kopia lustrzana https://gitlab.com/rysiekpl/libresilient
signed-integrity: added test for incorrect signature (ref. #28)
rodzic
8f2d095ff0
commit
5703763097
|
@ -64,17 +64,39 @@ describe("plugin: signed-integrity", () => {
|
||||||
// prepare it for inclusion in the JWT
|
// prepare it for inclusion in the JWT
|
||||||
signature = btoa(signature).replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
|
signature = btoa(signature).replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
|
||||||
|
|
||||||
|
// need to test with bad algo!
|
||||||
|
var noneHeader = btoa('{"alg": "none"}').replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
|
||||||
|
|
||||||
|
// get an invalid signature
|
||||||
|
// an ECDSA signature for {alg: none} header makes zero sense
|
||||||
|
var noneSignature = await subtle.sign(
|
||||||
|
{
|
||||||
|
name: "ECDSA",
|
||||||
|
hash: {name: "SHA-384"}
|
||||||
|
},
|
||||||
|
(await generateECDSAKeypair()).privateKey,
|
||||||
|
(noneHeader + '.' + payload)
|
||||||
|
)
|
||||||
|
// prepare it for inclusion in the JWT
|
||||||
|
noneSignature = btoa(noneSignature).replace(/\//g, '_').replace(/\+/g, '-').replace(/=/g, '')
|
||||||
|
|
||||||
global.resolvingFetch = jest.fn((url, init)=>{
|
global.resolvingFetch = jest.fn((url, init)=>{
|
||||||
var content = '{"test": "success"}'
|
var content = '{"test": "success"}'
|
||||||
var status = 200
|
var status = 200
|
||||||
var statusText = "OK"
|
var statusText = "OK"
|
||||||
|
|
||||||
if (url == 'https://resilient.is/test.json.integrity') {
|
if (url == 'https://resilient.is/test.json.integrity') {
|
||||||
content = header + '.' + payload + '.' + signature
|
content = header + '.' + payload + '.' + signature
|
||||||
} else if (url == 'https://resilient.is/fail.json.integrity') {
|
// testing 404 not found on the integrity URL
|
||||||
|
} else if (url == 'https://resilient.is/not-found.json.integrity') {
|
||||||
content = '{"test": "fail"}'
|
content = '{"test": "fail"}'
|
||||||
status = 404
|
status = 404
|
||||||
statusText = "Not Found"
|
statusText = "Not Found"
|
||||||
|
// testing bad signature on the integrity JWT
|
||||||
|
} else if (url == 'https://resilient.is/bad-signature.json.integrity') {
|
||||||
|
content = header + '.' + payload + '.' + noneSignature
|
||||||
}
|
}
|
||||||
|
|
||||||
return Promise.resolve(
|
return Promise.resolve(
|
||||||
new Response(
|
new Response(
|
||||||
[content],
|
[content],
|
||||||
|
@ -179,12 +201,12 @@ describe("plugin: signed-integrity", () => {
|
||||||
test("it should fetch content when integrity data not provided, and integrity data URL 404s", async () => {
|
test("it should fetch content when integrity data not provided, and integrity data URL 404s", async () => {
|
||||||
require("../../plugins/signed-integrity.js");
|
require("../../plugins/signed-integrity.js");
|
||||||
|
|
||||||
const response = await LibResilientPluginConstructors.get('signed-integrity')(LR, init).fetch('https://resilient.is/fail.json', {});
|
const response = await LibResilientPluginConstructors.get('signed-integrity')(LR, init).fetch('https://resilient.is/not-found.json', {});
|
||||||
|
|
||||||
expect(resolvingFetch).toHaveBeenCalledTimes(2);
|
expect(resolvingFetch).toHaveBeenCalledTimes(2);
|
||||||
expect(resolvingFetch).toHaveBeenNthCalledWith(1, 'https://resilient.is/fail.json.integrity')
|
expect(resolvingFetch).toHaveBeenNthCalledWith(1, 'https://resilient.is/not-found.json.integrity')
|
||||||
expect(await response.json()).toEqual({test: "success"})
|
expect(await response.json()).toEqual({test: "success"})
|
||||||
expect(response.url).toEqual('https://resilient.is/fail.json')
|
expect(response.url).toEqual('https://resilient.is/not-found.json')
|
||||||
});
|
});
|
||||||
|
|
||||||
test("it should refuse to fetch content when integrity data not provided and integrity data URL 404s, but requireIntegrity is set to true", async () => {
|
test("it should refuse to fetch content when integrity data not provided and integrity data URL 404s, but requireIntegrity is set to true", async () => {
|
||||||
|
@ -195,13 +217,27 @@ describe("plugin: signed-integrity", () => {
|
||||||
|
|
||||||
expect.assertions(4);
|
expect.assertions(4);
|
||||||
try {
|
try {
|
||||||
const response = await LibResilientPluginConstructors.get('signed-integrity')(LR, newInit).fetch('https://resilient.is/fail.json', {});
|
const response = await LibResilientPluginConstructors.get('signed-integrity')(LR, newInit).fetch('https://resilient.is/not-found.json', {});
|
||||||
} catch (e) {
|
} catch (e) {
|
||||||
expect(resolvingFetch).toHaveBeenCalledTimes(1);
|
expect(resolvingFetch).toHaveBeenCalledTimes(1);
|
||||||
expect(resolvingFetch).toHaveBeenCalledWith('https://resilient.is/fail.json.integrity')
|
expect(resolvingFetch).toHaveBeenCalledWith('https://resilient.is/not-found.json.integrity')
|
||||||
expect(e).toBeInstanceOf(Error)
|
expect(e).toBeInstanceOf(Error)
|
||||||
expect(e.toString()).toMatch('No integrity data available, though required.')
|
expect(e.toString()).toMatch('No integrity data available, though required.')
|
||||||
}
|
}
|
||||||
});
|
});
|
||||||
|
|
||||||
|
test("it should refuse to fetch content when integrity data not provided and integrity data URL is fetched, but JWT signature check fails", async () => {
|
||||||
|
require("../../plugins/signed-integrity.js");
|
||||||
|
|
||||||
|
expect.assertions(4);
|
||||||
|
try {
|
||||||
|
const response = await LibResilientPluginConstructors.get('signed-integrity')(LR, init).fetch('https://resilient.is/bad-signature.json', {});
|
||||||
|
} catch (e) {
|
||||||
|
expect(resolvingFetch).toHaveBeenCalledTimes(1);
|
||||||
|
expect(resolvingFetch).toHaveBeenCalledWith('https://resilient.is/bad-signature.json.integrity')
|
||||||
|
expect(e).toBeInstanceOf(Error)
|
||||||
|
expect(e.toString()).toMatch('JWT signature validation failed')
|
||||||
|
}
|
||||||
|
});
|
||||||
|
|
||||||
});
|
});
|
||||||
|
|
Ładowanie…
Reference in New Issue