dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

test(security): DL-3 review nits — assert OnValidatePrincipal on prod path + warning/doc polish

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-16 08:52:28 -04:00
parent e89604298d
commit 75919cec31
3 changed files with 36 additions and 2 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/ZB.MOM.WW.ScadaBridge.Security/Auth/AuthDisableLoginOptions.cs
+9 -1
View File
@@ -8,7 +8,15 @@ namespace ZB.MOM.WW.ScadaBridge.Security.Auth;
/// </summary> /// </summary>
public sealed class AuthDisableLoginOptions public sealed class AuthDisableLoginOptions
{ {
/// <summary>Configuration section name (<c>ScadaBridge:Security:Auth</c>).</summary> /// <summary>
/// Configuration section name (<c>ScadaBridge:Security:Auth</c>).
/// This is a CHILD sub-section of <c>ScadaBridge:Security</c> (where
/// <see cref="SecurityOptions"/> binds the parent fields) — not a sibling.
/// In appsettings.json nest it under the existing <c>Security</c> object:
/// <code>
/// "ScadaBridge": { "Security": { "Auth": { "DisableLogin": true } } }
/// </code>
/// </summary>
public const string SectionName = "ScadaBridge:Security:Auth"; public const string SectionName = "ScadaBridge:Security:Auth";
/// <summary>When true, disable login and auto-authenticate every request. Default false.</summary> /// <summary>When true, disable login and auto-authenticate every request. Default false.</summary>
tests/ZB.MOM.WW.ScadaBridge.Security.Tests/DisableLoginRegistrationTests.cs
+26
View File
@@ -32,4 +32,30 @@ public class DisableLoginRegistrationTests
var scheme = await ResolveCookieSchemeAsync(disableLogin: false); var scheme = await ResolveCookieSchemeAsync(disableLogin: false);
Assert.Equal(typeof(CookieAuthenticationHandler), scheme!.HandlerType); Assert.Equal(typeof(CookieAuthenticationHandler), scheme!.HandlerType);
} }
/// <summary>
/// When <c>disableLogin: false</c> (the production path) the M2.19 idle-timeout /
/// role-refresh hook MUST be wired on the cookie scheme's
/// <see cref="Microsoft.AspNetCore.Authentication.Cookies.CookieAuthenticationEvents.OnValidatePrincipal"/>.
/// This pin-test ensures a future refactor cannot silently drop the hook without
/// a red test.
/// </summary>
[Fact]
public async Task FlagFalse_CookieScheme_OnValidatePrincipalIsWired()
{
var services = new ServiceCollection();
services.AddLogging();
// Provide default SecurityOptions so the PostConfigure that reads
// IOptions<SecurityOptions> (cookie-hardening + name) can resolve successfully.
services.Configure<SecurityOptions>(_ => { });
services.AddSecurity(disableLogin: false);
await using var sp = services.BuildServiceProvider();
var options = sp
.GetRequiredService<Microsoft.Extensions.Options.IOptionsMonitor<CookieAuthenticationOptions>>()
.Get(CookieAuthenticationDefaults.AuthenticationScheme);
Assert.NotNull(options.Events?.OnValidatePrincipal);
}
} }