mirror of
https://github.com/twofas/2fas-server.git
synced 2025-01-05 22:15:56 +01:00
171 lines
3.9 KiB
Go
171 lines
3.9 KiB
Go
package sign
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"crypto/rand"
|
|
"errors"
|
|
"testing"
|
|
"time"
|
|
|
|
"github.com/aws/aws-sdk-go/aws"
|
|
"github.com/aws/aws-sdk-go/aws/credentials"
|
|
"github.com/aws/aws-sdk-go/aws/session"
|
|
"github.com/aws/aws-sdk-go/service/kms"
|
|
"github.com/golang-jwt/jwt/v5"
|
|
"github.com/google/uuid"
|
|
)
|
|
|
|
type ecdsaSigningMethodWithStaticKey struct {
|
|
privateKey *ecdsa.PrivateKey
|
|
}
|
|
|
|
func (e ecdsaSigningMethodWithStaticKey) Verify(signingString string, sig []byte, key interface{}) error {
|
|
panic("not needed")
|
|
}
|
|
|
|
func (e ecdsaSigningMethodWithStaticKey) Sign(signingString string, key interface{}) ([]byte, error) {
|
|
return jwt.SigningMethodES256.Sign(signingString, e.privateKey)
|
|
}
|
|
|
|
func (e ecdsaSigningMethodWithStaticKey) Alg() string {
|
|
return jwt.SigningMethodES256.Alg()
|
|
}
|
|
|
|
func TestSignAndVerifyHappyPath(t *testing.T) {
|
|
srv := createTestService(t)
|
|
|
|
now := time.Now()
|
|
|
|
token, err := srv.SignAndEncode(Message{
|
|
ConnectionID: uuid.New().String(),
|
|
ExpiresAt: now.Add(time.Hour),
|
|
ConnectionType: ConnectionTypeBrowserExtensionProxy,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
_, err = srv.CanI(token, ConnectionTypeBrowserExtensionProxy)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
}
|
|
|
|
func createTestService(t *testing.T) Service {
|
|
t.Helper()
|
|
|
|
pk, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
srv := Service{
|
|
publicKey: &pk.PublicKey,
|
|
signingMethod: ecdsaSigningMethodWithStaticKey{
|
|
privateKey: pk,
|
|
},
|
|
}
|
|
return srv
|
|
}
|
|
|
|
func TestSignAndVerify(t *testing.T) {
|
|
sess, err := session.NewSession(&aws.Config{
|
|
Region: aws.String("us-east-1"),
|
|
Credentials: credentials.NewStaticCredentials("test", "test", ""),
|
|
S3ForcePathStyle: aws.Bool(true),
|
|
Endpoint: aws.String("http://localhost:4566"),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
kmsClient := kms.New(sess)
|
|
srv := createTestService(t)
|
|
now := time.Now()
|
|
|
|
tests := []struct {
|
|
name string
|
|
tokenFn func() string
|
|
expectedError error
|
|
}{
|
|
{
|
|
name: "not even jwt token",
|
|
tokenFn: func() string {
|
|
return "xxx"
|
|
},
|
|
expectedError: jwt.ErrTokenMalformed,
|
|
},
|
|
{
|
|
name: "token is expired",
|
|
tokenFn: func() string {
|
|
token, err := srv.SignAndEncode(Message{
|
|
ConnectionID: uuid.New().String(),
|
|
ExpiresAt: now.Add(-time.Hour),
|
|
ConnectionType: ConnectionTypeBrowserExtensionProxy,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return token
|
|
},
|
|
expectedError: jwt.ErrTokenExpired,
|
|
},
|
|
{
|
|
name: "invalid claim",
|
|
tokenFn: func() string {
|
|
token, err := srv.SignAndEncode(Message{
|
|
ConnectionID: uuid.New().String(),
|
|
ExpiresAt: now.Add(time.Hour),
|
|
ConnectionType: ConnectionTypeBrowserExtensionWait,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return token
|
|
},
|
|
expectedError: ErrInvalidClaims,
|
|
},
|
|
{
|
|
name: "invalid signature",
|
|
tokenFn: func() string {
|
|
resp, err := kmsClient.CreateKey(&kms.CreateKeyInput{
|
|
KeySpec: aws.String("ECC_NIST_P256"),
|
|
KeyUsage: aws.String("SIGN_VERIFY"),
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
serviceWithAnotherKey, err := NewService(*resp.KeyMetadata.KeyId, kmsClient)
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
|
|
token, err := serviceWithAnotherKey.SignAndEncode(Message{
|
|
ConnectionID: uuid.New().String(),
|
|
ExpiresAt: now.Add(-time.Hour),
|
|
ConnectionType: ConnectionTypeBrowserExtensionProxy,
|
|
})
|
|
if err != nil {
|
|
t.Fatal(err)
|
|
}
|
|
return token
|
|
},
|
|
expectedError: jwt.ErrTokenSignatureInvalid,
|
|
},
|
|
}
|
|
|
|
for _, tc := range tests {
|
|
t.Run(tc.name, func(t *testing.T) {
|
|
token := tc.tokenFn()
|
|
_, err := srv.CanI(token, ConnectionTypeBrowserExtensionProxy)
|
|
if err == nil {
|
|
t.Fatalf("Expected error %v, got nil", tc.expectedError)
|
|
}
|
|
if !errors.Is(err, tc.expectedError) {
|
|
t.Fatalf("Expected error %v, got %v", tc.expectedError, err)
|
|
}
|
|
})
|
|
}
|
|
|
|
}
|