Commit 01536c1f authored by Sietse Ringers's avatar Sietse Ringers

Support symmetric HMAC JWTs in session unit tests

parent 794b6a6a
...@@ -68,6 +68,10 @@ var JwtServerConfiguration = &irmaserver.Configuration{ ...@@ -68,6 +68,10 @@ var JwtServerConfiguration = &irmaserver.Configuration{
AuthenticationMethod: irmaserver.AuthenticationMethodToken, AuthenticationMethod: irmaserver.AuthenticationMethodToken,
AuthenticationKey: "xa6=*&9?8jeUu5>.f-%rVg`f63pHim", AuthenticationKey: "xa6=*&9?8jeUu5>.f-%rVg`f63pHim",
}, },
"requestor3": {
AuthenticationMethod: irmaserver.AuthenticationMethodHmac,
AuthenticationKey: "eGE2PSomOT84amVVdTU+LmYtJXJWZ2BmNjNwSGltCg==",
},
}, },
JwtPrivateKey: filepath.Join(testdata, "jwtkeys", "sk.pem"), JwtPrivateKey: filepath.Join(testdata, "jwtkeys", "sk.pem"),
} }
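Review bot: The new requestor3 entry gives no hint that an HMAC AuthenticationKey is handled differently from the token keys above it: the server base64-decodes it at startup, whereas requestor2's key is used verbatim. A one-line comment on the entry would keep the next editor of this fixture from pasting a raw secret here, e.g. `// HMAC keys are base64-encoded; HmacAuthenticator decodes them when the server starts.` The value itself appears to decode to requestor2's token followed by a newline, which looks like an `echo` without `-n`; harmless for a test fixture, but worth knowing if the two are ever expected to match.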
package sessiontest package sessiontest
import ( import (
"encoding/base64"
"encoding/json" "encoding/json"
"io/ioutil" "io/ioutil"
"path/filepath" "path/filepath"
...@@ -119,12 +120,16 @@ func startSession(t *testing.T, request irma.SessionRequest, sessiontype string) ...@@ -119,12 +120,16 @@ func startSession(t *testing.T, request irma.SessionRequest, sessiontype string)
switch TestType { switch TestType {
case "apiserver": case "apiserver":
url := "http://localhost:8088/irma_api_server/api/v2/" + sessiontype url := "http://localhost:8088/irma_api_server/api/v2/" + sessiontype
err = irma.NewHTTPTransport(url).Post("", &qr, getJwt(t, request, sessiontype, false)) err = irma.NewHTTPTransport(url).Post("", &qr, getJwt(t, request, sessiontype, jwt.SigningMethodNone))
token = qr.URL token = qr.URL
qr.URL = url + "/" + qr.URL qr.URL = url + "/" + qr.URL
case "irmaserver-jwt": case "irmaserver-jwt":
url := "http://localhost:48682" url := "http://localhost:48682"
err = irma.NewHTTPTransport(url).Post("session", &qr, getJwt(t, request, sessiontype, true)) err = irma.NewHTTPTransport(url).Post("session", &qr, getJwt(t, request, sessiontype, jwt.SigningMethodRS256))
token = tokenFromURL(qr.URL)
case "irmaserver-hmac-jwt":
url := "http://localhost:48682"
err = irma.NewHTTPTransport(url).Post("session", &qr, getJwt(t, request, sessiontype, jwt.SigningMethodHS256))
token = tokenFromURL(qr.URL) token = tokenFromURL(qr.URL)
case "irmaserver": case "irmaserver":
url := "http://localhost:48682" url := "http://localhost:48682"
...@@ -146,7 +151,7 @@ func tokenFromURL(url string) string { ...@@ -146,7 +151,7 @@ func tokenFromURL(url string) string {
return parts[len(parts)-1] return parts[len(parts)-1]
} }
func getJwt(t *testing.T, request irma.SessionRequest, sessiontype string, signed bool) string { func getJwt(t *testing.T, request irma.SessionRequest, sessiontype string, alg jwt.SigningMethod) string {
var jwtcontents irma.RequestorJwt var jwtcontents irma.RequestorJwt
var kid string var kid string
switch sessiontype { switch sessiontype {
...@@ -163,7 +168,9 @@ func getJwt(t *testing.T, request irma.SessionRequest, sessiontype string, signe ...@@ -163,7 +168,9 @@ func getJwt(t *testing.T, request irma.SessionRequest, sessiontype string, signe
var j string var j string
var err error var err error
if signed {
switch alg {
case jwt.SigningMethodRS256:
skbts, err := ioutil.ReadFile(filepath.Join(test.FindTestdataFolder(t), "jwtkeys", "requestor1-sk.pem")) skbts, err := ioutil.ReadFile(filepath.Join(test.FindTestdataFolder(t), "jwtkeys", "requestor1-sk.pem"))
require.NoError(t, err) require.NoError(t, err)
sk, err := jwt.ParseRSAPrivateKeyFromPEM(skbts) sk, err := jwt.ParseRSAPrivateKeyFromPEM(skbts)
...@@ -171,7 +178,13 @@ func getJwt(t *testing.T, request irma.SessionRequest, sessiontype string, signe ...@@ -171,7 +178,13 @@ func getJwt(t *testing.T, request irma.SessionRequest, sessiontype string, signe
tok := jwt.NewWithClaims(jwt.SigningMethodRS256, jwtcontents) tok := jwt.NewWithClaims(jwt.SigningMethodRS256, jwtcontents)
tok.Header["kid"] = "requestor1" tok.Header["kid"] = "requestor1"
j, err = tok.SignedString(sk) j, err = tok.SignedString(sk)
} else { case jwt.SigningMethodHS256:
tok := jwt.NewWithClaims(jwt.SigningMethodHS256, jwtcontents)
tok.Header["kid"] = "requestor3"
bts, err := base64.StdEncoding.DecodeString(JwtServerConfiguration.Requestors["requestor3"].AuthenticationKey)
require.NoError(t, err)
j, err = tok.SignedString(bts)
case jwt.SigningMethodNone:
tok := jwt.NewWithClaims(jwt.SigningMethodNone, jwtcontents) tok := jwt.NewWithClaims(jwt.SigningMethodNone, jwtcontents)
tok.Header["kid"] = kid tok.Header["kid"] = kid
j, err = tok.SignedString(jwt.UnsafeAllowNoneSignatureType) j, err = tok.SignedString(jwt.UnsafeAllowNoneSignatureType)
...@@ -187,7 +200,7 @@ func sessionHelper(t *testing.T, request irma.SessionRequest, sessiontype string ...@@ -187,7 +200,7 @@ func sessionHelper(t *testing.T, request irma.SessionRequest, sessiontype string
defer test.ClearTestStorage(t) defer test.ClearTestStorage(t)
} }
if TestType == "irmaserver" || TestType == "irmaserver-jwt" { if TestType == "irmaserver" || TestType == "irmaserver-jwt" || TestType == "irmaserver-hmac-jwt" {
StartIrmaServer(JwtServerConfiguration) StartIrmaServer(JwtServerConfiguration)
defer StopIrmaServer() defer StopIrmaServer()
} }
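Review bot: In the new HS256 case, `bts, err := base64.StdEncoding.DecodeString(...)` redeclares `err` inside the case clause, so `j, err = tok.SignedString(bts)` two lines later assigns to that shadow rather than the `err` declared at the top of the function; if the signing result is checked only after the switch (that part of getJwt lies outside the hunk), a signing failure is silently dropped and an empty JWT is posted. The RS256 case has the same pre-existing pattern with `skbts, err :=`. The smallest fix is to check inside the case, `require.NoError(t, err)` directly after `j, err = tok.SignedString(bts)` (and likewise after the RS256 `SignedString`). Separately, the irmaserver-jwt and irmaserver-hmac-jwt cases in startSession are identical apart from the signing method, so they could share one case that picks the method from TestType. getJwt starts and ends outside the hunk.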
...@@ -83,12 +83,12 @@ func (hauth *HmacAuthenticator) Initialize(name string, requestor Requestor) err ...@@ -83,12 +83,12 @@ func (hauth *HmacAuthenticator) Initialize(name string, requestor Requestor) err
if requestor.AuthenticationKey == "" { if requestor.AuthenticationKey == "" {
return errors.Errorf("Requestor %s had no authentication key") return errors.Errorf("Requestor %s had no authentication key")
} }
var bts []byte if bts, err := base64.StdEncoding.DecodeString(requestor.AuthenticationKey); err != nil {
if _, err := base64.StdEncoding.Decode(bts, []byte(requestor.AuthenticationKey)); err != nil {
return err return err
} else {
hauth.hmackeys[name] = bts
return nil
} }
hauth.hmackeys[name] = bts
return nil
} }
func (pkauth *PublicKeyAuthenticator) Authenticate( func (pkauth *PublicKeyAuthenticator) Authenticate(
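Review bot: In the rewritten Initialize, `bts` is declared in the `if` initializer and therefore only scoped to that `if` statement, yet `hauth.hmackeys[name] = bts` sits after the closing brace; as rendered this does not compile, and if an outer `var bts []byte` survives that the page does not show, the inner `bts` shadows it and every HMAC requestor would be registered with a nil key, which any client could then reproduce. Decode first and test the error afterwards: `bts, err := base64.StdEncoding.DecodeString(requestor.AuthenticationKey)` followed by a plain `if err != nil { return err }`, then the map assignment. Consider also rejecting decoded keys shorter than the HMAC output size (32 bytes for HS256), since a short key is accepted silently here. Unrelated but adjacent: the `errors.Errorf("Requestor %s had no authentication key")` above passes no argument for `%s`; it should be given `name`. Initialize begins outside the hunk.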