azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 08:31:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
51a293dbcc8e374699cbe83976710d3dbc5c29d3
admin/e2e/Azaion.E2E/Tests/SecurityTests.cs
T
Oleksandr Bezdieniezhnykh 51a293dbcc
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS 
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation
on /token/refresh; reuse of a rotated refresh kills the entire session
family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new
sessions table with serializable-tx rotation.

AZ-532 — switched access-token signing from HS256 shared-secret to ES256
file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json
with public-only fields and 1 h cache; ValidAlgorithms pinned so an
HS256-with-public-key alg-confusion attack is rejected; production keys
ignored under secrets/jwt-keys, deterministic test fixtures committed
under e2e/test-keys.

Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests).
Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated
for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with
ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env
to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux
budget unchanged, see batch_02_cycle2_review.md F1).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 05:30:03 +03:00

202 lines
8.1 KiB
C#
Raw Blame History

using System.IdentityModel.Tokens.Jwt;
using System.Net;
using System.Net.Http.Json;
using System.Security.Claims;
using System.Text;
using System.Text.Json;
using Azaion.E2E.Helpers;
using FluentAssertions;
using Microsoft.IdentityModel.Tokens;
using Xunit;
namespace Azaion.E2E.Tests;
[Collection("E2E")]
public sealed class SecurityTests
{
private static readonly JsonSerializerOptions JsonOptions = new()
{
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
private static readonly JsonSerializerOptions ResponseJsonOptions = new()
{
PropertyNameCaseInsensitive = true
};
private sealed record ErrorResponse(int ErrorCode, string Message);
private readonly TestFixture _fixture;
public SecurityTests(TestFixture fixture) => _fixture = fixture;
[Fact]
public async Task Unauthenticated_requests_to_protected_endpoints_return_401()
{
// Arrange
var baseUrl = _fixture.Settings.ApiBaseUrl;
using var bare = new HttpClient { BaseAddress = new Uri(baseUrl, UriKind.Absolute), Timeout = TimeSpan.FromMinutes(5) };
using var client = new ApiClient(bare, disposeClient: false);
var probeEmail = "test@x.com";
// Act & Assert
using (var r = await client.GetAsync("/users/current"))
r.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
using (var r = await client.GetAsync("/users"))
r.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
using (var r = await bare.PostAsync("/users",
new StringContent("", Encoding.UTF8, "application/json")))
r.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
using (var r = await client.PutAsync($"/users/{Uri.EscapeDataString(probeEmail)}/enable"))
r.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
using (var r = await client.DeleteAsync($"/users/{Uri.EscapeDataString(probeEmail)}"))
r.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
}
[Fact]
public async Task Non_admin_uploader_is_forbidden_on_admin_endpoints()
{
// Arrange
using var client = _fixture.CreateApiClient();
using var login = await client.PostAsync("/login",
new { email = _fixture.UploaderEmail, password = _fixture.UploaderPassword });
login.StatusCode.Should().Be(HttpStatusCode.OK);
var loginBody = await login.Content.ReadFromJsonAsync<LoginTokenResponse>(JsonOptions);
var token = loginBody?.Token ?? throw new InvalidOperationException("Missing token.");
client.SetAuthToken(token);
var targetEmail = $"{Guid.NewGuid():N}@sectest.example.com";
// Act & Assert
using (var r = await client.PostAsync("/users",
new { email = targetEmail, password = "TestPwd12345", role = 10 }))
r.StatusCode.Should().Be(HttpStatusCode.Forbidden);
using (var r = await client.GetAsync("/users"))
r.StatusCode.Should().Be(HttpStatusCode.Forbidden);
using (var r = await client.PutAsync($"/users/{Uri.EscapeDataString(targetEmail)}/set-role/10"))
r.StatusCode.Should().Be(HttpStatusCode.Forbidden);
using (var r = await client.DeleteAsync($"/users/{Uri.EscapeDataString(targetEmail)}"))
r.StatusCode.Should().Be(HttpStatusCode.Forbidden);
}
[Fact]
public async Task Users_list_must_not_expose_non_empty_password_hash_in_json()
{
// Arrange
using var client = _fixture.CreateAuthenticatedClient(_fixture.AdminToken);
// Act
using var response = await client.GetAsync("/users");
var json = await response.Content.ReadAsStringAsync();
// Assert
response.StatusCode.Should().Be(HttpStatusCode.OK);
using var doc = JsonDocument.Parse(json);
doc.RootElement.ValueKind.Should().Be(JsonValueKind.Array);
foreach (var user in doc.RootElement.EnumerateArray())
{
if (!user.TryGetProperty("passwordHash", out var ph))
continue;
if (ph.ValueKind == JsonValueKind.Null)
continue;
ph.ValueKind.Should().Be(JsonValueKind.String);
(ph.GetString() ?? "").Should().BeEmpty("password hash must not be exposed in API responses");
}
}
[Fact]
public async Task Expired_jwt_is_rejected_for_admin_endpoint()
{
// Arrange — sign a deliberately-expired token with the same ES256 test key
// the SUT trusts. AZ-532 dropped HS256 acceptance, so this test must use the
// production signing path or every "is the token expired?" check would short-
// circuit on a wrong-algorithm rejection instead.
using var ecdsa = JwtTestSigner.LoadActive(_fixture.JwtKeysFolder, _fixture.JwtActiveKid);
var key = new ECDsaSecurityKey(ecdsa) { KeyId = _fixture.JwtActiveKid };
var creds = new SigningCredentials(key, SecurityAlgorithms.EcdsaSha256);
var token = new JwtSecurityToken(
issuer: "AzaionApi",
audience: "Annotators/OrangePi/Admins",
claims:
[
new Claim(ClaimTypes.Role, "ApiAdmin"),
new Claim("http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress", "expired@x.com")
],
notBefore: DateTime.UtcNow.AddHours(-3),
expires: DateTime.UtcNow.AddHours(-1),
signingCredentials: creds);
var jwt = new JwtSecurityTokenHandler().WriteToken(token);
using var client = _fixture.CreateAuthenticatedClient(jwt);
// Act
using var response = await client.GetAsync("/users");
// Assert
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
}
[Fact]
public async Task Hardware_endpoints_are_removed_AZ_197()
{
// Arrange
using var admin = _fixture.CreateAuthenticatedClient(_fixture.AdminToken);
// Act
using var setHw = await admin.PutAsync("/users/hardware/set", new { Email = "x@y.com", Hardware = "any" });
// /resources/check no longer exists. POST /resources/{dataFolder?} (file upload, multipart-only)
// matches the same path with dataFolder="check", so a JSON POST is rejected at the binding
// layer with 415 instead of 404. Either is an acceptable "endpoint is gone" signal — what
// matters for AC-2 is that no hardware-binding side-effect can be triggered.
using var checkHw = await admin.PostAsync("/resources/check", new { Hardware = "any" });
// Assert
setHw.StatusCode.Should().Be(HttpStatusCode.NotFound);
checkHw.StatusCode.Should().BeOneOf(HttpStatusCode.NotFound, HttpStatusCode.UnsupportedMediaType);
}
[Fact]
public async Task Disabled_user_cannot_log_in()
{
// Arrange
var email = $"{Guid.NewGuid():N}@sectest.example.com";
const string password = "TestPwd12345";
try
{
var reg = JsonSerializer.Serialize(new { email, password, role = 10 }, JsonOptions);
using (var create = await _fixture.HttpClient.PostAsync("/users",
new StringContent(reg, Encoding.UTF8, "application/json")))
create.IsSuccessStatusCode.Should().BeTrue();
using (var disable = await _fixture.HttpClient.PutAsync(
$"/users/{Uri.EscapeDataString(email)}/disable", null))
disable.IsSuccessStatusCode.Should().BeTrue();
using var client = _fixture.CreateApiClient();
// Act
using var login = await client.PostAsync("/login", new { email, password });
// Assert
login.StatusCode.Should().Be(HttpStatusCode.Conflict);
var err = await login.Content.ReadFromJsonAsync<ErrorResponse>(ResponseJsonOptions);
err.Should().NotBeNull();
err!.ErrorCode.Should().Be(38);
}
finally
{
using var _ = await _fixture.HttpClient.DeleteAsync($"/users/{Uri.EscapeDataString(email)}");
}
}
private sealed class LoginTokenResponse
{
public string Token { get; init; } = "";
}
}
Reference in New Issue View Git Blame Copy Permalink