e2e: implement claims validation

wpjunior · wpjunior · commit 5da0425d2520 · 2025-03-20T17:34:27.000-03:00
diff --git a/e2e/container/nginx.conf b/e2e/container/nginx.conf
@@ -27,6 +27,9 @@ http {
                 local cjson = require("cjson.safe")
                 local token, err = libjwt.validate({
                     jwks_files = {"/usr/share/tokens/jwks1.json", "/usr/share/tokens/jwks2.json"},
+                    validate_claims = {
+                        email = {exact = "tsuru@tsuru.io"},
+                    },
                 })
                 ngx.header.content_type = "application/json"
                 if err and err ~= "" then
diff --git a/e2e/e2e_test.go b/e2e/e2e_test.go
@@ -212,4 +212,24 @@ func TestNginxContainer(t *testing.T) {
 		assert.Equal(http.StatusOK, statusCode)
 	})
 
+	t.Run("Should deny when passes a invalid claim", func(t *testing.T) {
+		t.Parallel()
+		assert := assertTestify.New(t)
+
+		jwtRequest, err := jwks_test.CreateJWT(
+			privateKey2,
+			jwks_test.JWTParams{KID: "kid-654321", Email: "guest@tsuru.io"})
+		assert.NoError(err)
+		body, statusCode, err := request_test.Do(request_test.Params{
+			URL:         URL,
+			HeaderKey:   "Authorization",
+			HeaderValue: fmt.Sprintf("Bearer %s", jwtRequest),
+		})
+		assert.NoError(err)
+		assert.Equal(http.StatusForbidden, statusCode)
+		assert.Equal(string(body), `{"message":"Claim 'email' must be exactly 'tsuru@tsuru.io'"}
+`)
+
+	})
+
 }
diff --git a/e2e/jwks/generate.go b/e2e/jwks/generate.go
@@ -47,6 +47,7 @@ func CreateJWT(privateKey *rsa.PrivateKey, params JWTParams) (string, error) {
 	claims := jwt.MapClaims{
 		"sub":   "1234567890",
 		"name":  "Tsuru",
+		"email": "tsuru@tsuru.io",
 		"admin": true,
 		"iat":   time.Now().Unix(),
 		"exp":   time.Now().Add(time.Hour * 24).Unix(),
