Fix

Author: easyCZ

components/public-api-server/pkg/oidc/service_test.go

@@ -17,6 +17,8 @@ import (
 	"github.com/coreos/go-oidc/v3/oidc"
 	db "github.com/gitpod-io/gitpod/components/gitpod-db/go"
 	"github.com/gitpod-io/gitpod/components/gitpod-db/go/dbtest"
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/jws"
+	"github.com/gitpod-io/gitpod/public-api-server/pkg/jws/jwstest"
 	"github.com/go-chi/chi/v5"
 	"github.com/go-chi/chi/v5/middleware"
 	"github.com/google/uuid"
@@ -223,11 +225,14 @@ func setupOIDCServiceForTests(t *testing.T) (*Service, *gorm.DB) {
 
 	dbConn := dbtest.ConnectForTests(t)
 	cipher := dbtest.CipherSet(t)
-	stateJWT := newTestStateJWT([]byte("ANY KEY"), 5*time.Minute)
 
 	sessionServerAddress := newFakeSessionServer(t)
 
-	service := NewService(sessionServerAddress, dbConn, cipher, stateJWT)
+	keyset := jwstest.GenerateKeySet(t)
+	signerVerifier, err := jws.NewRSA256(keyset)
+	require.NoError(t, err)
+
+	service := NewService(sessionServerAddress, dbConn, cipher, signerVerifier, 5*time.Minute)
 	service.skipVerifyIdToken = true
 	return service, dbConn
 }

components/public-api-server/pkg/oidc/state_jwt_test.go

@@ -5,76 +5,27 @@
 package oidc
 
 import (
-	"strings"
 	"testing"
 	"time"
 
 	"github.com/golang-jwt/jwt/v5"
 	"github.com/stretchr/testify/require"
 )
 
-func Test_Encode(t *testing.T) {
-	stateJWT := NewStateJWT([]byte("ANY KEY"))
-	encodedState, err := stateJWT.Encode(StateClaims{
-		ClientConfigID: "test-id",
-		ReturnToURL:    "test-url",
-	})
-	require.NoError(t, err)
-	// check for header: { "alg": "HS256", "typ": "JWT" }
-	require.Contains(t, encodedState, "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.", "")
-}
-
-func Test_Decode(t *testing.T) {
-
-	testCases := []struct {
-		Label         string
-		Key4Encode    string
-		expiresIn     time.Duration
-		Key4Decode    string
-		ExpectedError string
-	}{
-		{
-			Label:         "happy path",
-			Key4Encode:    "ANY KEY",
-			expiresIn:     5 * time.Minute,
-			Key4Decode:    "ANY KEY",
-			ExpectedError: "",
-		},
-		{
-			Label:         "expired state token",
-			Key4Encode:    "ANY KEY",
-			expiresIn:     0 * time.Second,
-			Key4Decode:    "ANY KEY",
-			ExpectedError: "token is expired",
+func TestNewStateJWT(t *testing.T) {
+	var (
+		clientConfigID = "test-id"
+		returnURL      = "test-url"
+		issuedAt       = time.Now()
+		expiry         = issuedAt.Add(5 * time.Minute)
+	)
+	token := NewStateJWT(clientConfigID, returnURL, issuedAt, expiry)
+	require.Equal(t, &StateClaims{
+		ClientConfigID: clientConfigID,
+		ReturnToURL:    returnURL,
+		RegisteredClaims: jwt.RegisteredClaims{
+			ExpiresAt: jwt.NewNumericDate(expiry),
+			IssuedAt:  jwt.NewNumericDate(issuedAt),
 		},
-		{
-			Label:         "signature is invalid",
-			Key4Encode:    "OTHER KEY",
-			expiresIn:     5 * time.Minute,
-			Key4Decode:    "ANY KEY",
-			ExpectedError: jwt.ErrSignatureInvalid.Error(),
-		},
-	}
-
-	for _, tc := range testCases {
-		t.Run(tc.Label, func(t *testing.T) {
-			encoder := newTestStateJWT([]byte(tc.Key4Encode), tc.expiresIn)
-			decoder := NewStateJWT([]byte(tc.Key4Decode))
-			encodedState, err := encoder.Encode(StateClaims{
-				ClientConfigID: "test-id",
-				ReturnToURL:    "test-url",
-			})
-			if err != nil && tc.ExpectedError == "" {
-				require.FailNowf(t, "Unexpected error on `Encode`.", "Error: %", err)
-			}
-			_, err = decoder.Decode(encodedState)
-			if err != nil && tc.ExpectedError == "" {
-				require.FailNowf(t, "Unexpected error on `Decode`.", "Error: %", err)
-			}
-			if err != nil && !strings.Contains(err.Error(), tc.ExpectedError) {
-				require.FailNowf(t, "Unmatched error.", "Got error: %", err.Error())
-			}
-		})
-	}
-
+	}, token.Claims)
 }