-
Notifications
You must be signed in to change notification settings - Fork 1
/
validator_test.go
99 lines (76 loc) · 2.88 KB
/
validator_test.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
package scitokens
import (
"context"
"testing"
"github.com/lestrrat-go/jwx/jwt"
"github.com/stretchr/testify/assert"
)
func TestScopeValidator(t *testing.T) {
assert := assert.New(t)
ctx := context.Background()
t1 := jwt.New()
t1.Set("scope", "read:/foo write:/foo/bar")
st1, err := NewSciToken(t1)
if !assert.NoError(err) {
return
}
v := WithScope(Scope{"read", "/foo"})
assert.ErrorIs(v.Validate(ctx, t1), NotSciTokenError, "cannot validate non-SciToken")
assert.NoError(v.Validate(ctx, st1), "token has read permission on /foo")
v = WithScope(Scope{"read", "/foo/bar"})
assert.NoError(v.Validate(ctx, st1), "sub-paths can be read")
v = WithScope(Scope{"read", "/qux"})
assert.Error(v.Validate(ctx, st1), "token does not have read permission on /qux")
v = WithScope(Scope{"write", "/foo"})
assert.Error(v.Validate(ctx, st1), "token does not have write permission on /foo")
v = WithScope(Scope{"write", "/foo/bar"})
assert.NoError(v.Validate(ctx, st1), "token has write permission on /foo/bar")
v = WithScope(Scope{"write", "/foo/bar/baz"})
assert.NoError(v.Validate(ctx, st1), "sub-paths can be written")
v = WithScope(Scope{"compute", ""})
assert.Error(v.Validate(ctx, st1), "token does not have compute permission")
}
func TestGroupValidator(t *testing.T) {
assert := assert.New(t)
ctx := context.Background()
t1 := jwt.New()
t1.Set("wlcg.groups", []interface{}{"/foo"})
st1, err := NewSciToken(t1)
if !assert.NoError(err) {
return
}
v := WithGroup("/foo")
assert.ErrorIs(v.Validate(ctx, t1), NotSciTokenError, "cannot validate non-SciToken")
assert.NoError(v.Validate(ctx, st1), "token has group foo")
v = WithGroup("foo")
assert.NoError(v.Validate(ctx, st1), "leading slash is optional")
v = WithGroup("bar")
assert.Error(v.Validate(ctx, st1), "token does not have group bar")
v = WithGroup("foo/bar")
assert.Error(v.Validate(ctx, st1), "token does not have sub-group foo/bar")
}
func TestAudienceValidator(t *testing.T) {
assert := assert.New(t)
ctx := context.Background()
t1 := jwt.New()
t1.Set("ver", "scitoken:2.0")
t1.Set("aud", "foo")
st1, err := NewSciToken(t1)
if !assert.NoError(err) {
return
}
v := WithAudience("bar")
assert.ErrorIs(v.Validate(ctx, t1), NotSciTokenError, "cannot validate non-SciToken")
assert.Error(v.Validate(ctx, st1), "token does not have required audience")
assert.NoError(t1.Set("aud", "bar"))
assert.NoError(v.Validate(ctx, st1), "token has required audience")
assert.NoError(st1.Remove("aud"))
assert.Error(v.Validate(ctx, st1), "audience is mandatory for scitoken v2.0")
assert.NoError(st1.Set("ver", "scitoken:1.0"))
assert.NoError(v.Validate(ctx, st1), "audience is not mandatory for scitoken v1.0")
assert.NoError(st1.Set("ver", "scitoken:2.0"))
for _, any := range AnyAudiences {
assert.NoError(st1.Set("aud", any))
assert.NoErrorf(v.Validate(ctx, st1), "%s audience allows use for any audience", any)
}
}