azaion/missions
1
0
Fork 0
mirror of https://github.com/azaion/missions.git synced 2026-06-21 06:41:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
24c4561bef0e07660509c2d7933c6ccf90aeef6c
missions/tests/Azaion.Missions.E2E.Tests/Helpers/ForeignKeypair.cs
T
Oleksandr Bezdieniezhnykh 24c4561bef [AZ-581] [AZ-582] [AZ-583] [AZ-584] Sec+Res NFT tests 
Batch 3 of test implementation cycle 1 (existing-code Step 6).

- AZ-581 AuthClaimsTests: NFT-SEC-01..06+04b (foreign-keypair, byte-flip,
  30s skew, iss/aud/perms, multi-value permissions array).
- AZ-582 CrossCutting/ErrorRedaction/JwksRotation/StartupConfig/CorsConfig:
  NFT-SEC-07..13 (alg pin, kid rotation grace window, env fail-fast, CORS
  Production gate).
- AZ-583 CascadeF3/CascadeF4/MigratorRestart: NFT-RES-01..04. CascadeF4
  pins current walk-order divergence with carry_forward AC-4.6.
- AZ-584 ConfigDbStartup/JwksRotationNoRestart/DefaultVehicleRace:
  NFT-RES-05..08. NFT-RES-08 pins current behaviour (unique-index closes
  the race) with carry_forward AC-1.4.

Mock contract: SignBody accepts permissions OR permissions_array (mutually
exclusive). TokenSigner validates kid_override against published keys so
NFT-SEC-11 can assert "mock refuses old kid post-grace".

Helpers added: ForeignKeypair (test-only ECDSA P-256),
MissionsContainerHelper (docker-run wrapper for startup-time scenarios),
DockerLogs.

7 of 22 new tests are Skippable, gated on COMPOSE_RESTART_ENABLED + docker
CLI in the e2e-consumer image (explicit skip reason; no silent pass).

Build green: test csproj + jwks-mock csproj.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-15 08:58:59 +03:00

71 lines
2.5 KiB
C#
Raw Blame History

using System.Security.Cryptography;
using System.Text;
using System.Text.Json;
using System.Text.Json.Nodes;
namespace Azaion.Missions.E2E.Helpers;
/// <summary>
/// Test-only ECDSA P-256 signer used by NFT-SEC-02 to mint a token signed by
/// a keypair the JWKS endpoint never published. This is the ONE in-test
/// signing path allowed by the task spec — every other test mints via the
/// jwks-mock <c>POST /sign</c> endpoint.
/// </summary>
/// <remarks>
/// The private key lives entirely in the test process and is disposed with
/// the helper. The wire shape mirrors <c>JwksMock.TokenSigner</c> (JWS-compact
/// ES256) so the only thing that differs from a "real" mock-minted token is
/// the signing key — defeating any IssuerSigningKeyResolver that fails to
/// match <c>kid</c> against the published JWKS.
/// </remarks>
public sealed class ForeignKeypair : IDisposable
{
private readonly ECDsa _ec;
private readonly string _kid;
public ForeignKeypair()
{
_ec = ECDsa.Create(ECCurve.NamedCurves.nistP256);
// Deterministic kid that is clearly NOT what jwks-mock issues
// (mock kids are base64url SHA-256 hashes; this label is plain ASCII).
_kid = "foreign-keypair-not-in-jwks";
}
public string Mint(string issuer, string audience, string permissions, int expOffsetSeconds = 3600)
{
var nowUnix = DateTimeOffset.UtcNow.ToUnixTimeSeconds();
var expUnix = nowUnix + expOffsetSeconds;
var header = new JsonObject
{
["alg"] = "ES256",
["kid"] = _kid,
["typ"] = "JWT"
};
var payload = new JsonObject
{
["iss"] = issuer,
["aud"] = audience,
["iat"] = nowUnix,
["exp"] = expUnix,
["permissions"] = permissions
};
var headerSeg = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(header));
var payloadSeg = Base64UrlEncode(JsonSerializer.SerializeToUtf8Bytes(payload));
var signingInput = Encoding.ASCII.GetBytes($"{headerSeg}.{payloadSeg}");
var signature = _ec.SignData(signingInput, HashAlgorithmName.SHA256,
DSASignatureFormat.IeeeP1363FixedFieldConcatenation);
var sigSeg = Base64UrlEncode(signature);
return $"{headerSeg}.{payloadSeg}.{sigSeg}";
}
public void Dispose() => _ec.Dispose();
private static string Base64UrlEncode(ReadOnlySpan<byte> bytes)
{
var b64 = Convert.ToBase64String(bytes);
return b64.Replace('+', '-').Replace('/', '_').TrimEnd('=');
}
}
Reference in New Issue View Git Blame Copy Permalink