From dbb5ca7c9cdee2f6dd52d203aa71a4397541e2dd Mon Sep 17 00:00:00 2001
From: juerg
Date: Tue, 9 Aug 2022 08:08:28 -0700
Subject: [PATCH] Add validation test with duplicated 'issuer' claim, and with invalid UTF-16 encoded claim name.

PiperOrigin-RevId: 466362093
---
 testing/cross_language/jwt_validation_test.py | 26 +++++++++++++++++++
 1 file changed, 26 insertions(+)

diff --git a/testing/cross_language/jwt_validation_test.py b/testing/cross_language/jwt_validation_test.py
index cd4e3cca0b..09f954a8a0 100644
--- a/testing/cross_language/jwt_validation_test.py
+++ b/testing/cross_language/jwt_validation_test.py
@@ -380,6 +380,24 @@ def test_verify_issuer(self, lang):
 with self.assertRaises(tink.TinkError):
 jwt_mac.verify_mac_and_decode(token, val4)
 
+ @parameterized.parameters(SUPPORTED_LANGUAGES)
+ def test_duplicated_issuer(self, lang):
+ token = generate_token('{"alg":"HS256"}', '{"iss":"joe", "iss":"jane"}')
+ jwt_mac = testing_servers.jwt_mac(lang, KEYSET)
+
+ if lang != 'java' and lang != 'python':
+ validator_with_second_issuer = jwt.new_validator(
+ ignore_issuer=True, allow_missing_expiration=True)
+ with self.assertRaises(tink.TinkError):
+ jwt_mac.verify_mac_and_decode(token, validator_with_second_issuer)
+ else:
+ # Currently, this is accepted in Java and Python, and always the last
+ # entry is used.
+ # TODO(b/241828611): This should be rejected.
+ validator_with_second_issuer = jwt.new_validator(
+ expected_issuer='jane', allow_missing_expiration=True)
+ jwt_mac.verify_mac_and_decode(token, validator_with_second_issuer)
+
 @parameterized.parameters(SUPPORTED_LANGUAGES)
 def test_verify_empty_string_issuer(self, lang):
 token = generate_token('{"alg":"HS256"}', '{"iss":""}')
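Review bot: The `else` branch of `test_duplicated_issuer` only shows that the Java and Python servers accept the token when the validator expects 'jane'; nothing checks that they reject 'joe', so the "always the last entry is used" comment is not actually tested. Duplicate claim names are a place where two JWT implementations can disagree about who issued a token, so the interim behaviour is worth pinning in both directions until b/241828611 is resolved: add `with self.assertRaises(tink.TinkError): jwt_mac.verify_mac_and_decode(token, jwt.new_validator(expected_issuer='joe', allow_missing_expiration=True))`. In the first branch the validator is built with `ignore_issuer=True`, so the name `validator_with_second_issuer` is misleading there; `validator_ignoring_issuer` would read better.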
@@ -438,6 +456,14 @@ def test_verify_with_invalid_json_escaped_utf16_in_payload(self, lang):
 with self.assertRaises(tink.TinkError):
 jwt_mac.verify_mac_and_decode(token, EMPTY_VALIDATOR)
 
+ @parameterized.parameters(SUPPORTED_LANGUAGES)
+ def test_verify_with_invalid_json_escaped_utf16_in_claim_name(self, lang):
+ token = generate_token('{"alg":"HS256"}',
+ '{"\\uD800\\uD800claim":"value"}')
+ jwt_mac = testing_servers.jwt_mac(lang, KEYSET)
+ with self.assertRaises(tink.TinkError):
+ jwt_mac.verify_mac_and_decode(token, EMPTY_VALIDATOR)
+
 @parameterized.parameters(SUPPORTED_LANGUAGES)
 def test_verify_audience(self, lang):
 token = generate_token('{"alg":"HS256"}', '{"aud":["joe", "jane"]}')
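Review bot: `test_verify_with_invalid_json_escaped_utf16_in_claim_name` does not say why the claim name is invalid, and the doubled backslashes in the payload literal are easy to misread. A comment above the token would help, for example `# "\uD800\uD800" is two high surrogates with no low surrogate, so the JSON-escaped claim name is not valid UTF-16.` `EMPTY_VALIDATOR` is defined outside this hunk, so it cannot be confirmed here that the `TinkError` comes from the claim name rather than from another validation rule. A control token with a well-formed escaped claim name that verifies under the same validator would settle that.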