mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 13:31:13 +00:00
Oleksandr Bezdieniezhnykh
f979e18811
Option B per user decision: production ships with empty Jwt.Issuer / Jwt.Audience in appsettings.json so the API process refuses to start unless JWT_ISSUER + JWT_AUDIENCE env vars are supplied. Development ships with grep-friendly DEV-ONLY- placeholders so local + docker flows keep working unchanged. AuthenticationServiceCollectionExtensions flips ValidateIssuer + ValidateAudience to true and wires ValidIssuer / ValidAudience via a new ResolveRequiredOrThrow helper that all three required values (secret, iss, aud) now share. JwtTokenFactory.Create + CreateExpired gain optional iss / aud parameters (default null) so existing call sites compile unchanged. JwtTestHelpers adds MintAuthenticated / MintExpired wrappers that resolve iss + aud from env, plus ResolveIssuerOrThrow / ResolveAudienceOrThrow. PerfBootstrap.MintToken + Program.cs JWT bootstrap migrated to the new surface so the perf harness and the integration runner both validate against the same contract. Adds 4 fail-fast unit tests (missing/empty issuer + audience), 2 negative integration scenarios (WrongIssuer_Returns401, WrongAudience_Returns401), and re-tags every existing integration mint site via MintAuthenticated. Compose, .env.example, run-tests.sh, run-performance-tests.sh all load + export JWT_ISSUER + JWT_AUDIENCE alongside JWT_SECRET. Resolves F-AUTH-2 (security_report.md + owasp_review.md). AC-7 (cross-repo suite/_docs/10_auth.md write) deferred — outside this workspace; tracked in deploy_cycle2.md R3 follow-up. Co-authored-by: Cursor <cursoragent@cursor.com>
259 lines
9.8 KiB
C#
259 lines
9.8 KiB
C#
using System.IdentityModel.Tokens.Jwt;
|
|
using FluentAssertions;
|
|
using Microsoft.AspNetCore.Authentication;
|
|
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
|
using Microsoft.Extensions.Configuration;
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
using Microsoft.Extensions.Options;
|
|
using Microsoft.IdentityModel.Tokens;
|
|
using SatelliteProvider.Api.Authentication;
|
|
using SatelliteProvider.TestSupport;
|
|
using AuthExtensions = SatelliteProvider.Api.Authentication.AuthenticationServiceCollectionExtensions;
|
|
|
|
namespace SatelliteProvider.Tests.Authentication;
|
|
|
|
public class AuthenticationServiceCollectionExtensionsTests : IDisposable
|
|
{
|
|
private const string ValidSecret = "test-secret-that-is-definitely-longer-than-32-bytes";
|
|
private const string ValidIssuer = "https://test-issuer.example/";
|
|
private const string ValidAudience = "satellite-provider-tests";
|
|
private readonly string? _originalSecret;
|
|
private readonly string? _originalIssuer;
|
|
private readonly string? _originalAudience;
|
|
|
|
public AuthenticationServiceCollectionExtensionsTests()
|
|
{
|
|
_originalSecret = Environment.GetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar);
|
|
_originalIssuer = Environment.GetEnvironmentVariable(AuthExtensions.JwtIssuerEnvVar);
|
|
_originalAudience = Environment.GetEnvironmentVariable(AuthExtensions.JwtAudienceEnvVar);
|
|
Environment.SetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar, null);
|
|
Environment.SetEnvironmentVariable(AuthExtensions.JwtIssuerEnvVar, null);
|
|
Environment.SetEnvironmentVariable(AuthExtensions.JwtAudienceEnvVar, null);
|
|
}
|
|
|
|
public void Dispose()
|
|
{
|
|
Environment.SetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar, _originalSecret);
|
|
Environment.SetEnvironmentVariable(AuthExtensions.JwtIssuerEnvVar, _originalIssuer);
|
|
Environment.SetEnvironmentVariable(AuthExtensions.JwtAudienceEnvVar, _originalAudience);
|
|
GC.SuppressFinalize(this);
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_RegistersJwtBearerScheme()
|
|
{
|
|
// Arrange
|
|
var services = new ServiceCollection();
|
|
services.AddLogging();
|
|
var configuration = BuildValidConfiguration();
|
|
|
|
// Act
|
|
services.AddSatelliteJwt(configuration);
|
|
var provider = services.BuildServiceProvider();
|
|
var schemeProvider = provider.GetRequiredService<IAuthenticationSchemeProvider>();
|
|
var scheme = schemeProvider.GetSchemeAsync(JwtBearerDefaults.AuthenticationScheme).GetAwaiter().GetResult();
|
|
|
|
// Assert
|
|
scheme.Should().NotBeNull("JwtBearer scheme should be registered");
|
|
scheme!.HandlerType.Should().Be(typeof(JwtBearerHandler));
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_ConfiguresTokenValidationParameters_AsPerContract()
|
|
{
|
|
// Arrange
|
|
var services = new ServiceCollection();
|
|
services.AddLogging();
|
|
var configuration = BuildValidConfiguration();
|
|
|
|
// Act
|
|
services.AddSatelliteJwt(configuration);
|
|
var provider = services.BuildServiceProvider();
|
|
var options = provider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>().Get(JwtBearerDefaults.AuthenticationScheme);
|
|
|
|
// Assert
|
|
var p = options.TokenValidationParameters;
|
|
p.ValidateIssuerSigningKey.Should().BeTrue();
|
|
p.ValidateLifetime.Should().BeTrue();
|
|
p.ValidateIssuer.Should().BeTrue("AZ-494 flipped issuer validation on");
|
|
p.ValidIssuer.Should().Be(ValidIssuer);
|
|
p.ValidateAudience.Should().BeTrue("AZ-494 flipped audience validation on");
|
|
p.ValidAudience.Should().Be(ValidAudience);
|
|
p.RequireSignedTokens.Should().BeTrue();
|
|
p.RequireExpirationTime.Should().BeTrue();
|
|
p.ClockSkew.Should().Be(TimeSpan.FromSeconds(30));
|
|
p.IssuerSigningKey.Should().BeOfType<SymmetricSecurityKey>();
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_ThrowsOnMissingSecret()
|
|
{
|
|
// Arrange
|
|
var services = new ServiceCollection();
|
|
var configuration = BuildConfiguration(
|
|
("Jwt:Issuer", ValidIssuer),
|
|
("Jwt:Audience", ValidAudience));
|
|
|
|
// Act
|
|
var act = () => services.AddSatelliteJwt(configuration);
|
|
|
|
// Assert
|
|
act.Should().Throw<InvalidOperationException>()
|
|
.WithMessage("*JWT secret is not configured*");
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_ThrowsOnEmptySecret()
|
|
{
|
|
// Arrange
|
|
var services = new ServiceCollection();
|
|
var configuration = BuildConfiguration(
|
|
("Jwt:Secret", ""),
|
|
("Jwt:Issuer", ValidIssuer),
|
|
("Jwt:Audience", ValidAudience));
|
|
|
|
// Act
|
|
var act = () => services.AddSatelliteJwt(configuration);
|
|
|
|
// Assert
|
|
act.Should().Throw<InvalidOperationException>()
|
|
.WithMessage("*JWT secret is not configured*");
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_ThrowsOnShortSecret()
|
|
{
|
|
// Arrange
|
|
var services = new ServiceCollection();
|
|
var configuration = BuildConfiguration(
|
|
("Jwt:Secret", "too-short-secret"),
|
|
("Jwt:Issuer", ValidIssuer),
|
|
("Jwt:Audience", ValidAudience));
|
|
|
|
// Act
|
|
var act = () => services.AddSatelliteJwt(configuration);
|
|
|
|
// Assert
|
|
act.Should().Throw<InvalidOperationException>()
|
|
.WithMessage("*at least 32 bytes*");
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_ThrowsOnMissingIssuer()
|
|
{
|
|
// Arrange — AZ-494 AC-4: fail-fast on missing issuer.
|
|
var services = new ServiceCollection();
|
|
var configuration = BuildConfiguration(
|
|
("Jwt:Secret", ValidSecret),
|
|
("Jwt:Audience", ValidAudience));
|
|
|
|
// Act
|
|
var act = () => services.AddSatelliteJwt(configuration);
|
|
|
|
// Assert
|
|
act.Should().Throw<InvalidOperationException>()
|
|
.WithMessage("*JWT issuer is not configured*")
|
|
.Where(ex => ex.Message.Contains(AuthExtensions.JwtIssuerEnvVar));
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_ThrowsOnEmptyIssuer()
|
|
{
|
|
// Arrange
|
|
var services = new ServiceCollection();
|
|
var configuration = BuildConfiguration(
|
|
("Jwt:Secret", ValidSecret),
|
|
("Jwt:Issuer", " "),
|
|
("Jwt:Audience", ValidAudience));
|
|
|
|
// Act
|
|
var act = () => services.AddSatelliteJwt(configuration);
|
|
|
|
// Assert
|
|
act.Should().Throw<InvalidOperationException>()
|
|
.WithMessage("*JWT issuer is not configured*");
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_ThrowsOnMissingAudience()
|
|
{
|
|
// Arrange — AZ-494 AC-4: fail-fast on missing audience.
|
|
var services = new ServiceCollection();
|
|
var configuration = BuildConfiguration(
|
|
("Jwt:Secret", ValidSecret),
|
|
("Jwt:Issuer", ValidIssuer));
|
|
|
|
// Act
|
|
var act = () => services.AddSatelliteJwt(configuration);
|
|
|
|
// Assert
|
|
act.Should().Throw<InvalidOperationException>()
|
|
.WithMessage("*JWT audience is not configured*")
|
|
.Where(ex => ex.Message.Contains(AuthExtensions.JwtAudienceEnvVar));
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_ThrowsOnEmptyAudience()
|
|
{
|
|
// Arrange
|
|
var services = new ServiceCollection();
|
|
var configuration = BuildConfiguration(
|
|
("Jwt:Secret", ValidSecret),
|
|
("Jwt:Issuer", ValidIssuer),
|
|
("Jwt:Audience", ""));
|
|
|
|
// Act
|
|
var act = () => services.AddSatelliteJwt(configuration);
|
|
|
|
// Assert
|
|
act.Should().Throw<InvalidOperationException>()
|
|
.WithMessage("*JWT audience is not configured*");
|
|
}
|
|
|
|
[Fact]
|
|
public void AddSatelliteJwt_PrefersEnvironmentVariableOverConfiguration()
|
|
{
|
|
// Arrange
|
|
const string envSecret = "env-secret-also-longer-than-thirty-two-bytes-for-hmac";
|
|
const string envIssuer = "https://env-issuer.example/";
|
|
const string envAudience = "env-audience";
|
|
Environment.SetEnvironmentVariable(AuthExtensions.JwtSecretEnvVar, envSecret);
|
|
Environment.SetEnvironmentVariable(AuthExtensions.JwtIssuerEnvVar, envIssuer);
|
|
Environment.SetEnvironmentVariable(AuthExtensions.JwtAudienceEnvVar, envAudience);
|
|
var services = new ServiceCollection();
|
|
services.AddLogging();
|
|
var configuration = BuildConfiguration(
|
|
("Jwt:Secret", "config-secret-also-32-bytes-long-aaaaaaaaaa"),
|
|
("Jwt:Issuer", "https://config-issuer.example/"),
|
|
("Jwt:Audience", "config-audience"));
|
|
|
|
// Act
|
|
services.AddSatelliteJwt(configuration);
|
|
var provider = services.BuildServiceProvider();
|
|
var options = provider.GetRequiredService<IOptionsMonitor<JwtBearerOptions>>().Get(JwtBearerDefaults.AuthenticationScheme);
|
|
var token = JwtTokenFactory.Create(envSecret, issuer: envIssuer, audience: envAudience);
|
|
var handler = new JwtSecurityTokenHandler();
|
|
var act = () => handler.ValidateToken(token, options.TokenValidationParameters, out _);
|
|
|
|
// Assert
|
|
act.Should().NotThrow("token signed with env secret + minted with env iss/aud must validate when env precedence applies");
|
|
options.TokenValidationParameters.ValidIssuer.Should().Be(envIssuer);
|
|
options.TokenValidationParameters.ValidAudience.Should().Be(envAudience);
|
|
}
|
|
|
|
private static IConfiguration BuildValidConfiguration() => BuildConfiguration(
|
|
("Jwt:Secret", ValidSecret),
|
|
("Jwt:Issuer", ValidIssuer),
|
|
("Jwt:Audience", ValidAudience));
|
|
|
|
private static IConfiguration BuildConfiguration(params (string Key, string Value)[] pairs)
|
|
{
|
|
var builder = new ConfigurationBuilder();
|
|
if (pairs.Length > 0)
|
|
{
|
|
builder.AddInMemoryCollection(pairs.Select(p => new KeyValuePair<string, string?>(p.Key, p.Value)));
|
|
}
|
|
return builder.Build();
|
|
}
|
|
}
|