forked from jwt/ruby-jwt
/
decode_with_jwk_spec.rb
166 lines (144 loc) · 7.11 KB
/
decode_with_jwk_spec.rb
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
# frozen_string_literal: true
RSpec.describe JWT do
describe '.decode for JWK usecase' do
let(:keypair) { OpenSSL::PKey::RSA.new(2048) }
let(:jwk) { JWT::JWK.new(keypair) }
let(:public_jwks) { { keys: [jwk.export, { kid: 'not_the_correct_one' }] } }
let(:token_payload) { {'data' => 'something'} }
let(:token_headers) { { kid: jwk.kid } }
let(:signed_token) { described_class.encode(token_payload, jwk.keypair, 'RS512', token_headers) }
context 'when JWK features are used manually' do
it 'is able to decode the token' do
payload, _header = described_class.decode(signed_token, nil, true, { algorithms: ['RS512'] }) do |header, _payload|
JWT::JWK.import(public_jwks[:keys].find { |key| key[:kid] == header['kid'] }).keypair
end
expect(payload).to eq(token_payload)
end
end
context 'when jwk keys are given as an array' do
context 'and kid is in the set' do
it 'is able to decode the token' do
payload, _header = described_class.decode(signed_token, nil, true, { algorithms: ['RS512'], jwks: public_jwks})
expect(payload).to eq(token_payload)
end
end
context 'and kid is not in the set' do
before do
public_jwks[:keys].first[:kid] = 'NOT_A_MATCH'
end
it 'raises an exception' do
expect { described_class.decode(signed_token, nil, true, { algorithms: ['RS512'], jwks: public_jwks}) }.to raise_error(
JWT::DecodeError, /Could not find public key for kid .*/
)
end
end
context 'no keys are found in the set' do
let(:public_jwks) { {keys: []} }
it 'raises an exception' do
expect { described_class.decode(signed_token, nil, true, { algorithms: ['RS512'], jwks: public_jwks}) }.to raise_error(
JWT::DecodeError, /No keys found in jwks/
)
end
end
context 'token does not know the kid' do
let(:token_headers) { {} }
it 'raises an exception' do
expect { described_class.decode(signed_token, nil, true, { algorithms: ['RS512'], jwks: public_jwks}) }.to raise_error(
JWT::DecodeError, 'No key id (kid) found from token headers'
)
end
end
end
context 'when jwk keys are loaded using a proc/lambda' do
it 'decodes the token' do
payload, _header = described_class.decode(signed_token, nil, true, { algorithms: ['RS512'], jwks: lambda { |_opts| public_jwks }})
expect(payload).to eq(token_payload)
end
end
context 'when jwk keys are rotated' do
it 'decodes the token' do
key_loader = ->(options) { options[:invalidate] ? public_jwks : { keys: [] } }
payload, _header = described_class.decode(signed_token, nil, true, { algorithms: ['RS512'], jwks: key_loader})
expect(payload).to eq(token_payload)
end
end
context 'when jwk keys are loaded from JSON with string keys' do
it 'decodes the token' do
key_loader = ->(options) { JSON.parse(JSON.generate(public_jwks)) }
payload, _header = described_class.decode(signed_token, nil, true, { algorithms: ['RS512'], jwks: key_loader})
expect(payload).to eq(token_payload)
end
end
context 'mixing algorithms using kid header' do
let(:hmac_jwk) { JWT::JWK.new('secret') }
let(:rsa_jwk) { JWT::JWK.new(OpenSSL::PKey::RSA.new(2048)) }
let(:ec_jwk_secp384r1) { JWT::JWK.new(OpenSSL::PKey::EC.new('secp384r1').generate_key) }
let(:ec_jwk_secp521r1) { JWT::JWK.new(OpenSSL::PKey::EC.new('secp521r1').generate_key) }
let(:jwks) { { keys: [hmac_jwk.export(include_private: true), rsa_jwk.export, ec_jwk_secp384r1.export, ec_jwk_secp521r1.export] } }
context 'when RSA key is pointed to as HMAC secret' do
let(:signed_token) { described_class.encode({'foo' => 'bar'}, 'is not really relevant in the scenario', 'HS256', { kid: rsa_jwk.kid }) }
it 'fails in some way' do
expect { described_class.decode(signed_token, nil, true, algorithms: ['HS256'], jwks: jwks) }.to(
raise_error do |e|
if defined?(RbNaCl)
expect(e).to be_a(NoMethodError)
expect(e.message).to match(/undefined method `bytesize'/)
else
expect(e).to be_a(TypeError)
expect(e.message).to eq('no implicit conversion of OpenSSL::PKey::RSA into String')
end
end
)
end
end
context 'when EC key is pointed to as HMAC secret' do
let(:signed_token) { described_class.encode({'foo' => 'bar'}, 'is not really relevant in the scenario', 'HS256', { kid: ec_jwk_secp384r1.kid }) }
it 'fails in some way' do
expect { described_class.decode(signed_token, nil, true, algorithms: ['HS256'], jwks: jwks) }.to(
raise_error do |e|
if defined?(RbNaCl)
expect(e).to be_a(NoMethodError)
expect(e.message).to match(/undefined method `bytesize'/)
else
expect(e).to be_a(TypeError)
expect(e.message).to eq('no implicit conversion of OpenSSL::PKey::EC into String')
end
end
)
end
end
context 'when EC key is pointed to as RSA public key' do
let(:signed_token) { described_class.encode({'foo' => 'bar'}, rsa_jwk.keypair, 'RS512', { kid: ec_jwk_secp384r1.kid }) }
it 'fails in some way' do
expect { described_class.decode(signed_token, nil, true, algorithms: ['RS512'], jwks: jwks) }.to(
raise_error(JWT::VerificationError, 'Signature verification raised')
)
end
end
context 'when HMAC secret is pointed to as RSA public key' do
let(:signed_token) { described_class.encode({'foo' => 'bar'}, rsa_jwk.keypair, 'RS512', { kid: hmac_jwk.kid }) }
it 'fails in some way' do
expect { described_class.decode(signed_token, nil, true, algorithms: ['RS512'], jwks: jwks) }.to(
raise_error(NoMethodError, /undefined method `verify' for \"secret\":String/)
)
end
end
context 'when HMAC secret is pointed to as EC public key' do
let(:signed_token) { described_class.encode({'foo' => 'bar'}, ec_jwk_secp384r1.keypair, 'ES384', { kid: hmac_jwk.kid }) }
it 'fails in some way' do
expect { described_class.decode(signed_token, nil, true, algorithms: ['ES384'], jwks: jwks) }.to(
raise_error(NoMethodError, /undefined method `group' for \"secret\":String/)
)
end
end
context 'when ES384 key is pointed to as ES512 key' do
let(:signed_token) { described_class.encode({'foo' => 'bar'}, ec_jwk_secp384r1.keypair, 'ES512', { kid: ec_jwk_secp521r1.kid }) }
it 'fails in some way' do
expect { described_class.decode(signed_token, nil, true, algorithms: ['ES512'], jwks: jwks) }.to(
raise_error(JWT::IncorrectAlgorithm, 'payload algorithm is ES512 but ES384 signing key was provided')
)
end
end
end
end
end