-
Notifications
You must be signed in to change notification settings - Fork 0
/
token_test.go
133 lines (117 loc) · 3.39 KB
/
token_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
package securelogin
import (
"fmt"
"net/url"
"testing"
"time"
)
var (
accessAllScope = url.Values{"access": []string{"all"}}
changeScope = url.Values{
"to": []string{"..."},
"mode": []string{"change"},
}
badChangeScope = url.Values{
"to": []string{"..."},
"mode": []string{"nochange"},
}
multiModeScope = url.Values{
"to": []string{"..."},
"mode": []string{"nochange", "change"},
}
noModeChangeScope = url.Values{
"to": []string{"..."},
"nomode": []string{"change"},
}
)
func TestTokenVerify(t *testing.T) {
var cases = []struct {
opt []Option
mod tokmod
err string
}{
{[]Option{o}, tokAlive, ""},
{[]Option{o}, tokExpired, "expired token"},
{[]Option{o}, tokInvalidSignature, "invalid signature"},
{[]Option{o, WithPublicKey([]byte("wrong"))}, tokAlive, "invalid signature"},
{[]Option{o}, tokSmallPublicKey, "invalid signature"},
{[]Option{o}, tokInvalidProvider, "invalid provider"},
{[]Option{o}, tokInvalidClient, "invalid client"},
{[]Option{o, WithHMAC, WithSecret([]byte("wrong"))}, tokAlive, "invalid HMAC signature"},
{[]Option{o, WithHMAC}, tokInvalidHMAC, "invalid HMAC signature"},
{[]Option{o, WithConnect}, tokInvalidClient, ""},
{[]Option{o, WithoutExpire}, tokNoMod, ""},
{[]Option{o, WithChange}, tokAlive, "not mode=change token"},
{[]Option{o, WithChange}, tokScopeChange(changeScope), ""},
{[]Option{o, WithChange}, tokScopeChange(multiModeScope), ""},
{[]Option{o, WithChange}, tokScopeChange(badChangeScope), "not mode=change token"},
{[]Option{o, WithChange}, tokScopeChange(noModeChangeScope), "not mode=change token"},
{[]Option{o, WithScope(changeScope)}, tokScopeChange(badChangeScope), "invalid scope"},
{[]Option{o, WithScope(changeScope)}, tokScopeChange(accessAllScope), "invalid scope"},
{[]Option{o, WithScope(multiModeScope)}, tokScopeChange(changeScope), "invalid scope"},
}
token, err := UnmarshalString(token)
if err != nil {
t.Skipf("UnmarshalToken has failed with %q, skipping Verify")
}
for i, c := range cases {
t.Run(fmt.Sprintf("%d", i), func(t *testing.T) {
token := c.mod(token)
err := token.Verify(c.opt...)
if c.err == "" {
if err != nil {
t.Fatalf("Unexpected error: %s", err)
}
} else {
if err == nil {
t.Fatalf("Expected error; got nil")
}
if c.err != err.Error() {
t.Fatalf("Expected error %s; got %s", c.err, err)
}
}
})
}
}
var o = WithOrigins("https://cobased.com")
type tokmod func(Token) Token
func tokNoMod(t Token) Token {
return t
}
func tokAlive(t Token) Token {
t.ExpireAt = time.Now().Add(1 * time.Hour)
return t
}
func tokExpired(t Token) Token {
t.ExpireAt = time.Now().Add(-1 * time.Hour)
return t
}
func tokInvalidSignature(t Token) Token {
t.Signature = []byte{0xD, 0xE, 0xD, 0xB, 0xE, 0xE, 0xE, 0xF}
return t
}
// This shouldn't even call ed25519.Verify, but fail on checking size of the key
func tokSmallPublicKey(t Token) Token {
t.PublicKey = t.PublicKey[:len(t.PublicKey)-2]
return t
}
func tokInvalidHMAC(t Token) Token {
t.HMACSignature = []byte{0xD, 0xE, 0xD, 0xB, 0xE, 0xE, 0xE, 0xF}
return t
}
func tokInvalidProvider(t Token) Token {
t.Provider = "evilcorp.com"
return t
}
func tokInvalidClient(t Token) Token {
t = tokAlive(t)
t.Client = "evilcorp.com"
return t
}
func tokScopeChange(scope url.Values) func(t Token) Token {
return func(t Token) Token {
t = tokAlive(t)
t.Scope = scope
return t
}
}