github.com/nats-io/jwt/v2@v2.5.6/authorization_claims_test.go (about) 1 /* 2 * Copyright 2022 The NATS Authors 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 package jwt 17 18 import ( 19 "testing" 20 21 "github.com/nats-io/nkeys" 22 ) 23 24 func TestNewAuthorizationRequestClaims(t *testing.T) { 25 skp, _ := nkeys.CreateServer() 26 27 kp, err := nkeys.CreateUser() 28 if err != nil { 29 t.Fatalf("Error creating user: %v", err) 30 } 31 pub, _ := kp.PublicKey() 32 33 // the subject of the claim is the user we are generating an authorization response 34 ac := NewAuthorizationRequestClaims(pub) 35 ac.Server.Name = "NATS-1" 36 37 vr := CreateValidationResults() 38 39 // Make sure that user nkey is required. 40 ac.Validate(vr) 41 if vr.IsEmpty() || !vr.IsBlocking(false) { 42 t.Fatalf("Expected blocking error on an nkey user not being specified") 43 } 44 45 // Make sure it is required to be valid public user nkey. 46 ac.UserNkey = "derek" 47 vr = CreateValidationResults() 48 ac.Validate(vr) 49 if vr.IsEmpty() || !vr.IsBlocking(false) { 50 t.Fatalf("Expected blocking error on invalid user nkey") 51 } 52 53 ac.UserNkey = pub 54 vr = CreateValidationResults() 55 ac.Validate(vr) 56 if !vr.IsEmpty() { 57 t.Fatal("Valid authorization request will have no validation results") 58 } 59 60 acJWT := encode(ac, skp, t) 61 62 ac2, err := DecodeAuthorizationRequestClaims(acJWT) 63 if err != nil { 64 t.Fatal("error decoding authorization request jwt", err) 65 } 66 67 AssertEquals(ac.String(), ac2.String(), t) 68 AssertEquals(ac.Server.Name, ac2.Server.Name, t) 69 } 70 71 func TestAuthorizationResponse_EmptyShouldFail(t *testing.T) { 72 rc := NewAuthorizationResponseClaims("$G") 73 vr := CreateValidationResults() 74 rc.Validate(vr) 75 if vr.IsEmpty() || !vr.IsBlocking(false) { 76 t.Fatal("Expected blocking errors") 77 } 78 errs := vr.Errors() 79 AssertEquals(3, len(errs), t) 80 AssertEquals("Subject must be a user public key", errs[0].Error(), t) 81 AssertEquals("Audience must be a server public key", errs[1].Error(), t) 82 AssertEquals("Error or Jwt is required", errs[2].Error(), t) 83 } 84 85 func TestAuthorizationResponse_SubjMustBeServer(t *testing.T) { 86 rc := NewAuthorizationResponseClaims(publicKey(createUserNKey(t), t)) 87 rc.Error = "bad" 88 vr := CreateValidationResults() 89 rc.Validate(vr) 90 if vr.IsEmpty() || !vr.IsBlocking(false) { 91 t.Fatal("Expected blocking errors") 92 } 93 errs := vr.Errors() 94 AssertEquals(1, len(errs), t) 95 AssertEquals("Audience must be a server public key", errs[0].Error(), t) 96 97 rc = NewAuthorizationResponseClaims(publicKey(createUserNKey(t), t)) 98 rc.Audience = publicKey(createServerNKey(t), t) 99 rc.Error = "bad" 100 vr = CreateValidationResults() 101 rc.Validate(vr) 102 AssertEquals(true, vr.IsEmpty(), t) 103 } 104 105 func TestAuthorizationResponse_OneOfErrOrJwt(t *testing.T) { 106 rc := NewAuthorizationResponseClaims(publicKey(createUserNKey(t), t)) 107 rc.Audience = publicKey(createServerNKey(t), t) 108 rc.Error = "bad" 109 rc.Jwt = "jwt" 110 vr := CreateValidationResults() 111 rc.Validate(vr) 112 if vr.IsEmpty() || !vr.IsBlocking(false) { 113 t.Fatal("Expected blocking errors") 114 } 115 errs := vr.Errors() 116 AssertEquals(1, len(errs), t) 117 AssertEquals("Only Error or Jwt can be set", errs[0].Error(), t) 118 } 119 120 func TestAuthorizationResponse_IssuerAccount(t *testing.T) { 121 rc := NewAuthorizationResponseClaims(publicKey(createUserNKey(t), t)) 122 rc.Audience = publicKey(createServerNKey(t), t) 123 rc.Jwt = "jwt" 124 rc.IssuerAccount = rc.Subject 125 vr := CreateValidationResults() 126 rc.Validate(vr) 127 if vr.IsEmpty() || !vr.IsBlocking(false) { 128 t.Fatal("Expected blocking errors") 129 } 130 errs := vr.Errors() 131 AssertEquals(1, len(errs), t) 132 AssertEquals("issuer_account is not an account public key", errs[0].Error(), t) 133 134 akp := createAccountNKey(t) 135 rc.IssuerAccount = publicKey(akp, t) 136 vr = CreateValidationResults() 137 rc.Validate(vr) 138 AssertEquals(true, vr.IsEmpty(), t) 139 } 140 141 func TestAuthorizationResponse_Decode(t *testing.T) { 142 rc := NewAuthorizationResponseClaims(publicKey(createUserNKey(t), t)) 143 rc.Audience = publicKey(createServerNKey(t), t) 144 rc.Jwt = "jwt" 145 akp := createAccountNKey(t) 146 tok, err := rc.Encode(akp) 147 AssertNoError(err, t) 148 149 r, err := DecodeAuthorizationResponseClaims(tok) 150 AssertNoError(err, t) 151 vr := CreateValidationResults() 152 r.Validate(vr) 153 AssertEquals(true, vr.IsEmpty(), t) 154 AssertEquals("jwt", r.Jwt, t) 155 AssertTrue(nkeys.IsValidPublicUserKey(r.Subject), t) 156 AssertTrue(nkeys.IsValidPublicServerKey(r.Audience), t) 157 }