fix(inbound): authorize+secure Database helper, async/deadline-bound DB, wait-timeout-bound WaitForAttribute
Resolves InboundAPI-026/027/028/029 (+ newly-surfaced -030). - 026: authorize the scoped Database helper in the design doc; SQL-injection protection is parameter binding (values never concatenated); allow writes via ExecuteAsync; drop the false 'read-only' claim. Named connections only. - 027: async ADO.NET end-to-end (no .GetAwaiter().GetResult()); honour the method deadline token on ExecuteScalarAsync/ExecuteReaderAsync/ExecuteNonQueryAsync + a CommandTimeout backstop derived from the method timeout. - 028: negative-path tests (null-gateway, deadline cancellation, parameterization) + e2e Database + WaitForAttribute cases through the real endpoint. - 029: WaitForAttribute is bounded by its WAIT timeout (per-wait CTS + client-abort + explicit token), NOT the method deadline (spec §6) — a long wait may outlive the method timeout; WithRequestAborted threads the raw client-abort token separately. - 030: Central UI compile-surface mirrors (InboundScriptHost / SandboxInboundScriptHost) gained the Database member (drifted since the runtime helper was added) so the authorized async API type-checks at the design-time gate.
This commit is contained in:
Joseph Doherty
@@ -12,46 +12,51 @@ public class InboundDatabaseHelperTests
|
||||
private sealed class SqliteGateway : IDatabaseGateway
|
||||
{
|
||||
private readonly string _cs;
|
||||
public SqliteGateway(string cs) => _cs = cs;
|
||||
// InboundAPI-027 test seam: when false the open ignores the passed token, so a
|
||||
// pre-cancelled token surfaces at Execute/Read (not at open) — letting a test
|
||||
// prove the EXECUTE path honours the deadline token, not just the open.
|
||||
private readonly bool _honorTokenOnOpen;
|
||||
public SqliteGateway(string cs, bool honorTokenOnOpen = true)
|
||||
{ _cs = cs; _honorTokenOnOpen = honorTokenOnOpen; }
|
||||
public async Task<DbConnection> GetConnectionAsync(string name, CancellationToken ct = default)
|
||||
{ var c = new SqliteConnection(_cs); await c.OpenAsync(ct); return c; }
|
||||
{ var c = new SqliteConnection(_cs); await c.OpenAsync(_honorTokenOnOpen ? ct : CancellationToken.None); return c; }
|
||||
public Task<ExternalCallResult> CachedWriteAsync(string c, string s,
|
||||
IReadOnlyDictionary<string, object?>? p = null, string? o = null, CancellationToken ct = default,
|
||||
TrackedOperationId? t = null, Guid? e = null, string? src = null, Guid? pe = null)
|
||||
=> throw new NotImplementedException();
|
||||
}
|
||||
|
||||
private static SqliteGateway SeededGateway()
|
||||
private static SqliteGateway SeededGateway(bool honorTokenOnOpen = true)
|
||||
{
|
||||
var keep = new SqliteConnection("DataSource=file:movein?mode=memory&cache=shared");
|
||||
keep.Open(); // keep-alive: shared in-memory db lives until process exit
|
||||
using var cmd = keep.CreateCommand();
|
||||
cmd.CommandText = "CREATE TABLE IF NOT EXISTS Machine(Code TEXT, SAPID TEXT); DELETE FROM Machine; INSERT INTO Machine VALUES('Z28061A','131453');";
|
||||
cmd.ExecuteNonQuery();
|
||||
return new SqliteGateway("DataSource=file:movein?mode=memory&cache=shared");
|
||||
return new SqliteGateway("DataSource=file:movein?mode=memory&cache=shared", honorTokenOnOpen);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void QuerySingle_returns_first_column_with_bound_parameter()
|
||||
public async Task QuerySingleAsync_returns_first_column_with_bound_parameter()
|
||||
{
|
||||
var helper = new InboundDatabaseHelper(SeededGateway(), CancellationToken.None);
|
||||
var code = helper.QuerySingle<string>("BTDB", "SELECT Code FROM Machine WHERE SAPID=@s", new { s = "131453" });
|
||||
var code = await helper.QuerySingleAsync<string>("BTDB", "SELECT Code FROM Machine WHERE SAPID=@s", new { s = "131453" });
|
||||
Assert.Equal("Z28061A", code);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void QuerySingle_returns_default_when_no_rows()
|
||||
public async Task QuerySingleAsync_returns_default_when_no_rows()
|
||||
{
|
||||
var helper = new InboundDatabaseHelper(SeededGateway(), CancellationToken.None);
|
||||
var code = helper.QuerySingle<string>("BTDB", "SELECT Code FROM Machine WHERE SAPID=@s", new { s = "999999" });
|
||||
var code = await helper.QuerySingleAsync<string>("BTDB", "SELECT Code FROM Machine WHERE SAPID=@s", new { s = "999999" });
|
||||
Assert.Null(code);
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Query_returns_row_with_case_insensitive_keys()
|
||||
public async Task QueryAsync_returns_row_with_case_insensitive_keys()
|
||||
{
|
||||
var helper = new InboundDatabaseHelper(SeededGateway(), CancellationToken.None);
|
||||
var rows = helper.Query("BTDB", "SELECT Code, SAPID FROM Machine WHERE SAPID=@s", new { s = "131453" });
|
||||
var rows = await helper.QueryAsync("BTDB", "SELECT Code, SAPID FROM Machine WHERE SAPID=@s", new { s = "131453" });
|
||||
Assert.Single(rows);
|
||||
var row = rows[0];
|
||||
Assert.Equal("Z28061A", row["code"]);
|
||||
@@ -59,10 +64,82 @@ public class InboundDatabaseHelperTests
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public void Query_returns_empty_list_when_no_rows_match()
|
||||
public async Task QueryAsync_returns_empty_list_when_no_rows_match()
|
||||
{
|
||||
var helper = new InboundDatabaseHelper(SeededGateway(), CancellationToken.None);
|
||||
var rows = helper.Query("BTDB", "SELECT Code, SAPID FROM Machine WHERE SAPID=@s", new { s = "999999" });
|
||||
var rows = await helper.QueryAsync("BTDB", "SELECT Code, SAPID FROM Machine WHERE SAPID=@s", new { s = "999999" });
|
||||
Assert.Empty(rows);
|
||||
}
|
||||
|
||||
// --- InboundAPI-026: writes are permitted (design decision) ---
|
||||
|
||||
[Fact]
|
||||
public async Task ExecuteAsync_performs_write_and_returns_rows_affected()
|
||||
{
|
||||
var helper = new InboundDatabaseHelper(SeededGateway(), CancellationToken.None);
|
||||
var affected = await helper.ExecuteAsync(
|
||||
"BTDB", "UPDATE Machine SET Code=@c WHERE SAPID=@s", new { c = "UPDATED", s = "131453" });
|
||||
Assert.Equal(1, affected);
|
||||
|
||||
// The write actually landed (read it back through the same helper).
|
||||
var code = await helper.QuerySingleAsync<string>("BTDB", "SELECT Code FROM Machine WHERE SAPID=@s", new { s = "131453" });
|
||||
Assert.Equal("UPDATED", code);
|
||||
}
|
||||
|
||||
// --- InboundAPI-026: SQL-injection protection — values are bound, not concatenated ---
|
||||
|
||||
[Fact]
|
||||
public async Task ParameterValues_are_bound_not_concatenated()
|
||||
{
|
||||
// A classic injection payload as the parameter VALUE. If the helper concatenated
|
||||
// it, "WHERE SAPID='131453' OR '1'='1'" would match the seeded row and return
|
||||
// "Z28061A". Because the value is bound as a literal parameter, it matches no
|
||||
// SAPID and the query returns null — proving the value never altered the SQL.
|
||||
var helper = new InboundDatabaseHelper(SeededGateway(), CancellationToken.None);
|
||||
var code = await helper.QuerySingleAsync<string>(
|
||||
"BTDB", "SELECT Code FROM Machine WHERE SAPID=@s", new { s = "131453' OR '1'='1" });
|
||||
Assert.Null(code);
|
||||
}
|
||||
|
||||
// --- InboundAPI-028: negative paths ---
|
||||
|
||||
[Fact]
|
||||
public async Task QuerySingleAsync_null_gateway_throws()
|
||||
{
|
||||
var helper = new InboundDatabaseHelper(gateway: null, CancellationToken.None);
|
||||
await Assert.ThrowsAsync<InvalidOperationException>(
|
||||
() => helper.QuerySingleAsync<string>("BTDB", "SELECT 1"));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task QueryAsync_null_gateway_throws()
|
||||
{
|
||||
var helper = new InboundDatabaseHelper(gateway: null, CancellationToken.None);
|
||||
await Assert.ThrowsAsync<InvalidOperationException>(
|
||||
() => helper.QueryAsync("BTDB", "SELECT 1"));
|
||||
}
|
||||
|
||||
[Fact]
|
||||
public async Task ExecuteAsync_null_gateway_throws()
|
||||
{
|
||||
var helper = new InboundDatabaseHelper(gateway: null, CancellationToken.None);
|
||||
await Assert.ThrowsAsync<InvalidOperationException>(
|
||||
() => helper.ExecuteAsync("BTDB", "DELETE FROM Machine"));
|
||||
}
|
||||
|
||||
// --- InboundAPI-027: the method-deadline token bounds the query on the EXECUTE path ---
|
||||
|
||||
[Fact]
|
||||
public async Task QuerySingleAsync_honours_cancellation_token_on_execute()
|
||||
{
|
||||
// The gateway opens with None (so the open succeeds), but the helper forwards the
|
||||
// pre-cancelled deadline token to ExecuteScalarAsync — which must observe it. This
|
||||
// proves the fix threads the token past the connection open, where the old
|
||||
// synchronous ExecuteScalar() ignored cancellation entirely.
|
||||
using var cts = new CancellationTokenSource();
|
||||
await cts.CancelAsync();
|
||||
var helper = new InboundDatabaseHelper(SeededGateway(honorTokenOnOpen: false), cts.Token);
|
||||
await Assert.ThrowsAnyAsync<OperationCanceledException>(
|
||||
() => helper.QuerySingleAsync<string>("BTDB", "SELECT Code FROM Machine"));
|
||||
}
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user