[AZ-581] [AZ-582] [AZ-583] [AZ-584] Sec+Res NFT tests

Batch 3 of test implementation cycle 1 (existing-code Step 6).

- AZ-581 AuthClaimsTests: NFT-SEC-01..06+04b (foreign-keypair, byte-flip,
  30s skew, iss/aud/perms, multi-value permissions array).
- AZ-582 CrossCutting/ErrorRedaction/JwksRotation/StartupConfig/CorsConfig:
  NFT-SEC-07..13 (alg pin, kid rotation grace window, env fail-fast, CORS
  Production gate).
- AZ-583 CascadeF3/CascadeF4/MigratorRestart: NFT-RES-01..04. CascadeF4
  pins current walk-order divergence with carry_forward AC-4.6.
- AZ-584 ConfigDbStartup/JwksRotationNoRestart/DefaultVehicleRace:
  NFT-RES-05..08. NFT-RES-08 pins current behaviour (unique-index closes
  the race) with carry_forward AC-1.4.

Mock contract: SignBody accepts permissions OR permissions_array (mutually
exclusive). TokenSigner validates kid_override against published keys so
NFT-SEC-11 can assert "mock refuses old kid post-grace".

Helpers added: ForeignKeypair (test-only ECDSA P-256),
MissionsContainerHelper (docker-run wrapper for startup-time scenarios),
DockerLogs.

7 of 22 new tests are Skippable, gated on COMPOSE_RESTART_ENABLED + docker
CLI in the e2e-consumer image (explicit skip reason; no silent pass).

Build green: test csproj + jwks-mock csproj.

Co-authored-by: Cursor <cursoragent@cursor.com>
Oleksandr Bezdieniezhnykh
2026-05-15 08:58:59 +03:00
parent 6b2c2d998e
commit 24c4561bef
24 changed files with 2240 additions and 3 deletions
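Added example, not the repository's code: the SignBody contract from the hunk below, together with the two things the commit message implies but the diff does not show, namely the "permissions OR permissions_array (mutually exclusive)" check and the shaping of the emitted `permissions` claim as a string for the single-value form and a JSON array for the multi-value form. The source-generated SignBodyContext, the Validate/BuildClaims helpers, the 300 s default lifetime, the bound on exp_offset_seconds and the sample requests are assumptions of this example; the mock's real TokenSigner is not on this page. Requires .NET 7 or later for raw string literals and the System.Text.Json source generator.

```csharp
// Added example (not the jwks-mock's code). Assumes only System.Text.Json; the
// validation rules and claim shaping below are this example's, not the mock's.
using System;
using System.Collections.Generic;
using System.Text.Json;
using System.Text.Json.Serialization;

namespace SignBodyExample;

public sealed record SignBody(
    [property: JsonPropertyName("iss")] string? Iss = null,
    [property: JsonPropertyName("aud")] string? Aud = null,
    [property: JsonPropertyName("sub")] string? Sub = null,
    [property: JsonPropertyName("exp_offset_seconds")] int? ExpOffsetSeconds = null,
    [property: JsonPropertyName("permissions")] string? Permissions = null,
    [property: JsonPropertyName("permissions_array")] string[]? PermissionsArray = null,
    [property: JsonPropertyName("alg_override")] string? AlgOverride = null,
    [property: JsonPropertyName("kid_override")] string? KidOverride = null);

// Source-generated context (assumed name): keeps deserialisation reflection-free, which is
// the AOT point the diff comment makes. A JsonElement-typed field would have no fixed
// shape for the generator to emit, hence the split into two typed fields.
[JsonSerializable(typeof(SignBody))]
internal partial class SignBodyContext : JsonSerializerContext { }

public static class SignBodyContract
{
    // Contract check the endpoint should run before signing. Returns null when the body is OK.
    public static string? Validate(SignBody body)
    {
        if (body.Permissions is not null && body.PermissionsArray is not null)
            return "permissions and permissions_array are mutually exclusive";
        if (body.PermissionsArray is { Length: 0 })
            return "permissions_array must contain at least one entry"; // hypothetical rule
        if (body.ExpOffsetSeconds is < -86400 or > 86400)
            return "exp_offset_seconds out of range"; // hypothetical guard for skew probes
        return null;
    }

    // Claim shaping: `permissions` is a JSON string for the single-value form and a JSON
    // array for permissions_array, so a multi-value test sees a real array claim.
    public static Dictionary<string, object> BuildClaims(SignBody body, DateTimeOffset now)
    {
        var claims = new Dictionary<string, object>();
        if (body.Iss is not null) claims["iss"] = body.Iss;
        if (body.Aud is not null) claims["aud"] = body.Aud;
        if (body.Sub is not null) claims["sub"] = body.Sub;
        if (body.Permissions is not null) claims["permissions"] = body.Permissions;
        else if (body.PermissionsArray is not null) claims["permissions"] = body.PermissionsArray;
        claims["iat"] = now.ToUnixTimeSeconds();
        // A negative offset deliberately mints an already-expired token for skew tests;
        // 300 s is this example's default lifetime.
        claims["exp"] = now.AddSeconds(body.ExpOffsetSeconds ?? 300).ToUnixTimeSeconds();
        return claims;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed requests: single-value, multi-value, both set (must be rejected) and
        // a token dated 45 s in the past, i.e. outside a 30 s clock-skew allowance.
        string[] requests =
        {
            """{"iss":"https://jwks-mock.example","aud":"missions","permissions":"missions:read"}""",
            """{"iss":"https://jwks-mock.example","aud":"missions","permissions_array":["missions:read","missions:write"]}""",
            """{"permissions":"missions:read","permissions_array":["missions:write"]}""",
            """{"aud":"missions","exp_offset_seconds":-45}""",
        };
        var now = DateTimeOffset.UtcNow;
        foreach (var json in requests)
        {
            var body = JsonSerializer.Deserialize(json, SignBodyContext.Default.SignBody)!;
            var error = SignBodyContract.Validate(body);
            if (error is not null)
            {
                Console.WriteLine($"400 {error}");
                continue;
            }
            // The reflection-based serialiser is fine for printing a demo payload; the
            // mock would hand these claims to its signer instead.
            Console.WriteLine(JsonSerializer.Serialize(SignBodyContract.BuildClaims(body, now)));
        }
    }
}
```

The third request is the case a test author can get wrong by accident; rejecting it with a 400 rather than silently preferring one field keeps a test that sent both from passing for the wrong reason.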
@@ -34,6 +34,7 @@ public static class SignEndpoint
Audience: body.Aud,
ExpOffsetSeconds: body.ExpOffsetSeconds,
Permissions: body.Permissions,
PermissionsArray: body.PermissionsArray,
Subject: body.Sub,
AlgOverride: body.AlgOverride,
KidOverride: body.KidOverride));
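Review bot: the new PermissionsArray argument is forwarded next to Permissions with no mutual-exclusion check at this call site, although the commit message and the SignBody comment say at most one may be set per request; reject a body with both non-null before building the sign request, e.g. `if (body.Permissions is not null && body.PermissionsArray is not null) return Results.BadRequest("permissions and permissions_array are mutually exclusive");`, so the mock cannot silently prefer one field and let a test that sent both pass for the wrong reason.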
@@ -46,12 +47,18 @@ public static class SignEndpoint
}
}
// permissions vs permissions_array: NFT-SEC-06 multi-value (AC-7) requires the
// mock to emit a JSON-array `permissions` claim. Splitting the field on the
// wire keeps SignBody compatible with System.Text.Json source generation
// (a single JsonElement field would defeat the AOT-friendly SignBodyContext).
// At most one of the two fields may be set per request.
public sealed record SignBody(
[property: JsonPropertyName("iss")] string? Iss = null,
[property: JsonPropertyName("aud")] string? Aud = null,
[property: JsonPropertyName("sub")] string? Sub = null,
[property: JsonPropertyName("exp_offset_seconds")] int? ExpOffsetSeconds = null,
[property: JsonPropertyName("permissions")] string? Permissions = null,
[property: JsonPropertyName("permissions_array")] string[]? PermissionsArray = null,
[property: JsonPropertyName("alg_override")] string? AlgOverride = null,
[property: JsonPropertyName("kid_override")] string? KidOverride = null);
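Review bot: the rule "At most one of the two fields may be set per request" is stated only in the comment and nothing in the record enforces it; either validate it where SignBody is consumed or add a guard the record can own (a `Validate()` member or a constructor check throwing on both non-null) so the contract is not purely documentary. The comment should also say what the mock emits for each form (a string `permissions` claim for `permissions`, a JSON-array `permissions` claim for `permissions_array`) and what an empty `permissions_array` produces, since that is exactly what a reader of the NFT-SEC-06 test needs to know about the token under test.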