Attempt to download updated JWKs if the client presents an unknown key.

Limit key downloads to at most once every 900s.

Resolves: #284
Signed-off-by: Alan Jowett <alanjo@microsoft.com>
Alan Jowett
2020-04-14 10:10:19 -06:00
parent df3b925524
commit 9d9907ef5e
3 changed files with 78 additions and 7 deletions


@@ -65,6 +65,10 @@ json_t *create_oidc_config(const char *openid_configuration_url,
goto cleanup;
}
if (json_object_set_new(config, "minimum_jwk_refresh_time", json_integer(0))) {
goto cleanup;
}
required_claims = NULL;
result = true;
@@ -257,19 +261,21 @@ int main(int argc, char **argv)
const char audience[] = "SomeAudience";
const char issuer[] = "SomeIssuer";
const char user_name_claim[] = "preferred_user_name";
const char kid[] = "My Fake Key";
char kid[64];
const char user_name[] = "SomeUser";
const char typ[] = "JWT";
const char alg[] = "ES256";
time_t now = time(NULL);
snprintf(kid, sizeof(kid), "key_%ld", now);
if (!getcwd(working_directory, sizeof(working_directory))) {
return 1;
}
strncat(working_directory, "/data", sizeof(working_directory)-1);
working_directory[sizeof(working_directory)-1] = 0;
cjose_jwk_t *key = create_key("My Fake Key");
cjose_jwk_t *key = create_key(kid);
generate_config_files(working_directory, key, audience, issuer,
user_name_claim);
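Review bot: `snprintf(kid, sizeof(kid), "key_%ld", now);` formats a `time_t` with `%ld`, but `time_t` is not guaranteed to be `long` (it is `long long` or another 64-bit type on several ABIs), so the conversion is undefined behaviour there and trips `-Wformat`; cast explicitly, `snprintf(kid, sizeof(kid), "key_%lld", (long long)now);`. main's body continues outside the hunk. In the first hunk `minimum_jwk_refresh_time` is pinned to 0 with no explanation; presumably this disables the 900s rate limit the commit introduces so the test script can force an immediate reload, and a one-line comment saying so, `/* 0: no refresh rate limit, so the test can trigger an immediate JWK reload */`, would stop the next reader from taking 0 as the production default.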


@@ -46,6 +46,26 @@ for token in data/fail_*; do
fi
done
sleep 5s
# Generate new OIDC keys
# First client should fail, triggering reload of keys
`dirname $0`/gen_oidc_test_data
for token in data/success_*; do
http_result=$(LD_PRELOAD=libsocket_wrapper.so curl --insecure https://$ADDRESS:$PORT --request POST --data config-auth.xml --header "Authorization:Bearer=`cat $token`" --output /dev/null --write-out "%{http_code}")
if [ "$http_result" != "401" ]; then
fail $PID "Token incorrectly accepted returned $http_result"
fi
done
# Second client should succeed with new keys
for token in data/success_*; do
http_result=$(LD_PRELOAD=libsocket_wrapper.so curl --insecure https://$ADDRESS:$PORT --request POST --data config-auth.xml --header "Authorization:Bearer=`cat $token`" --output /dev/null --write-out "%{http_code}")
if [ "$http_result" != "200" ]; then
fail $PID "Token incorrectly rejected returned $http_result"
fi
done
if ! test -f ${PIDFILE};then
fail $PID "Could not find pid file ${PIDFILE}"
fi
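Review bot: The first added loop asserts `401` for every file matched by `data/success_*`, yet the comment above it says the first client is what triggers the key reload; if that glob matches more than one token, the second request would presumably already be served with the reloaded keys and return 200, failing the loop. If the fixture guarantees a single token, or the reload only lands after the loop, say so in the comment; otherwise check only the first token for 401 and let the second loop verify the rest. Since the test config disables the refresh rate limit, this script exercises the unknown-key reload but never the 900s limit the commit describes, which is worth a comment so nobody assumes the limit is covered here.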