jwtauth_test.go

/**
 * Copyright (c) 2015 Intel Corporation
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *    http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
package main

import (
	"encoding/hex"
	"encoding/json"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
	"testing"
	"time"

	"github.com/dgrijalva/jwt-go"
	"github.com/gorilla/mux"
	"github.com/stretchr/testify/assert"
)

func TestJWTAuth_Validate(t *testing.T) {
	jwtAuth := NewJwtAuth()

	r := mux.NewRouter()
	r.HandleFunc(testDeviceKeysURIHandlerPath, handleDeviceKeyRequest)
	ts := httptest.NewServer(r)

	defer ts.Close()

	args.Server.DeviceKeysURI = "http://localhost:" +
		getServerPortFromRawURL(ts.URL) + testDeviceKeysURIPath

	req, err := http.NewRequest("GET", "http://localhost", nil)
	if err != nil {
		t.Error(err)
	}

	req.Header.Del("Authorization")
	assert.False(t, jwtAuth.Validate(req), "Requests must have an Authorization header")

	// Test request with incorrect header
	req.Header.Set("Authorization", "WHAT")
	assert.False(t, jwtAuth.Validate(req), "Requests should have properly formatted Authorization headers")

	// Test valid EC JWT
	validEcJWT, err := getJWT(jwt.SigningMethodES256, goodDeviceID, ecPrivateKey)
	if err != nil {
		t.Error(err)
	}
	req.Header.Set("Authorization", "Bearer "+validEcJWT)
	assert.True(t, jwtAuth.Validate(req), "Valid EC JWT must be accepted")

	// Test valid RS JWT
	validRsJWT, err := getJWT(jwt.SigningMethodRS256, goodDeviceID, rsaPrivateKey)
	if err != nil {
		t.Error(err)
	}
	req.Header.Set("Authorization", "Bearer "+validRsJWT)
	assert.True(t, jwtAuth.Validate(req), "Valid RS JWT must be accepted")

	// Test valid ES JWT with invalid public key
	invalidEcJWT, err := getJWT(jwt.SigningMethodES256, badDeviceID, ecPrivateKey)
	if err != nil {
		t.Error(err)
	}
	req.Header.Set("Authorization", "Bearer "+invalidEcJWT)
	assert.False(t, jwtAuth.Validate(req), "Device with invalid EC public key must be rejected")

	// Test valid RS JWT with invalid public key
	invalidRsJWT, err := getJWT(jwt.SigningMethodRS256, badDeviceID, rsaPrivateKey)
	if err != nil {
		t.Error(err)
	}
	req.Header.Set("Authorization", "Bearer "+invalidRsJWT)
	assert.False(t, jwtAuth.Validate(req), "Device with invalid RSA public key must be rejected")
}

func getJWT(signingMethod jwt.SigningMethod, deviceID string, key string) (string, error) {
	token := jwt.New(signingMethod)
	token.Claims[deviceIDJWTPayloadFieldName] = deviceID
	token.Claims[iatJWTPayloadFieldName] = time.Now().Unix()

	keyStrBytes, err := hex.DecodeString(key)
	if err != nil {
		return "", err
	}

	var keyBytes interface{}
	switch signingMethod {
	case jwt.SigningMethodES256:
		keyBytes, err = jwt.ParseECPrivateKeyFromPEM(keyStrBytes)
		if err != nil {
			return "", err
		}
	case jwt.SigningMethodRS256:
		keyBytes, err = jwt.ParseRSAPrivateKeyFromPEM(keyStrBytes)
		if err != nil {
			return "", err
		}
	}

	tokenString, err := token.SignedString(keyBytes)
	return tokenString, err
}

func TestGetPublicKeyFromDeviceKeysAPI(t *testing.T) {
	publicKeyBytes, err := hex.DecodeString(samplePublicKeyStr)
	if err != nil {
		t.Error(err)
	}

	r := mux.NewRouter()
	r.HandleFunc(testDeviceKeysURIHandlerPath, handleSimpleDeviceKeyRequest)
	ts := httptest.NewServer(r)
	defer ts.Close()

	args.Server.DeviceKeysURI = "http://localhost:" +
		getServerPortFromRawURL(ts.URL) + testDeviceKeysURIPath

	res, err := getPublicKeyFromDeviceKeysAPI(validSampleDeviceID, validSampleAlg)
	if err != nil {
		t.Error(err)
	}
	assert.Equal(t, publicKeyBytes, res, "The correct public key must be returned if the API knows the device_id and alg")

	res, err = getPublicKeyFromDeviceKeysAPI("wrong_id", "ES256")
	assert.Nil(t, res, "No public key should be returned for an incorrect device_id")
	if err == nil {
		assert.NotNil(t, err, "Getting public key of unknown device must return error")
	}
}

func TestBuildDeviceKeyRequestURL(t *testing.T) {
	origURL := "http://example.com/test/:device_id/key"
	deviceID := "test"
	alg := "ES256"
	expectedURL := strings.Replace(origURL, ":device_id", deviceID, 1) + "?alg=" + alg
	res, err := buildDeviceKeyRequestURL(origURL, deviceID, alg)
	if err != nil {
		t.Error(err)
	}
	assert.Equal(t, expectedURL, res, "Device key request URL must have correct params")
}

func TestIsJWTIATAcceptable(t *testing.T) {
	// Set the tolerable JWT age for testing
	args.Server.TolerableJWTAge = 1

	assert.False(t, isJWTIATAcceptable(time.Now().Add(-1*time.Hour)),
		"Old JWTs should not be accepted")
	assert.True(t, isJWTIATAcceptable(time.Now().Add(-50*time.Second)),
		"JWT with valid age must be accepted")
}

const (
	validSampleDeviceID string = "test_device"
	validSampleAlg      string = "ES256"
	samplePublicKeyStr  string = "6556"

	goodDeviceID string = "test_device"
	badDeviceID  string = "bad_device"
	esAlg        string = "ES256"
	//rsAlg               string = "RS256"
	ecPrivateKey        string = "2d2d2d2d2d424547494e2045432050524956415445204b45592d2d2d2d2d0a4d48634341514545494f384c546a42746b4d366b326373792b6e4a6b5655786866396b4751485a5534784a6d4c73344d513430446f416f4743437147534d34390a417745486f5551445167414532586f55426861592b4d79706332732b48736f374151432b6370312b655135513931656343336a2b6d533133454a4855654e43480a3533615057705868685341326556435645675048675a7a48436c6e6a7336317a67773d3d0a2d2d2d2d2d454e442045432050524956415445204b45592d2d2d2d2d0a"
	rsaPrivateKey       string = "2d2d2d2d2d424547494e205253412050524956415445204b45592d2d2d2d2d0a4d49494a4b77494241414b434167454139713567394543486b486c6c4349677554792f6c3445436b5952624245374255664672452f5130455471616e787537350a327571596a327243334e365a565a72793352662f4b51794648386e376837414a68754f4655486e34695255717450344d6f48743746706552374667364d73572f0a413671474154515845747871387053376f716a5631334d746b3951776a396c65684636424d794242654258717a7436627732386c49515657584556595a6f72460a587a6b42336338336c4a525847696a347a494c6131626674724b385165746c384c346a736262676e48626a49704c4c455055714e6f744e4677775279476447510a6b55786a395956686534376148646e56384a422b7a42537269434c2f6941723263353038584b485755786f4371327373684b51555347357835775549784366360a57626e3570596142684d5147684c724d4e6e4833694c516436783659524271666951444173377a574a38473679674459532b69442b5136637a76557575622b6d0a76516555455a2b67316770545a6d63642b6d57446b382f62555653354f316237756a2f4a372b6974656a4a64757a3974755974677038416b55617473364b726a0a592b7051484841635a4553685a6e4245786d2b73626a3944416c50334c654b317a4861486c6a7354484c5173597765374b655a7677576d306a594b4e6832642b0a4148756e78396473424449596a6e6c30424b374547426f7a7a49316c2f477172315a4653302b794c2b422b72657a377836706d654f4f5768514a427051536f490a4d4d564955783370716244614d58327a4b7a7463356b7166315849595a76396f764258597039666a72436f33697343354176364f62487732734f55425a384c490a5648456f34352b6b67715932394d4e6e6e303638387756574349325275327764675a7774684330695255563263526a4e41547a433756596467387343417745410a41514b434167454177396f6c5469666875686f33316a4e52475476394e6a50386a72306a4a482b75524746493332537a55384c4c6d493171514a356237426f6d0a686e67526f3737334c67543861466e785a424459724a31656f774d48654b4b75616941744854424c564374567964556a58564f624f5735355075376e6f424c380a6374516638574f584b676b455a782b6951796d494f4e3272526b74474a784a6f4348445755644b364e73754b3368472f7846696d584275336f75652f444a32570a456c684959354f2b485a6d544a335831745648314d7152304463575865584670565261393773326b4d736c37644a687258652b73713855514539786a7a4b354f0a664777707a754f43455a4b587157364c316656376a6b617437354d614e71326a58613163437a3933524153467568412b544e355a5847776c503549426e4b4d540a4f42627532666a355a417a4f4c484a6441717a79316265526a4a505661672f66534a764f6a426a592b664e4838352b4735743179662f77333777756d644376630a5a5a784c626178336f4434364e4a62623937784367722b776753787334685a2f6974316943597954584c684c6355475a554b57435a794d394d54744342706c550a2b7338664552744e73436e73624a4e364e3358694337424d6c464b545532415333694a653468574e72455556422b316d507847596e694254696241664770315a0a4f67456e4e52794a366845666c5838716247436c2f4e5935754930755246384e51734531762b664e4a6b4b66576e62642b4e333435332f387777345238306b580a70586e3747484f4c4370487136736a577356425a5931495533384439586d747864326c55332b4e57432f546672533677344b4d307a2f6f78555a4e69616e4b730a384551775a2f736e6454483846724843747077736f316a366553524f68305a6d697462735a4b525a7a6e686d53764971637a6b43676745424150395a5841386f0a426255503573765567485074594b4b762f6d677735436d6b2b6d31336c622f753956344f307a7935646141634e57764734663351444a313854783343643557310a586b63466a7343536d31644945647367543547692b72646544525039366f474158484458783034674f4578756741672f327534423830394d2f647666746a78350a6a675442775034637371464d7a64357a65487a32544a4962436d58487764304456337a36664c4b4d794f4748795a6c7552386452456f6d49344a784c2f4843780a4c46676c4732463057696268486f4159584139384458797975425348724f57426a692b324f647346745639524f4c67374d557532716e2b7459754854496b4b2b0a7772496f43637a765a6e7a4f2b65494b5255766471484e676347526e5a376b7168302b35444b6272727630526a616b43337a336b7579726e73747131737545420a6e3144373079694a49575964517738436767454241506450584d716644435a6e3054654a2f636f37367863774b484b73536b45576d414e3544334566506862370a4c7933354579706477386d612b48667755786a724332427461713868384d53477730313659776a342b494f356a426a5361776c7651344a3147483143367139790a7238733057346d5a4a5356526536763172646f5a756169494552586a794977573948706437515a6754436663466e2b41783851595856316b55704f41564b746f0a6c44644f6365694664675643617576664e6f6c6b4a69465065683539734b734f6836656b5444345863462f374a496d4769656a68704570323261636c74746b310a35417366354775457a4d4a6b55446661764f506e574f366c562b73652b666c46357a38493538365a5550596a423545746a67704646395036446d7333724644350a637178306e2b5339446e556964676a4b7154765a4f7a30317a54346236774c6d44534f4f75534c586734554367674542414f49756769662b75496434625752520a642f4b33366d6851346c58694d4d68656c5744506b337275724c4e4443494e36643646364f797562674753316d2b63487a494338312f5a704c2f6854434f36310a4c686f7a4158594b2b6441304145626162565576446b446c7458785339667a533932746b57633530325855486a30444948766c62414f347963635475357764760a336836596a4b616c753631633864686455576c3064746c5263336146336c7939376459763144677641692b674e583555477a6a3236635863656a3464714649370a6f50746458776e794365484262615475486259357338476262356e396e4f50502b366452703538773932707368447753466b755948486e6f78556250786c61630a48446b6a6b523554494b7968792b7466476b386c645441455a74554d51684f39496b53522f74776461696446367a4348436474484a51712f79434951336972430a785333526236734367674542414e7a4f3352694548514d46576f567544557a4e5a72395458696e55726f2b6972714d624b62426b70726b36474176434156796f0a547a446e7a73533372466e704d6b55734c44366c33535236396c467333704f6152376a4570394e5a752f753266643479306d533070486c31756f4f434165432b0a2f6131754c532b427358477a326c49672b724243716b4a3646467056466c584645506e6478624364754c3761796a47696179414c536f326f562f3178617236690a757064446a396439656d48394b78592b73646762664f75646b333059636f4a567878334c532f6f4752346649507a6e464639766e446e53746179694c6c7852770a67366c6b69304c7a6141644c2f646c4667315149576b51344a356e6552366e73745a367439416d70564e4c536b633350793650724630314e4378667a495066480a334f71306c424b5262377868336b52756a777650505774664834674a334437426b556b43676745424149666c626e466a373569434e4f685451636544427965580a777357476c69333470562f76304c4b2b4d41366744557257582b305a534b76695878315630796d66503152782b6c3565365a6771564649316e575457735975710a66785443517546746e33627a4f5249426538427964694d7558632f64656e4267725173427935496e435372734c69386d4568304a5743473255792f6e586b49490a5833515761696c414666346d7861762f524176692b5541422f4b6854624b4c4449344f4a6f37786846694a654c504741646b6662464f47703037525a4a4930650a466741646a42775765343775616e3536492b6e6637517854764b4b755455764a6549384a5238385037583842736d706767536f39505264772f704a494e51526b0a4b4972326150465a4531537769586231506b412b7042355a39484e70522f762f5665647359716f3050462f56502f706576572f504878384c315872664e7a383d0a2d2d2d2d2d454e44205253412050524956415445204b45592d2d2d2d2d0a"
	validECPublicKey    string = "2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d466b77457759484b6f5a497a6a3043415159494b6f5a497a6a3044415163445167414532586f55426861592b4d79706332732b48736f374151432b6370312b0a655135513931656343336a2b6d533133454a4855654e43483533615057705868685341326556435645675048675a7a48436c6e6a7336317a67773d3d0a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a"
	invalidECPublicKey  string = "dd"
	validRSAPublicKey   string = "2d2d2d2d2d424547494e205055424c4943204b45592d2d2d2d2d0a4d494943496a414e42676b71686b6947397730424151454641414f43416738414d49494343674b434167454139713567394543486b486c6c4349677554792f6c0a3445436b5952624245374255664672452f5130455471616e78753735327571596a327243334e365a565a72793352662f4b51794648386e376837414a68754f460a55486e34695255717450344d6f48743746706552374667364d73572f413671474154515845747871387053376f716a5631334d746b3951776a396c65684636420a4d794242654258717a7436627732386c49515657584556595a6f7246587a6b42336338336c4a525847696a347a494c6131626674724b385165746c384c346a730a6262676e48626a49704c4c455055714e6f744e4677775279476447516b55786a395956686534376148646e56384a422b7a42537269434c2f69417232633530380a584b485755786f4371327373684b515553473578357755497843663657626e3570596142684d5147684c724d4e6e4833694c51643678365952427166695144410a73377a574a38473679674459532b69442b5136637a76557575622b6d76516555455a2b67316770545a6d63642b6d57446b382f62555653354f316237756a2f4a0a372b6974656a4a64757a3974755974677038416b55617473364b726a592b7051484841635a4553685a6e4245786d2b73626a3944416c50334c654b317a4861480a6c6a7354484c5173597765374b655a7677576d306a594b4e6832642b4148756e78396473424449596a6e6c30424b374547426f7a7a49316c2f477172315a46530a302b794c2b422b72657a377836706d654f4f5768514a427051536f494d4d564955783370716244614d58327a4b7a7463356b7166315849595a76396f764258590a7039666a72436f33697343354176364f62487732734f55425a384c495648456f34352b6b67715932394d4e6e6e303638387756574349325275327764675a77740a684330695255563263526a4e41547a4337565964673873434177454141513d3d0a2d2d2d2d2d454e44205055424c4943204b45592d2d2d2d2d0a"
	invalidRSAPublicKey string = "dd"

	testDeviceKeysURIPath        string = "/devices/:" + deviceIDJWTPayloadFieldName + "/key"
	testDeviceKeysURIHandlerPath string = "/devices/{" + deviceIDJWTPayloadFieldName + "}/key"
)

func getServerPortFromRawURL(rawURL string) string {
	url, err := url.Parse(rawURL)
	if err != nil {
		return ""
	}
	return url.Host[strings.Index(url.Host, ":")+1:]
}

func handleSimpleDeviceKeyRequest(w http.ResponseWriter, r *http.Request) {
	if mux.Vars(r)[deviceIDJWTPayloadFieldName] != validSampleDeviceID ||
		r.FormValue(jwtAlgFieldName) != validSampleAlg {
		w.WriteHeader(404)
		return
	}
	respBody := DeviceKeyResponseBody{PublicKey: samplePublicKeyStr}

	js, _ := json.Marshal(respBody)

	w.Header().Set("Content-Type", "application/json")
	w.Write(js)
}

func handleDeviceKeyRequest(w http.ResponseWriter, r *http.Request) {
	var respBody DeviceKeyResponseBody

	deviceID := mux.Vars(r)[deviceIDJWTPayloadFieldName]
	alg := r.FormValue(jwtAlgFieldName)
	if deviceID == goodDeviceID {
		if alg == esAlg {
			respBody = DeviceKeyResponseBody{PublicKey: validECPublicKey}
		} else {
			respBody = DeviceKeyResponseBody{PublicKey: validRSAPublicKey}
		}
	} else {
		if alg == esAlg {
			respBody = DeviceKeyResponseBody{PublicKey: invalidECPublicKey}
		} else {
			respBody = DeviceKeyResponseBody{PublicKey: invalidRSAPublicKey}
		}
	}

	js, _ := json.Marshal(respBody)

	w.Header().Set("Content-Type", "application/json")
	w.Write(js)
}