From e751f71706fe00fddb60f9d3fb4809069bf54d47 Mon Sep 17 00:00:00 2001
From: Stephen Brown
Date: Mon, 30 Sep 2024 12:23:50 +0100
Subject: [PATCH] tests for jwt files mode user auth
---
 backends/jwt_test.go | 53 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 53 insertions(+)
diff --git a/backends/jwt_test.go b/backends/jwt_test.go
index 795e041..4ff0dec 100644
--- a/backends/jwt_test.go
+++ b/backends/jwt_test.go
@@ -218,6 +218,59 @@ func TestFilesJWTChecker(t *testing.T) {
 token, err := notPresentJwtToken.SignedString([]byte(jwtSecret))
 So(err, ShouldBeNil)
+ invalidToken, err := notPresentJwtToken.SignedString([]byte("badsecret"))
+ So(err, ShouldBeNil)
+
+ expiredToken, err := expiredToken.SignedString([]byte(jwtSecret))
+ So(err, ShouldBeNil)
+
+ Convey("Given a valid token, it should correctly authenticate it", func() {
+ authenticated, err := filesChecker.GetUser(token)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeTrue)
+ })
+
+ Convey("Given an invalid token, it should not authenticate it", func() {
+ authenticated, err := filesChecker.GetUser(invalidToken)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeFalse)
+ })
+
+ Convey("Given an expired token, it should not authenticate it", func() {
+ authenticated, err := filesChecker.GetUser(expiredToken)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeFalse)
+ })
+
+ Convey("Given an expired token with skip user expiration, it should anyway authenticate it", func() {
+ skipExpirationOptions := tkOptions
+ skipExpirationOptions.skipUserExpiration = true
+ filesChecker, err := NewFilesJWTChecker(authOpts, logLevel, hasher, skipExpirationOptions)
+ So(err, ShouldBeNil)
+
+ authenticated, err := filesChecker.GetUser(expiredToken)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeTrue)
+ })
+
+ Convey("Given a plain non-token format valid username, it should not authenticate it", func() {
+ authenticated, err := filesChecker.GetUser(username)
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeFalse)
+ })
+
+ Convey("Given a plain non-token format random username, it should not authenticate it", func() {
+ authenticated, err := filesChecker.GetUser("somerandomuser")
+
+ So(err, ShouldBeNil)
+ So(authenticated, ShouldBeFalse)
+ })
+
 Convey("Access should be granted for ACL mentioned users", func() {
 tt, err := filesChecker.CheckAcl(token, "test/not_present", "id", 1)
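Review bot: The skip-expiration case only passes a correctly signed expired token, so nothing in this hunk pins that `skipUserExpiration` relaxes the expiry check alone and still rejects a bad signature. Add an expired token signed with the wrong secret, e.g. `expiredBadSigToken, err := expiredToken.SignedString([]byte("badsecret"))`, and in the skip-expiration `Convey` assert `So(authenticated, ShouldBeFalse)` for `filesChecker.GetUser(expiredBadSigToken)`. That signing line has to come before `expiredToken, err := expiredToken.SignedString([]byte(jwtSecret))`, which shadows what is presumably the token object declared outside the hunk with its signed string; a distinct name such as `expiredTokenStr` would avoid the shadowing. TestFilesJWTChecker starts and ends outside the hunk, so the checker implementation and `tkOptions` are not visible here.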