// Copyright (c) 2023 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License.AGPL.txt in the project root for license information.
package jws_test
import (
"testing"
"time"
"github.com/gitpod-io/gitpod/public-api-server/pkg/jws"
"github.com/gitpod-io/gitpod/public-api-server/pkg/jws/jwstest"
"github.com/golang-jwt/jwt/v5"
"github.com/stretchr/testify/require"
)
// TestRSA256SignVerify checks the round trip through a single RSA256
// instance: a token signed via Sign must carry the signing key's ID in its
// header and must verify back to exactly the claims that were signed.
func TestRSA256SignVerify(t *testing.T) {
	keys := jwstest.GenerateKeySet(t)

	signerVerifier, err := jws.NewRSA256(keys)
	require.NoError(t, err)

	want := &jwt.RegisteredClaims{
		Subject:   "user-id",
		Issuer:    "test-issuer",
		ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
		IssuedAt:  jwt.NewNumericDate(time.Now()),
	}
	unsigned := jwt.NewWithClaims(jwt.SigningMethodRS256, want)

	raw, err := signerVerifier.Sign(unsigned)
	require.NoError(t, err)

	// Sign is expected to stamp the signing key's ID into the token header.
	gotKeyID := unsigned.Header[jws.KeyIDName]
	require.Equal(t, keys.Signing.ID, gotKeyID, "signer must add key ID header")

	// Verify parses into a fresh claims value, so equality below reflects
	// what was actually carried in the signed token.
	parsed, err := signerVerifier.Verify(raw, &jwt.RegisteredClaims{})
	require.NoError(t, err)
	require.Equal(t, want, parsed.Claims)
}
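// TestRSA256VerifyWithOlderKey checks key rotation: a token signed with a
// key that is now listed only under the key set's Validating keys must still
// be accepted by Verify on an RSA256 built from the full key set.
func TestRSA256VerifyWithOlderKey(t *testing.T) {
	keyset := jwstest.GenerateKeySet(t)

	// Fail with a readable message instead of an index-out-of-range panic
	// if the generated key set carries no validating keys.
	require.NotEmpty(t, keyset.Validating, "key set must contain at least one validating key")

	// manually sign with older key
	// this simulates a scenario where we issued a token with an older key, which we've since moved into our Validating keys
	validating := keyset.Validating[0]

	// The rotation path is only exercised when the older key is identified
	// differently from the current signing key; otherwise this test would
	// silently duplicate TestRSA256SignVerify.
	require.NotEqual(t, keyset.Signing.ID, validating.ID, "validating key must differ from the signing key")

	claims := &jwt.RegisteredClaims{
		Subject:   "user-id",
		Issuer:    "test-issuer",
		ExpiresAt: jwt.NewNumericDate(time.Now().Add(time.Hour)),
		IssuedAt:  jwt.NewNumericDate(time.Now()),
	}
	token := jwt.NewWithClaims(jwt.SigningMethodRS256, claims)
	// Set the key ID header by hand, since this token bypasses rsa256.Sign.
	token.Header[jws.KeyIDName] = validating.ID

	signed, err := token.SignedString(validating.Private)
	require.NoError(t, err)

	// use our "newer" setup with a new signing key
	rsa256, err := jws.NewRSA256(keyset)
	require.NoError(t, err)

	verified, err := rsa256.Verify(signed, &jwt.RegisteredClaims{})
	require.NoError(t, err)
	require.Equal(t, claims, verified.Claims)
}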