Google Git
Sign in
apache / couchdb / eb6a74d5603d4bac1d77fc895946ffbdd99f4b97 / . / test / elixir / test / jwt_roles_claim_test.exs
blob: 28b280e9ca448c3b5685fe1230723bd3599034aa [file] [log] [blame]
defmodule JwtRolesClaimTest do
use CouchTestCase
@global_server_config [
%{
:section => "chttpd",
:key => "authentication_handlers",
:value => [
"{chttpd_auth, jwt_authentication_handler}, ",
"{chttpd_auth, cookie_authentication_handler}, ",
"{chttpd_auth, default_authentication_handler})"
] |> Enum.join
},
%{
:section => "jwt_keys",
:key => "hmac:myjwttestkey",
:value => ~w(
NTNv7j0TuYARvmNMmWXo6fKvM4o6nv/aUi9ryX38ZH+L1bkrnD1ObOQ8JAUmHCBq7
Iy7otZcyAagBLHVKvvYaIpmMuxmARQ97jUVG16Jkpkp1wXOPsrF9zwew6TpczyH
kHgX5EuLg2MeBuiT/qJACs1J0apruOOJCg/gOtkjB4c=
) |> Enum.join()
},
%{
:section => "jwt_keys",
:key => "hmac:myjwttestkey2",
:value => ~w(
VW5kb3VidGVkbHktRW5nYWdpbmctUm9hZHdheS0wMjk=
) |> Enum.join()
}
]
test "case: roles_claim_name (undefined) / roles_claim_path (undefined)" do
server_config = @global_server_config
run_on_modified_server(server_config, fn ->
test_roles(["_couchdb.roles_1", "_couchdb.roles_2"])
test_roles_as_string(["_couchdb_string.roles_1", "_couchdb_string.roles_2"])
end)
end
test "case: roles_claim_name (defined) / roles_claim_path (undefined)" do
server_config =
[
%{
:section => "jwt_auth",
:key => "roles_claim_name",
:value => "my._couchdb.roles"
}
] ++ @global_server_config
run_on_modified_server(server_config, fn ->
test_roles(["my._couchdb.roles_1", "my._couchdb.roles_2"])
test_roles_as_string(["my._couchdb_string.roles_1", "my._couchdb_string.roles_2"])
end)
end
test "case: roles_claim_name (undefined) / roles_claim_path (defined)" do
server_config =
[
%{
:section => "jwt_auth",
:key => "roles_claim_path",
:value => "foo.bar\\.zonk.baz\\.buu.baa.baa\\.bee.roles"
}
] ++ @global_server_config
run_on_modified_server(server_config, fn ->
test_roles(["my_nested_role_1", "my_nested_role_2"])
test_roles_as_string(["my_nested_string_role_1", "my_nested_string_role_2"])
end)
end
test "case: roles_claim_name (defined) / roles_claim_path (defined)" do
server_config =
[
%{
:section => "jwt_auth",
:key => "roles_claim_name",
:value => "my._couchdb.roles"
},
%{
:section => "jwt_auth",
:key => "roles_claim_path",
:value => "foo.bar\\.zonk.baz\\.buu.baa.baa\\.bee.roles"
}
] ++ @global_server_config
run_on_modified_server(server_config, fn ->
test_roles(["my_nested_role_1", "my_nested_role_2"])
test_roles_as_string(["my_nested_string_role_1", "my_nested_string_role_2"])
end)
end
test "case: roles_claim_path with bad input" do
server_config =
[
%{
:section => "jwt_auth",
:key => "roles_claim_path",
:value => "<<foo.bar\\.zonk.baz\\.buu.baa.baa\\.bee.roles"
}
] ++ @global_server_config
run_on_modified_server(server_config, fn ->
test_roles_with_bad_input()
end)
server_config =
[
%{
:section => "jwt_auth",
:key => "roles_claim_path",
:value => "foo.bar\\.zonk.baz\\.buu.baa.baa\\.bee.roles>>"
}
] ++ @global_server_config
run_on_modified_server(server_config, fn ->
test_roles_with_bad_input()
end)
server_config =
[
%{
:section => "jwt_auth",
:key => "roles_claim_path",
:value => "123456"
}
] ++ @global_server_config
run_on_modified_server(server_config, fn ->
test_roles_with_bad_input()
end)
end
def test_roles(roles) do
token = ~w(
eyJ0eXAiOiJKV1QiLCJraWQiOiJteWp3dHRlc3RrZXkiLCJhbGciOiJIUzI1NiJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRyd
WUsImlhdCI6MTY1NTI5NTgxMCwiZXhwIjoxNzU1Mjk5NDEwLCJteSI6eyJuZXN0ZW
QiOnsiX2NvdWNoZGIucm9sZXMiOlsibXlfbmVzdGVkX2NvdWNoZGIucm9sZXNfMSI
sIm15X25lc3RlZF9jb3VjaGRiLnJvbGVzXzEiXX19LCJfY291Y2hkYi5yb2xlcyI6
WyJfY291Y2hkYi5yb2xlc18xIiwiX2NvdWNoZGIucm9sZXNfMiJdLCJteS5fY291Y
2hkYi5yb2xlcyI6WyJteS5fY291Y2hkYi5yb2xlc18xIiwibXkuX2NvdWNoZGIucm
9sZXNfMiJdLCJmb28iOnsiYmFyLnpvbmsiOnsiYmF6LmJ1dSI6eyJiYWEiOnsiYmF
hLmJlZSI6eyJyb2xlcyI6WyJteV9uZXN0ZWRfcm9sZV8xIiwibXlfbmVzdGVkX3Jv
bGVfMiJdfX19fX19.F6kQK-FK0z1kP01bTyw-moXfy2klWfubgF7x7Xitd-0) |> Enum.join()
resp =
Couch.get("/_session",
headers: [authorization: "Bearer #{token}"]
)
assert resp.body["userCtx"]["name"] == "1234567890"
assert resp.body["userCtx"]["roles"] == roles
assert resp.body["info"]["authenticated"] == "jwt"
end
def test_roles_as_string(roles) do
# Different token
token = ~w(
eyJ0eXAiOiJKV1QiLCJraWQiOiJteWp3dHRlc3RrZXkyIiwiYWxnIjoiSFMyNTYifQ.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRydWU
sImlhdCI6MTY1NTI5NTgxMCwiZXhwIjoxNzU1Mjk5NDEwLCJteSI6eyJuZXN0ZWQiOn
siX2NvdWNoZGIucm9sZXMiOiJteV9uZXN0ZWRfY291Y2hkYl9zdHJpbmcucm9sZXNfM
SwgbXlfbmVzdGVkX2NvdWNoZGJfc3RyaW5nLnJvbGVzXzEifX0sIl9jb3VjaGRiLnJv
bGVzIjoiX2NvdWNoZGJfc3RyaW5nLnJvbGVzXzEsX2NvdWNoZGJfc3RyaW5nLnJvbGV
zXzIiLCJteS5fY291Y2hkYi5yb2xlcyI6Im15Ll9jb3VjaGRiX3N0cmluZy5yb2xlc1
8xLCBteS5fY291Y2hkYl9zdHJpbmcucm9sZXNfMiIsImZvbyI6eyJiYXIuem9uayI6e
yJiYXouYnV1Ijp7ImJhYSI6eyJiYWEuYmVlIjp7InJvbGVzIjoibXlfbmVzdGVkX3N0
cmluZ19yb2xlXzEsIG15X25lc3RlZF9zdHJpbmdfcm9sZV8yIn19fX19fQ.rzaLmcA2
0R291XuGYNNTM9ypGL3UD_GlVp3DmBtWrZI
) |> Enum.join()
resp =
Couch.get("/_session",
headers: [authorization: "Bearer #{token}"]
)
assert resp.body["userCtx"]["name"] == "1234567890"
assert resp.body["userCtx"]["roles"] == roles
assert resp.body["info"]["authenticated"] == "jwt"
end
def test_roles_with_bad_input() do
token = ~w(
eyJ0eXAiOiJKV1QiLCJraWQiOiJteWp3dHRlc3RrZXkiLCJhbGciOiJIUzI1NiJ9.
eyJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiYWRtaW4iOnRyd
WUsImlhdCI6MTY1NTI5NTgxMCwiZXhwIjoxNzU1Mjk5NDEwLCJteSI6eyJuZXN0ZW
QiOnsiX2NvdWNoZGIucm9sZXMiOlsibXlfbmVzdGVkX2NvdWNoZGIucm9sZXNfMSI
sIm15X25lc3RlZF9jb3VjaGRiLnJvbGVzXzEiXX19LCJfY291Y2hkYi5yb2xlcyI6
WyJfY291Y2hkYi5yb2xlc18xIiwiX2NvdWNoZGIucm9sZXNfMiJdLCJteS5fY291Y
2hkYi5yb2xlcyI6WyJteS5fY291Y2hkYi5yb2xlc18xIiwibXkuX2NvdWNoZGIucm
9sZXNfMiJdLCJmb28iOnsiYmFyLnpvbmsiOnsiYmF6LmJ1dSI6eyJiYWEiOnsiYmF
hLmJlZSI6eyJyb2xlcyI6WyJteV9uZXN0ZWRfcm9sZV8xIiwibXlfbmVzdGVkX3Jv
bGVfMiJdfX19fX19.F6kQK-FK0z1kP01bTyw-moXfy2klWfubgF7x7Xitd-0) |> Enum.join()
resp =
Couch.get("/_session",
headers: [authorization: "Bearer #{token}"]
)
assert resp.status_code == 404
end
end