zitadel/internal/domain/refresh_token_test.go
Tim Möhlmann 3759ed9f08 fix(crypto): reject decrypted strings with non-UTF8 characters. (#8374)
# Which Problems Are Solved

We noticed logging where 500: Internal Server errors were returned from
the token endpoint, mostly for the `refresh_token` grant. The error was
thrown by the database as it received non-UTF8 strings for token IDs

Zitadel uses symmetric encryption for opaque tokens, including refresh
tokens. Encrypted values are base64 encoded. It appeared to be possible
to send garbage base64 to the token endpoint, which will pass decryption
and string-splitting. In those cases the resulting ID is not a valid
UTF-8 string.

Invalid non-UTF8 strings are now rejected during token decryption.

# How the Problems Are Solved

- `AESCrypto.DecryptString()` checks if the decrypted bytes only contain
valid UTF-8 characters before converting them into a string.
- `AESCrypto.Decrypt()` is unmodified and still allows decryption on
non-UTF8 byte strings.
- `FromRefreshToken` now uses `DecryptString` instead of `Decrypt`

# Additional Changes

- Unit tests added for `FromRefreshToken` and
`AESCrypto.DecryptString()`.
- Fuzz tests added for `FromRefreshToken` and
`AESCrypto.DecryptString()`. This was to pinpoint the problem
- Testdata with values that resulted in invalid strings are committed.
In the pipeline this results in the Fuzz tests to execute as regular
unit-test cases. As we don't use the `-fuzz` flag in the pipeline no
further fuzzing is performed.

# Additional Context

- Closes #7765
- https://go.dev/doc/tutorial/fuzz
2024-08-06 13:58:53 +02:00

130 lines
3.5 KiB
Go

package domain
import (
"encoding/base64"
"errors"
"testing"
"github.com/stretchr/testify/assert"
"github.com/stretchr/testify/require"
"golang.org/x/net/context"
"github.com/zitadel/zitadel/internal/crypto"
"github.com/zitadel/zitadel/internal/zerrors"
)
type mockKeyStorage struct {
keys crypto.Keys
}
func (s *mockKeyStorage) ReadKeys() (crypto.Keys, error) {
return s.keys, nil
}
func (s *mockKeyStorage) ReadKey(id string) (*crypto.Key, error) {
return &crypto.Key{
ID: id,
Value: s.keys[id],
}, nil
}
func (*mockKeyStorage) CreateKeys(context.Context, ...*crypto.Key) error {
return errors.New("mockKeyStorage.CreateKeys not implemented")
}
func TestFromRefreshToken(t *testing.T) {
const (
userID = "userID"
tokenID = "tokenID"
)
keyConfig := &crypto.KeyConfig{
EncryptionKeyID: "keyID",
DecryptionKeyIDs: []string{"keyID"},
}
keys := crypto.Keys{"keyID": "ThisKeyNeedsToHave32Characters!!"}
algorithm, err := crypto.NewAESCrypto(keyConfig, &mockKeyStorage{keys: keys})
require.NoError(t, err)
refreshToken, err := NewRefreshToken(userID, tokenID, algorithm)
require.NoError(t, err)
invalidRefreshToken, err := algorithm.Encrypt([]byte(userID + ":" + tokenID))
require.NoError(t, err)
type args struct {
refreshToken string
algorithm crypto.EncryptionAlgorithm
}
tests := []struct {
name string
args args
wantUserID string
wantTokenID string
wantToken string
wantErr error
}{
{
name: "invalid base64",
args: args{"~~~", algorithm},
wantErr: zerrors.ThrowInvalidArgument(nil, "DOMAIN-BGDhn", "Errors.User.RefreshToken.Invalid"),
},
{
name: "short cipher text",
args: args{"DEADBEEF", algorithm},
wantErr: zerrors.ThrowInvalidArgument(err, "DOMAIN-rie9A", "Errors.User.RefreshToken.Invalid"),
},
{
name: "incorrect amount of segments",
args: args{base64.RawURLEncoding.EncodeToString(invalidRefreshToken), algorithm},
wantErr: zerrors.ThrowInvalidArgument(nil, "DOMAIN-Se8oh", "Errors.User.RefreshToken.Invalid"),
},
{
name: "success",
args: args{refreshToken, algorithm},
wantUserID: userID,
wantTokenID: tokenID,
wantToken: tokenID,
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
gotUserID, gotTokenID, gotToken, err := FromRefreshToken(tt.args.refreshToken, tt.args.algorithm)
require.ErrorIs(t, err, tt.wantErr)
assert.Equal(t, tt.wantUserID, gotUserID)
assert.Equal(t, tt.wantTokenID, gotTokenID)
assert.Equal(t, tt.wantToken, gotToken)
})
}
}
// Fuzz test invalid inputs. None of the inputs should result in a success.
func FuzzFromRefreshToken(f *testing.F) {
keyConfig := &crypto.KeyConfig{
EncryptionKeyID: "keyID",
DecryptionKeyIDs: []string{"keyID"},
}
keys := crypto.Keys{"keyID": "ThisKeyNeedsToHave32Characters!!"}
algorithm, err := crypto.NewAESCrypto(keyConfig, &mockKeyStorage{keys: keys})
require.NoError(f, err)
invalidRefreshToken, err := algorithm.Encrypt([]byte("userID:tokenID"))
require.NoError(f, err)
tests := []string{
"~~~", // invalid base64
"DEADBEEF", // short cipher text
base64.RawURLEncoding.EncodeToString(invalidRefreshToken), // incorrect amount of segments
}
for _, tc := range tests {
f.Add(tc)
}
f.Fuzz(func(t *testing.T, refreshToken string) {
gotUserID, gotTokenID, gotToken, err := FromRefreshToken(refreshToken, algorithm)
target := zerrors.InvalidArgumentError{ZitadelError: new(zerrors.ZitadelError)}
t.Log(gotUserID, gotTokenID, gotToken)
require.ErrorAs(t, err, &target)
})
}