azaion/admin
1
0
Fork 0
mirror of https://github.com/azaion/admin.git synced 2026-06-21 10:41:09 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
e3b0fe6582f35aa71c25544133dab60d226f7d57
admin/docker-compose.test.yml
T
Oleksandr Bezdieniezhnykh 51a293dbcc
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details
[AZ-531] [AZ-532] Refresh-token rotation + ES256 signing with JWKS 
AZ-531 — /login now returns access (15 min) + opaque refresh; rotation
on /token/refresh; reuse of a rotated refresh kills the entire session
family per OAuth 2.1 §6.1; sliding 8 h + absolute 12 h windows; new
sessions table with serializable-tx rotation.

AZ-532 — switched access-token signing from HS256 shared-secret to ES256
file-backed PEMs; new JwtSigningKeyProvider, JWKS at /.well-known/jwks.json
with public-only fields and 1 h cache; ValidAlgorithms pinned so an
HS256-with-public-key alg-confusion attack is rejected; production keys
ignored under secrets/jwt-keys, deterministic test fixtures committed
under e2e/test-keys.

Tests: 10/10 new ACs covered (RefreshTokenFlowTests, AsymmetricSigningTests).
Pre-existing AuthTests.Jwt_contains_expected_claims_and_lifetime updated
for 15 min + sid/jti claims; SecurityTests.Expired_jwt re-signed with
ES256; ResilienceTests login p95 SLO raised 500 ms → 1500 ms in test env
to reflect Argon2id + dual DB writes + ES256 sign cost (production Linux
budget unchanged, see batch_02_cycle2_review.md F1).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-14 05:30:03 +03:00

76 lines
2.2 KiB
YAML
Raw Blame History

services:
test-db:
image: postgres:16-alpine
environment:
POSTGRES_USER: postgres
POSTGRES_PASSWORD: test_password
POSTGRES_DB: postgres
volumes:
- ./e2e/db-init/00_run_all.sh:/docker-entrypoint-initdb.d/00_run_all.sh:ro
- ./env/db:/docker-entrypoint-initdb.d/sql:ro
- ./e2e/db-init/99_test_seed.sql:/opt/test-seed.sql:ro
healthcheck:
test: ["CMD-SHELL", "pg_isready -U postgres -d postgres"]
interval: 5s
timeout: 5s
retries: 10
start_period: 10s
networks:
- e2e-net
system-under-test:
build:
context: .
dockerfile: Dockerfile
depends_on:
test-db:
condition: service_healthy
environment:
ASPNETCORE_URLS: http://+:8080
ASPNETCORE_ENVIRONMENT: Development
ConnectionStrings__AzaionDb: "Host=test-db;Port=5432;Database=azaion;Username=azaion_reader;Password=test_password"
ConnectionStrings__AzaionDbAdmin: "Host=test-db;Port=5432;Database=azaion;Username=azaion_admin;Password=test_password"
# AZ-532 — two ES256 keys mounted below; kid-test-a is the active signer,
# kid-test-b stays in JWKS to exercise the rotation-overlap test.
JwtConfig__KeysFolder: "/etc/jwt-keys"
JwtConfig__ActiveKid: "kid-test-a"
ResourcesConfig__ResourcesFolder: "Content"
ports:
- "8080:8080"
volumes:
- test-resources:/app/Content
- ./e2e/test-keys:/etc/jwt-keys:ro
healthcheck:
test: ["CMD", "curl", "--fail", "--silent", "--show-error", "http://localhost:8080/health/live"]
interval: 10s
timeout: 5s
retries: 8
start_period: 45s
networks:
- e2e-net
e2e-consumer:
build:
context: ./e2e
dockerfile: Dockerfile
depends_on:
system-under-test:
condition: service_healthy
environment:
# AZ-532 — tests sign tokens with the SAME ES256 keys the SUT uses, so
# they need read access to the same fixture directory.
JwtKeysFolder: "/etc/jwt-keys"
JwtActiveKid: "kid-test-a"
volumes:
- ./e2e/test-results:/test-results
- ./e2e/test-keys:/etc/jwt-keys:ro
networks:
- e2e-net
networks:
e2e-net:
driver: bridge
volumes:
test-resources:
Reference in New Issue View Git Blame Copy Permalink