github.com/nats-io/jwt/v2@v2.5.6/test/decoder_migration_test.go (about) 1 /* 2 * Copyright 2020 The NATS Authors 3 * Licensed under the Apache License, Version 2.0 (the "License"); 4 * you may not use this file except in compliance with the License. 5 * You may obtain a copy of the License at 6 * 7 * http://www.apache.org/licenses/LICENSE-2.0 8 * 9 * Unless required by applicable law or agreed to in writing, software 10 * distributed under the License is distributed on an "AS IS" BASIS, 11 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. 12 * See the License for the specific language governing permissions and 13 * limitations under the License. 14 */ 15 16 package jwt 17 18 import ( 19 "strings" 20 "testing" 21 "time" 22 23 "github.com/nats-io/nkeys" 24 25 . "github.com/nats-io/jwt/v2" 26 v1jwt "github.com/nats-io/jwt/v2/v1compat" 27 ) 28 29 func createExport(sub string) *v1jwt.Export { 30 var e v1jwt.Export 31 e.Type = v1jwt.Service 32 e.Subject = v1jwt.Subject(sub) 33 e.Name = "foo" 34 e.TokenReq = true 35 e.ResponseType = v1jwt.ResponseTypeSingleton 36 return &e 37 } 38 39 func createImport(t *testing.T, e *v1jwt.Export, target string, signer nkeys.KeyPair) *v1jwt.Import { 40 var i v1jwt.Import 41 i.Account = target 42 i.Subject = e.Subject 43 i.Type = e.Type 44 i.Name = e.Name 45 if e.TokenReq { 46 i.Token = createActivation(t, e, target, signer) 47 i.To = v1jwt.Subject(e.Name) 48 } 49 return &i 50 } 51 52 func createActivation(t *testing.T, e *v1jwt.Export, target string, signer nkeys.KeyPair) string { 53 ac := v1jwt.NewActivationClaims(target) 54 ac.Name = e.Name 55 ac.ImportType = e.Type 56 s := strings.Replace(string(e.Subject), "*", target, -1) 57 ac.ImportSubject = v1jwt.Subject(s) 58 tok, err := ac.Encode(signer) 59 AssertNoError(err, t) 60 return tok 61 } 62 63 func TestMigrateOperator(t *testing.T) { 64 okp, err := nkeys.CreateOperator() 65 AssertNoError(err, t) 66 67 opk, err := okp.PublicKey() 68 AssertNoError(err, t) 69 70 sapk, err := okp.PublicKey() 71 AssertNoError(err, t) 72 73 oc := v1jwt.NewOperatorClaims(opk) 74 oc.Name = "O" 75 oc.Audience = "Audience" 76 77 now := time.Now() 78 oc.NotBefore = now.Unix() 79 e := now.Add(time.Hour) 80 oc.ClaimsData.Expires = e.Unix() 81 82 oc.Tags.Add("a") 83 84 oc.OperatorServiceURLs.Add("nats://localhost:4222") 85 oc.AccountServerURL = "http://localhost:9090/jwt/v1" 86 oc.SystemAccount = sapk 87 88 sk, err := nkeys.CreateOperator() 89 AssertNoError(err, t) 90 psk, err := sk.PublicKey() 91 AssertNoError(err, t) 92 oc.Operator.SigningKeys.Add(psk) 93 94 oc.Identities = append(oc.Identities, v1jwt.Identity{ 95 ID: "O", 96 Proof: "http://www.o.com/o", 97 }) 98 99 token, err := oc.Encode(okp) 100 AssertNoError(err, t) 101 102 c, err := Decode(token) 103 AssertNoError(err, t) 104 oc2, ok := c.(*OperatorClaims) 105 AssertTrue(ok, t) 106 107 equalOperators(t, oc, oc2) 108 AssertEquals(oc2.Version, 1, t) 109 } 110 111 func TestMigrateAccount(t *testing.T) { 112 okp, err := nkeys.CreateOperator() 113 AssertNoError(err, t) 114 115 akp, err := nkeys.CreateAccount() 116 AssertNoError(err, t) 117 apk, err := akp.PublicKey() 118 AssertNoError(err, t) 119 120 ac := v1jwt.NewAccountClaims(apk) 121 ac.Name = "A" 122 ac.Audience = "Audience" 123 124 now := time.Now() 125 ac.NotBefore = now.Unix() 126 e := now.Add(time.Hour) 127 ac.ClaimsData.Expires = e.Unix() 128 ac.Tags.Add("a") 129 130 // create an import 131 ea, err := nkeys.CreateAccount() 132 AssertNoError(err, t) 133 hex := createExport("help") 134 ac.Imports.Add(createImport(t, hex, apk, ea)) 135 136 // add an export 137 ac.Exports = append(ac.Exports, createExport("q")) 138 139 // add an identity 140 ac.Identities = append(ac.Identities, v1jwt.Identity{ 141 ID: "A", 142 Proof: "http://www.a.com/a", 143 }) 144 145 // set the limits 146 ac.Limits.Subs = 1 147 ac.Limits.Conn = 2 148 ac.Limits.LeafNodeConn = 4 149 ac.Limits.Imports = 8 150 ac.Limits.Exports = 16 151 ac.Limits.Data = 32 152 ac.Limits.Payload = 64 153 ac.Limits.WildcardExports = true 154 155 // add a signing key 156 sk, err := nkeys.CreateAccount() 157 AssertNoError(err, t) 158 psk, err := sk.PublicKey() 159 AssertNoError(err, t) 160 ac.Account.SigningKeys.Add(psk) 161 162 // add a revocation 163 ukp, err := nkeys.CreateUser() 164 AssertNoError(err, t) 165 upk, err := ukp.PublicKey() 166 AssertNoError(err, t) 167 ac.Revocations = make(map[string]int64) 168 ac.Revocations.Revoke(upk, time.Now()) 169 170 token, err := ac.Encode(okp) 171 AssertNoError(err, t) 172 173 c, err := Decode(token) 174 AssertNoError(err, t) 175 ac2, ok := c.(*AccountClaims) 176 AssertTrue(ok, t) 177 equalAccounts(t, ac, ac2) 178 AssertEquals(ac2.Version, 1, t) 179 } 180 181 func TestMigrateUser(t *testing.T) { 182 ukp, err := nkeys.CreateUser() 183 AssertNoError(err, t) 184 upk, err := ukp.PublicKey() 185 AssertNoError(err, t) 186 187 uc := v1jwt.NewUserClaims(upk) 188 uc.Name = "U" 189 uc.Audience = "Audience" 190 uc.Src = " 127.0.0.1/1 , 127.0.0.1/2 " 191 now := time.Now() 192 uc.NotBefore = now.Unix() 193 e := now.Add(time.Hour) 194 uc.ClaimsData.Expires = e.Unix() 195 uc.Tags.Add("a") 196 197 uc.Permissions.Sub.Allow.Add("q") 198 uc.Permissions.Sub.Deny.Add("d") 199 200 uc.Permissions.Pub.Allow.Add("help") 201 uc.Permissions.Pub.Deny.Add("pleh") 202 203 uc.Permissions.Resp = &v1jwt.ResponsePermission{} 204 uc.Permissions.Resp.MaxMsgs = 100 205 uc.Permissions.Resp.Expires = time.Second 206 207 uc.BearerToken = true 208 209 akp, err := nkeys.CreateAccount() 210 AssertNoError(err, t) 211 tok, err := uc.Encode(akp) 212 AssertNoError(err, t) 213 214 c, err := Decode(tok) 215 AssertNoError(err, t) 216 uc2, ok := c.(*UserClaims) 217 AssertTrue(ok, t) 218 AssertTrue(uc2.Limits.Payload == NoLimit, t) 219 AssertTrue(uc2.Limits.Subs == NoLimit, t) 220 AssertTrue(uc2.Limits.Data == NoLimit, t) 221 AssertTrue(len(uc2.Src) == 2, t) 222 AssertTrue(uc2.Src.Contains("127.0.0.1/1"), t) 223 AssertTrue(uc2.Src.Contains("127.0.0.1/2"), t) 224 AssertEquals(uc2.Version, 1, t) 225 equalUsers(t, uc, uc2) 226 } 227 228 func TestMigrateUserWithDeprecatedLimits(t *testing.T) { 229 ukp, err := nkeys.CreateUser() 230 AssertNoError(err, t) 231 upk, err := ukp.PublicKey() 232 AssertNoError(err, t) 233 akp, err := nkeys.CreateAccount() 234 AssertNoError(err, t) 235 uc := v1jwt.NewUserClaims(upk) 236 uc.Name = "U" 237 uc.Audience = "Audience" 238 uc.Max = 1 239 240 tok, err := uc.Encode(akp) 241 AssertNoError(err, t) 242 _, err = Decode(tok) 243 AssertNoError(err, t) 244 } 245 246 func TestMigrateUserToGeneric(t *testing.T) { 247 ukp, err := nkeys.CreateUser() 248 AssertNoError(err, t) 249 upk, err := ukp.PublicKey() 250 AssertNoError(err, t) 251 akp, err := nkeys.CreateAccount() 252 AssertNoError(err, t) 253 uc := v1jwt.NewUserClaims(upk) 254 uc.Name = "U" 255 uc.Audience = "Audience" 256 uc.Max = 1 257 uc.Tags = []string{"foo", "bar"} 258 259 tok, err := uc.Encode(akp) 260 AssertNoError(err, t) 261 uc2, err := DecodeGeneric(tok) 262 AssertNoError(err, t) 263 AssertTrue(string(uc2.ClaimType()) == string(uc.Type), t) 264 AssertTrue(uc2.Data["tags"].(TagList)[0] == uc.Tags[0], t) 265 } 266 267 func TestMigrateActivationWithDeprecatedLimits(t *testing.T) { 268 akp, err := nkeys.CreateAccount() 269 AssertNoError(err, t) 270 apk, err := akp.PublicKey() 271 AssertNoError(err, t) 272 acOrig := v1jwt.NewActivationClaims(apk) 273 274 ac := acOrig 275 ac.Max = 1 276 tok, err := ac.Encode(akp) 277 AssertNoError(err, t) 278 _, err = Decode(tok) 279 AssertNoError(err, t) 280 281 ac = acOrig 282 ac.Src = "foo" 283 tok, err = ac.Encode(akp) 284 AssertNoError(err, t) 285 _, err = Decode(tok) 286 AssertNoError(err, t) 287 288 ac = acOrig 289 ac.Limits.Payload = 5 290 tok, err = ac.Encode(akp) 291 AssertNoError(err, t) 292 _, err = Decode(tok) 293 AssertNoError(err, t) 294 295 ac = acOrig 296 ac.Times = append(ac.Times, v1jwt.TimeRange{ 297 Start: "15:43:22", 298 End: "27:11:11", 299 }) 300 tok, err = ac.Encode(akp) 301 AssertNoError(err, t) 302 _, err = Decode(tok) 303 AssertNoError(err, t) 304 } 305 306 func equalClaims(t *testing.T, o *v1jwt.ClaimsData, n *ClaimsData, gf *GenericFields) { 307 AssertEquals(o.Subject, n.Subject, t) 308 AssertEquals(o.Issuer, n.Issuer, t) 309 AssertEquals(o.Name, n.Name, t) 310 AssertEquals(o.Audience, n.Audience, t) 311 AssertEquals(o.NotBefore, n.NotBefore, t) 312 AssertEquals(o.Expires, n.Expires, t) 313 AssertEquals(string(o.Type), string(gf.Type), t) 314 AssertTrue(len(o.Tags) == len(gf.Tags), t) 315 for _, v := range gf.Tags { 316 AssertTrue(o.Tags.Contains(v), t) 317 } 318 } 319 320 func equalOperators(t *testing.T, o *v1jwt.OperatorClaims, n *OperatorClaims) { 321 equalClaims(t, &o.ClaimsData, &n.ClaimsData, &n.GenericFields) 322 for _, v := range o.OperatorServiceURLs { 323 AssertTrue(n.OperatorServiceURLs.Contains(v), t) 324 } 325 for _, v := range o.SigningKeys { 326 AssertTrue(n.Operator.SigningKeys.Contains(v), t) 327 } 328 AssertEquals(o.SystemAccount, o.Operator.SystemAccount, t) 329 } 330 331 func equalAccounts(t *testing.T, o *v1jwt.AccountClaims, n *AccountClaims) { 332 equalClaims(t, &o.ClaimsData, &n.ClaimsData, &n.GenericFields) 333 equalImports(t, o.Imports[0], n.Imports[0]) 334 equalExports(t, o.Exports[0], n.Exports[0]) 335 equalLimits(t, &o.Account.Limits, &n.Account.Limits) 336 for _, v := range o.SigningKeys { 337 AssertTrue(n.Account.SigningKeys.Contains(v), t) 338 } 339 } 340 341 func equalUsers(t *testing.T, o *v1jwt.UserClaims, n *UserClaims) { 342 equalClaims(t, &o.ClaimsData, &n.ClaimsData, &n.GenericFields) 343 for _, v := range o.Sub.Allow { 344 AssertTrue(n.Sub.Allow.Contains(v), t) 345 } 346 for _, v := range o.Pub.Allow { 347 AssertTrue(n.Pub.Allow.Contains(v), t) 348 } 349 for _, v := range o.Sub.Deny { 350 AssertTrue(n.Sub.Deny.Contains(v), t) 351 } 352 for _, v := range o.Pub.Deny { 353 AssertTrue(n.Pub.Deny.Contains(v), t) 354 } 355 if o.User.Resp == nil { 356 AssertNil(n.User.Resp, t) 357 } else { 358 AssertEquals(o.User.Resp.Expires, n.User.Resp.Expires, t) 359 AssertEquals(o.User.Resp.MaxMsgs, n.User.Resp.MaxMsgs, t) 360 } 361 if o.IssuerAccount != "" { 362 AssertEquals(o.IssuerAccount, n.User.IssuerAccount, t) 363 } 364 AssertEquals(o.User.BearerToken, n.User.BearerToken, t) 365 } 366 367 func equalExports(t *testing.T, o *v1jwt.Export, n *Export) { 368 AssertEquals(o.Name, n.Name, t) 369 AssertEquals(string(o.Subject), string(n.Subject), t) 370 AssertEquals(int(o.Type), int(n.Type), t) 371 AssertEquals(o.TokenReq, n.TokenReq, t) 372 AssertEquals(string(o.ResponseType), string(n.ResponseType), t) 373 } 374 375 func equalImports(t *testing.T, o *v1jwt.Import, n *Import) { 376 AssertEquals(o.Name, n.Name, t) 377 AssertEquals(string(o.Subject), string(n.Subject), t) 378 //lint:ignore SA1019 testing 379 AssertEquals(string(o.To), string(n.To), t) 380 AssertEquals(int(o.Type), int(n.Type), t) 381 382 if o.Token != "" { 383 ot, err := v1jwt.DecodeActivationClaims(o.Token) 384 AssertNoError(err, t) 385 nt, err := DecodeActivationClaims(n.Token) 386 AssertNoError(err, t) 387 equalActivation(t, ot, nt) 388 } 389 } 390 391 func equalActivation(t *testing.T, o *v1jwt.ActivationClaims, n *ActivationClaims) { 392 equalClaims(t, &o.ClaimsData, &n.ClaimsData, &n.Activation.GenericFields) 393 AssertEquals(string(o.ImportSubject), string(n.ImportSubject), t) 394 AssertEquals(int(o.ImportType), int(n.ImportType), t) 395 } 396 397 func equalLimits(t *testing.T, o *v1jwt.OperatorLimits, n *OperatorLimits) { 398 AssertEquals(o.Subs, n.Subs, t) 399 AssertEquals(o.Conn, n.Conn, t) 400 AssertEquals(o.LeafNodeConn, n.LeafNodeConn, t) 401 AssertEquals(o.Imports, n.Imports, t) 402 AssertEquals(o.Exports, n.Exports, t) 403 AssertEquals(o.Data, n.Data, t) 404 AssertEquals(o.Payload, n.Payload, t) 405 AssertEquals(o.WildcardExports, n.WildcardExports, t) 406 }