Joseph Doherty
819f1b4665
Each finding is a focused validation guard or upper bound at a trust boundary.
Highlights:
- Commons-015: EncryptionMetadata ctor now validates Algorithm (AES-256-GCM
only), Kdf (PBKDF2-SHA256 only), Iterations ([100k, 10M]), non-null Salt/IV.
- Transport-004: new BundleUnlockRateLimiter (sliding-window, per-key,
singleton) wired into BundleImporter.LoadAsync; over-budget callers see
BundleUnlockRateLimitedException. Per-bundle 3-strike + per-window cap.
- ESG-022: ExternalSystemClient.InvokeHttpAsync allow-lists the documented
GET/POST/PUT/PATCH/DELETE set (case-insensitive); unknown verbs throw.
- SEL-015: SiteEventLogger queue now bounded (10k cap, DropOldest); dropped
events fault their Task and increment FailedWriteCount so the drop is
observable instead of an unbounded memory growth.
- SEL-017: EventLogQueryService clamps caller-supplied PageSize to a new
MaxQueryPageSize cap (default 500) so int.MaxValue can't OOM the host.
- SEL-020: LogEventAsync rejects severities outside {Info, Warning, Error}
(matches SQLite BINARY-collation query filter).
- InboundAPI-020: ContentType "json" check now case-insensitive
(application/JSON no longer slips through as not-json).
- InboundAPI-024: _knownBadMethods capped at 1000 entries (drops new entries
once full); per-request DB lookup remains the correctness path.
- SR-025: HandleSetStaticAttribute validates the attribute name against the
deployed config; unknown names now return Success=false instead of
leaking orphan override rows into the SQLite store.
- TE-021: MoveTemplateAsync runs the sibling-name-collision check at the
destination, mirroring TemplateFolderService.MoveFolderAsync.
- TE-022: LockEnforcer's once-locked-stays-locked rule now also covers
LockedInDerived (was previously only IsLocked).
New regression tests across 8 test projects (EncryptionMetadata, rate
limiter, ESG client allow-list, SEL bounded channel / PageSize clamp /
severity validation, InboundAPI ContentType + bad-methods cap, SiteRT
unknown-attribute, TemplateEngine MoveTemplate + LockedInDerived).
Build clean; affected suites all green. README regenerated: 93 open (was 104).
Note: a separate manual re-run was needed for the SiteEventLogging hunk
because its initial subagent's source edits never landed on disk despite
reporting success (file-collision-style failure mode).
130 lines
5.4 KiB
C#
130 lines
5.4 KiB
C#
using System.IO.Compression;
|
|
using System.Security.Cryptography;
|
|
using ScadaLink.Commons.Types.Transport;
|
|
using ScadaLink.Transport.Encryption;
|
|
using ScadaLink.Transport.Serialization;
|
|
|
|
namespace ScadaLink.Transport.Tests.Serialization;
|
|
|
|
public sealed class BundleSerializerTests
|
|
{
|
|
// Commons-015 sets the documented PBKDF2 floor to 100_000 (OWASP minimum).
|
|
// Using the floor keeps the suite fast while passing EncryptionMetadata
|
|
// validation.
|
|
private const int TestIterations = EncryptionMetadata.MinPbkdf2Iterations;
|
|
|
|
private static BundleContentDto SampleContent() => new(
|
|
TemplateFolders: new[] { new TemplateFolderDto("Root", ParentName: null, SortOrder: 0) },
|
|
Templates: Array.Empty<TemplateDto>(),
|
|
SharedScripts: new[] { new SharedScriptDto("util", "return 42;", ParameterDefinitions: null, ReturnDefinition: null) },
|
|
ExternalSystems: Array.Empty<ExternalSystemDto>(),
|
|
DatabaseConnections: Array.Empty<DatabaseConnectionDto>(),
|
|
NotificationLists: Array.Empty<NotificationListDto>(),
|
|
SmtpConfigs: Array.Empty<SmtpConfigDto>(),
|
|
ApiKeys: Array.Empty<ApiKeyDto>(),
|
|
ApiMethods: Array.Empty<ApiMethodDto>());
|
|
|
|
private static BundleManifest BuildManifestFor(byte[] contentBytes, EncryptionMetadata? encryption = null) =>
|
|
new ManifestBuilder().Build(
|
|
sourceEnvironment: "test-env",
|
|
exportedBy: "tester",
|
|
scadaLinkVersion: "1.0.0",
|
|
encryption: encryption,
|
|
summary: new BundleSummary(0, 1, 1, 0, 0, 0, 0, 0, 0),
|
|
contents: Array.Empty<ManifestContentEntry>(),
|
|
contentBytes: contentBytes);
|
|
|
|
[Fact]
|
|
public void Pack_emits_manifest_and_content_json_when_no_passphrase()
|
|
{
|
|
var sut = new BundleSerializer();
|
|
var content = SampleContent();
|
|
var contentJson = sut.SerializeContentBytes(content);
|
|
var manifest = BuildManifestFor(contentJson);
|
|
|
|
using var stream = sut.Pack(content, manifest, passphrase: null, encryptor: null);
|
|
|
|
using var archive = new ZipArchive(stream, ZipArchiveMode.Read, leaveOpen: true);
|
|
Assert.NotNull(archive.GetEntry("manifest.json"));
|
|
Assert.NotNull(archive.GetEntry("content.json"));
|
|
Assert.Null(archive.GetEntry("content.enc"));
|
|
}
|
|
|
|
[Fact]
|
|
public void Pack_emits_manifest_and_content_enc_when_passphrase_supplied()
|
|
{
|
|
var sut = new BundleSerializer();
|
|
var encryptor = new BundleSecretEncryptor();
|
|
var content = SampleContent();
|
|
var contentJson = sut.SerializeContentBytes(content);
|
|
var (cipher, meta) = encryptor.Encrypt(contentJson, "pass", TestIterations);
|
|
var manifest = BuildManifestFor(cipher, encryption: meta);
|
|
|
|
using var stream = sut.Pack(content, manifest, passphrase: "pass", encryptor: encryptor);
|
|
|
|
using var archive = new ZipArchive(stream, ZipArchiveMode.Read, leaveOpen: true);
|
|
Assert.NotNull(archive.GetEntry("manifest.json"));
|
|
Assert.Null(archive.GetEntry("content.json"));
|
|
Assert.NotNull(archive.GetEntry("content.enc"));
|
|
}
|
|
|
|
[Fact]
|
|
public void Roundtrip_through_temp_stream_recovers_identical_content()
|
|
{
|
|
var sut = new BundleSerializer();
|
|
var content = SampleContent();
|
|
var contentJson = sut.SerializeContentBytes(content);
|
|
var manifest = BuildManifestFor(contentJson);
|
|
|
|
using var stream = sut.Pack(content, manifest, passphrase: null, encryptor: null);
|
|
|
|
stream.Position = 0;
|
|
var readManifest = sut.ReadManifest(stream);
|
|
stream.Position = 0;
|
|
var contentBytes = sut.ReadContentBytes(stream, readManifest);
|
|
var unpacked = sut.UnpackContent(contentBytes, readManifest, passphrase: null, encryptor: null);
|
|
|
|
Assert.Equal(manifest.ContentHash, readManifest.ContentHash);
|
|
Assert.Single(unpacked.TemplateFolders);
|
|
Assert.Equal("Root", unpacked.TemplateFolders[0].Name);
|
|
var shared = Assert.Single(unpacked.SharedScripts);
|
|
Assert.Equal("util", shared.Name);
|
|
Assert.Equal("return 42;", shared.Code);
|
|
}
|
|
|
|
[Fact]
|
|
public void ReadManifest_throws_when_zip_missing_manifest_json()
|
|
{
|
|
var sut = new BundleSerializer();
|
|
using var ms = new MemoryStream();
|
|
using (var archive = new ZipArchive(ms, ZipArchiveMode.Create, leaveOpen: true))
|
|
{
|
|
var entry = archive.CreateEntry("garbage.txt");
|
|
using var es = entry.Open();
|
|
es.Write(new byte[] { 1, 2, 3 });
|
|
}
|
|
ms.Position = 0;
|
|
|
|
Assert.Throws<InvalidDataException>(() => sut.ReadManifest(ms));
|
|
}
|
|
|
|
[Fact]
|
|
public void UnpackContent_throws_CryptographicException_on_wrong_passphrase()
|
|
{
|
|
var sut = new BundleSerializer();
|
|
var encryptor = new BundleSecretEncryptor();
|
|
var content = SampleContent();
|
|
var contentJson = sut.SerializeContentBytes(content);
|
|
var (cipher, meta) = encryptor.Encrypt(contentJson, "right", TestIterations);
|
|
var manifest = BuildManifestFor(cipher, encryption: meta);
|
|
|
|
using var stream = sut.Pack(content, manifest, passphrase: "right", encryptor: encryptor);
|
|
stream.Position = 0;
|
|
var readManifest = sut.ReadManifest(stream);
|
|
stream.Position = 0;
|
|
var contentBytes = sut.ReadContentBytes(stream, readManifest);
|
|
|
|
Assert.ThrowsAny<CryptographicException>(() => sut.UnpackContent(contentBytes, readManifest, "wrong", encryptor));
|
|
}
|
|
}
|