fix: handle keys without use in FindMatchingKey

2022-01-28 09:42:42 +01:00 · 2022-01-28 09:42:42 +01:00 · bcd9ec8d85
commit bcd9ec8d85
parent f103b56e95
2 changed files with 129 additions and 8 deletions
--- a/pkg/oidc/keyset_test.go
+++ b/pkg/oidc/keyset_test.go
@ -139,6 +139,27 @@ func TestFindKey(t *testing.T) {
 				err: nil,
 			},
 		},
+		{
+			"single key no use, jwt with kid, match",
+			args{
+				keyID:       "id",
+				use:         KeyUseSignature,
+				expectedAlg: "RS256",
+				keys: []jose.JSONWebKey{
+					{
+						KeyID: "id",
+						Key:   &rsa.PublicKey{},
+					},
+				},
+			},
+			res{
+				key: jose.JSONWebKey{
+					KeyID: "id",
+					Key:   &rsa.PublicKey{},
+				},
+				err: nil,
+			},
+		},
 		{
 			"single key wrong kid, ErrKeyNone",
 			args{
@ -304,6 +325,94 @@ func TestFindKey(t *testing.T) {
 				err: nil,
 			},
 		},
+		{
+			"multiple keys, no use, jwt with kid, match",
+			args{
+				keyID:       "id1",
+				use:         KeyUseSignature,
+				expectedAlg: "RS256",
+				keys: []jose.JSONWebKey{
+					{
+						KeyID: "id1",
+						Key:   &rsa.PublicKey{},
+					},
+					{
+						KeyID: "id2",
+						Key:   &rsa.PublicKey{},
+					},
+				},
+			},
+			res{
+				key: jose.JSONWebKey{
+					KeyID: "id1",
+					Key:   &rsa.PublicKey{},
+				},
+				err: nil,
+			},
+		},
+		{
+			"multiple keys, no use, jwt without kid, ErrKeyMultiple",
+			args{
+				use:         KeyUseSignature,
+				expectedAlg: "RS256",
+				keys: []jose.JSONWebKey{
+					{
+						KeyID: "id1",
+						Key:   &rsa.PublicKey{},
+					},
+					{
+						KeyID: "id2",
+						Key:   &rsa.PublicKey{},
+					},
+				},
+			},
+			res{
+				key: jose.JSONWebKey{},
+				err: ErrKeyMultiple,
+			},
+		},
+		{
+			"multiple keys, no use or id, jwt with kid, ErrKeyMultiple",
+			args{
+				use:         KeyUseSignature,
+				expectedAlg: "RS256",
+				keyID:       "id1",
+				keys: []jose.JSONWebKey{
+					{
+						Key: &rsa.PublicKey{},
+					},
+					{
+						Key: &rsa.PublicKey{},
+					},
+				},
+			},
+			res{
+				key: jose.JSONWebKey{},
+				err: ErrKeyMultiple,
+			},
+		},
+		{
+			"multiple keys (only one matching alg), jwt with kid, match",
+			args{
+				use:         KeyUseSignature,
+				expectedAlg: "RS256",
+				keyID:       "id1",
+				keys: []jose.JSONWebKey{
+					{
+						Key: &rsa.PublicKey{},
+					},
+					{
+						Key: &ecdsa.PublicKey{},
+					},
+				},
+			},
+			res{
+				key: jose.JSONWebKey{
+					Key: &rsa.PublicKey{},
+				},
+				err: nil,
+			},
+		},
 	}
 	for _, tt := range tests {
 		t.Run(tt.name, func(t *testing.T) {