From 4d9a10165a6c7bf8df6f86f032bf7b3412e83ae6 Mon Sep 17 00:00:00 2001
From: Vivien Kraus
Date: Thu, 22 Jul 2021 11:00:12 +0200
Subject: DPoP proof: support the "ath" claim
---
 tests/Makefile.am | 3 ++
 tests/dpop-proof-invalid-ath.scm | 73 ++++++++++++++++++++++++++++++++++++++++
 tests/dpop-proof-no-ath.scm | 59 ++++++++++++++++++++++++++++++++
 tests/dpop-proof-valid-ath.scm | 60 +++++++++++++++++++++++++++++++++
 tests/resource-server.scm | 3 +-
 5 files changed, 197 insertions(+), 1 deletion(-)
 create mode 100644 tests/dpop-proof-invalid-ath.scm
 create mode 100644 tests/dpop-proof-no-ath.scm
 create mode 100644 tests/dpop-proof-valid-ath.scm
(limited to 'tests')
diff --git a/tests/Makefile.am b/tests/Makefile.am
index dfcbefe..086ccbd 100644
--- a/tests/Makefile.am
+++ b/tests/Makefile.am
@@ -34,12 +34,15 @@ TESTS = %reldir%/load-library.scm \
 %reldir%/cache-revalidate.scm \
 %reldir%/oidc-configuration.scm \
 %reldir%/dpop-proof-valid.scm \
+ %reldir%/dpop-proof-valid-ath.scm \
 %reldir%/dpop-proof-wrong-htm.scm \
 %reldir%/dpop-proof-wrong-htu.scm \
 %reldir%/dpop-proof-iat-in-future.scm \
 %reldir%/dpop-proof-iat-too-late.scm \
 %reldir%/dpop-proof-wrong-key.scm \
 %reldir%/dpop-proof-replay.scm \
+ %reldir%/dpop-proof-no-ath.scm \
+ %reldir%/dpop-proof-invalid-ath.scm \
 %reldir%/client-manifest-public.scm \
 %reldir%/client-manifest.scm \
 %reldir%/client-manifest-fraudulent.scm \
diff --git a/tests/dpop-proof-invalid-ath.scm b/tests/dpop-proof-invalid-ath.scm
new file mode 100644
index 0000000..e802ffe
--- /dev/null
+++ b/tests/dpop-proof-invalid-ath.scm
@@ -0,0 +1,73 @@
+;; webid-oidc, implementation of the Solid specification
+;; Copyright (C) 2021 Vivien Kraus
+
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU Affero General Public License as
+;; published by the Free Software Foundation, either version 3 of the
+;; License, or (at your option) any later version.
+
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU Affero General Public License for more details.
+
+;; You should have received a copy of the GNU Affero General Public License
+;; along with this program. If not, see .
+
+(use-modules (webid-oidc dpop-proof)
+ (webid-oidc access-token)
+ (webid-oidc jti)
+ (webid-oidc jwk)
+ (webid-oidc testing)
+ (webid-oidc errors)
+ ((webid-oidc stubs) #:prefix stubs:)
+ (web uri)
+ (srfi srfi-19)
+ (web response))
+
+(with-test-environment
+ "dpop-proof-invalid-ath"
+ (lambda ()
+ (define jwk (generate-key #:n-size 2048))
+ (define idp-key (generate-key #:n-size 2048))
+ (define cnf (jkt jwk))
+ (define blacklist (make-jti-list))
+ (define access-token
+ (issue-access-token
+ idp-key
+ #:alg 'RS256
+ #:webid "https://data.provider/subject"
+ #:iss "https://identity.provider"
+ #:iat 10
+ #:exp 3610
+ #:client-key jwk
+ #:client-id "https://client"))
+ (define proof
+ (issue-dpop-proof
+ jwk
+ #:alg 'RS256
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res?query")
+ #:iat (time-utc->date (make-time time-utc 0 0))
+ #:access-token "aaaaaaaaaaaaaaa"))
+ (with-exception-handler
+ (lambda (error)
+ (let ((cause
+ ((record-accessor &cannot-decode-dpop-proof 'cause) error)))
+ (unless (dpop-invalid-access-token-hash? cause)
+ (raise-exception error))
+ (unless (and (equal? (dpop-invalid-access-token-hash-hash cause)
+ (stubs:hash 'SHA-256 "aaaaaaaaaaaaaaa"))
+ (equal? (dpop-invalid-access-token-hash-access-token cause) access-token))
+ (exit 1))))
+ (lambda ()
+ (dpop-proof-decode (time-utc->date (make-time time-utc 0 10))
+ blacklist
+ 'GET
+ (string->uri "https://example.com/res?query")
+ proof
+ cnf
+ #:access-token access-token)
+ (exit 2))
+ #:unwind? #t
+ #:unwind-for-type &cannot-decode-dpop-proof)))
diff --git a/tests/dpop-proof-no-ath.scm b/tests/dpop-proof-no-ath.scm
new file mode 100644
index 0000000..67b8a70
--- /dev/null
+++ b/tests/dpop-proof-no-ath.scm
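Review bot: The negative case binds the proof to the garbage string "aaaaaaaaaaaaaaa" in the issue-dpop-proof call, so it does not show that a proof whose ath was computed over a different, genuinely issued access token is rejected, which is the token-substitution case the claim exists to catch. Consider issuing a second token with issue-access-token from the same idp-key, passing it as #:access-token to issue-dpop-proof while decoding with access-token, and comparing the cause's hash against `(stubs:hash 'SHA-256 other-token)`. The two bare exits are hard to diagnose when the test fails; a short comment on each would help, e.g. `;; cause reports a different hash or token than the ones presented` before `(exit 1)` and `;; decoding must not succeed with a mismatching ath` before `(exit 2)`.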
@@ -0,0 +1,59 @@
+;; webid-oidc, implementation of the Solid specification
+;; Copyright (C) 2021 Vivien Kraus
+
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU Affero General Public License as
+;; published by the Free Software Foundation, either version 3 of the
+;; License, or (at your option) any later version.
+
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU Affero General Public License for more details.
+
+;; You should have received a copy of the GNU Affero General Public License
+;; along with this program. If not, see .
+
+(use-modules (webid-oidc dpop-proof)
+ (webid-oidc jti)
+ (webid-oidc jwk)
+ (webid-oidc testing)
+ (webid-oidc errors)
+ (web uri)
+ (srfi srfi-19)
+ (web response))
+
+(with-test-environment
+ "dpop-proof-no-ath"
+ (lambda ()
+ (define jwk (generate-key #:n-size 2048))
+ (define cnf (jkt jwk))
+ (define blacklist (make-jti-list))
+ (define proof
+ (issue-dpop-proof
+ jwk
+ #:alg 'RS256
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res?query")
+ #:iat (time-utc->date (make-time time-utc 0 0))))
+ (with-exception-handler
+ (lambda (error)
+ (let ((cause
+ ((record-accessor &cannot-decode-dpop-proof 'cause) error)))
+ (unless (dpop-invalid-access-token-hash? cause)
+ (raise-exception error))
+ (when (dpop-invalid-access-token-hash-hash cause)
+ ;; An #f value for hash indicates that there was no ath
+ ;; claim
+ (exit 1))))
+ (lambda ()
+ (dpop-proof-decode (time-utc->date (make-time time-utc 0 10))
+ blacklist
+ 'GET
+ (string->uri "https://example.com/res?query")
+ proof
+ cnf
+ #:access-token "aaa")
+ (exit 2))
+ #:unwind? #t
+ #:unwind-for-type &cannot-decode-dpop-proof)))
diff --git a/tests/dpop-proof-valid-ath.scm b/tests/dpop-proof-valid-ath.scm
new file mode 100644
index 0000000..259190f
--- /dev/null
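Review bot: The handler only checks the hash field of the cause, so it does not pin which token the error reports; adding `(equal? (dpop-invalid-access-token-hash-access-token cause) "aaa")` alongside the hash check, as dpop-proof-invalid-ath.scm does, would make the two tests consistent. The decode is driven with `#:access-token "aaa"`, a string that is not an issued token, which is enough to show that a missing ath is rejected whenever an access token accompanies the proof; the complementary case, an ath-less proof decoded with no #:access-token at all, is not covered here and presumably relies on the pre-existing dpop-proof-valid.scm. The inline comment would read better placed before the `when` and stated in full: `;; hash is #f when the proof carried no ath claim; any other value means issue-dpop-proof added one despite no token being given`.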
+++ b/tests/dpop-proof-valid-ath.scm
@@ -0,0 +1,60 @@
+;; webid-oidc, implementation of the Solid specification
+;; Copyright (C) 2020, 2021 Vivien Kraus
+
+;; This program is free software: you can redistribute it and/or modify
+;; it under the terms of the GNU Affero General Public License as
+;; published by the Free Software Foundation, either version 3 of the
+;; License, or (at your option) any later version.
+
+;; This program is distributed in the hope that it will be useful,
+;; but WITHOUT ANY WARRANTY; without even the implied warranty of
+;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+;; GNU Affero General Public License for more details.
+
+;; You should have received a copy of the GNU Affero General Public License
+;; along with this program. If not, see .
+
+(use-modules (webid-oidc dpop-proof)
+ (webid-oidc access-token)
+ (webid-oidc jti)
+ (webid-oidc jwk)
+ (webid-oidc testing)
+ (web uri)
+ (srfi srfi-19)
+ (web response))
+
+(with-test-environment
+ "dpop-proof-valid"
+ (lambda ()
+ (define jwk (generate-key #:n-size 2048))
+ (define idp-key (generate-key #:n-size 2048))
+ (define cnf (jkt jwk))
+ (define blacklist (make-jti-list))
+ (define access-token
+ (issue-access-token
+ idp-key
+ #:alg 'RS256
+ #:webid "https://data.provider/subject"
+ #:iss "https://identity.provider"
+ #:iat 10
+ #:exp 3610
+ #:client-key jwk
+ #:client-id "https://client"))
+ (define proof
+ (issue-dpop-proof
+ jwk
+ #:alg 'RS256
+ #:htm 'GET
+ #:htu (string->uri "https://example.com/res#frag")
+ #:iat (time-utc->date (make-time time-utc 0 0))
+ #:access-token access-token))
+ (define decoded
+ (dpop-proof-decode (time-utc->date (make-time time-utc 0 10))
+ blacklist
+ 'GET
+ (string->uri "https://example.com/res?query")
+ proof
+ cnf
+ #:access-token access-token))
+ (unless decoded
+ (exit 1))))
diff --git a/tests/resource-server.scm b/tests/resource-server.scm
index 1a8e30a..ef5e0b7 100644
--- a/tests/resource-server.scm
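Review bot: The with-test-environment name is "dpop-proof-valid", the same name the pre-existing dpop-proof-valid.scm listed in Makefile.am presumably uses, while this file is dpop-proof-valid-ath.scm; if the name selects a per-test directory or log, the two tests may collide, so it should be `"dpop-proof-valid-ath"`. The positive check `(unless decoded (exit 1))` only establishes that dpop-proof-decode returned a truthy value, which the pre-existing valid test already does; if the decoded record exposes the verified ath, asserting it equals the SHA-256 of access-token would show the claim was actually checked rather than ignored. The proof is issued for htu "https://example.com/res#frag" but decoded against "https://example.com/res?query", so the test also depends on query and fragment being dropped from the htu comparison; a one-line comment, `;; htu comparison ignores query and fragment, as DPoP requires`, would keep a reader from taking the mismatch for a typo.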
+++ b/tests/resource-server.scm
@@ -73,7 +73,8 @@
 #:alg 'RS256
 #:htm method
 #:htu uri
- #:iat (time-utc->date (make-time time-utc 0 15))))
+ #:iat (time-utc->date (make-time time-utc 0 15))
+ #:access-token access-token))
 (define rq
 (call-with-input-string
 (format #f "GET /resource HTTP/1.1\r\n\
-- cgit v1.2.3