azaion/missions
1
0
Fork 0
mirror of https://github.com/azaion/missions.git synced 2026-06-21 20:41:08 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
26126e621684f79969d320c1cc093b013b01d4ce
missions/tests/Azaion.Missions.JwksMock/Program.cs
T
Oleksandr Bezdieniezhnykh ccd85a09df
ci/woodpecker/push/build-arm Pipeline failed
Details
[AZ-576] Add e2e test infrastructure (xUnit + jwks-mock + reporting) 
Scaffold the blackbox test project the rest of epic AZ-575 (AZ-577..AZ-586)
will build on. Two new csprojs under tests/, plus the TLS materials and
TRX->CSV reporting hand-off the existing docker-compose.test.yml already
calls for.

JWKS mock (tests/Azaion.Missions.JwksMock/):
- ASP.NET Core minimal API on .NET 10, no NuGet deps; JWS is hand-rolled
  to keep the surface tight and avoid version drift with the SUT
- KeyStore with one in-memory ECDSA P-256 keypair + retired-key grace
  window for NFT-RES-07 / NFT-SEC-11 rotation observability
- Endpoints: GET /.well-known/jwks.json, POST /sign, POST /rotate-key
- Mock-only alg_override / kid_override switches drive NFT-SEC-09/10/11
- TLS keypair committed under tls/; tests/jwks-mock-ca.crt is a copy
  mounted into both missions and e2e-consumer per docker-compose.test.yml

E2E consumer (tests/Azaion.Missions.E2E.Tests/):
- xUnit 2.9.2 + Bogus 35.6.1 + Npgsql 10.0.2 + Xunit.SkippableFact 1.4.13
- TestBase / TokenMinter scaffolding for downstream tasks
- Fixtures/ for DbReset, DbSeed, ComposeRestart, JwksRotate, JwksMockReverse
- Helpers/ for DbAssertions (side-channel), HttpAssertions, FixtureSql
- 8 Tests/<category>/Sanity.cs discovery smoke tests (AC-3)
- Tests/InfrastructureSanity.cs SkippableFacts for AC-1/2/5/6
- Tests/AaaPatternEnforcement.cs greps source files for AC-7
- Tests/Reporting/TrxToCsvPostProcessorTests.cs covers AC-4
- Reporting/TrxToCsvPostProcessor.cs handles VSTest TRX -> environment.md
  CSV; xUnit traits are not propagated by the TRX logger so the converter
  reflects them out of the test DLL via GetCustomAttributesData
- Reporting.Cli/ is a separate console csproj that links the converter
  source files (test project excludes Reporting.Cli/** from compile)
- Dockerfile + entrypoint.sh wire dotnet test -> trx -> csv inside the
  e2e-consumer container the compose file already references

Local verification: 13 pass, 3 skip (with explicit reasons), 0 fail.
End-to-end TRX->CSV manually verified against environment.md header spec.
Docker stack build is handed off to autodev Step 7 (test-run skill).

Reports under _docs/03_implementation/.
AZ-576 task spec moved to _docs/tasks/done/.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-15 06:57:40 +03:00

61 lines
2.6 KiB
C#
Raw Blame History

using System.Security.Cryptography.X509Certificates;
using Azaion.Missions.JwksMock.Endpoints;
using Azaion.Missions.JwksMock.Services;
var builder = WebApplication.CreateBuilder(args);
// Tests source these from the compose env block (JWT_ISSUER, JWT_AUDIENCE,
// OLD_KEY_GRACE_SECONDS); appsettings.json supplies dev defaults.
var issuer = builder.Configuration["JWT_ISSUER"]
?? builder.Configuration["Jwks:Issuer"]
?? throw new InvalidOperationException("JWT_ISSUER not configured");
var audience = builder.Configuration["JWT_AUDIENCE"]
?? builder.Configuration["Jwks:Audience"]
?? throw new InvalidOperationException("JWT_AUDIENCE not configured");
var oldKeyGraceSecRaw = builder.Configuration["OLD_KEY_GRACE_SECONDS"]
?? builder.Configuration["Jwks:OldKeyGraceSeconds"]
?? "5";
var oldKeyGrace = TimeSpan.FromSeconds(int.Parse(oldKeyGraceSecRaw, System.Globalization.CultureInfo.InvariantCulture));
builder.Services.AddSingleton(TimeProvider.System);
builder.Services.AddSingleton<KeyStore>(sp => new KeyStore(oldKeyGrace, sp.GetRequiredService<TimeProvider>()));
builder.Services.AddSingleton<TokenSigner>(sp => new TokenSigner(
sp.GetRequiredService<KeyStore>(),
sp.GetRequiredService<TimeProvider>(),
issuer,
audience));
builder.WebHost.ConfigureKestrel(options =>
{
options.ListenAnyIP(8443, listen =>
{
listen.UseHttps(LoadTlsCert());
});
});
var app = builder.Build();
app.MapGet("/.well-known/jwks.json", JwksEndpoint.Handle);
app.MapPost("/sign", SignEndpoint.Handle);
app.MapPost("/rotate-key", RotateKeyEndpoint.Handle);
app.MapGet("/healthz", () => Results.Ok(new { status = "ok" }));
app.Run();
// Loads the server TLS cert + key from the build context. The same cert is
// also published as `tests/jwks-mock-ca.crt` and mounted into the missions +
// e2e-consumer containers as a trust anchor.
static X509Certificate2 LoadTlsCert()
{
var basePath = AppContext.BaseDirectory;
var crtPath = Path.Combine(basePath, "tls", "jwks-mock.crt");
var keyPath = Path.Combine(basePath, "tls", "jwks-mock.key");
if (!File.Exists(crtPath) || !File.Exists(keyPath))
throw new FileNotFoundException(
$"jwks-mock TLS materials not found. Expected:\n {crtPath}\n {keyPath}\n" +
"Run tests/Azaion.Missions.JwksMock/regen-cert.sh to regenerate.");
return X509Certificate2.CreateFromPemFile(crtPath, keyPath);
}
public partial class Program; // For WebApplicationFactory if a host-process test ever needs it.
Reference in New Issue View Git Blame Copy Permalink