azaion/missions
1
0
Fork 0
mirror of https://github.com/azaion/missions.git synced 2026-06-21 06:41:07 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
24c4561bef0e07660509c2d7933c6ccf90aeef6c
missions/tests/Azaion.Missions.E2E.Tests/Tests/Security/AuthClaimsTests.cs
T
Oleksandr Bezdieniezhnykh 24c4561bef [AZ-581] [AZ-582] [AZ-583] [AZ-584] Sec+Res NFT tests 
Batch 3 of test implementation cycle 1 (existing-code Step 6).

- AZ-581 AuthClaimsTests: NFT-SEC-01..06+04b (foreign-keypair, byte-flip,
  30s skew, iss/aud/perms, multi-value permissions array).
- AZ-582 CrossCutting/ErrorRedaction/JwksRotation/StartupConfig/CorsConfig:
  NFT-SEC-07..13 (alg pin, kid rotation grace window, env fail-fast, CORS
  Production gate).
- AZ-583 CascadeF3/CascadeF4/MigratorRestart: NFT-RES-01..04. CascadeF4
  pins current walk-order divergence with carry_forward AC-4.6.
- AZ-584 ConfigDbStartup/JwksRotationNoRestart/DefaultVehicleRace:
  NFT-RES-05..08. NFT-RES-08 pins current behaviour (unique-index closes
  the race) with carry_forward AC-1.4.

Mock contract: SignBody accepts permissions OR permissions_array (mutually
exclusive). TokenSigner validates kid_override against published keys so
NFT-SEC-11 can assert "mock refuses old kid post-grace".

Helpers added: ForeignKeypair (test-only ECDSA P-256),
MissionsContainerHelper (docker-run wrapper for startup-time scenarios),
DockerLogs.

7 of 22 new tests are Skippable, gated on COMPOSE_RESTART_ENABLED + docker
CLI in the e2e-consumer image (explicit skip reason; no silent pass).

Build green: test csproj + jwks-mock csproj.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-15 08:58:59 +03:00

236 lines
9.4 KiB
C#
Raw Blame History

using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using Azaion.Missions.E2E.Fixtures;
using Azaion.Missions.E2E.Helpers;
using Xunit;
namespace Azaion.Missions.E2E.Tests.Security;
/// <summary>
/// NFT-SEC-01..06 + 04b — JWT authn/authz scenarios from
/// <c>_docs/02_document/tests/security-tests.md</c>.
/// Traces: AC-5.2..AC-5.6, AC-5.8, AC-5.11, AC-5.12, AC-9.1, AC-9.2.
/// </summary>
[Collection("SecurityAuthClaims")]
[Trait("Category", "Sec")]
[Trait("db_access", "seed-or-assert-only")]
public sealed class AuthClaimsTests : TestBase, IClassFixture<DbResetFixture>
{
[Fact]
[Trait("Traces", "AC-5.4")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_01_missing_authorization_header_rejects_protected_endpoints_with_401_and_no_db_write()
{
// Arrange
DbResetFixture.ResetDatabase(TestEnvironment.DbSideChannel);
Seeds.Apply(Seeds.OneDefaultVehicle.Sql);
var anyMissionId = Guid.NewGuid();
var preCount = DbAssertions.TableRowCount("vehicles");
// Act + Assert — GET /vehicles
using (var resp = await Missions.GetAsync("/vehicles"))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
using (var resp = await Missions.GetAsync("/missions"))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
using (var resp = await Missions.GetAsync($"/missions/{anyMissionId}/waypoints"))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
var postBody = new
{
Type = 0,
Model = "Bayraktar",
Name = "BR-noauth",
FuelType = 1,
BatteryCapacity = 0,
EngineConsumption = 5,
EngineConsumptionIdle = 1,
IsDefault = false
};
using (var post = new HttpRequestMessage(HttpMethod.Post, "/vehicles")
{
Content = JsonContent.Create(postBody)
})
using (var resp = await Missions.SendAsync(post))
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
// Assert — POST 401 did not write a row.
var postCount = DbAssertions.TableRowCount("vehicles");
Assert.Equal(preCount, postCount);
}
[Fact]
[Trait("Traces", "AC-5.5")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_02_invalid_signature_rejects_byte_flip_and_foreign_keypair_with_401()
{
// Arrange — single-byte-flip uses a mock-signed token; foreign-keypair
// uses a local ECDSA P-256 (the one in-test signing path the task
// spec permits).
var good = await Tokens.MintDefaultAsync();
var flipped = FlipFirstSignatureChar(good.Jwt);
using var foreign = new ForeignKeypair();
var foreignJwt = foreign.Mint(
TestEnvironment.JwtIssuer, TestEnvironment.JwtAudience, "FL");
// Act + Assert — flipped signature
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", flipped);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
// Act + Assert — foreign keypair token (kid not in JWKS).
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", foreignJwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
}
[Fact]
[Trait("Traces", "AC-5.2,AC-5.6")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_03_clock_skew_30s_rejects_minus_60_and_accepts_minus_15()
{
// Arrange — both tokens are otherwise identical; only exp differs.
var expiredBeyondSkew = await Tokens.MintAsync(
new SignRequest(Permissions: "FL", ExpOffsetSeconds: -60));
var expiredWithinSkew = await Tokens.MintAsync(
new SignRequest(Permissions: "FL", ExpOffsetSeconds: -15));
// Act + Assert — outside the 30s skew window.
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", expiredBeyondSkew.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
// Inside the 30s skew window.
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", expiredWithinSkew.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
}
}
[Fact]
[Trait("Traces", "AC-5.3,AC-5.11")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_04_wrong_iss_rejected_default_iss_accepted()
{
// Arrange
var wrongIss = await Tokens.MintAsync(
new SignRequest(Iss: "https://attacker.example.com", Permissions: "FL"));
var defaultIss = await Tokens.MintDefaultAsync();
// Act + Assert
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", wrongIss.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
using (var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles"))
{
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", defaultIss.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
}
}
[Fact]
[Trait("Traces", "AC-5.3,AC-5.12")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_04b_wrong_aud_rejected()
{
// Arrange
var wrongAud = await Tokens.MintAsync(
new SignRequest(Aud: "wrong-audience", Permissions: "FL"));
// Act + Assert
using var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", wrongAud.Jwt);
using var resp = await Missions.SendAsync(req);
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Unauthorized);
}
[Fact]
[Trait("Traces", "AC-5.8,AC-9.1")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_05_missing_permissions_claim_returns_403()
{
// Arrange — Permissions=null + PermissionsArray=null omits the claim.
var noPermissions = await Tokens.MintAsync(new SignRequest());
// Act
using var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", noPermissions.Jwt);
using var resp = await Missions.SendAsync(req);
// Assert — authentication succeeds, authorization fails → 403 (NOT 401).
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Forbidden);
}
[Theory]
[InlineData("ADMIN")]
[InlineData("fl")]
[InlineData("FLight")]
[Trait("Traces", "AC-9.1,AC-9.2")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_06_wrong_single_permission_value_returns_403(string permissions)
{
// Arrange
var token = await Tokens.MintAsync(new SignRequest(Permissions: permissions));
// Act
using var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var resp = await Missions.SendAsync(req);
// Assert — RequireClaim("permissions","FL") is case-sensitive exact match.
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.Forbidden);
}
[Fact]
[Trait("Traces", "AC-9.1,AC-9.2")]
[Trait("max_ms", "5000")]
public async Task NFT_SEC_06_multi_value_permissions_array_accepts_when_FL_is_present()
{
// Arrange — array permissions claim; ASP.NET's JWT handler flattens
// an array claim into multiple per-value claims, so RequireClaim
// matches if ANY value equals "FL".
var token = await Tokens.MintAsync(
new SignRequest(PermissionsArray: new[] { "FL", "ADMIN" }));
// Act
using var req = new HttpRequestMessage(HttpMethod.Get, "/vehicles");
req.Headers.Authorization = new AuthenticationHeaderValue("Bearer", token.Jwt);
using var resp = await Missions.SendAsync(req);
// Assert
await HttpAssertions.AssertStatusAsync(resp, HttpStatusCode.OK);
}
private static string FlipFirstSignatureChar(string jwt)
{
var parts = jwt.Split('.');
if (parts.Length != 3)
throw new InvalidOperationException(
"expected a JWS-compact JWT with exactly 3 segments");
var sig = parts[2].ToCharArray();
// Toggle the first char between two base64url-valid letters so the
// result is still parseable but signature verification fails.
sig[0] = sig[0] == 'A' ? 'B' : 'A';
return $"{parts[0]}.{parts[1]}.{new string(sig)}";
}
}
Reference in New Issue View Git Blame Copy Permalink