package assertions
import (
"fmt"
"math"
"strconv"
"testing"
"time"
"github.com/golang-jwt/jwt/v4"
"github.com/muonsoft/api-testing/assertjson"
"github.com/stretchr/testify/assert"
)
// JWTAssertion is used to build a chain of assertions for the JWT node.
// A nil *JWTAssertion is a valid receiver: every exported method checks for nil
// and returns early, so a failed WithJWT short-circuits the rest of the chain.
type JWTAssertion struct {
	t             TestingT   // test reporter that receives failures
	messagePrefix string     // prepended to every failure message; describes the JSON node under test
	token         *jwt.Token // token parsed by WithJWT; its Claims are jwt.MapClaims
}
// WithJWT asserts that the JSON node has a string value with JWT.
// The token is parsed and its signature verified with the key returned by keyFunc.
// jwt.Parse is called without parser options, so keyFunc is the only place where the
// signing method named in the token header is accepted or rejected; use WithAlgorithm
// to additionally pin the expected "alg". On any parse or verification error the
// assertion fails and nil is returned, which skips the rest of the chain.
func (a *StringAssertion) WithJWT(keyFunc jwt.Keyfunc, msgAndArgs ...interface{}) *JWTAssertion {
	if a == nil {
		return nil
	}
	a.t.Helper()
	parsed, parseErr := jwt.Parse(a.value, keyFunc)
	if parseErr != nil {
		a.fail(fmt.Sprintf(`is JWT: %s`, parseErr.Error()), msgAndArgs...)
		return nil
	}
	return &JWTAssertion{
		t:             a.t,
		messagePrefix: a.messagePrefix,
		token:         parsed,
	}
}
// WithAlgorithm asserts that the JWT is signed with expected algorithm ("alg" header).
// The value compared is the name of the signing method attached to the parsed token.
func (a *JWTAssertion) WithAlgorithm(alg string, msgAndArgs ...interface{}) *JWTAssertion {
	if a == nil {
		return nil
	}
	a.t.Helper()
	actual := a.token.Method.Alg()
	if actual == alg {
		return a
	}
	a.fail(
		fmt.Sprintf(`is JWT with algorithm "%s", actual is "%s"`, alg, actual),
		msgAndArgs...,
	)
	return a
}
// WithHeader executes JSON assertion on JWT header.
// The header map of the parsed token is wrapped in an assertjson node whose message
// prefix extends this assertion's prefix.
func (a *JWTAssertion) WithHeader(jsonAssert assertjson.JSONAssertFunc) *JWTAssertion {
	if a == nil {
		return nil
	}
	a.t.Helper()
	prefix := a.messagePrefix + `is JWT with header: `
	headerNode := assertjson.NewAssertJSON(a.t, prefix, a.token.Header)
	jsonAssert(headerNode)
	return a
}
// WithPayload executes JSON assertion on JWT payload.
// Claims are converted from jwt.MapClaims to a plain map before being handed to
// assertjson; the type assertion is unchecked because jwt.Parse always decodes
// into jwt.MapClaims.
func (a *JWTAssertion) WithPayload(jsonAssert assertjson.JSONAssertFunc) *JWTAssertion {
	if a == nil {
		return nil
	}
	a.t.Helper()
	claims := a.token.Claims.(jwt.MapClaims)
	prefix := a.messagePrefix + `is JWT with payload: `
	payloadNode := assertjson.NewAssertJSON(a.t, prefix, map[string]interface{}(claims))
	jsonAssert(payloadNode)
	return a
}
// WithID asserts that the JWT has id field ("jti" field in payload) with the expected value.
func (a *JWTAssertion) WithID(expected string, msgAndArgs ...interface{}) *JWTAssertion {
	if a != nil {
		a.t.Helper()
		return a.assertStringField("id", "jti", expected, msgAndArgs...)
	}
	return nil
}
// WithIssuer asserts that the JWT has issuer field ("iss" field in payload) with the expected value.
func (a *JWTAssertion) WithIssuer(expected string, msgAndArgs ...interface{}) *JWTAssertion {
	if a != nil {
		a.t.Helper()
		return a.assertStringField("issuer", "iss", expected, msgAndArgs...)
	}
	return nil
}
// WithSubject asserts that the JWT has subject field ("sub" field in payload) with the expected value.
func (a *JWTAssertion) WithSubject(expected string, msgAndArgs ...interface{}) *JWTAssertion {
	if a != nil {
		a.t.Helper()
		return a.assertStringField("subject", "sub", expected, msgAndArgs...)
	}
	return nil
}
// WithAudience asserts that the JWT has audience field ("aud" field in payload) with the expected values.
// Both a single string and an array of strings in the payload are accepted; order matters.
func (a *JWTAssertion) WithAudience(expected []string, msgAndArgs ...interface{}) *JWTAssertion {
	if a != nil {
		a.t.Helper()
		return a.assertStringsField("audience", "aud", expected, msgAndArgs...)
	}
	return nil
}
// WithExpiresAt asserts that the JWT has expires at field ("exp" field in payload).
// It runs TimeAssertion on its value.
func (a *JWTAssertion) WithExpiresAt() *TimeAssertion {
	if a != nil {
		a.t.Helper()
		return a.assertTimeField("expires at", "exp")
	}
	return nil
}
// WithNotBefore asserts that the JWT has not before field ("nbf" field in payload).
// It runs TimeAssertion on its value.
func (a *JWTAssertion) WithNotBefore() *TimeAssertion {
	if a != nil {
		a.t.Helper()
		return a.assertTimeField("not before", "nbf")
	}
	return nil
}
// WithIssuedAt asserts that the JWT has issued at field ("iat" field in payload).
// It runs TimeAssertion on its value.
func (a *JWTAssertion) WithIssuedAt() *TimeAssertion {
	if a != nil {
		a.t.Helper()
		return a.assertTimeField("issued at", "iat")
	}
	return nil
}
// Value returns decoded jwt.Token. If parsing fails it will return empty struct.
func (a *JWTAssertion) Value() *jwt.Token {
	if a != nil {
		a.t.Helper()
		return a.token
	}
	// A nil receiver means WithJWT already failed; hand back a zero token rather than nil.
	return &jwt.Token{}
}
// Assert asserts that the JWT is satisfied by the user function assertFunc.
// The TestingT behind this assertion is passed to assertFunc as testing.TB; the
// conversion is unchecked and panics if the TestingT is not a testing.TB.
func (a *JWTAssertion) Assert(assertFunc func(tb testing.TB, token *jwt.Token)) *JWTAssertion {
	if a == nil {
		return nil
	}
	a.t.Helper()
	tb := a.t.(testing.TB)
	assertFunc(tb, a.token)
	return a
}
// assertStringField checks that payload claim name holds exactly the string expected.
// title is the human-readable claim name used in failure messages. Missing claim,
// non-string claim and mismatching value are reported as three distinct failures.
func (a *JWTAssertion) assertStringField(title string, name string, expected string, msgAndArgs ...interface{}) *JWTAssertion {
	a.t.Helper()
	quoted := strconv.Quote(expected)
	raw, found := a.token.Claims.(jwt.MapClaims)[name]
	if !found {
		return a.failOnMissingField(title, name, quoted, msgAndArgs...)
	}
	actual, isString := raw.(string)
	switch {
	case !isString:
		return a.failOnUnexpectedType(title, name, quoted, "string is expected", msgAndArgs...)
	case actual != expected:
		return a.failOnNotEqual(title, name, quoted, strconv.Quote(actual), msgAndArgs...)
	}
	return a
}
// assertStringsField checks that payload claim name holds the strings expected, in order.
// The claim may be a single string or an array of strings (see castToStrings); anything
// else is reported as an unexpected type.
func (a *JWTAssertion) assertStringsField(title string, name string, expected []string, msgAndArgs ...interface{}) *JWTAssertion {
	a.t.Helper()
	// Rendering is deferred so formatting happens only on the failing path.
	describe := func(values []string) string {
		return wrapArray(formatStrings(values))
	}
	raw, found := a.token.Claims.(jwt.MapClaims)[name]
	if !found {
		return a.failOnMissingField(title, name, describe(expected), msgAndArgs...)
	}
	actual, castOK := castToStrings(raw)
	switch {
	case !castOK:
		return a.failOnUnexpectedType(title, name, describe(expected), "string or array of strings expected", msgAndArgs...)
	case !areStringsEqual(actual, expected):
		return a.failOnNotEqual(title, name, describe(expected), describe(actual), msgAndArgs...)
	}
	return a
}
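// assertTimeField reads the numeric payload claim name and wraps it in a TimeAssertion
// whose message prefix names the claim. When the claim is missing or is not a JSON
// number the test is failed and nil is returned.
func (a *JWTAssertion) assertTimeField(title string, name string) *TimeAssertion {
	// Mark as helper like the sibling assert*/fail* methods so failures are
	// attributed to the caller's line rather than to this file.
	a.t.Helper()
	raw, exist := a.token.Claims.(jwt.MapClaims)[name]
	if !exist {
		a.failOnMissingField(title, name, "")
		return nil
	}
	// jwt.Parse decodes JSON numbers into float64 by default, so NumericDate
	// claims arrive here as float64 seconds since the Unix epoch.
	seconds, ok := raw.(float64)
	if !ok {
		a.failOnUnexpectedType(title, name, "", "number is expected")
		return nil
	}
	return &TimeAssertion{
		t:       a.t,
		message: fmt.Sprintf(`%sis JWT with %s ("%s"): `, a.messagePrefix, title, name),
		layout:  time.RFC3339,
		value:   timeFromFloat(seconds),
	}
}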
// failOnMissingField reports that payload claim name is absent. expected is optional:
// when non-empty it is rendered after the claim name, separated by a space.
func (a *JWTAssertion) failOnMissingField(title, name, expected string, msgAndArgs ...interface{}) *JWTAssertion {
	a.t.Helper()
	suffix := ""
	if expected != "" {
		suffix = " " + expected
	}
	message := fmt.Sprintf(`is JWT with %s ("%s")%s: field does not exist`, title, name, suffix)
	a.fail(message, msgAndArgs...)
	return a
}
// failOnUnexpectedType reports that payload claim name has a value of the wrong type.
// expected is the rendered expected value (may be empty) and expectedType describes
// the type that was required.
func (a *JWTAssertion) failOnUnexpectedType(title, name, expected, expectedType string, msgAndArgs ...interface{}) *JWTAssertion {
	a.t.Helper()
	message := fmt.Sprintf(`is JWT with %s ("%s") %s: %s`, title, name, expected, expectedType)
	a.fail(message, msgAndArgs...)
	return a
}
// failOnNotEqual reports that payload claim name holds actual instead of expected.
// Both values are already rendered by the caller.
func (a *JWTAssertion) failOnNotEqual(title, name, expected, actual string, msgAndArgs ...interface{}) *JWTAssertion {
	a.t.Helper()
	message := fmt.Sprintf(`is JWT with %s ("%s") %s, actual is %s`, title, name, expected, actual)
	a.fail(message, msgAndArgs...)
	return a
}
// fail records an assertion failure on the underlying TestingT, prefixing message
// with the node's message prefix.
func (a *JWTAssertion) fail(message string, msgAndArgs ...interface{}) {
	a.t.Helper()
	fullMessage := a.messagePrefix + message
	assert.Fail(a.t, fullMessage, msgAndArgs...)
}
// castToStrings normalizes an "aud"-style claim value to a slice of strings: a bare
// string becomes a one-element slice, []string is returned as is, and []interface{}
// is accepted only when every element is a string. Any other shape, including nil,
// yields (nil, false).
func castToStrings(raw interface{}) ([]string, bool) {
	switch typed := raw.(type) {
	case string:
		return []string{typed}, true
	case []string:
		return typed, true
	case []interface{}:
		var out []string
		for _, item := range typed {
			s, isString := item.(string)
			if !isString {
				return nil, false
			}
			out = append(out, s)
		}
		return out, true
	}
	return nil, false
}
// timeFromFloat converts a NumericDate claim (seconds since the Unix epoch, possibly
// fractional) into a time.Time, keeping the fractional part as nanoseconds.
func timeFromFloat(value float64) time.Time {
	whole := math.Trunc(value)
	nanos := (value - whole) * 1e9
	return time.Unix(int64(whole), int64(nanos))
}
// areStringsEqual reports whether s1 and s2 have the same length and identical
// elements in the same order. Nil and empty slices compare equal.
func areStringsEqual(s1, s2 []string) bool {
	if len(s1) != len(s2) {
		return false
	}
	for i := range s1 {
		if s1[i] != s2[i] {
			return false
		}
	}
	return true
}
// wrapArray surrounds an already-rendered list of values with square brackets.
func wrapArray(s string) string {
	return fmt.Sprintf("[%s]", s)
}