distribution/registry/auth/token/fuzz_test.go
Milos Gajdos 52d68216c0
feature: Bump go-jose and require signing algorithms in auth
This bumps go-jose to the latest available version: v4.0.3.
This slightly breaks the backwards compatibility with the existing
registry deployments but brings more security with it.

We now require the users to specify the list of token signing algorithms in
the configuration. We do strive to maintain the b/w compat by providing
a list of supported algorithms, though, this isn't something we
recommend due to security issues, see:
* https://github.com/go-jose/go-jose/issues/64
* https://github.com/go-jose/go-jose/pull/69

As part of this change we now return to the original flow of the token
signature validation:
1. X2C (tls) headers
2. JWKS
3. KeyID

Signed-off-by: Milos Gajdos <milosthegajdos@gmail.com>
2024-05-30 20:44:35 +01:00

53 lines
1 KiB
Go

package token
import (
"testing"
fuzz "github.com/AdaLogics/go-fuzz-headers"
"github.com/go-jose/go-jose/v4"
)
func FuzzToken1(f *testing.F) {
f.Fuzz(func(t *testing.T, data []byte) {
ff := fuzz.NewConsumer(data)
rawToken, err := ff.GetString()
if err != nil {
return
}
verifyOps := VerifyOptions{}
err = ff.GenerateStruct(&verifyOps)
if err != nil {
return
}
token, err := NewToken(rawToken, []jose.SignatureAlgorithm{jose.EdDSA, jose.RS384})
if err != nil {
return
}
_, err = token.Verify(verifyOps)
if err != nil {
return
}
_, _ = token.VerifySigningKey(verifyOps)
})
}
func FuzzToken2(f *testing.F) {
f.Fuzz(func(t *testing.T, data []byte) {
ff := fuzz.NewConsumer(data)
verifyOps := VerifyOptions{}
err := ff.GenerateStruct(&verifyOps)
if err != nil {
return
}
token := &Token{}
err = ff.GenerateStruct(token)
if err != nil {
return
}
_, err = token.Verify(verifyOps)
if err != nil {
return
}
_, _ = token.VerifySigningKey(verifyOps)
})
}