summaryrefslogtreecommitdiff
path: root/tests
diff options
context:
space:
mode:
authorVivien Kraus <vivien@planete-kraus.eu>2021-09-20 11:25:29 +0200
committerVivien Kraus <vivien@planete-kraus.eu>2021-09-21 22:28:51 +0200
commite910b3ba2ded990a5193f7ea0cfad525332e4171 (patch)
treeb04e74e7c06e0a0fde5edd7ac0b8773db94cd515 /tests
parentdcd329af1ec765ca0fac97ef2dc18a3177d34083 (diff)
JWS: use GOOPS
Diffstat (limited to 'tests')
-rw-r--r--tests/Makefile.am3
-rw-r--r--tests/authorization-endpoint-submit-form.scm6
-rw-r--r--tests/dpop-proof-iat-in-future.scm17
-rw-r--r--tests/dpop-proof-iat-too-late.scm23
-rw-r--r--tests/dpop-proof-invalid-ath.scm34
-rw-r--r--tests/dpop-proof-no-ath.scm19
-rw-r--r--tests/dpop-proof-no-explicit-exp.scm86
-rw-r--r--tests/dpop-proof-no-explicit-iat.scm83
-rw-r--r--tests/dpop-proof-replay.scm23
-rw-r--r--tests/dpop-proof-valid-ath.scm35
-rw-r--r--tests/dpop-proof-valid.scm11
-rw-r--r--tests/dpop-proof-wrong-htm.scm17
-rw-r--r--tests/dpop-proof-wrong-htu.scm17
-rw-r--r--tests/dpop-proof-wrong-key.scm17
-rw-r--r--tests/jws.scm70
-rw-r--r--tests/resource-server.scm24
-rw-r--r--tests/token-endpoint-issue.scm55
-rw-r--r--tests/token-endpoint-refresh.scm63
18 files changed, 374 insertions, 229 deletions
diff --git a/tests/Makefile.am b/tests/Makefile.am
index 251b6b0..99c834d 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -29,7 +29,6 @@ TESTS = %reldir%/load-library.scm \
%reldir%/jkt.scm \
%reldir%/verify.scm \
%reldir%/verification-failed.scm \
- %reldir%/jws.scm \
%reldir%/cache-valid.scm \
%reldir%/cache-revalidate.scm \
%reldir%/oidc-configuration.scm \
@@ -43,6 +42,8 @@ TESTS = %reldir%/load-library.scm \
%reldir%/dpop-proof-replay.scm \
%reldir%/dpop-proof-no-ath.scm \
%reldir%/dpop-proof-invalid-ath.scm \
+ %reldir%/dpop-proof-no-explicit-exp.scm \
+ %reldir%/dpop-proof-no-explicit-iat.scm \
%reldir%/client-manifest-public.scm \
%reldir%/client-manifest.scm \
%reldir%/client-manifest-fraudulent.scm \
diff --git a/tests/authorization-endpoint-submit-form.scm b/tests/authorization-endpoint-submit-form.scm
index 37059fe..2fc7197 100644
--- a/tests/authorization-endpoint-submit-form.scm
+++ b/tests/authorization-endpoint-submit-form.scm
@@ -107,8 +107,8 @@
(exit 9))
(let ((parsed
(parameterize ((p:current-date 60))
- (authorization-code-decode
- (car (assoc-ref args "code"))
- key))))
+ (decode <authorization-code>
+ (car (assoc-ref args "code"))
+ #:issuer-key key))))
(unless parsed
(exit 10)))))))))
diff --git a/tests/dpop-proof-iat-in-future.scm b/tests/dpop-proof-iat-in-future.scm
index f212643..7e6a3b1 100644
--- a/tests/dpop-proof-iat-in-future.scm
+++ b/tests/dpop-proof-iat-in-future.scm
@@ -32,10 +32,11 @@
(define cnf (jkt jwk))
(define proof
(parameterize ((p:current-date 10))
- (issue-dpop-proof
- jwk
- #:htm 'GET
- #:htu (string->uri "https://example.com/res#frag"))))
+ (issue <dpop-proof>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res#frag"))))
(with-exception-handler
(lambda (error)
(unless (and (signed-in-future? error)
@@ -46,10 +47,10 @@
(raise-exception error)))
(lambda ()
(parameterize ((p:current-date 0))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf))
(exit 2))
#:unwind? #t
#:unwind-for-type &signed-in-future)))
diff --git a/tests/dpop-proof-iat-too-late.scm b/tests/dpop-proof-iat-too-late.scm
index 149e814..8019d1d 100644
--- a/tests/dpop-proof-iat-too-late.scm
+++ b/tests/dpop-proof-iat-too-late.scm
@@ -32,24 +32,25 @@
(define cnf (jkt jwk))
(define proof
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- jwk
- #:htm 'GET
- #:htu (string->uri "https://example.com/res#frag"))))
+ (issue <dpop-proof>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res#frag"))))
(with-exception-handler
(lambda (error)
(unless (and (expired? error)
(eqv? (time-second (date->time-utc (error-expiration-date error)))
- 120)
+ 30)
(eqv? (time-second (date->time-utc (error-current-date error)))
- 600))
+ 60))
(raise-exception error)))
(lambda ()
- (parameterize ((p:current-date 600))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf))
+ (parameterize ((p:current-date 60))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf))
(exit 2))
#:unwind? #t
#:unwind-for-type &expired)))
diff --git a/tests/dpop-proof-invalid-ath.scm b/tests/dpop-proof-invalid-ath.scm
index a82cf47..8c33e77 100644
--- a/tests/dpop-proof-invalid-ath.scm
+++ b/tests/dpop-proof-invalid-ath.scm
@@ -33,20 +33,20 @@
(define cnf (jkt jwk))
(define access-token
(parameterize ((p:current-date 10))
- (issue-access-token
- idp-key
- #:webid (string->uri "https://data.provider/subject")
- #:iss (string->uri "https://identity.provider")
- #:validity 3600
- #:client-key jwk
- #:client-id (string->uri "https://client"))))
+ (issue <access-token>
+ idp-key
+ #:webid (string->uri "https://data.provider/subject")
+ #:iss (string->uri "https://identity.provider")
+ #:client-key jwk
+ #:client-id (string->uri "https://client"))))
(define proof
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- jwk
- #:htm 'GET
- #:htu (string->uri "https://example.com/res?query")
- #:access-token "aaaaaaaaaaaaaaa")))
+ (issue <dpop-proof>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res?query")
+ #:access-token "aaaaaaaaaaaaaaa")))
(with-exception-handler
(lambda (error)
(unless (and (dpop-invalid-ath? error)
@@ -57,11 +57,11 @@
(raise-exception error)))
(lambda ()
(parameterize ((p:current-date 10))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf
- #:access-token access-token))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf
+ #:access-token access-token))
(exit 2))
#:unwind? #t
#:unwind-for-type &dpop-invalid-ath)))
diff --git a/tests/dpop-proof-no-ath.scm b/tests/dpop-proof-no-ath.scm
index ec37836..60c9cee 100644
--- a/tests/dpop-proof-no-ath.scm
+++ b/tests/dpop-proof-no-ath.scm
@@ -31,10 +31,11 @@
(define cnf (jkt jwk))
(define proof
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- jwk
- #:htm 'GET
- #:htu (string->uri "https://example.com/res?query"))))
+ (issue <dpop-proof>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res?query"))))
(with-exception-handler
(lambda (error)
(unless (and (dpop-invalid-ath? error)
@@ -45,11 +46,11 @@
(raise-exception error)))
(lambda ()
(parameterize ((p:current-date 10))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf
- #:access-token "aaa"))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf
+ #:access-token "aaa"))
(exit 2))
#:unwind? #t
#:unwind-for-type &dpop-invalid-ath)))
diff --git a/tests/dpop-proof-no-explicit-exp.scm b/tests/dpop-proof-no-explicit-exp.scm
new file mode 100644
index 0000000..c485cac
--- /dev/null
+++ b/tests/dpop-proof-no-explicit-exp.scm
@@ -0,0 +1,86 @@
+;; disfluid, implementation of the Solid specification
+;; Copyright (C) 2021 Vivien Kraus
+
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU Affero General Public License as
+;; published by the Free Software Foundation, either version 3 of the
+;; License, or (at your option) any later version.
+
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU Affero General Public License for more details.
+
+;; You should have received a copy of the GNU Affero General Public License
+;; along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+(use-modules (webid-oidc dpop-proof)
+ (webid-oidc access-token)
+ (webid-oidc jwk)
+ (webid-oidc jws)
+ (webid-oidc testing)
+ (webid-oidc errors)
+ ((webid-oidc stubs) #:prefix stubs:)
+ ((webid-oidc parameters) #:prefix p:)
+ (web uri)
+ (srfi srfi-19)
+ (web response)
+ (ice-9 receive)
+ (oop goops))
+
+(define-class <dpop-proof-with-exp> (<dpop-proof>))
+
+(define malicious-jwt-created? #f)
+
+(define-method (token->jwt (token <dpop-proof-with-exp>))
+ (set! malicious-jwt-created? #t)
+ (receive (header payload) (next-method)
+ (values header
+ `((exp . ,(time-second (date->time-utc (exp token))))
+ ,@payload))))
+
+(with-test-environment
+ "dpop-proof-no-explicit-exp"
+ (lambda ()
+ (define jwk (generate-key #:n-size 2048))
+ (define idp-key (generate-key #:n-size 2048))
+ (define cnf (jkt jwk))
+ (define access-token
+ (parameterize ((p:current-date 0))
+ (issue <access-token>
+ idp-key
+ #:webid (string->uri "https://data.provider/subject")
+ #:iss (string->uri "https://identity.provider")
+ #:client-key jwk
+ #:client-id (string->uri "https://client"))))
+ (define proof
+ (parameterize ((p:current-date 0))
+ (issue <dpop-proof-with-exp>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res?query")
+ #:validity 3600 ;; Obviously too long: the decoder
+ ;; should ignore this value and make it
+ ;; obsolete after 120 seconds.
+ #:access-token access-token)))
+ (unless malicious-jwt-created?
+ (exit 1))
+ (with-exception-handler
+ (lambda (error)
+ (unless (and (expired? error)
+ (eqv? (time-second (date->time-utc (error-expiration-date error)))
+ 30)
+ (eqv? (time-second (date->time-utc (error-current-date error)))
+ 60))
+ (raise-exception error)))
+ (lambda ()
+ (parameterize ((p:current-date 60))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf
+ #:access-token access-token))
+ (exit 2))
+ #:unwind? #t
+ #:unwind-for-type &expired)))
diff --git a/tests/dpop-proof-no-explicit-iat.scm b/tests/dpop-proof-no-explicit-iat.scm
new file mode 100644
index 0000000..671dfa0
--- /dev/null
+++ b/tests/dpop-proof-no-explicit-iat.scm
@@ -0,0 +1,83 @@
+;; disfluid, implementation of the Solid specification
+;; Copyright (C) 2021 Vivien Kraus
+
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU Affero General Public License as
+;; published by the Free Software Foundation, either version 3 of the
+;; License, or (at your option) any later version.
+
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU Affero General Public License for more details.
+
+;; You should have received a copy of the GNU Affero General Public License
+;; along with this program. If not, see <https://www.gnu.org/licenses/>.
+
+(use-modules (webid-oidc dpop-proof)
+ (webid-oidc access-token)
+ (webid-oidc jwk)
+ (webid-oidc jws)
+ (webid-oidc testing)
+ (webid-oidc errors)
+ ((webid-oidc stubs) #:prefix stubs:)
+ ((webid-oidc parameters) #:prefix p:)
+ (web uri)
+ (srfi srfi-19)
+ (web response)
+ (ice-9 receive)
+ (ice-9 match)
+ (oop goops))
+
+(define-class <dpop-proof-without-iat> (<dpop-proof>))
+
+(define malicious-jwt-created? #f)
+
+(define-method (token->jwt (token <dpop-proof-without-iat>))
+ (set! malicious-jwt-created? #t)
+ ;; Omit the iat field; check that we don’t provide a default
+ (receive (header payload) (next-method)
+ (values header
+ (filter (match-lambda
+ (('iat . _) #f)
+ (else #t))
+ payload))))
+
+(with-test-environment
+ "dpop-proof-no-explicit-iat"
+ (lambda ()
+ (define jwk (generate-key #:n-size 2048))
+ (define idp-key (generate-key #:n-size 2048))
+ (define cnf (jkt jwk))
+ (define access-token
+ (parameterize ((p:current-date 10))
+ (issue <access-token>
+ idp-key
+ #:webid (string->uri "https://data.provider/subject")
+ #:iss (string->uri "https://identity.provider")
+ #:client-key jwk
+ #:client-id (string->uri "https://client"))))
+ (define proof
+ (parameterize ((p:current-date 0))
+ (issue <dpop-proof-without-iat>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res?query")
+ #:access-token access-token)))
+ (unless malicious-jwt-created?
+ (exit 1))
+ (with-exception-handler
+ (lambda (error)
+ (unless (invalid-jws? error) ;; iat should not be missing
+ (exit 2)))
+ (lambda ()
+ (parameterize ((p:current-date 180))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf
+ #:access-token access-token))
+ (exit 3))
+ #:unwind? #t
+ #:unwind-for-type &invalid-jws)))
diff --git a/tests/dpop-proof-replay.scm b/tests/dpop-proof-replay.scm
index 19e6a30..5720d93 100644
--- a/tests/dpop-proof-replay.scm
+++ b/tests/dpop-proof-replay.scm
@@ -31,23 +31,24 @@
(define cnf (jkt jwk))
(define proof
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- jwk
- #:htm 'GET
- #:htu (string->uri "https://example.com/res#frag"))))
- (define (decode)
+ (issue <dpop-proof>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res#frag"))))
+ (define (do-decode)
(parameterize ((p:current-date 10))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf)))
- (define decoded-once (decode))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf)))
+ (define decoded-once (do-decode))
(with-exception-handler
(lambda (error)
(unless (jti-found? error)
(raise-exception error)))
(lambda ()
- (decode)
+ (do-decode)
(exit 2))
#:unwind? #t
#:unwind-for-type &jti-found)))
diff --git a/tests/dpop-proof-valid-ath.scm b/tests/dpop-proof-valid-ath.scm
index 2a27e88..afcc9cd 100644
--- a/tests/dpop-proof-valid-ath.scm
+++ b/tests/dpop-proof-valid-ath.scm
@@ -31,26 +31,27 @@
(define cnf (jkt jwk))
(define access-token
(parameterize ((p:current-date 10))
- (issue-access-token
- idp-key
- #:webid (string->uri "https://data.provider/subject")
- #:iss (string->uri "https://identity.provider")
- #:validity 3600
- #:client-key jwk
- #:client-id (string->uri "https://client"))))
+ (issue <access-token>
+ idp-key
+ #:webid "https://data.provider/subject"
+ #:iss "https://identity.provider"
+ #:client-key jwk
+ #:client-id "https://client")))
(define proof
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- jwk
- #:htm 'GET
- #:htu (string->uri "https://example.com/res#frag")
- #:access-token access-token)))
+ (issue <dpop-proof>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu "https://example.com/res#frag"
+ #:access-token access-token)))
(define decoded
(parameterize ((p:current-date 10))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf
- #:access-token access-token)))
+ (decode <dpop-proof>
+ proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf
+ #:access-token access-token)))
(unless decoded
(exit 1))))
diff --git a/tests/dpop-proof-valid.scm b/tests/dpop-proof-valid.scm
index 71ef602..1ef50d4 100644
--- a/tests/dpop-proof-valid.scm
+++ b/tests/dpop-proof-valid.scm
@@ -30,15 +30,16 @@
(define cnf (jkt jwk))
(define proof
(parameterize ((p:current-date 0))
- (issue-dpop-proof
+ (issue <dpop-proof>
jwk
+ #:jwk (public-key jwk)
#:htm 'GET
#:htu (string->uri "https://example.com/res#frag"))))
(define decoded
(parameterize ((p:current-date 10))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf)))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf)))
(unless decoded
(exit 1))))
diff --git a/tests/dpop-proof-wrong-htm.scm b/tests/dpop-proof-wrong-htm.scm
index 1e94f72..b59dc9a 100644
--- a/tests/dpop-proof-wrong-htm.scm
+++ b/tests/dpop-proof-wrong-htm.scm
@@ -31,10 +31,11 @@
(define cnf (jkt jwk))
(define proof
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- jwk
- #:htm 'POST
- #:htu (string->uri "https://example.com/res#frag"))))
+ (issue <dpop-proof>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'POST
+ #:htu (string->uri "https://example.com/res#frag"))))
(with-exception-handler
(lambda (error)
(unless (and (dpop-method-mismatch? error)
@@ -45,10 +46,10 @@
(raise-exception error)))
(lambda ()
(parameterize ((p:current-date 10))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/jkt cnf))
(exit 2))
#:unwind? #t
#:unwind-for-type &dpop-method-mismatch)))
diff --git a/tests/dpop-proof-wrong-htu.scm b/tests/dpop-proof-wrong-htu.scm
index 299060e..68303d9 100644
--- a/tests/dpop-proof-wrong-htu.scm
+++ b/tests/dpop-proof-wrong-htu.scm
@@ -31,10 +31,11 @@
(define cnf (jkt jwk))
(define proof
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- jwk
- #:htm 'GET
- #:htu (string->uri "https://example.com/other-res#frag"))))
+ (issue <dpop-proof>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/other-res#frag"))))
(with-exception-handler
(lambda (error)
(unless (and (dpop-uri-mismatch? error)
@@ -45,10 +46,10 @@
(raise-exception error)))
(lambda ()
(parameterize ((p:current-date 10))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/jkt cnf))
(exit 2))
#:unwind? #t
#:unwind-for-type &dpop-uri-mismatch)))
diff --git a/tests/dpop-proof-wrong-key.scm b/tests/dpop-proof-wrong-key.scm
index 1f3d033..cb5d4e5 100644
--- a/tests/dpop-proof-wrong-key.scm
+++ b/tests/dpop-proof-wrong-key.scm
@@ -31,20 +31,21 @@
(define cnf (jkt (generate-key #:n-size 2048)))
(define proof
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- jwk
- #:htm 'GET
- #:htu (string->uri "https://example.com/res#frag"))))
+ (issue <dpop-proof>
+ jwk
+ #:jwk (public-key jwk)
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res#frag"))))
(with-exception-handler
(lambda (error)
(unless (dpop-unconfirmed-key? error)
(raise-exception error)))
(lambda ()
(parameterize ((p:current-date 10))
- (dpop-proof-decode 'GET
- (string->uri "https://example.com/res?query")
- proof
- cnf))
+ (decode <dpop-proof> proof
+ #:method 'GET
+ #:uri (string->uri "https://example.com/res?query")
+ #:cnf/check cnf))
(exit 2))
#:unwind? #t
#:unwind-for-type &dpop-unconfirmed-key)))
diff --git a/tests/jws.scm b/tests/jws.scm
deleted file mode 100644
index a5c9330..0000000
--- a/tests/jws.scm
+++ /dev/null
@@ -1,70 +0,0 @@
-;; disfluid, implementation of the Solid specification
-;; Copyright (C) 2020, 2021 Vivien Kraus
-
-;; This program is free software: you can redistribute it and/or modify
-;; it under the terms of the GNU Affero General Public License as
-;; published by the Free Software Foundation, either version 3 of the
-;; License, or (at your option) any later version.
-
-;; This program is distributed in the hope that it will be useful,
-;; but WITHOUT ANY WARRANTY; without even the implied warranty of
-;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
-;; GNU Affero General Public License for more details.
-
-;; You should have received a copy of the GNU Affero General Public License
-;; along with this program. If not, see <https://www.gnu.org/licenses/>.
-
-(use-modules (webid-oidc stubs)
- (webid-oidc jwk)
- (webid-oidc jws)
- (webid-oidc testing))
-
-(with-test-environment
- "jws"
- (lambda ()
- (let* ((key
- (jwk->key
- (json-string->scm "{\"kty\":\"RSA\",\"e\":\"AQAB\",\"kid\":\"db7cdbbf-0ca3-48da-abf6-8f34002a4651\",\"n\":\"nzyis1ZjfNB0bBgKFMSvvkTtwlvBsaJq7S5wA-kzeVOVpVWwkWdVha4s38XM_pa_yr47av7-z3VTmvDRyAHcaT92whREFpLv9cj5lTeJSibyr_Mrm_YtjCZVWgaOYIhwrXwKLqPr_11inWsAkfIytvHWTxZYEcXLgAXFuUuaS3uF9gEiNQwzGTU1v0FqkqTBr4B8nW3HCN47XUu0t8Y0e-lf4s4OxQawWD79J9_5d3Ry0vbV3Am1FtGJiJvOwRsIfVChDpYStTcHTCMqtvWbV6L11BWkpzGXSW4Hv43qa-GSYOD2QU68Mb59oSk2OB-BtOLpJofmbGEGgvmwyCI9Mw\"}")))
- (other-key (generate-key #:n-size 2048))
- (encoded "eyJhbGciOiJQUzI1NiIsInR5cCI6IkpXVCJ9.eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWUsImlhdCI6MTUxNjIzOTAyMn0.hZnl5amPk_I3tb4O-Otci_5XZdVWhPlFyVRvcqSwnDo_srcysDvhhKOD01DigPK1lJvTSTolyUgKGtpLqMfRDXQlekRsF4XhAjYZTmcynf-C-6wO5EI4wYewLNKFGGJzHAknMgotJFjDi_NCVSjHsW3a10nTao1lB82FRS305T226Q0VqNVJVWhE4G0JQvi2TssRtCxYTqzXVt22iDKkXeZJARZ1paXHGV5Kd1CljcZtkNZYIGcwnj65gvuCwohbkIxAnhZMJXCLaVvHqv9l-AAUV7esZvkQR1IpwBAiDQJh4qxPjFGylyXrHMqh5NlT_pWL2ZoULWTg_TJjMO9TuQ")
- (expected-alg "PS256")
- (expected-typ "JWT")
- (expected-sub "1234567890")
- (expected-name "John Doe")
- (expected-admin #t)
- (expected-iat 1516239022)
- (parsed (jws-decode encoded (lambda (jws)
- (and (jws? jws)
- key))))
- (parsed-header (car parsed))
- (parsed-payload (cdr parsed))
- (alg (jws-alg parsed))
- (typ (assq-ref parsed-header 'typ))
- (sub (assq-ref parsed-payload 'sub))
- (name (assq-ref parsed-payload 'name))
- (admin (assq-ref parsed-payload 'admin))
- (iat (assq-ref parsed-payload 'iat))
- (re-encoded (jws-encode parsed other-key))
- (re-parsed (jws-decode re-encoded (lambda (jws) other-key)))
- (re-parsed-header (car re-parsed))
- (re-parsed-payload (cdr re-parsed))
- (re-alg (jws-alg re-parsed))
- (re-typ (assq-ref re-parsed-header 'typ))
- (re-sub (assq-ref re-parsed-payload 'sub))
- (re-name (assq-ref re-parsed-payload 'name))
- (re-admin (assq-ref re-parsed-payload 'admin))
- (re-iat (assq-ref re-parsed-payload 'iat)))
- (unless (and (equal? alg expected-alg)
- (equal? re-alg expected-alg)
- (equal? typ expected-typ)
- (equal? re-typ expected-typ)
- (equal? sub expected-sub)
- (equal? re-sub expected-sub)
- (equal? name expected-name)
- (equal? re-name expected-name)
- (equal? admin expected-admin)
- (equal? re-admin expected-admin)
- (equal? iat expected-iat)
- (equal? re-iat expected-iat))
- (format (current-error-port)
- "The JWS test failed.")))))
diff --git a/tests/resource-server.scm b/tests/resource-server.scm
index 02b7e46..a8032b1 100644
--- a/tests/resource-server.scm
+++ b/tests/resource-server.scm
@@ -57,23 +57,23 @@
(else (exit 1))))
(define access-token
(parameterize ((p:current-date 10))
- (issue-access-token
- idp-key
- #:webid subject
- #:iss (string->uri "https://identity.provider")
- #:validity 3600
- #:client-key client-key
- #:client-id (string->uri "https://client"))))
+ (issue <access-token>
+ idp-key
+ #:webid subject
+ #:iss (string->uri "https://identity.provider")
+ #:client-key client-key
+ #:client-id (string->uri "https://client"))))
(define uri (string->uri "https://resource.server/resource"))
(define server-uri (string->uri "https://resource.server/"))
(define method 'GET)
(define dpop-proof
(parameterize ((p:current-date 15))
- (issue-dpop-proof
- client-key
- #:htm method
- #:htu uri
- #:access-token access-token)))
+ (issue <dpop-proof>
+ client-key
+ #:jwk (public-key client-key)
+ #:htm method
+ #:htu uri
+ #:access-token access-token)))
(define rq
(call-with-input-string
(format #f "GET /resource HTTP/1.1\r\n\
diff --git a/tests/token-endpoint-issue.scm b/tests/token-endpoint-issue.scm
index c80658c..0815c30 100644
--- a/tests/token-endpoint-issue.scm
+++ b/tests/token-endpoint-issue.scm
@@ -43,11 +43,10 @@
(define validity 3600)
(define authz
(parameterize ((p:current-date 0))
- (issue-authorization-code
- key
- #:validity 120
- #:webid subject
- #:client-id client)))
+ (issue <authorization-code>
+ key
+ #:webid subject
+ #:client-id client)))
(define endpoint
(make-token-endpoint
(string->uri "https://token-endpoint-issue.scm/token")
@@ -56,11 +55,12 @@
;; The code is fake!
(let ((dpop
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- client-key
- #:htm 'POST
- #:htu (string->uri
- "https://token-endpoint-issue.scm/token")))))
+ (issue <dpop-proof>
+ client-key
+ #:jwk (public-key client-key)
+ #:htm 'POST
+ #:htu (string->uri
+ "https://token-endpoint-issue.scm/token")))))
(parameterize ((p:current-date 0))
(endpoint
(build-request (string->uri
@@ -75,11 +75,12 @@
(receive (response response-body . _)
(let ((dpop
(parameterize ((p:current-date 10))
- (issue-dpop-proof
- client-key
- #:htm 'POST
- #:htu (string->uri
- "https://token-endpoint-issue.scm/token")))))
+ (issue <dpop-proof>
+ client-key
+ #:jwk (public-key client-key)
+ #:htm 'POST
+ #:htu (string->uri
+ "https://token-endpoint-issue.scm/token")))))
(parameterize ((p:current-date 10))
(endpoint
(build-request (string->uri
@@ -101,11 +102,29 @@
(exit 6))
(unless refresh-token-enc
(exit 7))
- (let ((access-token (jws-decode access-token-enc
- (lambda (h) key))))
+ (let ((access-token
+ (parameterize ((p:current-date 20))
+ (decode <access-token> access-token-enc
+ #:http-request
+ (lambda* (uri . args)
+ (cond
+ ((equal? uri (string->uri "https://issuer.token-endpoint-issue.scm/.well-known/openid-configuration"))
+ (values (build-response #:headers '((content-type application/json)))
+ "{
+ \"jwks_uri\": \"https://token-endpoint-issue.scm/keys\",
+ \"token_endpoint\": \"https://token-endpoint-issue.scm/token\",
+ \"authorization_endpoint\": \"https://token-endpoint-issue.scm/authorize\",
+ \"solid_oidc_supported\": \"https://solidproject.org/TR/solid-oidc\"
+}"))
+ ((equal? uri (string->uri "https://token-endpoint-issue.scm/keys"))
+ (values (build-response #:headers '((content-type application/json)))
+ (stubs:scm->json-string `((keys . ,(list->vector (list (key->jwk key))))))))
+ (else
+ (format (current-error-port) "Unknown URI: ~s\n" (uri->string uri))
+ (exit 11))))))))
(unless access-token
(exit 8))
- (let ((access-token-cnf/jkt (access-token-cnf/jkt access-token)))
+ (let ((access-token-cnf/jkt (cnf/jkt access-token)))
(unless access-token-cnf/jkt
(exit 9))
(unless (string=? access-token-cnf/jkt (jkt client-key))
diff --git a/tests/token-endpoint-refresh.scm b/tests/token-endpoint-refresh.scm
index f14d648..f0174b8 100644
--- a/tests/token-endpoint-refresh.scm
+++ b/tests/token-endpoint-refresh.scm
@@ -19,6 +19,7 @@
(webid-oidc refresh-token)
(webid-oidc dpop-proof)
(webid-oidc jwk)
+ (webid-oidc access-token)
(webid-oidc jws)
(webid-oidc jti)
(webid-oidc testing)
@@ -50,11 +51,12 @@
;; The refresh token is fake!
(let ((dpop
(parameterize ((p:current-date 0))
- (issue-dpop-proof
- client-key
- #:htm 'POST
- #:htu (string->uri
- "https://token-endpoint-issue.scm/token")))))
+ (issue <dpop-proof>
+ client-key
+ #:jwk (public-key client-key)
+ #:htm 'POST
+ #:htu (string->uri
+ "https://token-endpoint-issue.scm/token")))))
(parameterize ((p:current-date 0))
(endpoint
(build-request (string->uri
@@ -69,11 +71,12 @@
(receive (response response-body user error)
(let ((dpop
(parameterize ((p:current-date 10))
- (issue-dpop-proof
- client-key
- #:htm 'POST
- #:htu (string->uri
- "https://token-endpoint-issue.scm/token")))))
+ (issue <dpop-proof>
+ client-key
+ #:jwk (public-key client-key)
+ #:htm 'POST
+ #:htu (string->uri
+ "https://token-endpoint-issue.scm/token")))))
(parameterize ((p:current-date 10))
(endpoint
(build-request (string->uri
@@ -94,17 +97,31 @@
(exit 6))
(unless refresh-token-enc
(exit 7))
- (let ((access-token (jws-decode access-token-enc
- (lambda (h) key))))
+ (let ((access-token
+ (parameterize ((p:current-date 20))
+ (decode <access-token> access-token-enc
+ #:http-request
+ (lambda* (uri . args)
+ (cond
+ ((equal? uri (string->uri "https://issuer.token-endpoint-issue.scm/.well-known/openid-configuration"))
+ (values (build-response #:headers '((content-type application/json)))
+ "{
+ \"jwks_uri\": \"https://token-endpoint-issue.scm/keys\",
+ \"token_endpoint\": \"https://token-endpoint-issue.scm/token\",
+ \"authorization_endpoint\": \"https://token-endpoint-issue.scm/authorize\",
+ \"solid_oidc_supported\": \"https://solidproject.org/TR/solid-oidc\"
+}"))
+ ((equal? uri (string->uri "https://token-endpoint-issue.scm/keys"))
+ (values (build-response #:headers '((content-type application/json)))
+ (stubs:scm->json-string `((keys . ,(list->vector (list (key->jwk key))))))))
+ (else
+ (exit 8))))))))
(unless access-token
- (exit 8))
- (let ((access-token-cnf (assq-ref access-token 'cnf)))
- (unless access-token-cnf
- (exit 9))
- (let ((access-token-cnf/jkt (assq-ref access-token-cnf 'jkt)))
- (unless access-token-cnf/jkt
- (exit 10))
- (unless (string=? access-token-cnf/jkt (jkt client-key))
- (exit 11))))
- (unless (string=? refresh-token-enc refresh-code)
- (exit 12)))))))))
+ (exit 9))
+ (let ((access-token-cnf/jkt (cnf/jkt access-token)))
+ (unless access-token-cnf/jkt
+ (exit 10))
+ (unless (string=? access-token-cnf/jkt (jkt client-key))
+ (exit 11))))
+ (unless (string=? refresh-token-enc refresh-code)
+ (exit 12))))))))
generated by cgit v1.2.3 (git 2.44.0) at 2024-05-19 17:15:57 +0000