mirror of
https://github.com/azaion/missions.git
synced 2026-06-22 12:41:07 +00:00
[AZ-576] Add e2e test infrastructure (xUnit + jwks-mock + reporting)
ci/woodpecker/push/build-arm Pipeline failed
ci/woodpecker/push/build-arm Pipeline failed
Scaffold the blackbox test project the rest of epic AZ-575 (AZ-577..AZ-586) will build on. Two new csprojs under tests/, plus the TLS materials and TRX->CSV reporting hand-off the existing docker-compose.test.yml already calls for. JWKS mock (tests/Azaion.Missions.JwksMock/): - ASP.NET Core minimal API on .NET 10, no NuGet deps; JWS is hand-rolled to keep the surface tight and avoid version drift with the SUT - KeyStore with one in-memory ECDSA P-256 keypair + retired-key grace window for NFT-RES-07 / NFT-SEC-11 rotation observability - Endpoints: GET /.well-known/jwks.json, POST /sign, POST /rotate-key - Mock-only alg_override / kid_override switches drive NFT-SEC-09/10/11 - TLS keypair committed under tls/; tests/jwks-mock-ca.crt is a copy mounted into both missions and e2e-consumer per docker-compose.test.yml E2E consumer (tests/Azaion.Missions.E2E.Tests/): - xUnit 2.9.2 + Bogus 35.6.1 + Npgsql 10.0.2 + Xunit.SkippableFact 1.4.13 - TestBase / TokenMinter scaffolding for downstream tasks - Fixtures/ for DbReset, DbSeed, ComposeRestart, JwksRotate, JwksMockReverse - Helpers/ for DbAssertions (side-channel), HttpAssertions, FixtureSql - 8 Tests/<category>/Sanity.cs discovery smoke tests (AC-3) - Tests/InfrastructureSanity.cs SkippableFacts for AC-1/2/5/6 - Tests/AaaPatternEnforcement.cs greps source files for AC-7 - Tests/Reporting/TrxToCsvPostProcessorTests.cs covers AC-4 - Reporting/TrxToCsvPostProcessor.cs handles VSTest TRX -> environment.md CSV; xUnit traits are not propagated by the TRX logger so the converter reflects them out of the test DLL via GetCustomAttributesData - Reporting.Cli/ is a separate console csproj that links the converter source files (test project excludes Reporting.Cli/** from compile) - Dockerfile + entrypoint.sh wire dotnet test -> trx -> csv inside the e2e-consumer container the compose file already references Local verification: 13 pass, 3 skip (with explicit reasons), 0 fail. End-to-end TRX->CSV manually verified against environment.md header spec. Docker stack build is handed off to autodev Step 7 (test-run skill). Reports under _docs/03_implementation/. AZ-576 task spec moved to _docs/tasks/done/. Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
@@ -0,0 +1,48 @@
|
||||
using System.Security.Cryptography;
|
||||
using System.Text.Json.Nodes;
|
||||
using Azaion.Missions.JwksMock.Services;
|
||||
|
||||
namespace Azaion.Missions.JwksMock.Endpoints;
|
||||
|
||||
public static class JwksEndpoint
|
||||
{
|
||||
/// <summary>
|
||||
/// <c>GET /.well-known/jwks.json</c>. Mirrors the shape the production
|
||||
/// admin issuer publishes — JsonWebKey 'kty=EC, crv=P-256, alg=ES256,
|
||||
/// use=sig' with base64url x/y coordinates.
|
||||
/// </summary>
|
||||
public static IResult Handle(KeyStore keys)
|
||||
{
|
||||
var keysArray = new JsonArray();
|
||||
foreach (var key in keys.PublishedKeys())
|
||||
{
|
||||
var p = key.Ec.ExportParameters(includePrivateParameters: false);
|
||||
keysArray.Add(new JsonObject
|
||||
{
|
||||
["kty"] = "EC",
|
||||
["use"] = "sig",
|
||||
["alg"] = "ES256",
|
||||
["crv"] = "P-256",
|
||||
["kid"] = key.Kid,
|
||||
["x"] = Base64Url.Encode(p.Q.X!),
|
||||
["y"] = Base64Url.Encode(p.Q.Y!)
|
||||
});
|
||||
}
|
||||
|
||||
var doc = new JsonObject { ["keys"] = keysArray };
|
||||
return Results.Json(doc, statusCode: 200, contentType: "application/json")
|
||||
.WithCacheControl("public, max-age=60");
|
||||
}
|
||||
|
||||
private static IResult WithCacheControl(this IResult result, string value) =>
|
||||
new CacheControlResult(result, value);
|
||||
|
||||
private sealed class CacheControlResult(IResult inner, string cacheControl) : IResult
|
||||
{
|
||||
public Task ExecuteAsync(HttpContext httpContext)
|
||||
{
|
||||
httpContext.Response.Headers.CacheControl = cacheControl;
|
||||
return inner.ExecuteAsync(httpContext);
|
||||
}
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,17 @@
|
||||
using Azaion.Missions.JwksMock.Services;
|
||||
|
||||
namespace Azaion.Missions.JwksMock.Endpoints;
|
||||
|
||||
public static class RotateKeyEndpoint
|
||||
{
|
||||
/// <summary>
|
||||
/// <c>POST /rotate-key</c>. Generates a new active ECDSA P-256 keypair,
|
||||
/// retires the previous active key for <c>OldKeyGraceSeconds</c>, returns
|
||||
/// the new <c>kid</c>.
|
||||
/// </summary>
|
||||
public static IResult Handle(KeyStore keys)
|
||||
{
|
||||
var newKey = keys.Rotate();
|
||||
return Results.Json(new { kid = newKey.Kid });
|
||||
}
|
||||
}
|
||||
@@ -0,0 +1,65 @@
|
||||
using System.Text.Json;
|
||||
using System.Text.Json.Serialization;
|
||||
using Azaion.Missions.JwksMock.Services;
|
||||
|
||||
namespace Azaion.Missions.JwksMock.Endpoints;
|
||||
|
||||
public static class SignEndpoint
|
||||
{
|
||||
/// <summary>
|
||||
/// <c>POST /sign</c>. Body is a small JSON object documented in
|
||||
/// <c>_docs/02_document/tests/test-data.md § JWKS mock token-minting contract</c>.
|
||||
/// All fields optional; omitted fields fall back to mock defaults.
|
||||
/// </summary>
|
||||
public static async Task<IResult> Handle(HttpContext ctx, TokenSigner signer)
|
||||
{
|
||||
SignBody? body;
|
||||
try
|
||||
{
|
||||
body = await JsonSerializer.DeserializeAsync(
|
||||
ctx.Request.Body,
|
||||
SignBodyContext.Default.SignBody,
|
||||
ctx.RequestAborted);
|
||||
}
|
||||
catch (JsonException ex)
|
||||
{
|
||||
return Results.BadRequest(new { error = "invalid_json", detail = ex.Message });
|
||||
}
|
||||
body ??= new SignBody();
|
||||
|
||||
try
|
||||
{
|
||||
var result = signer.Sign(new SignRequest(
|
||||
Issuer: body.Iss,
|
||||
Audience: body.Aud,
|
||||
ExpOffsetSeconds: body.ExpOffsetSeconds,
|
||||
Permissions: body.Permissions,
|
||||
Subject: body.Sub,
|
||||
AlgOverride: body.AlgOverride,
|
||||
KidOverride: body.KidOverride));
|
||||
return Results.Json(new SignResponse(result.Token, result.Kid), SignBodyContext.Default.SignResponse);
|
||||
}
|
||||
catch (ArgumentException ex)
|
||||
{
|
||||
return Results.BadRequest(new { error = "invalid_arg", detail = ex.Message });
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
public sealed record SignBody(
|
||||
[property: JsonPropertyName("iss")] string? Iss = null,
|
||||
[property: JsonPropertyName("aud")] string? Aud = null,
|
||||
[property: JsonPropertyName("sub")] string? Sub = null,
|
||||
[property: JsonPropertyName("exp_offset_seconds")] int? ExpOffsetSeconds = null,
|
||||
[property: JsonPropertyName("permissions")] string? Permissions = null,
|
||||
[property: JsonPropertyName("alg_override")] string? AlgOverride = null,
|
||||
[property: JsonPropertyName("kid_override")] string? KidOverride = null);
|
||||
|
||||
public sealed record SignResponse(
|
||||
[property: JsonPropertyName("token")] string Token,
|
||||
[property: JsonPropertyName("kid")] string Kid);
|
||||
|
||||
[JsonSerializable(typeof(SignBody))]
|
||||
[JsonSerializable(typeof(SignResponse))]
|
||||
[JsonSourceGenerationOptions(PropertyNamingPolicy = JsonKnownNamingPolicy.SnakeCaseLower)]
|
||||
internal sealed partial class SignBodyContext : JsonSerializerContext;
|
||||
Reference in New Issue
Block a user