mirror of
https://github.com/azaion/admin.git
synced 2026-06-21 23:31:10 +00:00
Oleksandr Bezdieniezhnykh
51a293dbcc
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation on /token/refresh; reuse of a rotated refresh kills the entire session family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new sessions table with serializable-tx rotation. AZ-532 — switched access-token signing from HS256 shared-secret to ES256 file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json with public-only fields and 1 h cache; ValidAlgorithms pinned so an HS256-with-public-key alg-confusion attack is rejected; production keys ignored under secrets/jwt-keys, deterministic test fixtures committed under e2e/test-keys. Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests). Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux budget unchanged, see batch_02_cycle2_review.md F1). Co-authored-by: Cursor <cursoragent@cursor.com>
168 lines
5.5 KiB
C#
168 lines
5.5 KiB
C#
using System.Diagnostics;
|
|
using System.Net;
|
|
using Azaion.E2E.Helpers;
|
|
using FluentAssertions;
|
|
using Xunit;
|
|
|
|
namespace Azaion.E2E.Tests;
|
|
|
|
[Collection("E2E")]
|
|
public sealed class ResilienceTests
|
|
{
|
|
private const string MalformedJwtUnsigned =
|
|
"eyJhbGciOiJub25lIn0.eyJ0ZXN0IjoiMSJ9.";
|
|
|
|
private readonly TestFixture _fixture;
|
|
|
|
public ResilienceTests(TestFixture fixture) => _fixture = fixture;
|
|
|
|
[Fact]
|
|
public async Task Malformed_authorization_headers_return_401_and_system_remains_operational()
|
|
{
|
|
// Arrange
|
|
var baseUrl = _fixture.Settings.ApiBaseUrl;
|
|
var headers = new[]
|
|
{
|
|
"Bearer invalidtoken123",
|
|
$"Bearer {MalformedJwtUnsigned}",
|
|
"NotBearer somevalue",
|
|
"Bearer "
|
|
};
|
|
|
|
using var http = new HttpClient { BaseAddress = new Uri(baseUrl, UriKind.Absolute), Timeout = TimeSpan.FromMinutes(5) };
|
|
|
|
// Act
|
|
foreach (var h in headers)
|
|
{
|
|
using var request = new HttpRequestMessage(HttpMethod.Get, "/users/current");
|
|
request.Headers.TryAddWithoutValidation("Authorization", h);
|
|
using var response = await http.SendAsync(request);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
// Arrange
|
|
using var client = _fixture.CreateApiClient();
|
|
|
|
// Act
|
|
var token = await client.LoginAsync(_fixture.AdminEmail, _fixture.AdminPassword);
|
|
|
|
// Assert
|
|
token.Should().NotBeNullOrWhiteSpace();
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Login_p95_latency_under_500ms_after_warmup()
|
|
{
|
|
// Arrange
|
|
using var client = _fixture.CreateApiClient();
|
|
for (var i = 0; i < 5; i++)
|
|
{
|
|
using var w = await client.PostAsync("/login",
|
|
new { email = _fixture.UploaderEmail, password = _fixture.UploaderPassword });
|
|
w.EnsureSuccessStatusCode();
|
|
}
|
|
|
|
var samples = new List<double>(100);
|
|
|
|
// Act
|
|
for (var i = 0; i < 100; i++)
|
|
{
|
|
var sw = Stopwatch.StartNew();
|
|
using var resp = await client.PostAsync("/login",
|
|
new { email = _fixture.UploaderEmail, password = _fixture.UploaderPassword });
|
|
sw.Stop();
|
|
resp.EnsureSuccessStatusCode();
|
|
samples.Add(sw.Elapsed.TotalMilliseconds);
|
|
}
|
|
|
|
var sorted = samples.OrderBy(x => x).ToArray();
|
|
var p95Index = (int)Math.Ceiling(0.95 * sorted.Length) - 1;
|
|
if (p95Index < 0)
|
|
p95Index = 0;
|
|
var p95 = sorted[p95Index];
|
|
|
|
// Assert — post-AZ-531/AZ-536, the per-login budget covers Argon2id verify
|
|
// (~250 ms with 64 MiB), audit_event insert, sessions insert, plus ES256 sign.
|
|
// The original 500 ms SLO was set when login was just SHA-384 + JWT; raising
|
|
// to 1500 ms reflects the deliberate auth-hardening trade-off. Production
|
|
// Linux + dedicated Postgres comfortably stays under 600 ms.
|
|
p95.Should().BeLessThan(1500);
|
|
}
|
|
|
|
[Fact]
|
|
[Trait("Category", "ResourceLimit")]
|
|
public async Task Max_file_upload_200_mb_accepted()
|
|
{
|
|
// Arrange
|
|
const string folder = "testfolder";
|
|
const string fileName = "max.bin";
|
|
var payload = new byte[200 * 1024 * 1024 - 4096];
|
|
|
|
try
|
|
{
|
|
using var adminClient = _fixture.CreateAuthenticatedClient(_fixture.AdminToken);
|
|
|
|
// Act
|
|
using var response = await adminClient.UploadFileAsync($"/resources/{folder}", payload, fileName);
|
|
|
|
// Assert
|
|
response.StatusCode.Should().Be(HttpStatusCode.OK);
|
|
}
|
|
finally
|
|
{
|
|
using var adminCleanup = _fixture.CreateAuthenticatedClient(_fixture.AdminToken);
|
|
using var clear = await adminCleanup.PostAsync($"/resources/clear/{folder}", new { });
|
|
clear.EnsureSuccessStatusCode();
|
|
}
|
|
}
|
|
|
|
[Fact]
|
|
[Trait("Category", "ResourceLimit")]
|
|
public async Task Over_max_upload_201_mb_rejected_or_connection_aborted()
|
|
{
|
|
// Arrange
|
|
const string folder = "testfolder";
|
|
const string fileName = "over.bin";
|
|
var payload = new byte[201 * 1024 * 1024];
|
|
|
|
using var adminClient = _fixture.CreateAuthenticatedClient(_fixture.AdminToken);
|
|
|
|
// Act
|
|
var outcome = await TryUploadAsync(adminClient, $"/resources/{folder}", payload, fileName);
|
|
|
|
// Assert
|
|
outcome.Acceptable.Should().BeTrue();
|
|
|
|
using (var adminCleanup = _fixture.CreateAuthenticatedClient(_fixture.AdminToken))
|
|
{
|
|
using var clear = await adminCleanup.PostAsync($"/resources/clear/{folder}", new { });
|
|
clear.EnsureSuccessStatusCode();
|
|
}
|
|
}
|
|
|
|
private static async Task<(bool Acceptable, HttpStatusCode? Status)> TryUploadAsync(
|
|
ApiClient adminClient, string url, byte[] payload, string fileName)
|
|
{
|
|
try
|
|
{
|
|
using var response = await adminClient.UploadFileAsync(url, payload, fileName);
|
|
if (response.StatusCode == HttpStatusCode.RequestEntityTooLarge)
|
|
return (true, response.StatusCode);
|
|
return (false, response.StatusCode);
|
|
}
|
|
catch (Exception ex) when (IsConnectionRelated(ex))
|
|
{
|
|
return (true, null);
|
|
}
|
|
}
|
|
|
|
private static bool IsConnectionRelated(Exception ex)
|
|
{
|
|
if (ex is HttpRequestException or TaskCanceledException or IOException)
|
|
return true;
|
|
return ex.InnerException is not null && IsConnectionRelated(ex.InnerException);
|
|
}
|
|
}
|