archive-gh-me/gitpod
1
0
Fork 0
mirror of https://github.com/gitpod-io/gitpod.git synced 2025-12-08 17:36:30 +00:00
Code Issues Projects Releases Wiki Activity
gitpod/components/public-api-server/pkg/jws/rsa256_test.go
Milan Pavlik d069f76edc
[public-api] Refactor JWT Sign/Verify to be reusable for OIDC - WEB-206 (#17327) 
* [public-api] Refactor JWT Sign/Verify to be reusable for OIDC

* fix
2023-04-24 15:14:45 +08:00

65 lines
2.0 KiB
Go
Raw Blame History

// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package jws_test
import (
"testing"
"time"
"github.com/gitpod-io/gitpod/public-api-server/pkg/jws"
"github.com/gitpod-io/gitpod/public-api-server/pkg/jws/jwstest"
"github.com/golang-jwt/jwt/v5"
"github.com/stretchr/testify/require"
)
func TestRSA256SignVerify(t *testing.T) {
keyset := jwstest.GenerateKeySet(t)
rsa256, err := jws.NewRSA256(keyset)
require.NoError(t, err)
claims := &jwt.RegisteredClaims{
Subject: "user-id",
Issuer: "test-issuer",
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
IssuedAt: jwt.NewNumericDate(time.Now()),
}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
signed, err := rsa256.Sign(token)
require.NoError(t, err)
require.Equal(t, keyset.Signing.ID, token.Header[jws.KeyIDName], "signer must add key ID header")
verified, err := rsa256.Verify(signed, &jwt.RegisteredClaims{})
require.NoError(t, err)
require.Equal(t, claims, verified.Claims)
}
func TestRSA256VerifyWithOlderKey(t *testing.T) {
keyset := jwstest.GenerateKeySet(t)
// manually sign with older key
// this simulates a scenario where we issued a token with an older key, which we've since moved into our Validating keys
validating := keyset.Validating[0]
claims := &jwt.RegisteredClaims{
Subject: "user-id",
Issuer: "test-issuer",
ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
IssuedAt: jwt.NewNumericDate(time.Now()),
}
token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
token.Header[jws.KeyIDName] = validating.ID
signed, err := token.SignedString(validating.Private)
require.NoError(t, err)
// use our "newer" setup with a new signing key
rsa256, err := jws.NewRSA256(keyset)
require.NoError(t, err)
verified, err := rsa256.Verify(signed, &jwt.RegisteredClaims{})
require.NoError(t, err)
require.Equal(t, claims, verified.Claims)
}
Reference in New Issue View Git Blame Copy Permalink