2LF4C8MALt
Lp/hzWmyjLihYx2eknUv0Fl966ZXxidxiisaaDlvRlbeIGfHqK5fu9fUpE7+qH2p
vPCF81YYF1YdrLF4kiby8iQSl2juf1nj3kY1IhHXXnsH6Y+qIg24emLntXRhkyxT
XffK5QKBgGbzEvVgDkerw1SiefAaZnLumJJXBlKjJ00Sq8YLeViyFC/sr4EfG/cV
7VYRhBw3e7RcYSBAA7uv8i3iIeCFjFooIZUARqXk4+yW753tY5nSJTWfkR7Bp5Pa
9jKloxckbZKMjH23a+ABOxomY3l93KOBvjLvMYqccuREOwaT12cn
-----END RSA PRIVATE KEY-----
]];
alt_rsa_public_pem = [[
-----BEGIN PUBLIC KEY-----
MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4bt6kor2TomqRXfjCFe6
T42ibatloyHntZCUdlDDAkUh4oJ/4jDCXAUMYqmEsZKCPXxUGQgrmSmNnJPEDMTq
3XLDsjhyN4stxEi0UVAiqqBkcEnkqbQIJSc9v5gpQF8IuJFWRvSNic0uClFL5W9R
2s5AHcOhdFYKeDuitqHT5r+dC7cyWZs5YleKaESxmK6i6wMVhL9adAilTuETyMH0
yLSh+aXsPYhjns4AbjGmiKOjqd5wsPwllEg6rGcIUi/o79z9HN8yLMXq3XNFCCA8
RI4Zh3cADI1I5fe6wk1ETN+30cDwdGQ+uQbaQrzqmKVRNjZcorMwBjsOX5AMQBFx
7wIDAQAB
-----END PUBLIC KEY-----
]];
};
return test_keys;

244
spec/util_jwt_spec.lua
View file

@ -21,131 +21,153 @@ describe("util.jwt", function ()
assert.falsy(ok)
end);
it("validates HS256", function ()
local verify = jwt.new_verifier("HS256", "your-256-bit-secret");
local result = {verify([[eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c]])};
assert.same({
true; -- success
{ -- payload
sub = "1234567890";
name = "John Doe";
iat = 1516239022;
local test_cases = {
{
algorithm = "HS256";
keys = {
{ "your-256-bit-secret", "your-256-bit-secret" };
{ "another-secret", "another-secret" };
};
}, result);
{
name = "jwt.io reference";
[[eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiaWF0IjoxNTE2MjM5MDIyfQ.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c]];
{ -- payload
sub = "1234567890";
name = "John Doe";
iat = 1516239022;
};
};
};
{
algorithm = "ES256";
keys = {
{ test_keys.ecdsa_private_pem, test_keys.ecdsa_public_pem };
{ test_keys.alt_ecdsa_private_pem, test_keys.alt_ecdsa_public_pem };
};
{
name = "jwt.io reference";
[[eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.tyh-VfuzIxCyGYDlkBA7DfyjrqmSHu6pQ2hoZuFqUSLPNY2N0mpHb3nk5K17HWP_3cYHBw7AhHale5wky6-sVA]];
{ -- payload
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
};
};
};
{
algorithm = "RS256";
keys = {
{ test_keys.rsa_private_pem, test_keys.rsa_public_pem };
{ test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
};
{
name = "jwt.io reference";
[[eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ]];
{ -- payload
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
};
};
};
{
algorithm = "PS256";
keys = {
{ test_keys.rsa_private_pem, test_keys.rsa_public_pem };
{ test_keys.alt_rsa_private_pem, test_keys.alt_rsa_public_pem };
};
{
name = "jwt.io reference";
[[eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.iOeNU4dAFFeBwNj6qdhdvm-IvDQrTa6R22lQVJVuWJxorJfeQww5Nwsra0PjaOYhAMj9jNMO5YLmud8U7iQ5gJK2zYyepeSuXhfSi8yjFZfRiSkelqSkU19I-Ja8aQBDbqXf2SAWA8mHF8VS3F08rgEaLCyv98fLLH4vSvsJGf6ueZSLKDVXz24rZRXGWtYYk_OYYTVgR1cg0BLCsuCvqZvHleImJKiWmtS0-CymMO4MMjCy_FIl6I56NqLE9C87tUVpo1mT-kbg5cHDD8I7MjCW5Iii5dethB4Vid3mZ6emKjVYgXrtkOQ-JyGMh6fnQxEFN1ft33GX2eRHluK9eg]];
{ -- payload
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
};
};
};
};
end);
local function do_verify_test(algorithm, verifying_key, token, expect_payload)
local verify = jwt.new_verifier(algorithm, verifying_key);
it("validates ES256", function ()
local private_key = test_keys.ecdsa_private_pem;
local sign = jwt.new_signer("ES256", private_key);
assert.is_string(token);
local result = {verify(token)};
if expect_payload then
assert.same({
true; -- success
expect_payload; -- payload
}, result);
else
assert.same({
false;
"signature-mismatch";
}, result);
end
end
local token = sign({
local function do_sign_verify_test(algorithm, signing_key, verifying_key, expect_success, expect_token)
local sign = jwt.new_signer(algorithm, signing_key);
local test_payload = {
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
});
};
local public_key = test_keys.ecdsa_public_pem;
local verify = jwt.new_verifier("ES256", public_key);
local token = sign(test_payload);
local result = {verify(token)};
assert.same({
true; -- success
{ -- payload
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
};
}, result);
if expect_token then
assert.equal(expect_token, token);
end
local result = {verify[[eyJhbGciOiJFUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.tyh-VfuzIxCyGYDlkBA7DfyjrqmSHu6pQ2hoZuFqUSLPNY2N0mpHb3nk5K17HWP_3cYHBw7AhHale5wky6-sVA]]};
assert.same({
true; -- success
{ -- payload
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
};
}, result);
end);
do_verify_test(algorithm, verifying_key, token, expect_success and test_payload or false);
end
it("validates RS256", function ()
local private_key = test_keys.rsa_private_pem;
local sign = jwt.new_signer("RS256", private_key);
local token = sign({
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
});
for _, algorithm_tests in ipairs(test_cases) do
local algorithm = algorithm_tests.algorithm;
local keypairs = algorithm_tests.keys;
describe(algorithm, function ()
it("can do basic sign and verify", function ()
for _, keypair in ipairs(keypairs) do
local signing_key, verifying_key = keypair[1], keypair[2];
do_sign_verify_test(algorithm, keypair[1], keypair[2], true);
end
end);
local public_key = test_keys.rsa_public_pem;
local verify = jwt.new_verifier("RS256", public_key);
local result = {verify(token)};
assert.same({
true; -- success
{ -- payload
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
};
}, result);
local result = {verify[[eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.NHVaYe26MbtOYhSKkoKYdFVomg4i8ZJd8_-RU8VNbftc4TSMb4bXP3l3YlNWACwyXPGffz5aXHc6lty1Y2t4SWRqGteragsVdZufDn5BlnJl9pdR_kdVFUsra2rWKEofkZeIC4yWytE58sMIihvo9H1ScmmVwBcQP6XETqYd0aSHp1gOa9RdUPDvoXQ5oqygTqVtxaDr6wUFKrKItgBMzWIdNZ6y7O9E0DhEPTbE9rfBo6KTFsHAZnMg4k68CDp2woYIaXbmYTWcvbzIuHO7_37GT79XdIwkm95QJ7hYC9RiwrV7mesbY4PAahERJawntho0my942XheVLmGwLMBkQ]]};
assert.same({
true; -- success
{ -- payload
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
};
}, result);
end);
it("validates PS256", function ()
local private_key = test_keys.rsa_private_pem;
local sign = jwt.new_signer("PS256", private_key);
local token = sign({
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
});
local public_key = test_keys.rsa_public_pem;
local verify = jwt.new_verifier("PS256", public_key);
local result = {verify(token)};
assert.same({
true; -- success
{ -- payload
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
};
}, result);
local result = {verify[[eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.iOeNU4dAFFeBwNj6qdhdvm-IvDQrTa6R22lQVJVuWJxorJfeQww5Nwsra0PjaOYhAMj9jNMO5YLmud8U7iQ5gJK2zYyepeSuXhfSi8yjFZfRiSkelqSkU19I-Ja8aQBDbqXf2SAWA8mHF8VS3F08rgEaLCyv98fLLH4vSvsJGf6ueZSLKDVXz24rZRXGWtYYk_OYYTVgR1cg0BLCsuCvqZvHleImJKiWmtS0-CymMO4MMjCy_FIl6I56NqLE9C87tUVpo1mT-kbg5cHDD8I7MjCW5Iii5dethB4Vid3mZ6emKjVYgXrtkOQ-JyGMh6fnQxEFN1ft33GX2eRHluK9eg]]};
assert.same({
true; -- success
{ -- payload
sub = "1234567890";
name = "John Doe";
admin = true;
iat = 1516239022;
};
}, result);
end);
if #keypairs >= 2 then
it("rejects invalid tokens", function ()
do_sign_verify_test(algorithm, keypairs[1][1], keypairs[2][2], false);
end);
else
pending("rejects invalid tokens", function ()
error("Needs at least 2 key pairs");
end);
end
if #algorithm_tests > 0 then
for test_n, test_case in ipairs(algorithm_tests) do
it("can verify "..(test_case.name or (("test case %d"):format(test_n))), function ()
do_verify_test(
algorithm,
test_case.verifying_key or keypairs[1][2],
test_case[1],
test_case[2]
);
end);
end
else
pending("can verify reference tokens", function ()
error("No test tokens provided");
end);
end
end);
end
end);