[spec] add tests for ES256/ES512

3scale · Feb 3, 2025 · 7ad24bf · 7ad24bf
1 parent e9d2a13
commit 7ad24bf
Show file tree

Hide file tree

Showing 5 changed files with 127 additions and 45 deletions.
diff --git a/spec/fixtures/certs.lua b/spec/fixtures/certs.lua
@@ -0,0 +1,49 @@
+return {
+rsa_public_key = [[
+-----BEGIN PUBLIC KEY-----
+MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALClz96cDQ965ENYMfZzG+Acu25lpx2K
+NpAALBQ+catCA59us7+uLY5rjQR6SOgZpCz5PJiKNAdRPDJMXSmXqM0CAwEAAQ==
+-----END PUBLIC KEY-----
+]],
+rsa_private_key = [[
+-----BEGIN RSA PRIVATE KEY-----
+MIIBPAIBAAJBALClz96cDQ965ENYMfZzG+Acu25lpx2KNpAALBQ+catCA59us7+u
+LY5rjQR6SOgZpCz5PJiKNAdRPDJMXSmXqM0CAwEAAQJBAJnwZa4BIACVf8aQXToA
+JhKv90bFn1TG1bW38LHTmQs8EM9XCmghLWCje7d/NbUrUceotIOnjtv/xHTywGt2
+NwECIQDhvMZDQ+ZRRbbwONcvO9G7h6hFgy0okiv6JciZccvtxQIhAMhUTAWgV1hQ
+O2yWTRYRQZosEIsFB3kZfsLMeTKjk8dpAiEAslsZ92m9n3dKrJDsjFhiRR5ROOMF
+Gior7xBNZ9e+vdUCIDsjf4nNqttcXB6TRFB2aapsxbl0k58xYpV5LXJAjfi5AiEA
+vRaSauBfRCP3JgXHNgcDSW017/BtbwGiz8aITv6B0Fw=
+-----END RSA PRIVATE KEY-----
+]],
+es256_public_key = [[
+-----BEGIN PUBLIC KEY-----
+MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAERm/e/qZmgIyVSksHrHh1lzf9F6WT
+oTKnyWLfLdz8SZiaLVaI1GW3GekLwVlbKZUkmqUnKfrNs2U9DuJ3jSyX8A==
+-----END PUBLIC KEY-----
+]],
+es256_private_key = [[
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIA8Bv35dnS289gK/lBbp0bj3LzFuvFvZowNClcUW4E84oAoGCCqGSM49
+AwEHoUQDQgAERm/e/qZmgIyVSksHrHh1lzf9F6WToTKnyWLfLdz8SZiaLVaI1GW3
+GekLwVlbKZUkmqUnKfrNs2U9DuJ3jSyX8A==
+-----END EC PRIVATE KEY-----
+]],
+es512_public_key = [[
+-----BEGIN PUBLIC KEY-----
+MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQB85b81Iol6jVQwVuusRR4SYHUN6oP
+KhLWWyobYydIJ/VAmmEHg5Wi/VcYpP3/qlatMhuQPKjC/j4lfLal716byRoAcEtS
++V4w6yT1pIszwAovp8u4PJpEoe3f9JosV3Wvmzauk+o0uaW/cFiarb81hQDTD/Go
+xFWEYfqgS1kv+NpEJAA=
+-----END PUBLIC KEY-----
+]],
+es512_private_key = [[
+-----BEGIN EC PRIVATE KEY-----
+MIHcAgEBBEIBEsogZYirhy12UPSwJx3ps/6j9fRHdIrqzUfz8uDz1xZ4KGm1uzyQ
+oB355ifR/5IriiWzai1LZM+dyR1uS8wV2qKgBwYFK4EEACOhgYkDgYYABAHzlvzU
+iiXqNVDBW66xFHhJgdQ3qg8qEtZbKhtjJ0gn9UCaYQeDlaL9Vxik/f+qVq0yG5A8
+qML+PiV8tqXvXpvJGgBwS1L5XjDrJPWkizPACi+ny7g8mkSh7d/0mixXda+bNq6T
+6jS5pb9wWJqtvzWFANMP8ajEVYRh+qBLWS/42kQkAA==
+-----END EC PRIVATE KEY-----
+]],
+}
diff --git a/spec/fixtures/rsa.lua b/spec/fixtures/rsa.lua
diff --git a/spec/oauth/oidc_spec.lua b/spec/oauth/oidc_spec.lua
@@ -3,7 +3,7 @@ local _M = require('apicast.oauth.oidc')
 local jwt_validators = require('resty.jwt-validators')
 local jwt = require('resty.jwt')
 
-local rsa = require('fixtures.rsa')
+local certs = require('fixtures.certs')
 local ngx_variable = require('apicast.policy.ngx_variable')
 
 describe('OIDC', function()
@@ -43,19 +43,29 @@ describe('OIDC', function()
     local oidc_config = {
       issuer = 'https://example.com/auth/realms/apicast',
       config = { id_token_signing_alg_values_supported = { 'RS256', 'HS256' } },
-      keys = { somekid = { pem = rsa.pub, alg = 'RS256' } },
+      keys = { somekid = { pem = certs.rsa_public_key, alg = 'RS256' } },
+    }
+    local es256_oidc_config = {
+      issuer = 'https://example.com/auth/realms/apicast',
+      config = { id_token_signing_alg_values_supported = { 'ES256'} },
+      keys = { somekid = { pem = certs.es256_public_key, alg = 'ES256' } },
+    }
+    local es512_oidc_config = {
+      issuer = 'https://example.com/auth/realms/apicast',
+      config = { id_token_signing_alg_values_supported = { 'ES512' } },
+      keys = { somekid = { pem = certs.es512_public_key, alg = 'ES512' } },
     }
     local oidc_config_no_alg = {
       issuer = 'https://example.com/auth/realms/apicast',
       config = { id_token_signing_alg_values_supported = { 'RS256', 'HS256' } },
-      keys = { somekid = { pem = rsa.pub } },
+      keys = { somekid = { pem = certs.rsa_public_key } },
     }
 
     before_each(function() jwt_validators.set_system_clock(function() return 0 end) end)
 
-    it('successfully verifies token', function()
+    it('successfully verifies token using RS256', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -74,9 +84,51 @@ describe('OIDC', function()
       assert.equal(10, ttl)
     end)
 
+    it('successfully verifies token using ES256', function()
+      local oidc = _M.new(es256_oidc_config)
+      local access_token = jwt:sign(certs.es256_private_key, {
+        header = { typ = 'JWT', alg = 'ES256', kid = 'somekid' },
+        payload = {
+          iss = oidc_config.issuer,
+          aud = 'notused',
+          azp = 'ce3b2e5e',
+          sub = 'someone',
+          exp = ngx.now() + 10,
+        },
+      })
+
+      local credentials, ttl, _, err = oidc:transform_credentials({ access_token = access_token })
+
+      assert(credentials, err)
+
+      assert.same({ app_id  = "ce3b2e5e" }, credentials)
+      assert.equal(10, ttl)
+    end)
+
+    it('successfully verifies token using ES512', function()
+      local oidc = _M.new(es512_oidc_config)
+      local access_token = jwt:sign(certs.es512_private_key, {
+        header = { typ = 'JWT', alg = 'ES512', kid = 'somekid' },
+        payload = {
+          iss = oidc_config.issuer,
+          aud = 'notused',
+          azp = 'ce3b2e5e',
+          sub = 'someone',
+          exp = ngx.now() + 10,
+        },
+      })
+
+      local credentials, ttl, _, err = oidc:transform_credentials({ access_token = access_token })
+
+      assert(credentials, err)
+
+      assert.same({ app_id  = "ce3b2e5e" }, credentials)
+      assert.equal(10, ttl)
+    end)
+
     it('caches verification', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -103,7 +155,7 @@ describe('OIDC', function()
 
     it('verifies iss', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -124,7 +176,7 @@ describe('OIDC', function()
       stub(ngx, 'now', now)
 
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -142,7 +194,7 @@ describe('OIDC', function()
 
     it('verifies iat', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -160,7 +212,7 @@ describe('OIDC', function()
 
     it('verifies exp', function()
       local oidc = _M.new(oidc_config, {})
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -184,7 +236,7 @@ describe('OIDC', function()
 
     it('verifies alg', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'HS512' },
         payload = { },
       })
@@ -197,7 +249,7 @@ describe('OIDC', function()
 
     it('validation fails when typ is invalid', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -217,7 +269,7 @@ describe('OIDC', function()
 
     it('validation is successful when typ is included and is Bearer', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -236,7 +288,7 @@ describe('OIDC', function()
 
     it('validation fails when jwk.alg does not match jwt.header.alg', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'HS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -256,7 +308,7 @@ describe('OIDC', function()
 
     it('validation passes when jwk.alg matches jwt.header.alg', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -275,7 +327,7 @@ describe('OIDC', function()
 
     it('validation passes when jwk.alg does not exist', function()
       local oidc = _M.new(oidc_config_no_alg)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -294,7 +346,7 @@ describe('OIDC', function()
 
     it('token was signed by a different key', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'otherkid' },
         payload = {
           iss = oidc_config.issuer,
@@ -312,7 +364,7 @@ describe('OIDC', function()
 
     it('token was signed by a different issuer', function()
       local oidc = _M.new(oidc_config)
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = 'other_issuer',
@@ -334,7 +386,7 @@ describe('OIDC', function()
         stub(ngx_variable, 'available_context', function(context) return context end)
       end)
 
-      local access_token = jwt:sign(rsa.private, {
+      local access_token = jwt:sign(certs.rsa_private_key, {
         header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
         payload = {
           iss = oidc_config.issuer,
@@ -350,7 +402,7 @@ describe('OIDC', function()
         local config = {
           issuer = 'https://example.com/auth/realms/apicast',
           config = { id_token_signing_alg_values_supported = { 'RS256' } },
-          keys = { somekid = { pem = rsa.pub, alg = 'RS256' } }}
+          keys = { somekid = { pem = certs.rsa_public_key, alg = 'RS256' } }}
 
         for key,value in pairs(params) do
           config[key] = value

diff --git a/spec/policy/3scale_batcher/keys_helper_spec.lua b/spec/policy/3scale_batcher/keys_helper_spec.lua
@@ -2,7 +2,7 @@ local keys_helper = require 'apicast.policy.3scale_batcher.keys_helper'
 local Usage = require 'apicast.usage'
 local Transaction = require 'apicast.policy.3scale_batcher.transaction'
 local JWT = require('resty.jwt')
-local rsa = require('fixtures.rsa')
+local certs = require('fixtures.certs')
 
 local access_token = setmetatable({
   header = { typ = 'JWT', alg = 'RS256', kid = 'somekid' },
@@ -12,7 +12,7 @@ local access_token = setmetatable({
     aud = 'one',
     exp = ngx.now() + 3600,
   },
-}, { __tostring = function(jwt) return JWT:sign(rsa.private, jwt) end })
+}, { __tostring = function(jwt) return JWT:sign(certs.rsa_private_key, jwt) end })
 
 describe('Keys Helper', function()
   describe('.key_for_cached_auth', function()

diff --git a/spec/policy/oidc_authentication/oidc_authentication_spec.lua b/spec/policy/oidc_authentication/oidc_authentication_spec.lua
@@ -1,6 +1,6 @@
 local _M = require('apicast.policy.oidc_authentication')
 local JWT = require('resty.jwt')
-local rsa = require('fixtures.rsa')
+local certs = require('fixtures.certs')
 local OIDC = require('apicast.oauth.oidc')
 local http_ng = require 'resty.http_ng'
 
@@ -12,7 +12,7 @@ local access_token = setmetatable({
     aud = 'one',
     exp = ngx.now() + 3600,
   },
-}, { __tostring = function(jwt) return JWT:sign(rsa.private, jwt) end })
+}, { __tostring = function(jwt) return JWT:sign(certs.rsa_private_key, jwt) end })
 
 describe('oidc_authentication policy', function()
   describe('.new', function()
@@ -92,7 +92,7 @@ describe('oidc_authentication policy', function()
       ngx.var.http_authorization = 'Bearer ' .. tostring(access_token)
 
       policy.oidc.alg_whitelist = { RS256 = true }
-      policy.oidc.keys = { [access_token.header.kid] = { pem = rsa.pub } }
+      policy.oidc.keys = { [access_token.header.kid] = { pem = certs.rsa_public_key } }
 
       policy:rewrite(context)
 
@@ -185,7 +185,7 @@ describe('oidc_authentication policy', function()
       local oidc = OIDC.new{
         issuer = access_token.payload.iss,
         config = { id_token_signing_alg_values_supported = { access_token.header.alg } },
-        keys = { [access_token.header.kid] = { pem = rsa.pub, alg = access_token.header.alg }  },
+        keys = { [access_token.header.kid] = { pem = certs.rsa_public_key, alg = access_token.header.alg }  },
       }
       local policy = _M.new{ oidc = oidc }
       local jwt = oidc:parse(access_token)