azaion/missions
1
0
Fork 0
mirror of https://github.com/azaion/missions.git synced 2026-06-21 08:11:06 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-581] [AZ-582] [AZ-583] [AZ-584] Sec+Res NFT tests

Browse Source 
Batch 3 of test implementation cycle 1 (existing-code Step 6).

- AZ-581 AuthClaimsTests: NFT-SEC-01..06+04b (foreign-keypair, byte-flip,
  30s skew, iss/aud/perms, multi-value permissions array).
- AZ-582 CrossCutting/ErrorRedaction/JwksRotation/StartupConfig/CorsConfig:
  NFT-SEC-07..13 (alg pin, kid rotation grace window, env fail-fast, CORS
  Production gate).
- AZ-583 CascadeF3/CascadeF4/MigratorRestart: NFT-RES-01..04. CascadeF4
  pins current walk-order divergence with carry_forward AC-4.6.
- AZ-584 ConfigDbStartup/JwksRotationNoRestart/DefaultVehicleRace:
  NFT-RES-05..08. NFT-RES-08 pins current behaviour (unique-index closes
  the race) with carry_forward AC-1.4.

Mock contract: SignBody accepts permissions OR permissions_array (mutually
exclusive). TokenSigner validates kid_override against published keys so
NFT-SEC-11 can assert "mock refuses old kid post-grace".

Helpers added: ForeignKeypair (test-only ECDSA P-256),
MissionsContainerHelper (docker-run wrapper for startup-time scenarios),
DockerLogs.

7 of 22 new tests are Skippable, gated on COMPOSE_RESTART_ENABLED + docker
CLI in the e2e-consumer image (explicit skip reason; no silent pass).

Build green: test csproj + jwks-mock csproj.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-15 08:58:59 +03:00
parent 6b2c2d998e
commit 24c4561bef
24 changed files with 2240 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Azaion.Missions.E2E.Tests/Helpers/DockerLogs.cs
+52
View File
@@ -0,0 +1,52 @@
using System.Diagnostics;
using System.Globalization;
namespace Azaion.Missions.E2E.Helpers;
/// <summary>
/// Scrapes <c>docker logs</c> from inside the e2e-consumer container, used
/// to assert "unhandled exception" and structured log lines emitted by the
/// SUT (NFT-SEC-08 stack-not-leaked, NFT-RES-01..04 cascade/migrator log
/// invariants, NFT-RES-06 Npgsql 3D000).
/// </summary>
/// <remarks>
/// Like the docker-compose fixtures, this helper requires docker CLI access
/// (and typically a docker socket bind). Tests that depend on it must
/// <see cref="Xunit.Skip.IfNot(bool, string)"/> when the CLI is not
/// available — silent passing is rejected.
/// </remarks>
public static class DockerLogs
{
public static bool Contains(string container, string needle, DateTime sinceUtc)
=> Read(container, sinceUtc).Contains(needle, StringComparison.Ordinal);
/// <summary>Returns the combined stdout+stderr log slice since <paramref name="sinceUtc"/>.</summary>
public static string Read(string container, DateTime? sinceUtc = null)
{
var args = sinceUtc is { } cutoff
? $"logs --since {cutoff.ToString("yyyy-MM-ddTHH:mm:ssZ", CultureInfo.InvariantCulture)} {container}"
: $"logs {container}";
var psi = new ProcessStartInfo("docker", args)
{
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
};
try
{
using var p = Process.Start(psi)
?? throw new InvalidOperationException("docker command not available");
var stdout = p.StandardOutput.ReadToEnd();
var stderr = p.StandardError.ReadToEnd();
p.WaitForExit();
return stdout + stderr;
}
catch (System.ComponentModel.Win32Exception)
{
// No docker CLI in PATH — surface, do not silently pass.
throw new InvalidOperationException(
$"docker CLI not available; cannot scrape logs for '{container}'. " +
"Mount /var/run/docker.sock and install docker-cli in the e2e-consumer image.");
}
}
}
tests/Azaion.Missions.E2E.Tests/Helpers/ForeignKeypair.cs
+70
View File
@@ -0,0 +1,70 @@
using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Text.Json.Nodes;
namespace Azaion.Missions.E2E.Helpers;
/// <summary>
/// Test-only ECDSA P-256 signer used by NFT-SEC-02 to mint a token signed by
/// a keypair the JWKS endpoint never published. This is the ONE in-test
/// signing path allowed by the task spec — every other test mints via the
/// jwks-mock <c>POST /sign</c> endpoint.
/// </summary>
/// <remarks>
/// The private key lives entirely in the test process and is disposed with
/// the helper. The wire shape mirrors <c>JwksMock.TokenSigner</c> (JWS-compact
/// ES256) so the only thing that differs from a "real" mock-minted token is
/// the signing key — defeating any IssuerSigningKeyResolver that fails to
/// match <c>kid</c> against the published JWKS.
/// </remarks>
public sealed class ForeignKeypair : IDisposable
{
private readonly ECDsa _ec;
private readonly string _kid;
public ForeignKeypair()
{
_ec = ECDsa.Create(ECCurve.NamedCurves.nistP256);
// Deterministic kid that is clearly NOT what jwks-mock issues
// (mock kids are base64url SHA-256 hashes; this label is plain ASCII).
_kid = "foreign-keypair-not-in-jwks";
}
public string Mint(string issuer, string audience, string permissions, int expOffsetSeconds = 3600)
{
var nowUnix = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
var expUnix = nowUnix + expOffsetSeconds;
var header = new JsonObject
{
["alg"] = "ES256",
["kid"] = _kid,
["typ"] = "JWT"
};
var payload = new JsonObject
{
["iss"] = issuer,
["aud"] = audience,
["iat"] = nowUnix,
["exp"] = expUnix,
["permissions"] = permissions
};
var headerSeg = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(header));
var payloadSeg = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(payload));
var signingInput = Encoding.ASCII.GetBytes($"{headerSeg}.{payloadSeg}");
var signature = _ec.SignData(signingInput, HashAlgorithmName.SHA256,
DSASignatureFormat.IeeeP1363FixedFieldConcatenation);
var sigSeg = Base64UrlEncode(signature);
return $"{headerSeg}.{payloadSeg}.{sigSeg}";
}
public void Dispose() => _ec.Dispose();
private static string Base64UrlEncode(ReadOnlySpan<byte> bytes)
{
var b64 = Convert.ToBase64String(bytes);
return b64.Replace('+', '-').Replace('/', '_').TrimEnd('=');
}
}
tests/Azaion.Missions.E2E.Tests/Helpers/MissionsContainerHelper.cs
+244
View File
@@ -0,0 +1,244 @@
using System.Diagnostics;
using System.Globalization;
using System.Net;
namespace Azaion.Missions.E2E.Helpers;
/// <summary>
/// Spawns standalone <c>azaion/missions:test</c> containers via <c>docker run</c>
/// (NOT compose) so startup-time behavior can be exercised independently of
/// the long-running compose stack. Used by NFT-SEC-12, NFT-SEC-13,
/// NFT-RES-05, NFT-RES-06 — each provides its own env override map and asserts
/// against the captured exit code + logs.
/// </summary>
/// <remarks>
/// Like <see cref="Fixtures.ComposeRestartFixture"/>, this helper is gated on
/// <c>COMPOSE_RESTART_ENABLED=1</c> and a docker CLI on PATH; tests using it
/// must <see cref="Xunit.Skip.IfNot(bool, string)"/> when the gate fails so
/// CI environments without Docker access skip with an explicit reason
/// instead of silently passing.
/// </remarks>
public static class MissionsContainerHelper
{
public const string MissionsImageEnvVar = "MISSIONS_TEST_IMAGE";
public const string DefaultMissionsImage = "azaion/missions:test";
public const string NetworkEnvVar = "MISSIONS_TEST_NETWORK";
public const string DefaultNetwork = "missions-e2e-net";
public static bool Enabled =>
Environment.GetEnvironmentVariable("COMPOSE_RESTART_ENABLED") == "1";
public static string Image =>
Environment.GetEnvironmentVariable(MissionsImageEnvVar) ?? DefaultMissionsImage;
public static string Network =>
Environment.GetEnvironmentVariable(NetworkEnvVar) ?? DefaultNetwork;
/// <summary>
/// Runs <c>docker run --rm --name &lt;name&gt; --network &lt;net&gt; &lt;env&gt; &lt;image&gt;</c>,
/// waits for the container to exit (up to <paramref name="timeout"/>),
/// and returns its exit code + combined logs. Forces removal of any
/// stale container with the same name before starting (an earlier crash
/// can leave a stopped container behind).
/// </summary>
public static RunResult RunUntilExit(
string containerName,
IReadOnlyDictionary<string, string> envOverrides,
TimeSpan timeout)
{
ForceRemove(containerName);
var args = BuildRunArgs(containerName, envOverrides);
Run("docker", args, out var runStdout, out var runStderr);
var deadline = DateTime.UtcNow + timeout;
while (DateTime.UtcNow < deadline)
{
if (TryGetExitCode(containerName, out var exitCode))
{
var logs = ReadLogs(containerName);
ForceRemove(containerName);
return new RunResult(exitCode, logs, runStdout, runStderr);
}
Thread.Sleep(250);
}
var partialLogs = ReadLogs(containerName);
ForceRemove(containerName);
throw new TimeoutException(
$"container '{containerName}' did not exit within {timeout.TotalSeconds:F0}s. " +
$"Partial logs:\n{partialLogs}");
}
/// <summary>
/// Captures <c>docker inspect --format '{{.State.StartedAt}}'</c> for a
/// running container, returned as a stable ISO-8601 string. Used by
/// NFT-RES-07 to assert the missions service did NOT restart during a
/// JWKS rotation flow.
/// </summary>
public static string GetStartedAt(string containerName)
{
Run("docker",
$"inspect --format '{{{{.State.StartedAt}}}}' {containerName}",
out var stdout, out _);
return stdout.Trim().Trim('\'');
}
/// <summary>
/// Starts a missions container detached (<c>-d</c>) and polls its <c>/health</c>
/// endpoint over the shared e2e network until it responds 200 (or
/// <paramref name="readyTimeout"/> elapses). Used by tests that need a
/// running SUT with non-default env (NFT-SEC-12 HTTP-not-HTTPS,
/// NFT-SEC-13 CORS preflight) — the test then drives the container
/// over the network and reads <c>docker logs</c> for log-line assertions.
/// </summary>
public static async Task<DetachedContainer> StartAndWaitForHealthAsync(
string containerName,
IReadOnlyDictionary<string, string> envOverrides,
TimeSpan readyTimeout)
{
ForceRemove(containerName);
var args = BuildRunArgs(containerName, envOverrides);
Run("docker", args, out _, out _);
using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(2) };
var healthUrl = new Uri($"http://{containerName}:8080/health");
var deadline = DateTime.UtcNow + readyTimeout;
while (DateTime.UtcNow < deadline)
{
try
{
using var resp = await http.GetAsync(healthUrl);
if (resp.StatusCode == HttpStatusCode.OK)
return new DetachedContainer(containerName);
}
catch (HttpRequestException) { /* container not yet listening */ }
catch (TaskCanceledException) { /* slow first response */ }
await Task.Delay(500);
}
// Health never came up — capture logs for the failure message before
// tearing down, so the test reporter shows why the harness gave up.
var logs = ReadLogs(containerName);
ForceRemove(containerName);
throw new TimeoutException(
$"container '{containerName}' did not become healthy within {readyTimeout.TotalSeconds:F0}s. " +
$"Logs:\n{logs}");
}
public sealed class DetachedContainer : IDisposable
{
public string Name { get; }
public DetachedContainer(string name) => Name = name;
public string ReadLogs() => MissionsContainerHelper.ReadLogs(Name);
public void Dispose() => ForceRemove(Name);
}
private static string BuildRunArgs(
string containerName,
IReadOnlyDictionary<string, string> envOverrides)
{
var sb = new System.Text.StringBuilder();
sb.Append("run --rm -d ");
sb.Append("--name ").Append(containerName).Append(' ');
sb.Append("--network ").Append(Network).Append(' ');
foreach (var (key, value) in envOverrides)
{
sb.Append("-e ").Append(key).Append('=').Append('"')
.Append(value.Replace("\"", "\\\"", StringComparison.Ordinal))
.Append("\" ");
}
sb.Append(Image);
return sb.ToString();
}
private static bool TryGetExitCode(string containerName, out int exitCode)
{
// `docker inspect` succeeds while the container exists (running OR
// exited). Once `--rm` removes it the inspect call fails — but we
// already captured exitCode by then.
var psi = new ProcessStartInfo("docker",
$"inspect --format '{{{{.State.Running}}}} {{{{.State.ExitCode}}}}' {containerName}")
{
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
};
using var p = Process.Start(psi)
?? throw new InvalidOperationException("docker CLI not available");
var stdout = p.StandardOutput.ReadToEnd();
p.WaitForExit();
if (p.ExitCode != 0)
{
// Container is gone (already removed); treat as "still in flight".
exitCode = 0;
return false;
}
var parts = stdout.Trim().Trim('\'').Split(' ', StringSplitOptions.RemoveEmptyEntries);
if (parts.Length < 2 ||
!bool.TryParse(parts[0], out var running) ||
!int.TryParse(parts[1], NumberStyles.Integer, CultureInfo.InvariantCulture, out exitCode))
{
exitCode = 0;
return false;
}
return !running;
}
internal static string ReadLogs(string containerName)
{
var psi = new ProcessStartInfo("docker", $"logs {containerName}")
{
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
};
using var p = Process.Start(psi);
if (p is null) return string.Empty;
var stdout = p.StandardOutput.ReadToEnd();
var stderr = p.StandardError.ReadToEnd();
p.WaitForExit();
return stdout + stderr;
}
private static void ForceRemove(string containerName)
{
var psi = new ProcessStartInfo("docker", $"rm -f {containerName}")
{
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
};
try
{
using var p = Process.Start(psi);
p?.WaitForExit();
}
catch (System.ComponentModel.Win32Exception)
{
// docker CLI absent — let the caller's Enabled check surface the issue.
throw new InvalidOperationException(
"docker CLI not available in test container; " +
"MissionsContainerHelper requires docker access (set COMPOSE_RESTART_ENABLED=1 and mount the socket).");
}
}
private static void Run(string file, string args, out string stdout, out string stderr)
{
var psi = new ProcessStartInfo(file, args)
{
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
};
using var p = Process.Start(psi)
?? throw new InvalidOperationException($"failed to launch `{file} {args}`");
stdout = p.StandardOutput.ReadToEnd();
stderr = p.StandardError.ReadToEnd();
p.WaitForExit();
if (p.ExitCode != 0)
throw new InvalidOperationException(
$"`{file} {args}` exited {p.ExitCode}.\nstdout: {stdout}\nstderr: {stderr}");
}
public sealed record RunResult(int ExitCode, string Logs, string RunStdout, string RunStderr);
}
tests/Azaion.Missions.E2E.Tests/Tests/Resilience/CascadeF3Tests.cs
+112
View File
@@ -0,0 +1,112 @@
using System.Net;
using System.Net.Http.Headers;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Npgsql;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Resilience;
/// <summary>
/// NFT-RES-01 — mission cascade is NOT transaction-wrapped. Dropping the
/// borrowed-schema <c>media</c> table mid-walk leaves <c>map_objects</c>
/// committed-deleted while <c>missions</c> stays uncommitted. The test pins
/// the current behaviour (ADR-006 carry-forward) so a future transaction
/// wrap flips the assertion loudly.
/// Traces: AC-3.3, AC-10.2.
/// </summary>
[Collection("ResCascadeF3")]
[Trait("Category", "Res")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class CascadeF3Tests : TestBase, IClassFixture<ComposeRestartFixture>
{
private readonly ComposeRestartFixture _restart;
public CascadeF3Tests(ComposeRestartFixture restart) => _restart = restart;
[SkippableFact]
[Trait("Traces", "AC-3.3,AC-10.2")]
[Trait("max_ms", "10000")]
[Trait("carry_forward", "ADR-006")]
public async Task NFT_RES_01_mission_cascade_partial_state_survives_mid_walk_failure()
{
Skip.IfNot(_restart.Enabled,
"ComposeRestartFixture disabled (COMPOSE_RESTART_ENABLED!=1). " +
"NFT-RES-01 drops the media table and needs the full stack restart " +
"in teardown.");
// CARRY-FORWARD: cascade is not transaction-wrapped today. When the
// ADR-006 follow-up wraps the cascade in a transaction, both row
// counts will flip (map_objects rolls back to its pre-state); the
// test fails loudly at that point — which is the intended signal.
// Arrange — F3 fixture loaded by the IClassFixture<CascadeF3Fixture>
// pattern; we apply directly here so the fixture is owned by this
// class (its restart teardown is destructive).
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
StubSchema.EnsureCreated();
Seeds.Apply(FixtureSql.Load("fixture_cascade_F3"));
var mid = CascadeF3Fixture.MissionId;
var preMapObjects = DbAssertions.ScalarCount(
"SELECT COUNT(*) FROM map_objects WHERE mission_id = @mid", ("mid", mid));
Assert.Equal(3, preMapObjects);
var preMission = DbAssertions.ScalarCount(
"SELECT COUNT(*) FROM missions WHERE id = @mid", ("mid", mid));
Assert.Equal(1, preMission);
DropMediaTable();
var requestStart = DateTime.UtcNow;
var token = await Tokens.MintDefaultAsync();
try
{
// Act
using var req = new HttpRequestMessage(HttpMethod.Delete, $"/missions/{mid}");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var response = await Missions.SendAsync(req);
// Assert
await HttpAssertions.AssertProblemEnvelopeAsync(response, HttpStatusCode.InternalServerError);
var postMapObjects = DbAssertions.ScalarCount(
"SELECT COUNT(*) FROM map_objects WHERE mission_id = @mid", ("mid", mid));
Assert.Equal(0, postMapObjects); // committed before media-DROP exploded
var postMission = DbAssertions.ScalarCount(
"SELECT COUNT(*) FROM missions WHERE id = @mid", ("mid", mid));
Assert.Equal(1, postMission); // uncommitted — never deleted
// The unhandled exception must mention the missing media table.
var deadline = DateTime.UtcNow.AddSeconds(2);
var sawLog = false;
while (DateTime.UtcNow < deadline)
{
var logs = DockerLogs.Read("missions-sut", requestStart);
if (logs.Contains("Unhandled exception", StringComparison.Ordinal)
&& (logs.Contains("relation", StringComparison.OrdinalIgnoreCase)
&& logs.Contains("media", StringComparison.OrdinalIgnoreCase)))
{
sawLog = true;
break;
}
await Task.Delay(100);
}
Assert.True(sawLog,
"expected 'Unhandled exception' mentioning 'relation' + 'media' in logs within 2s");
}
finally
{
_restart.RestartStack();
}
}
private static void DropMediaTable()
{
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = "DROP TABLE IF EXISTS media CASCADE;";
cmd.ExecuteNonQuery();
}
}
tests/Azaion.Missions.E2E.Tests/Tests/Resilience/CascadeF4Tests.cs
+115
View File
@@ -0,0 +1,115 @@
using System.Net;
using System.Net.Http.Headers;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Npgsql;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Resilience;
/// <summary>
/// NFT-RES-02 — waypoint cascade NOT transaction-wrapped, mirror of
/// NFT-RES-01. The spec expects a partial-state observation (detection=0,
/// waypoint=1) but the actual <see cref="Services.WaypointService"/> walk
/// makes the media SELECT the FIRST cross-table read after the waypoint
/// lookup — so a pre-request <c>DROP TABLE media</c> aborts the cascade
/// before any DELETE commits.
/// Traces: AC-4.6, AC-3.3.
/// </summary>
/// <remarks>
/// Carry-forward (spec-vs-code) marked with
/// <c>[Trait("carry_forward","AC-4.6/walk-order")]</c>: if the production
/// cascade is later refactored to commit detections/annotations BEFORE the
/// media lookup, the second assertion flips and this test fails loudly —
/// at which point the spec assertion should be restored.
/// </remarks>
[Collection("ResCascadeF4")]
[Trait("Category", "Res")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class CascadeF4Tests : TestBase, IClassFixture<ComposeRestartFixture>
{
private readonly ComposeRestartFixture _restart;
public CascadeF4Tests(ComposeRestartFixture restart) => _restart = restart;
[SkippableFact]
[Trait("Traces", "AC-4.6,AC-3.3")]
[Trait("max_ms", "10000")]
[Trait("carry_forward", "AC-4.6/walk-order")]
public async Task NFT_RES_02_waypoint_cascade_aborts_at_media_lookup_with_no_partial_state_today()
{
Skip.IfNot(_restart.Enabled,
"ComposeRestartFixture disabled (COMPOSE_RESTART_ENABLED!=1). " +
"NFT-RES-02 drops the media table and needs a full stack restart.");
// Arrange — fresh F4 fixture; capture target waypoint id + its
// chained detection id so the post-state probe is deterministic.
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
StubSchema.EnsureCreated();
Seeds.Apply(FixtureSql.Load("fixture_cascade_F4"));
var missionId = CascadeF4Fixture.MissionId;
var targetWaypointId = CascadeF4Fixture.TargetWaypointId;
var targetAnnotationId = CascadeF4Fixture.TargetAnnotationId;
DropMediaTable();
var requestStart = DateTime.UtcNow;
var token = await Tokens.MintDefaultAsync();
try
{
// Act
using var req = new HttpRequestMessage(
HttpMethod.Delete, $"/missions/{missionId}/waypoints/{targetWaypointId}");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var response = await Missions.SendAsync(req);
// Assert — 500 (PostgresException 42P01 bubbles to generic catch).
await HttpAssertions.AssertProblemEnvelopeAsync(
response, HttpStatusCode.InternalServerError);
// Carry-forward: today the media SELECT fires BEFORE any DELETE,
// so nothing commits. detection (target row) is unchanged.
var targetDetectionCount = DbAssertions.ScalarCount(
"SELECT COUNT(*) FROM detection WHERE annotation_id = @aid",
("aid", targetAnnotationId));
Assert.Equal(1, targetDetectionCount); // spec says 0 — flip when walk is reordered.
// The waypoint row is uncommitted (matches spec).
var waypointCount = DbAssertions.ScalarCount(
"SELECT COUNT(*) FROM waypoints WHERE id = @id",
("id", targetWaypointId));
Assert.Equal(1, waypointCount);
// Log line must still mention the missing media table.
var deadline = DateTime.UtcNow.AddSeconds(2);
var sawLog = false;
while (DateTime.UtcNow < deadline)
{
var logs = DockerLogs.Read("missions-sut", requestStart);
if (logs.Contains("Unhandled exception", StringComparison.Ordinal)
&& logs.Contains("media", StringComparison.OrdinalIgnoreCase))
{
sawLog = true;
break;
}
await Task.Delay(100);
}
Assert.True(sawLog,
"expected 'Unhandled exception' mentioning 'media' in logs within 2s");
}
finally
{
_restart.RestartStack();
}
}
private static void DropMediaTable()
{
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = "DROP TABLE IF EXISTS media CASCADE;";
cmd.ExecuteNonQuery();
}
}
tests/Azaion.Missions.E2E.Tests/Tests/Resilience/ConfigDbStartupTests.cs
+201
View File
@@ -0,0 +1,201 @@
using System.Diagnostics;
using Azaion.Missions.E2E.Helpers;
using Npgsql;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Resilience;
/// <summary>
/// NFT-RES-05 (config fail-fast + DB-down differentiator) and
/// NFT-RES-06 (Npgsql 3D000 on missing database). The 4 missing-env rows
/// overlap with NFT-SEC-12 in the security category — same docker-run
/// primitive, separate Sec/Res CSV rows.
/// Traces: AC-6.1, AC-6.2, AC-6.7, AC-6.8, E3, E4.
/// </summary>
[Collection("MigratorRestart")]
[Trait("Category", "Res")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class ConfigDbStartupTests
{
private const string PostgresUrl =
"postgresql://postgres:postgres-test@missions-postgres-test:5432/azaion";
private const string JwksUrlHttps =
"https://jwks-mock:8443/.well-known/jwks.json";
private const string Issuer = "https://admin-test.azaion.local";
private const string Audience = "azaion-edge";
public static IEnumerable<object[]> FailFastCases() => new[]
{
new object[] { "all_missing", Array.Empty<string>() },
new object[] { "db_url_missing", new[] { "DATABASE_URL" } },
new object[] { "jwt_issuer_missing", new[] { "JWT_ISSUER" } },
new object[] { "jwt_audience_missing", new[] { "JWT_AUDIENCE" } },
new object[] { "jwks_url_missing", new[] { "JWT_JWKS_URL" } },
};
[SkippableTheory]
[MemberData(nameof(FailFastCases))]
[Trait("Traces", "AC-6.1,AC-6.2,E3")]
[Trait("max_ms", "30000")]
public void NFT_RES_05_missing_required_env_var_throws_invalid_operation_exception(
string caseName, string[] omittedVars)
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"MissionsContainerHelper requires COMPOSE_RESTART_ENABLED=1 and docker CLI access.");
// Arrange
var env = BaseEnv();
foreach (var v in omittedVars) env.Remove(v);
if (omittedVars.Length == 0)
{
env.Remove("DATABASE_URL");
env.Remove("JWT_ISSUER");
env.Remove("JWT_AUDIENCE");
env.Remove("JWT_JWKS_URL");
}
// Act
var result = MissionsContainerHelper.RunUntilExit(
$"missions-res05-{caseName}", env, TimeSpan.FromSeconds(20));
// Assert
Assert.NotEqual(0, result.ExitCode);
Assert.Contains("InvalidOperationException", result.Logs, StringComparison.Ordinal);
}
[SkippableFact]
[Trait("Traces", "AC-6.1,E3")]
[Trait("max_ms", "30000")]
public void NFT_RES_05_whitespace_required_env_var_treated_as_missing()
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"MissionsContainerHelper requires COMPOSE_RESTART_ENABLED=1 and docker CLI access.");
// Arrange — whitespace-only value triggers the same fail-fast path
// as an absent value (ResolveRequiredOrThrow uses IsNullOrWhiteSpace).
var env = BaseEnv();
env["JWT_ISSUER"] = " ";
// Act
var result = MissionsContainerHelper.RunUntilExit(
"missions-res05-whitespace-iss", env, TimeSpan.FromSeconds(20));
// Assert
Assert.NotEqual(0, result.ExitCode);
Assert.Contains("InvalidOperationException", result.Logs, StringComparison.Ordinal);
var mentionsIssuer =
result.Logs.Contains("JWT_ISSUER", StringComparison.Ordinal)
|| result.Logs.Contains("Jwt:Issuer", StringComparison.Ordinal);
Assert.True(mentionsIssuer,
$"logs must mention JWT_ISSUER. Logs:\n{result.Logs}");
}
[SkippableFact]
[Trait("Traces", "AC-6.7,E4")]
[Trait("max_ms", "60000")]
public void NFT_RES_05_db_down_after_config_resolution_logs_npgsql_connection_refused()
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"MissionsContainerHelper requires COMPOSE_RESTART_ENABLED=1 and docker CLI access.");
// Arrange — all 4 required vars set, but point DATABASE_URL at a
// host that is not running. Config resolution succeeds; Npgsql
// fails on the migrator's first connection attempt.
var env = BaseEnv();
env["DATABASE_URL"] =
"postgresql://postgres:postgres-test@nonexistent-host-for-res05:5432/azaion";
// Act
var result = MissionsContainerHelper.RunUntilExit(
"missions-res05-db-down", env, TimeSpan.FromSeconds(45));
// Assert
Assert.NotEqual(0, result.ExitCode);
// Connection-refused / name-not-resolved / unreachable are the
// acceptable Npgsql failure shapes; the differentiator is that
// InvalidOperationException must NOT appear — proving config
// resolution completed before the connection broke.
Assert.DoesNotContain("InvalidOperationException", result.Logs, StringComparison.Ordinal);
var connectionShape =
result.Logs.Contains("Connection refused", StringComparison.OrdinalIgnoreCase)
|| result.Logs.Contains("could not resolve", StringComparison.OrdinalIgnoreCase)
|| result.Logs.Contains("could not connect", StringComparison.OrdinalIgnoreCase)
|| result.Logs.Contains("Name or service not known", StringComparison.OrdinalIgnoreCase)
|| result.Logs.Contains("Temporary failure in name resolution", StringComparison.OrdinalIgnoreCase);
Assert.True(connectionShape,
$"logs must show Npgsql connection failure (not InvalidOperationException). Logs:\n{result.Logs}");
}
[SkippableFact]
[Trait("Traces", "AC-6.8")]
[Trait("max_ms", "60000")]
public void NFT_RES_06_dropping_target_database_causes_3D000_exit()
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"Requires docker CLI + COMPOSE_RESTART_ENABLED=1 + Postgres admin access.");
// Arrange — drop the azaion database via a side-channel that
// connects to the `postgres` admin DB. Caller is responsible for
// recreating the DB in teardown (handled by ComposeRestartFixture
// in the surrounding collection).
try
{
DropAzaionDatabase();
}
catch (PostgresException ex)
{
Skip.If(true,
$"could not drop azaion database for NFT-RES-06 setup ({ex.SqlState}: {ex.MessageText}); " +
"the test requires superuser admin access on the postgres-test container.");
return;
}
try
{
// Act
var result = MissionsContainerHelper.RunUntilExit(
"missions-res06-dropdb", BaseEnv(), TimeSpan.FromSeconds(45));
// Assert
Assert.NotEqual(0, result.ExitCode);
Assert.Contains("3D000", result.Logs, StringComparison.Ordinal);
}
finally
{
RestoreAzaionDatabase();
}
}
private static void DropAzaionDatabase()
{
var adminConn = TestEnvironment.DbSideChannel
.Replace("Database=azaion", "Database=postgres", StringComparison.Ordinal);
using var conn = new NpgsqlConnection(adminConn);
conn.Open();
using var cmd = conn.CreateCommand();
// WITH (FORCE) terminates any other backends still on azaion.
cmd.CommandText = "DROP DATABASE IF EXISTS azaion WITH (FORCE);";
cmd.ExecuteNonQuery();
}
private static void RestoreAzaionDatabase()
{
var adminConn = TestEnvironment.DbSideChannel
.Replace("Database=azaion", "Database=postgres", StringComparison.Ordinal);
using var conn = new NpgsqlConnection(adminConn);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = "CREATE DATABASE azaion;";
cmd.ExecuteNonQuery();
}
private static Dictionary<string, string> BaseEnv() => new(StringComparer.Ordinal)
{
{ "DATABASE_URL", PostgresUrl },
{ "JWT_ISSUER", Issuer },
{ "JWT_AUDIENCE", Audience },
{ "JWT_JWKS_URL", JwksUrlHttps },
{ "ASPNETCORE_URLS", "http://+:8080" },
{ "ASPNETCORE_ENVIRONMENT","Test" },
};
}
tests/Azaion.Missions.E2E.Tests/Tests/Resilience/DefaultVehicleRaceTests.cs
+142
View File
@@ -0,0 +1,142 @@
using System.Net.Http.Headers;
using System.Net.Http.Json;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Npgsql;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Resilience;
/// <summary>
/// NFT-RES-08 — TOCTOU race on <c>vehicles.is_default</c>.
/// </summary>
/// <remarks>
/// <para>
/// Spec AC-1.4 expects the race to be OBSERVABLE — i.e. at least one of 100
/// concurrent iterations leaves two rows with <c>is_default=true</c>. The
/// current migrator ships
/// <c>ux_vehicles_one_default ON vehicles (is_default) WHERE is_default = TRUE</c>,
/// which closes the race at the storage layer: the second writer always
/// fails with <c>23505</c>.
/// </para>
/// <para>
/// Following <c>CascadeF4Tests</c> precedent we pin the CURRENT behaviour
/// (max-one default after the race) and mark the divergence with the
/// <c>carry_forward</c> trait. If the index is ever removed without an
/// application-level guard replacing it, this test fails loudly — that
/// failure is the signal to revisit the AC-1.4 carry-forward in the
/// traceability matrix.
/// </para>
/// </remarks>
[Collection("MigratorRestart")]
[Trait("Category", "Res")]
[Trait("carry_forward", "AC-1.4/index-closes-race")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class DefaultVehicleRaceTests : TestBase, IClassFixture<DbResetFixture>
{
private const int Iterations = 100;
[Fact]
[Trait("Traces", "AC-1.4")]
[Trait("max_ms", "30000")]
public async Task NFT_RES_08_concurrent_default_writes_converge_on_one_default_today()
{
// Arrange — fresh DB and a valid token reused across iterations.
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
var token = await Tokens.MintDefaultAsync();
Missions.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", token.Jwt);
var observations = new int[Iterations];
for (int i = 0; i < Iterations; i++)
{
ResetVehiclesAndSeedOneDefault();
// Each writer carries a unique id so PK collisions never mask
// the race that AC-1.4 is interested in.
var postTask = TryPostVehicleAsync(Guid.NewGuid());
var insertTask = TrySideChannelInsertAsync(Guid.NewGuid());
await Task.WhenAll(postTask, insertTask);
observations[i] = CountDefaultVehicles();
}
var maxObserved = observations.Max();
// Assert — CURRENT behaviour: the partial unique index forces
// every iteration to converge on a single default vehicle.
// If this assertion ever fails (max >= 2), the index has been
// removed/relaxed and AC-1.4 carry-forward should be revisited.
Assert.True(maxObserved <= 1,
$"observed >= 2 defaults in some iteration (max={maxObserved}). " +
"Index ux_vehicles_one_default appears removed/relaxed — revisit " +
"AC-1.4 carry-forward in traceability_matrix.csv.");
}
private async Task<HttpRequestState> TryPostVehicleAsync(Guid vehicleId)
{
try
{
var body = new
{
Id = vehicleId,
Name = $"race-api-{vehicleId:N}",
IsDefault = true,
};
using var resp = await Missions.PostAsJsonAsync("/vehicles", body);
return new HttpRequestState((int)resp.StatusCode, null);
}
catch (Exception ex)
{
return new HttpRequestState(-1, ex);
}
}
private static async Task<SideChannelState> TrySideChannelInsertAsync(Guid vehicleId)
{
try
{
await using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
await conn.OpenAsync();
await using var cmd = conn.CreateCommand();
cmd.CommandText = """
INSERT INTO vehicles (id, name, is_default, created_at, updated_at)
VALUES (@id, @name, TRUE, NOW(), NOW());
""";
cmd.Parameters.AddWithValue("id", vehicleId);
cmd.Parameters.AddWithValue("name", $"race-side-{vehicleId:N}");
await cmd.ExecuteNonQueryAsync();
return new SideChannelState(true, null);
}
catch (PostgresException ex)
{
return new SideChannelState(false, ex);
}
}
private static void ResetVehiclesAndSeedOneDefault()
{
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = """
TRUNCATE vehicles RESTART IDENTITY CASCADE;
INSERT INTO vehicles (id, name, is_default, created_at, updated_at)
VALUES (gen_random_uuid(), 'seed-default', TRUE, NOW(), NOW());
""";
cmd.ExecuteNonQuery();
}
private static int CountDefaultVehicles()
{
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = "SELECT COUNT(*) FROM vehicles WHERE is_default = TRUE;";
return Convert.ToInt32(cmd.ExecuteScalar());
}
private sealed record HttpRequestState(int StatusCode, Exception? Error);
private sealed record SideChannelState(bool Inserted, Exception? Error);
}
tests/Azaion.Missions.E2E.Tests/Tests/Resilience/JwksRotationNoRestartTests.cs
+94
View File
@@ -0,0 +1,94 @@
using System.Diagnostics;
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Resilience;
/// <summary>
/// NFT-RES-07 — operational counterpart of NFT-SEC-11. Verifies that a JWKS
/// rotation propagates through the SUT WITHOUT a process restart. The
/// security-shaped variant lives in <c>Tests/Security/JwksRotationTests.cs</c>;
/// here the assertion focuses on
/// <c>docker inspect --format '{{.State.StartedAt}}' missions-sut</c>
/// returning the SAME ISO-8601 timestamp before and after the rotation flow.
/// Traces: AC-5.7.
/// </summary>
[Collection("JwksRotation")]
[Trait("Category", "Res")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class JwksRotationNoRestartTests : TestBase, IClassFixture<DbResetFixture>
{
[SkippableFact(Timeout = 200_000)]
[Trait("Traces", "AC-5.7")]
[Trait("max_ms", "180000")]
public async Task NFT_RES_07_jwks_rotation_propagates_without_missions_restart()
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"Requires docker CLI access (COMPOSE_RESTART_ENABLED=1) to read StartedAt.");
// Arrange — capture StartedAt before any rotation activity so the
// post-flow comparison is anchored to "before this test started".
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
Seeds.Apply(Seeds.OneDefaultVehicle.Sql);
var startedAtBefore = MissionsContainerHelper.GetStartedAt("missions-sut");
var t1 = await Tokens.MintDefaultAsync();
var kidV1 = t1.Kid;
using (var resp = await CallVehiclesAsync(t1.Jwt))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
// Act 1 — rotate; mint a token with the new kid; assert pre-refresh 401.
var kidV2 = await RotateMockAsync();
Assert.NotEqual(kidV1, kidV2);
var t2 = await Tokens.MintDefaultAsync();
Assert.Equal(kidV2, t2.Kid);
using (var resp = await CallVehiclesAsync(t2.Jwt))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
// Act 2 — wait for refresh.
var refreshDeadline = DateTime.UtcNow.AddSeconds(90);
var refreshed = false;
while (DateTime.UtcNow < refreshDeadline)
{
using var resp = await CallVehiclesAsync(t2.Jwt);
if (resp.StatusCode == HttpStatusCode.OK)
{
refreshed = true;
break;
}
await Task.Delay(TimeSpan.FromSeconds(3));
}
Assert.True(refreshed,
"JWKS refresh did not propagate to missions within 90s");
// Assert — service did NOT restart.
var startedAtAfter = MissionsContainerHelper.GetStartedAt("missions-sut");
Assert.Equal(startedAtBefore, startedAtAfter);
}
private async Task<HttpResponseMessage> CallVehiclesAsync(string jwt)
{
var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", jwt);
return await Missions.SendAsync(req);
}
private static async Task<string> RotateMockAsync()
{
using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
var rotateUrl = new Uri(new Uri(TestEnvironment.JwksMockBaseUrl), "/rotate-key");
using var resp = await http.PostAsync(rotateUrl, content: null);
resp.EnsureSuccessStatusCode();
var body = await resp.Content.ReadFromJsonAsync<JsonElement>();
return body.GetProperty("kid").GetString()
?? throw new InvalidOperationException("mock /rotate-key returned no kid");
}
}
tests/Azaion.Missions.E2E.Tests/Tests/Resilience/MigratorRestartTests.cs
+200
View File
@@ -0,0 +1,200 @@
using System.Diagnostics;
using System.Net;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Npgsql;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Resilience;
/// <summary>
/// NFT-RES-03 and NFT-RES-04 — migrator behaviour across container restarts.
/// Both scenarios drive the SUT via docker compose and rely on the
/// <see cref="ComposeRestartFixture"/> harness; they share one xUnit
/// collection so a failed teardown of NFT-RES-03 does not leak state into
/// NFT-RES-04.
/// Traces: AC-6.4, AC-6.5, AC-6.6, AC-10.5.
/// </summary>
[Collection("MigratorRestart")]
[Trait("Category", "Res")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class MigratorRestartTests : TestBase, IClassFixture<ComposeRestartFixture>
{
private readonly ComposeRestartFixture _restart;
public MigratorRestartTests(ComposeRestartFixture restart) => _restart = restart;
[SkippableFact]
[Trait("Traces", "AC-6.6,AC-6.4")]
[Trait("max_ms", "60000")]
public async Task NFT_RES_03_migrator_is_idempotent_on_container_restart()
{
Skip.IfNot(_restart.Enabled,
"ComposeRestartFixture disabled (COMPOSE_RESTART_ENABLED!=1). " +
"NFT-RES-03 needs `docker compose restart` access.");
// Arrange — clean DB so the migrator is not racing with stale data.
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
var schemaBefore = SnapshotPublicSchema();
// Capture the wall-clock just before the restart so the log slice
// does not include pre-existing warnings from the first start.
var restartUtc = DateTime.UtcNow;
// Act
Compose("restart missions");
await WaitForHealthyAsync(TimeSpan.FromSeconds(30));
// Assert — no NEW errors AT ALL in the restart slice.
var logs = DockerLogs.Read("missions-sut", restartUtc);
AssertNoNewErrorLines(logs);
var schemaAfter = SnapshotPublicSchema();
Assert.Equal(schemaBefore, schemaAfter);
}
[SkippableFact]
[Trait("Traces", "AC-6.5,AC-10.5")]
[Trait("max_ms", "120000")]
public async Task NFT_RES_04_legacy_gps_tables_dropped_on_first_start_and_subsequent_restart_is_noop()
{
Skip.IfNot(_restart.Enabled,
"ComposeRestartFixture disabled (COMPOSE_RESTART_ENABLED!=1). " +
"NFT-RES-04 needs `docker compose stop|start|restart` access.");
// Build-time gate — the migrator must contain the post-B9 DROP block.
// We probe empirically: seed the legacy tables, restart missions,
// verify they are gone. If they survive, the build pre-dates B9 and
// we skip with a clear reason.
// Arrange — stop missions, seed the legacy tables.
Compose("stop missions");
ResetAllAndSeedLegacyTables();
var legacyPresent = LegacyTablesExist();
Assert.True(legacyPresent, "seed_legacy_gps_tables did not actually create the legacy tables");
// Act 1 — first start should drop the legacy tables.
Compose("up -d missions");
await WaitForHealthyAsync(TimeSpan.FromSeconds(45));
var legacyAfterFirstStart = LegacyTablesExist();
Skip.If(legacyAfterFirstStart,
"Legacy orthophotos/gps_corrections tables still present after first start; " +
"this build appears to pre-date B9. NFT-RES-04 is a no-op on pre-B9 builds.");
// Act 2 — restart should be a no-op (no 'does not exist' errors).
var restartUtc = DateTime.UtcNow;
Compose("restart missions");
await WaitForHealthyAsync(TimeSpan.FromSeconds(30));
// Assert
Assert.False(LegacyTablesExist(), "legacy tables reappeared after restart");
var logs = DockerLogs.Read("missions-sut", restartUtc);
Assert.DoesNotContain("does not exist", logs, StringComparison.OrdinalIgnoreCase);
}
private static void ResetAllAndSeedLegacyTables()
{
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = """
DROP TABLE IF EXISTS orthophotos;
DROP TABLE IF EXISTS gps_corrections;
CREATE TABLE orthophotos (
id UUID PRIMARY KEY,
payload TEXT NOT NULL DEFAULT ''
);
CREATE TABLE gps_corrections (
id UUID PRIMARY KEY,
payload TEXT NOT NULL DEFAULT ''
);
""";
cmd.ExecuteNonQuery();
}
private static bool LegacyTablesExist()
{
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = """
SELECT to_regclass('orthophotos')::TEXT, to_regclass('gps_corrections')::TEXT;
""";
using var reader = cmd.ExecuteReader();
reader.Read();
var ortho = reader.IsDBNull(0) ? null : reader.GetString(0);
var gpsCorr = reader.IsDBNull(1) ? null : reader.GetString(1);
return ortho is not null || gpsCorr is not null;
}
private static Dictionary<string, string> SnapshotPublicSchema()
{
var rows = new Dictionary<string, string>(StringComparer.Ordinal);
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = """
SELECT table_name || '.' || column_name AS key,
data_type
FROM information_schema.columns
WHERE table_schema = 'public'
ORDER BY table_name, column_name;
""";
using var reader = cmd.ExecuteReader();
while (reader.Read())
rows[reader.GetString(0)] = reader.GetString(1);
return rows;
}
private static void AssertNoNewErrorLines(string logs)
{
// Each line is independently checked — a stack-trace dump
// contains exception keywords; an actual ERROR log line does too.
var bad = logs.Split('\n')
.Where(line =>
line.Contains("error", StringComparison.OrdinalIgnoreCase)
|| line.Contains("exception", StringComparison.OrdinalIgnoreCase))
.ToArray();
Assert.True(bad.Length == 0,
$"expected NO new error/exception lines in restart slice; saw {bad.Length}:\n{string.Join("\n", bad)}");
}
private async Task WaitForHealthyAsync(TimeSpan timeout)
{
using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(2) };
var deadline = DateTime.UtcNow + timeout;
while (DateTime.UtcNow < deadline)
{
try
{
using var resp = await http.GetAsync(new Uri(TestEnvironment.MissionsBaseUrl + "/health"));
if (resp.StatusCode == HttpStatusCode.OK) return;
}
catch (HttpRequestException) { /* not yet listening */ }
catch (TaskCanceledException) { /* slow first request */ }
await Task.Delay(500);
}
throw new TimeoutException(
$"missions did not become healthy within {timeout.TotalSeconds:F0}s");
}
private void Compose(string subcommand)
{
var psi = new ProcessStartInfo("docker",
$"compose -f {_restart.ComposeFile} {subcommand}")
{
RedirectStandardOutput = true,
RedirectStandardError = true,
UseShellExecute = false
};
using var p = Process.Start(psi)
?? throw new InvalidOperationException("docker CLI not available");
var stdout = p.StandardOutput.ReadToEnd();
var stderr = p.StandardError.ReadToEnd();
p.WaitForExit();
if (p.ExitCode != 0)
throw new InvalidOperationException(
$"`docker compose {subcommand}` exited {p.ExitCode}:\nstdout: {stdout}\nstderr: {stderr}");
}
}
tests/Azaion.Missions.E2E.Tests/Tests/Security/AuthClaimsTests.cs
+235
View File
@@ -0,0 +1,235 @@
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Security;
/// <summary>
/// NFT-SEC-01..06 + 04b — JWT authn/authz scenarios from
/// <c>_docs/02_document/tests/security-tests.md</c>.
/// Traces: AC-5.2..AC-5.6, AC-5.8, AC-5.11, AC-5.12, AC-9.1, AC-9.2.
/// </summary>
[Collection("SecurityAuthClaims")]
[Trait("Category", "Sec")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class AuthClaimsTests : TestBase, IClassFixture<DbResetFixture>
{
[Fact]
[Trait("Traces", "AC-5.4")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_01_missing_authorization_header_rejects_protected_endpoints_with_401_and_no_db_write()
{
// Arrange
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
Seeds.Apply(Seeds.OneDefaultVehicle.Sql);
var anyMissionId = Guid.NewGuid();
var preCount = DbAssertions.TableRowCount("vehicles");
// Act + Assert — GET /vehicles
using (var resp = await Missions.GetAsync("/vehicles"))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
using (var resp = await Missions.GetAsync("/missions"))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
using (var resp = await Missions.GetAsync($"/missions/{anyMissionId}/waypoints"))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
var postBody = new
{
Type = 0,
Model = "Bayraktar",
Name = "BR-noauth",
FuelType = 1,
BatteryCapacity = 0,
EngineConsumption = 5,
EngineConsumptionIdle = 1,
IsDefault = false
};
using (var post = new HttpRequestMessage(HttpMethod.Post, "/vehicles")
{
Content = JsonContent.Create(postBody)
})
using (var resp = await Missions.SendAsync(post))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
// Assert — POST 401 did not write a row.
var postCount = DbAssertions.TableRowCount("vehicles");
Assert.Equal(preCount, postCount);
}
[Fact]
[Trait("Traces", "AC-5.5")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_02_invalid_signature_rejects_byte_flip_and_foreign_keypair_with_401()
{
// Arrange — single-byte-flip uses a mock-signed token; foreign-keypair
// uses a local ECDSA P-256 (the one in-test signing path the task
// spec permits).
var good = await Tokens.MintDefaultAsync();
var flipped = FlipFirstSignatureChar(good.Jwt);
using var foreign = new ForeignKeypair();
var foreignJwt = foreign.Mint(
TestEnvironment.JwtIssuer, TestEnvironment.JwtAudience, "FL");
// Act + Assert — flipped signature
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", flipped);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
// Act + Assert — foreign keypair token (kid not in JWKS).
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", foreignJwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
}
[Fact]
[Trait("Traces", "AC-5.2,AC-5.6")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_03_clock_skew_30s_rejects_minus_60_and_accepts_minus_15()
{
// Arrange — both tokens are otherwise identical; only exp differs.
var expiredBeyondSkew = await Tokens.MintAsync(
new SignRequest(Permissions: "FL", ExpOffsetSeconds: -60));
var expiredWithinSkew = await Tokens.MintAsync(
new SignRequest(Permissions: "FL", ExpOffsetSeconds: -15));
// Act + Assert — outside the 30s skew window.
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", expiredBeyondSkew.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
// Inside the 30s skew window.
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", expiredWithinSkew.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
}
}
[Fact]
[Trait("Traces", "AC-5.3,AC-5.11")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_04_wrong_iss_rejected_default_iss_accepted()
{
// Arrange
var wrongIss = await Tokens.MintAsync(
new SignRequest(Iss: "https://attacker.example.com", Permissions: "FL"));
var defaultIss = await Tokens.MintDefaultAsync();
// Act + Assert
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", wrongIss.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", defaultIss.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
}
}
[Fact]
[Trait("Traces", "AC-5.3,AC-5.12")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_04b_wrong_aud_rejected()
{
// Arrange
var wrongAud = await Tokens.MintAsync(
new SignRequest(Aud: "wrong-audience", Permissions: "FL"));
// Act + Assert
using var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", wrongAud.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
[Fact]
[Trait("Traces", "AC-5.8,AC-9.1")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_05_missing_permissions_claim_returns_403()
{
// Arrange — Permissions=null + PermissionsArray=null omits the claim.
var noPermissions = await Tokens.MintAsync(new SignRequest());
// Act
using var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", noPermissions.Jwt);
using var resp = await Missions.SendAsync(req);
// Assert — authentication succeeds, authorization fails → 403 (NOT 401).
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Forbidden);
}
[Theory]
[InlineData("ADMIN")]
[InlineData("fl")]
[InlineData("FLight")]
[Trait("Traces", "AC-9.1,AC-9.2")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_06_wrong_single_permission_value_returns_403(string permissions)
{
// Arrange
var token = await Tokens.MintAsync(new SignRequest(Permissions: permissions));
// Act
using var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var resp = await Missions.SendAsync(req);
// Assert — RequireClaim("permissions","FL") is case-sensitive exact match.
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Forbidden);
}
[Fact]
[Trait("Traces", "AC-9.1,AC-9.2")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_06_multi_value_permissions_array_accepts_when_FL_is_present()
{
// Arrange — array permissions claim; ASP.NET's JWT handler flattens
// an array claim into multiple per-value claims, so RequireClaim
// matches if ANY value equals "FL".
var token = await Tokens.MintAsync(
new SignRequest(PermissionsArray: new[] { "FL", "ADMIN" }));
// Act
using var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var resp = await Missions.SendAsync(req);
// Assert
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
}
private static string FlipFirstSignatureChar(string jwt)
{
var parts = jwt.Split('.');
if (parts.Length != 3)
throw new InvalidOperationException(
"expected a JWS-compact JWT with exactly 3 segments");
var sig = parts[2].ToCharArray();
// Toggle the first char between two base64url-valid letters so the
// result is still parseable but signature verification fails.
sig[0] = sig[0] == 'A' ? 'B' : 'A';
return $"{parts[0]}.{parts[1]}.{new string(sig)}";
}
}
tests/Azaion.Missions.E2E.Tests/Tests/Security/CorsConfigTests.cs
+159
View File
@@ -0,0 +1,159 @@
using System.Net;
using Azaion.Missions.E2E.Helpers;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Security;
/// <summary>
/// NFT-SEC-13 — CORS posture across environments. The Production-gate
/// rejects an empty allow-list (CorsConfigurationValidator); the
/// Test/Development environment logs a PermissiveDefaultWarning when the
/// same shape is observed. Each scenario spawns its own missions container
/// via <c>docker run</c>. Traces: AC-6.11, E9.
/// </summary>
[Collection("SecurityCors")]
[Trait("Category", "Sec")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class CorsConfigTests
{
private const string PostgresUrl =
"postgresql://postgres:postgres-test@missions-postgres-test:5432/azaion";
private const string JwksUrlHttps =
"https://jwks-mock:8443/.well-known/jwks.json";
[SkippableFact]
[Trait("Traces", "AC-6.11,E9")]
[Trait("max_ms", "15000")]
public void NFT_SEC_13_production_empty_origins_exits_non_zero_with_invalid_operation_exception()
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"MissionsContainerHelper requires COMPOSE_RESTART_ENABLED=1 and docker CLI access.");
// Arrange
var env = BaseEnv();
env["ASPNETCORE_ENVIRONMENT"] = "Production";
// Act
var result = MissionsContainerHelper.RunUntilExit(
"missions-sec13-prod-empty", env, TimeSpan.FromSeconds(15));
// Assert
Assert.NotEqual(0, result.ExitCode);
Assert.Contains("InvalidOperationException", result.Logs, StringComparison.Ordinal);
var mentionsCors =
result.Logs.Contains("CorsConfig", StringComparison.Ordinal)
|| result.Logs.Contains("AllowedOrigins", StringComparison.Ordinal)
|| result.Logs.Contains("Production", StringComparison.Ordinal);
Assert.True(mentionsCors,
$"logs must mention CorsConfig/AllowedOrigins/Production. Logs:\n{result.Logs}");
}
[SkippableFact]
[Trait("Traces", "AC-6.11")]
[Trait("max_ms", "15000")]
public async Task NFT_SEC_13_production_allow_any_origin_starts_with_warning_log()
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"MissionsContainerHelper requires COMPOSE_RESTART_ENABLED=1 and docker CLI access.");
// Arrange
var env = BaseEnv();
env["ASPNETCORE_ENVIRONMENT"] = "Production";
env["CorsConfig__AllowAnyOrigin"] = "true";
// Act
using var c = await MissionsContainerHelper.StartAndWaitForHealthAsync(
"missions-sec13-prod-anyorigin", env, TimeSpan.FromSeconds(20));
// Assert — container is up AND a warning sits in the log slice.
var logs = c.ReadLogs();
var mentionsWarning =
logs.Contains("permissive", StringComparison.OrdinalIgnoreCase)
|| logs.Contains("AllowAnyOrigin", StringComparison.Ordinal)
|| logs.Contains("warn", StringComparison.OrdinalIgnoreCase);
Assert.True(mentionsWarning,
$"logs must include a permissive-CORS warning. Logs:\n{logs}");
}
[SkippableFact]
[Trait("Traces", "AC-6.11")]
[Trait("max_ms", "20000")]
public async Task NFT_SEC_13_production_explicit_origin_preflight_allowed_and_other_origins_rejected()
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"MissionsContainerHelper requires COMPOSE_RESTART_ENABLED=1 and docker CLI access.");
// Arrange
const string allowedOrigin = "https://operator.example.com";
const string disallowedOrigin = "https://attacker.example.com";
var env = BaseEnv();
env["ASPNETCORE_ENVIRONMENT"] = "Production";
env["CorsConfig__AllowedOrigins__0"] = allowedOrigin;
var containerName = "missions-sec13-prod-origins";
using var c = await MissionsContainerHelper.StartAndWaitForHealthAsync(
containerName, env, TimeSpan.FromSeconds(20));
// Act — allowed origin preflight.
using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
var url = new Uri($"http://{containerName}:8080/vehicles");
using (var preflight = new HttpRequestMessage(HttpMethod.Options, url))
{
preflight.Headers.Add("Origin", allowedOrigin);
preflight.Headers.Add("Access-Control-Request-Method", "GET");
using var resp = await http.SendAsync(preflight);
Assert.True(resp.IsSuccessStatusCode,
$"preflight from allowed origin should succeed; got {(int)resp.StatusCode}");
Assert.True(resp.Headers.TryGetValues("Access-Control-Allow-Origin", out var allowVals),
"preflight from allowed origin must echo Access-Control-Allow-Origin");
Assert.Contains(allowedOrigin, allowVals);
}
// Disallowed origin preflight — middleware responds without echoing the header.
using (var preflight = new HttpRequestMessage(HttpMethod.Options, url))
{
preflight.Headers.Add("Origin", disallowedOrigin);
preflight.Headers.Add("Access-Control-Request-Method", "GET");
using var resp = await http.SendAsync(preflight);
// ASP.NET Core CORS middleware returns 204 even when origin is
// disallowed, but does NOT emit Access-Control-Allow-Origin —
// the missing header is the signal browsers act on.
Assert.False(resp.Headers.TryGetValues("Access-Control-Allow-Origin", out _),
"preflight from disallowed origin must NOT echo Access-Control-Allow-Origin");
}
}
[SkippableFact]
[Trait("Traces", "AC-6.11")]
[Trait("max_ms", "15000")]
public async Task NFT_SEC_13_test_environment_permissive_default_emits_warning_log()
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"MissionsContainerHelper requires COMPOSE_RESTART_ENABLED=1 and docker CLI access.");
// Arrange — Test env with no CorsConfig. EnsureSafeForEnvironment
// is a no-op; permissive policy is applied with a warning log.
var env = BaseEnv();
env["ASPNETCORE_ENVIRONMENT"] = "Test";
// Act
using var c = await MissionsContainerHelper.StartAndWaitForHealthAsync(
"missions-sec13-test-permissive", env, TimeSpan.FromSeconds(20));
// Assert
var logs = c.ReadLogs();
Assert.Contains("Permissive", logs, StringComparison.Ordinal);
}
private static Dictionary<string, string> BaseEnv() => new(StringComparer.Ordinal)
{
{ "DATABASE_URL", PostgresUrl },
{ "JWT_ISSUER", "https://admin-test.azaion.local" },
{ "JWT_AUDIENCE", "azaion-edge" },
{ "JWT_JWKS_URL", JwksUrlHttps },
{ "ASPNETCORE_URLS", "http://+:8080" },
{ "ASPNETCORE_ENVIRONMENT","Test" },
};
}
tests/Azaion.Missions.E2E.Tests/Tests/Security/CrossCuttingTests.cs
+133
View File
@@ -0,0 +1,133 @@
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Npgsql;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Security;
/// <summary>
/// NFT-SEC-07 (health anonymous), NFT-SEC-09 (SQL-injection guard),
/// NFT-SEC-10 (alg-pin) — fast cross-cutting security checks that share a
/// happy-path stack and need no destructive teardown.
/// Traces: AC-7.1, AC-9.4, AC-1.6, AC-2.3 (defensive), AC-5.1, AC-5.10.
/// </summary>
[Collection("SecurityCrossCutting")]
[Trait("Category", "Sec")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class CrossCuttingTests : TestBase, IClassFixture<DbResetFixture>
{
[Fact]
[Trait("Traces", "AC-7.1,AC-9.4")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_07_health_is_anonymous_and_accepts_expired_token()
{
// Arrange — anonymous case + expired-token case prove the auth
// pipeline does NOT run for /health (an expired token would otherwise
// 401 long before reaching the endpoint).
var expired = await Tokens.MintAsync(new SignRequest(Permissions: "FL", ExpOffsetSeconds: -3600));
// Act + Assert — anonymous
using (var resp = await Missions.GetAsync("/health"))
{
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
var body = await resp.Content.ReadFromJsonAsync<JsonElement>();
Assert.Equal("healthy", body.GetProperty("status").GetString());
}
// Expired token
using (var req = new HttpRequestMessage(HttpMethod.Get, "/health"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", expired.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
var body = await resp.Content.ReadFromJsonAsync<JsonElement>();
Assert.Equal("healthy", body.GetProperty("status").GetString());
}
}
[Fact]
[Trait("Traces", "AC-1.6,AC-2.3")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_09_sql_injection_payloads_are_treated_as_literal_strings()
{
// Arrange
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
Seeds.Apply(Seeds.Three_BR01_BR02_MQ9.Sql);
var token = await Tokens.MintDefaultAsync();
// Act + Assert — OR '1'='1 should NOT short-circuit to "all rows".
using (var req = new HttpRequestMessage(
HttpMethod.Get,
"/vehicles?" + Uri.EscapeDataString("name=' OR '1'='1")))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
var raw = await resp.Content.ReadAsStringAsync();
using var doc = JsonDocument.Parse(raw);
Assert.Equal(JsonValueKind.Array, doc.RootElement.ValueKind);
// The literal "'OR'1'='1" never matches any vehicle name.
Assert.Equal(0, doc.RootElement.GetArrayLength());
}
// Drop-table payload should NOT execute as SQL.
using (var req = new HttpRequestMessage(
HttpMethod.Get,
"/missions?" + Uri.EscapeDataString("name=; DROP TABLE vehicles; --")))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
var raw = await resp.Content.ReadAsStringAsync();
using var doc = JsonDocument.Parse(raw);
Assert.True(doc.RootElement.TryGetProperty("TotalCount", out var totalEl));
Assert.Equal(0, totalEl.GetInt32());
}
// Side-channel: vehicles table still exists.
var oid = ScalarToRegclass("vehicles");
Assert.NotNull(oid);
}
[Fact]
[Trait("Traces", "AC-5.1,AC-5.10")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_10_alg_pin_rejects_HS256_confusion_and_unsigned_tokens()
{
// Arrange — both attack shapes carry valid claims; only `alg` differs.
var hs256 = await Tokens.MintAsync(
new SignRequest(Permissions: "FL", AlgOverride: "HS256"));
var unsigned = await Tokens.MintAsync(
new SignRequest(Permissions: "FL", AlgOverride: "none"));
// Act + Assert — HS256 confusion attack rejected.
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", hs256.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
// alg:none unsigned token rejected.
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", unsigned.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
}
private static string? ScalarToRegclass(string table)
{
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = "SELECT to_regclass(@t)::TEXT";
cmd.Parameters.AddWithValue("t", table);
return cmd.ExecuteScalar() as string;
}
}
tests/Azaion.Missions.E2E.Tests/Tests/Security/ErrorRedactionTests.cs
+90
View File
@@ -0,0 +1,90 @@
using System.Net;
using System.Net.Http.Headers;
using System.Text.Json;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Npgsql;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Security;
/// <summary>
/// NFT-SEC-08 — security-category variant of FT-N-08. Same destructive
/// fixture (DROP TABLE vehicles CASCADE) but emphasises the redaction
/// assertions and the matching log-line presence. Lives in the
/// <c>ErrorEnvelope500</c> collection so xUnit serialises against FT-N-08
/// and the consumer image still uses one round of compose restart for both.
/// Traces: AC-8.6, AC-10.3.
/// </summary>
[Collection("ErrorEnvelope500")]
[Trait("Category", "Sec")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class ErrorRedactionTests : TestBase, IClassFixture<ComposeRestartFixture>
{
private readonly ComposeRestartFixture _restart;
public ErrorRedactionTests(ComposeRestartFixture restart) => _restart = restart;
[SkippableFact]
[Trait("Traces", "AC-8.6,AC-10.3")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_08_500_body_redacts_internals_and_log_records_exception_type()
{
Skip.IfNot(_restart.Enabled,
"ComposeRestartFixture disabled (COMPOSE_RESTART_ENABLED!=1). " +
"NFT-SEC-08 drops the vehicles table and needs the full stack restart " +
"in teardown.");
// Arrange — DROP TABLE vehicles forces the SUT into the generic
// catch path on /vehicles/{any}.
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
DropVehiclesTable();
var requestStart = DateTime.UtcNow;
var token = await Tokens.MintDefaultAsync();
try
{
// Act
using var req = new HttpRequestMessage(HttpMethod.Get, $"/vehicles/{Guid.NewGuid()}");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var response = await Missions.SendAsync(req);
// Assert — wire-shape is EXACTLY { statusCode, message }; no extra
// keys, no stack-leak keywords anywhere in the JSON DOM.
var problem = await HttpAssertions.AssertProblemEnvelopeAsync(
response, HttpStatusCode.InternalServerError);
Assert.Equal(500, problem.StatusCode);
Assert.Equal("Internal server error", problem.Message);
// The unhandled exception MUST still be logged. The log line
// includes the exception type (Npgsql.PostgresException) so an
// operator can diagnose without the response leaking it.
var deadline = DateTime.UtcNow.AddSeconds(2);
var sawLog = false;
while (DateTime.UtcNow < deadline)
{
if (DockerLogs.Contains("missions-sut", "Unhandled exception", requestStart))
{
sawLog = true;
break;
}
await Task.Delay(100);
}
Assert.True(sawLog,
"expected 'Unhandled exception' in missions-sut docker logs within 2s of request");
}
finally
{
_restart.RestartStack();
}
}
private static void DropVehiclesTable()
{
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
conn.Open();
using var cmd = conn.CreateCommand();
cmd.CommandText = "DROP TABLE IF EXISTS vehicles CASCADE;";
cmd.ExecuteNonQuery();
}
}
tests/Azaion.Missions.E2E.Tests/Tests/Security/JwksRotationTests.cs
+117
View File
@@ -0,0 +1,117 @@
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using System.Text.Json;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Security;
/// <summary>
/// NFT-SEC-11 — security-shaped view of JWKS rotation. Verifies the kid-cache
/// mechanics + grace-window timing; the resilience-shaped variant
/// (no-restart) lives in <c>Tests/Resilience/JwksRotationTests.cs</c>.
/// Traces: AC-5.7.
/// </summary>
/// <remarks>
/// Owns the <c>JwksRotation</c> xUnit collection because rotating the mock
/// changes the active kid for every subsequent test that holds a stale
/// token. After running, the next test class in any collection mints a
/// fresh token, so it picks up the new kid on its next JWKS refresh.
/// </remarks>
[Collection("JwksRotation")]
[Trait("Category", "Sec")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class JwksRotationTests : TestBase, IClassFixture<DbResetFixture>
{
[Fact(Timeout = 130_000)]
[Trait("Traces", "AC-5.7")]
[Trait("max_ms", "120000")]
public async Task NFT_SEC_11_unknown_kid_rotation_completes_within_120s_honouring_grace()
{
// Arrange — warm up: confirm the active key works before rotation.
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
Seeds.Apply(Seeds.OneDefaultVehicle.Sql);
var t1 = await Tokens.MintDefaultAsync();
var kidV1 = t1.Kid;
using (var resp = await CallVehiclesAsync(t1.Jwt))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
var rotationStart = DateTime.UtcNow;
// Act 1: Rotate the mock. After this call, kid_v2 is active and
// kid_v1 is retained for OLD_KEY_GRACE_SECONDS=5.
var kidV2 = await RotateMockAsync();
Assert.NotEqual(kidV1, kidV2);
// Mint T2 with the brand-new active key.
var t2 = await Tokens.MintDefaultAsync();
Assert.Equal(kidV2, t2.Kid);
// Assert AC-5.7.1 — T2 is rejected BEFORE missions refreshes its JWKS
// cache (the new kid is not yet in the cache). We probe immediately
// and require at least one 401 — once missions refreshes, subsequent
// calls should succeed.
using (var resp = await CallVehiclesAsync(t2.Jwt))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
// Assert AC-5.7.3 — during the 5s grace window, the OLD-kid token T1
// is still accepted (missions' cache still contains kid_v1 from the
// initial bootstrap fetch; the cache hasn't refreshed yet).
using (var resp = await CallVehiclesAsync(t1.Jwt))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
// Act 2: Wait for JWKS refresh — poll T2 every 3s, up to 90s.
var refreshDeadline = DateTime.UtcNow.AddSeconds(90);
var refreshed = false;
while (DateTime.UtcNow < refreshDeadline)
{
using var resp = await CallVehiclesAsync(t2.Jwt);
if (resp.StatusCode == HttpStatusCode.OK)
{
refreshed = true;
break;
}
await Task.Delay(TimeSpan.FromSeconds(3));
}
Assert.True(refreshed,
"JWKS refresh did not propagate to missions within 90s (max-age=60s + auto-refresh=30s)");
// Assert AC-5.7.4 — after the 5s grace window, the mock refuses to
// sign with the old kid. Wait until grace certainly expired.
var graceExpiry = rotationStart.AddSeconds(7);
var until = graceExpiry - DateTime.UtcNow;
if (until > TimeSpan.Zero)
await Task.Delay(until);
using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
var signUrl = new Uri(TestEnvironment.JwksMockSignUrl);
using var signResponse = await http.PostAsJsonAsync(
signUrl,
new { kid_override = kidV1, permissions = "FL" });
Assert.Equal(HttpStatusCode.BadRequest, signResponse.StatusCode);
var body = await signResponse.Content.ReadFromJsonAsync<JsonElement>();
Assert.True(body.TryGetProperty("error", out _),
"mock refusal must include 'error' field");
}
private async Task<HttpResponseMessage> CallVehiclesAsync(string jwt)
{
var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", jwt);
return await Missions.SendAsync(req);
}
private static async Task<string> RotateMockAsync()
{
using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
var rotateUrl = new Uri(new Uri(TestEnvironment.JwksMockBaseUrl), "/rotate-key");
using var resp = await http.PostAsync(rotateUrl, content: null);
resp.EnsureSuccessStatusCode();
var body = await resp.Content.ReadFromJsonAsync<JsonElement>();
return body.GetProperty("kid").GetString()
?? throw new InvalidOperationException("mock /rotate-key returned no kid");
}
}
tests/Azaion.Missions.E2E.Tests/Tests/Security/StartupConfigTests.cs
+124
View File
@@ -0,0 +1,124 @@
using System.Net;
using System.Net.Http.Headers;
using Azaion.Missions.E2E.Helpers;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Security;
/// <summary>
/// NFT-SEC-12 — security-shaped startup config posture. The 4 missing-env
/// rows are also exercised by NFT-RES-05 row 14 in
/// <c>Tests/Resilience/ConfigDbStartupTests.cs</c>; here they fall under the
/// <c>Sec</c> category so the CSV report carries both rows. Traces: AC-6.1,
/// AC-6.2, E1, E3.
/// </summary>
/// <remarks>
/// Each scenario spawns its own missions container via <c>docker run</c>
/// (independent of the long-running compose stack) so the test can probe
/// startup behaviour without taking the shared SUT down. The helper bails
/// with <see cref="Skip.IfNot(bool, string)"/> when docker access is not
/// available (developer inner-loop with <c>COMPOSE_RESTART_ENABLED=0</c>).
/// </remarks>
[Collection("SecurityStartupConfig")]
[Trait("Category", "Sec")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class StartupConfigTests
{
private const string PostgresUrl =
"postgresql://postgres:postgres-test@missions-postgres-test:5432/azaion";
private const string JwksUrlHttps =
"https://jwks-mock:8443/.well-known/jwks.json";
private const string Issuer = "https://admin-test.azaion.local";
private const string Audience = "azaion-edge";
public static IEnumerable<object[]> MissingEnvCases() => new[]
{
new object[] { "missing_db_url", "DATABASE_URL", "Database:Url" },
new object[] { "missing_jwt_issuer", "JWT_ISSUER", "Jwt:Issuer" },
new object[] { "missing_jwt_aud", "JWT_AUDIENCE", "Jwt:Audience" },
new object[] { "missing_jwks_url", "JWT_JWKS_URL", "Jwt:JwksUrl" },
};
[SkippableTheory]
[MemberData(nameof(MissingEnvCases))]
[Trait("Traces", "AC-6.1,AC-6.2")]
[Trait("max_ms", "5000")]
public void NFT_SEC_12_missing_required_env_var_exits_non_zero_with_invalid_operation_exception(
string caseName, string omittedVar, string configAlias)
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"MissionsContainerHelper requires COMPOSE_RESTART_ENABLED=1 and docker CLI access.");
// Arrange
var env = BaseEnv();
env.Remove(omittedVar);
var container = $"missions-sec12-{caseName}";
// Act
var result = MissionsContainerHelper.RunUntilExit(
container, env, TimeSpan.FromSeconds(15));
// Assert
Assert.NotEqual(0, result.ExitCode);
Assert.Contains("InvalidOperationException", result.Logs, StringComparison.Ordinal);
var mentionsVar = result.Logs.Contains(omittedVar, StringComparison.Ordinal)
|| result.Logs.Contains(configAlias, StringComparison.Ordinal);
Assert.True(mentionsVar,
$"logs must mention '{omittedVar}' or '{configAlias}'. Logs:\n{result.Logs}");
}
[SkippableFact]
[Trait("Traces", "E1,E3")]
[Trait("max_ms", "30000")]
public async Task NFT_SEC_12_http_jwks_url_starts_then_fails_protected_request_with_RequireHttps_log()
{
Skip.IfNot(MissionsContainerHelper.Enabled,
"MissionsContainerHelper requires COMPOSE_RESTART_ENABLED=1 and docker CLI access.");
// Arrange — config resolution succeeds (HTTP URL is a well-formed
// string), so the container starts. The first protected request
// triggers a JWKS fetch which the HttpDocumentRetriever rejects
// because RequireHttps=true.
var env = BaseEnv();
env["JWT_JWKS_URL"] = "http://jwks-mock:8443/.well-known/jwks.json";
var container = "missions-sec12-http-jwks";
using var c = await MissionsContainerHelper.StartAndWaitForHealthAsync(
container, env, TimeSpan.FromSeconds(20));
// Mint a normal token from the mock — the SUT will reject it not
// because the token is bad, but because it cannot fetch JWKS at all.
var minter = new TokenMinter(TestEnvironment.JwksMockSignUrl);
var token = await minter.MintDefaultAsync();
// Act — send /vehicles to the new SUT container directly.
using var http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
var url = new Uri($"http://{container}:8080/vehicles");
using var req = new HttpRequestMessage(HttpMethod.Get, url);
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var resp = await http.SendAsync(req);
// Assert — either 500 (RequireHttps exception bubbles to error
// middleware) or 401 (auth handler swallows the inner exception).
Assert.True(
resp.StatusCode is HttpStatusCode.InternalServerError or HttpStatusCode.Unauthorized,
$"expected 500 or 401, got {(int)resp.StatusCode}");
var logs = c.ReadLogs();
var mentionsHttps = logs.Contains("RequireHttps", StringComparison.OrdinalIgnoreCase)
|| logs.Contains("HTTPS", StringComparison.OrdinalIgnoreCase)
|| logs.Contains("requires https", StringComparison.OrdinalIgnoreCase);
Assert.True(mentionsHttps,
$"logs must mention HTTPS / RequireHttps. Logs:\n{logs}");
}
private static Dictionary<string, string> BaseEnv() => new(StringComparer.Ordinal)
{
{ "DATABASE_URL", PostgresUrl },
{ "JWT_ISSUER", Issuer },
{ "JWT_AUDIENCE", Audience },
{ "JWT_JWKS_URL", JwksUrlHttps },
{ "ASPNETCORE_URLS", "http://+:8080" },
{ "ASPNETCORE_ENVIRONMENT","Test" },
};
}
tests/Azaion.Missions.E2E.Tests/TokenMinter.cs
+1
View File
@@ -45,6 +45,7 @@ public sealed record SignRequest(
[property: JsonPropertyName("sub")] string? Sub = null,
[property: JsonPropertyName("exp_offset_seconds")] int? ExpOffsetSeconds = null,
[property: JsonPropertyName("permissions")] string? Permissions = null,
[property: JsonPropertyName("permissions_array")] string[]? PermissionsArray = null,
[property: JsonPropertyName("alg_override")] string? AlgOverride = null,
[property: JsonPropertyName("kid_override")] string? KidOverride = null);
tests/Azaion.Missions.JwksMock/Endpoints/SignEndpoint.cs
+7
View File
@@ -34,6 +34,7 @@ public static class SignEndpoint
Audience: body.Aud,
ExpOffsetSeconds: body.ExpOffsetSeconds,
Permissions: body.Permissions,
PermissionsArray: body.PermissionsArray,
Subject: body.Sub,
AlgOverride: body.AlgOverride,
KidOverride: body.KidOverride));
@@ -46,12 +47,18 @@ public static class SignEndpoint
}
}
// permissions vs permissions_array: NFT-SEC-06 multi-value (AC-7) requires the
// mock to emit a JSON-array `permissions` claim. Splitting the field on the
// wire keeps SignBody compatible with System.Text.Json source generation
// (a single JsonElement field would defeat the AOT-friendly SignBodyContext).
// At most one of the two fields may be set per request.
public sealed record SignBody(
[property: JsonPropertyName("iss")] string? Iss = null,
[property: JsonPropertyName("aud")] string? Aud = null,
[property: JsonPropertyName("sub")] string? Sub = null,
[property: JsonPropertyName("exp_offset_seconds")] int? ExpOffsetSeconds = null,
[property: JsonPropertyName("permissions")] string? Permissions = null,
[property: JsonPropertyName("permissions_array")] string[]? PermissionsArray = null,
[property: JsonPropertyName("alg_override")] string? AlgOverride = null,
[property: JsonPropertyName("kid_override")] string? KidOverride = null);
tests/Azaion.Missions.JwksMock/Services/TokenSigner.cs
+27
View File
@@ -31,6 +31,25 @@ public sealed class TokenSigner
var kid = request.KidOverride ?? active.Kid;
var alg = request.AlgOverride ?? "ES256";
if (request.Permissions is not null && request.PermissionsArray is not null)
throw new ArgumentException(
"permissions and permissions_array are mutually exclusive — set at most one.",
nameof(request));
// NFT-SEC-11 AC-5.4: the mock refuses kid_override values that don't
// correspond to a currently-published kid (active or in-grace retired).
// Without this guard, a tester could mint a token with any kid string
// and the SUT would simply 401 on JWKS lookup — defeating the
// "post-grace mock refuses old kid" assertion.
if (request.KidOverride is not null)
{
var known = _keys.PublishedKeys().Select(k => k.Kid).ToHashSet(StringComparer.Ordinal);
if (!known.Contains(request.KidOverride))
throw new ArgumentException(
$"kid_override '{request.KidOverride}' is not a currently-published kid.",
nameof(request));
}
var nowUnix = _clock.GetUtcNow().ToUnixTimeSeconds();
var expUnix = nowUnix + (request.ExpOffsetSeconds ?? 3600);
@@ -50,6 +69,13 @@ public sealed class TokenSigner
};
if (request.Permissions is not null)
payload["permissions"] = request.Permissions;
if (request.PermissionsArray is not null)
{
var arr = new JsonArray();
foreach (var p in request.PermissionsArray)
arr.Add(p);
payload["permissions"] = arr;
}
if (request.Subject is not null)
payload["sub"] = request.Subject;
@@ -95,6 +121,7 @@ public sealed record SignRequest(
string? Audience,
int? ExpOffsetSeconds,
string? Permissions,
string[]? PermissionsArray,
string? Subject,
string? AlgOverride,
string? KidOverride);