dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
b104760b3af2c36b4d01848c16083c830d533575
ScadaBridge/tests/ZB.MOM.WW.ScadaBridge.NotificationService.Tests/CredentialRedactorTests.cs
T
Joseph Doherty 7b0b9c7365 refactor: rename ScadaLink → ZB.MOM.WW.ScadaBridge (code + projects + namespaces) 
Solution + 23 src projects + 26 test projects renamed; folders, csproj,
namespaces, and ScadaLinkDbContext/ScadaBridgeDbContext class updated.
ActorSystem "scadalink" → "scadabridge", Akka seed-node URLs migrated.
SQL roles/logins, LDAP domains, CLI command name, and CLI config dir
(~/.scadalink → ~/.scadabridge) also renamed.

Build green; 5 Host.Tests fail awaiting SQL login rename in next commit.
Pre-existing StaleTagMonitor timing flakes unchanged.

Rename script committed at tools/rename-to-scadabridge.sh.
2026-05-28 09:37:45 -04:00

77 lines
2.8 KiB
C#
Raw Blame History

namespace ZB.MOM.WW.ScadaBridge.NotificationService.Tests;
/// <summary>
/// NS-009: Tests for scrubbing SMTP credential secrets out of log/result text.
/// </summary>
public class CredentialRedactorTests
{
[Fact]
public void Scrub_BasicAuthPassword_IsMasked()
{
// Password 'Hunter2pass!word' is 16 chars (>= MinSecretLength=12) and
// therefore qualifies as a redactable secret-shaped trailing component.
var text = "535 5.7.8 Authentication failed for user 'svc' with password 'Hunter2pass!word'";
var result = CredentialRedactor.Scrub(text, "svc:Hunter2pass!word");
Assert.DoesNotContain("Hunter2pass!word", result);
Assert.DoesNotContain("svc:Hunter2pass!word", result);
}
[Fact]
public void Scrub_OAuth2ClientSecret_IsMasked()
{
var text = "Token request failed: client_secret=Sup3rSecretValue rejected by tenant";
var result = CredentialRedactor.Scrub(text, "tenant-guid:client-guid:Sup3rSecretValue");
Assert.DoesNotContain("Sup3rSecretValue", result);
}
[Fact]
public void Scrub_NullCredentials_ReturnsTextUnchanged()
{
Assert.Equal("plain text", CredentialRedactor.Scrub("plain text", null));
}
[Fact]
public void Scrub_NullText_ReturnsEmpty()
{
Assert.Equal(string.Empty, CredentialRedactor.Scrub(null, "user:pass"));
}
// --- NS-025: don't over-mask short non-secret components ---
[Fact]
public void Scrub_ShortUserName_IsNotMaskedOutsidePackedString()
{
// 'root' is the Basic Auth user name — short, common, and absolutely
// not a secret. It must NOT be masked when it appears in unrelated
// diagnostic text like a file path.
var text = "Config file at /root/.config/scada.conf was not found.";
var result = CredentialRedactor.Scrub(text, "root:hunter2longenoughpwd");
Assert.Contains("/root/.config", result);
}
[Fact]
public void Scrub_TenantId_IsNotMaskedOutsidePackedString()
{
// The tenant id is not secret — only the client secret is. A tenant id
// appearing in unrelated text (e.g. an error-code suffix) must survive.
var text = "Error code tnt-1234567890-abcd reported by upstream";
var result = CredentialRedactor.Scrub(text, "tnt-1234567890-abcd:cli-guid:RealClientSecretLongEnough");
Assert.Contains("tnt-1234567890-abcd", result);
}
[Fact]
public void Scrub_FullPackedCredential_IsAlwaysMaskedRegardlessOfLength()
{
// Even a short packed string must be masked when it appears verbatim —
// that exact appearance can only come from the credential itself.
var text = "Auth bundle was rejected: u:p";
var result = CredentialRedactor.Scrub(text, "u:p");
Assert.DoesNotContain("u:p", result);
}
}
Reference in New Issue View Git Blame Copy Permalink