STS integration, JWT auth and Stateless MCS (#70)

This commit changes the authentication mechanism between mcs and minio to an sts (security token service) schema using the user provided credentials, previously mcs was using master credentials. With that said in order for you to login to MCS as an admin your user must exists first on minio and have enough privileges to do administrative operations. ``` ./mc admin user add myminio alevsk alevsk12345 ``` ``` cat admin.json { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "admin:*", "s3:*" ], "Resource": [ "arn:aws:s3:::*" ] } ] } ./mc admin policy add myminio admin admin.json ``` ``` ./mc admin policy set myminio admin user=alevsk ```
2020-04-22 23:43:17 -07:00
parent 605b80037a
commit 0f52136fd2
29 changed files with 916 additions and 303 deletions
--- a/pkg/auth/jwt.go
+++ b/pkg/auth/jwt.go
@@ -0,0 +1,180 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package auth
+
+import (
+	"crypto/aes"
+	"crypto/cipher"
+	"crypto/rand"
+	"crypto/sha1"
+	"encoding/base64"
+	"errors"
+	"fmt"
+	"io"
+	"log"
+	"strings"
+
+	jwtgo "github.com/dgrijalva/jwt-go"
+	xjwt "github.com/minio/mcs/pkg/auth/jwt"
+	"github.com/minio/minio-go/v6/pkg/credentials"
+	"github.com/minio/minio/cmd"
+	uuid "github.com/satori/go.uuid"
+	"golang.org/x/crypto/pbkdf2"
+)
+
+var (
+	errAuthentication = errors.New("Authentication failed, check your access credentials")
+	errNoAuthToken    = errors.New("JWT token missing")
+	errReadingToken   = errors.New("JWT internal data is malformed")
+	errClaimsFormat   = errors.New("encrypted jwt claims not in the right format")
+)
+
+// derivedKey is the key used to encrypt the JWT claims, its derived using pbkdf on MCS_PBKDF_PASSPHRASE with MCS_PBKDF_SALT
+var derivedKey = pbkdf2.Key([]byte(xjwt.GetPBKDFPassphrase()), []byte(xjwt.GetPBKDFSalt()), 4096, 32, sha1.New)
+
+// IsJWTValid returns true or false depending if the provided jwt is valid or not
+func IsJWTValid(token string) bool {
+	_, err := JWTAuthenticate(token)
+	return err == nil
+}
+
+type DecryptedClaims struct {
+	AccessKeyID     string
+	SecretAccessKey string
+	SessionToken    string
+}
+
+// JWTAuthenticate takes a jwt, decode it, extract claims and validate the signature
+// if the jwt claims.Data is valid we proceed to decrypt the information inside
+//
+// returns claims after validation in the following format:
+//
+//	type DecryptedClaims struct {
+//		AccessKeyID
+//		SecretAccessKey
+//		SessionToken
+//	}
+func JWTAuthenticate(token string) (*DecryptedClaims, error) {
+	if token == "" {
+		return nil, errNoAuthToken
+	}
+	// initialize claims object
+	claims := xjwt.NewMapClaims()
+	// populate the claims object
+	if err := xjwt.ParseWithClaims(token, claims); err != nil {
+		return nil, errAuthentication
+	}
+	// decrypt the claims.Data field
+	claimTokens, err := decryptClaims(claims.Data)
+	if err != nil {
+		// we print decryption token error information for debugging purposes
+		log.Println(err)
+		// we return a generic error that doesn't give any information to attackers
+		return nil, errReadingToken
+	}
+	// claimsTokens contains the decrypted STS claims
+	return claimTokens, nil
+}
+
+// NewJWTWithClaimsForClient generates a new jwt with claims based on the provided STS credentials, first
+// encrypts the claims and the sign them
+func NewJWTWithClaimsForClient(credentials *credentials.Value, audience string) (string, error) {
+	if credentials != nil {
+		encryptedClaims, err := encryptClaims(credentials.AccessKeyID, credentials.SecretAccessKey, credentials.SessionToken)
+		if err != nil {
+			return "", err
+		}
+		claims := xjwt.NewStandardClaims()
+		claims.SetExpiry(cmd.UTCNow().Add(xjwt.GetMcsSTSAndJWTDurationTime()))
+		claims.SetSubject(uuid.NewV4().String())
+		claims.SetData(encryptedClaims)
+		claims.SetAudience(audience)
+		jwt := jwtgo.NewWithClaims(jwtgo.SigningMethodHS512, claims)
+		return jwt.SignedString([]byte(xjwt.GetHmacJWTSecret()))
+	}
+	return "", errors.New("provided credentials are empty")
+}
+
+// encryptClaims() receives the 3 STS claims, concatenate them and encrypt them using AES-GCM
+// returns a base64 encoded ciphertext
+func encryptClaims(accessKeyID, secretAccessKey, sessionToken string) (string, error) {
+	payload := []byte(fmt.Sprintf("%s:%s:%s", accessKeyID, secretAccessKey, sessionToken))
+	ciphertext, err := encrypt(payload)
+	if err != nil {
+		return "", err
+	}
+	return base64.StdEncoding.EncodeToString(ciphertext), nil
+}
+
+// decryptClaims() receives base64 encoded ciphertext, decode it, decrypt it (AES-GCM) and produces a *DecryptedClaims object
+func decryptClaims(ciphertext string) (*DecryptedClaims, error) {
+	decoded, err := base64.StdEncoding.DecodeString(ciphertext)
+	if err != nil {
+		log.Println(err)
+		return nil, errClaimsFormat
+	}
+	plaintext, err := decrypt(decoded)
+	if err != nil {
+		log.Println(err)
+		return nil, errClaimsFormat
+	}
+	s := strings.Split(string(plaintext), ":")
+	// Validate that the decrypted string has the right format "accessKeyID:secretAccessKey:sessionToken"
+	if len(s) != 3 {
+		return nil, errClaimsFormat
+	}
+	accessKeyID, secretAccessKey, sessionToken := s[0], s[1], s[2]
+	return &DecryptedClaims{
+		AccessKeyID:     accessKeyID,
+		SecretAccessKey: secretAccessKey,
+		SessionToken:    sessionToken,
+	}, nil
+}
+
+// Encrypt a blob of data using AEAD (AES-GCM) with a pbkdf2 derived key
+func encrypt(plaintext []byte) ([]byte, error) {
+	block, _ := aes.NewCipher(derivedKey)
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	nonce := make([]byte, gcm.NonceSize())
+	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
+		return nil, err
+	}
+	cipherText := gcm.Seal(nonce, nonce, plaintext, nil)
+	return cipherText, nil
+}
+
+// Decrypts a blob of data using AEAD (AES-GCM) with a pbkdf2 derived key
+func decrypt(data []byte) ([]byte, error) {
+	block, err := aes.NewCipher(derivedKey)
+	if err != nil {
+		return nil, err
+	}
+	gcm, err := cipher.NewGCM(block)
+	if err != nil {
+		return nil, err
+	}
+	nonceSize := gcm.NonceSize()
+	nonce, cipherText := data[:nonceSize], data[nonceSize:]
+	plaintext, err := gcm.Open(nil, nonce, cipherText, nil)
+	if err != nil {
+		return nil, err
+	}
+	return plaintext, nil
+}
--- a/pkg/auth/jwt/config.go
+++ b/pkg/auth/jwt/config.go
@@ -0,0 +1,94 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package jwt
+
+import (
+	"crypto/rand"
+	"io"
+	"strconv"
+	"strings"
+	"time"
+
+	"github.com/minio/minio/pkg/env"
+)
+
+// Do not use:
+// https://stackoverflow.com/questions/22892120/how-to-generate-a-random-string-of-a-fixed-length-in-go
+// It relies on math/rand and therefore not on a cryptographically secure RNG => It must not be used
+// for access/secret keys.
+
+// The alphabet of random character string. Each character must be unique.
+//
+// The RandomCharString implementation requires that: 256 / len(letters) is a natural numbers.
+// For example: 256 / 64 = 4. However, 5 > 256/62 > 4 and therefore we must not use a alphabet
+// of 62 characters.
+// The reason is that if 256 / len(letters) is not a natural number then certain characters become
+// more likely then others.
+const letters = "ABCDEFGHIJKLMNOPQRSTUVWXYZ012345"
+
+func RandomCharString(n int) string {
+	random := make([]byte, n)
+	if _, err := io.ReadFull(rand.Reader, random); err != nil {
+		panic(err) // Can only happen if we would run out of entropy.
+	}
+
+	var s strings.Builder
+	for _, v := range random {
+		j := v % byte(len(letters))
+		s.WriteByte(letters[j])
+	}
+	return s.String()
+}
+
+// defaultHmacJWTPassphrase will be used by default if application is not configured with a custom MCS_HMAC_JWT_SECRET secret
+var defaultHmacJWTPassphrase = RandomCharString(64)
+
+// GetHmacJWTSecret returns the 64 bytes secret used for signing the generated JWT for the application
+func GetHmacJWTSecret() string {
+	return env.Get(McsHmacJWTSecret, defaultHmacJWTPassphrase)
+}
+
+// McsSTSAndJWTDurationSeconds returns the default session duration for the STS requested tokens and the generated JWTs.
+// Ideally both values should match so jwt and Minio sts sessions expires at the same time.
+func GetMcsSTSAndJWTDurationInSeconds() int {
+	duration, err := strconv.Atoi(env.Get(McsSTSAndJWTDurationSeconds, "3600"))
+	if err != nil {
+		duration = 3600
+	}
+	return duration
+}
+
+// GetMcsSTSAndJWTDurationTime returns GetMcsSTSAndJWTDurationInSeconds in duration format
+func GetMcsSTSAndJWTDurationTime() time.Duration {
+	duration := GetMcsSTSAndJWTDurationInSeconds()
+	return time.Duration(duration) * time.Second
+}
+
+// defaultPBKDFPassphrase
+var defaultPBKDFPassphrase = RandomCharString(64)
+
+// GetPBKDFPassphrase returns passphrase for the pbkdf2 function used to encrypt JWT payload
+func GetPBKDFPassphrase() string {
+	return env.Get(McsPBKDFPassphrase, defaultPBKDFPassphrase)
+}
+
+var defaultPBKDFSalt = RandomCharString(64)
+
+// GetPBKDFSalt returns salt for the pbkdf2 function used to encrypt JWT payload
+func GetPBKDFSalt() string {
+	return env.Get(McsPBKDFSalt, defaultPBKDFSalt)
+}
--- a/pkg/auth/jwt/const.go
+++ b/pkg/auth/jwt/const.go
@@ -0,0 +1,24 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package jwt
+
+const (
+	McsHmacJWTSecret            = "MCS_HMAC_JWT_SECRET"
+	McsSTSAndJWTDurationSeconds = "MCS_STS_AND_JWT_DURATION_SECONDS"
+	McsPBKDFPassphrase          = "MCS_PBKDF_PASSPHRASE"
+	McsPBKDFSalt                = "MCS_PBKDF_SALT"
+)
--- a/pkg/auth/jwt/parser.go
+++ b/pkg/auth/jwt/parser.go
@@ -0,0 +1,281 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package jwt
+
+// This file is a re-implementation of the original code here with some
+// additional allocation tweaks reproduced using GODEBUG=allocfreetrace=1
+// original file https://github.com/dgrijalva/jwt-go/blob/master/parser.go
+// borrowed under MIT License https://github.com/dgrijalva/jwt-go/blob/master/LICENSE
+
+import (
+	"crypto"
+	"crypto/hmac"
+	"encoding/base64"
+	"encoding/json"
+	"fmt"
+	"strings"
+	"sync"
+	"time"
+
+	jwtgo "github.com/dgrijalva/jwt-go"
+	jsoniter "github.com/json-iterator/go"
+)
+
+const (
+	claimData = "data"
+	claimSub  = "sub"
+)
+
+// SigningMethodHMAC - Implements the HMAC-SHA family of signing methods signing methods
+// Expects key type of []byte for both signing and validation
+type SigningMethodHMAC struct {
+	Name string
+	Hash crypto.Hash
+}
+
+// Specific instances for HS256, HS384, HS512
+var (
+	SigningMethodHS256 *SigningMethodHMAC
+	SigningMethodHS384 *SigningMethodHMAC
+	SigningMethodHS512 *SigningMethodHMAC
+)
+
+var (
+	base64BufPool sync.Pool
+	hmacSigners   []*SigningMethodHMAC
+)
+
+func init() {
+	base64BufPool = sync.Pool{
+		New: func() interface{} {
+			buf := make([]byte, 8192)
+			return &buf
+		},
+	}
+
+	hmacSigners = []*SigningMethodHMAC{
+		{"HS256", crypto.SHA256},
+		{"HS384", crypto.SHA384},
+		{"HS512", crypto.SHA512},
+	}
+}
+
+// StandardClaims are basically standard claims with "Data"
+type StandardClaims struct {
+	Data string `json:"data,omitempty"`
+	jwtgo.StandardClaims
+}
+
+// MapClaims - implements custom unmarshaller
+type MapClaims struct {
+	Data    string `json:"data,omitempty"`
+	Subject string `json:"sub,omitempty"`
+	jwtgo.MapClaims
+}
+
+// NewStandardClaims - initializes standard claims
+func NewStandardClaims() *StandardClaims {
+	return &StandardClaims{}
+}
+
+// SetIssuer sets issuer for these claims
+func (c *StandardClaims) SetIssuer(issuer string) {
+	c.Issuer = issuer
+}
+
+// SetAudience sets audience for these claims
+func (c *StandardClaims) SetAudience(aud string) {
+	c.Audience = aud
+}
+
+// SetExpiry sets expiry in unix epoch secs
+func (c *StandardClaims) SetExpiry(t time.Time) {
+	c.ExpiresAt = t.Unix()
+}
+
+// SetSubject sets unique identifier for the jwt
+func (c *StandardClaims) SetSubject(subject string) {
+	c.Subject = subject
+}
+
+// SetData sets the "Data" custom field.
+func (c *StandardClaims) SetData(data string) {
+	c.Data = data
+}
+
+// Valid - implements https://godoc.org/github.com/dgrijalva/jwt-go#Claims compatible
+// claims interface, additionally validates "Data" field.
+func (c *StandardClaims) Valid() error {
+	if err := c.StandardClaims.Valid(); err != nil {
+		return err
+	}
+
+	if c.Data == "" || c.Subject == "" {
+		return jwtgo.NewValidationError("data/sub",
+			jwtgo.ValidationErrorClaimsInvalid)
+	}
+	return nil
+}
+
+// NewMapClaims - Initializes a new map claims
+func NewMapClaims() *MapClaims {
+	return &MapClaims{MapClaims: jwtgo.MapClaims{}}
+}
+
+// Lookup returns the value and if the key is found.
+func (c *MapClaims) Lookup(key string) (value string, ok bool) {
+	var vinterface interface{}
+	vinterface, ok = c.MapClaims[key]
+	if ok {
+		value, ok = vinterface.(string)
+	}
+	return
+}
+
+// SetExpiry sets expiry in unix epoch secs
+func (c *MapClaims) SetExpiry(t time.Time) {
+	c.MapClaims["exp"] = t.Unix()
+}
+
+// SetData sets the "Data" custom field.
+func (c *MapClaims) SetData(data string) {
+	c.MapClaims[claimData] = data
+}
+
+// Valid - implements https://godoc.org/github.com/dgrijalva/jwt-go#Claims compatible
+// claims interface, additionally validates "Data" field.
+func (c *MapClaims) Valid() error {
+	if err := c.MapClaims.Valid(); err != nil {
+		return err
+	}
+
+	if c.Data == "" || c.Subject == "" {
+		return jwtgo.NewValidationError("data/subject",
+			jwtgo.ValidationErrorClaimsInvalid)
+	}
+	return nil
+}
+
+// Map returns underlying low-level map claims.
+func (c *MapClaims) Map() map[string]interface{} {
+	return c.MapClaims
+}
+
+// MarshalJSON marshals the MapClaims struct
+func (c *MapClaims) MarshalJSON() ([]byte, error) {
+	return json.Marshal(c.MapClaims)
+}
+
+// https://tools.ietf.org/html/rfc7519#page-11
+type jwtHeader struct {
+	Algorithm string `json:"alg"`
+	Type      string `json:"typ"`
+}
+
+// ParseWithClaims - parse the token string, valid methods.
+func ParseWithClaims(tokenStr string, claims *MapClaims) error {
+	bufp := base64BufPool.Get().(*[]byte)
+	defer base64BufPool.Put(bufp)
+
+	signer, err := parseUnverifiedMapClaims(tokenStr, claims, *bufp)
+	if err != nil {
+		return err
+	}
+
+	i := strings.LastIndex(tokenStr, ".")
+	if i < 0 {
+		return jwtgo.ErrSignatureInvalid
+	}
+
+	n, err := base64Decode(tokenStr[i+1:], *bufp)
+	if err != nil {
+		return err
+	}
+
+	var ok bool
+
+	claims.Data, ok = claims.Lookup(claimData)
+	if !ok {
+		return jwtgo.NewValidationError("data missing",
+			jwtgo.ValidationErrorClaimsInvalid)
+	}
+
+	claims.Subject, ok = claims.Lookup(claimSub)
+	if !ok {
+		return jwtgo.NewValidationError("sub missing",
+			jwtgo.ValidationErrorClaimsInvalid)
+	}
+
+	hasher := hmac.New(signer.Hash.New, []byte(GetHmacJWTSecret()))
+	hasher.Write([]byte(tokenStr[:i]))
+	if !hmac.Equal((*bufp)[:n], hasher.Sum(nil)) {
+		return jwtgo.ErrSignatureInvalid
+	}
+
+	// Signature is valid, lets validate the claims for
+	// other fields such as expiry etc.
+	return claims.Valid()
+}
+
+// base64Decode returns the bytes represented by the base64 string s.
+func base64Decode(s string, buf []byte) (int, error) {
+	return base64.RawURLEncoding.Decode(buf, []byte(s))
+}
+
+// ParseUnverifiedMapClaims - WARNING: Don't use this method unless you know what you're doing
+//
+// This method parses the token but doesn't validate the signature. It's only
+// ever useful in cases where you know the signature is valid (because it has
+// been checked previously in the stack) and you want to extract values from
+// it.
+func parseUnverifiedMapClaims(tokenString string, claims *MapClaims, buf []byte) (*SigningMethodHMAC, error) {
+	if strings.Count(tokenString, ".") != 2 {
+		return nil, jwtgo.ErrSignatureInvalid
+	}
+
+	i := strings.Index(tokenString, ".")
+	j := strings.LastIndex(tokenString, ".")
+
+	n, err := base64Decode(tokenString[:i], buf)
+	if err != nil {
+		return nil, &jwtgo.ValidationError{Inner: err, Errors: jwtgo.ValidationErrorMalformed}
+	}
+
+	var header = jwtHeader{}
+	var json = jsoniter.ConfigCompatibleWithStandardLibrary
+	if err = json.Unmarshal(buf[:n], &header); err != nil {
+		return nil, &jwtgo.ValidationError{Inner: err, Errors: jwtgo.ValidationErrorMalformed}
+	}
+
+	n, err = base64Decode(tokenString[i+1:j], buf)
+	if err != nil {
+		return nil, &jwtgo.ValidationError{Inner: err, Errors: jwtgo.ValidationErrorMalformed}
+	}
+
+	if err = json.Unmarshal(buf[:n], &claims.MapClaims); err != nil {
+		return nil, &jwtgo.ValidationError{Inner: err, Errors: jwtgo.ValidationErrorMalformed}
+	}
+
+	for _, signer := range hmacSigners {
+		if header.Algorithm == signer.Name {
+			return signer, nil
+		}
+	}
+
+	return nil, jwtgo.NewValidationError(fmt.Sprintf("signing method (%s) is unavailable.", header.Algorithm),
+		jwtgo.ValidationErrorUnverifiable)
+}
--- a/pkg/auth/jwt_test.go
+++ b/pkg/auth/jwt_test.go
@@ -0,0 +1,80 @@
+// This file is part of MinIO Console Server
+// Copyright (c) 2020 MinIO, Inc.
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU Affero General Public License as published by
+// the Free Software Foundation, either version 3 of the License, or
+// (at your option) any later version.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+// GNU Affero General Public License for more details.
+//
+// You should have received a copy of the GNU Affero General Public License
+// along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+package auth
+
+import (
+	"testing"
+
+	"github.com/minio/minio-go/v6/pkg/credentials"
+	"github.com/stretchr/testify/assert"
+)
+
+var audience = ""
+var creds = &credentials.Value{
+	AccessKeyID:     "fakeAccessKeyID",
+	SecretAccessKey: "fakeSecretAccessKey",
+	SessionToken:    "fakeSessionToken",
+	SignerType:      0,
+}
+var goodToken = ""
+var badToken = "eyJhbGciOiJIUzUxMiIsInR5cCI6IkpXVCJ9.eyJkYXRhIjoiRDMwYWE0ekQ1bWtFaFRyWm5yOWM3NWh0Yko0MkROOWNDZVQ5RHVHUkg1U25SR3RyTXZNOXBMdnlFSVJAAAE5eWxxekhYMXllck8xUXpzMlZzRVFKeUF2ZmpOaDkrTVdoUURWZ2FhK2R5emxzSjNpK0k1dUdoeW5DNWswUW83WEY0UWszY0RtUTdUQUVROVFEbWRKdjBkdVB5L25hQk5vM3dIdlRDZHFNRDJZN3kycktJbmVUbUlFNmVveW9EWmprcW5tckVoYmMrTlhTRU81WjZqa1kwZ1E2eXZLaWhUZGxBRS9zS1lBNlc4Q1R1cm1MU0E0b0dIcGtldFZWU0VXMHEzNU9TU1VaczRXNkxHdGMxSTFWVFZLWUo3ZTlHR2REQ3hMWGtiZHQwcjl0RDNMWUhWRndra0dSZit5ZHBzS1Y3L1Jtbkp3SHNqNVVGV0w5WGVHUkZVUjJQclJTN2plVzFXeGZuYitVeXoxNVpOMzZsZ01GNnBlWFd1LzJGcEtrb2Z2QzNpY2x5Rmp0SE45ZkxYTVpVSFhnV2lsQWVSa3oiLCJhdWQiOiJodHRwOi8vbG9jYWxob3N0OjkwMDAiLCJleHAiOjE1ODc1MTY1NzEsInN1YiI6ImZmYmY4YzljLTJlMjYtNGMwYS1iMmI0LTYyMmVhM2I1YjZhYiJ9.P392RUwzsrBeJOO3fS1xMZcF-lWiDvWZ5hM7LZOyFMmoG5QLccDU5eAPSm8obzPoznX1b7eCFLeEmKK-vKgjiQ"
+
+func TestNewJWTWithClaimsForClient(t *testing.T) {
+	funcAssert := assert.New(t)
+	// Test-1 : NewJWTWithClaimsForClient() is generated correctly without errors
+	function := "NewJWTWithClaimsForClient()"
+	jwt, err := NewJWTWithClaimsForClient(creds, audience)
+	if err != nil || jwt == "" {
+		t.Errorf("Failed on %s:, error occurred: %s", function, err)
+	}
+	// saving jwt for future tests
+	goodToken = jwt
+	// Test-2 : NewJWTWithClaimsForClient() throws error because of empty credentials
+	if _, err = NewJWTWithClaimsForClient(nil, audience); err != nil {
+		funcAssert.Equal("provided credentials are empty", err.Error())
+	}
+}
+
+func TestJWTAuthenticate(t *testing.T) {
+	funcAssert := assert.New(t)
+	// Test-1 : JWTAuthenticate() should correctly return the claims
+	function := "JWTAuthenticate()"
+	claims, err := JWTAuthenticate(goodToken)
+	if err != nil || claims == nil {
+		t.Errorf("Failed on %s:, error occurred: %s", function, err)
+	} else {
+		funcAssert.Equal(claims.AccessKeyID, creds.AccessKeyID)
+		funcAssert.Equal(claims.SecretAccessKey, creds.SecretAccessKey)
+		funcAssert.Equal(claims.SessionToken, creds.SessionToken)
+	}
+	// Test-2 : JWTAuthenticate() return an error because of a tampered jwt
+	if _, err := JWTAuthenticate(badToken); err != nil {
+		funcAssert.Equal("Authentication failed, check your access credentials", err.Error())
+	}
+	// Test-3 : JWTAuthenticate() return an error because of an empty jwt
+	if _, err := JWTAuthenticate(""); err != nil {
+		funcAssert.Equal("JWT token missing", err.Error())
+	}
+}
+
+func TestIsJWTValid(t *testing.T) {
+	funcAssert := assert.New(t)
+	// Test-1 : JWTAuthenticate() provided token is valid
+	funcAssert.Equal(true, IsJWTValid(goodToken))
+	// Test-2 : JWTAuthenticate() provided token is invalid
+	funcAssert.Equal(false, IsJWTValid(badToken))
+}