azaion/missions
1
0
Fork 0
mirror of https://github.com/azaion/missions.git synced 2026-06-22 21:41:07 +00:00
Code Issues Packages Projects Releases Wiki Activity

Enhance test infrastructure and configuration for JWKS and Docker setup
ci/woodpecker/push/build-arm Pipeline was successful
Details

Browse Source 
- Updated Azaion.Missions.csproj to exclude test sources from service compilation, preventing build failures due to test project dependencies.
- Modified docker-compose.test.yml to preload the pg_stat_statements extension for testing and adjusted JWT refresh intervals for better test execution timing.
- Enhanced Dockerfile to install wget for health checks and ensure proper initialization of the container.
- Introduced a test-only endpoint for JWKS refresh to facilitate end-to-end testing without relying on the default refresh intervals.
- Updated DTOs in ApiDtos.cs to reflect camelCase naming conventions for consistency with service responses.
- Improved test cases to handle JWKS rotation and refresh scenarios effectively, ensuring robust validation of JWT handling.

This commit lays the groundwork for more reliable and efficient testing of the Azaion.Missions project.
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-16 10:20:38 +03:00
parent 001e80fe96
commit 3398ec49a0
29 changed files with 785 additions and 111 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Azaion.Missions.E2E.Tests/Tests/Security/CrossCuttingTests.cs
+13 -6
View File
@@ -30,7 +30,8 @@ public sealed class CrossCuttingTests : TestBase, IClassFixture<DbResetFixture>
// 401 long before reaching the endpoint).
var expired = await Tokens.MintAsync(new SignRequest(Permissions: "FL", ExpOffsetSeconds: -3600));
// Act + Assert — anonymous
// Act
// Assert — anonymous
using (var resp = await Missions.GetAsync("/health"))
{
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
@@ -59,10 +60,14 @@ public sealed class CrossCuttingTests : TestBase, IClassFixture<DbResetFixture>
Seeds.Apply(Seeds.Three_BR01_BR02_MQ9.Sql);
var token = await Tokens.MintDefaultAsync();
// Act + Assert — OR '1'='1 should NOT short-circuit to "all rows".
// Act
// Assert — OR '1'='1 should NOT short-circuit to "all rows".
// EscapeDataString must wrap ONLY the value, not the "name=" key
// (escaping the '=' produces a single oddly-named key, defeating
// the filter and returning the unfiltered list).
using (var req = new HttpRequestMessage(
HttpMethod.Get,
"/vehicles?" + Uri.EscapeDataString("name=' OR '1'='1")))
"/vehicles?name=" + Uri.EscapeDataString("' OR '1'='1")))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var resp = await Missions.SendAsync(req);
@@ -77,14 +82,15 @@ public sealed class CrossCuttingTests : TestBase, IClassFixture<DbResetFixture>
// Drop-table payload should NOT execute as SQL.
using (var req = new HttpRequestMessage(
HttpMethod.Get,
"/missions?" + Uri.EscapeDataString("name=; DROP TABLE vehicles; --")))
"/missions?name=" + Uri.EscapeDataString("; DROP TABLE vehicles; --")))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
var raw = await resp.Content.ReadAsStringAsync();
using var doc = JsonDocument.Parse(raw);
Assert.True(doc.RootElement.TryGetProperty("TotalCount", out var totalEl));
// CARRY-FORWARD (json-camelcase-vs-pascalcase): envelope is camelCase.
Assert.True(doc.RootElement.TryGetProperty("totalCount", out var totalEl));
Assert.Equal(0, totalEl.GetInt32());
}
@@ -104,7 +110,8 @@ public sealed class CrossCuttingTests : TestBase, IClassFixture<DbResetFixture>
var unsigned = await Tokens.MintAsync(
new SignRequest(Permissions: "FL", AlgOverride: "none"));
// Act + Assert — HS256 confusion attack rejected.
// Act
// Assert — HS256 confusion attack rejected.
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", hs256.Jwt);