3pp-mirror/pomerium
1
0
Fork 0
mirror of https://github.com/pomerium/pomerium.git synced 2025-04-30 10:56:28 +02:00
Code Issues Projects Releases Packages Wiki Activity

add integration test for Pomerium JWT (#4472)

Browse source 
Add an integration test case to verify properties of the Pomerium
attestation JWT:

 - The 'iat' and 'exp' timestamps should be plain integers.
 - The JWT should contain an issuer and audience claim.
 - A JWT retrieved from the /.pomerium/jwt endpoint should contain all
   the same data as a JWT from the X-Pomerium-Jwt-Assertion header.
This commit is contained in:
Kenneth Jenkins 2023-08-17 13:23:16 -07:00 committed by GitHub
parent e448909042
commit c6b7927e1c
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
1 changed files with 71 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

71
integration/policy_test.go
View file

@ -1,12 +1,16 @@
package main package main
import ( import (
"bytes"
"context" "context"
"crypto/tls" "crypto/tls"
"encoding/base64"
"encoding/json" "encoding/json"
"io" "io"
"net/http" "net/http"
"net/url" "net/url"
"regexp"
"strings"
"testing" "testing"
"time" "time"
@ -496,3 +500,70 @@ func TestMultipleDownstreamClientCAs(t *testing.T) {
assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode) assert.Equal(t, httputil.StatusInvalidClientCertificate, res.StatusCode)
}) })
} }
func TestPomeriumJWT(t *testing.T) {
ctx, clearTimeout := context.WithTimeout(context.Background(), time.Second*30)
defer clearTimeout()
client := getClient(t)
// Obtain a Pomerium attestation JWT from the httpdetails service.
res, err := flows.Authenticate(ctx, client,
mustParseURL("https://restricted-httpdetails.localhost.pomerium.io/"),
flows.WithEmail("user1@dogs.test"))
require.NoError(t, err)
defer res.Body.Close()
var m map[string]interface{}
err = json.NewDecoder(res.Body).Decode(&m)
require.NoError(t, err)
headers, ok := m["headers"].(map[string]interface{})
require.True(t, ok)
headerJWT, ok := headers["x-pomerium-jwt-assertion"].(string)
require.True(t, ok)
// Manually decode the payload section of the JWT in order to verify the
// format of the iat and exp timestamps.
// (https://github.com/pomerium/pomerium/issues/4149)
p := rawJWTPayload(t, headerJWT)
var digitsOnly = regexp.MustCompile(`^\d+$`)
assert.Regexp(t, digitsOnly, p["iat"])
assert.Regexp(t, digitsOnly, p["exp"])
// Also verify the issuer and audience claims.
assert.Equal(t, "restricted-httpdetails.localhost.pomerium.io", p["iss"])
assert.Equal(t, "restricted-httpdetails.localhost.pomerium.io", p["aud"])
// Obtain a Pomerium attestation JWT from the /.pomerium/jwt endpoint. The
// contents should be identical to the JWT header (except possibly the
// timestamps). (https://github.com/pomerium/pomerium/issues/4210)
res, err = client.Get("https://restricted-httpdetails.localhost.pomerium.io/.pomerium/jwt")
require.NoError(t, err)
defer res.Body.Close()
spaJWT, err := io.ReadAll(res.Body)
require.NoError(t, err)
p2 := rawJWTPayload(t, string(spaJWT))
// Remove timestamps before comparing.
delete(p, "iat")
delete(p, "exp")
delete(p2, "iat")
delete(p2, "exp")
assert.Equal(t, p, p2)
}
func rawJWTPayload(t *testing.T, jwt string) map[string]interface{} {
t.Helper()
s := strings.Split(jwt, ".")
require.Equal(t, 3, len(s), "unexpected JWT format")
payload, err := base64.RawURLEncoding.DecodeString(s[1])
require.NoError(t, err, "JWT payload could not be decoded")
d := json.NewDecoder(bytes.NewReader(payload))
d.UseNumber()
var decoded map[string]interface{}
err = d.Decode(&decoded)
require.NoError(t, err, "JWT payload could not be deserialized")
return decoded
}