add tests for publicKey

felixheck · felixheck · commit 0e07b7ec80db · 2017-08-04T09:25:52.000+02:00
diff --git a/README.md b/README.md
@@ -108,16 +108,34 @@ server.route([
 ## API
 #### Plugin Options
 
-- `client {Object}` — The configuration of [`keycloak-auth-utils`][keycloak-auth-utils] its [`GrantManager`][keycloak-auth-utils-gm]. The configuration requires at least:
-  - `realmUrl {string}`: The absolute uri of the Keycloak realm<br/>
-  Example: `https://localhost:8080/auth/realms/testme`
-  - `clientId {string}` The identifier of the Keycloak client<br/>
-  Example: `foobar`
-  - `secret {string}` The related secret of the Keycloak client<br/>
-  Example: `1234-bar-4321-foo`
+- `realmUrl {string}`: The absolute uri of the Keycloak realm<br/>
+Required. Example: `https://localhost:8080/auth/realms/testme`<br/>
+
+- `clientId {string}` The identifier of the Keycloak client<br/>
+Required. Example: `foobar`<br/>
+
+
+- `secret {string}` The related secret of the Keycloak client<br/>
+Required (or `publicKey`). Example: `1234-bar-4321-foo`<br/>
+
   
-  Furthermore it may be necessary to reduce `minTimeBetweenJwksRequests`.<br/>
-  Required.
+- `publicKey {string}` The related public key of the Keycloak client<br/>
+Required (or `secret`). Example:
+```
+-----BEGIN RSA PUBLIC KEY-----
+MIICCgKCAgEAur96MoQa/blg5eJFqmN//V4oQjKaBJl6KEvWSGAVgRm2PsnFKzCJ
+K9aJrUjETS473/x6fAHXyF5QKun6avNxpWs2VzwlO4t8Bi2EpSW2w0led2OzR/MF
+CYUX1Bg00OXLmdh0kvemABHXSOL4Zs4nN95rr77JsdG6ntylWmtnZlofySwLjFrX
+B2JFpunl4n7eF7y8vD4Zyycvi+xl+OuMA6qomLQmfIDF0qJh0QMt/xh6CB4ooK5a
+Fy6VHORU5gS6MoSgJ78ZPhqmKayRd6U0rhDOq7bWiVykktTPdB1X/YlMbQHonyqZ
+0z2sh7e7olroUdE1FsDi0SdxV2Zzvff8IIPSGT74gQuaU4buoVUpMjSdXDfJw9m4
+i/mhsZwX1/MUU8Oq1AsBHdgTkNVaVwFc6Z7AqJSGW/mxMKQqspOr+/BAM8pnw5BC
+R/RnZBJfMjAYiSh6rVYuEWUBBLgZWIRNAMyRwS8OtWxADfOBtVwn8fmw8schro9X
+D17VcqTdjlS1Mkr73ZoD1GagWZvuSOaz2P0PhnfapRUF1KkbjjnbyzLpfT8Mgovv
+xBQJDIcRYL5oetXu//V5rNAr0na4zMBkPOi3ArpFp+Z4YKulYmSEG//216rLmzjl
+WKEkH1OK39jddDrMTidlxDKY+THheyQBPZ6pFfbKEM5281glYjkeQpECAwEAAQ==
+-----END RSA PUBLIC KEY-----
+```
 
 - `cache {Object|false}` — The configuration of the [hapi.js cache](https://hapijs.com/api#servercacheoptions) powered by [catbox][catbox].<br/>
 If `false` the cache is disabled. Use an empty object (`{}`) to use the built-in default cache.<br/>
@@ -127,8 +145,6 @@ Optional. Default: `false`.
 Optional. Default: `[]`.<br/>
 
 #### `server.kjwt.validate(field {string}, done {Function})`
-Uses internally [`GrantManager.prototype.validateAccessToken()`][keycloak-auth-utils-gm-validate].
-
 - `field {string}` — The `Bearer` field, including the scheme (`bearer`) itself.<br/>
 Example: `bearer 12345.abcde.67890`.<br/>
 Required.
@@ -227,7 +243,3 @@ For further information read the [contributing guideline](CONTRIBUTING.md).
 [catbox]: https://github.com/hapijs/catbox
 [bearer]: https://tools.ietf.org/html/rfc6750
 [hapi-route-options]: https://hapijs.com/api#route-options
-[keycloak-auth-utils]: http://www.keycloak.org/keycloak-nodejs-auth-utils/
-[keycloak-auth-utils-gm]: http://www.keycloak.org/keycloak-nodejs-auth-utils/grant-manager.js.html
-[keycloak-auth-utils-gm-obtain]: http://www.keycloak.org/keycloak-nodejs-auth-utils/grant-manager.js.html#obtainDirectly
-[keycloak-auth-utils-gm-validate]: http://www.keycloak.org/keycloak-nodejs-auth-utils/grant-manager.js.html#validateAccessToken
diff --git a/src/index.js b/src/index.js
@@ -25,7 +25,10 @@ let options
  * @returns {Promise} The error-handled promise
  */
 function validateOffline (token) {
-  const { publicKey, verifyOpts = {} } = options
+  const {
+    publicKey,
+    verifyOpts = { algorithms: ['RS256', 'RS384', 'RS512'] }
+  } = options
 
   return new Promise((resolve, reject) => {
     jwt.verify(token, publicKey, verifyOpts, (err, decoded) => {
diff --git a/test.js b/test.js
@@ -0,0 +1,10 @@
+const fs = require('fs')
+const jwt = require('jsonwebtoken')
+const fixtures = require('./test/fixtures')
+
+const priv = fs.readFileSync('./test/fixtures/private.pem')
+
+const dd = jwt.sign(fixtures.content.userData, priv, {
+  algorithm: 'RS256'
+})
+console.log(dd)
diff --git a/test/fixtures/index.js b/test/fixtures/index.js
@@ -1,3 +1,6 @@
+const fs = require('fs')
+const jsonwebtoken = require('jsonwebtoken')
+
 const token = 'abc.def.ghi'
 const baseUrl = 'http://localhost:8080'
 const realmPath = '/auth/realms/testme'
@@ -45,46 +48,53 @@ const common = Object.assign({}, clientConfig, {
   introspectPath
 })
 
+const contentBase = {
+  'sub': '1234567890',
+  'name': 'John Doe',
+  'email': 'john.doe@mail.com',
+  'admin': true,
+  'active': true,
+  'realm_access': {
+    'roles': [
+      'admin'
+    ]
+  },
+  'resource_access': {
+    'account': {
+      'roles': [
+        'manage-account',
+        'manage-account-links',
+        'view-profile'
+      ]
+    },
+    'same': {
+      'roles': [
+        'editor'
+      ]
+    },
+    'other-app': {
+      'roles': [
+        'other-app:creator'
+      ]
+    }
+  }
+}
+
 /**
  * @type Object
  * @public
  *
  * Content Parts of JWTs
  */
 const content = {
-  userData: {
+  userData: Object.assign({
     'exp': 5,
-    'iat': 1,
-    'sub': '1234567890',
-    'name': 'John Doe',
-    'email': 'john.doe@mail.com',
-    'admin': true,
-    'active': true,
-    'realm_access': {
-      'roles': [
-        'admin'
-      ]
-    },
-    'resource_access': {
-      'account': {
-        'roles': [
-          'manage-account',
-          'manage-account-links',
-          'view-profile'
-        ]
-      },
-      'same': {
-        'roles': [
-          'editor'
-        ]
-      },
-      'other-app': {
-        'roles': [
-          'other-app:creator'
-        ]
-      }
-    }
-  }
+    'iat': 1
+  }, contentBase),
+  userDataNoExp: Object.assign({
+    'exp': (Date.now() / 1000) + 60 * 60,
+    'iat': (Date.now() / 1000) + 60 * 15
+  }, contentBase)
 }
 
 /**
@@ -96,7 +106,11 @@ const content = {
 const jwt = {
   userData: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjUsImFjdGl2ZSI6dHJ1ZSwiaWF0IjoxLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBtYWlsLmNvbSIsImFkbWluIjp0cnVlLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX0sInNhbWUiOnsicm9sZXMiOlsiZWRpdG9yIl19LCJvdGhlci1hcHAiOnsicm9sZXMiOlsib3RoZXItYXBwOmNyZWF0b3IiXX19fQ.rjQkSo132lPSVUEsuz42oB5u_lW9zCBpvnOyngDYa_0',
   userDataExp: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY3RpdmUiOnRydWUsInN1YiI6IjEyMzQ1Njc4OTAiLCJuYW1lIjoiSm9obiBEb2UiLCJlbWFpbCI6ImpvaG4uZG9lQG1haWwuY29tIiwiYWRtaW4iOnRydWUsInJlYWxtX2FjY2VzcyI6eyJyb2xlcyI6WyJhZG1pbiJdfSwicmVzb3VyY2VfYWNjZXNzIjp7ImFjY291bnQiOnsicm9sZXMiOlsibWFuYWdlLWFjY291bnQiLCJtYW5hZ2UtYWNjb3VudC1saW5rcyIsInZpZXctcHJvZmlsZSJdfSwic2FtZSI6eyJyb2xlcyI6WyJlZGl0b3IiXX0sIm90aGVyLWFwcCI6eyJyb2xlcyI6WyJvdGhlci1hcHA6Y3JlYXRvciJdfX19.0_g0X4cOpOEJ37qwRQzBpouQDn2aEyg0-0jnnWECCsk',
-  userDataScope: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY3RpdmUiOnRydWUsImV4cCI6NSwiaWF0IjoxLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBtYWlsLmNvbSIsImFkbWluIjp0cnVlfQ.V7lYgZKjnDJcPtUnIBHA9f-8bn8XXB6uH8bXElH-aOU'
+  userDataScope: 'eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJhY3RpdmUiOnRydWUsImV4cCI6NSwiaWF0IjoxLCJzdWIiOiIxMjM0NTY3ODkwIiwibmFtZSI6IkpvaG4gRG9lIiwiZW1haWwiOiJqb2huLmRvZUBtYWlsLmNvbSIsImFkbWluIjp0cnVlfQ.V7lYgZKjnDJcPtUnIBHA9f-8bn8XXB6uH8bXElH-aOU',
+  userDataPublicKey: () => jsonwebtoken.sign(content.userDataNoExp, fs.readFileSync('./test/fixtures/private.pem'), {
+    algorithm: 'RS256'
+  }),
+  userDataPublicKeyExp: 'eyJhbGciOiJSUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjUsImlhdCI6MSwic3ViIjoiMTIzNDU2Nzg5MCIsIm5hbWUiOiJKb2huIERvZSIsImVtYWlsIjoiam9obi5kb2VAbWFpbC5jb20iLCJhZG1pbiI6dHJ1ZSwiYWN0aXZlIjp0cnVlLCJyZWFsbV9hY2Nlc3MiOnsicm9sZXMiOlsiYWRtaW4iXX0sInJlc291cmNlX2FjY2VzcyI6eyJhY2NvdW50Ijp7InJvbGVzIjpbIm1hbmFnZS1hY2NvdW50IiwibWFuYWdlLWFjY291bnQtbGlua3MiLCJ2aWV3LXByb2ZpbGUiXX0sInNhbWUiOnsicm9sZXMiOlsiZWRpdG9yIl19LCJvdGhlci1hcHAiOnsicm9sZXMiOlsib3RoZXItYXBwOmNyZWF0b3IiXX19fQ.IgNqnLBKCox3b6KLewV5U_CLfQ79upmT-xkz5XreQ1Jdv1HcAuWcDYeraFnHU29aeU-JJGa7k3VvdbVSwSbFPkkMvjg_lLnqUUcHtuoPqisdbyty-4VRfZp18JnbAUnxlY4R7d-ZEQKPiXp-WBkHOPo5c8FrqATJ7HI7-MkrrKLBgOCmAFrVXto2lp7xmQOnoTy-31Suoj-0hOaIuP2jDRuIwGGigIgtCxxriE0Lzpt2R_wlEfq-0kmMZrgq9F91x-rB6Vg0nbhdtcv4c61nETHdRSqSIuAQzi9lm1mq9Kg67qU7tzaC3pPLkZRd6hMX6fwittVhm9G9SrXLX4rN6QoArEvglfuNX9sIYgEFoD9vqCx1rRCiyx1m55IGgFRLSn_pjOfTBx5Gb5GPlDcCdsNjW0BXLMSzhuPXDsslFFcBHzSYdOFz6hKEU1CVDYjxalq7wDPzMyCORDSSrgZJn_-oirDFaOe3H3ioZzH2x_lfXfbgga7lc5hkU0ZYZfq-1PUrEuqKKFWtDyPhzwcbX-uCno4HiJOuBlRsnJJFnWI0-GNASHUQD-eO4c9a0c2azG7dhH9lnhsHyA_ptLlIqeoPebkl_E88GXmjbHs3qa6anw1ZWn6sEXdlHAZ1ARt8Gc6r_2oOU8VOusgOnnMQdLYHONfbS0sKFNV65uvd01M'
 }
 
 module.exports = {
diff --git a/test/publicKey.spec.js b/test/publicKey.spec.js
@@ -0,0 +1,118 @@
+const test = require('ava')
+const helpers = require('./_helpers')
+const fixtures = require('./fixtures')
+const cache = require('../src/cache')
+
+test.afterEach('reset instances and prototypes', () => {
+  cache.reset()
+})
+
+const publicKeyConfig = {
+  realmUrl: fixtures.common.realmUrl,
+  clientId: fixtures.common.clientId,
+  publicKey: fixtures.common.publicKey
+}
+
+test.cb.serial('authentication does succeed', (t) => {
+  helpers.getServer(publicKeyConfig, (server) => {
+    server.inject({
+      method: 'GET',
+      url: '/',
+      headers: {
+        authorization: `bearer ${fixtures.jwt.userDataPublicKey()}`
+      }
+    }, (res) => {
+      t.truthy(res)
+      t.is(res.statusCode, 200)
+      t.end()
+    })
+  })
+})
+
+test.cb.serial('authentication does succeed – cached', (t) => {
+  const mockReq = {
+    method: 'GET',
+    url: '/',
+    headers: {
+      authorization: `bearer ${fixtures.jwt.userDataPublicKey()}`
+    }
+  }
+
+  helpers.getServer(Object.assign({
+    cache: true
+  }, publicKeyConfig), (server) => {
+    server.inject(mockReq, () => {
+      server.inject(mockReq, (res) => {
+        t.truthy(res)
+        t.is(res.statusCode, 200)
+        t.end()
+      })
+    })
+  })
+})
+
+test.cb.serial('authentication does success – valid roles', (t) => {
+  helpers.getServer(publicKeyConfig, (server) => {
+    server.inject({
+      method: 'GET',
+      url: '/role',
+      headers: {
+        authorization: `bearer ${fixtures.jwt.userDataPublicKey()}`
+      }
+    }, (res) => {
+      t.truthy(res)
+      t.is(res.statusCode, 200)
+      t.end()
+    })
+  })
+})
+
+test.cb.serial('authentication does fail – invalid roles', (t) => {
+  helpers.getServer(publicKeyConfig, (server) => {
+    server.inject({
+      method: 'GET',
+      url: '/role/guest',
+      headers: {
+        authorization: `bearer ${fixtures.jwt.userDataPublicKey()}`
+      }
+    }, (res) => {
+      t.truthy(res)
+      t.is(res.statusCode, 403)
+      t.end()
+    })
+  })
+})
+
+test.cb.serial('authentication does fail – expired token', (t) => {
+  helpers.getServer(publicKeyConfig, (server) => {
+    server.inject({
+      method: 'GET',
+      url: '/',
+      headers: {
+        authorization: `bearer ${fixtures.jwt.userDataPublicKeyExp}`
+      }
+    }, (res) => {
+      t.truthy(res)
+      t.is(res.statusCode, 401)
+      t.is(res.headers['www-authenticate'], 'Bearer error="jwt expired"')
+      t.end()
+    })
+  })
+})
+
+test.cb.serial('authentication does fail – invalid header', (t) => {
+  helpers.getServer(publicKeyConfig, (server) => {
+    server.inject({
+      method: 'GET',
+      url: '/',
+      headers: {
+        authorization: fixtures.common.token
+      }
+    }, (res) => {
+      t.truthy(res)
+      t.is(res.statusCode, 401)
+      t.is(res.headers['www-authenticate'], 'Bearer error="Missing or invalid authorization header"')
+      t.end()
+    })
+  })
+})
diff --git a/test/secret.spec.js b/test/secret.spec.js
