aboutsummaryrefslogtreecommitdiffhomepage
path: root/test/core/security/jwt_verifier_test.c
diff options
context:
space:
mode:
Diffstat (limited to 'test/core/security/jwt_verifier_test.c')
-rw-r--r--test/core/security/jwt_verifier_test.c106
1 files changed, 88 insertions, 18 deletions
diff --git a/test/core/security/jwt_verifier_test.c b/test/core/security/jwt_verifier_test.c
index f8afba8d6d..a9bd976a39 100644
--- a/test/core/security/jwt_verifier_test.c
+++ b/test/core/security/jwt_verifier_test.c
@@ -166,6 +166,13 @@ static const char claims_without_time_constraint[] =
" \"jti\": \"jwtuniqueid\","
" \"foo\": \"bar\"}";
+static const char claims_with_bad_subject[] =
+ "{ \"aud\": \"https://foo.com\","
+ " \"iss\": \"evil@blah.foo.com\","
+ " \"sub\": \"juju@blah.foo.com\","
+ " \"jti\": \"jwtuniqueid\","
+ " \"foo\": \"bar\"}";
+
static const char invalid_claims[] =
"{ \"aud\": \"https://foo.com\","
" \"iss\": 46," /* Issuer cannot be a number. */
@@ -179,13 +186,46 @@ typedef struct {
const char *expected_subject;
} verifier_test_config;
+static void test_jwt_issuer_email_domain(void) {
+ const char *d = grpc_jwt_issuer_email_domain("https://foo.com");
+ GPR_ASSERT(d == NULL);
+ d = grpc_jwt_issuer_email_domain("foo.com");
+ GPR_ASSERT(d == NULL);
+ d = grpc_jwt_issuer_email_domain("");
+ GPR_ASSERT(d == NULL);
+ d = grpc_jwt_issuer_email_domain("@");
+ GPR_ASSERT(d == NULL);
+ d = grpc_jwt_issuer_email_domain("bar@foo");
+ GPR_ASSERT(strcmp(d, "foo") == 0);
+ d = grpc_jwt_issuer_email_domain("bar@foo.com");
+ GPR_ASSERT(strcmp(d, "foo.com") == 0);
+ d = grpc_jwt_issuer_email_domain("bar@blah.foo.com");
+ GPR_ASSERT(strcmp(d, "foo.com") == 0);
+ d = grpc_jwt_issuer_email_domain("bar.blah@blah.foo.com");
+ GPR_ASSERT(strcmp(d, "foo.com") == 0);
+ d = grpc_jwt_issuer_email_domain("bar.blah@baz.blah.foo.com");
+ GPR_ASSERT(strcmp(d, "foo.com") == 0);
+
+ /* This is not a very good parser but make sure we do not crash on these weird
+ inputs. */
+ d = grpc_jwt_issuer_email_domain("@foo");
+ GPR_ASSERT(strcmp(d, "foo") == 0);
+ d = grpc_jwt_issuer_email_domain("bar@.");
+ GPR_ASSERT(d != NULL);
+ d = grpc_jwt_issuer_email_domain("bar@..");
+ GPR_ASSERT(d != NULL);
+ d = grpc_jwt_issuer_email_domain("bar@...");
+ GPR_ASSERT(d != NULL);
+}
+
static void test_claims_success(void) {
grpc_jwt_claims *claims;
grpc_slice s = grpc_slice_from_copied_string(claims_without_time_constraint);
grpc_json *json = grpc_json_parse_string_with_len(
(char *)GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s));
GPR_ASSERT(json != NULL);
- claims = grpc_jwt_claims_from_json(json, s);
+ grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
+ claims = grpc_jwt_claims_from_json(&exec_ctx, json, s);
GPR_ASSERT(claims != NULL);
GPR_ASSERT(grpc_jwt_claims_json(claims) == json);
GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0);
@@ -194,7 +234,8 @@ static void test_claims_success(void) {
GPR_ASSERT(strcmp(grpc_jwt_claims_id(claims), "jwtuniqueid") == 0);
GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") ==
GRPC_JWT_VERIFIER_OK);
- grpc_jwt_claims_destroy(claims);
+ grpc_jwt_claims_destroy(&exec_ctx, claims);
+ grpc_exec_ctx_finish(&exec_ctx);
}
static void test_expired_claims_failure(void) {
@@ -206,7 +247,8 @@ static void test_expired_claims_failure(void) {
gpr_timespec exp_exp = {120, 0, GPR_CLOCK_REALTIME};
gpr_timespec exp_nbf = {60, 0, GPR_CLOCK_REALTIME};
GPR_ASSERT(json != NULL);
- claims = grpc_jwt_claims_from_json(json, s);
+ grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
+ claims = grpc_jwt_claims_from_json(&exec_ctx, json, s);
GPR_ASSERT(claims != NULL);
GPR_ASSERT(grpc_jwt_claims_json(claims) == json);
GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0);
@@ -219,14 +261,17 @@ static void test_expired_claims_failure(void) {
GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") ==
GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE);
- grpc_jwt_claims_destroy(claims);
+ grpc_jwt_claims_destroy(&exec_ctx, claims);
+ grpc_exec_ctx_finish(&exec_ctx);
}
static void test_invalid_claims_failure(void) {
grpc_slice s = grpc_slice_from_copied_string(invalid_claims);
grpc_json *json = grpc_json_parse_string_with_len(
(char *)GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s));
- GPR_ASSERT(grpc_jwt_claims_from_json(json, s) == NULL);
+ grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
+ GPR_ASSERT(grpc_jwt_claims_from_json(&exec_ctx, json, s) == NULL);
+ grpc_exec_ctx_finish(&exec_ctx);
}
static void test_bad_audience_claims_failure(void) {
@@ -235,11 +280,28 @@ static void test_bad_audience_claims_failure(void) {
grpc_json *json = grpc_json_parse_string_with_len(
(char *)GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s));
GPR_ASSERT(json != NULL);
- claims = grpc_jwt_claims_from_json(json, s);
+ grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
+ claims = grpc_jwt_claims_from_json(&exec_ctx, json, s);
GPR_ASSERT(claims != NULL);
GPR_ASSERT(grpc_jwt_claims_check(claims, "https://bar.com") ==
GRPC_JWT_VERIFIER_BAD_AUDIENCE);
- grpc_jwt_claims_destroy(claims);
+ grpc_jwt_claims_destroy(&exec_ctx, claims);
+ grpc_exec_ctx_finish(&exec_ctx);
+}
+
+static void test_bad_subject_claims_failure(void) {
+ grpc_jwt_claims *claims;
+ grpc_slice s = grpc_slice_from_copied_string(claims_with_bad_subject);
+ grpc_json *json = grpc_json_parse_string_with_len(
+ (char *)GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s));
+ GPR_ASSERT(json != NULL);
+ grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
+ claims = grpc_jwt_claims_from_json(&exec_ctx, json, s);
+ GPR_ASSERT(claims != NULL);
+ GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") ==
+ GRPC_JWT_VERIFIER_BAD_SUBJECT);
+ grpc_jwt_claims_destroy(&exec_ctx, claims);
+ grpc_exec_ctx_finish(&exec_ctx);
}
static char *json_key_str(const char *last_part) {
@@ -294,18 +356,18 @@ static int httpcli_get_google_keys_for_email(
"/robot/v1/metadata/x509/"
"777-abaslkan11hlb6nmim3bpspl31ud@developer."
"gserviceaccount.com") == 0);
- grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL);
+ grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE);
return 1;
}
-static void on_verification_success(void *user_data,
+static void on_verification_success(grpc_exec_ctx *exec_ctx, void *user_data,
grpc_jwt_verifier_status status,
grpc_jwt_claims *claims) {
GPR_ASSERT(status == GRPC_JWT_VERIFIER_OK);
GPR_ASSERT(claims != NULL);
GPR_ASSERT(user_data == (void *)expected_user_data);
GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), expected_audience) == 0);
- grpc_jwt_claims_destroy(claims);
+ grpc_jwt_claims_destroy(exec_ctx, claims);
}
static void test_jwt_verifier_google_email_issuer_success(void) {
@@ -338,7 +400,7 @@ static int httpcli_get_custom_keys_for_email(
GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl);
GPR_ASSERT(strcmp(request->host, "keys.bar.com") == 0);
GPR_ASSERT(strcmp(request->http.path, "/jwk/foo@bar.com") == 0);
- grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL);
+ grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE);
return 1;
}
@@ -372,7 +434,7 @@ static int httpcli_get_jwk_set(grpc_exec_ctx *exec_ctx,
GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl);
GPR_ASSERT(strcmp(request->host, "www.googleapis.com") == 0);
GPR_ASSERT(strcmp(request->http.path, "/oauth2/v3/certs") == 0);
- grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL);
+ grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE);
return 1;
}
@@ -387,7 +449,7 @@ static int httpcli_get_openid_config(grpc_exec_ctx *exec_ctx,
GPR_ASSERT(strcmp(request->http.path, GRPC_OPENID_CONFIG_URL_SUFFIX) == 0);
grpc_httpcli_set_override(httpcli_get_jwk_set,
httpcli_post_should_not_be_called);
- grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL);
+ grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE);
return 1;
}
@@ -413,7 +475,8 @@ static void test_jwt_verifier_url_issuer_success(void) {
grpc_httpcli_set_override(NULL, NULL);
}
-static void on_verification_key_retrieval_error(void *user_data,
+static void on_verification_key_retrieval_error(grpc_exec_ctx *exec_ctx,
+ void *user_data,
grpc_jwt_verifier_status status,
grpc_jwt_claims *claims) {
GPR_ASSERT(status == GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR);
@@ -427,7 +490,7 @@ static int httpcli_get_bad_json(grpc_exec_ctx *exec_ctx,
grpc_httpcli_response *response) {
*response = http_response(200, gpr_strdup("{\"bad\": \"stuff\"}"));
GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl);
- grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL);
+ grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE);
return 1;
}
@@ -483,7 +546,11 @@ static void corrupt_jwt_sig(char *jwt) {
uint8_t *sig_bytes;
char *last_dot = strrchr(jwt, '.');
GPR_ASSERT(last_dot != NULL);
- sig = grpc_base64_decode(last_dot + 1, 1);
+ {
+ grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT;
+ sig = grpc_base64_decode(&exec_ctx, last_dot + 1, 1);
+ grpc_exec_ctx_finish(&exec_ctx);
+ }
GPR_ASSERT(!GRPC_SLICE_IS_EMPTY(sig));
sig_bytes = GRPC_SLICE_START_PTR(sig);
(*sig_bytes)++; /* Corrupt first byte. */
@@ -494,7 +561,8 @@ static void corrupt_jwt_sig(char *jwt) {
grpc_slice_unref(sig);
}
-static void on_verification_bad_signature(void *user_data,
+static void on_verification_bad_signature(grpc_exec_ctx *exec_ctx,
+ void *user_data,
grpc_jwt_verifier_status status,
grpc_jwt_claims *claims) {
GPR_ASSERT(status == GRPC_JWT_VERIFIER_BAD_SIGNATURE);
@@ -535,7 +603,7 @@ static int httpcli_get_should_not_be_called(grpc_exec_ctx *exec_ctx,
return 1;
}
-static void on_verification_bad_format(void *user_data,
+static void on_verification_bad_format(grpc_exec_ctx *exec_ctx, void *user_data,
grpc_jwt_verifier_status status,
grpc_jwt_claims *claims) {
GPR_ASSERT(status == GRPC_JWT_VERIFIER_BAD_FORMAT);
@@ -563,10 +631,12 @@ static void test_jwt_verifier_bad_format(void) {
int main(int argc, char **argv) {
grpc_test_init(argc, argv);
grpc_init();
+ test_jwt_issuer_email_domain();
test_claims_success();
test_expired_claims_failure();
test_invalid_claims_failure();
test_bad_audience_claims_failure();
+ test_bad_subject_claims_failure();
test_jwt_verifier_google_email_issuer_success();
test_jwt_verifier_custom_email_issuer_success();
test_jwt_verifier_url_issuer_success();
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-09 18:48:44 +0000