mirror of
https://github.com/pomerium/pomerium.git
synced 2025-04-30 10:56:28 +02:00
93 lines
2.7 KiB
Go
93 lines
2.7 KiB
Go
package handlers_test
|
|
|
|
import (
|
|
"crypto/ecdsa"
|
|
"crypto/elliptic"
|
|
"encoding/base64"
|
|
"encoding/json"
|
|
"math/rand"
|
|
"net/http"
|
|
"net/http/httptest"
|
|
"testing"
|
|
|
|
"github.com/stretchr/testify/assert"
|
|
"github.com/stretchr/testify/require"
|
|
|
|
"github.com/pomerium/pomerium/internal/deterministicecdsa"
|
|
"github.com/pomerium/pomerium/internal/handlers"
|
|
"github.com/pomerium/pomerium/pkg/cryptutil"
|
|
"github.com/pomerium/pomerium/pkg/hpke"
|
|
)
|
|
|
|
func TestJWKSHandler(t *testing.T) {
|
|
t.Parallel()
|
|
|
|
rnd := rand.New(rand.NewSource(1))
|
|
signingKey1, err := deterministicecdsa.GenerateKey(elliptic.P256(), rnd)
|
|
require.NoError(t, err)
|
|
signingKey2, err := deterministicecdsa.GenerateKey(elliptic.P256(), rnd)
|
|
require.NoError(t, err)
|
|
|
|
rawSigningKey1, err := cryptutil.EncodePrivateKey(signingKey1)
|
|
require.NoError(t, err)
|
|
rawSigningKey2, err := cryptutil.EncodePrivateKey(signingKey2)
|
|
require.NoError(t, err)
|
|
|
|
jwkSigningKey1, err := cryptutil.PublicJWKFromBytes(rawSigningKey1)
|
|
require.NoError(t, err)
|
|
jwkSigningKey2, err := cryptutil.PublicJWKFromBytes(rawSigningKey2)
|
|
require.NoError(t, err)
|
|
|
|
hpkePrivateKey, err := hpke.GeneratePrivateKey()
|
|
require.NoError(t, err)
|
|
|
|
t.Run("cors", func(t *testing.T) {
|
|
w := httptest.NewRecorder()
|
|
r := httptest.NewRequest(http.MethodOptions, "/", nil)
|
|
r.Header.Set("Origin", "https://www.example.com")
|
|
r.Header.Set("Access-Control-Request-Method", "GET")
|
|
handlers.JWKSHandler(nil, hpkePrivateKey.PublicKey()).ServeHTTP(w, r)
|
|
assert.Equal(t, http.StatusNoContent, w.Result().StatusCode)
|
|
})
|
|
t.Run("keys", func(t *testing.T) {
|
|
w := httptest.NewRecorder()
|
|
r := httptest.NewRequest(http.MethodGet, "/", nil)
|
|
handlers.JWKSHandler(
|
|
append(rawSigningKey1, rawSigningKey2...),
|
|
hpkePrivateKey.PublicKey(),
|
|
).ServeHTTP(w, r)
|
|
|
|
var expect any = map[string]any{
|
|
"keys": []any{
|
|
map[string]any{
|
|
"kty": "EC",
|
|
"kid": jwkSigningKey1.KeyID,
|
|
"crv": "P-256",
|
|
"alg": "ES256",
|
|
"use": "sig",
|
|
"x": base64.RawURLEncoding.EncodeToString(jwkSigningKey1.Key.(*ecdsa.PublicKey).X.Bytes()),
|
|
"y": base64.RawURLEncoding.EncodeToString(jwkSigningKey1.Key.(*ecdsa.PublicKey).Y.Bytes()),
|
|
},
|
|
map[string]any{
|
|
"kty": "EC",
|
|
"kid": jwkSigningKey2.KeyID,
|
|
"crv": "P-256",
|
|
"alg": "ES256",
|
|
"use": "sig",
|
|
"x": base64.RawURLEncoding.EncodeToString(jwkSigningKey2.Key.(*ecdsa.PublicKey).X.Bytes()),
|
|
"y": base64.RawURLEncoding.EncodeToString(jwkSigningKey2.Key.(*ecdsa.PublicKey).Y.Bytes()),
|
|
},
|
|
map[string]any{
|
|
"kty": "OKP",
|
|
"kid": "pomerium/hpke",
|
|
"crv": "X25519",
|
|
"x": hpkePrivateKey.PublicKey().String(),
|
|
},
|
|
},
|
|
}
|
|
var actual any
|
|
err := json.Unmarshal(w.Body.Bytes(), &actual)
|
|
assert.NoError(t, err)
|
|
assert.Equal(t, expect, actual)
|
|
})
|
|
}
|