From 2d02f2dfa03497f03a30120b14076c684019cbe0 Mon Sep 17 00:00:00 2001
From: Bobby DeSimone <1544881+desimone@users.noreply.github.com>
Date: Fri, 22 May 2020 14:21:24 -0700
Subject: [PATCH] authenticate: add tests to signing endpoints (#759)
Signed-off-by: Bobby DeSimone
---
 authenticate/authenticate_test.go | 12 ++++++++++
 authenticate/handlers_test.go | 37 +++++++++++++++++++++++++++++++
 2 files changed, 49 insertions(+)
diff --git a/authenticate/authenticate_test.go b/authenticate/authenticate_test.go
index 5de5c66a3..2a520c27e 100644
--- a/authenticate/authenticate_test.go
+++ b/authenticate/authenticate_test.go
@@ -97,6 +97,15 @@ func TestNew(t *testing.T) {
 emptyProviderURL.Provider = "oidc"
 emptyProviderURL.ProviderURL = ""

+ goodSigningKey := newTestOptions(t)
+ goodSigningKey.SigningKey = "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUpCMFZkbko1VjEvbVlpYUlIWHhnd2Q0Yzd5YWRTeXMxb3Y0bzA1b0F3ekdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVUc1eENQMEpUVDFINklvbDhqS3VUSVBWTE0wNENnVzlQbEV5cE5SbVdsb29LRVhSOUhUMwpPYnp6aktZaWN6YjArMUt3VjJmTVRFMTh1dy82MXJVQ0JBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
+
+ badSigningKey := newTestOptions(t)
+ badSigningKey.SigningKey = "%"
+
+ badSigninKeyPublic := newTestOptions(t)
+ badSigninKeyPublic.SigningKey = "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"
+
 tests := []struct {
 name string
 opts *config.Options
@@ -110,6 +119,9 @@ func TestNew(t *testing.T) {
 {"bad provider", badProvider, true},
 {"bad cache url", badGRPCConn, true},
 {"empty provider url", emptyProviderURL, true},
+ {"good signing key", goodSigningKey, false},
+ {"bad signing key", badSigningKey, true},
+ {"bad public signing key", badSigninKeyPublic, true},
 }
 for _, tt := range tests {
 t.Run(tt.name, func(t *testing.T) {
diff --git a/authenticate/handlers_test.go b/authenticate/handlers_test.go
index 5ffc27f0d..2ba95a583 100644
--- a/authenticate/handlers_test.go
+++ b/authenticate/handlers_test.go
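Review bot: The base64 EC private key assigned to `goodSigningKey.SigningKey` is an unlabelled literal, and the same literal appears again in `TestJwksEndpoint` in handlers_test.go; a single package-level test constant with a comment such as `// testSigningKey is a throwaway EC key generated for these tests; it must never be configured on a real deployment.` would keep the fixture in one place and give secret scanners and later readers an explicit answer. `badSigninKeyPublic` is misspelled (here and in the table row added by the next hunk) and should read `badSigningKeyPublic`. The table appears to carry only a want-error boolean, so the two bad-key rows would pass for any error returned by `New`; checking the error text or type would tie them to the signing-key path. TestNew starts and ends outside both hunks, so the assertion loop is not visible here.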
@@ -29,6 +29,7 @@ import (
 "github.com/golang/mock/gomock"
 "github.com/google/go-cmp/cmp"
 "github.com/gorilla/mux"
+ "github.com/stretchr/testify/assert"
 "golang.org/x/crypto/chacha20poly1305"
 "golang.org/x/oauth2"
 "gopkg.in/square/go-jose.v2/jwt"
@@ -591,3 +592,39 @@ func TestAuthenticate_Refresh(t *testing.T) {
 })
 }
 }
+
+func TestWellKnownEndpoint(t *testing.T) {
+ auth := testAuthenticate()
+
+ h := auth.Handler()
+ if h == nil {
+ t.Error("handler cannot be nil")
+ }
+ req := httptest.NewRequest("GET", "/.well-known/pomerium/", nil)
+ req.Header.Set("Accept", "application/json")
+ rr := httptest.NewRecorder()
+ h.ServeHTTP(rr, req)
+ body := rr.Body.String()
+ expected := `{"jwks_uri":"https://auth.example.com/.well-known/pomerium/jwks.json","authentication_callback_endpoint":"https://auth.example.com/oauth2/callback","api_refresh_endpoint":"https://auth.example.com/api/v1/refresh"}`
+ assert.Equal(t, body, expected)
+}
+
+func TestJwksEndpoint(t *testing.T) {
+ o := newTestOptions(t)
+ o.SigningKey = "LS0tLS1CRUdJTiBFQyBQUklWQVRFIEtFWS0tLS0tCk1IY0NBUUVFSUpCMFZkbko1VjEvbVlpYUlIWHhnd2Q0Yzd5YWRTeXMxb3Y0bzA1b0F3ekdvQW9HQ0NxR1NNNDkKQXdFSG9VUURRZ0FFVUc1eENQMEpUVDFINklvbDhqS3VUSVBWTE0wNENnVzlQbEV5cE5SbVdsb29LRVhSOUhUMwpPYnp6aktZaWN6YjArMUt3VjJmTVRFMTh1dy82MXJVQ0JBPT0KLS0tLS1FTkQgRUMgUFJJVkFURSBLRVktLS0tLQo="
+ auth, err := New(*o)
+ if err != nil {
+ t.Fatal(err)
+ }
+ h := auth.Handler()
+ if h == nil {
+ t.Error("handler cannot be nil")
+ }
+ req := httptest.NewRequest("GET", "/.well-known/pomerium/jwks.json", nil)
+ req.Header.Set("Accept", "application/json")
+ rr := httptest.NewRecorder()
+ h.ServeHTTP(rr, req)
+ body := rr.Body.String()
+ expected := `{"keys":[{"use":"sig","kty":"EC","kid":"5b419ade1895fec2d2def6cd33b1b9a018df60db231dc5ecb85cbed6d942813c","crv":"P-256","alg":"ES256","x":"UG5xCP0JTT1H6Iol8jKuTIPVLM04CgW9PlEypNRmWlo","y":"KChF0fR09zm884ymInM29PtSsFdnzExNfLsP-ta1AgQ"}]}`
+ assert.Equal(t, body, expected)
+}
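Review bot: In both new tests the nil-handler guard uses `t.Error`, which records the failure and then continues to `h.ServeHTTP(rr, req)`, so a nil handler ends in a panic instead of a clean failure; `t.Fatal("handler cannot be nil")` stops at the guard. `assert.Equal(t, body, expected)` passes the arguments in the wrong order (testify takes expected first, then actual), so failure output will be mislabelled; `assert.JSONEq(t, expected, body)` fixes the order and does not depend on member ordering. Neither test checks `rr.Code`, so an error status with a matching body would not be noticed. For `TestJwksEndpoint` it is also worth asserting explicitly that the response carries no private member (`"d"`), so that guarantee survives if the exact-string comparison is ever relaxed.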