diff options
author | Vivien Kraus <vivien@planete-kraus.eu> | 2021-09-20 11:25:29 +0200 |
---|---|---|
committer | Vivien Kraus <vivien@planete-kraus.eu> | 2021-09-21 22:28:51 +0200 |
commit | e910b3ba2ded990a5193f7ea0cfad525332e4171 (patch) | |
tree | b04e74e7c06e0a0fde5edd7ac0b8773db94cd515 /tests | |
parent | dcd329af1ec765ca0fac97ef2dc18a3177d34083 (diff) |
JWS: use GOOPS
Diffstat (limited to 'tests')
-rw-r--r-- | tests/Makefile.am | 3 | ||||
-rw-r--r-- | tests/authorization-endpoint-submit-form.scm | 6 | ||||
-rw-r--r-- | tests/dpop-proof-iat-in-future.scm | 17 | ||||
-rw-r--r-- | tests/dpop-proof-iat-too-late.scm | 23 | ||||
-rw-r--r-- | tests/dpop-proof-invalid-ath.scm | 34 | ||||
-rw-r--r-- | tests/dpop-proof-no-ath.scm | 19 | ||||
-rw-r--r-- | tests/dpop-proof-no-explicit-exp.scm | 86 | ||||
-rw-r--r-- | tests/dpop-proof-no-explicit-iat.scm | 83 | ||||
-rw-r--r-- | tests/dpop-proof-replay.scm | 23 | ||||
-rw-r--r-- | tests/dpop-proof-valid-ath.scm | 35 | ||||
-rw-r--r-- | tests/dpop-proof-valid.scm | 11 | ||||
-rw-r--r-- | tests/dpop-proof-wrong-htm.scm | 17 | ||||
-rw-r--r-- | tests/dpop-proof-wrong-htu.scm | 17 | ||||
-rw-r--r-- | tests/dpop-proof-wrong-key.scm | 17 | ||||
-rw-r--r-- | tests/jws.scm | 70 | ||||
-rw-r--r-- | tests/resource-server.scm | 24 | ||||
-rw-r--r-- | tests/token-endpoint-issue.scm | 55 | ||||
-rw-r--r-- | tests/token-endpoint-refresh.scm | 63 |
18 files changed, 374 insertions, 229 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am index 251b6b0..99c834d 100644 --- a/tests/Makefile.am +++ b/tests/Makefile.am @@ -29,7 +29,6 @@ TESTS = %reldir%/load-library.scm \ %reldir%/jkt.scm \ %reldir%/verify.scm \ %reldir%/verification-failed.scm \ - %reldir%/jws.scm \ %reldir%/cache-valid.scm \ %reldir%/cache-revalidate.scm \ %reldir%/oidc-configuration.scm \ @@ -43,6 +42,8 @@ TESTS = %reldir%/load-library.scm \ %reldir%/dpop-proof-replay.scm \ %reldir%/dpop-proof-no-ath.scm \ %reldir%/dpop-proof-invalid-ath.scm \ + %reldir%/dpop-proof-no-explicit-exp.scm \ + %reldir%/dpop-proof-no-explicit-iat.scm \ %reldir%/client-manifest-public.scm \ %reldir%/client-manifest.scm \ %reldir%/client-manifest-fraudulent.scm \ diff --git a/tests/authorization-endpoint-submit-form.scm b/tests/authorization-endpoint-submit-form.scm index 37059fe..2fc7197 100644 --- a/tests/authorization-endpoint-submit-form.scm +++ b/tests/authorization-endpoint-submit-form.scm @@ -107,8 +107,8 @@ (exit 9)) (let ((parsed (parameterize ((p:current-date 60)) - (authorization-code-decode - (car (assoc-ref args "code")) - key)))) + (decode <authorization-code> + (car (assoc-ref args "code")) + #:issuer-key key)))) (unless parsed (exit 10))))))))) diff --git a/tests/dpop-proof-iat-in-future.scm b/tests/dpop-proof-iat-in-future.scm index f212643..7e6a3b1 100644 --- a/tests/dpop-proof-iat-in-future.scm +++ b/tests/dpop-proof-iat-in-future.scm @@ -32,10 +32,11 @@ (define cnf (jkt jwk)) (define proof (parameterize ((p:current-date 10)) - (issue-dpop-proof - jwk - #:htm 'GET - #:htu (string->uri "https://example.com/res#frag")))) + (issue <dpop-proof> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag")))) (with-exception-handler (lambda (error) (unless (and (signed-in-future? error) @@ -46,10 +47,10 @@ (raise-exception error))) (lambda () (parameterize ((p:current-date 0)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf)) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf)) (exit 2)) #:unwind? #t #:unwind-for-type &signed-in-future))) diff --git a/tests/dpop-proof-iat-too-late.scm b/tests/dpop-proof-iat-too-late.scm index 149e814..8019d1d 100644 --- a/tests/dpop-proof-iat-too-late.scm +++ b/tests/dpop-proof-iat-too-late.scm @@ -32,24 +32,25 @@ (define cnf (jkt jwk)) (define proof (parameterize ((p:current-date 0)) - (issue-dpop-proof - jwk - #:htm 'GET - #:htu (string->uri "https://example.com/res#frag")))) + (issue <dpop-proof> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag")))) (with-exception-handler (lambda (error) (unless (and (expired? error) (eqv? (time-second (date->time-utc (error-expiration-date error))) - 120) + 30) (eqv? (time-second (date->time-utc (error-current-date error))) - 600)) + 60)) (raise-exception error))) (lambda () - (parameterize ((p:current-date 600)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf)) + (parameterize ((p:current-date 60)) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf)) (exit 2)) #:unwind? #t #:unwind-for-type &expired))) diff --git a/tests/dpop-proof-invalid-ath.scm b/tests/dpop-proof-invalid-ath.scm index a82cf47..8c33e77 100644 --- a/tests/dpop-proof-invalid-ath.scm +++ b/tests/dpop-proof-invalid-ath.scm @@ -33,20 +33,20 @@ (define cnf (jkt jwk)) (define access-token (parameterize ((p:current-date 10)) - (issue-access-token - idp-key - #:webid (string->uri "https://data.provider/subject") - #:iss (string->uri "https://identity.provider") - #:validity 3600 - #:client-key jwk - #:client-id (string->uri "https://client")))) + (issue <access-token> + idp-key + #:webid (string->uri "https://data.provider/subject") + #:iss (string->uri "https://identity.provider") + #:client-key jwk + #:client-id (string->uri "https://client")))) (define proof (parameterize ((p:current-date 0)) - (issue-dpop-proof - jwk - #:htm 'GET - #:htu (string->uri "https://example.com/res?query") - #:access-token "aaaaaaaaaaaaaaa"))) + (issue <dpop-proof> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu (string->uri "https://example.com/res?query") + #:access-token "aaaaaaaaaaaaaaa"))) (with-exception-handler (lambda (error) (unless (and (dpop-invalid-ath? error) @@ -57,11 +57,11 @@ (raise-exception error))) (lambda () (parameterize ((p:current-date 10)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf - #:access-token access-token)) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf + #:access-token access-token)) (exit 2)) #:unwind? #t #:unwind-for-type &dpop-invalid-ath))) diff --git a/tests/dpop-proof-no-ath.scm b/tests/dpop-proof-no-ath.scm index ec37836..60c9cee 100644 --- a/tests/dpop-proof-no-ath.scm +++ b/tests/dpop-proof-no-ath.scm @@ -31,10 +31,11 @@ (define cnf (jkt jwk)) (define proof (parameterize ((p:current-date 0)) - (issue-dpop-proof - jwk - #:htm 'GET - #:htu (string->uri "https://example.com/res?query")))) + (issue <dpop-proof> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu (string->uri "https://example.com/res?query")))) (with-exception-handler (lambda (error) (unless (and (dpop-invalid-ath? error) @@ -45,11 +46,11 @@ (raise-exception error))) (lambda () (parameterize ((p:current-date 10)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf - #:access-token "aaa")) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf + #:access-token "aaa")) (exit 2)) #:unwind? #t #:unwind-for-type &dpop-invalid-ath))) diff --git a/tests/dpop-proof-no-explicit-exp.scm b/tests/dpop-proof-no-explicit-exp.scm new file mode 100644 index 0000000..c485cac --- /dev/null +++ b/tests/dpop-proof-no-explicit-exp.scm @@ -0,0 +1,86 @@ +;; disfluid, implementation of the Solid specification +;; Copyright (C) 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see <https://www.gnu.org/licenses/>. + +(use-modules (webid-oidc dpop-proof) + (webid-oidc access-token) + (webid-oidc jwk) + (webid-oidc jws) + (webid-oidc testing) + (webid-oidc errors) + ((webid-oidc stubs) #:prefix stubs:) + ((webid-oidc parameters) #:prefix p:) + (web uri) + (srfi srfi-19) + (web response) + (ice-9 receive) + (oop goops)) + +(define-class <dpop-proof-with-exp> (<dpop-proof>)) + +(define malicious-jwt-created? #f) + +(define-method (token->jwt (token <dpop-proof-with-exp>)) + (set! malicious-jwt-created? #t) + (receive (header payload) (next-method) + (values header + `((exp . ,(time-second (date->time-utc (exp token)))) + ,@payload)))) + +(with-test-environment + "dpop-proof-no-explicit-exp" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define idp-key (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define access-token + (parameterize ((p:current-date 0)) + (issue <access-token> + idp-key + #:webid (string->uri "https://data.provider/subject") + #:iss (string->uri "https://identity.provider") + #:client-key jwk + #:client-id (string->uri "https://client")))) + (define proof + (parameterize ((p:current-date 0)) + (issue <dpop-proof-with-exp> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu (string->uri "https://example.com/res?query") + #:validity 3600 ;; Obviously too long: the decoder + ;; should ignore this value and make it + ;; obsolete after 120 seconds. + #:access-token access-token))) + (unless malicious-jwt-created? + (exit 1)) + (with-exception-handler + (lambda (error) + (unless (and (expired? error) + (eqv? (time-second (date->time-utc (error-expiration-date error))) + 30) + (eqv? (time-second (date->time-utc (error-current-date error))) + 60)) + (raise-exception error))) + (lambda () + (parameterize ((p:current-date 60)) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf + #:access-token access-token)) + (exit 2)) + #:unwind? #t + #:unwind-for-type &expired))) diff --git a/tests/dpop-proof-no-explicit-iat.scm b/tests/dpop-proof-no-explicit-iat.scm new file mode 100644 index 0000000..671dfa0 --- /dev/null +++ b/tests/dpop-proof-no-explicit-iat.scm @@ -0,0 +1,83 @@ +;; disfluid, implementation of the Solid specification +;; Copyright (C) 2021 Vivien Kraus + +;; This program is free software: you can redistribute it and/or modify +;; it under the terms of the GNU Affero General Public License as +;; published by the Free Software Foundation, either version 3 of the +;; License, or (at your option) any later version. + +;; This program is distributed in the hope that it will be useful, +;; but WITHOUT ANY WARRANTY; without even the implied warranty of +;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +;; GNU Affero General Public License for more details. + +;; You should have received a copy of the GNU Affero General Public License +;; along with this program. If not, see <https://www.gnu.org/licenses/>. + +(use-modules (webid-oidc dpop-proof) + (webid-oidc access-token) + (webid-oidc jwk) + (webid-oidc jws) + (webid-oidc testing) + (webid-oidc errors) + ((webid-oidc stubs) #:prefix stubs:) + ((webid-oidc parameters) #:prefix p:) + (web uri) + (srfi srfi-19) + (web response) + (ice-9 receive) + (ice-9 match) + (oop goops)) + +(define-class <dpop-proof-without-iat> (<dpop-proof>)) + +(define malicious-jwt-created? #f) + +(define-method (token->jwt (token <dpop-proof-without-iat>)) + (set! malicious-jwt-created? #t) + ;; Omit the iat field; check that we don’t provide a default + (receive (header payload) (next-method) + (values header + (filter (match-lambda + (('iat . _) #f) + (else #t)) + payload)))) + +(with-test-environment + "dpop-proof-no-explicit-iat" + (lambda () + (define jwk (generate-key #:n-size 2048)) + (define idp-key (generate-key #:n-size 2048)) + (define cnf (jkt jwk)) + (define access-token + (parameterize ((p:current-date 10)) + (issue <access-token> + idp-key + #:webid (string->uri "https://data.provider/subject") + #:iss (string->uri "https://identity.provider") + #:client-key jwk + #:client-id (string->uri "https://client")))) + (define proof + (parameterize ((p:current-date 0)) + (issue <dpop-proof-without-iat> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu (string->uri "https://example.com/res?query") + #:access-token access-token))) + (unless malicious-jwt-created? + (exit 1)) + (with-exception-handler + (lambda (error) + (unless (invalid-jws? error) ;; iat should not be missing + (exit 2))) + (lambda () + (parameterize ((p:current-date 180)) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf + #:access-token access-token)) + (exit 3)) + #:unwind? #t + #:unwind-for-type &invalid-jws))) diff --git a/tests/dpop-proof-replay.scm b/tests/dpop-proof-replay.scm index 19e6a30..5720d93 100644 --- a/tests/dpop-proof-replay.scm +++ b/tests/dpop-proof-replay.scm @@ -31,23 +31,24 @@ (define cnf (jkt jwk)) (define proof (parameterize ((p:current-date 0)) - (issue-dpop-proof - jwk - #:htm 'GET - #:htu (string->uri "https://example.com/res#frag")))) - (define (decode) + (issue <dpop-proof> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag")))) + (define (do-decode) (parameterize ((p:current-date 10)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf))) - (define decoded-once (decode)) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf))) + (define decoded-once (do-decode)) (with-exception-handler (lambda (error) (unless (jti-found? error) (raise-exception error))) (lambda () - (decode) + (do-decode) (exit 2)) #:unwind? #t #:unwind-for-type &jti-found))) diff --git a/tests/dpop-proof-valid-ath.scm b/tests/dpop-proof-valid-ath.scm index 2a27e88..afcc9cd 100644 --- a/tests/dpop-proof-valid-ath.scm +++ b/tests/dpop-proof-valid-ath.scm @@ -31,26 +31,27 @@ (define cnf (jkt jwk)) (define access-token (parameterize ((p:current-date 10)) - (issue-access-token - idp-key - #:webid (string->uri "https://data.provider/subject") - #:iss (string->uri "https://identity.provider") - #:validity 3600 - #:client-key jwk - #:client-id (string->uri "https://client")))) + (issue <access-token> + idp-key + #:webid "https://data.provider/subject" + #:iss "https://identity.provider" + #:client-key jwk + #:client-id "https://client"))) (define proof (parameterize ((p:current-date 0)) - (issue-dpop-proof - jwk - #:htm 'GET - #:htu (string->uri "https://example.com/res#frag") - #:access-token access-token))) + (issue <dpop-proof> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu "https://example.com/res#frag" + #:access-token access-token))) (define decoded (parameterize ((p:current-date 10)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf - #:access-token access-token))) + (decode <dpop-proof> + proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf + #:access-token access-token))) (unless decoded (exit 1)))) diff --git a/tests/dpop-proof-valid.scm b/tests/dpop-proof-valid.scm index 71ef602..1ef50d4 100644 --- a/tests/dpop-proof-valid.scm +++ b/tests/dpop-proof-valid.scm @@ -30,15 +30,16 @@ (define cnf (jkt jwk)) (define proof (parameterize ((p:current-date 0)) - (issue-dpop-proof + (issue <dpop-proof> jwk + #:jwk (public-key jwk) #:htm 'GET #:htu (string->uri "https://example.com/res#frag")))) (define decoded (parameterize ((p:current-date 10)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf))) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf))) (unless decoded (exit 1)))) diff --git a/tests/dpop-proof-wrong-htm.scm b/tests/dpop-proof-wrong-htm.scm index 1e94f72..b59dc9a 100644 --- a/tests/dpop-proof-wrong-htm.scm +++ b/tests/dpop-proof-wrong-htm.scm @@ -31,10 +31,11 @@ (define cnf (jkt jwk)) (define proof (parameterize ((p:current-date 0)) - (issue-dpop-proof - jwk - #:htm 'POST - #:htu (string->uri "https://example.com/res#frag")))) + (issue <dpop-proof> + jwk + #:jwk (public-key jwk) + #:htm 'POST + #:htu (string->uri "https://example.com/res#frag")))) (with-exception-handler (lambda (error) (unless (and (dpop-method-mismatch? error) @@ -45,10 +46,10 @@ (raise-exception error))) (lambda () (parameterize ((p:current-date 10)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf)) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/jkt cnf)) (exit 2)) #:unwind? #t #:unwind-for-type &dpop-method-mismatch))) diff --git a/tests/dpop-proof-wrong-htu.scm b/tests/dpop-proof-wrong-htu.scm index 299060e..68303d9 100644 --- a/tests/dpop-proof-wrong-htu.scm +++ b/tests/dpop-proof-wrong-htu.scm @@ -31,10 +31,11 @@ (define cnf (jkt jwk)) (define proof (parameterize ((p:current-date 0)) - (issue-dpop-proof - jwk - #:htm 'GET - #:htu (string->uri "https://example.com/other-res#frag")))) + (issue <dpop-proof> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu (string->uri "https://example.com/other-res#frag")))) (with-exception-handler (lambda (error) (unless (and (dpop-uri-mismatch? error) @@ -45,10 +46,10 @@ (raise-exception error))) (lambda () (parameterize ((p:current-date 10)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf)) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/jkt cnf)) (exit 2)) #:unwind? #t #:unwind-for-type &dpop-uri-mismatch))) diff --git a/tests/dpop-proof-wrong-key.scm b/tests/dpop-proof-wrong-key.scm index 1f3d033..cb5d4e5 100644 --- a/tests/dpop-proof-wrong-key.scm +++ b/tests/dpop-proof-wrong-key.scm @@ -31,20 +31,21 @@ (define cnf (jkt (generate-key #:n-size 2048))) (define proof (parameterize ((p:current-date 0)) - (issue-dpop-proof - jwk - #:htm 'GET - #:htu (string->uri "https://example.com/res#frag")))) + (issue <dpop-proof> + jwk + #:jwk (public-key jwk) + #:htm 'GET + #:htu (string->uri "https://example.com/res#frag")))) (with-exception-handler (lambda (error) (unless (dpop-unconfirmed-key? error) (raise-exception error))) (lambda () (parameterize ((p:current-date 10)) - (dpop-proof-decode 'GET - (string->uri "https://example.com/res?query") - proof - cnf)) + (decode <dpop-proof> proof + #:method 'GET + #:uri (string->uri "https://example.com/res?query") + #:cnf/check cnf)) (exit 2)) #:unwind? #t #:unwind-for-type &dpop-unconfirmed-key))) diff --git a/tests/jws.scm b/tests/jws.scm deleted file mode 100644 index a5c9330..0000000 --- a/tests/jws.scm +++ /dev/null @@ -1,70 +0,0 @@ -;; disfluid, implementation of the Solid specification -;; Copyright (C) 2020, 2021 Vivien Kraus - -;; This program is free software: you can redistribute it and/or modify -;; it under the terms of the GNU Affero General Public License as -;; published by the Free Software Foundation, either version 3 of the -;; License, or (at your option) any later version. - -;; This program is distributed in the hope that it will be useful, -;; but WITHOUT ANY WARRANTY; without even the implied warranty of -;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the -;; GNU Affero General Public License for more details. - -;; You should have received a copy of the GNU Affero General Public License -;; along with this program. If not, see <https://www.gnu.org/licenses/>. - -(use-modules (webid-oidc stubs) - (webid-oidc jwk) - (webid-oidc jws) - (webid-oidc testing)) - -(with-test-environment - "jws" - (lambda () - (let* ((key - (jwk->key - (json-string->scm "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"kid\":\"db7cdbbf-0ca3-48da-abf6-8f34002a4651\",\"n\":\"nzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA-kzeVOVpVWwkWdVha4s38XM_pa_yr47av7-z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr_Mrm_YtjCZVWgaOYIhwrXwKLqPr_11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e-lf4s4OxQawWD79J9_5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa-GSYOD2QU68Mb59oSk2OB-BtOLpJofmbGEGgvmwyCI9Mw\"}"))) - (other-key (generate-key #:n-size 2048)) - (encoded "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.hZnl5amPk_I3tb4O-Otci_5XZdVWhPlFyVRvcqSwnDo_srcysDvhhKOD01DigPK1lJvTSTolyUgKGtpLqMfRDXQlekRsF4XhAjYZTmcynf-C-6wO5EI4wYewLNKFGGJzHAknMgotJFjDi_NCVSjHsW3a10nTao1lB82FRS305T226Q0VqNVJVWhE4G0JQvi2TssRtCxYTqzXVt22iDKkXeZJARZ1paXHGV5Kd1CljcZtkNZYIGcwnj65gvuCwohbkIxAnhZMJXCLaVvHqv9l-AAUV7esZvkQR1IpwBAiDQJh4qxPjFGylyXrHMqh5NlT_pWL2ZoULWTg_TJjMO9TuQ") - (expected-alg "PS256") - (expected-typ "JWT") - (expected-sub "1234567890") - (expected-name "John Doe") - (expected-admin #t) - (expected-iat 1516239022) - (parsed (jws-decode encoded (lambda (jws) - (and (jws? jws) - key)))) - (parsed-header (car parsed)) - (parsed-payload (cdr parsed)) - (alg (jws-alg parsed)) - (typ (assq-ref parsed-header 'typ)) - (sub (assq-ref parsed-payload 'sub)) - (name (assq-ref parsed-payload 'name)) - (admin (assq-ref parsed-payload 'admin)) - (iat (assq-ref parsed-payload 'iat)) - (re-encoded (jws-encode parsed other-key)) - (re-parsed (jws-decode re-encoded (lambda (jws) other-key))) - (re-parsed-header (car re-parsed)) - (re-parsed-payload (cdr re-parsed)) - (re-alg (jws-alg re-parsed)) - (re-typ (assq-ref re-parsed-header 'typ)) - (re-sub (assq-ref re-parsed-payload 'sub)) - (re-name (assq-ref re-parsed-payload 'name)) - (re-admin (assq-ref re-parsed-payload 'admin)) - (re-iat (assq-ref re-parsed-payload 'iat))) - (unless (and (equal? alg expected-alg) - (equal? re-alg expected-alg) - (equal? typ expected-typ) - (equal? re-typ expected-typ) - (equal? sub expected-sub) - (equal? re-sub expected-sub) - (equal? name expected-name) - (equal? re-name expected-name) - (equal? admin expected-admin) - (equal? re-admin expected-admin) - (equal? iat expected-iat) - (equal? re-iat expected-iat)) - (format (current-error-port) - "The JWS test failed."))))) diff --git a/tests/resource-server.scm b/tests/resource-server.scm index 02b7e46..a8032b1 100644 --- a/tests/resource-server.scm +++ b/tests/resource-server.scm @@ -57,23 +57,23 @@ (else (exit 1)))) (define access-token (parameterize ((p:current-date 10)) - (issue-access-token - idp-key - #:webid subject - #:iss (string->uri "https://identity.provider") - #:validity 3600 - #:client-key client-key - #:client-id (string->uri "https://client")))) + (issue <access-token> + idp-key + #:webid subject + #:iss (string->uri "https://identity.provider") + #:client-key client-key + #:client-id (string->uri "https://client")))) (define uri (string->uri "https://resource.server/resource")) (define server-uri (string->uri "https://resource.server/")) (define method 'GET) (define dpop-proof (parameterize ((p:current-date 15)) - (issue-dpop-proof - client-key - #:htm method - #:htu uri - #:access-token access-token))) + (issue <dpop-proof> + client-key + #:jwk (public-key client-key) + #:htm method + #:htu uri + #:access-token access-token))) (define rq (call-with-input-string (format #f "GET /resource HTTP/1.1\r\n\ diff --git a/tests/token-endpoint-issue.scm b/tests/token-endpoint-issue.scm index c80658c..0815c30 100644 --- a/tests/token-endpoint-issue.scm +++ b/tests/token-endpoint-issue.scm @@ -43,11 +43,10 @@ (define validity 3600) (define authz (parameterize ((p:current-date 0)) - (issue-authorization-code - key - #:validity 120 - #:webid subject - #:client-id client))) + (issue <authorization-code> + key + #:webid subject + #:client-id client))) (define endpoint (make-token-endpoint (string->uri "https://token-endpoint-issue.scm/token") @@ -56,11 +55,12 @@ ;; The code is fake! (let ((dpop (parameterize ((p:current-date 0)) - (issue-dpop-proof - client-key - #:htm 'POST - #:htu (string->uri - "https://token-endpoint-issue.scm/token"))))) + (issue <dpop-proof> + client-key + #:jwk (public-key client-key) + #:htm 'POST + #:htu (string->uri + "https://token-endpoint-issue.scm/token"))))) (parameterize ((p:current-date 0)) (endpoint (build-request (string->uri @@ -75,11 +75,12 @@ (receive (response response-body . _) (let ((dpop (parameterize ((p:current-date 10)) - (issue-dpop-proof - client-key - #:htm 'POST - #:htu (string->uri - "https://token-endpoint-issue.scm/token"))))) + (issue <dpop-proof> + client-key + #:jwk (public-key client-key) + #:htm 'POST + #:htu (string->uri + "https://token-endpoint-issue.scm/token"))))) (parameterize ((p:current-date 10)) (endpoint (build-request (string->uri @@ -101,11 +102,29 @@ (exit 6)) (unless refresh-token-enc (exit 7)) - (let ((access-token (jws-decode access-token-enc - (lambda (h) key)))) + (let ((access-token + (parameterize ((p:current-date 20)) + (decode <access-token> access-token-enc + #:http-request + (lambda* (uri . args) + (cond + ((equal? uri (string->uri "https://issuer.token-endpoint-issue.scm/.well-known/openid-configuration")) + (values (build-response #:headers '((content-type application/json))) + "{ + \"jwks_uri\": \"https://token-endpoint-issue.scm/keys\", + \"token_endpoint\": \"https://token-endpoint-issue.scm/token\", + \"authorization_endpoint\": \"https://token-endpoint-issue.scm/authorize\", + \"solid_oidc_supported\": \"https://solidproject.org/TR/solid-oidc\" +}")) + ((equal? uri (string->uri "https://token-endpoint-issue.scm/keys")) + (values (build-response #:headers '((content-type application/json))) + (stubs:scm->json-string `((keys . ,(list->vector (list (key->jwk key)))))))) + (else + (format (current-error-port) "Unknown URI: ~s\n" (uri->string uri)) + (exit 11)))))))) (unless access-token (exit 8)) - (let ((access-token-cnf/jkt (access-token-cnf/jkt access-token))) + (let ((access-token-cnf/jkt (cnf/jkt access-token))) (unless access-token-cnf/jkt (exit 9)) (unless (string=? access-token-cnf/jkt (jkt client-key)) diff --git a/tests/token-endpoint-refresh.scm b/tests/token-endpoint-refresh.scm index f14d648..f0174b8 100644 --- a/tests/token-endpoint-refresh.scm +++ b/tests/token-endpoint-refresh.scm @@ -19,6 +19,7 @@ (webid-oidc refresh-token) (webid-oidc dpop-proof) (webid-oidc jwk) + (webid-oidc access-token) (webid-oidc jws) (webid-oidc jti) (webid-oidc testing) @@ -50,11 +51,12 @@ ;; The refresh token is fake! (let ((dpop (parameterize ((p:current-date 0)) - (issue-dpop-proof - client-key - #:htm 'POST - #:htu (string->uri - "https://token-endpoint-issue.scm/token"))))) + (issue <dpop-proof> + client-key + #:jwk (public-key client-key) + #:htm 'POST + #:htu (string->uri + "https://token-endpoint-issue.scm/token"))))) (parameterize ((p:current-date 0)) (endpoint (build-request (string->uri @@ -69,11 +71,12 @@ (receive (response response-body user error) (let ((dpop (parameterize ((p:current-date 10)) - (issue-dpop-proof - client-key - #:htm 'POST - #:htu (string->uri - "https://token-endpoint-issue.scm/token"))))) + (issue <dpop-proof> + client-key + #:jwk (public-key client-key) + #:htm 'POST + #:htu (string->uri + "https://token-endpoint-issue.scm/token"))))) (parameterize ((p:current-date 10)) (endpoint (build-request (string->uri @@ -94,17 +97,31 @@ (exit 6)) (unless refresh-token-enc (exit 7)) - (let ((access-token (jws-decode access-token-enc - (lambda (h) key)))) + (let ((access-token + (parameterize ((p:current-date 20)) + (decode <access-token> access-token-enc + #:http-request + (lambda* (uri . args) + (cond + ((equal? uri (string->uri "https://issuer.token-endpoint-issue.scm/.well-known/openid-configuration")) + (values (build-response #:headers '((content-type application/json))) + "{ + \"jwks_uri\": \"https://token-endpoint-issue.scm/keys\", + \"token_endpoint\": \"https://token-endpoint-issue.scm/token\", + \"authorization_endpoint\": \"https://token-endpoint-issue.scm/authorize\", + \"solid_oidc_supported\": \"https://solidproject.org/TR/solid-oidc\" +}")) + ((equal? uri (string->uri "https://token-endpoint-issue.scm/keys")) + (values (build-response #:headers '((content-type application/json))) + (stubs:scm->json-string `((keys . ,(list->vector (list (key->jwk key)))))))) + (else + (exit 8)))))))) (unless access-token - (exit 8)) - (let ((access-token-cnf (assq-ref access-token 'cnf))) - (unless access-token-cnf - (exit 9)) - (let ((access-token-cnf/jkt (assq-ref access-token-cnf 'jkt))) - (unless access-token-cnf/jkt - (exit 10)) - (unless (string=? access-token-cnf/jkt (jkt client-key)) - (exit 11)))) - (unless (string=? refresh-token-enc refresh-code) - (exit 12))))))))) + (exit 9)) + (let ((access-token-cnf/jkt (cnf/jkt access-token))) + (unless access-token-cnf/jkt + (exit 10)) + (unless (string=? access-token-cnf/jkt (jkt client-key)) + (exit 11)))) + (unless (string=? refresh-token-enc refresh-code) + (exit 12)))))))) |