HsmKeyManager related test fixes

ory · Aug 9, 2021 · 0356a40 · 0356a40
1 parent abbd3aa
commit 0356a40
Show file tree

Hide file tree

Showing 4 changed files with 119 additions and 3 deletions.
diff --git a/cmd/root_test.go b/cmd/root_test.go
@@ -24,6 +24,7 @@ import (
  "crypto/tls"
  "encoding/base64"
  "fmt"
+ "github.com/ory/hydra/internal"
  "io/ioutil"
  "net/http"
  "os"
@@ -73,13 +74,15 @@ func init() {
 func TestExecute(t *testing.T) {
  frontend := fmt.Sprintf("https://localhost:%d/", frontendPort)
  backend := fmt.Sprintf("https://localhost:%d/", backendPort)
+ conf := internal.NewConfigurationWithDefaults()
 
  rootCmd := NewRootCmd()
 
  for _, c := range []struct {
  args []string
  wait func() bool
  expectErr bool
+ skipTest bool
  }{
  {
  args: []string{"serve", "all", "--sqa-opt-out"},
@@ -116,13 +119,13 @@ func TestExecute(t *testing.T) {
  {args: []string{"clients", "create", "--skip-tls-verify", "--endpoint", backend, "--id", "public-foo"}},
  {args: []string{"clients", "create", "--skip-tls-verify", "--endpoint", backend, "--id", "confidential-foo", "--pgp-key", base64EncodedPGPPublicKey(t), "--grant-types", "client_credentials", "--response-types", "token"}},
  {args: []string{"clients", "delete", "--skip-tls-verify", "--endpoint", backend, "public-foo"}},
- {args: []string{"keys", "create", "--skip-tls-verify", "foo", "--endpoint", backend, "-a", "HS256"}},
+ {args: []string{"keys", "create", "--skip-tls-verify", "foo", "--endpoint", backend, "-a", "RS256"}},
  {args: []string{"keys", "get", "--skip-tls-verify", "--endpoint", backend, "foo"}},
  // {args: []string{"keys", "rotate", "--skip-tls-verify", "--endpoint", backend, "foo"}},
  {args: []string{"keys", "get", "--skip-tls-verify", "--endpoint", backend, "foo"}},
  {args: []string{"keys", "delete", "--skip-tls-verify", "--endpoint", backend, "foo"}},
- {args: []string{"keys", "import", "--skip-tls-verify", "--endpoint", backend, "import-1", "../test/stub/ecdh.key", "../test/stub/ecdh.pub"}},
- {args: []string{"keys", "import", "--skip-tls-verify", "--endpoint", backend, "import-2", "../test/stub/rsa.key", "../test/stub/rsa.pub"}},
+ {args: []string{"keys", "import", "--skip-tls-verify", "--endpoint", backend, "import-1", "../test/stub/ecdh.key", "../test/stub/ecdh.pub"}, skipTest: conf.HsmEnabled()},
+ {args: []string{"keys", "import", "--skip-tls-verify", "--endpoint", backend, "import-2", "../test/stub/rsa.key", "../test/stub/rsa.pub"}, skipTest: conf.HsmEnabled()},
  {args: []string{"token", "revoke", "--skip-tls-verify", "--endpoint", frontend, "--client-secret", "foobar", "--client-id", "foobarbaz", "foo"}},
  {args: []string{"token", "client", "--skip-tls-verify", "--endpoint", frontend, "--client-secret", "foobar", "--client-id", "foobarbaz"}},
  {args: []string{"help", "migrate", "sql"}},
@@ -132,6 +135,10 @@ func TestExecute(t *testing.T) {
  rootCmd.SetArgs(c.args)
 
  t.Run(fmt.Sprintf("command=%v", c.args), func(t *testing.T) {
+ if c.skipTest {
+ t.Skip("Hardware Security Module enabled. Skipping test.")
+ }
+
  if c.wait != nil {
  go func() {
  assert.Nil(t, rootCmd.Execute())

diff --git a/jwk/handler_test.go b/jwk/handler_test.go
@@ -46,6 +46,7 @@ func TestHandlerWellKnown(t *testing.T) {
 
  router := x.NewRouterPublic()
 
+ var kid = uuid.New()
  h := reg.KeyHandler()
  IDKS, err := reg.KeyManager().GenerateKeySet(context.TODO(), x.OpenIDConnectKeyName, kid, "RS256", "sig")
  require.NoError(t, err)

diff --git a/jwk/jwt_strategy_test.go b/jwk/jwt_strategy_test.go
@@ -85,3 +85,53 @@ func TestRS256JWTStrategy_withSoftwareKeyStore(t *testing.T) {
  assert.NoError(t, err)
  assert.Equal(t, "public:bar", kid)
 }
+
+func TestRS256JWTStrategy_withHardwareKeyStore(t *testing.T) {
+ conf := internal.NewConfigurationWithDefaults()
+ reg := internal.NewRegistryMemory(t, conf)
+
+ if !conf.HsmEnabled() {
+ t.Skip("Hardware Security Module not enabled. Skipping test.")
+ }
+
+ m := reg.KeyManager()
+
+ var kid1 = uuid.New()
+ _, err := m.GenerateKeySet(context.TODO(), "foo-set", kid1, "RS256", "sig")
+ require.NoError(t, err)
+
+ s, err := NewRS256JWTStrategy(*conf, reg, func() string {
+ return "foo-set"
+ })
+
+ require.NoError(t, err)
+ token, sig, err := s.Generate(context.TODO(), jwt2.MapClaims{"foo": "bar"}, &jwt.Headers{})
+ require.NoError(t, err)
+ assert.NotEmpty(t, token)
+ assert.NotEmpty(t, sig)
+
+ _, err = s.Validate(context.TODO(), token)
+ require.NoError(t, err)
+
+ kid, err := s.GetPublicKeyID(context.TODO())
+ assert.NoError(t, err)
+ assert.Equal(t, fmt.Sprintf("public:%s", kid1), kid)
+
+ err = m.DeleteKeySet(context.TODO(), "foo-set")
+ require.NoError(t, err)
+
+ var kid2 = uuid.New()
+ _, err = m.GenerateKeySet(context.TODO(), "foo-set", kid2, "RS256", "sig")
+
+ token, sig, err = s.Generate(context.TODO(), jwt2.MapClaims{"foo": "bar"}, &jwt.Headers{})
+ require.NoError(t, err)
+ assert.NotEmpty(t, token)
+ assert.NotEmpty(t, sig)
+
+ _, err = s.Validate(context.TODO(), token)
+ require.NoError(t, err)
+
+ kid, err = s.GetPublicKeyID(context.TODO())
+ assert.NoError(t, err)
+ assert.Equal(t, fmt.Sprintf("public:%s", kid2), kid)
+}
diff --git a/jwk/sdk_test.go b/jwk/sdk_test.go
@@ -54,6 +54,60 @@ func TestJWKSDK(t *testing.T) {
  sdk := client.NewHTTPClientWithConfig(nil, &client.TransportConfig{Schemes: []string{"http"}, Host: urlx.ParseOrPanic(server.URL).Host})
 
  t.Run("JSON Web Key", func(t *testing.T) {
+ if !conf.HsmEnabled() {
+ t.Skip("Hardware Security Module not enabled. Skipping test.")
+ }
+
+ t.Run("CreateJwkSetKey", func(t *testing.T) {
+ // Create a key called set-foo
+ resultKeys, err := sdk.Admin.CreateJSONWebKeySet(admin.NewCreateJSONWebKeySetParams().WithSet("set-foo").WithBody(&models.JSONWebKeySetGeneratorRequest{
+ Alg: pointerx.String("RS256"),
+ Kid: pointerx.String("key-bar"),
+ Use: pointerx.String("sig"),
+ }))
+ require.NoError(t, err)
+ require.Len(t, resultKeys.Payload.Keys, 1)
+ assert.Equal(t, "public:key-bar", *resultKeys.Payload.Keys[0].Kid)
+ assert.Equal(t, "RS256", *resultKeys.Payload.Keys[0].Alg)
+ assert.Equal(t, "sig", *resultKeys.Payload.Keys[0].Use)
+ })
+
+ var resultKeys *models.JSONWebKeySet
+ t.Run("GetJwkSetKey after create", func(t *testing.T) {
+ result, err := sdk.Admin.GetJSONWebKey(admin.NewGetJSONWebKeyParams().WithKid("key-bar").WithSet("set-foo"))
+ require.NoError(t, err)
+ require.Len(t, result.Payload.Keys, 1)
+ require.Equal(t, "public:key-bar", *result.Payload.Keys[0].Kid)
+ require.Equal(t, "RS256", *result.Payload.Keys[0].Alg)
+
+ resultKeys = result.Payload
+ })
+
+ t.Run("UpdateJwkSetKey", func(t *testing.T) {
+ require.Len(t, resultKeys.Keys, 1)
+ resultKeys.Keys[0].Alg = pointerx.String("RS256")
+
+ _, err := sdk.Admin.UpdateJSONWebKey(admin.NewUpdateJSONWebKeyParams().WithKid("key-bar").WithSet("set-foo").WithBody(resultKeys.Keys[0]))
+ require.Error(t, err)
+ })
+
+ t.Run("DeleteJwkSetKey after delete", func(t *testing.T) {
+ _, err := sdk.Admin.DeleteJSONWebKey(admin.NewDeleteJSONWebKeyParams().WithKid("key-bar").WithSet("set-foo"))
+ require.NoError(t, err)
+ })
+
+ t.Run("GetJwkSetKey after delete", func(t *testing.T) {
+ _, err := sdk.Admin.GetJSONWebKey(admin.NewGetJSONWebKeyParams().WithKid("key-bar").WithSet("set-foo"))
+ require.Error(t, err)
+ })
+
+ })
+
+ t.Run("JSON Web Key", func(t *testing.T) {
+ if conf.HsmEnabled() {
+ t.Skip("Hardware Security Module enabled. Skipping test.")
+ }
+
  t.Run("CreateJwkSetKey", func(t *testing.T) {
  // Create a key called set-foo
  resultKeys, err := sdk.Admin.CreateJSONWebKeySet(admin.NewCreateJSONWebKeySetParams().WithSet("set-foo").WithBody(&models.JSONWebKeySetGeneratorRequest{
@@ -102,6 +156,10 @@ func TestJWKSDK(t *testing.T) {
  })
 
  t.Run("JWK Set", func(t *testing.T) {
+ if conf.HsmEnabled() {
+ t.Skip("Hardware Security Module enabled. Skipping test.")
+ }
+
  t.Run("CreateJwkSetKey", func(t *testing.T) {
  resultKeys, err := sdk.Admin.CreateJSONWebKeySet(admin.NewCreateJSONWebKeySetParams().WithSet("set-foo2").WithBody(&models.JSONWebKeySetGeneratorRequest{
  Alg: pointerx.String("HS256"),