Merge pull request Kong#1325 from Mashape/refactor/jwt

tests(jwt) update to new testing tools
mickylee · Jun 27, 2016 · ae920fd · ae920fd
2 parents 5d74345 + d1b5799
commit ae920fd
Show file tree

Hide file tree

Showing 9 changed files with 842 additions and 600 deletions.
diff --git a/spec/03-plugins/basic-auth/02-api_spec.lua b/spec/03-plugins/basic-auth/02-api_spec.lua
@@ -27,7 +27,7 @@ describe("Plugin: basic-auth (API)", function()
       helpers.dao:truncate_table("basicauth_credentials")
     end)
 
-    describe("#o POST", function()
+    describe("POST", function()
       it("creates a basic-auth credential", function()
         local res = assert(admin_client:send {
           method = "POST",
@@ -85,7 +85,7 @@ describe("Plugin: basic-auth (API)", function()
       end)
     end)
 
-    describe("#o PUT", function()
+    describe("PUT", function()
       it("creates a basic-auth credential", function()
         local res = assert(admin_client:send {
           method = "PUT",
@@ -119,7 +119,7 @@ describe("Plugin: basic-auth (API)", function()
       end)
     end)
 
-    describe("#o GET", function()
+    describe("GET", function()
       setup(function()
         for i = 1, 3 do
           assert(helpers.dao.basicauth_credentials:insert {
@@ -156,7 +156,7 @@ describe("Plugin: basic-auth (API)", function()
         consumer_id = consumer.id
       })
     end)
-    describe("#o GET", function()
+    describe("GET", function()
       it("retrieves basic-auth credential by id", function()
         local res = assert(admin_client:send {
           method = "GET",
@@ -185,7 +185,7 @@ describe("Plugin: basic-auth (API)", function()
       end)
     end)
 
-    describe("#o PATCH", function()
+    describe("PATCH", function()
       it("updates a credential", function()
         local previous_hash = credential.password
 

diff --git a/spec/03-plugins/jwt/01-jwt_parser_spec.lua b/spec/03-plugins/jwt/01-jwt_parser_spec.lua
@@ -0,0 +1,123 @@
+local jwt_parser = require "kong.plugins.jwt.jwt_parser"
+local fixtures = require "spec.03-plugins.jwt.fixtures"
+
+describe("Plugin: jwt (parser)", function()
+  describe("Encoding", function()
+    it("should properly encode using HS256", function()
+      local token = jwt_parser.encode({
+        sub = "1234567890",
+        name = "John Doe",
+        admin = true
+      }, "secret")
+
+      assert.equal([[eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZSw]]
+                 ..[[ibmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMTIzNDU2Nzg5MCJ9.]]
+                 ..[[eNK_fimsCW3Q-meOXyc_dnZHubl2D4eZkIcn6llniCk]], token)
+    end)
+    it("should properly encode using RS256", function()
+      local token = jwt_parser.encode({
+        sub = "1234567890",
+        name = "John Doe",
+        admin = true
+      }, fixtures.rs256_private_key, 'RS256')
+
+      assert.equal([[eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJhZG1pbiI6dHJ1ZSwi]]
+                 ..[[bmFtZSI6IkpvaG4gRG9lIiwic3ViIjoiMTIzNDU2Nzg5MCJ9.EiOLxyMimY8vbLR8]]
+                 ..[[EcGOlXAiEe-eEVn7Aewgu0gYIBPyiEhVTq0CzB_XtHoQ_0y4gBBBZVRnz1pgruOtN]]
+                 ..[[mOzcaoXnyplFm1IbrCCBKYQeA4lanmu_-Wzk6Dw4p-TimRHpf8EEHBUJSEbVEyet3]]
+                 ..[[cpozUo2Ep0dEfA_Nf3T-g8RjfOYXkFTr3M6FuIDq95cFZloH-DRGodUVQX508wggg]]
+                 ..[[tcFKN-Pi7_rWzBtQwP2u4CrFD4ZJbn2sxobzSlFb9fn4nRh_-rPPjDSeHVKwrpsYp]]
+                 ..[[FSLBJxwX-KhbeGUfalg2eu9tHLDPHC4gTCpoQKxxRIwfMjW5zlHOZhohKZV2ZtpcgA]] , token)
+    end)
+  end)
+  describe("Decoding", function()
+    it("throws an error if not given a string", function()
+      assert.has_error(function()
+        jwt_parser:new()
+      end, "JWT must be a string")
+    end)
+    it("refuses invalid typ", function()
+      local token = jwt_parser.encode({sub = "1234"}, "secret", nil, {typ = "foo"})
+      local _, err = jwt_parser:new(token)
+      assert.equal("Invalid typ", err)
+    end)
+    it("refuses invalid alg", function()
+      local token = jwt_parser.encode({sub = "1234"}, "secret", nil, {
+        typ = "JWT",
+        alg = "foo"
+      })
+      local _, err = jwt_parser:new(token)
+      assert.equal("Invalid alg", err)
+    end)
+    it("accepts a valid encoding request", function()
+      local token = jwt_parser.encode({sub = "1234"}, "secret", nil, {
+        typ = "JWT",
+        alg = "RS256"
+      })
+      assert(jwt_parser:new(token))
+    end)
+    it("accepts a valid encoding request with lowercase TYP", function()
+      local token = jwt_parser.encode({sub = "1234"}, "secret", nil, {
+        typ = "jwt",
+        alg = "RS256"
+      })
+      assert(jwt_parser:new(token))
+    end)
+    it("accepts a valid encoding request with missing TYP", function()
+      local token = jwt_parser.encode({sub = "1234"}, "secret", nil, {alg = "RS256"})
+      assert(jwt_parser:new(token))
+    end)
+  end)
+  describe("verify signature", function()
+    it("using HS256", function()
+      local token = jwt_parser.encode({sub = "foo"}, "secret")
+      local jwt = assert(jwt_parser:new(token))
+      assert.True(jwt:verify_signature("secret"))
+      assert.False(jwt:verify_signature("invalid"))
+    end)
+    it("using RS256", function()
+      local token = jwt_parser.encode({sub = "foo"}, fixtures.rs256_private_key, 'RS256')
+      local jwt = assert(jwt_parser:new(token))
+      assert.True(jwt:verify_signature(fixtures.rs256_public_key))
+      assert.False(jwt:verify_signature(fixtures.rs256_public_key:gsub('QAB', 'zzz')))
+    end)
+  end)
+  describe("verify registered claims", function()
+    it("requires claims passed as arguments", function()
+      local token = jwt_parser.encode({sub = "foo"}, "secret")
+      local jwt = assert(jwt_parser:new(token))
+
+      local ok, errors = jwt:verify_registered_claims({"exp", "nbf"})
+      assert.False(ok)
+      assert.same({exp = "must be a number", nbf = "must be a number"}, errors)
+
+      ok, errors = jwt:verify_registered_claims({"nbf"})
+      assert.False(ok)
+      assert.same({nbf = "must be a number"}, errors)
+    end)
+    it("checks the type of given registered claims", function()
+      local token = jwt_parser.encode({exp = "bar", nbf = "foo"}, "secret")
+      local jwt = assert(jwt_parser:new(token))
+
+      local ok, errors = jwt:verify_registered_claims({"exp", "nbf"})
+      assert.False(ok)
+      assert.same({exp = "must be a number", nbf = "must be a number"}, errors)
+    end)
+    it("checks the exp claim", function()
+      local token = jwt_parser.encode({exp = os.time()}, "secret")
+      local jwt = assert(jwt_parser:new(token))
+
+      local ok, errors = jwt:verify_registered_claims({"exp"})
+      assert.False(ok)
+      assert.same({exp = "token expired"}, errors)
+    end)
+    it("checks the nbf claim", function()
+      local token = jwt_parser.encode({nbf = os.time() + 10}, "secret")
+      local jwt = assert(jwt_parser:new(token))
+
+      local ok, errors = jwt:verify_registered_claims({"nbf"})
+      assert.False(ok)
+      assert.same({nbf = "token not valid yet"}, errors)
+    end)
+  end)
+end)
diff --git a/spec/03-plugins/jwt/02-api_spec.lua b/spec/03-plugins/jwt/02-api_spec.lua
@@ -0,0 +1,163 @@
+local helpers = require "spec.helpers"
+local cjson = require "cjson"
+
+local jwt_secrets = helpers.dao.jwt_secrets
+
+describe("Plugin: jwt (API)", function()
+  local admin_client, consumer, jwt_secret
+  setup(function()
+    helpers.dao:truncate_tables()
+    assert(helpers.prepare_prefix())
+    assert(helpers.start_kong())
+    admin_client = assert(helpers.http_client("127.0.0.1", helpers.test_conf.admin_port))
+  end)
+  teardown(function()
+    if admin_client then
+      admin_client:close()
+    end
+    helpers.stop_kong()
+  end)
+
+  describe("/consumers/:consumer/jwt/", function()
+    setup(function()
+      consumer = assert(helpers.dao.consumers:insert {
+        username = "bob"
+      })
+    end)
+
+    describe("POST", function()
+      local jwt1, jwt2
+      teardown(function()
+        if jwt1 == nil then return end
+        jwt_secrets:delete(jwt1)
+        jwt_secrets:delete(jwt2)
+      end)
+
+      it("creates a jwt secret", function()
+        local res = assert(admin_client:send {
+          method = "POST",
+          path = "/consumers/bob/jwt/",
+          body = {},
+          headers = {
+            ["Content-Type"] = "application/json"
+          }
+        })
+        local body = cjson.decode(assert.res_status(201, res))
+        assert.equal(consumer.id, body.consumer_id)
+        jwt1 = body
+      end)
+      it("accepts any given `secret` and `key` parameters", function()
+        local res = assert(admin_client:send {
+          method = "POST",
+          path = "/consumers/bob/jwt/",
+          body = {
+            key = "bob2",
+            secret = "tooshort"
+          },
+          headers = {
+            ["Content-Type"] = "application/json"
+          }
+        })
+        local body = cjson.decode(assert.res_status(201, res))
+        assert.equal("bob2", body.key)
+        assert.equal("tooshort", body.secret)
+        jwt2 = body
+      end)
+    end)
+
+    describe("PUT", function()
+      it("creates and update", function()
+        local res = assert(admin_client:send {
+          method = "POST",
+          path = "/consumers/bob/jwt/",
+          body = {},
+          headers = {
+            ["Content-Type"] = "application/json"
+          }
+        })
+        local body = cjson.decode(assert.res_status(201, res))
+        assert.equal(consumer.id, body.consumer_id)
+
+        -- For GET tests
+        jwt_secret = body
+      end)
+    end)
+
+    describe("GET", function()
+      it("retrieves all", function()
+        local res = assert(admin_client:send {
+          method = "GET",
+          path = "/consumers/bob/jwt/",
+        })
+        local body = cjson.decode(assert.res_status(200, res))
+        assert.equal(1, #(body.data))
+      end)
+    end)
+  end)
+
+  describe("/consumers/:consumer/jwt/:id", function()
+    describe("GET", function()
+      it("retrieves by id", function()
+        local res = assert(admin_client:send {
+          method = "GET",
+          path = "/consumers/bob/jwt/"..jwt_secret.id,
+        })
+        assert.res_status(200, res)
+      end)
+    end)
+
+    describe("PATCH", function()
+      it("updates a credential", function()
+        local res = assert(admin_client:send {
+          method = "PATCH",
+          path = "/consumers/bob/jwt/"..jwt_secret.id,
+          body = {
+            key = "alice",
+            secret = "newsecret"
+          },
+          headers = {
+            ["Content-Type"] = "application/json"
+          }
+        })
+        local body = assert.res_status(200, res)
+        jwt_secret = cjson.decode(body)
+        assert.equal("newsecret", jwt_secret.secret)
+      end)
+    end)
+
+    describe("DELETE", function()
+      it("deletes a credential", function()
+        local res = assert(admin_client:send {
+          method = "DELETE",
+          path = "/consumers/bob/jwt/"..jwt_secret.id,
+          body = {},
+          headers = {
+            ["Content-Type"] = "application/json"
+          }
+        })
+        assert.res_status(204, res)
+      end)
+      it("returns proper errors", function()
+        local res = assert(admin_client:send {
+          method = "DELETE",
+          path = "/consumers/bob/jwt/".."blah",
+          body = {},
+          headers = {
+            ["Content-Type"] = "application/json"
+          }
+        })
+        assert.res_status(400, res)
+
+       local res = assert(admin_client:send {
+          method = "DELETE",
+          path = "/consumers/bob/jwt/".."00000000-0000-0000-0000-000000000000",
+          body = {},
+          headers = {
+            ["Content-Type"] = "application/json"
+          }
+        })
+        assert.res_status(404, res)
+      end)
+    end)
+  end)
+end)