validation_test.go

Documentation: gopkg.in/square/go-jose.v2/jwt

     1  /*-
     2   * Copyright 2016 Zbigniew Mandziejewicz
     3   * Copyright 2016 Square, Inc.
     4   *
     5   * Licensed under the Apache License, Version 2.0 (the "License");
     6   * you may not use this file except in compliance with the License.
     7   * You may obtain a copy of the License at
     8   *
     9   *     http://www.apache.org/licenses/LICENSE-2.0
    10   *
    11   * Unless required by applicable law or agreed to in writing, software
    12   * distributed under the License is distributed on an "AS IS" BASIS,
    13   * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
    14   * See the License for the specific language governing permissions and
    15   * limitations under the License.
    16   */
    17  
    18  package jwt
    19  
    20  import (
    21  	"testing"
    22  	"time"
    23  
    24  	"github.com/stretchr/testify/assert"
    25  )
    26  
    27  func TestFieldsMatch(t *testing.T) {
    28  	c := Claims{
    29  		Issuer:   "issuer",
    30  		Subject:  "subject",
    31  		Audience: []string{"a1", "a2"},
    32  		ID:       "42",
    33  	}
    34  
    35  	valid := []Expected{
    36  		{Issuer: "issuer"},
    37  		{Subject: "subject"},
    38  		{Audience: Audience{"a1", "a2"}},
    39  		{Audience: Audience{"a2", "a1"}},
    40  		{ID: "42"},
    41  	}
    42  
    43  	for _, v := range valid {
    44  		assert.NoError(t, c.Validate(v))
    45  	}
    46  
    47  	invalid := []struct {
    48  		Expected Expected
    49  		Error    error
    50  	}{
    51  		{Expected{Issuer: "invalid-issuer"}, ErrInvalidIssuer},
    52  		{Expected{Subject: "invalid-subject"}, ErrInvalidSubject},
    53  		{Expected{Audience: Audience{"invalid-audience"}}, ErrInvalidAudience},
    54  		{Expected{ID: "invalid-id"}, ErrInvalidID},
    55  	}
    56  
    57  	for _, v := range invalid {
    58  		assert.Equal(t, v.Error, c.Validate(v.Expected))
    59  	}
    60  }
    61  
    62  func TestExpiryAndNotBefore(t *testing.T) {
    63  	now := time.Date(2016, 1, 1, 12, 0, 0, 0, time.UTC)
    64  	twelveHoursAgo := now.Add(-12 * time.Hour)
    65  
    66  	c := Claims{
    67  		IssuedAt:  NewNumericDate(twelveHoursAgo),
    68  		NotBefore: NewNumericDate(twelveHoursAgo),
    69  		Expiry:    NewNumericDate(now),
    70  	}
    71  
    72  	// expired - default leeway (1 minute)
    73  	assert.NoError(t, c.Validate(Expected{Time: now}))
    74  	err := c.Validate(Expected{Time: now.Add(2 * DefaultLeeway)})
    75  	if assert.Error(t, err) {
    76  		assert.Equal(t, err, ErrExpired)
    77  	}
    78  
    79  	// expired - no leeway
    80  	assert.NoError(t, c.ValidateWithLeeway(Expected{Time: now}, 0))
    81  	err = c.ValidateWithLeeway(Expected{Time: now.Add(1 * time.Second)}, 0)
    82  	if assert.Error(t, err) {
    83  		assert.Equal(t, err, ErrExpired)
    84  	}
    85  
    86  	// not before - default leeway (1 minute)
    87  	assert.NoError(t, c.Validate(Expected{Time: twelveHoursAgo}))
    88  	err = c.Validate(Expected{Time: twelveHoursAgo.Add(-2 * DefaultLeeway)})
    89  	if assert.Error(t, err) {
    90  		assert.Equal(t, err, ErrNotValidYet)
    91  	}
    92  }
    93  
    94  func TestIssuedInFuture(t *testing.T) {
    95  	now := time.Date(2016, 1, 1, 12, 0, 0, 0, time.UTC)
    96  	oneHourInThePast := now.Add(-time.Hour)
    97  	oneHourInTheFuture := now.Add(time.Hour)
    98  
    99  	c := Claims{
   100  		IssuedAt:  NewNumericDate(now),
   101  		NotBefore: NewNumericDate(oneHourInThePast),
   102  		Expiry:    NewNumericDate(oneHourInTheFuture),
   103  	}
   104  
   105  	// defaults: valid right now, or in the future
   106  	assert.NoError(t, c.Validate(Expected{Time: now}))
   107  	assert.NoError(t, c.Validate(Expected{Time: now.Add(2 * DefaultLeeway)}))
   108  
   109  	// cannot be issued in the future
   110  	err := c.Validate(Expected{Time: now.Add(-2 * DefaultLeeway)})
   111  	if assert.Error(t, err) {
   112  		assert.Equal(t, err, ErrIssuedInTheFuture)
   113  	}
   114  	err = c.Validate(Expected{Time: now.Add(-DefaultLeeway - 1)})
   115  	if assert.Error(t, err) {
   116  		assert.Equal(t, err, ErrIssuedInTheFuture)
   117  	}
   118  
   119  	// valid when we are within the default leeway
   120  	assert.NoError(t, c.Validate(Expected{Time: now.Add(-DefaultLeeway)}))
   121  
   122  	// no leeway: valid up to the exact time; expired if issued one ns in the future
   123  	assert.NoError(t, c.ValidateWithLeeway(Expected{Time: now}, 0))
   124  	err = c.ValidateWithLeeway(Expected{Time: now.Add(-1)}, 0)
   125  	if assert.Error(t, err) {
   126  		assert.Equal(t, err, ErrIssuedInTheFuture)
   127  	}
   128  }
   129  
   130  func TestOptionalDateClaims(t *testing.T) {
   131  	var epoch time.Time
   132  
   133  	testCases := []struct {
   134  		name  string
   135  		claim Claims
   136  		want  error
   137  	}{
   138  		{
   139  			"no claims",
   140  			Claims{},
   141  			nil,
   142  		},
   143  		{
   144  			"fail nbf",
   145  			Claims{NotBefore: NewNumericDate(time.Now())},
   146  			ErrNotValidYet,
   147  		},
   148  		{
   149  			"fail exp",
   150  			Claims{Expiry: NewNumericDate(epoch.Add(-7 * 24 * time.Hour))},
   151  			ErrExpired,
   152  		},
   153  		{
   154  			"fail iat",
   155  			Claims{IssuedAt: NewNumericDate(time.Now())},
   156  			ErrIssuedInTheFuture,
   157  		},
   158  	}
   159  
   160  	for _, tc := range testCases {
   161  		t.Run(tc.name, func(t *testing.T) {
   162  			expect := Expected{}.WithTime(epoch.Add(-24 * time.Hour))
   163  			err := tc.claim.Validate(expect)
   164  			assert.Equal(t, tc.want, err)
   165  		})
   166  	}
   167  }
   168
View as plain text