add unit tests to oidc verifier

2023-03-20 18:07:38 +02:00 · 2023-03-20 18:07:38 +02:00 · d877539236
commit d877539236
parent 9c7bcae539
4 changed files with 515 additions and 8 deletions
--- a/internal/testutil/token.go
+++ b/internal/testutil/token.go
@ -17,7 +17,7 @@ type KeySet struct{}

 // VerifySignature implments op.KeySet.
 func (KeySet) VerifySignature(ctx context.Context, jws *jose.JSONWebSignature) (payload []byte, err error) {
-	if ctx.Err() != nil {
+	if err = ctx.Err(); err != nil {
 		return nil, err
 	}

--- a/pkg/oidc/verifier.go
+++ b/pkg/oidc/verifier.go
@ -130,6 +130,11 @@ func CheckAudience(claims Claims, clientID string) error {
 	return nil
 }

+// CheckAuthorizedParty checks azp (authorized party) claim requirements.
+//
+// If the ID Token contains multiple audiences, the Client SHOULD verify that an azp Claim is present.
+// If an azp Claim is present, the Client SHOULD verify that its client_id is the Claim Value.
+// https://openid.net/specs/openid-connect-core-1_0.html#IDTokenValidation
 func CheckAuthorizedParty(claims Claims, clientID string) error {
 	if len(claims.GetAudience()) > 1 {
 		if claims.GetAuthorizedParty() == "" {
@ -176,26 +181,26 @@ func CheckSignature(ctx context.Context, token string, payload []byte, claims Cl
 }

 func CheckExpiration(claims Claims, offset time.Duration) error {
-	expiration := claims.GetExpiration().Round(time.Second)
-	if !time.Now().UTC().Add(offset).Before(expiration) {
+	expiration := claims.GetExpiration()
+	if !time.Now().Add(offset).Before(expiration) {
 		return ErrExpired
 	}
 	return nil
 }

 func CheckIssuedAt(claims Claims, maxAgeIAT, offset time.Duration) error {
-	issuedAt := claims.GetIssuedAt().Round(time.Second)
+	issuedAt := claims.GetIssuedAt()
 	if issuedAt.IsZero() {
 		return ErrIatMissing
 	}
-	nowWithOffset := time.Now().UTC().Add(offset).Round(time.Second)
+	nowWithOffset := time.Now().Add(offset).Round(time.Second)
 	if issuedAt.After(nowWithOffset) {
 		return fmt.Errorf("%w: (iat: %v, now with offset: %v)", ErrIatInFuture, issuedAt, nowWithOffset)
 	}
 	if maxAgeIAT == 0 {
 		return nil
 	}
-	maxAge := time.Now().UTC().Add(-maxAgeIAT).Round(time.Second)
+	maxAge := time.Now().Add(-maxAgeIAT)
 	if issuedAt.Before(maxAge) {
 		return fmt.Errorf("%w: must not be older than %v, but was %v (%v to old)", ErrIatToOld, maxAge, issuedAt, maxAge.Sub(issuedAt))
 	}
@ -225,8 +230,8 @@ func CheckAuthTime(claims Claims, maxAge time.Duration) error {
 	if claims.GetAuthTime().IsZero() {
 		return ErrAuthTimeNotPresent
 	}
-	authTime := claims.GetAuthTime().Round(time.Second)
-	maxAuthTime := time.Now().UTC().Add(-maxAge).Round(time.Second)
+	authTime := claims.GetAuthTime()
+	maxAuthTime := time.Now().Add(-maxAge).Round(time.Second)
 	if authTime.Before(maxAuthTime) {
 		return fmt.Errorf("%w: must not be older than %v, but was %v (%v to old)", ErrAuthTimeToOld, maxAge, authTime, maxAuthTime.Sub(authTime))
 	}
--- a/pkg/oidc/verifier_parse_test.go
+++ b/pkg/oidc/verifier_parse_test.go
@ -0,0 +1,128 @@
+package oidc_test
+
+import (
+	"context"
+	"encoding/json"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+	tu "github.com/zitadel/oidc/v2/internal/testutil"
+	"github.com/zitadel/oidc/v2/pkg/oidc"
+)
+
+func TestParseToken(t *testing.T) {
+	token, wantClaims := tu.ValidIDToken()
+	wantClaims.SignatureAlg = "" // unset, because is not part of the JSON payload
+
+	wantPayload, err := json.Marshal(wantClaims)
+	require.NoError(t, err)
+
+	tests := []struct {
+		name        string
+		tokenString string
+		wantErr     bool
+	}{
+		{
+			name:        "split error",
+			tokenString: "nope",
+			wantErr:     true,
+		},
+		{
+			name:        "base64 error",
+			tokenString: "foo.~.bar",
+			wantErr:     true,
+		},
+		{
+			name:        "success",
+			tokenString: token,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			gotClaims := new(oidc.IDTokenClaims)
+			gotPayload, err := oidc.ParseToken(tt.tokenString, gotClaims)
+			if tt.wantErr {
+				assert.Error(t, err)
+				return
+			}
+			require.NoError(t, err)
+			assert.Equal(t, wantClaims, gotClaims)
+			assert.JSONEq(t, string(wantPayload), string(gotPayload))
+		})
+	}
+}
+
+func TestCheckSignature(t *testing.T) {
+	errCtx, cancel := context.WithCancel(context.Background())
+	cancel()
+
+	token, _ := tu.ValidIDToken()
+	payload, err := oidc.ParseToken(token, &oidc.IDTokenClaims{})
+	require.NoError(t, err)
+
+	type args struct {
+		ctx              context.Context
+		token            string
+		payload          []byte
+		supportedSigAlgs []string
+	}
+	tests := []struct {
+		name    string
+		args    args
+		wantErr error
+	}{
+		{
+			name: "parse error",
+			args: args{
+				ctx:     context.Background(),
+				token:   "~",
+				payload: payload,
+			},
+			wantErr: oidc.ErrParse,
+		},
+		{
+			name: "default sigAlg",
+			args: args{
+				ctx:     context.Background(),
+				token:   token,
+				payload: payload,
+			},
+		},
+		{
+			name: "unsupported sigAlg",
+			args: args{
+				ctx:              context.Background(),
+				token:            token,
+				payload:          payload,
+				supportedSigAlgs: []string{"foo", "bar"},
+			},
+			wantErr: oidc.ErrSignatureUnsupportedAlg,
+		},
+		{
+			name: "verify error",
+			args: args{
+				ctx:     errCtx,
+				token:   token,
+				payload: payload,
+			},
+			wantErr: oidc.ErrSignatureInvalid,
+		},
+		{
+			name: "inequal payloads",
+			args: args{
+				ctx:     context.Background(),
+				token:   token,
+				payload: []byte{0, 1, 2},
+			},
+			wantErr: oidc.ErrSignatureInvalidPayload,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			claims := new(oidc.TokenClaims)
+			err := oidc.CheckSignature(tt.args.ctx, tt.args.token, tt.args.payload, claims, tt.args.supportedSigAlgs, tu.KeySet{})
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
--- a/pkg/oidc/verifier_test.go
+++ b/pkg/oidc/verifier_test.go
@ -0,0 +1,374 @@
+package oidc
+
+import (
+	"errors"
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+func TestDecryptToken(t *testing.T) {
+	const tokenString = "ABC"
+	got, err := DecryptToken(tokenString)
+	require.NoError(t, err)
+	assert.Equal(t, tokenString, got)
+}
+
+func TestDefaultACRVerifier(t *testing.T) {
+	acrVerfier := DefaultACRVerifier([]string{"foo", "bar"})
+
+	tests := []struct {
+		name    string
+		acr     string
+		wantErr string
+	}{
+		{
+			name: "ok",
+			acr:  "bar",
+		},
+		{
+			name:    "error",
+			acr:     "hello",
+			wantErr: "expected one of: [foo bar], got: \"hello\"",
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := acrVerfier(tt.acr)
+			if tt.wantErr != "" {
+				assert.EqualError(t, err, tt.wantErr)
+				return
+			}
+			require.NoError(t, err)
+		})
+	}
+}
+
+func TestCheckSubject(t *testing.T) {
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrSubjectMissing,
+		},
+		{
+			name: "ok",
+			claims: &TokenClaims{
+				Subject: "foo",
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckSubject(tt.claims)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckIssuer(t *testing.T) {
+	const issuer = "foo.bar"
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrIssuerInvalid,
+		},
+		{
+			name: "wrong",
+			claims: &TokenClaims{
+				Issuer: "wrong",
+			},
+			wantErr: ErrIssuerInvalid,
+		},
+		{
+			name: "ok",
+			claims: &TokenClaims{
+				Issuer: issuer,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckIssuer(tt.claims, issuer)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckAudience(t *testing.T) {
+	const clientID = "foo.bar"
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrAudience,
+		},
+		{
+			name: "wrong",
+			claims: &TokenClaims{
+				Audience: []string{"wrong"},
+			},
+			wantErr: ErrAudience,
+		},
+		{
+			name: "ok",
+			claims: &TokenClaims{
+				Audience: []string{clientID},
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckAudience(tt.claims, clientID)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckAuthorizedParty(t *testing.T) {
+	const clientID = "foo.bar"
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name: "single audience, no azp",
+			claims: &TokenClaims{
+				Audience: []string{clientID},
+			},
+		},
+		{
+			name: "multiple audience, no azp",
+			claims: &TokenClaims{
+				Audience: []string{clientID, "other"},
+			},
+			wantErr: ErrAzpMissing,
+		},
+		{
+			name: "single audience, with azp",
+			claims: &TokenClaims{
+				Audience:        []string{clientID},
+				AuthorizedParty: clientID,
+			},
+		},
+		{
+			name: "multiple audience, with azp",
+			claims: &TokenClaims{
+				Audience:        []string{clientID, "other"},
+				AuthorizedParty: clientID,
+			},
+		},
+		{
+			name: "wrong azp",
+			claims: &TokenClaims{
+				AuthorizedParty: "wrong",
+			},
+			wantErr: ErrAzpInvalid,
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckAuthorizedParty(tt.claims, clientID)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckExpiration(t *testing.T) {
+	const offset = time.Minute
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrExpired,
+		},
+		{
+			name: "expired",
+			claims: &TokenClaims{
+				Expiration: FromTime(time.Now().Add(-2 * offset)),
+			},
+			wantErr: ErrExpired,
+		},
+		{
+			name: "valid",
+			claims: &TokenClaims{
+				Expiration: FromTime(time.Now().Add(2 * offset)),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckExpiration(tt.claims, offset)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckIssuedAt(t *testing.T) {
+	const offset = time.Minute
+	tests := []struct {
+		name      string
+		maxAgeIAT time.Duration
+		claims    Claims
+		wantErr   error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrIatMissing,
+		},
+		{
+			name: "future",
+			claims: &TokenClaims{
+				IssuedAt: FromTime(time.Now().Add(time.Hour)),
+			},
+			wantErr: ErrIatInFuture,
+		},
+		{
+			name: "no max",
+			claims: &TokenClaims{
+				IssuedAt: FromTime(time.Now()),
+			},
+		},
+		{
+			name:      "past max",
+			maxAgeIAT: time.Minute,
+			claims: &TokenClaims{
+				IssuedAt: FromTime(time.Now().Add(-time.Hour)),
+			},
+			wantErr: ErrIatToOld,
+		},
+		{
+			name:      "within max",
+			maxAgeIAT: time.Hour,
+			claims: &TokenClaims{
+				IssuedAt: FromTime(time.Now()),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckIssuedAt(tt.claims, tt.maxAgeIAT, offset)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckNonce(t *testing.T) {
+	const nonce = "123"
+	tests := []struct {
+		name    string
+		claims  Claims
+		wantErr error
+	}{
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			wantErr: ErrNonceInvalid,
+		},
+		{
+			name: "wrong",
+			claims: &TokenClaims{
+				Nonce: "wrong",
+			},
+			wantErr: ErrNonceInvalid,
+		},
+		{
+			name: "ok",
+			claims: &TokenClaims{
+				Nonce: nonce,
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckNonce(tt.claims, nonce)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckAuthorizationContextClassReference(t *testing.T) {
+	tests := []struct {
+		name    string
+		acr     ACRVerifier
+		wantErr error
+	}{
+		{
+			name:    "error",
+			acr:     func(s string) error { return errors.New("oops") },
+			wantErr: ErrAcrInvalid,
+		},
+		{
+			name: "ok",
+			acr:  func(s string) error { return nil },
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckAuthorizationContextClassReference(&IDTokenClaims{}, tt.acr)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}
+
+func TestCheckAuthTime(t *testing.T) {
+	tests := []struct {
+		name    string
+		claims  Claims
+		maxAge  time.Duration
+		wantErr error
+	}{
+		{
+			name:   "no max age",
+			claims: &TokenClaims{},
+		},
+		{
+			name:    "missing",
+			claims:  &TokenClaims{},
+			maxAge:  time.Minute,
+			wantErr: ErrAuthTimeNotPresent,
+		},
+		{
+			name:   "expired",
+			maxAge: time.Minute,
+			claims: &TokenClaims{
+				AuthTime: FromTime(time.Now().Add(-time.Hour)),
+			},
+			wantErr: ErrAuthTimeToOld,
+		},
+		{
+			name:   "ok",
+			maxAge: time.Minute,
+			claims: &TokenClaims{
+				AuthTime: NowTime(),
+			},
+		},
+	}
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			err := CheckAuthTime(tt.claims, tt.maxAge)
+			assert.ErrorIs(t, err, tt.wantErr)
+		})
+	}
+}