public async Task Validate_Signature_Time()
{
var clockInvalid1 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 22, 0, DateTimeKind.Utc)
};
var clockValid1 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 24, 0, DateTimeKind.Utc)
};
var clockValid2 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 11, 22, 0, DateTimeKind.Utc)
};
var clockInvalid2 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 11, 24, 0, DateTimeKind.Utc)
};
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockValid1), GoogleCertsJson, false));
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockValid2), GoogleCertsJson, false));
var ex1 = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockInvalid1), GoogleCertsJson, false));
Assert.Equal("JWT is not yet valid.", ex1.Message);
var ex2 = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockInvalid2), GoogleCertsJson, false));
Assert.Equal("JWT has expired.", ex2.Message);
}
public async Task Validate_Signature_Time()
{
var clockInvalid1 = new MockClock(FakeCertificateCache.BeforeValidJwtGoogleSigned);
var clockValid1 = new MockClock(FakeCertificateCache.ValidJwtGoogleSigned);
var clockInvalid2 = new MockClock(FakeCertificateCache.AfterValidJwtGoogleSigned);
// Test with no tolerance
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtGoogleSigned, MakeSettings(clockValid1)));
var ex1 = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtGoogleSigned, MakeSettings(clockInvalid1)));
Assert.Equal("JWT is not yet valid.", ex1.Message);
var ex2 = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtGoogleSigned, MakeSettings(clockInvalid2)));
Assert.Equal("JWT has expired.", ex2.Message);
// Test with tolerance
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtGoogleSigned, MakeSettings(clockInvalid1, clockToleranceSeconds: 109)));
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtGoogleSigned, MakeSettings(clockInvalid1, clockToleranceSeconds: 111)));
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtGoogleSigned, MakeSettings(clockInvalid2, clockToleranceSeconds: 11)));
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtGoogleSigned, MakeSettings(clockInvalid2, clockToleranceSeconds: 9)));
}
public async Task Invalid_HostedDomain()
{
var clock = new MockClock(FakeCertificateCache.ValidJwtGoogleSigned);
var ex = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtGoogleSigned, MakeSettings(clock, hd: "hd")));
Assert.Equal("JWT contains invalid 'hd' claim.", ex.Message);
}
public async Task Invalid_Iss()
{
var clock = new MockClock(FakeCertificateCache.ValidJwtNonGoogleSigned);
var ex = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtNonGoogleSigned, MakeSettings(clock)));
Assert.Equal("JWT issuer incorrect. Must be one of: 'https://accounts.google.com', 'accounts.google.com'", ex.Message);
}
public async Task WrongAlgorithm()
{
var settings = MakeSettings(new MockClock(DateTime.UtcNow));
string jwt = $"{UrlSafeBase64Encode("{\"alg\":\"HS256\"}")}.{UrlSafeBase64Encode("{}")}.";
var ex = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(jwt, settings));
Assert.Equal("JWT algorithm must be 'RS256'", ex.Message);
}
public async Task Invalid_HostedDomain()
{
var clock = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 24, 0, DateTimeKind.Utc)
};
var ex = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clock, hd: "hd"), GoogleCertsJson, true));
Assert.Equal("JWT contains invalid 'hd' claim.", ex.Message);
}
public async Task Invalid_Iss()
{
var clock = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 22, 0, DateTimeKind.Utc)
};
var ex = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(JwtNonGoogleSigned, MakeSettings(clock), GoogleCertsJson, true));
Assert.Equal("JWT issuer incorrect. Must be one of: 'https://accounts.google.com', 'accounts.google.com'", ex.Message);
}
public async Task WrongAlgorithm()
{
var settings = MakeSettings(new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 22, 0, DateTimeKind.Utc)
});
string jwt = $"{B64("{\"alg\":\"HS256\"}")}.{B64("{}")}.";
var ex = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(jwt, settings, null, true));
Assert.Equal("JWT algorithm must be 'RS256'", ex.Message);
}
public async Task ValidateInternalAsync_Invalid()
{
var clockValid = new MockClock(FakeCertificateCache.ValidJwtGoogleSigned);
// Lets just change the last character of the Google signed token to break the signature.
// But Headers and Payload are still valid for a Google token so we guarantee that the only
// failure comes from the signature being invalid.
// The last character was a Q, changing for a 4. If at some point the token used in tests changes
// and the new token ends in anything but a 4, this test will still be valid. If the new token ends in a 4
// this test will fail and then we'll have to replace the 4 by a Q or any other character.
var invalidToken = FakeCertificateCache.JwtGoogleSigned.Substring(0, FakeCertificateCache.JwtGoogleSigned.Length - 1) + "4";
var ex = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(invalidToken, MakeSettings(clockValid)));
Assert.Equal("JWT invalid, unable to verify signature.", ex.Message);
}
public async Task Validate_BadJwt()
{
// Null JWT
await Assert.ThrowsAsync <ArgumentNullException>(() => GoogleJsonWebSignature.ValidateInternalAsync(null, null, false, GoogleCertsJson));
// Empty JWT
await Assert.ThrowsAsync <ArgumentException>(() => GoogleJsonWebSignature.ValidateInternalAsync("", null, false, GoogleCertsJson));
// Too long JWT
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(new string('a', GoogleJsonWebSignature.MaxJwtLength + 1), null, false, GoogleCertsJson));
// JWT with incorrect top-level structure; missing signature
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync("header.payload", null, false, GoogleCertsJson));
}
public async Task Validate_Signature()
{
var clockValid1 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 24, 0, DateTimeKind.Utc)
};
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockValid1), GoogleCertsJson, false));
var clockValid2 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 24, 0, DateTimeKind.Utc)
};
var ex = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(JwtNonGoogleSigned, MakeSettings(clockValid2), GoogleCertsJson, false));
Assert.Equal("JWT invalid, unable to verify signature.", ex.Message);
}
public async Task Validate_Signature_Time()
{
var clockInvalid1 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 22, 0, DateTimeKind.Utc)
};
var clockValid1 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 24, 0, DateTimeKind.Utc)
};
var clockValid2 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 11, 22, 0, DateTimeKind.Utc)
};
var clockInvalid2 = new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 11, 24, 0, DateTimeKind.Utc)
};
// JwtGoogleSigned is valid from 2017-05-31 10:23:50 until 2017-05-31 11:23:50 (UTC)
// Test with no tolerance
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockValid1), GoogleCertsJson, false));
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockValid2), GoogleCertsJson, false));
var ex1 = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockInvalid1), GoogleCertsJson, false));
Assert.Equal("JWT is not yet valid.", ex1.Message);
var ex2 = await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockInvalid2), GoogleCertsJson, false));
Assert.Equal("JWT has expired.", ex2.Message);
// Test with tolerance
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockInvalid1, clockToleranceSeconds: 109), GoogleCertsJson, false));
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockInvalid1, clockToleranceSeconds: 111), GoogleCertsJson, false));
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockInvalid2, clockToleranceSeconds: 11), GoogleCertsJson, false));
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(JwtGoogleSigned, MakeSettings(clockInvalid2, clockToleranceSeconds: 9), GoogleCertsJson, false));
}
public async Task Validate_BadJwt()
{
// The date is irrelevant here since we are not passing any actual valid token for verification.
// In any case we are using a fixed date (any fixed date would do) so that the test always runs the same.
var settings = MakeSettings(new MockClock(FakeCertificateCache.ValidJwtGoogleSigned));
// Null JWT
await Assert.ThrowsAsync <ArgumentNullException>(() => GoogleJsonWebSignature.ValidateInternalAsync(null, settings));
// Empty JWT
await Assert.ThrowsAsync <ArgumentException>(() => GoogleJsonWebSignature.ValidateInternalAsync("", settings));
// Too long JWT
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(new string('a', GoogleJsonWebSignature.MaxJwtLength + 1), settings));
// JWT with incorrect top-level structure; missing signature
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync("header.payload", settings));
}
public async Task Validate_BadJwt()
{
var settings = MakeSettings(new MockClock()
{
UtcNow = new DateTime(2017, 5, 31, 10, 22, 0, DateTimeKind.Utc)
});
// Null JWT
await Assert.ThrowsAsync <ArgumentNullException>(() => GoogleJsonWebSignature.ValidateInternalAsync(null, settings, GoogleCertsJson, false));
// Empty JWT
await Assert.ThrowsAsync <ArgumentException>(() => GoogleJsonWebSignature.ValidateInternalAsync("", settings, GoogleCertsJson, false));
// Too long JWT
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync(new string('a', GoogleJsonWebSignature.MaxJwtLength + 1), settings, GoogleCertsJson, false));
// JWT with incorrect top-level structure; missing signature
await Assert.ThrowsAsync <InvalidJwtException>(() =>
GoogleJsonWebSignature.ValidateInternalAsync("header.payload", settings, GoogleCertsJson, false));
}
public async Task ValidateInternalAsync_Valid()
{
var clockValid = new MockClock(FakeCertificateCache.ValidJwtGoogleSigned);
Assert.NotNull(await GoogleJsonWebSignature.ValidateInternalAsync(FakeCertificateCache.JwtGoogleSigned, MakeSettings(clockValid)));
}
