asymmetric keys

This commit is contained in:
2021-01-06 16:06:03 +01:00
parent 1437316519
commit adfeeaa52c
9 changed files with 207 additions and 147 deletions


@ -25,8 +25,8 @@ describe ('authority', () => {
.uninstall ();
});
it ('should create an access token', () => {
const token = auth.sign ('access_token', 60);
it ('should create an access token', async () => {
const token = await auth.sign ('access_token', 60);
jasmine.clock ()
.tick (30000);
const res = auth.verify (token.signature);
@ -44,8 +44,8 @@ describe ('authority', () => {
.toBeUndefined ();
});
it ('should create a refresh token', () => {
const token = auth.sign ('refresh_token', 600);
it ('should create a refresh token', async () => {
const token = await auth.sign ('refresh_token', 600);
jasmine.clock ()
.tick (30000);
const res = auth.verify (token.signature);
@ -63,8 +63,8 @@ describe ('authority', () => {
.toBeUndefined ();
});
it ('should create a part token', () => {
const token = auth.sign ('part_token', 60, { next_module: '2fa' });
it ('should create a part token', async () => {
const token = await auth.sign ('part_token', 60, { next_module: '2fa' });
jasmine.clock ()
.tick (30000);
const res = auth.verify (token.signature);
@ -82,8 +82,8 @@ describe ('authority', () => {
.toBeUndefined ();
});
it ('should reject an invalid access token', () => {
const token = auth.sign ('access_token', 60);
it ('should reject an invalid access token', async () => {
const token = await auth.sign ('access_token', 60);
token.signature = modify_signature (token.signature);
jasmine.clock ()
.tick (30000);
@ -102,8 +102,8 @@ describe ('authority', () => {
.toEqual ('invalid signature');
});
it ('should reject blacklisted access token', () => {
const token = auth.sign ('access_token', 60);
it ('should reject blacklisted access token', async () => {
const token = await auth.sign ('access_token', 60);
jasmine.clock ()
.tick (30000);
bl.add_signature (token.id);
@ -122,8 +122,8 @@ describe ('authority', () => {
.toEqual ('blacklisted');
});
it ('should reject an invalid refresh token', () => {
const token = auth.sign ('refresh_token', 600);
it ('should reject an invalid refresh token', async () => {
const token = await auth.sign ('refresh_token', 600);
token.signature = modify_signature (token.signature);
jasmine.clock ()
.tick (30000);
@ -142,8 +142,8 @@ describe ('authority', () => {
.toEqual ('invalid signature');
});
it ('should reject a blacklisted refresh token', () => {
const token = auth.sign ('refresh_token', 600);
it ('should reject a blacklisted refresh token', async () => {
const token = await auth.sign ('refresh_token', 600);
jasmine.clock ()
.tick (30000);
bl.add_signature (token.id);
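Review bot: None of the converted cases in this spec asserts that `auth.verify` rejects a token whose signature was produced under a key the authority's store does not hold; the negative cases are still only a tampered signature (`modify_signature`) and a blacklisted id, and a wrong-key token is exactly the failure mode a move to asymmetric keys makes worth pinning. A case that signs with a second, independently initialised authority and expects `auth.verify` to report the token as invalid would cover it, and the same gap applies to the gateway spec in this commit. Separately, every case here now runs `async` while `jasmine.clock ()` stays installed, so if `auth.sign` ever awaits timer-driven work the mocked clock will never advance it and the case will hit jasmine's timeout instead of failing clearly; presumably sign only waits on key generation, but that is not visible in these lines. The enclosing `describe ('authority')` starts before the first hunk and ends after the last.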


@ -57,7 +57,7 @@ describe ('gateway', () => {
});
it ('should allow a valid access token', async () => {
const token = authority.sign ('access_token', 60);
const token = await authority.sign ('access_token', 60);
const resp = await get ({ authorization: `Bearer ${token.signature}` });
expect (resp.statusCode)
.toEqual (200);
@ -66,7 +66,7 @@ describe ('gateway', () => {
});
it ('should allow a valid access token using cookies', async () => {
const token = authority.sign ('access_token', 60);
const token = await authority.sign ('access_token', 60);
const resp = await get ({ cookie: `cookie_jar=${token.signature}` });
expect (resp.statusCode)
.toEqual (200);
@ -75,7 +75,7 @@ describe ('gateway', () => {
});
it ('should correctly deliver token data', async () => {
const token = authority.sign ('access_token', 60, { data: 'foobar' });
const token = await authority.sign ('access_token', 60, { data: 'foobar' });
const resp = await get ({ authorization: `Bearer ${token.signature}` });
expect (resp.statusCode)
.toEqual (200);
@ -87,7 +87,7 @@ describe ('gateway', () => {
});
it ('should reject an outdated access token', async () => {
const token = authority.sign ('access_token', 60);
const token = await authority.sign ('access_token', 60);
jasmine.clock ()
.tick (70000);
const resp = await get ({ authorization: `Bearer ${token.signature}` });
@ -98,7 +98,7 @@ describe ('gateway', () => {
});
it ('should reject a blacklisted access token', async () => {
const token = authority.sign ('access_token', 60);
const token = await authority.sign ('access_token', 60);
blacklist.add_signature (token.id);
const resp = await get ({ authorization: `Bearer ${token.signature}` });
expect (resp.statusCode)
@ -108,7 +108,7 @@ describe ('gateway', () => {
});
it ('should reject any refresh_token', async () => {
const token = authority.sign ('refresh_token', 60);
const token = await authority.sign ('refresh_token', 60);
const resp = await get ({ authorization: `Bearer ${token.signature}` });
expect (resp.statusCode)
.toEqual (302);
@ -117,7 +117,7 @@ describe ('gateway', () => {
});
it ('should reject any part_token', async () => {
const token = authority.sign ('part_token', 60);
const token = await authority.sign ('part_token', 60);
const resp = await get ({ authorization: `Bearer ${token.signature}` });
expect (resp.statusCode)
.toEqual (302);
@ -126,7 +126,7 @@ describe ('gateway', () => {
});
it ('should reject any noname token', async () => {
const token = authority.sign ('none', 60);
const token = await authority.sign ('none', 60);
const resp = await get ({ authorization: `Bearer ${token.signature}` });
expect (resp.statusCode)
.toEqual (302);
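Review bot: The rejection cases that gained `await` here still stop at outdated, blacklisted and wrong-type tokens; there is no case for a token whose key lookup fails, even though the key store spec in this commit shows `get_key` throwing 'key could not be found', so these hunks do not establish whether the gateway maps that throw to the 302 the other rejections receive or lets it surface as an unhandled error. A case that presents a token for which no stored key exists and asserts `resp.statusCode` equal to 302 would pin that path. That the gateway selects the verification key from the token's issue time is inferred from the key store spec, not from these lines. The enclosing `describe ('gateway')` starts before the first hunk and ends after the last.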


@ -20,54 +20,66 @@ describe ('key store', () => {
.mockDate (base_date);
});
const keys: {key:string, iat:number}[] = [];
const keys: {key:string, sign:string, iat:number}[] = [];
it ('should generate a new key', () => {
it ('should generate a new key', async () => {
const iat = (new Date)
.getTime () / 1000;
const duration = 10 * frame;
const key = ks.get_key (iat, duration);
const key = await ks.get_sign_key (iat, duration);
const sign = ks.get_key (iat);
expect (typeof key)
.toEqual ('string');
expect (key.length)
.toEqual (64);
keys.push ({ iat, key });
expect (typeof sign)
.toEqual ('string');
keys.push ({ iat, key, sign });
});
it ('should return the generated key', () => {
const key = ks.get_key (keys[0].iat);
it ('should return the generated key', async () => {
const key = await ks.get_sign_key (keys[0].iat, 1);
expect (key)
.toEqual (keys[0].key);
const sign = ks.get_key (keys[0].iat);
expect (sign)
.toEqual (keys[0].sign);
});
it ('should return the same key on a different time', () => {
const key = ks.get_key (keys[0].iat + (frame / 2));
it ('should return the same key on a different time', async () => {
const key = await ks.get_sign_key (keys[0].iat + (frame / 2), 1);
expect (key)
.toEqual (keys[0].key);
const sign = ks.get_key (keys[0].iat + (frame / 2));
expect (sign)
.toEqual (keys[0].sign);
});
it ('should generate a new key after time frame is over', () => {
it ('should generate a new key after time frame is over', async () => {
jasmine.clock ()
.tick (frame * 1000);
const iat = (new Date)
.getTime () / 1000;
const duration = 10 * frame;
const key = ks.get_key (iat, duration);
const key = await ks.get_sign_key (iat, duration);
const sign = ks.get_key (iat);
expect (typeof key)
.toEqual ('string');
expect (key.length)
.toEqual (64);
expect (key).not.toEqual (keys[0].key);
keys.push ({ iat, key });
expect (sign).not.toEqual (keys[0].sign);
keys.push ({ iat, key, sign });
});
it ('should return both keys', () => {
const key = ks.get_key (keys[0].iat);
expect (key)
.toEqual (keys[0].key);
const k2 = ks.get_key (keys[1].iat);
it ('should return both keys, but not the first sign key', async () => {
const sign = ks.get_key (keys[0].iat);
expect (sign)
.toEqual (keys[0].sign);
await expectAsync (ks.get_sign_key (keys[0].iat, 1))
.toBeRejectedWithError ('cannot access already expired keys');
const k2 = await ks.get_sign_key (keys[1].iat, 1);
const s2 = ks.get_key (keys[1].iat);
expect (k2)
.toEqual (keys[1].key);
expect (s2)
.toEqual (keys[1].sign);
});
it ('should throw on non existing key', () => {
@ -82,21 +94,26 @@ describe ('key store', () => {
.toThrowError ('key could not be found');
});
it ('should still retrieve the second key', () => {
const key = ks.get_key (keys[1].iat);
expect (key)
.toEqual (keys[1].key);
});
it (
'should still retrieve the second key, but not its sign key',
async () => {
await expectAsync (ks.get_sign_key (keys[1].iat, 1))
.toBeRejectedWithError ('cannot access already expired keys');
const sign = ks.get_key (keys[1].iat);
expect (sign)
.toEqual (keys[1].sign);
}
);
it ('should reject key generation of expired keys', () => {
it ('should reject key generation of expired keys', async () => {
const iat = ((new Date)
.getTime () / 1000) - 2;
const duration = 5;
expect (() => ks.get_key (iat, duration))
.toThrowError ('cannot create already expired keys');
await expectAsync (ks.get_sign_key (iat, duration))
.toBeRejectedWithError ('cannot access already expired keys');
});
it ('key should live as long as the longest created token', () => {
it ('key should live as long as the longest created token', async () => {
const base = new Date;
base.setSeconds (2, 0);
jasmine.clock ()
@ -108,21 +125,22 @@ describe ('key store', () => {
const duration1 = frame;
const duration2 = frame * 10;
const key1 = ks.get_key (iat, duration1);
const key1 = await ks.get_sign_key (iat, duration1);
const step = 0.9 * frame;
jasmine.clock ()
.tick (step * 1000);
const key2 = ks.get_key (iat + step, duration2);
const key2 = await ks.get_sign_key (iat + step, duration2);
const sign = ks.get_key (iat);
expect (key1)
.toEqual (key2);
jasmine.clock ()
.tick (5000 * frame);
const keyv = ks.get_key (iat + step);
expect (keyv)
.toEqual (key1);
const signv = ks.get_key (iat + step);
expect (signv)
.toEqual (sign);
});
// required use case: insert keys for verification of old tokens
// TODO: required use case: insert keys for verification of old tokens
afterAll (() => {
jasmine.clock ()