TUN-8331: Add unit testing for AccessJWTValidator middleware

cloudflare · Apr 11, 2024 · b9898a9 · b9898a9
1 parent 6876821
commit b9898a9
Showing 1 changed file with 126 additions and 0 deletions.
diff --git a/ingress/middleware/jwtvalidator_test.go b/ingress/middleware/jwtvalidator_test.go
@@ -0,0 +1,126 @@
+package middleware
+
+import (
+	"context"
+	"crypto"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/rand"
+	"encoding/json"
+	"fmt"
+	"net/http/httptest"
+	"testing"
+	"time"
+
+	"github.com/coreos/go-oidc/v3/oidc"
+	"github.com/go-jose/go-jose/v4"
+	"github.com/go-jose/go-jose/v4/jwt"
+	"github.com/stretchr/testify/assert"
+	"github.com/stretchr/testify/require"
+)
+
+var (
+	issuer = fmt.Sprintf(cloudflareAccessCertsURL, "testteam")
+)
+
+type accessTokenClaims struct {
+	Email string `json:"email"`
+	Type  string `json:"type"`
+	jwt.Claims
+}
+
+func TestJWTValidator(t *testing.T) {
+	req := httptest.NewRequest("GET", "http://example.com", nil)
+
+	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
+	require.NoError(t, err)
+	issued := time.Now()
+	claims := accessTokenClaims{
+		Email: "[email protected]",
+		Type:  "app",
+		Claims: jwt.Claims{
+			Issuer:   issuer,
+			Subject:  "ee239b7a-e3e6-4173-972a-8fbe9d99c04f",
+			Audience: []string{""},
+			Expiry:   jwt.NewNumericDate(issued.Add(time.Hour)),
+			IssuedAt: jwt.NewNumericDate(issued),
+		},
+	}
+	token := signToken(t, claims, key)
+	req.Header.Add(headerKeyAccessJWTAssertion, token)
+
+	keySet := oidc.StaticKeySet{PublicKeys: []crypto.PublicKey{key.Public()}}
+	config := &oidc.Config{
+		SkipClientIDCheck:    true,
+		SupportedSigningAlgs: []string{string(jose.ES256)},
+	}
+	verifier := oidc.NewVerifier(issuer, &keySet, config)
+
+	tests := []struct {
+		name    string
+		audTags []string
+		aud     jwt.Audience
+		error   bool
+	}{
+		{
+			name: "valid",
+			audTags: []string{
+				"0bc545634b1732494b3f9472794a549c883fabd48de9dfe0e0413e59c3f96c38",
+				"d7ec5b7fda23ffa8f8c8559fb37c66a2278208a78dbe376a3394b5ffec6911ba",
+			},
+			aud:   jwt.Audience{"d7ec5b7fda23ffa8f8c8559fb37c66a2278208a78dbe376a3394b5ffec6911ba"},
+			error: false,
+		},
+		{
+			name: "invalid no match",
+			audTags: []string{
+				"0bc545634b1732494b3f9472794a549c883fabd48de9dfe0e0413e59c3f96c38",
+				"d7ec5b7fda23ffa8f8c8559fb37c66a2278208a78dbe376a3394b5ffec6911ba",
+			},
+			aud:   jwt.Audience{"09dc377143841843ecca28b196bdb1ec1675af38c8b7b60c7def5876c8877157"},
+			error: true,
+		},
+		{
+			name:    "invalid empty check",
+			audTags: []string{},
+			aud:     jwt.Audience{"09dc377143841843ecca28b196bdb1ec1675af38c8b7b60c7def5876c8877157"},
+			error:   true,
+		},
+		{
+			name: "invalid absent aud",
+			audTags: []string{
+				"0bc545634b1732494b3f9472794a549c883fabd48de9dfe0e0413e59c3f96c38",
+				"d7ec5b7fda23ffa8f8c8559fb37c66a2278208a78dbe376a3394b5ffec6911ba",
+			},
+			aud:   jwt.Audience{""},
+			error: true,
+		},
+	}
+	for _, test := range tests {
+		t.Run(test.name, func(t *testing.T) {
+			validator := JWTValidator{
+				IDTokenVerifier: verifier,
+				audTags:         test.audTags,
+			}
+			claims.Audience = test.aud
+			token := signToken(t, claims, key)
+			req.Header.Set(headerKeyAccessJWTAssertion, token)
+
+			result, err := validator.Handle(context.Background(), req)
+			assert.NoError(t, err)
+			assert.Equal(t, test.error, result.ShouldFilterRequest)
+		})
+	}
+}
+
+func signToken(t *testing.T, token accessTokenClaims, key *ecdsa.PrivateKey) string {
+	signer, err := jose.NewSigner(jose.SigningKey{Algorithm: jose.ES256, Key: key}, &jose.SignerOptions{})
+	require.NoError(t, err)
+	payload, err := json.Marshal(token)
+	require.NoError(t, err)
+	jws, err := signer.Sign(payload)
+	require.NoError(t, err)
+	jwt, err := jws.CompactSerialize()
+	require.NoError(t, err)
+	return jwt
+}