diff options
Diffstat (limited to 'test/core/security/jwt_verifier_test.c')
-rw-r--r-- | test/core/security/jwt_verifier_test.c | 106 |
1 files changed, 88 insertions, 18 deletions
diff --git a/test/core/security/jwt_verifier_test.c b/test/core/security/jwt_verifier_test.c index f8afba8d6d..a9bd976a39 100644 --- a/test/core/security/jwt_verifier_test.c +++ b/test/core/security/jwt_verifier_test.c @@ -166,6 +166,13 @@ static const char claims_without_time_constraint[] = " \"jti\": \"jwtuniqueid\"," " \"foo\": \"bar\"}"; +static const char claims_with_bad_subject[] = + "{ \"aud\": \"https://foo.com\"," + " \"iss\": \"evil@blah.foo.com\"," + " \"sub\": \"juju@blah.foo.com\"," + " \"jti\": \"jwtuniqueid\"," + " \"foo\": \"bar\"}"; + static const char invalid_claims[] = "{ \"aud\": \"https://foo.com\"," " \"iss\": 46," /* Issuer cannot be a number. */ @@ -179,13 +186,46 @@ typedef struct { const char *expected_subject; } verifier_test_config; +static void test_jwt_issuer_email_domain(void) { + const char *d = grpc_jwt_issuer_email_domain("https://foo.com"); + GPR_ASSERT(d == NULL); + d = grpc_jwt_issuer_email_domain("foo.com"); + GPR_ASSERT(d == NULL); + d = grpc_jwt_issuer_email_domain(""); + GPR_ASSERT(d == NULL); + d = grpc_jwt_issuer_email_domain("@"); + GPR_ASSERT(d == NULL); + d = grpc_jwt_issuer_email_domain("bar@foo"); + GPR_ASSERT(strcmp(d, "foo") == 0); + d = grpc_jwt_issuer_email_domain("bar@foo.com"); + GPR_ASSERT(strcmp(d, "foo.com") == 0); + d = grpc_jwt_issuer_email_domain("bar@blah.foo.com"); + GPR_ASSERT(strcmp(d, "foo.com") == 0); + d = grpc_jwt_issuer_email_domain("bar.blah@blah.foo.com"); + GPR_ASSERT(strcmp(d, "foo.com") == 0); + d = grpc_jwt_issuer_email_domain("bar.blah@baz.blah.foo.com"); + GPR_ASSERT(strcmp(d, "foo.com") == 0); + + /* This is not a very good parser but make sure we do not crash on these weird + inputs. */ + d = grpc_jwt_issuer_email_domain("@foo"); + GPR_ASSERT(strcmp(d, "foo") == 0); + d = grpc_jwt_issuer_email_domain("bar@."); + GPR_ASSERT(d != NULL); + d = grpc_jwt_issuer_email_domain("bar@.."); + GPR_ASSERT(d != NULL); + d = grpc_jwt_issuer_email_domain("bar@..."); + GPR_ASSERT(d != NULL); +} + static void test_claims_success(void) { grpc_jwt_claims *claims; grpc_slice s = grpc_slice_from_copied_string(claims_without_time_constraint); grpc_json *json = grpc_json_parse_string_with_len( (char *)GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s)); GPR_ASSERT(json != NULL); - claims = grpc_jwt_claims_from_json(json, s); + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; + claims = grpc_jwt_claims_from_json(&exec_ctx, json, s); GPR_ASSERT(claims != NULL); GPR_ASSERT(grpc_jwt_claims_json(claims) == json); GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0); @@ -194,7 +234,8 @@ static void test_claims_success(void) { GPR_ASSERT(strcmp(grpc_jwt_claims_id(claims), "jwtuniqueid") == 0); GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") == GRPC_JWT_VERIFIER_OK); - grpc_jwt_claims_destroy(claims); + grpc_jwt_claims_destroy(&exec_ctx, claims); + grpc_exec_ctx_finish(&exec_ctx); } static void test_expired_claims_failure(void) { @@ -206,7 +247,8 @@ static void test_expired_claims_failure(void) { gpr_timespec exp_exp = {120, 0, GPR_CLOCK_REALTIME}; gpr_timespec exp_nbf = {60, 0, GPR_CLOCK_REALTIME}; GPR_ASSERT(json != NULL); - claims = grpc_jwt_claims_from_json(json, s); + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; + claims = grpc_jwt_claims_from_json(&exec_ctx, json, s); GPR_ASSERT(claims != NULL); GPR_ASSERT(grpc_jwt_claims_json(claims) == json); GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0); @@ -219,14 +261,17 @@ static void test_expired_claims_failure(void) { GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") == GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE); - grpc_jwt_claims_destroy(claims); + grpc_jwt_claims_destroy(&exec_ctx, claims); + grpc_exec_ctx_finish(&exec_ctx); } static void test_invalid_claims_failure(void) { grpc_slice s = grpc_slice_from_copied_string(invalid_claims); grpc_json *json = grpc_json_parse_string_with_len( (char *)GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s)); - GPR_ASSERT(grpc_jwt_claims_from_json(json, s) == NULL); + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; + GPR_ASSERT(grpc_jwt_claims_from_json(&exec_ctx, json, s) == NULL); + grpc_exec_ctx_finish(&exec_ctx); } static void test_bad_audience_claims_failure(void) { @@ -235,11 +280,28 @@ static void test_bad_audience_claims_failure(void) { grpc_json *json = grpc_json_parse_string_with_len( (char *)GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s)); GPR_ASSERT(json != NULL); - claims = grpc_jwt_claims_from_json(json, s); + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; + claims = grpc_jwt_claims_from_json(&exec_ctx, json, s); GPR_ASSERT(claims != NULL); GPR_ASSERT(grpc_jwt_claims_check(claims, "https://bar.com") == GRPC_JWT_VERIFIER_BAD_AUDIENCE); - grpc_jwt_claims_destroy(claims); + grpc_jwt_claims_destroy(&exec_ctx, claims); + grpc_exec_ctx_finish(&exec_ctx); +} + +static void test_bad_subject_claims_failure(void) { + grpc_jwt_claims *claims; + grpc_slice s = grpc_slice_from_copied_string(claims_with_bad_subject); + grpc_json *json = grpc_json_parse_string_with_len( + (char *)GRPC_SLICE_START_PTR(s), GRPC_SLICE_LENGTH(s)); + GPR_ASSERT(json != NULL); + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; + claims = grpc_jwt_claims_from_json(&exec_ctx, json, s); + GPR_ASSERT(claims != NULL); + GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") == + GRPC_JWT_VERIFIER_BAD_SUBJECT); + grpc_jwt_claims_destroy(&exec_ctx, claims); + grpc_exec_ctx_finish(&exec_ctx); } static char *json_key_str(const char *last_part) { @@ -294,18 +356,18 @@ static int httpcli_get_google_keys_for_email( "/robot/v1/metadata/x509/" "777-abaslkan11hlb6nmim3bpspl31ud@developer." "gserviceaccount.com") == 0); - grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL); + grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE); return 1; } -static void on_verification_success(void *user_data, +static void on_verification_success(grpc_exec_ctx *exec_ctx, void *user_data, grpc_jwt_verifier_status status, grpc_jwt_claims *claims) { GPR_ASSERT(status == GRPC_JWT_VERIFIER_OK); GPR_ASSERT(claims != NULL); GPR_ASSERT(user_data == (void *)expected_user_data); GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), expected_audience) == 0); - grpc_jwt_claims_destroy(claims); + grpc_jwt_claims_destroy(exec_ctx, claims); } static void test_jwt_verifier_google_email_issuer_success(void) { @@ -338,7 +400,7 @@ static int httpcli_get_custom_keys_for_email( GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl); GPR_ASSERT(strcmp(request->host, "keys.bar.com") == 0); GPR_ASSERT(strcmp(request->http.path, "/jwk/foo@bar.com") == 0); - grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL); + grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE); return 1; } @@ -372,7 +434,7 @@ static int httpcli_get_jwk_set(grpc_exec_ctx *exec_ctx, GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl); GPR_ASSERT(strcmp(request->host, "www.googleapis.com") == 0); GPR_ASSERT(strcmp(request->http.path, "/oauth2/v3/certs") == 0); - grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL); + grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE); return 1; } @@ -387,7 +449,7 @@ static int httpcli_get_openid_config(grpc_exec_ctx *exec_ctx, GPR_ASSERT(strcmp(request->http.path, GRPC_OPENID_CONFIG_URL_SUFFIX) == 0); grpc_httpcli_set_override(httpcli_get_jwk_set, httpcli_post_should_not_be_called); - grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL); + grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE); return 1; } @@ -413,7 +475,8 @@ static void test_jwt_verifier_url_issuer_success(void) { grpc_httpcli_set_override(NULL, NULL); } -static void on_verification_key_retrieval_error(void *user_data, +static void on_verification_key_retrieval_error(grpc_exec_ctx *exec_ctx, + void *user_data, grpc_jwt_verifier_status status, grpc_jwt_claims *claims) { GPR_ASSERT(status == GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR); @@ -427,7 +490,7 @@ static int httpcli_get_bad_json(grpc_exec_ctx *exec_ctx, grpc_httpcli_response *response) { *response = http_response(200, gpr_strdup("{\"bad\": \"stuff\"}")); GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl); - grpc_exec_ctx_sched(exec_ctx, on_done, GRPC_ERROR_NONE, NULL); + grpc_closure_sched(exec_ctx, on_done, GRPC_ERROR_NONE); return 1; } @@ -483,7 +546,11 @@ static void corrupt_jwt_sig(char *jwt) { uint8_t *sig_bytes; char *last_dot = strrchr(jwt, '.'); GPR_ASSERT(last_dot != NULL); - sig = grpc_base64_decode(last_dot + 1, 1); + { + grpc_exec_ctx exec_ctx = GRPC_EXEC_CTX_INIT; + sig = grpc_base64_decode(&exec_ctx, last_dot + 1, 1); + grpc_exec_ctx_finish(&exec_ctx); + } GPR_ASSERT(!GRPC_SLICE_IS_EMPTY(sig)); sig_bytes = GRPC_SLICE_START_PTR(sig); (*sig_bytes)++; /* Corrupt first byte. */ @@ -494,7 +561,8 @@ static void corrupt_jwt_sig(char *jwt) { grpc_slice_unref(sig); } -static void on_verification_bad_signature(void *user_data, +static void on_verification_bad_signature(grpc_exec_ctx *exec_ctx, + void *user_data, grpc_jwt_verifier_status status, grpc_jwt_claims *claims) { GPR_ASSERT(status == GRPC_JWT_VERIFIER_BAD_SIGNATURE); @@ -535,7 +603,7 @@ static int httpcli_get_should_not_be_called(grpc_exec_ctx *exec_ctx, return 1; } -static void on_verification_bad_format(void *user_data, +static void on_verification_bad_format(grpc_exec_ctx *exec_ctx, void *user_data, grpc_jwt_verifier_status status, grpc_jwt_claims *claims) { GPR_ASSERT(status == GRPC_JWT_VERIFIER_BAD_FORMAT); @@ -563,10 +631,12 @@ static void test_jwt_verifier_bad_format(void) { int main(int argc, char **argv) { grpc_test_init(argc, argv); grpc_init(); + test_jwt_issuer_email_domain(); test_claims_success(); test_expired_claims_failure(); test_invalid_claims_failure(); test_bad_audience_claims_failure(); + test_bad_subject_claims_failure(); test_jwt_verifier_google_email_issuer_success(); test_jwt_verifier_custom_email_issuer_success(); test_jwt_verifier_url_issuer_success(); |