blob: 7c09195243b2d0e115c2f0a9353ce611cb9d2462 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
|
;; disfluid, implementation of the Solid specification
;; Copyright (C) 2021 Vivien Kraus
;; This program is free software: you can redistribute it and/or modify
;; it under the terms of the GNU Affero General Public License as
;; published by the Free Software Foundation, either version 3 of the
;; License, or (at your option) any later version.
;; This program is distributed in the hope that it will be useful,
;; but WITHOUT ANY WARRANTY; without even the implied warranty of
;; MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
;; GNU Affero General Public License for more details.
;; You should have received a copy of the GNU Affero General Public License
;; along with this program. If not, see <https://www.gnu.org/licenses/>.
(define-module (tests dpop-proof-no-explicit-iat)
#:use-module (webid-oidc dpop-proof)
#:use-module (webid-oidc access-token)
#:use-module (webid-oidc jwk)
#:use-module (webid-oidc jws)
#:use-module (webid-oidc testing)
#:use-module (webid-oidc errors)
#:use-module ((webid-oidc stubs) #:prefix stubs:)
#:use-module ((webid-oidc parameters) #:prefix p:)
#:use-module (web uri)
#:use-module (srfi srfi-19)
#:use-module (web response)
#:use-module (ice-9 receive)
#:use-module (ice-9 match)
#:use-module (oop goops)
#:declarative? #t)
(define-class <dpop-proof-without-iat> (<dpop-proof>)
#:module-name '(tests dpop-proof-no-explicit-iat))
(define malicious-jwt-created? #f)
(define-method (token->jwt (token <dpop-proof-without-iat>))
(set! malicious-jwt-created? #t)
;; Omit the iat field; check that we don’t provide a default
(receive (header payload) (next-method)
(values header
(filter (match-lambda
(('iat . _) #f)
(else #t))
payload))))
(with-test-environment
"dpop-proof-no-explicit-iat"
(lambda ()
(define jwk (generate-key #:n-size 2048))
(define idp-key (generate-key #:n-size 2048))
(define cnf (jkt jwk))
(define access-token
(parameterize ((p:current-date 10))
(issue <access-token>
idp-key
#:webid (string->uri "https://data.provider/subject")
#:iss (string->uri "https://identity.provider")
#:client-key jwk
#:client-id (string->uri "https://client"))))
(define proof
(parameterize ((p:current-date 0))
(issue <dpop-proof-without-iat>
jwk
#:jwk (public-key jwk)
#:htm 'GET
#:htu (string->uri "https://example.com/res?query")
#:access-token access-token)))
(unless malicious-jwt-created?
(exit 1))
(with-exception-handler
(lambda (error)
(unless (invalid-jws? error) ;; iat should not be missing
(exit 2)))
(lambda ()
(parameterize ((p:current-date 180))
(decode <dpop-proof> proof
#:method 'GET
#:uri (string->uri "https://example.com/res?query")
#:cnf/check cnf
#:access-token access-token))
(exit 3))
#:unwind? #t
#:unwind-for-type &invalid-jws)))
|