fixed/tokenutils: differentiate empty token from not enough segments (#…

…72)
PaloAltoNetworks · Mar 30, 2020 · c0ac909 · c0ac909
1 parent 2df1280
commit c0ac909
Show file tree

Hide file tree

Showing 2 changed files with 46 additions and 0 deletions.
diff --git a/tokenutils/tokenutils.go b/tokenutils/tokenutils.go
@@ -39,6 +39,10 @@ func Snip(err error, token string) error {
 // verifying its validity. Only use or trust this after proper validation.
 func UnsecureClaimsMap(token string) (claims map[string]interface{}, err error) {
 
+	if token == "" {
+		return nil, errors.New("invalid jwt: empty")
+	}
+
 	parts := strings.Split(token, ".")
 	if len(parts) != 3 {
 		return nil, errors.New("invalid jwt: not enough segments")
@@ -60,6 +64,10 @@ func UnsecureClaimsMap(token string) (claims map[string]interface{}, err error)
 // SigAlg returns the signature used by the token
 func SigAlg(token string) (string, error) {
 
+	if token == "" {
+		return "", errors.New("invalid jwt: empty")
+	}
+
 	parts := strings.Split(token, ".")
 	if len(parts) != 3 {
 		return "", errors.New("invalid jwt: not enough segments")

diff --git a/tokenutils/tokenutils_test.go b/tokenutils/tokenutils_test.go
@@ -106,6 +106,25 @@ func TestTokenUtils_UnsecureClaimsMap(t *testing.T) {
 		})
 	})
 
+	Convey("Given I have a token an empty token", t, func() {
+
+		token := ""
+
+		Convey("When I UnsecureClaimsMap", func() {
+
+			claims, err := UnsecureClaimsMap(token)
+
+			Convey("Then err should be nil", func() {
+				So(err, ShouldNotBeNil)
+				So(err.Error(), ShouldEqual, "invalid jwt: empty")
+			})
+
+			Convey("Then claims should be nil", func() {
+				So(claims, ShouldBeNil)
+			})
+		})
+	})
+
 	Convey("Given I have a token a token with invalid base64", t, func() {
 
 		token := "eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.not-base64.jvh034mNSV-Fy--GIGnnYeWouluV6CexC9_8IHJ-IR4"
@@ -184,6 +203,25 @@ func TestJWTUtils_SigAlg(t *testing.T) {
 		})
 	})
 
+	Convey("Given I have an empty token", t, func() {
+
+		token := ""
+
+		Convey("When I SigAlg", func() {
+
+			alg, err := SigAlg(token)
+
+			Convey("Then err should be nil", func() {
+				So(err, ShouldNotBeNil)
+				So(err.Error(), ShouldEqual, "invalid jwt: empty")
+			})
+
+			Convey("Then alg should be empty", func() {
+				So(alg, ShouldBeEmpty)
+			})
+		})
+	})
+
 	Convey("Given I have a token a token with invalid base64", t, func() {
 
 		token := "not-base-64.eyJyZWFsbSI6IlZpbmNlIiwiZGF0YSI6eyJhY2NvdW50IjoiYXBvbXV4IiwiZW1haWwiOiJhZG1pbkBhcG9tdXguY29tIiwiaWQiOiI1YTZhNTUxMTdkZGYxZjIxMmY4ZWIwY2UiLCJvcmdhbml6YXRpb24iOiJhcG9tdXgiLCJyZWFsbSI6InZpbmNlIn0sImF1ZCI6ImFwb3JldG8uY29tIiwiZXhwIjoxNTIwNjQ5MTAyLCJpYXQiOjE1MTgwNTcxMDIsImlzcyI6Im1pZGdhcmQuYXBvbXV4LmNvbSIsInN1YiI6ImFwb211eCJ9.jvh034mNSV-Fy--GIGnnYeWouluV6CexC9_8IHJ-IR4"