1 /*
2 *
3 * Copyright 2015 gRPC authors.
4 *
5 * Licensed under the Apache License, Version 2.0 (the "License");
6 * you may not use this file except in compliance with the License.
7 * You may obtain a copy of the License at
8 *
9 * http://www.apache.org/licenses/LICENSE-2.0
10 *
11 * Unless required by applicable law or agreed to in writing, software
12 * distributed under the License is distributed on an "AS IS" BASIS,
13 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
14 * See the License for the specific language governing permissions and
15 * limitations under the License.
16 *
17 */
18
19 #include "src/core/lib/security/credentials/jwt/jwt_verifier.h"
20
21 #include <string.h>
22
23 #include <grpc/grpc.h>
24
25 #include <grpc/slice.h>
26 #include <grpc/support/alloc.h>
27 #include <grpc/support/log.h>
28 #include <grpc/support/string_util.h>
29
30 #include "src/core/lib/http/httpcli.h"
31 #include "src/core/lib/security/credentials/jwt/json_token.h"
32 #include "src/core/lib/slice/b64.h"
33 #include "test/core/util/test_config.h"
34
35 using grpc_core::Json;
36
37 /* This JSON key was generated with the GCE console and revoked immediately.
38 The identifiers have been changed as well.
39 Maximum size for a string literal is 509 chars in C89, yay! */
40 static const char json_key_str_part1[] =
41 "{ \"private_key\": \"-----BEGIN PRIVATE KEY-----"
42 "\\nMIICeAIBADANBgkqhkiG9w0BAQEFAASCAmIwggJeAgEAAoGBAOEvJsnoHnyHkXcp\\n7mJE"
43 "qg"
44 "WGjiw71NfXByguekSKho65FxaGbsnSM9SMQAqVk7Q2rG+I0OpsT0LrWQtZ\\nyjSeg/"
45 "rWBQvS4hle4LfijkP3J5BG+"
46 "IXDMP8RfziNRQsenAXDNPkY4kJCvKux2xdD\\nOnVF6N7dL3nTYZg+"
47 "uQrNsMTz9UxVAgMBAAECgYEAzbLewe1xe9vy+2GoSsfib+28\\nDZgSE6Bu/"
48 "zuFoPrRc6qL9p2SsnV7txrunTyJkkOnPLND9ABAXybRTlcVKP/sGgza\\n/"
49 "8HpCqFYM9V8f34SBWfD4fRFT+n/"
50 "73cfRUtGXdXpseva2lh8RilIQfPhNZAncenU\\ngqXjDvpkypEusgXAykECQQD+";
51 static const char json_key_str_part2[] =
52 "53XxNVnxBHsYb+AYEfklR96yVi8HywjVHP34+OQZ\\nCslxoHQM8s+"
53 "dBnjfScLu22JqkPv04xyxmt0QAKm9+vTdAkEA4ib7YvEAn2jXzcCI\\nEkoy2L/"
54 "XydR1GCHoacdfdAwiL2npOdnbvi4ZmdYRPY1LSTO058tQHKVXV7NLeCa3\\nAARh2QJBAMKeDA"
55 "G"
56 "W303SQv2cZTdbeaLKJbB5drz3eo3j7dDKjrTD9JupixFbzcGw\\n8FZi5c8idxiwC36kbAL6Hz"
57 "A"
58 "ZoX+ofI0CQE6KCzPJTtYNqyShgKAZdJ8hwOcvCZtf\\n6z8RJm0+"
59 "6YBd38lfh5j8mZd7aHFf6I17j5AQY7oPEc47TjJj/"
60 "5nZ68ECQQDvYuI3\\nLyK5fS8g0SYbmPOL9TlcHDOqwG0mrX9qpg5DC2fniXNSrrZ64GTDKdzZ"
61 "Y"
62 "Ap6LI9W\\nIqv4vr6y38N79TTC\\n-----END PRIVATE KEY-----\\n\", ";
63 static const char json_key_str_part3_for_google_email_issuer[] =
64 "\"private_key_id\": \"e6b5137873db8d2ef81e06a47289e6434ec8a165\", "
65 "\"client_email\": "
66 "\"777-abaslkan11hlb6nmim3bpspl31ud@developer.gserviceaccount."
67 "com\", \"client_id\": "
68 "\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
69 "com\", \"type\": \"service_account\" }";
70 /* Trick our JWT library into issuing a JWT with iss=accounts.google.com. */
71 static const char json_key_str_part3_for_url_issuer[] =
72 "\"private_key_id\": \"e6b5137873db8d2ef81e06a47289e6434ec8a165\", "
73 "\"client_email\": \"accounts.google.com\", "
74 "\"client_id\": "
75 "\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
76 "com\", \"type\": \"service_account\" }";
77 static const char json_key_str_part3_for_custom_email_issuer[] =
78 "\"private_key_id\": \"e6b5137873db8d2ef81e06a47289e6434ec8a165\", "
79 "\"client_email\": "
80 "\"foo@bar.com\", \"client_id\": "
81 "\"777-abaslkan11hlb6nmim3bpspl31ud.apps.googleusercontent."
82 "com\", \"type\": \"service_account\" }";
83
84 static grpc_jwt_verifier_email_domain_key_url_mapping custom_mapping = {
85 "bar.com", "keys.bar.com/jwk"};
86
87 static const char expected_user_data[] = "user data";
88
89 static const char good_jwk_set[] =
90 "{"
91 " \"keys\": ["
92 " {"
93 " \"kty\": \"RSA\","
94 " \"alg\": \"RS256\","
95 " \"use\": \"sig\","
96 " \"kid\": \"e6b5137873db8d2ef81e06a47289e6434ec8a165\","
97 " \"n\": "
98 "\"4S8myegefIeRdynuYkSqBYaOLDvU19cHKC56RIqGjrkXFoZuydIz1IxACpWTtDasb4jQ6mxP"
99 "QutZC1nKNJ6D-tYFC9LiGV7gt-KOQ_cnkEb4hcMw_xF_OI1FCx6cBcM0-"
100 "RjiQkK8q7HbF0M6dUXo3t0vedNhmD65Cs2wxPP1TFU=\","
101 " \"e\": \"AQAB\""
102 " }"
103 " ]"
104 "}";
105
106 static gpr_timespec expected_lifetime = {3600, 0, GPR_TIMESPAN};
107
108 static const char good_google_email_keys_part1[] =
109 "{\"e6b5137873db8d2ef81e06a47289e6434ec8a165\": \"-----BEGIN "
110 "CERTIFICATE-----"
111 "\\nMIICATCCAWoCCQDEywLhxvHjnDANBgkqhkiG9w0BAQsFADBFMQswCQYDVQQGEwJB\\nVTET"
112 "MBEGA1UECAwKU29tZS1TdGF0ZTEhMB8GA1UECgwYSW50ZXJuZXQgV2lkZ2l0\\ncyBQdHkgTHR"
113 "kMB4XDTE1MDYyOTA4Mzk1MFoXDTI1MDYyNjA4Mzk1MFowRTELMAkG\\nA1UEBhMCQVUxEzARBg"
114 "NVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGEludGVybmV0\\nIFdpZGdpdHMgUHR5IEx0ZDCBn"
115 "zANBgkqhkiG9w0BAQEFAAOBjQAwgYkCgYEA4S8m\\nyegefIeRdynuYkSqBYaOLDvU19cHKC56"
116 "RIqGjrkXFoZuydIz1IxACpWTtDasb4jQ\\n6mxPQutZC1nKNJ6D+tYFC9LiGV7gt+KOQ/";
117
118 static const char good_google_email_keys_part2[] =
119 "cnkEb4hcMw/xF/OI1FCx6cBcM0+"
120 "Rji\\nQkK8q7HbF0M6dUXo3t0vedNhmD65Cs2wxPP1TFUCAwEAATANBgkqhkiG9w0BAQsF\\nA"
121 "AOBgQBfu69FkPmBknbKNFgurPz78kbs3VNN+k/"
122 "PUgO5DHKskJmgK2TbtvX2VMpx\\nkftmHGzgzMzUlOtigCaGMgHWjfqjpP9uuDbahXrZBJzB8c"
123 "Oq7MrQF8r17qVvo3Ue\\nPjTKQMAsU8uxTEMmeuz9L6yExs0rfd6bPOrQkAoVfFfiYB3/"
124 "pA==\\n-----END CERTIFICATE-----\\n\"}";
125
126 static const char expected_audience[] = "https://foo.com";
127
128 static const char good_openid_config[] =
129 "{"
130 " \"issuer\": \"https://accounts.google.com\","
131 " \"authorization_endpoint\": "
132 "\"https://accounts.google.com/o/oauth2/v2/auth\","
133 " \"token_endpoint\": \"https://oauth2.googleapis.com/token\","
134 " \"userinfo_endpoint\": \"https://www.googleapis.com/oauth2/v3/userinfo\","
135 " \"revocation_endpoint\": \"https://oauth2.googleapis.com/revoke\","
136 " \"jwks_uri\": \"https://www.googleapis.com/oauth2/v3/certs\""
137 "}";
138
139 static const char expired_claims[] =
140 "{ \"aud\": \"https://foo.com\","
141 " \"iss\": \"blah.foo.com\","
142 " \"sub\": \"juju@blah.foo.com\","
143 " \"jti\": \"jwtuniqueid\","
144 " \"iat\": 100," /* Way back in the past... */
145 " \"exp\": 120,"
146 " \"nbf\": 60,"
147 " \"foo\": \"bar\"}";
148
149 static const char claims_without_time_constraint[] =
150 "{ \"aud\": \"https://foo.com\","
151 " \"iss\": \"blah.foo.com\","
152 " \"sub\": \"juju@blah.foo.com\","
153 " \"jti\": \"jwtuniqueid\","
154 " \"foo\": \"bar\"}";
155
156 static const char claims_with_bad_subject[] =
157 "{ \"aud\": \"https://foo.com\","
158 " \"iss\": \"evil@blah.foo.com\","
159 " \"sub\": \"juju@blah.foo.com\","
160 " \"jti\": \"jwtuniqueid\","
161 " \"foo\": \"bar\"}";
162
163 static const char invalid_claims[] =
164 "{ \"aud\": \"https://foo.com\","
165 " \"iss\": 46," /* Issuer cannot be a number. */
166 " \"sub\": \"juju@blah.foo.com\","
167 " \"jti\": \"jwtuniqueid\","
168 " \"foo\": \"bar\"}";
169
170 typedef struct {
171 grpc_jwt_verifier_status expected_status;
172 const char* expected_issuer;
173 const char* expected_subject;
174 } verifier_test_config;
175
test_jwt_issuer_email_domain(void)176 static void test_jwt_issuer_email_domain(void) {
177 const char* d = grpc_jwt_issuer_email_domain("https://foo.com");
178 GPR_ASSERT(d == nullptr);
179 d = grpc_jwt_issuer_email_domain("foo.com");
180 GPR_ASSERT(d == nullptr);
181 d = grpc_jwt_issuer_email_domain("");
182 GPR_ASSERT(d == nullptr);
183 d = grpc_jwt_issuer_email_domain("@");
184 GPR_ASSERT(d == nullptr);
185 d = grpc_jwt_issuer_email_domain("bar@foo");
186 GPR_ASSERT(strcmp(d, "foo") == 0);
187 d = grpc_jwt_issuer_email_domain("bar@foo.com");
188 GPR_ASSERT(strcmp(d, "foo.com") == 0);
189 d = grpc_jwt_issuer_email_domain("bar@blah.foo.com");
190 GPR_ASSERT(strcmp(d, "foo.com") == 0);
191 d = grpc_jwt_issuer_email_domain("bar.blah@blah.foo.com");
192 GPR_ASSERT(strcmp(d, "foo.com") == 0);
193 d = grpc_jwt_issuer_email_domain("bar.blah@baz.blah.foo.com");
194 GPR_ASSERT(strcmp(d, "foo.com") == 0);
195
196 /* This is not a very good parser but make sure we do not crash on these weird
197 inputs. */
198 d = grpc_jwt_issuer_email_domain("@foo");
199 GPR_ASSERT(strcmp(d, "foo") == 0);
200 d = grpc_jwt_issuer_email_domain("bar@.");
201 GPR_ASSERT(d != nullptr);
202 d = grpc_jwt_issuer_email_domain("bar@..");
203 GPR_ASSERT(d != nullptr);
204 d = grpc_jwt_issuer_email_domain("bar@...");
205 GPR_ASSERT(d != nullptr);
206 }
207
test_claims_success(void)208 static void test_claims_success(void) {
209 grpc_jwt_claims* claims;
210 grpc_error* error = GRPC_ERROR_NONE;
211 Json json = Json::Parse(claims_without_time_constraint, &error);
212 if (error != GRPC_ERROR_NONE) {
213 gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
214 }
215 GPR_ASSERT(error == GRPC_ERROR_NONE);
216 GPR_ASSERT(json.type() == Json::Type::OBJECT);
217 grpc_core::ExecCtx exec_ctx;
218 claims = grpc_jwt_claims_from_json(json);
219 GPR_ASSERT(claims != nullptr);
220 GPR_ASSERT(*grpc_jwt_claims_json(claims) == json);
221 GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0);
222 GPR_ASSERT(strcmp(grpc_jwt_claims_issuer(claims), "blah.foo.com") == 0);
223 GPR_ASSERT(strcmp(grpc_jwt_claims_subject(claims), "juju@blah.foo.com") == 0);
224 GPR_ASSERT(strcmp(grpc_jwt_claims_id(claims), "jwtuniqueid") == 0);
225 GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") ==
226 GRPC_JWT_VERIFIER_OK);
227 grpc_jwt_claims_destroy(claims);
228 }
229
test_expired_claims_failure(void)230 static void test_expired_claims_failure(void) {
231 grpc_jwt_claims* claims;
232 grpc_error* error = GRPC_ERROR_NONE;
233 Json json = Json::Parse(expired_claims, &error);
234 if (error != GRPC_ERROR_NONE) {
235 gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
236 }
237 GPR_ASSERT(error == GRPC_ERROR_NONE);
238 GPR_ASSERT(json.type() == Json::Type::OBJECT);
239 gpr_timespec exp_iat = {100, 0, GPR_CLOCK_REALTIME};
240 gpr_timespec exp_exp = {120, 0, GPR_CLOCK_REALTIME};
241 gpr_timespec exp_nbf = {60, 0, GPR_CLOCK_REALTIME};
242 grpc_core::ExecCtx exec_ctx;
243 claims = grpc_jwt_claims_from_json(json);
244 GPR_ASSERT(claims != nullptr);
245 GPR_ASSERT(*grpc_jwt_claims_json(claims) == json);
246 GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), "https://foo.com") == 0);
247 GPR_ASSERT(strcmp(grpc_jwt_claims_issuer(claims), "blah.foo.com") == 0);
248 GPR_ASSERT(strcmp(grpc_jwt_claims_subject(claims), "juju@blah.foo.com") == 0);
249 GPR_ASSERT(strcmp(grpc_jwt_claims_id(claims), "jwtuniqueid") == 0);
250 GPR_ASSERT(gpr_time_cmp(grpc_jwt_claims_issued_at(claims), exp_iat) == 0);
251 GPR_ASSERT(gpr_time_cmp(grpc_jwt_claims_expires_at(claims), exp_exp) == 0);
252 GPR_ASSERT(gpr_time_cmp(grpc_jwt_claims_not_before(claims), exp_nbf) == 0);
253
254 GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") ==
255 GRPC_JWT_VERIFIER_TIME_CONSTRAINT_FAILURE);
256 grpc_jwt_claims_destroy(claims);
257 }
258
test_invalid_claims_failure(void)259 static void test_invalid_claims_failure(void) {
260 grpc_error* error = GRPC_ERROR_NONE;
261 Json json = Json::Parse(invalid_claims, &error);
262 if (error != GRPC_ERROR_NONE) {
263 gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
264 }
265 GPR_ASSERT(error == GRPC_ERROR_NONE);
266 GPR_ASSERT(json.type() == Json::Type::OBJECT);
267 grpc_core::ExecCtx exec_ctx;
268 GPR_ASSERT(grpc_jwt_claims_from_json(json) == nullptr);
269 }
270
test_bad_audience_claims_failure(void)271 static void test_bad_audience_claims_failure(void) {
272 grpc_jwt_claims* claims;
273 grpc_error* error = GRPC_ERROR_NONE;
274 Json json = Json::Parse(claims_without_time_constraint, &error);
275 if (error != GRPC_ERROR_NONE) {
276 gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
277 }
278 GPR_ASSERT(error == GRPC_ERROR_NONE);
279 GPR_ASSERT(json.type() == Json::Type::OBJECT);
280 grpc_core::ExecCtx exec_ctx;
281 claims = grpc_jwt_claims_from_json(json);
282 GPR_ASSERT(claims != nullptr);
283 GPR_ASSERT(grpc_jwt_claims_check(claims, "https://bar.com") ==
284 GRPC_JWT_VERIFIER_BAD_AUDIENCE);
285 grpc_jwt_claims_destroy(claims);
286 }
287
test_bad_subject_claims_failure(void)288 static void test_bad_subject_claims_failure(void) {
289 grpc_jwt_claims* claims;
290 grpc_error* error = GRPC_ERROR_NONE;
291 Json json = Json::Parse(claims_with_bad_subject, &error);
292 if (error != GRPC_ERROR_NONE) {
293 gpr_log(GPR_ERROR, "JSON parse error: %s", grpc_error_string(error));
294 }
295 GPR_ASSERT(error == GRPC_ERROR_NONE);
296 GPR_ASSERT(json.type() == Json::Type::OBJECT);
297 grpc_core::ExecCtx exec_ctx;
298 claims = grpc_jwt_claims_from_json(json);
299 GPR_ASSERT(claims != nullptr);
300 GPR_ASSERT(grpc_jwt_claims_check(claims, "https://foo.com") ==
301 GRPC_JWT_VERIFIER_BAD_SUBJECT);
302 grpc_jwt_claims_destroy(claims);
303 }
304
json_key_str(const char * last_part)305 static char* json_key_str(const char* last_part) {
306 size_t result_len = strlen(json_key_str_part1) + strlen(json_key_str_part2) +
307 strlen(last_part);
308 char* result = static_cast<char*>(gpr_malloc(result_len + 1));
309 char* current = result;
310 strcpy(result, json_key_str_part1);
311 current += strlen(json_key_str_part1);
312 strcpy(current, json_key_str_part2);
313 current += strlen(json_key_str_part2);
314 strcpy(current, last_part);
315 return result;
316 }
317
good_google_email_keys(void)318 static char* good_google_email_keys(void) {
319 size_t result_len = strlen(good_google_email_keys_part1) +
320 strlen(good_google_email_keys_part2);
321 char* result = static_cast<char*>(gpr_malloc(result_len + 1));
322 char* current = result;
323 strcpy(result, good_google_email_keys_part1);
324 current += strlen(good_google_email_keys_part1);
325 strcpy(current, good_google_email_keys_part2);
326 return result;
327 }
328
http_response(int status,char * body)329 static grpc_httpcli_response http_response(int status, char* body) {
330 grpc_httpcli_response response;
331 response = {};
332 response.status = status;
333 response.body = body;
334 response.body_length = strlen(body);
335 return response;
336 }
337
httpcli_post_should_not_be_called(const grpc_httpcli_request *,const char *,size_t,grpc_millis,grpc_closure *,grpc_httpcli_response *)338 static int httpcli_post_should_not_be_called(
339 const grpc_httpcli_request* /*request*/, const char* /*body_bytes*/,
340 size_t /*body_size*/, grpc_millis /*deadline*/, grpc_closure* /*on_done*/,
341 grpc_httpcli_response* /*response*/) {
342 GPR_ASSERT("HTTP POST should not be called" == nullptr);
343 return 1;
344 }
345
httpcli_get_google_keys_for_email(const grpc_httpcli_request * request,grpc_millis,grpc_closure * on_done,grpc_httpcli_response * response)346 static int httpcli_get_google_keys_for_email(
347 const grpc_httpcli_request* request, grpc_millis /*deadline*/,
348 grpc_closure* on_done, grpc_httpcli_response* response) {
349 *response = http_response(200, good_google_email_keys());
350 GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl);
351 GPR_ASSERT(strcmp(request->host, "www.googleapis.com") == 0);
352 GPR_ASSERT(strcmp(request->http.path,
353 "/robot/v1/metadata/x509/"
354 "777-abaslkan11hlb6nmim3bpspl31ud@developer."
355 "gserviceaccount.com") == 0);
356 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
357 return 1;
358 }
359
on_verification_success(void * user_data,grpc_jwt_verifier_status status,grpc_jwt_claims * claims)360 static void on_verification_success(void* user_data,
361 grpc_jwt_verifier_status status,
362 grpc_jwt_claims* claims) {
363 GPR_ASSERT(status == GRPC_JWT_VERIFIER_OK);
364 GPR_ASSERT(claims != nullptr);
365 GPR_ASSERT(user_data == (void*)expected_user_data);
366 GPR_ASSERT(strcmp(grpc_jwt_claims_audience(claims), expected_audience) == 0);
367 grpc_jwt_claims_destroy(claims);
368 }
369
test_jwt_verifier_google_email_issuer_success(void)370 static void test_jwt_verifier_google_email_issuer_success(void) {
371 grpc_core::ExecCtx exec_ctx;
372 grpc_jwt_verifier* verifier = grpc_jwt_verifier_create(nullptr, 0);
373 char* jwt = nullptr;
374 char* key_str = json_key_str(json_key_str_part3_for_google_email_issuer);
375 grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
376 gpr_free(key_str);
377 GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
378 grpc_httpcli_set_override(httpcli_get_google_keys_for_email,
379 httpcli_post_should_not_be_called);
380 jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
381 nullptr);
382 grpc_auth_json_key_destruct(&key);
383 GPR_ASSERT(jwt != nullptr);
384 grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
385 on_verification_success, (void*)expected_user_data);
386 grpc_jwt_verifier_destroy(verifier);
387 grpc_core::ExecCtx::Get()->Flush();
388 gpr_free(jwt);
389 grpc_httpcli_set_override(nullptr, nullptr);
390 }
391
httpcli_get_custom_keys_for_email(const grpc_httpcli_request * request,grpc_millis,grpc_closure * on_done,grpc_httpcli_response * response)392 static int httpcli_get_custom_keys_for_email(
393 const grpc_httpcli_request* request, grpc_millis /*deadline*/,
394 grpc_closure* on_done, grpc_httpcli_response* response) {
395 *response = http_response(200, gpr_strdup(good_jwk_set));
396 GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl);
397 GPR_ASSERT(strcmp(request->host, "keys.bar.com") == 0);
398 GPR_ASSERT(strcmp(request->http.path, "/jwk/foo@bar.com") == 0);
399 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
400 return 1;
401 }
402
test_jwt_verifier_custom_email_issuer_success(void)403 static void test_jwt_verifier_custom_email_issuer_success(void) {
404 grpc_core::ExecCtx exec_ctx;
405 grpc_jwt_verifier* verifier = grpc_jwt_verifier_create(&custom_mapping, 1);
406 char* jwt = nullptr;
407 char* key_str = json_key_str(json_key_str_part3_for_custom_email_issuer);
408 grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
409 gpr_free(key_str);
410 GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
411 grpc_httpcli_set_override(httpcli_get_custom_keys_for_email,
412 httpcli_post_should_not_be_called);
413 jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
414 nullptr);
415 grpc_auth_json_key_destruct(&key);
416 GPR_ASSERT(jwt != nullptr);
417 grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
418 on_verification_success, (void*)expected_user_data);
419 grpc_jwt_verifier_destroy(verifier);
420 grpc_core::ExecCtx::Get()->Flush();
421 gpr_free(jwt);
422 grpc_httpcli_set_override(nullptr, nullptr);
423 }
424
httpcli_get_jwk_set(const grpc_httpcli_request * request,grpc_millis,grpc_closure * on_done,grpc_httpcli_response * response)425 static int httpcli_get_jwk_set(const grpc_httpcli_request* request,
426 grpc_millis /*deadline*/, grpc_closure* on_done,
427 grpc_httpcli_response* response) {
428 *response = http_response(200, gpr_strdup(good_jwk_set));
429 GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl);
430 GPR_ASSERT(strcmp(request->host, "www.googleapis.com") == 0);
431 GPR_ASSERT(strcmp(request->http.path, "/oauth2/v3/certs") == 0);
432 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
433 return 1;
434 }
435
httpcli_get_openid_config(const grpc_httpcli_request * request,grpc_millis,grpc_closure * on_done,grpc_httpcli_response * response)436 static int httpcli_get_openid_config(const grpc_httpcli_request* request,
437 grpc_millis /*deadline*/,
438 grpc_closure* on_done,
439 grpc_httpcli_response* response) {
440 *response = http_response(200, gpr_strdup(good_openid_config));
441 GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl);
442 GPR_ASSERT(strcmp(request->host, "accounts.google.com") == 0);
443 GPR_ASSERT(strcmp(request->http.path, GRPC_OPENID_CONFIG_URL_SUFFIX) == 0);
444 grpc_httpcli_set_override(httpcli_get_jwk_set,
445 httpcli_post_should_not_be_called);
446 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
447 return 1;
448 }
449
test_jwt_verifier_url_issuer_success(void)450 static void test_jwt_verifier_url_issuer_success(void) {
451 grpc_core::ExecCtx exec_ctx;
452 grpc_jwt_verifier* verifier = grpc_jwt_verifier_create(nullptr, 0);
453 char* jwt = nullptr;
454 char* key_str = json_key_str(json_key_str_part3_for_url_issuer);
455 grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
456 gpr_free(key_str);
457 GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
458 grpc_httpcli_set_override(httpcli_get_openid_config,
459 httpcli_post_should_not_be_called);
460 jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
461 nullptr);
462 grpc_auth_json_key_destruct(&key);
463 GPR_ASSERT(jwt != nullptr);
464 grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
465 on_verification_success, (void*)expected_user_data);
466 grpc_jwt_verifier_destroy(verifier);
467 grpc_core::ExecCtx::Get()->Flush();
468 gpr_free(jwt);
469 grpc_httpcli_set_override(nullptr, nullptr);
470 }
471
on_verification_key_retrieval_error(void * user_data,grpc_jwt_verifier_status status,grpc_jwt_claims * claims)472 static void on_verification_key_retrieval_error(void* user_data,
473 grpc_jwt_verifier_status status,
474 grpc_jwt_claims* claims) {
475 GPR_ASSERT(status == GRPC_JWT_VERIFIER_KEY_RETRIEVAL_ERROR);
476 GPR_ASSERT(claims == nullptr);
477 GPR_ASSERT(user_data == (void*)expected_user_data);
478 }
479
httpcli_get_bad_json(const grpc_httpcli_request * request,grpc_millis,grpc_closure * on_done,grpc_httpcli_response * response)480 static int httpcli_get_bad_json(const grpc_httpcli_request* request,
481 grpc_millis /*deadline*/, grpc_closure* on_done,
482 grpc_httpcli_response* response) {
483 *response = http_response(200, gpr_strdup("{\"bad\": \"stuff\"}"));
484 GPR_ASSERT(request->handshaker == &grpc_httpcli_ssl);
485 grpc_core::ExecCtx::Run(DEBUG_LOCATION, on_done, GRPC_ERROR_NONE);
486 return 1;
487 }
488
test_jwt_verifier_url_issuer_bad_config(void)489 static void test_jwt_verifier_url_issuer_bad_config(void) {
490 grpc_core::ExecCtx exec_ctx;
491 grpc_jwt_verifier* verifier = grpc_jwt_verifier_create(nullptr, 0);
492 char* jwt = nullptr;
493 char* key_str = json_key_str(json_key_str_part3_for_url_issuer);
494 grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
495 gpr_free(key_str);
496 GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
497 grpc_httpcli_set_override(httpcli_get_bad_json,
498 httpcli_post_should_not_be_called);
499 jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
500 nullptr);
501 grpc_auth_json_key_destruct(&key);
502 GPR_ASSERT(jwt != nullptr);
503 grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
504 on_verification_key_retrieval_error,
505 (void*)expected_user_data);
506 grpc_jwt_verifier_destroy(verifier);
507 grpc_core::ExecCtx::Get()->Flush();
508 gpr_free(jwt);
509 grpc_httpcli_set_override(nullptr, nullptr);
510 }
511
test_jwt_verifier_bad_json_key(void)512 static void test_jwt_verifier_bad_json_key(void) {
513 grpc_core::ExecCtx exec_ctx;
514 grpc_jwt_verifier* verifier = grpc_jwt_verifier_create(nullptr, 0);
515 char* jwt = nullptr;
516 char* key_str = json_key_str(json_key_str_part3_for_google_email_issuer);
517 grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
518 gpr_free(key_str);
519 GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
520 grpc_httpcli_set_override(httpcli_get_bad_json,
521 httpcli_post_should_not_be_called);
522 jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
523 nullptr);
524 grpc_auth_json_key_destruct(&key);
525 GPR_ASSERT(jwt != nullptr);
526 grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
527 on_verification_key_retrieval_error,
528 (void*)expected_user_data);
529 grpc_jwt_verifier_destroy(verifier);
530 grpc_core::ExecCtx::Get()->Flush();
531 gpr_free(jwt);
532 grpc_httpcli_set_override(nullptr, nullptr);
533 }
534
corrupt_jwt_sig(char * jwt)535 static void corrupt_jwt_sig(char* jwt) {
536 grpc_slice sig;
537 char* bad_b64_sig;
538 uint8_t* sig_bytes;
539 char* last_dot = strrchr(jwt, '.');
540 GPR_ASSERT(last_dot != nullptr);
541 {
542 grpc_core::ExecCtx exec_ctx;
543 sig = grpc_base64_decode(last_dot + 1, 1);
544 }
545 GPR_ASSERT(!GRPC_SLICE_IS_EMPTY(sig));
546 sig_bytes = GRPC_SLICE_START_PTR(sig);
547 (*sig_bytes)++; /* Corrupt first byte. */
548 bad_b64_sig = grpc_base64_encode(GRPC_SLICE_START_PTR(sig),
549 GRPC_SLICE_LENGTH(sig), 1, 0);
550 memcpy(last_dot + 1, bad_b64_sig, strlen(bad_b64_sig));
551 gpr_free(bad_b64_sig);
552 grpc_slice_unref(sig);
553 }
554
on_verification_bad_signature(void * user_data,grpc_jwt_verifier_status status,grpc_jwt_claims * claims)555 static void on_verification_bad_signature(void* user_data,
556 grpc_jwt_verifier_status status,
557 grpc_jwt_claims* claims) {
558 GPR_ASSERT(status == GRPC_JWT_VERIFIER_BAD_SIGNATURE);
559 GPR_ASSERT(claims == nullptr);
560 GPR_ASSERT(user_data == (void*)expected_user_data);
561 }
562
test_jwt_verifier_bad_signature(void)563 static void test_jwt_verifier_bad_signature(void) {
564 grpc_core::ExecCtx exec_ctx;
565 grpc_jwt_verifier* verifier = grpc_jwt_verifier_create(nullptr, 0);
566 char* jwt = nullptr;
567 char* key_str = json_key_str(json_key_str_part3_for_url_issuer);
568 grpc_auth_json_key key = grpc_auth_json_key_create_from_string(key_str);
569 gpr_free(key_str);
570 GPR_ASSERT(grpc_auth_json_key_is_valid(&key));
571 grpc_httpcli_set_override(httpcli_get_openid_config,
572 httpcli_post_should_not_be_called);
573 jwt = grpc_jwt_encode_and_sign(&key, expected_audience, expected_lifetime,
574 nullptr);
575 grpc_auth_json_key_destruct(&key);
576 corrupt_jwt_sig(jwt);
577 GPR_ASSERT(jwt != nullptr);
578 grpc_jwt_verifier_verify(verifier, nullptr, jwt, expected_audience,
579 on_verification_bad_signature,
580 (void*)expected_user_data);
581 gpr_free(jwt);
582 grpc_jwt_verifier_destroy(verifier);
583 grpc_core::ExecCtx::Get()->Flush();
584 grpc_httpcli_set_override(nullptr, nullptr);
585 }
586
httpcli_get_should_not_be_called(const grpc_httpcli_request *,grpc_millis,grpc_closure *,grpc_httpcli_response *)587 static int httpcli_get_should_not_be_called(
588 const grpc_httpcli_request* /*request*/, grpc_millis /*deadline*/,
589 grpc_closure* /*on_done*/, grpc_httpcli_response* /*response*/) {
590 GPR_ASSERT(0);
591 return 1;
592 }
593
on_verification_bad_format(void * user_data,grpc_jwt_verifier_status status,grpc_jwt_claims * claims)594 static void on_verification_bad_format(void* user_data,
595 grpc_jwt_verifier_status status,
596 grpc_jwt_claims* claims) {
597 GPR_ASSERT(status == GRPC_JWT_VERIFIER_BAD_FORMAT);
598 GPR_ASSERT(claims == nullptr);
599 GPR_ASSERT(user_data == (void*)expected_user_data);
600 }
601
test_jwt_verifier_bad_format(void)602 static void test_jwt_verifier_bad_format(void) {
603 grpc_core::ExecCtx exec_ctx;
604 grpc_jwt_verifier* verifier = grpc_jwt_verifier_create(nullptr, 0);
605 grpc_httpcli_set_override(httpcli_get_should_not_be_called,
606 httpcli_post_should_not_be_called);
607 grpc_jwt_verifier_verify(verifier, nullptr, "bad jwt", expected_audience,
608 on_verification_bad_format,
609 (void*)expected_user_data);
610 grpc_jwt_verifier_destroy(verifier);
611 grpc_core::ExecCtx::Get()->Flush();
612 grpc_httpcli_set_override(nullptr, nullptr);
613 }
614
615 /* find verification key: bad jks, cannot find key in jks */
616 /* bad signature custom provided email*/
617 /* bad key */
618
main(int argc,char ** argv)619 int main(int argc, char** argv) {
620 grpc::testing::TestEnvironment env(argc, argv);
621 grpc_init();
622 test_jwt_issuer_email_domain();
623 test_claims_success();
624 test_expired_claims_failure();
625 test_invalid_claims_failure();
626 test_bad_audience_claims_failure();
627 test_bad_subject_claims_failure();
628 test_jwt_verifier_google_email_issuer_success();
629 test_jwt_verifier_custom_email_issuer_success();
630 test_jwt_verifier_url_issuer_success();
631 test_jwt_verifier_url_issuer_bad_config();
632 test_jwt_verifier_bad_json_key();
633 test_jwt_verifier_bad_signature();
634 test_jwt_verifier_bad_format();
635 grpc_shutdown();
636 return 0;
637 }
638