azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 22:51:10 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
8b7d8a42752ee379d3f2ce111ed1a74c09fe6055
admin/e2e/Azaion.E2E/Tests/CorsHttpsTests.cs
T
Oleksandr Bezdieniezhnykh 491993f9c1
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-536] [AZ-537] [AZ-538] Argon2id, login rate limit + lockout, CORS https-only 
AZ-536 — replace unsalted SHA-384 password hashing with Argon2id (RFC 9106).
Stored as PHC string with 64 MiB / 3 iter / 1 lane defaults; legacy SHA-384
hashes detected by prefix and lazily re-hashed on next successful login.
Verify uses CryptographicOperations.FixedTimeEquals on both formats.

AZ-537 — add per-IP sliding window rate limit on /login (ASP.NET Core
RateLimiter, 10/60s default — production-tight) plus DB-backed per-account
limit (5/300s) and consecutive-failure lockout (10 / 15 min) on the users
row. Adds a generic audit_events table with INSERT/SELECT-only grants for
the app role so the per-account count is queryable and admins cannot erase
their own forensic trail. BusinessExceptionHandler maps AccountLocked to
423 and LoginRateLimited to 429, both with Retry-After.

AZ-538 — drop the http://admin.azaion.com origin from CORS, gate
UseHsts() + UseHttpsRedirection() to non-Development envs (1y / preload).

Test infra: Npgsql in the e2e project + a DbHelper for direct DB
inspection used by the AZ-536/537 ACs. appsettings.Development.json
raises PerIpPermitLimit to 1000 so the suite (~270 logins from one
container IP) doesn't false-trip the limiter.

Tests: 53 pass + 3 documented skips (per-IP rate limit needs distinct
client IPs; HSTS/HTTPS redirect need ASPNETCORE_ENVIRONMENT=Production).

Code review: PASS_WITH_WARNINGS — 0 Critical, 0 High, 1 Medium, 3 Low.
See _docs/03_implementation/reviews/batch_01_cycle2_review.md.

Closes AZ-530 epic batch 1 of 4.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 04:52:31 +03:00

92 lines
4.1 KiB
C#
Raw Blame History

using System.Net;
using System.Net.Http;
using Azaion.E2E.Helpers;
using FluentAssertions;
using Xunit;
namespace Azaion.E2E.Tests;
// AZ-538 — CORS http-origin removal + HSTS + HTTPS redirection.
//
// The test environment runs ASPNETCORE_ENVIRONMENT=Development (matches the
// docker-compose.test.yml setting), so AC-3/AC-4 (production-only behavior) are
// verified by direct inspection of the production-side code path:
// `if (!app.Environment.IsDevelopment()) { app.UseHsts(); app.UseHttpsRedirection(); }`
// — the same gate ASP.NET Core's standard project template uses.
//
// AC-1, AC-2, and AC-5 are exercised here against the running container.
[Collection("E2E")]
public sealed class CorsHttpsTests
{
private readonly TestFixture _fixture;
public CorsHttpsTests(TestFixture fixture) => _fixture = fixture;
[Fact]
public async Task AC1_Http_origin_is_rejected_by_cors_preflight()
{
// Arrange
using var bare = new HttpClient { BaseAddress = new Uri(_fixture.Settings.ApiBaseUrl), Timeout = TimeSpan.FromSeconds(30) };
var preflight = new HttpRequestMessage(HttpMethod.Options, "/login");
preflight.Headers.Add("Origin", "http://admin.azaion.com");
preflight.Headers.Add("Access-Control-Request-Method", "POST");
preflight.Headers.Add("Access-Control-Request-Headers", "content-type");
// Act
using var response = await bare.SendAsync(preflight);
// Assert
response.Headers.Contains("Access-Control-Allow-Origin").Should().BeFalse(
"the http origin is no longer allow-listed");
}
[Fact]
public async Task AC2_Https_origin_is_accepted_with_credentials()
{
// Arrange
using var bare = new HttpClient { BaseAddress = new Uri(_fixture.Settings.ApiBaseUrl), Timeout = TimeSpan.FromSeconds(30) };
var preflight = new HttpRequestMessage(HttpMethod.Options, "/login");
preflight.Headers.Add("Origin", "https://admin.azaion.com");
preflight.Headers.Add("Access-Control-Request-Method", "POST");
preflight.Headers.Add("Access-Control-Request-Headers", "content-type");
// Act
using var response = await bare.SendAsync(preflight);
// Assert
response.Headers.GetValues("Access-Control-Allow-Origin")
.Should().ContainSingle().Which.Should().Be("https://admin.azaion.com");
response.Headers.GetValues("Access-Control-Allow-Credentials")
.Should().ContainSingle().Which.Should().Be("true");
}
// AZ-538 AC-3 — HSTS is gated to non-Development envs in Program.cs:
// if (!app.Environment.IsDevelopment()) { app.UseHsts(); ... }
// The test container runs ASPNETCORE_ENVIRONMENT=Development, so the production
// path can't be exercised here without spinning a second Production-mode SUT.
// Tracked here as a skipped Fact so the AC stays linked to a test rather than a
// file-level comment; promote to a runnable test when a prod-mode harness exists.
[Fact(Skip = "AZ-538 AC-3 requires ASPNETCORE_ENVIRONMENT=Production; test harness runs Development. Verified by code inspection of Program.cs UseHsts gate.")]
public void AC3_Hsts_header_present_in_production() { }
// AZ-538 AC-4 — same gate as AC-3: UseHttpsRedirection only fires when not
// Development. Skipped for the same prod-only reason.
[Fact(Skip = "AZ-538 AC-4 requires ASPNETCORE_ENVIRONMENT=Production; test harness runs Development. Verified by code inspection of Program.cs UseHttpsRedirection gate.")]
public void AC4_Http_request_redirects_to_https_in_production() { }
[Fact]
public async Task AC5_Development_env_does_not_redirect_or_send_hsts()
{
// Arrange
using var bare = new HttpClient { BaseAddress = new Uri(_fixture.Settings.ApiBaseUrl), Timeout = TimeSpan.FromSeconds(30) };
// Act
using var response = await bare.GetAsync("/health/live");
// Assert
response.StatusCode.Should().Be(HttpStatusCode.OK);
response.Headers.Contains("Strict-Transport-Security").Should().BeFalse(
"Development env must not emit HSTS so http://localhost workflows still work");
}
}
Reference in New Issue View Git Blame Copy Permalink