mirror of
https://github.com/azaion/missions.git
synced 2026-06-21 15:51:08 +00:00
Oleksandr Bezdieniezhnykh
3398ec49a0
ci/woodpecker/push/build-arm Pipeline was successful
- Updated Azaion.Missions.csproj to exclude test sources from service compilation, preventing build failures due to test project dependencies. - Modified docker-compose.test.yml to preload the pg_stat_statements extension for testing and adjusted JWT refresh intervals for better test execution timing. - Enhanced Dockerfile to install wget for health checks and ensure proper initialization of the container. - Introduced a test-only endpoint for JWKS refresh to facilitate end-to-end testing without relying on the default refresh intervals. - Updated DTOs in ApiDtos.cs to reflect camelCase naming conventions for consistency with service responses. - Improved test cases to handle JWKS rotation and refresh scenarios effectively, ensuring robust validation of JWT handling. This commit lays the groundwork for more reliable and efficient testing of the Azaion.Missions project.
141 lines
5.9 KiB
C#
141 lines
5.9 KiB
C#
using System.Net;
|
|
using System.Net.Http.Headers;
|
|
using System.Net.Http.Json;
|
|
using System.Text.Json;
|
|
using Azaion.Missions.E2E.Fixtures;
|
|
using Azaion.Missions.E2E.Helpers;
|
|
using Npgsql;
|
|
using Xunit;
|
|
|
|
namespace Azaion.Missions.E2E.Tests.Security;
|
|
|
|
/// <summary>
|
|
/// NFT-SEC-07 (health anonymous), NFT-SEC-09 (SQL-injection guard),
|
|
/// NFT-SEC-10 (alg-pin) — fast cross-cutting security checks that share a
|
|
/// happy-path stack and need no destructive teardown.
|
|
/// Traces: AC-7.1, AC-9.4, AC-1.6, AC-2.3 (defensive), AC-5.1, AC-5.10.
|
|
/// </summary>
|
|
[Collection("SecurityCrossCutting")]
|
|
[Trait("Category", "Sec")]
|
|
[Trait("db_access", "seed-or-assert-only")]
|
|
public sealed class CrossCuttingTests : TestBase, IClassFixture<DbResetFixture>
|
|
{
|
|
[Fact]
|
|
[Trait("Traces", "AC-7.1,AC-9.4")]
|
|
[Trait("max_ms", "5000")]
|
|
public async Task NFT_SEC_07_health_is_anonymous_and_accepts_expired_token()
|
|
{
|
|
// Arrange — anonymous case + expired-token case prove the auth
|
|
// pipeline does NOT run for /health (an expired token would otherwise
|
|
// 401 long before reaching the endpoint).
|
|
var expired = await Tokens.MintAsync(new SignRequest(Permissions: "FL", ExpOffsetSeconds: -3600));
|
|
|
|
// Act
|
|
// Assert — anonymous
|
|
using (var resp = await Missions.GetAsync("/health"))
|
|
{
|
|
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
|
|
var body = await resp.Content.ReadFromJsonAsync<JsonElement>();
|
|
Assert.Equal("healthy", body.GetProperty("status").GetString());
|
|
}
|
|
|
|
// Expired token
|
|
using (var req = new HttpRequestMessage(HttpMethod.Get, "/health"))
|
|
{
|
|
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", expired.Jwt);
|
|
using var resp = await Missions.SendAsync(req);
|
|
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
|
|
var body = await resp.Content.ReadFromJsonAsync<JsonElement>();
|
|
Assert.Equal("healthy", body.GetProperty("status").GetString());
|
|
}
|
|
}
|
|
|
|
[Fact]
|
|
[Trait("Traces", "AC-1.6,AC-2.3")]
|
|
[Trait("max_ms", "5000")]
|
|
public async Task NFT_SEC_09_sql_injection_payloads_are_treated_as_literal_strings()
|
|
{
|
|
// Arrange
|
|
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
|
|
Seeds.Apply(Seeds.Three_BR01_BR02_MQ9.Sql);
|
|
var token = await Tokens.MintDefaultAsync();
|
|
|
|
// Act
|
|
// Assert — OR '1'='1 should NOT short-circuit to "all rows".
|
|
// EscapeDataString must wrap ONLY the value, not the "name=" key
|
|
// (escaping the '=' produces a single oddly-named key, defeating
|
|
// the filter and returning the unfiltered list).
|
|
using (var req = new HttpRequestMessage(
|
|
HttpMethod.Get,
|
|
"/vehicles?name=" + Uri.EscapeDataString("' OR '1'='1")))
|
|
{
|
|
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
|
|
using var resp = await Missions.SendAsync(req);
|
|
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
|
|
var raw = await resp.Content.ReadAsStringAsync();
|
|
using var doc = JsonDocument.Parse(raw);
|
|
Assert.Equal(JsonValueKind.Array, doc.RootElement.ValueKind);
|
|
// The literal "'OR'1'='1" never matches any vehicle name.
|
|
Assert.Equal(0, doc.RootElement.GetArrayLength());
|
|
}
|
|
|
|
// Drop-table payload should NOT execute as SQL.
|
|
using (var req = new HttpRequestMessage(
|
|
HttpMethod.Get,
|
|
"/missions?name=" + Uri.EscapeDataString("; DROP TABLE vehicles; --")))
|
|
{
|
|
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
|
|
using var resp = await Missions.SendAsync(req);
|
|
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
|
|
var raw = await resp.Content.ReadAsStringAsync();
|
|
using var doc = JsonDocument.Parse(raw);
|
|
// CARRY-FORWARD (json-camelcase-vs-pascalcase): envelope is camelCase.
|
|
Assert.True(doc.RootElement.TryGetProperty("totalCount", out var totalEl));
|
|
Assert.Equal(0, totalEl.GetInt32());
|
|
}
|
|
|
|
// Side-channel: vehicles table still exists.
|
|
var oid = ScalarToRegclass("vehicles");
|
|
Assert.NotNull(oid);
|
|
}
|
|
|
|
[Fact]
|
|
[Trait("Traces", "AC-5.1,AC-5.10")]
|
|
[Trait("max_ms", "5000")]
|
|
public async Task NFT_SEC_10_alg_pin_rejects_HS256_confusion_and_unsigned_tokens()
|
|
{
|
|
// Arrange — both attack shapes carry valid claims; only `alg` differs.
|
|
var hs256 = await Tokens.MintAsync(
|
|
new SignRequest(Permissions: "FL", AlgOverride: "HS256"));
|
|
var unsigned = await Tokens.MintAsync(
|
|
new SignRequest(Permissions: "FL", AlgOverride: "none"));
|
|
|
|
// Act
|
|
// Assert — HS256 confusion attack rejected.
|
|
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
|
|
{
|
|
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", hs256.Jwt);
|
|
using var resp = await Missions.SendAsync(req);
|
|
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
|
|
}
|
|
|
|
// alg:none unsigned token rejected.
|
|
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
|
|
{
|
|
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", unsigned.Jwt);
|
|
using var resp = await Missions.SendAsync(req);
|
|
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
|
|
}
|
|
}
|
|
|
|
private static string? ScalarToRegclass(string table)
|
|
{
|
|
using var conn = new NpgsqlConnection(TestEnvironment.DbSideChannel);
|
|
conn.Open();
|
|
using var cmd = conn.CreateCommand();
|
|
cmd.CommandText = "SELECT to_regclass(@t)::TEXT";
|
|
cmd.Parameters.AddWithValue("t", table);
|
|
return cmd.ExecuteScalar() as string;
|
|
}
|
|
}
|