mirror of
https://github.com/azaion/missions.git
synced 2026-06-21 20:11:08 +00:00
Oleksandr Bezdieniezhnykh
24c4561bef
Batch 3 of test implementation cycle 1 (existing-code Step 6). - AZ-581 AuthClaimsTests: NFT-SEC-01..06+04b (foreign-keypair, byte-flip, 30s skew, iss/aud/perms, multi-value permissions array). - AZ-582 CrossCutting/ErrorRedaction/JwksRotation/StartupConfig/CorsConfig: NFT-SEC-07..13 (alg pin, kid rotation grace window, env fail-fast, CORS Production gate). - AZ-583 CascadeF3/CascadeF4/MigratorRestart: NFT-RES-01..04. CascadeF4 pins current walk-order divergence with carry_forward AC-4.6. - AZ-584 ConfigDbStartup/JwksRotationNoRestart/DefaultVehicleRace: NFT-RES-05..08. NFT-RES-08 pins current behaviour (unique-index closes the race) with carry_forward AC-1.4. Mock contract: SignBody accepts permissions OR permissions_array (mutually exclusive). TokenSigner validates kid_override against published keys so NFT-SEC-11 can assert "mock refuses old kid post-grace". Helpers added: ForeignKeypair (test-only ECDSA P-256), MissionsContainerHelper (docker-run wrapper for startup-time scenarios), DockerLogs. 7 of 22 new tests are Skippable, gated on COMPOSE_RESTART_ENABLED + docker CLI in the e2e-consumer image (explicit skip reason; no silent pass). Build green: test csproj + jwks-mock csproj. Co-authored-by: Cursor <cursoragent@cursor.com>
60 lines
2.3 KiB
C#
60 lines
2.3 KiB
C#
using System.Net.Http.Json;
|
|
using System.Text.Json.Serialization;
|
|
|
|
namespace Azaion.Missions.E2E;
|
|
|
|
/// <summary>
|
|
/// Wraps <c>POST {jwks-mock}/sign</c>. Token signing happens ONLY inside the
|
|
/// jwks-mock container — the consumer never imports a JWT signing library.
|
|
/// </summary>
|
|
public sealed class TokenMinter : IDisposable
|
|
{
|
|
private readonly HttpClient _http;
|
|
private readonly Uri _signUrl;
|
|
|
|
public TokenMinter(string signUrl)
|
|
{
|
|
_signUrl = new Uri(signUrl);
|
|
// The jwks-mock CA is added to the container OS trust bundle by
|
|
// docker-entrypoint.sh; an HttpClient with default handler picks it up
|
|
// through OpenSSL.
|
|
_http = new HttpClient { Timeout = TimeSpan.FromSeconds(10) };
|
|
}
|
|
|
|
public Task<MintedToken> MintDefaultAsync(CancellationToken ct = default)
|
|
=> MintAsync(new SignRequest(Permissions: "FL"), ct);
|
|
|
|
public async Task<MintedToken> MintAsync(SignRequest request, CancellationToken ct = default)
|
|
{
|
|
using var response = await _http.PostAsJsonAsync(_signUrl, request, ct).ConfigureAwait(false);
|
|
response.EnsureSuccessStatusCode();
|
|
var body = await response.Content
|
|
.ReadFromJsonAsync<SignResponse>(cancellationToken: ct)
|
|
.ConfigureAwait(false);
|
|
if (body is null)
|
|
throw new InvalidOperationException("jwks-mock /sign returned an empty body");
|
|
return new MintedToken(body.Token, body.Kid);
|
|
}
|
|
|
|
public void Dispose() => _http.Dispose();
|
|
}
|
|
|
|
public sealed record SignRequest(
|
|
[property: JsonPropertyName("iss")] string? Iss = null,
|
|
[property: JsonPropertyName("aud")] string? Aud = null,
|
|
[property: JsonPropertyName("sub")] string? Sub = null,
|
|
[property: JsonPropertyName("exp_offset_seconds")] int? ExpOffsetSeconds = null,
|
|
[property: JsonPropertyName("permissions")] string? Permissions = null,
|
|
[property: JsonPropertyName("permissions_array")] string[]? PermissionsArray = null,
|
|
[property: JsonPropertyName("alg_override")] string? AlgOverride = null,
|
|
[property: JsonPropertyName("kid_override")] string? KidOverride = null);
|
|
|
|
internal sealed record SignResponse(
|
|
[property: JsonPropertyName("token")] string Token,
|
|
[property: JsonPropertyName("kid")] string Kid);
|
|
|
|
public sealed record MintedToken(string Jwt, string Kid)
|
|
{
|
|
public string AsBearer() => $"Bearer {Jwt}";
|
|
}
|