
feature: static public keys file support for oidc provider

Co-authored-by: Jan Larwig <jan@larwig.com>
Co-authored-by: JJ Łakis <jacek.lakis@checkatrade.com>
This commit is contained in:
axel7083
2023-03-15 14:03:48 +01:00
committed by Jan Larwig
parent ae8fb08a89
commit e28603f7af
9 changed files with 154 additions and 16 deletions


@ -2,6 +2,8 @@ package oidc
import (
"context"
"os"
"path/filepath"
"time"
"github.com/golang-jwt/jwt/v5"
@ -10,6 +12,37 @@ import (
. "github.com/onsi/gomega"
)
var tempDir string
var invalidPublicKeyFilePath string
var validPublicKeyFilePath string
var _ = BeforeSuite(func() {
var err error
// Create a temporary directory and public key file
tempDir, err = os.MkdirTemp("/tmp", "provider-verifier-test")
Expect(err).ToNot(HaveOccurred())
invalidPublicKeyFilePath = filepath.Join(tempDir, "invalid.key")
validPublicKeyFilePath = filepath.Join(tempDir, "valid.key")
invalidKeyContents := []byte(`-----BEGIN INVALID KEY-----
ThisIsNotAValidKey
-----END INVALID KEY-----`)
Expect(os.WriteFile(invalidPublicKeyFilePath, invalidKeyContents, 0644)).To(Succeed())
validKeyContents := []byte(`-----BEGIN PUBLIC KEY-----
MFwwDQYJKoZIhvcNAQEBBQADSwAwSAJBALBJK+8qU+aQu2bHxJ8E95AIu2NINztM
NmX9R2zI9xlXN8wGQG8kWLYoRLbyiZwY9kdzOBGvYci64wHIjtFswHcCAwEAAQ==
-----END PUBLIC KEY-----`)
Expect(os.WriteFile(validPublicKeyFilePath, validKeyContents, 0644)).To(Succeed())
})
var _ = AfterSuite(func() {
// Clean up temporary directory
Expect(os.RemoveAll(tempDir)).To(Succeed())
})
var _ = Describe("ProviderVerifier", func() {
var m *mockoidc.MockOIDC
@ -77,14 +110,42 @@ var _ = Describe("ProviderVerifier", func() {
p.SkipDiscovery = true
p.JWKsURL = ""
},
expectedError: "invalid provider verifier options: missing required setting: jwks-url",
expectedError: "invalid provider verifier options: missing required setting: jwks-url or public-key-files",
}),
Entry("should be succesfful when skipping discovery with the JWKs URL specified", &newProviderVerifierTableInput{
Entry("with skip discovery, the JWKs URL not empty and len(PublicKeyFiles) is greater than 0", &newProviderVerifierTableInput{
modifyOpts: func(p *ProviderVerifierOptions) {
p.SkipDiscovery = true
p.JWKsURL = "notEmpty"
p.PublicKeyFiles = []string{"notEmpty"}
},
expectedError: "invalid provider verifier options: mutually exclusive settings: jwks-url and public-key-files",
}),
Entry("should be successful when skipping discovery with the JWKs URL specified", &newProviderVerifierTableInput{
modifyOpts: func(p *ProviderVerifierOptions) {
p.SkipDiscovery = true
p.JWKsURL = m.JWKSEndpoint()
},
}),
Entry("should pass when the key is valid", &newProviderVerifierTableInput{
modifyOpts: func(p *ProviderVerifierOptions) {
p.SkipDiscovery = true
p.PublicKeyFiles = []string{validPublicKeyFilePath}
},
}),
Entry("should fail when the key is invalid", &newProviderVerifierTableInput{
modifyOpts: func(p *ProviderVerifierOptions) {
p.SkipDiscovery = true
p.PublicKeyFiles = []string{invalidPublicKeyFilePath}
},
expectedError: "could not get verifier builder: error while parsing public keys",
}),
Entry("should fail when the key file is not found", &newProviderVerifierTableInput{
modifyOpts: func(p *ProviderVerifierOptions) {
p.SkipDiscovery = true
p.PublicKeyFiles = []string{"non-existing"}
},
expectedError: "could not get verifier builder: error while parsing public keys: failed to read file",
}),
)
type verifierTableInput struct {
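Review bot: The suite setup in the second hunk hard-codes the temp root, `tempDir, err = os.MkdirTemp("/tmp", "provider-verifier-test")`, which ignores TMPDIR and does not exist on Windows; `os.MkdirTemp("", "provider-verifier-test")` picks the platform temp directory and keeps the rest of the setup unchanged. The new entries in the third hunk ("should fail when the key is invalid", "should fail when the key file is not found") pin only a prefix of the error text, so they presumably rely on the table driver matching by substring or prefix rather than equality — worth confirming, since an equality matcher would make both fail on the wrapped read/parse error. The entry description at `Entry("with skip discovery, the JWKs URL not empty and len(PublicKeyFiles) is greater than 0", ...` breaks the "should ..." phrasing used by its neighbours; `Entry("should fail when skipping discovery with both the JWKs URL and public key files set", ...` reads consistently with the rest of the table. The enclosing Describe block starts before this hunk.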