From d25f4df88f55793c692fefa09ac8ec8ef33ba419 Mon Sep 17 00:00:00 2001
From: Lloyd Hilaiel <lloyd@hilaiel.com>
Date: Wed, 23 Nov 2011 14:55:26 -0700
Subject: [PATCH] tests to reproduce and fixes for wildy invalid assertions posted to the verifier. closes #598 and closes #605
---
 lib/verifier/certassertion.js | 6 ++-
 tests/verifier-test.js | 78 ++++++++++++++++++++++++++++++++++-
 2 files changed, 82 insertions(+), 2 deletions(-)
diff --git a/lib/verifier/certassertion.js b/lib/verifier/certassertion.js
index 12fd622dd..0a954a76c 100644
--- a/lib/verifier/certassertion.js
+++ b/lib/verifier/certassertion.js
@@ -120,7 +120,11 @@ function compareAudiences(want, got) {
 // audience is a web origin, e.g. https://foo.com or http://foo.org:81
 function verify(assertion, audience, successCB, errorCB) {
 // assertion is bundle
- var bundle = vep.unbundleCertsAndAssertion(assertion);
+ try {
+ var bundle = vep.unbundleCertsAndAssertion(assertion);
+ } catch(e) {
+ return errorCB("malformed assertion");
+ }
 jwcert.JWCert.verifyChain(
 bundle.certificates,
diff --git a/tests/verifier-test.js b/tests/verifier-test.js
index c6ca1a276..83dd06853 100755
--- a/tests/verifier-test.js
+++ b/tests/verifier-test.js
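Review bot: The new `catch(e)` around `vep.unbundleCertsAndAssertion` discards `e` and reports every exception as "malformed assertion", so a genuine bug inside the unbundler becomes indistinguishable from hostile input and nothing is recorded for the operator. Rejecting non-string input explicitly before the `try`, e.g. `if (typeof assertion !== 'string') return errorCB("malformed assertion");`, would make the integer case a deliberate check rather than a side effect of a throw, and logging `e` server-side before calling `errorCB` would preserve the detail for diagnosis without putting it in the response. Only the unbundling step is guarded; `jwcert.JWCert.verifyChain` and the rest of `verify` lie outside the hunk, so it should be confirmed whether they can still throw synchronously on input that unbundles cleanly but carries garbage certificates.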
@@ -524,7 +524,83 @@ suite.addBatch({
 });
 // now let's really get down and screw with the assertion
-// XXX
+suite.addBatch({
+ "using an email address as an assertion (which is bogus)": {
+ topic: function() {
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: "test@example.com"
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ },
+ "using an integer as an assertion (which is bogus)": {
+ topic: function() {
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: 777
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ },
+ "generating a valid assertion": {
+ topic: function() {
+ var expirationDate = new Date(new Date().getTime() + (2 * 60 * 1000));
+ var tok = new jwt.JWT(null, expirationDate, TEST_ORIGIN);
+ return vep.bundleCertsAndAssertion([g_cert], tok.sign(g_keypair.secretKey));
+ },
+ "and removing the last char from it": {
+ topic: function(assertion) {
+ assertion = assertion.substr(0, assertion.length - 1);
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: assertion
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ },
+ "and removing the first char from it": {
+ topic: function(assertion) {
+ assertion = assertion.substr(1);
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: assertion
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ },
+ "and appending gunk to it": {
+ topic: function(assertion) {
+ assertion += "gunk";
+ wsapi.post('/verify', {
+ audience: TEST_ORIGIN,
+ assertion: assertion
+ }).call(this);
+ },
+ "fails with a nice error": function(r, err) {
+ var resp = JSON.parse(r.body);
+ assert.strictEqual(resp.status, 'failure');
+ assert.strictEqual(resp.reason, 'malformed assertion');
+ }
+ }
+ }
+});
 // now verify that no-one other than browserid is allowed to issue assertions
 // (until primary support is implemented)
-- 
GitLab
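Review bot: Every malformed-input case in this batch sends some `assertion` value; none posts with the field absent or as an empty string, which are common shapes of a broken request and may reach `verify` as `undefined` or `""`. A further context using `wsapi.post('/verify', { audience: TEST_ORIGIN }).call(this);` would pin that path, with a vow asserting whatever reason the endpoint is meant to return for a missing parameter. Depending on how `wsapi.post` encodes the body (not visible here), `assertion: 777` may arrive as the string "777", in which case the integer case does not exercise a non-string type; worth confirming. The vows also call `JSON.parse(r.body)` without first checking the HTTP status, so a server crash would surface as a parse error rather than a clear test failure.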