oauth2-proxy/pkg/encryption/cipher_test.go

package encryption

import (
	"crypto/sha1"
	"crypto/sha256"
	"encoding/base64"
	"testing"

	"github.com/stretchr/testify/assert"
)

func TestSignAndValidate(t *testing.T) {
	seed := "0123456789abcdef"
	key := "cookie-name"
	value := base64.URLEncoding.EncodeToString([]byte("I am soooo encoded"))
	epoch := "123456789"

	sha256sig := cookieSignature(sha256.New, seed, key, value, epoch)
	sha1sig := cookieSignature(sha1.New, seed, key, value, epoch)

	assert.True(t, checkSignature(sha256sig, seed, key, value, epoch))
	// This should be switched to False after fully deprecating SHA1
	assert.True(t, checkSignature(sha1sig, seed, key, value, epoch))

	assert.False(t, checkSignature(sha256sig, seed, key, "tampered", epoch))
	assert.False(t, checkSignature(sha1sig, seed, key, "tampered", epoch))
}

func TestEncodeAndDecodeAccessToken(t *testing.T) {
	const secret = "0123456789abcdefghijklmnopqrstuv"
	const token = "my access token"
	c, err := NewCipher([]byte(secret))
	assert.Equal(t, nil, err)

	encoded, err := c.Encrypt(token)
	assert.Equal(t, nil, err)

	decoded, err := c.Decrypt(encoded)
	assert.Equal(t, nil, err)

	assert.NotEqual(t, token, encoded)
	assert.Equal(t, token, decoded)
}

func TestEncodeAndDecodeAccessTokenB64(t *testing.T) {
	const secretBase64 = "A3Xbr6fu6Al0HkgrP1ztjb-mYiwmxgNPP-XbNsz1WBk="
	const token = "my access token"

	secret, err := base64.URLEncoding.DecodeString(secretBase64)
	assert.Equal(t, nil, err)
	c, err := NewCipher([]byte(secret))
	assert.Equal(t, nil, err)

	encoded, err := c.Encrypt(token)
	assert.Equal(t, nil, err)

	decoded, err := c.Decrypt(encoded)
	assert.Equal(t, nil, err)

	assert.NotEqual(t, token, encoded)
	assert.Equal(t, token, decoded)
}
Move cookie to pkg/encryption 2019-05-24 17:06:48 +01:00			`package encryption`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00
			`import (`
Migrate cookie signing to SHA256 from SHA1 (#524) Also, cleanup the code & make the specific hashing algorithm chosen a function variable. Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-05 18:41:48 -07:00			`"crypto/sha1"`
			`"crypto/sha256"`
base64 cookie support 2016-06-20 07:17:39 -04:00			`"encoding/base64"`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`"testing"`

Swap out bmizerany/assert package that is deprecated in favor of stretchr/testify/assert 2017-10-23 12:23:46 -04:00			`"github.com/stretchr/testify/assert"`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`)`

Migrate cookie signing to SHA256 from SHA1 (#524) Also, cleanup the code & make the specific hashing algorithm chosen a function variable. Co-authored-by: Henry Jenkins <henry@henryjenkins.name> 2020-05-05 18:41:48 -07:00			`func TestSignAndValidate(t *testing.T) {`
			`seed := "0123456789abcdef"`
			`key := "cookie-name"`
			`value := base64.URLEncoding.EncodeToString([]byte("I am soooo encoded"))`
			`epoch := "123456789"`

			`sha256sig := cookieSignature(sha256.New, seed, key, value, epoch)`
			`sha1sig := cookieSignature(sha1.New, seed, key, value, epoch)`

			`assert.True(t, checkSignature(sha256sig, seed, key, value, epoch))`
			`// This should be switched to False after fully deprecating SHA1`
			`assert.True(t, checkSignature(sha1sig, seed, key, value, epoch))`

			`assert.False(t, checkSignature(sha256sig, seed, key, "tampered", epoch))`
			`assert.False(t, checkSignature(sha1sig, seed, key, "tampered", epoch))`
			`}`

SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`func TestEncodeAndDecodeAccessToken(t *testing.T) {`
			`const secret = "0123456789abcdefghijklmnopqrstuv"`
			`const token = "my access token"`
base64 cookie support 2016-06-20 07:17:39 -04:00			`c, err := NewCipher([]byte(secret))`
			`assert.Equal(t, nil, err)`

			`encoded, err := c.Encrypt(token)`
			`assert.Equal(t, nil, err)`

			`decoded, err := c.Decrypt(encoded)`
			`assert.Equal(t, nil, err)`

			`assert.NotEqual(t, token, encoded)`
			`assert.Equal(t, token, decoded)`
			`}`

			`func TestEncodeAndDecodeAccessTokenB64(t *testing.T) {`
Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00			`const secretBase64 = "A3Xbr6fu6Al0HkgrP1ztjb-mYiwmxgNPP-XbNsz1WBk="`
base64 cookie support 2016-06-20 07:17:39 -04:00			`const token = "my access token"`

Lint for non-comment linter errors 2018-11-29 14:26:41 +00:00			`secret, err := base64.URLEncoding.DecodeString(secretBase64)`
			`assert.Equal(t, nil, err)`
base64 cookie support 2016-06-20 07:17:39 -04:00			`c, err := NewCipher([]byte(secret))`
SessionState refactoring; improve token renewal and cookie refresh * New SessionState to consolidate email, access token and refresh token * split ServeHttp into individual methods * log on session renewal * log on access token refresh * refactor cookie encription/decription and session state serialization 2015-06-23 07:23:39 -04:00			`assert.Equal(t, nil, err)`

			`encoded, err := c.Encrypt(token)`
			`assert.Equal(t, nil, err)`

			`decoded, err := c.Decrypt(encoded)`
			`assert.Equal(t, nil, err)`

			`assert.NotEqual(t, token, encoded)`
			`assert.Equal(t, token, decoded)`
			`}`