diff options
| author | Vivien Kraus <vivien@planete-kraus.eu> | 2020-11-30 21:39:32 +0100 |
|---|---|---|
| committer | Vivien Kraus <vivien@planete-kraus.eu> | 2021-06-19 15:44:36 +0200 |
| commit | 0dfaa2a0a9f9772557b06ca7542d4c1b915d7b0c (patch) | |
| tree | 5251e4c081af9bb751826889d8f92ed8687523f3 /tests | |
| parent | b3f41c0fa861a668c054bdce92c8fb86707a784c (diff) | |
Implement the DPoP proof
Diffstat (limited to 'tests')
| -rw-r--r-- | tests/Makefile.am | 9 | ||||
| -rw-r--r-- | tests/dpop-proof-iat-in-future.scm | 37 | ||||
| -rw-r--r-- | tests/dpop-proof-iat-too-late.scm | 37 | ||||
| -rw-r--r-- | tests/dpop-proof-replay.scm | 40 | ||||
| -rw-r--r-- | tests/dpop-proof-valid.scm | 30 | ||||
| -rw-r--r-- | tests/dpop-proof-wrong-htm.scm | 37 | ||||
| -rw-r--r-- | tests/dpop-proof-wrong-htu.scm | 37 | ||||
| -rw-r--r-- | tests/dpop-proof-wrong-key.scm | 37 |
8 files changed, 263 insertions, 1 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 1959c84..37a4a82 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -16,7 +16,14 @@ TESTS = %reldir%/load-library.scm \ %reldir%/jws.scm \ %reldir%/cache-valid.scm \ %reldir%/cache-revalidate.scm \ - %reldir%/oidc-configuration.scm + %reldir%/oidc-configuration.scm \ + %reldir%/dpop-proof-valid.scm \ + %reldir%/dpop-proof-wrong-htm.scm \ + %reldir%/dpop-proof-wrong-htu.scm \ + %reldir%/dpop-proof-iat-in-future.scm \ + %reldir%/dpop-proof-iat-too-late.scm \ + %reldir%/dpop-proof-wrong-key.scm \ + %reldir%/dpop-proof-replay.scm EXTRA_DIST += $(TESTS) diff --git a/tests/dpop-proof-iat-in-future.scm b/tests/dpop-proof-iat-in-future.scm new file mode 100644 index 0000000..7444a02 --- /dev/null +++ b/tests/dpop-proof-iat-in-future.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-iat-in-future" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 10)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-signed-in-future) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 0)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-iat-too-late.scm b/tests/dpop-proof-iat-too-late.scm new file mode 100644 index 0000000..1a56f22 --- /dev/null +++ b/tests/dpop-proof-iat-too-late.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-iat-too-late" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-too-old) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 600)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-replay.scm b/tests/dpop-proof-replay.scm new file mode 100644 index 0000000..b527dce --- /dev/null +++ b/tests/dpop-proof-replay.scm @@ -0,0 +1,40 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-replay" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (define (decode) + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf)) + (define decoded-once (decode)) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &jti-found) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (decode) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-valid.scm b/tests/dpop-proof-valid.scm new file mode 100644 index 0000000..a05a223 --- /dev/null +++ b/tests/dpop-proof-valid.scm @@ -0,0 +1,30 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-valid" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (define decoded + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf)) + (unless decoded + (exit 1)))) diff --git a/tests/dpop-proof-wrong-htm.scm b/tests/dpop-proof-wrong-htm.scm new file mode 100644 index 0000000..4531a44 --- /dev/null +++ b/tests/dpop-proof-wrong-htm.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-wrong-htm" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'POST + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-method-mismatch) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-wrong-htu.scm b/tests/dpop-proof-wrong-htu.scm new file mode 100644 index 0000000..f8ecb29 --- /dev/null +++ b/tests/dpop-proof-wrong-htu.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-wrong-htu" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/other-res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-uri-mismatch) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) diff --git a/tests/dpop-proof-wrong-key.scm b/tests/dpop-proof-wrong-key.scm new file mode 100644 index 0000000..9ea98ee --- /dev/null +++ b/tests/dpop-proof-wrong-key.scm @@ -0,0 +1,37 @@ +(use-modules (webid-oidc dpop-proof) + (webid-oidc jti) + (webid-oidc jwk) + (webid-oidc testing) + (webid-oidc errors) + (web uri) + (srfi srfi-19) + (web response)) + +(with-test-environment + "dpop-proof-wrong-key" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define cnf (jkt (generate-key #:n-size 2048))) + (define blacklist (make-jti-list)) + (define proof + (issue-dpop-proof + jwk + #:alg 'RS256 + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag") + #:iat (time-utc->date (make-time time-utc 0 0)))) + (with-exception-handler + (lambda (error) + (unless ((record-predicate &dpop-unconfirmed-key) + ((record-accessor &cannot-decode-dpop-proof 'cause) error)) + (raise-exception error))) + (lambda () + (dpop-proof-decode (time-utc->date (make-time time-utc 0 10)) + blacklist + 'GET + (string->uri "https://example.com/res?query") + proof + cnf) + (exit 2)) + #:unwind? #t + #:unwind-for-type &cannot-decode-dpop-proof))) |