go.etcd.io/etcd@v3.3.27+incompatible/auth/jwt_test.go (about)

     1  // Copyright 2017 The etcd Authors
     2  //
     3  // Licensed under the Apache License, Version 2.0 (the "License");
     4  // you may not use this file except in compliance with the License.
     5  // You may obtain a copy of the License at
     6  //
     7  //     http://www.apache.org/licenses/LICENSE-2.0
     8  //
     9  // Unless required by applicable law or agreed to in writing, software
    10  // distributed under the License is distributed on an "AS IS" BASIS,
    11  // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    12  // See the License for the specific language governing permissions and
    13  // limitations under the License.
    14  
    15  package auth
    16  
    17  import (
    18  	"context"
    19  	"fmt"
    20  	"testing"
    21  )
    22  
// jwtPubKey is the path, relative to this package, of the certificate whose
// public key the tests hand to the JWT token provider as "pub-key".
const jwtPubKey = "../integration/fixtures/server.crt"

// jwtPrivKey is the path of the matching private key, passed as "priv-key".
// NOTE(review): the ".insecure" suffix suggests an unprotected key that is
// checked in for tests only; it must never be reused outside the test suite.
const jwtPrivKey = "../integration/fixtures/server.key.insecure"
    27  
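// TestJWTInfo exercises the JWT token provider round trip: a token assigned
// for user "abc" at revision 123 must be accepted by info and yield the same
// user and revision, while a string that is not a token issued by the provider
// must be rejected without returning any AuthInfo.
func TestJWTInfo(t *testing.T) {
	opts := map[string]string{
		"pub-key":     jwtPubKey,
		"priv-key":    jwtPrivKey,
		"sign-method": "RS256",
	}
	tp, err := newTokenProviderJWT(opts)
	if err != nil {
		t.Fatal(err)
	}

	token, err := tp.assign(context.TODO(), "abc", 123)
	if err != nil {
		// Report the error returned by assign itself. The original checked a
		// separate variable but printed the (nil) constructor error instead.
		t.Fatal(err)
	}

	ai, ok := tp.info(context.TODO(), token, 123)
	if !ok || ai == nil {
		t.Fatalf("failed to authenticate with token %s", token)
	}
	// The identity carried by the token is what authorization decisions are
	// based on, so verify it survives the round trip along with the revision.
	if ai.Username != "abc" {
		t.Fatalf("expected username abc, got %q", ai.Username)
	}
	if ai.Revision != 123 {
		t.Fatalf("expected revision 123, got %d", ai.Revision)
	}

	// Negative case: an arbitrary string must not authenticate, and no
	// AuthInfo may be returned alongside the failure.
	ai, ok = tp.info(context.TODO(), "aaa", 120)
	if ok || ai != nil {
		t.Fatalf("expected aaa to fail to authenticate, got %+v", ai)
	}
}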
    54  
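// TestJWTBad verifies that newTokenProviderJWT refuses to build a provider
// from a broken configuration. Each case starts from a known-good option set,
// applies exactly one fault and expects an error. Running the cases as
// subtests reports every failing case by name, with a message that describes
// the fault actually injected.
func TestJWTBad(t *testing.T) {
	cases := []struct {
		name   string
		mutate func(opts map[string]string)
	}{
		{
			// Key material in the wrong slot must be rejected, not accepted.
			name:   "private key supplied as public key",
			mutate: func(opts map[string]string) { opts["pub-key"] = jwtPrivKey },
		},
		{
			name:   "public key supplied as private key",
			mutate: func(opts map[string]string) { opts["priv-key"] = jwtPubKey },
		},
		{
			// Without an explicit signing method the provider must not be built.
			name:   "missing sign-method option",
			mutate: func(opts map[string]string) { delete(opts, "sign-method") },
		},
		{
			// "whatever" is presumably a path that does not exist relative to
			// the package directory.
			name:   "bad file for public key",
			mutate: func(opts map[string]string) { opts["pub-key"] = "whatever" },
		},
		{
			name:   "bad file for private key",
			mutate: func(opts map[string]string) { opts["priv-key"] = "whatever" },
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// Build a fresh valid option map per case so that one fault can
			// never leak into the next case.
			opts := map[string]string{
				"pub-key":     jwtPubKey,
				"priv-key":    jwtPrivKey,
				"sign-method": "RS256",
			}
			tc.mutate(opts)
			if _, err := newTokenProviderJWT(opts); err == nil {
				t.Fatalf("expected newTokenProviderJWT to fail: %s", tc.name)
			}
		})
	}
}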
    96  
// testJWTOpts renders the JWT provider settings as one comma-separated string:
// the token type first, then the key=value options. NewTokenProvider takes its
// configuration in this string form rather than as a map.
func testJWTOpts() string {
	const layout = "%s,pub-key=%s,priv-key=%s,sign-method=RS256"
	return fmt.Sprintf(layout, tokenTypeJWT, jwtPubKey, jwtPrivKey)
}
   100  }