mirror of
https://github.com/azaion/missions.git
synced 2026-06-21 14:21:07 +00:00
Oleksandr Bezdieniezhnykh
24c4561bef
Batch 3 of test implementation cycle 1 (existing-code Step 6). - AZ-581 AuthClaimsTests: NFT-SEC-01..06+04b (foreign-keypair, byte-flip, 30s skew, iss/aud/perms, multi-value permissions array). - AZ-582 CrossCutting/ErrorRedaction/JwksRotation/StartupConfig/CorsConfig: NFT-SEC-07..13 (alg pin, kid rotation grace window, env fail-fast, CORS Production gate). - AZ-583 CascadeF3/CascadeF4/MigratorRestart: NFT-RES-01..04. CascadeF4 pins current walk-order divergence with carry_forward AC-4.6. - AZ-584 ConfigDbStartup/JwksRotationNoRestart/DefaultVehicleRace: NFT-RES-05..08. NFT-RES-08 pins current behaviour (unique-index closes the race) with carry_forward AC-1.4. Mock contract: SignBody accepts permissions OR permissions_array (mutually exclusive). TokenSigner validates kid_override against published keys so NFT-SEC-11 can assert "mock refuses old kid post-grace". Helpers added: ForeignKeypair (test-only ECDSA P-256), MissionsContainerHelper (docker-run wrapper for startup-time scenarios), DockerLogs. 7 of 22 new tests are Skippable, gated on COMPOSE_RESTART_ENABLED + docker CLI in the e2e-consumer image (explicit skip reason; no silent pass). Build green: test csproj + jwks-mock csproj. Co-authored-by: Cursor <cursoragent@cursor.com>
71 lines
2.5 KiB
C#
71 lines
2.5 KiB
C#
using System.Security.Cryptography;
|
|
using System.Text;
|
|
using System.Text.Json;
|
|
using System.Text.Json.Nodes;
|
|
|
|
namespace Azaion.Missions.E2E.Helpers;
|
|
|
|
/// <summary>
|
|
/// Test-only ECDSA P-256 signer used by NFT-SEC-02 to mint a token signed by
|
|
/// a keypair the JWKS endpoint never published. This is the ONE in-test
|
|
/// signing path allowed by the task spec — every other test mints via the
|
|
/// jwks-mock <c>POST /sign</c> endpoint.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// The private key lives entirely in the test process and is disposed with
|
|
/// the helper. The wire shape mirrors <c>JwksMock.TokenSigner</c> (JWS-compact
|
|
/// ES256) so the only thing that differs from a "real" mock-minted token is
|
|
/// the signing key — defeating any IssuerSigningKeyResolver that fails to
|
|
/// match <c>kid</c> against the published JWKS.
|
|
/// </remarks>
|
|
public sealed class ForeignKeypair : IDisposable
|
|
{
|
|
private readonly ECDsa _ec;
|
|
private readonly string _kid;
|
|
|
|
public ForeignKeypair()
|
|
{
|
|
_ec = ECDsa.Create(ECCurve.NamedCurves.nistP256);
|
|
// Deterministic kid that is clearly NOT what jwks-mock issues
|
|
// (mock kids are base64url SHA-256 hashes; this label is plain ASCII).
|
|
_kid = "foreign-keypair-not-in-jwks";
|
|
}
|
|
|
|
public string Mint(string issuer, string audience, string permissions, int expOffsetSeconds = 3600)
|
|
{
|
|
var nowUnix = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
|
|
var expUnix = nowUnix + expOffsetSeconds;
|
|
|
|
var header = new JsonObject
|
|
{
|
|
["alg"] = "ES256",
|
|
["kid"] = _kid,
|
|
["typ"] = "JWT"
|
|
};
|
|
var payload = new JsonObject
|
|
{
|
|
["iss"] = issuer,
|
|
["aud"] = audience,
|
|
["iat"] = nowUnix,
|
|
["exp"] = expUnix,
|
|
["permissions"] = permissions
|
|
};
|
|
|
|
var headerSeg = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(header));
|
|
var payloadSeg = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(payload));
|
|
var signingInput = Encoding.ASCII.GetBytes($"{headerSeg}.{payloadSeg}");
|
|
var signature = _ec.SignData(signingInput, HashAlgorithmName.SHA256,
|
|
DSASignatureFormat.IeeeP1363FixedFieldConcatenation);
|
|
var sigSeg = Base64UrlEncode(signature);
|
|
return $"{headerSeg}.{payloadSeg}.{sigSeg}";
|
|
}
|
|
|
|
public void Dispose() => _ec.Dispose();
|
|
|
|
private static string Base64UrlEncode(ReadOnlySpan<byte> bytes)
|
|
{
|
|
var b64 = Convert.ToBase64String(bytes);
|
|
return b64.Replace('+', '-').Replace('/', '_').TrimEnd('=');
|
|
}
|
|
}
|