azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 22:51:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
1bdbe8c96d2d909897ef08db94847c628938c310
admin/e2e/Azaion.E2E/Helpers/DbHelper.cs
T
Oleksandr Bezdieniezhnykh 1e1ded73f5
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-534] TOTP-based 2FA at credential login 
Add RFC 6238 TOTP enrollment, two-step /login flow, recovery codes, and
the amr=["pwd","mfa"] claim that propagates through refresh-token rotation.

- New endpoints: /users/me/mfa/{enroll,confirm,disable} and /login/mfa.
- /login short-circuits to a 5-min ES256 step-1 token (audience-pinned
  azaion-mfa-step2) when the user has MFA enabled; real access+refresh
  pair is minted only after /login/mfa.
- mfa_secret encrypted at rest via ASP.NET Core IDataProtector
  (purpose=Azaion.Mfa.Secret.v1; key folder configurable via
  DataProtection:KeysFolder for production persistence).
- Recovery codes (10 single-use, base32, ~80-bit entropy) hashed with
  SHA-256 and stored as JSONB; constant-time compare on lookup.
- RFC 6238 §5.2 replay defense via mfa_last_used_window per user.
- Sessions carry mfa_authenticated so /token/refresh re-stamps the
  amr claim correctly across the entire 30-day refresh window.
- New audit events: enroll, confirm, disable, login-success/failed,
  recovery-used.
- Schema: env/db/10_users_mfa.sql adds users.mfa_* columns and
  sessions.mfa_authenticated; mfa_recovery_codes mapped as BinaryJson
  in AzaionDbSchemaHolder; disable path uses raw parameterised SQL to
  avoid LinqToDB null-literal type-inference on jsonb columns.

E2E: 6 new tests in MfaLoginTests cover all six AC; full suite
82 passed / 0 failed / 3 intentional skips.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 06:21:28 +03:00

296 lines
13 KiB
C#
Raw Blame History

using System.Globalization;
using Npgsql;
namespace Azaion.E2E.Helpers;
/// <summary>
/// Thin wrapper around <see cref="NpgsqlConnection"/> for tests that must inspect
/// or seed rows directly. Used by AZ-536 (password hash format) and AZ-537
/// (lockout state, audit_events) acceptance tests.
/// </summary>
public sealed record SessionRow(
Guid Id,
Guid UserId,
Guid FamilyId,
DateTime IssuedAt,
DateTime ExpiresAt,
DateTime? RevokedAt,
string? RevokedReason,
Guid? ParentSessionId,
DateTime FamilyStartedAt);
public sealed class DbHelper
{
private readonly string _connectionString;
public DbHelper(string connectionString) => _connectionString = connectionString;
public async Task<string?> GetPasswordHash(string email, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"SELECT password_hash FROM public.users WHERE email = @e", conn);
cmd.Parameters.AddWithValue("e", email);
var raw = await cmd.ExecuteScalarAsync(ct);
return raw == null || raw is DBNull ? null : (string)raw;
}
public async Task<(int FailedLoginCount, DateTime? LockoutUntil)> GetLockoutState(string email, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"SELECT failed_login_count, lockout_until FROM public.users WHERE email = @e", conn);
cmd.Parameters.AddWithValue("e", email);
await using var rd = await cmd.ExecuteReaderAsync(ct);
if (!await rd.ReadAsync(ct))
throw new InvalidOperationException($"User {email} not found.");
var failed = rd.GetInt32(0);
DateTime? lockout = rd.IsDBNull(1) ? null : DateTime.SpecifyKind(rd.GetDateTime(1), DateTimeKind.Utc);
return (failed, lockout);
}
public async Task<int> CountAuditEvents(string eventType, string email, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"SELECT COUNT(*) FROM public.audit_events WHERE event_type = @t AND email = @e", conn);
cmd.Parameters.AddWithValue("t", eventType);
cmd.Parameters.AddWithValue("e", email);
var raw = await cmd.ExecuteScalarAsync(ct);
return Convert.ToInt32(raw, CultureInfo.InvariantCulture);
}
/// <summary>
/// Inject a user with a known legacy SHA-384 hash so the lazy-migration path can be
/// exercised end-to-end without going through the Argon2id-using registration API.
/// </summary>
public async Task SeedLegacyShaUser(Guid id, string email, string sha384HashBase64, string role = "ResourceUploader", CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(@"
INSERT INTO public.users (id, email, password_hash, role, created_at, is_enabled, failed_login_count)
VALUES (@id, @email, @hash, @role, now(), true, 0)
ON CONFLICT (email) DO UPDATE
SET password_hash = excluded.password_hash,
failed_login_count = 0,
lockout_until = NULL,
is_enabled = true", conn);
cmd.Parameters.AddWithValue("id", id);
cmd.Parameters.AddWithValue("email", email);
cmd.Parameters.AddWithValue("hash", sha384HashBase64);
cmd.Parameters.AddWithValue("role", role);
await cmd.ExecuteNonQueryAsync(ct);
}
public async Task DeleteUser(string email, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"DELETE FROM public.users WHERE email = @e", conn);
cmd.Parameters.AddWithValue("e", email);
await cmd.ExecuteNonQueryAsync(ct);
}
public async Task DeleteAuditEventsFor(string email, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"DELETE FROM public.audit_events WHERE email = @e", conn);
cmd.Parameters.AddWithValue("e", email);
await cmd.ExecuteNonQueryAsync(ct);
}
/// <summary>
/// Force-set a lockout deadline so tests don't have to actually trip the threshold
/// 10 times to check expiry behavior (AZ-537 AC-5).
/// </summary>
public async Task SetLockoutUntil(string email, DateTime? lockoutUntilUtc, int failedCount, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(@"
UPDATE public.users
SET lockout_until = @until,
failed_login_count = @count
WHERE email = @e", conn);
cmd.Parameters.AddWithValue("until",
(object?)(lockoutUntilUtc?.ToUniversalTime()) ?? DBNull.Value);
cmd.Parameters.AddWithValue("count", failedCount);
cmd.Parameters.AddWithValue("e", email);
await cmd.ExecuteNonQueryAsync(ct);
}
/// <summary>
/// AZ-531 — looks up a session row by the refresh token's sha256 hash. Tests
/// hash the opaque token the same way RefreshTokenService does, then assert
/// on the persisted row.
/// </summary>
public async Task<SessionRow?> GetSessionByHash(string refreshHashHex, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(@"
SELECT id, user_id, family_id, issued_at, expires_at, revoked_at,
revoked_reason, parent_session_id, family_started_at
FROM public.sessions
WHERE refresh_hash = @h", conn);
cmd.Parameters.AddWithValue("h", refreshHashHex);
await using var rd = await cmd.ExecuteReaderAsync(ct);
if (!await rd.ReadAsync(ct)) return null;
return new SessionRow(
Id: rd.GetGuid(0),
UserId: rd.GetGuid(1),
FamilyId: rd.GetGuid(2),
IssuedAt: DateTime.SpecifyKind(rd.GetDateTime(3), DateTimeKind.Utc),
ExpiresAt: DateTime.SpecifyKind(rd.GetDateTime(4), DateTimeKind.Utc),
RevokedAt: rd.IsDBNull(5) ? null : DateTime.SpecifyKind(rd.GetDateTime(5), DateTimeKind.Utc),
RevokedReason: rd.IsDBNull(6) ? null : rd.GetString(6),
ParentSessionId: rd.IsDBNull(7) ? null : rd.GetGuid(7),
FamilyStartedAt: DateTime.SpecifyKind(rd.GetDateTime(8), DateTimeKind.Utc));
}
public async Task<int> CountActiveInFamily(Guid familyId, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"SELECT COUNT(*) FROM public.sessions WHERE family_id = @f AND revoked_at IS NULL", conn);
cmd.Parameters.AddWithValue("f", familyId);
return Convert.ToInt32(await cmd.ExecuteScalarAsync(ct), CultureInfo.InvariantCulture);
}
public async Task<int> CountReuseRevokedInFamily(Guid familyId, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"SELECT COUNT(*) FROM public.sessions WHERE family_id = @f AND revoked_reason = 'reuse_detected'", conn);
cmd.Parameters.AddWithValue("f", familyId);
return Convert.ToInt32(await cmd.ExecuteScalarAsync(ct), CultureInfo.InvariantCulture);
}
/// <summary>
/// AZ-531 AC-4 — backdate a family so the absolute-expiry check fires
/// without waiting 12 hours of wall-clock time.
/// </summary>
public async Task BackdateFamily(Guid familyId, TimeSpan ageFromNow, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(@"
UPDATE public.sessions
SET family_started_at = now() - @age,
issued_at = now() - @age,
last_used_at = now() - @age
WHERE family_id = @f", conn);
cmd.Parameters.AddWithValue("age", ageFromNow);
cmd.Parameters.AddWithValue("f", familyId);
await cmd.ExecuteNonQueryAsync(ct);
}
public async Task DeleteSessionsFor(string email, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(@"
DELETE FROM public.sessions
WHERE user_id = (SELECT id FROM public.users WHERE email = @e)", conn);
cmd.Parameters.AddWithValue("e", email);
await cmd.ExecuteNonQueryAsync(ct);
}
/// <summary>
/// AZ-535 — count active sessions for a user, optionally filtered to a session class.
/// </summary>
public async Task<int> CountActiveSessionsForUser(string email, string? sessionClass = null, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
var sql = @"
SELECT COUNT(*) FROM public.sessions
WHERE user_id = (SELECT id FROM public.users WHERE email = @e)
AND revoked_at IS NULL"
+ (sessionClass != null ? " AND class = @c" : "");
await using var cmd = new NpgsqlCommand(sql, conn);
cmd.Parameters.AddWithValue("e", email);
if (sessionClass != null) cmd.Parameters.AddWithValue("c", sessionClass);
return Convert.ToInt32(await cmd.ExecuteScalarAsync(ct), CultureInfo.InvariantCulture);
}
/// <summary>
/// AZ-533 — count open mission sessions whose <c>aircraft_id</c> matches the given user.
/// </summary>
public async Task<int> CountOpenMissionsForAircraft(Guid aircraftId, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(@"
SELECT COUNT(*) FROM public.sessions
WHERE aircraft_id = @a AND class = 'mission' AND revoked_at IS NULL", conn);
cmd.Parameters.AddWithValue("a", aircraftId);
return Convert.ToInt32(await cmd.ExecuteScalarAsync(ct), CultureInfo.InvariantCulture);
}
/// <summary>
/// AZ-535 — pluck the row's revocation columns for assertions on who/why/when.
/// </summary>
public async Task<(DateTime? RevokedAt, string? Reason, Guid? RevokedBy)> GetRevocationInfo(Guid sessionId, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"SELECT revoked_at, revoked_reason, revoked_by_user_id FROM public.sessions WHERE id = @s", conn);
cmd.Parameters.AddWithValue("s", sessionId);
await using var rd = await cmd.ExecuteReaderAsync(ct);
if (!await rd.ReadAsync(ct))
throw new InvalidOperationException($"Session {sessionId} not found.");
return (
rd.IsDBNull(0) ? null : DateTime.SpecifyKind(rd.GetDateTime(0), DateTimeKind.Utc),
rd.IsDBNull(1) ? null : rd.GetString(1),
rd.IsDBNull(2) ? null : rd.GetGuid(2));
}
/// <summary>
/// AZ-534 — read mfa_secret raw to assert it's encrypted at rest.
/// </summary>
public async Task<string?> GetMfaSecretRaw(string email, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"SELECT mfa_secret FROM public.users WHERE email = @e", conn);
cmd.Parameters.AddWithValue("e", email);
var raw = await cmd.ExecuteScalarAsync(ct);
return raw is null or DBNull ? null : (string)raw;
}
/// <summary>
/// AZ-534 — read mfa_enabled flag.
/// </summary>
public async Task<bool> GetMfaEnabled(string email, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"SELECT mfa_enabled FROM public.users WHERE email = @e", conn);
cmd.Parameters.AddWithValue("e", email);
var raw = await cmd.ExecuteScalarAsync(ct);
return raw is bool b && b;
}
/// <summary>
/// AZ-535 — promote a user to <c>Service</c> role so they can read /sessions/revoked.
/// </summary>
public async Task PromoteToService(string email, CancellationToken ct = default)
{
await using var conn = await OpenAsync(ct);
await using var cmd = new NpgsqlCommand(
"UPDATE public.users SET role = 'Service' WHERE email = @e", conn);
cmd.Parameters.AddWithValue("e", email);
await cmd.ExecuteNonQueryAsync(ct);
}
public static string HashRefreshToken(string opaqueToken)
{
var bytes = System.Text.Encoding.ASCII.GetBytes(opaqueToken);
var digest = System.Security.Cryptography.SHA256.HashData(bytes);
return Convert.ToHexString(digest);
}
private async Task<NpgsqlConnection> OpenAsync(CancellationToken ct)
{
var conn = new NpgsqlConnection(_connectionString);
await conn.OpenAsync(ct);
return conn;
}
}
Reference in New Issue View Git Blame Copy Permalink