More unit tests for the auth package (#28)

* Added more unit tests for auth package

* Added some unit tests for low-level JWT processing

* More test cases

* Fixing a typo

Author: hiranya911

auth/auth_test.go

@@ -15,7 +15,9 @@
 package auth
 
 import (
+	"encoding/json"
 	"errors"
+	"fmt"
 	"io/ioutil"
 	"log"
 	"os"
@@ -81,6 +83,38 @@ func TestMain(m *testing.M) {
 	os.Exit(m.Run())
 }
 
+func TestNewClientInvalidCredentials(t *testing.T) {
+	creds := &google.DefaultCredentials{
+		JSON: []byte("foo"),
+	}
+	conf := &internal.AuthConfig{
+		Ctx:   context.Background(),
+		Creds: creds,
+	}
+	if c, err := NewClient(conf); c != nil || err == nil {
+		t.Errorf("NewCient() = (%v,%v); want = (nil, error)", c, err)
+	}
+}
+
+func TestNewClientInvalidPrivateKey(t *testing.T) {
+	sa := map[string]interface{}{
+		"private_key":  "foo",
+		"client_email": "bar@test.com",
+	}
+	b, err := json.Marshal(sa)
+	if err != nil {
+		t.Fatal(err)
+	}
+	creds := &google.DefaultCredentials{JSON: b}
+	conf := &internal.AuthConfig{
+		Ctx:   context.Background(),
+		Creds: creds,
+	}
+	if c, err := NewClient(conf); c != nil || err == nil {
+		t.Errorf("NewCient() = (%v,%v); want = (nil, error)", c, err)
+	}
+}
+
 func TestCustomToken(t *testing.T) {
 	token, err := client.CustomToken("user1")
 	if err != nil {
@@ -118,13 +152,14 @@ func TestCustomTokenError(t *testing.T) {
 	}{
 		{"EmptyName", "", nil},
 		{"LongUid", strings.Repeat("a", 129), nil},
-		{"ReservedClaims", "uid", map[string]interface{}{"sub": "1234"}},
+		{"ReservedClaim", "uid", map[string]interface{}{"sub": "1234"}},
+		{"ReservedClaims", "uid", map[string]interface{}{"sub": "1234", "aud": "foo"}},
 	}
 
 	for _, tc := range cases {
 		token, err := client.CustomTokenWithClaims(tc.uid, tc.claims)
 		if token != "" || err == nil {
-			t.Errorf("CustomTokenWithClaims(%q) = (%q, %v); want: (\"\", error)", tc.name, token, err)
+			t.Errorf("CustomTokenWithClaims(%q) = (%q, %v); want = (\"\", error)", tc.name, token, err)
 		}
 	}
 }
@@ -137,12 +172,12 @@ func TestCustomTokenInvalidCredential(t *testing.T) {
 
 	token, err := s.CustomToken("user1")
 	if token != "" || err == nil {
-		t.Errorf("CustomTokenWithClaims() = (%q, %v); want: (\"\", error)", token, err)
+		t.Errorf("CustomTokenWithClaims() = (%q, %v); want = (\"\", error)", token, err)
 	}
 
 	token, err = s.CustomTokenWithClaims("user1", map[string]interface{}{"foo": "bar"})
 	if token != "" || err == nil {
-		t.Errorf("CustomTokenWithClaims() = (%q, %v); want: (\"\", error)", token, err)
+		t.Errorf("CustomTokenWithClaims() = (%q, %v); want = (\"\", error)", token, err)
 	}
 }
 
@@ -152,15 +187,23 @@ func TestVerifyIDToken(t *testing.T) {
 		t.Fatal(err)
 	}
 	if ft.Claims["admin"] != true {
-		t.Errorf("Claims['admin'] = %v; want: true", ft.Claims["admin"])
+		t.Errorf("Claims['admin'] = %v; want = true", ft.Claims["admin"])
 	}
 	if ft.UID != ft.Subject {
 		t.Errorf("UID = %q; Sub = %q; want UID = Sub", ft.UID, ft.Subject)
 	}
 }
 
+func TestVerifyIDTokenInvalidSignature(t *testing.T) {
+	parts := strings.Split(testIDToken, ".")
+	token := fmt.Sprintf("%s:%s:invalidsignature", parts[0], parts[1])
+	if ft, err := client.VerifyIDToken(token); ft != nil || err == nil {
+		t.Errorf("VerifyiDToken('invalid-signature') = (%v, %v); want = (nil, error)", ft, err)
+	}
+}
+
 func TestVerifyIDTokenError(t *testing.T) {
-	var now int64 = 1000
+	now := time.Now().Unix()
 	cases := []struct {
 		name  string
 		token string
@@ -172,22 +215,18 @@ func TestVerifyIDTokenError(t *testing.T) {
 		{"EmptySubject", getIDToken(mockIDTokenPayload{"sub": ""})},
 		{"IntSubject", getIDToken(mockIDTokenPayload{"sub": 10})},
 		{"LongSubject", getIDToken(mockIDTokenPayload{"sub": strings.Repeat("a", 129)})},
-		{"FutureToken", getIDToken(mockIDTokenPayload{"iat": time.Unix(now+1, 0)})},
+		{"FutureToken", getIDToken(mockIDTokenPayload{"iat": now + 1000})},
 		{"ExpiredToken", getIDToken(mockIDTokenPayload{
-			"iat": time.Unix(now-10, 0),
-			"exp": time.Unix(now-1, 0),
+			"iat": now - 1000,
+			"exp": now - 100,
 		})},
 		{"EmptyToken", ""},
 		{"BadFormatToken", "foobar"},
 	}
 
-	clk = &mockClock{now: time.Unix(now, 0)}
-	defer func() {
-		clk = &systemClock{}
-	}()
 	for _, tc := range cases {
 		if _, err := client.VerifyIDToken(tc.token); err == nil {
-			t.Errorf("VerifyyIDToken(%q) = nil; want error", tc.name)
+			t.Errorf("VerifyIDToken(%q) = nil; want error", tc.name)
 		}
 	}
 }

auth/crypto.go

@@ -148,13 +148,10 @@ func (k *httpKeySource) refreshKeys() error {
 
 func findMaxAge(resp *http.Response) (*time.Duration, error) {
 	cc := resp.Header.Get("cache-control")
-	for _, value := range strings.Split(cc, ", ") {
+	for _, value := range strings.Split(cc, ",") {
 		value = strings.TrimSpace(value)
-		if strings.HasPrefix(value, "max-age") {
+		if strings.HasPrefix(value, "max-age=") {
 			sep := strings.Index(value, "=")
-			if sep == -1 {
-				return nil, errors.New("Malformed cache-control header")
-			}
 			seconds, err := strconv.ParseInt(value[sep+1:], 10, 64)
 			if err != nil {
 				return nil, err

auth/crypto_test.go

@@ -15,6 +15,7 @@
 package auth
 
 import (
+	"errors"
 	"fmt"
 	"io"
 	"io/ioutil"
@@ -122,6 +123,122 @@ func TestHTTPKeySourceWithClient(t *testing.T) {
 	}
 }
 
+func TestHTTPKeySourceEmptyResponse(t *testing.T) {
+	hc, _ := newHTTPClient([]byte(""))
+	ks, err := newHTTPKeySource(context.Background(), "http://mock.url", option.WithHTTPClient(hc))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if keys, err := ks.Keys(); keys != nil || err == nil {
+		t.Errorf("Keys() = (%v, %v); want = (nil, error)", keys, err)
+	}
+}
+
+func TestHTTPKeySourceIncorrectResponse(t *testing.T) {
+	hc, _ := newHTTPClient([]byte("{\"foo\": 1}"))
+	ks, err := newHTTPKeySource(context.Background(), "http://mock.url", option.WithHTTPClient(hc))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if keys, err := ks.Keys(); keys != nil || err == nil {
+		t.Errorf("Keys() = (%v, %v); want = (nil, error)", keys, err)
+	}
+}
+
+func TestHTTPKeySourceTransportError(t *testing.T) {
+	hc := &http.Client{
+		Transport: &mockHTTPResponse{
+			Err: errors.New("transport error"),
+		},
+	}
+	ks, err := newHTTPKeySource(context.Background(), "http://mock.url", option.WithHTTPClient(hc))
+	if err != nil {
+		t.Fatal(err)
+	}
+
+	if keys, err := ks.Keys(); keys != nil || err == nil {
+		t.Errorf("Keys() = (%v, %v); want = (nil, error)", keys, err)
+	}
+}
+
+func TestFindMaxAge(t *testing.T) {
+	cases := []struct {
+		cc   string
+		want int64
+	}{
+		{"max-age=100", 100},
+		{"public, max-age=100", 100},
+		{"public,max-age=100", 100},
+	}
+	for _, tc := range cases {
+		resp := &http.Response{
+			Header: http.Header{"Cache-Control": {tc.cc}},
+		}
+		age, err := findMaxAge(resp)
+		if err != nil {
+			t.Errorf("findMaxAge(%q) = %v", tc.cc, err)
+		} else if *age != (time.Duration(tc.want) * time.Second) {
+			t.Errorf("findMaxAge(%q) = %v; want %v", tc.cc, *age, tc.want)
+		}
+	}
+}
+
+func TestFindMaxAgeError(t *testing.T) {
+	cases := []string{
+		"",
+		"max-age 100",
+		"max-age: 100",
+		"max-age2=100",
+		"max-age=foo",
+	}
+	for _, tc := range cases {
+		resp := &http.Response{
+			Header: http.Header{"Cache-Control": []string{tc}},
+		}
+		if age, err := findMaxAge(resp); age != nil || err == nil {
+			t.Errorf("findMaxAge(%q) = (%v, %v); want = (nil, err)", tc, age, err)
+		}
+	}
+}
+
+func TestParsePublicKeys(t *testing.T) {
+	b, err := ioutil.ReadFile("../testdata/public_certs.json")
+	if err != nil {
+		t.Fatal(err)
+	}
+	keys, err := parsePublicKeys(b)
+	if err != nil {
+		t.Fatal(err)
+	}
+	if len(keys) != 3 {
+		t.Errorf("parsePublicKeys() = %d; want: %d", len(keys), 3)
+	}
+}
+
+func TestParsePublicKeysError(t *testing.T) {
+	cases := []string{
+		"",
+		"not-json",
+	}
+	for _, tc := range cases {
+		if keys, err := parsePublicKeys([]byte(tc)); keys != nil || err == nil {
+			t.Errorf("parsePublicKeys(%q) = (%v, %v); want: (nil, err)", tc, keys, err)
+		}
+	}
+}
+
+func TestDefaultServiceAcctSigner(t *testing.T) {
+	signer := &serviceAcctSigner{}
+	if email, err := signer.Email(); email != "" || err == nil {
+		t.Errorf("Email() = (%v, %v); want = ('', error)", email, err)
+	}
+	if sig, err := signer.Sign([]byte("")); sig != nil || err == nil {
+		t.Errorf("Sign() = (%v, %v); want = ('', error)", sig, err)
+	}
+}
+
 func verifyHTTPKeySource(ks *httpKeySource, rc *mockReadCloser) error {
 	mc := &mockClock{now: time.Unix(0, 0)}
 	ks.Clock = mc

auth/jwt.go

@@ -80,10 +80,7 @@ func decode(s string, i interface{}) error {
 	if err != nil {
 		return err
 	}
-	if err := json.NewDecoder(bytes.NewBuffer(decoded)).Decode(i); err != nil {
-		return err
-	}
-	return nil
+	return json.NewDecoder(bytes.NewBuffer(decoded)).Decode(i)
 }
 
 func encodeToken(s signer, h jwtHeader, p jwtPayload) (string, error) {

auth/jwt_test.go

@@ -0,0 +1,75 @@
+package auth
+
+import (
+	"encoding/base64"
+	"errors"
+	"strings"
+	"testing"
+)
+
+func TestEncodeToken(t *testing.T) {
+	h := defaultHeader()
+	p := mockIDTokenPayload{"key": "value"}
+	s, err := encodeToken(&mockSigner{}, h, p)
+	if err != nil {
+		t.Fatal(err)
+	}
+	parts := strings.Split(s, ".")
+	if len(parts) != 3 {
+		t.Errorf("encodeToken() = %d; want: %d", len(parts), 3)
+	}
+
+	var header jwtHeader
+	if err := decode(parts[0], &header); err != nil {
+		t.Fatal(err)
+	} else if h != header {
+		t.Errorf("decode(header) = %v; want = %v", header, h)
+	}
+
+	payload := make(mockIDTokenPayload)
+	if err := decode(parts[1], &payload); err != nil {
+		t.Fatal(err)
+	} else if len(payload) != 1 || payload["key"] != "value" {
+		t.Errorf("decode(payload) = %v; want = %v", payload, p)
+	}
+
+	if sig, err := base64.RawURLEncoding.DecodeString(parts[2]); err != nil {
+		t.Fatal(err)
+	} else if string(sig) != "signature" {
+		t.Errorf("decode(signature) = %q; want = %q", string(sig), "signature")
+	}
+}
+
+func TestEncodeSignError(t *testing.T) {
+	h := defaultHeader()
+	p := mockIDTokenPayload{"key": "value"}
+	signer := &mockSigner{
+		err: errors.New("sign error"),
+	}
+	if s, err := encodeToken(signer, h, p); s != "" || err == nil {
+		t.Errorf("encodeToken() = (%v, %v); want = ('', error)", s, err)
+	}
+}
+
+func TestEncodeInvalidPayload(t *testing.T) {
+	h := defaultHeader()
+	p := mockIDTokenPayload{"key": func() {}}
+	if s, err := encodeToken(&mockSigner{}, h, p); s != "" || err == nil {
+		t.Errorf("encodeToken() = (%v, %v); want = ('', error)", s, err)
+	}
+}
+
+type mockSigner struct {
+	err error
+}
+
+func (s *mockSigner) Email() (string, error) {
+	return "", nil
+}
+
+func (s *mockSigner) Sign(b []byte) ([]byte, error) {
+	if s.err != nil {
+		return nil, s.err
+	}
+	return []byte("signature"), nil
+}