7167a5be
Commit
7167a5be
authored
Nov 22, 2019
by
Ruben Nijveld
Committed by
Sietse Ringers
Feb 05, 2020
Add tests for HMAC and PSK authentication methods for the server
parent
70e08ff7
Changes
2
server/requestorserver/auth.go
@@ -195,12 +195,12 @@ func jwtAuthenticate(
if
err
!=
nil
{
return
true
,
nil
,
""
,
server
.
RemoteError
(
server
.
ErrorInvalidRequest
,
err
.
Error
())
}
if
!
claims
.
VerifyIssuedAt
(
time
.
Now
()
.
Unix
(),
true
)
{
return
true
,
nil
,
""
,
server
.
RemoteError
(
server
.
ErrorUnauthorized
,
"jwt not yet valid"
)
}
if
time
.
Unix
(
claims
.
IssuedAt
,
0
)
.
Add
(
time
.
Duration
(
maxRequestAge
)
*
time
.
Second
)
.
Before
(
time
.
Now
())
{
return
true
,
nil
,
""
,
server
.
RemoteError
(
server
.
ErrorUnauthorized
,
"jwt too old"
)
}
if
!
claims
.
VerifyIssuedAt
(
time
.
Now
()
.
Unix
(),
true
)
{
return
true
,
nil
,
""
,
server
.
RemoteError
(
server
.
ErrorUnauthorized
,
"jwt not yet valid"
)
}
// Read JWT contents
parsedJwt
,
err
:=
irma
.
ParseRequestorJwt
(
claims
.
Subject
,
requestorJwt
)
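Review bot: After the move, `claims.VerifyIssuedAt(time.Now().Unix(), true)` runs only for tokens that already passed the `maxRequestAge` window, and it is not clear which case it still catches: a missing `iat` leaves `claims.IssuedAt` at zero, so `time.Unix(0, 0)` plus the window is already rejected as "jwt too old" one check earlier, and the new "jwt data not yet valid" test in auth_test.go expects `ErrorInvalidRequest` rather than this branch's `ErrorUnauthorized`, which suggests the parser rejects a future `iat` before this function sees it. If that holds, the branch has no reachable failure case and should either be dropped or carry a comment explaining why it is kept, e.g. `// belt-and-braces: a future or absent iat should already have been rejected by the parser and the max-age check above`. jwtAuthenticate begins before this hunk and continues after it.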
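--- /dev/null
+++ b/server/requestorserver/auth_test.go
+package requestorserver
+
+import (
+	"encoding/json"
+	"github.com/dgrijalva/jwt-go"
+	irma "github.com/privacybydesign/irmago"
+	"github.com/privacybydesign/irmago/server"
+	"github.com/sirupsen/logrus"
+	"github.com/stretchr/testify/require"
+	"testing"
+	"time"
+)
+
+func TestPresharedKeyAuthenticator_Authenticate(t *testing.T) {
+	authenticator := PresharedKeyAuthenticator{presharedkeys: map[string]string{
+		"token": "my_requestor",
+	}}
+	validRequestBody := []byte(`{"request": {"@context":"https://irma.app/ld/request/disclosure/v2","disclose":[[["irma-demo.RU.studentCard.studentID"]]]}}`)
+	t.Run("valid", func(t *testing.T) {
+		requestHeaders := map[string][]string{
+			"Authorization": {"token"},
+			"Content-Type":  {"application/json"},
+		}
+		applies, parsedRequest, requestor, err := authenticator.Authenticate(requestHeaders, validRequestBody)
+		if err != nil {
+			require.NoError(t, err)
+		}
+		require.True(t, applies)
+		require.Equal(t, "irma-demo.RU.studentCard.studentID", parsedRequest.SessionRequest().Disclosure().Disclose[0][0][0].Type.String())
+		require.Equal(t, "my_requestor", requestor)
+	})
+	// tests below here will give warnings
+	server.Logger.SetLevel(logrus.ErrorLevel)
+	t.Run("invalid content", func(t *testing.T) {
+		requestHeaders := map[string][]string{
+			"Authorization": {"token"},
+			"Content-Type":  {"application/json"},
+		}
+		invalidRequestBody := []byte(`{}`)
+		applies, _, _, err := authenticator.Authenticate(requestHeaders, invalidRequestBody)
+		require.Error(t, err)
+		require.True(t, applies)
+	})
+	t.Run("invalid token", func(t *testing.T) {
+		requestHeaders := map[string][]string{
+			"Authorization": {"invalid"},
+			"Content-Type":  {"application/json"},
+		}
+		applies, _, _, err := authenticator.Authenticate(requestHeaders, validRequestBody)
+		require.True(t, applies)
+		require.Error(t, err)
+	})
+	t.Run("no authorization header", func(t *testing.T) {
+		requestHeaders := map[string][]string{
+			"UnusedHeader": {"token"},
+			"Content-Type": {"application/json"},
+		}
+		applies, _, _, err := authenticator.Authenticate(requestHeaders, validRequestBody)
+		require.False(t, applies)
+		if err != nil {
+			require.NoError(t, err)
+		}
+	})
+	t.Run("without content type", func(t *testing.T) {
+		requestHeaders := map[string][]string{
+			"Authorization": {"token"},
+		}
+		applies, _, _, err := authenticator.Authenticate(requestHeaders, validRequestBody)
+		require.False(t, applies)
+		if err != nil {
+			require.NoError(t, err)
+		}
+	})
+}
+
+func TestHmacAuthenticator_Authenticate(t *testing.T) {
+	key := []byte("953BCAB6F25F3622619A9A16BE895")
+	invalidKey := []byte("A5BB219FFB6199756DF8A284A3392")
+	authenticator := HmacAuthenticator{
+		hmackeys: map[string]interface{}{
+			"my_requestor": key,
+		},
+		maxRequestAge: 500,
+	}
+	disclosureRequestData := `{"@context":"https://irma.app/ld/request/disclosure/v2","disclose":[[["irma-demo.RU.studentCard.studentID"]]]}`
+	disclosureRequest := &irma.DisclosureRequest{}
+	require.NoError(t, json.Unmarshal([]byte(disclosureRequestData), disclosureRequest))
+	j := irma.NewServiceProviderJwt("my_requestor", disclosureRequest)
+	validJwtData, jErr := j.Sign(jwt.SigningMethodHS256, key)
+	require.NoError(t, jErr)
+	requestHeaders := map[string][]string{
+		"Content-Type": {"text/plain"},
+	}
+	t.Run("valid", func(t *testing.T) {
+		applies, parsedRequest, requestor, err := authenticator.Authenticate(requestHeaders, []byte(validJwtData))
+		if err != nil {
+			require.NoError(t, err)
+		}
+		require.True(t, applies)
+		require.Equal(t, "irma-demo.RU.studentCard.studentID", parsedRequest.SessionRequest().Disclosure().Disclose[0][0][0].Type.String())
+		require.Equal(t, "my_requestor", requestor)
+	})
+	server.Logger.SetLevel(logrus.ErrorLevel)
+	t.Run("invalid jwt requestor", func(t *testing.T) {
+		j := irma.NewServiceProviderJwt("another_requestor", disclosureRequest)
+		invalidJwtData, jErr := j.Sign(jwt.SigningMethodHS256, key)
+		require.NoError(t, jErr)
+		applies, _, _, err := authenticator.Authenticate(requestHeaders, []byte(invalidJwtData))
+		require.True(t, applies)
+		require.Error(t, err)
+	})
+	t.Run("empty jwt data", func(t *testing.T) {
+		claims := (*jwt.MapClaims)(&map[string]interface{}{
+			"sub":       "verification_request",
+			"iss":       "my_requestor",
+			"iat":       time.Now().Unix(),
+			"sprequest": map[string]interface{}{},
+		})
+		emptyJwtData, jErr := jwt.NewWithClaims(jwt.SigningMethodHS256, claims).SignedString(key)
+		require.NoError(t, jErr)
+		applies, _, _, err := authenticator.Authenticate(requestHeaders, []byte(emptyJwtData))
+		require.True(t, applies)
+		require.Error(t, err)
+		require.Equal(t, string(server.ErrorInvalidRequest.Type), err.ErrorName)
+	})
+	t.Run("old jwt data", func(t *testing.T) {
+		j := irma.NewServiceProviderJwt("my_requestor", disclosureRequest)
+		j.IssuedAt = (irma.Timestamp)(time.Unix(0, 0))
+		invalidJwtData, jErr := j.Sign(jwt.SigningMethodHS256, key)
+		require.NoError(t, jErr)
+		applies, _, _, err := authenticator.Authenticate(requestHeaders, []byte(invalidJwtData))
+		require.True(t, applies)
+		require.Error(t, err)
+		require.Equal(t, string(server.ErrorUnauthorized.Type), err.ErrorName)
+	})
+	t.Run("jwt data not yet valid", func(t *testing.T) {
+		j := irma.NewServiceProviderJwt("my_requestor", disclosureRequest)
+		j.IssuedAt = (irma.Timestamp)(time.Now().AddDate(1, 0, 0))
+		invalidJwtData, jErr := j.Sign(jwt.SigningMethodHS256, key)
+		require.NoError(t, jErr)
+		applies, _, _, err := authenticator.Authenticate(requestHeaders, []byte(invalidJwtData))
+		require.True(t, applies)
+		require.Error(t, err)
+		require.Equal(t, string(server.ErrorInvalidRequest.Type), err.ErrorName)
+	})
+	t.Run("jwt signed using invalid key", func(t *testing.T) {
+		j := irma.NewServiceProviderJwt("my_requestor", disclosureRequest)
+		invalidJwtData, jErr := j.Sign(jwt.SigningMethodHS256, invalidKey)
+		require.NoError(t, jErr)
+		applies, _, _, err := authenticator.Authenticate(requestHeaders, []byte(invalidJwtData))
+		require.True(t, applies)
+		require.Error(t, err)
+	})
+}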
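Review bot: The guard `if err != nil { require.NoError(t, err) }`, repeated in the "valid", "no authorization header" and "without content type" subtests and again in the HMAC "valid" case, looks like a workaround for the typed-nil interface trap — `Authenticate` returns a concrete error pointer (the later subtests read `err.ErrorName`), and a typed nil passed straight to `require.NoError` would be reported as a failure. `require.Nil(t, err)` checks the pointer itself and replaces the three lines with one; if the guard is kept, a comment saying why it exists would spare the next reader the puzzle. `server.Logger.SetLevel(logrus.ErrorLevel)` changes package-global state in both functions and is never restored, so every test that runs afterwards in this package inherits the quieter level; `defer server.Logger.SetLevel(server.Logger.Level)` placed before the first call undoes it at function exit. The HMAC cases cover a wrong key, a foreign requestor and out-of-window timestamps but not a token whose header names a different signing method than the configured HMAC key, and whether the parser pins the method is not visible from this file, so a case next to "jwt signed using invalid key" asserting rejection would document that property.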