src/python/test/verifier_test.py

@@ -59,6 +59,12 @@ class VerifierTest(unittest.TestCase):
         v = sso.Verifier(self.public, 'service/', 'domain', self.groups)
         self.assertRaises(sso.Error, v.verify, signed)
 
+    def test_verify_fail_expired(self):
+        tkt = sso.Ticket('user', 'service/', 'domain', nonce='nonce', ttl=-1000)
+        signed = self._sign_token(tkt)
+        v = sso.Verifier(self.public, 'service/', 'domain')
+        self.assertRaises(sso.Error, v.verify, signed, 'nonce')
+
 
 class KnownDataVerifierTest(unittest.TestCase):
 

src/sso/sso.c

@@ -60,19 +60,26 @@ static char *strdup_or_null(const char *s) {
   return strdup(s);
 }
 
-sso_ticket_t sso_ticket_new(const char *user, const char *service,
+static sso_ticket_t sso_ticket_new_with_expiry(const char *user, const char *service,
                                                const char *domain, const char *nonce,
-                            const char **groups, int validity_seconds) {
+                                               const char **groups, time_t expires) {
   sso_ticket_t t = (sso_ticket_t)malloc(sizeof(struct sso_ticket));
   t->user = strdup_or_null(user);
   t->service = strdup_or_null(service);
   t->domain = strdup_or_null(domain);
   t->nonce = strdup_or_null(nonce);
   t->groups = group_list_dup(groups);
-  t->expires = time(NULL) + validity_seconds;
+  t->expires = expires;
   return t;
 }
 
+sso_ticket_t sso_ticket_new(const char *user, const char *service,
+                            const char *domain, const char *nonce,
+                            const char **groups, int validity_seconds) {
+  time_t expires = time(NULL) + validity_seconds;
+  return sso_ticket_new_with_expiry(user, service, domain, nonce, groups, expires);
+}
+
 void sso_ticket_free(sso_ticket_t t) {
   if (t->user != NULL) {
     free(t->user);
@@ -275,7 +282,7 @@ static int sso_ticket_deserialize(sso_ticket_t *t, const char *s, int sz) {
     goto fail;
   }
 
-  *t = sso_ticket_new(user, service, domain, nonce, (const char **)groups, expires);
+  *t = sso_ticket_new_with_expiry(user, service, domain, nonce, (const char **)groups, expires);
 
  fail:
   if (version != NULL)

src/sso/test/Makefile.am

 include $(top_srcdir)/Makefile.defs
 
+AUTOMAKE_OPTIONS = serial-tests
+
 check_PROGRAMS = \
 	sso_unittest \
 	tweetnacl_unittest

src/sso/test/fuzz_signed.c

@@ -32,6 +32,8 @@ static inline const unsigned char *get_secret_key() {
   return secret_key;
 }
 
+static char *static_groups[] = {"g1", "g2", NULL};
+
 int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
   unsigned char *buf;
   unsigned char *b64buf;
@@ -52,6 +54,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *data, size_t size) {
 
   r = sso_ticket_open(&tkt, (const char *)b64buf, get_public_key());
   if (r == SSO_OK) {
+    sso_validate(tkt, "svc", "domain", NULL, static_groups);
     sso_ticket_free(tkt);
   }
 

src/sso/test/sso_unittest.cc

@@ -98,13 +98,19 @@ protected:
   char *sign_ticket(sso_ticket_t t) {
     char buf[1024];
     EXPECT_EQ(0, sso_ticket_sign(t, secret_key, buf, sizeof(buf)));
+    return strdup(buf);
+  }
+
+  // Return a signed ticket, for test data generation.
+  char *sign_and_free_ticket(sso_ticket_t t) {
+    char *res = sign_ticket(t);
     // No further use for the original ticket.
     sso_ticket_free(t);
-    return strdup(buf);
+    return res;
   }
 
   // Sign a ticket with a random secret key.
-  char *sign_ticket_with_random_key(sso_ticket_t t) {
+  char *sign_and_free_ticket_with_random_key(sso_ticket_t t) {
     unsigned char pk[SSO_PUBLIC_KEY_SIZE], sk[SSO_SECRET_KEY_SIZE];
     sso_generate_keys(pk, sk);
     char buf[1024];
@@ -177,20 +183,20 @@ struct open_testdata {
 TEST_F(SSO, Open) {
   const char *groups[] = {"users", "wheel", "daemon", NULL};
   struct open_testdata td[] = {
-      {sign_ticket(
+      {sign_and_free_ticket(
            sso_ticket_new("user", "service/", "domain", NULL, NULL, 7200)),
        0},
-      {sign_ticket(
+      {sign_and_free_ticket(
            sso_ticket_new("user", "service/", "domain", NULL, groups, 7200)),
        0},
-      {sign_ticket(sso_ticket_new("user", "", "", NULL, NULL, 7200)), 0},
+      {sign_and_free_ticket(sso_ticket_new("user", "", "", NULL, NULL, 7200)), 0},
 
       {sign_string("5|user|service/|domain|1414402999|"),
        SSO_ERR_UNSUPPORTED_VERSION},
       {sign_string("4|definitely not a ticket"), SSO_ERR_DESERIALIZATION},
       {sign_string("4||||||"), 0},
 
-      {sign_ticket_with_random_key(
+      {sign_and_free_ticket_with_random_key(
            sso_ticket_new("user", "service/", "domain", NULL, NULL, 7200)),
        SSO_ERR_BAD_SIGNATURE},
 
@@ -332,6 +338,43 @@ TEST_F(SSO, Validation) {
   }
 }
 
+static bool is_ticket_equal(sso_ticket_t a, sso_ticket_t b) {
+  return (!strcmp(a->user, b->user) &&
+          !strcmp(a->service, b->service) &&
+          !strcmp(a->domain, b->domain) &&
+          !strcmp(a->nonce ?: "NULL", b->nonce ?: "NULL") &&
+          a->expires == b->expires);
+}
+
+TEST_F(SSO, Serialization) {
+  const char *groups_ok[] = {"users", "admins", NULL};
+  const char *groups_fail[] = {"users", "others", NULL};
+
+  sso_ticket_t td[] = {
+     sso_ticket_new("user", "service/", "domain", NULL, groups_ok, 7200),
+     sso_ticket_new("user", "service/", "domain", NULL, NULL, 7200),
+     sso_ticket_new("user", "service/", "domain", NULL, groups_fail, 7200),
+     sso_ticket_new("user", "service/", "other", NULL, groups_ok, 7200),
+     sso_ticket_new("user", "other/", "domain", NULL, groups_ok, 7200),
+     sso_ticket_new("user", "service/", "domain", NULL, NULL, -1000),
+     sso_ticket_new("user", "service/", "domain", "testnonce", NULL, 7200),
+     sso_ticket_new("user", "service/", "domain", "badnonce", NULL, 7200),
+     sso_ticket_new("user", "service/", "domain", NULL, NULL, 7200),
+     NULL,
+  };
+
+  for (sso_ticket_t *tdp = td; *tdp; tdp++) {
+    sso_ticket_t cur = *tdp, deserialized = NULL;
+    char *serialized;
+
+    serialized = sign_ticket(cur);
+    EXPECT_EQ(SSO_OK, sso_ticket_open(&deserialized, serialized, public_key));
+    EXPECT_NE(cur, deserialized);
+    EXPECT_EQ(true, is_ticket_equal(cur, deserialized));
+    free(serialized);
+  }
+}
+
 } // namespace
 
 int main(int argc, char **argv) {