package kmsjwt_test
import (
"context"
"errors"
"testing"
"github.com/golang-jwt/jwt/v4"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"github.com/spacelift-io/kmsjwt/v7"
)
// TestWithLocalStack runs the signer against a live KMS endpoint obtained from
// newKMSClient. It checks a full Sign/Verify round trip, and then that the
// signature is also accepted by the jwt library's own implementation of the
// algorithm the signer reports via Alg(), using the key's public half.
func TestWithLocalStack(t *testing.T) {
	const in = "sign me, please"

	ctx := context.Background()
	client := newKMSClient(t, ctx)
	keyID := client.CreateKey(t, ctx)

	// newSigner builds a signer for the freshly created key and fails the
	// calling subtest if construction does not succeed.
	newSigner := func(t *testing.T) kmsjwt.KMSJWT {
		t.Helper()
		s, err := kmsjwt.New(ctx, client.KMS, keyID)
		require.NoError(t, err, "new")
		return s
	}

	t.Run("sign and verify", func(t *testing.T) {
		signer := newSigner(t)

		sig, err := signer.Sign(in, ctx)
		require.NoError(t, err, "sign")

		assert.NoError(t, signer.Verify(in, sig, ctx), "verify")
	})

	t.Run("RFC compliance", func(t *testing.T) {
		signer := newSigner(t)

		sig, err := signer.Sign(in, ctx)
		require.NoError(t, err, "sign")

		// The algorithm name must resolve to a method the jwt library knows,
		// and that method must accept the KMS-produced signature.
		method := jwt.GetSigningMethod(signer.Alg())
		require.NotNil(t, method, "unknown algorithm")

		pub := client.GetPublicKey(t, ctx, keyID)
		assert.NoError(t, method.Verify(in, sig, pub), "verify")
	})
}
// TestNew covers constructing a signer from a stubbed KMS: the happy path, a
// KMS error that must remain reachable through the returned error chain, and
// public keys that are either of an unexpected type or not parsable at all.
func TestNew(t *testing.T) {
	const keyID = "dummy"

	t.Run("happy", func(t *testing.T) {
		_, _ = newSignerAndStub(t)
	})

	kmsFailure := errors.New("something went wrong")

	cases := []struct {
		name  string
		stub  func(t *testing.T) KMSStub
		check func(t *testing.T, err error)
	}{
		{
			name: "error preserved in chain from KMS",
			stub: func(*testing.T) KMSStub { return KMSStub{Err: kmsFailure} },
			check: func(t *testing.T, err error) {
				assert.ErrorIs(t, err, kmsFailure)
			},
		},
		{
			name: "wrong key type",
			stub: func(t *testing.T) KMSStub {
				return KMSStub{PublicKey: encodedED25519PublicKey(t)}
			},
			check: func(t *testing.T, err error) {
				assert.ErrorContains(t, err, "cannot assert")
			},
		},
		{
			name: "key not parsable",
			stub: func(*testing.T) KMSStub {
				return KMSStub{PublicKey: []byte("something unexpected")}
			},
			check: func(t *testing.T, err error) {
				assert.ErrorContains(t, err, "could not parse")
			},
		},
	}

	for _, tc := range cases {
		t.Run(tc.name, func(t *testing.T) {
			// The stub is built inside the subtest so a helper failure is
			// attributed to this case rather than to the parent test.
			_, err := kmsjwt.New(context.Background(), tc.stub(t), keyID)
			tc.check(t, err)
		})
	}
}
// newSignerAndStub returns a signer backed by an in-memory KMS stub serving
// the encoded RSA public key from encodedRSAPublicKey, together with the stub
// itself so a test can inject failures after construction (e.g. set stub.Err).
// It fails the calling test if the signer cannot be built.
func newSignerAndStub(t *testing.T) (kmsjwt.KMSJWT, *KMSStub) {
	t.Helper()

	kms := &KMSStub{PublicKey: encodedRSAPublicKey(t)}
	signer, err := kmsjwt.New(context.Background(), kms, "dummy")
	require.NoError(t, err, "creating signer")

	return signer, kms
}
// TestKMSJWT_Alg pins the JWS algorithm identifier the signer advertises.
// Valid values: https://datatracker.ietf.org/doc/html/rfc7518#section-3.1
// Verifiers that select their method from "alg" (as the RFC-compliance test
// does via jwt.GetSigningMethod) depend on it, hence the MAJOR-change warning.
func TestKMSJWT_Alg(t *testing.T) {
	signer, _ := newSignerAndStub(t)

	got := signer.Alg()
	assert.Equal(t, "PS512", got, "algorithm changed, that's MAJOR change")
}
// TestKMSJWT_Sign checks the two failure modes of Sign: a key argument that is
// not a context is rejected with jwt.ErrInvalidKeyType, and an error raised by
// KMS stays reachable through the returned error chain.
func TestKMSJWT_Sign(t *testing.T) {
	const signMe = "sign me, please"

	t.Run("invalid key type", func(t *testing.T) {
		signer, _ := newSignerAndStub(t)

		// Sign expects a context as its key; a plain string must be refused.
		_, err := signer.Sign(signMe, "foo")
		assert.ErrorIs(t, err, jwt.ErrInvalidKeyType)
	})

	t.Run("error preserved in chain", func(t *testing.T) {
		signer, stub := newSignerAndStub(t)
		kmsFailure := errors.New("something went wrong")
		stub.Err = kmsFailure

		_, err := signer.Sign(signMe, context.Background())
		assert.ErrorIs(t, err, kmsFailure)
	})
}
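// TestKMSJWT_Verify covers the verification side of the signer: a key
// argument that is not a context must be rejected with jwt.ErrInvalidKeyType,
// and a signature that cannot match the signing input must never verify even
// when the key argument is valid. The second case is the security-relevant
// negative test; without it a Verify that accepted anything would still pass.
func TestKMSJWT_Verify(t *testing.T) {
	const signMe = "sign me, please"

	t.Run("invalid key type", func(t *testing.T) {
		signer, _ := newSignerAndStub(t)

		err := signer.Verify(signMe, "invalid signature", "foo")
		assert.ErrorIs(t, err, jwt.ErrInvalidKeyType)
	})

	t.Run("invalid signature rejected", func(t *testing.T) {
		signer, _ := newSignerAndStub(t)

		// Same bogus signature as above, but now with a valid key argument:
		// the failure must come from the signature check itself.
		err := signer.Verify(signMe, "invalid signature", context.Background())
		assert.Error(t, err, "a signature that cannot be valid must not verify")
	})
}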