1424a21419
Add a secret:NAME arm to GalaxySecretRef.ResolveApiKey that resolves the Galaxy gateway API key through the shared ISecretResolver — fail-closed if the secret is absent (never falls through to the cleartext literal arm), retiring the dev:/literal in-DB path for production. Because GetAsync is async the method becomes ResolveApiKeyAsync; the await cascade threads ISecretResolver by ctor injection into GalaxyDriver + GalaxyDriverBrowser and (since GalaxyDriver is built by a static factory closure, not DI) through GalaxyDriverFactoryExtensions + DriverFactoryBootstrap (which pulls the real resolver from the service provider — registered unconditionally in Slice 1). A NullSecretResolver null-object backs the parse-only/test paths only; the runtime path always gets the real resolver (verified end-to-end). TDD: 3 new secret:-arm tests (resolve / fail-closed-on-absent / no-literal-warning) RED without the arm, GREEN with it; 338 Galaxy tests pass; no sync-over-async.
232 lines
9.6 KiB
C#
232 lines
9.6 KiB
C#
using Microsoft.Extensions.Logging;
|
|
using Shouldly;
|
|
using Xunit;
|
|
using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Config;
|
|
using ZB.MOM.WW.Secrets.Abstractions;
|
|
|
|
namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Tests;
|
|
|
|
/// <summary>
|
|
/// Follow-up #2 + G-2a — pins the five resolution forms supported by
|
|
/// <see cref="GalaxySecretRef.ResolveApiKeyAsync"/>: <c>env:NAME</c>, <c>file:PATH</c>,
|
|
/// <c>dev:KEY</c>, <c>secret:NAME</c> (via the shared <see cref="ISecretResolver"/>), and
|
|
/// the literal-string fallback. The <c>secret:</c> arm is fail-closed — an absent secret
|
|
/// throws rather than leaking the ref string as the key. (The resolver was extracted from
|
|
/// <c>GalaxyDriver</c> to the shared <c>GalaxySecretRef</c> in Driver.Galaxy.Contracts so the
|
|
/// runtime driver and the AdminUI browser share one copy.)
|
|
/// </summary>
|
|
public sealed class GalaxyDriverApiKeyResolverTests
|
|
{
|
|
/// <summary>Name the fake resolver knows; matches the SecretName-normalized form.</summary>
|
|
private const string KnownSecretName = "galaxy/inst1/apikey";
|
|
|
|
/// <summary>The value the fake resolver returns for <see cref="KnownSecretName"/>.</summary>
|
|
private const string KnownSecretValue = "key-from-secret-store";
|
|
|
|
/// <summary>A fake resolver: returns a known value for one known name, null otherwise.</summary>
|
|
private static ISecretResolver FakeResolver() => new StubSecretResolver();
|
|
|
|
/// <summary>Verifies that a literal string is returned unchanged.</summary>
|
|
[Fact]
|
|
public async Task Literal_string_is_returned_unchanged()
|
|
{
|
|
(await GalaxySecretRef.ResolveApiKeyAsync("plain-text-key", FakeResolver()))
|
|
.ShouldBe("plain-text-key");
|
|
}
|
|
|
|
/// <summary>Verifies that env: prefix resolves to an environment variable.</summary>
|
|
[Fact]
|
|
public async Task Env_prefix_resolves_to_environment_variable()
|
|
{
|
|
const string name = "OTOPCUA_TEST_GALAXY_API_KEY";
|
|
Environment.SetEnvironmentVariable(name, "key-from-env");
|
|
try
|
|
{
|
|
(await GalaxySecretRef.ResolveApiKeyAsync($"env:{name}", FakeResolver()))
|
|
.ShouldBe("key-from-env");
|
|
}
|
|
finally
|
|
{
|
|
Environment.SetEnvironmentVariable(name, null);
|
|
}
|
|
}
|
|
|
|
/// <summary>Verifies that unset environment variables throw with a descriptive message.</summary>
|
|
[Fact]
|
|
public async Task Env_prefix_unset_variable_throws_with_descriptive_message()
|
|
{
|
|
const string name = "OTOPCUA_TEST_GALAXY_API_KEY_UNSET";
|
|
Environment.SetEnvironmentVariable(name, null);
|
|
|
|
var ex = await Should.ThrowAsync<InvalidOperationException>(() =>
|
|
GalaxySecretRef.ResolveApiKeyAsync($"env:{name}", FakeResolver()));
|
|
ex.Message.ShouldContain(name);
|
|
ex.Message.ShouldContain("unset");
|
|
}
|
|
|
|
/// <summary>Verifies that file: prefix resolves to trimmed file contents.</summary>
|
|
[Fact]
|
|
public async Task File_prefix_resolves_to_trimmed_file_contents()
|
|
{
|
|
var path = Path.Combine(Path.GetTempPath(), $"galaxy-key-{Guid.NewGuid():N}.txt");
|
|
File.WriteAllText(path, " key-from-file \n");
|
|
try
|
|
{
|
|
(await GalaxySecretRef.ResolveApiKeyAsync($"file:{path}", FakeResolver()))
|
|
.ShouldBe("key-from-file");
|
|
}
|
|
finally
|
|
{
|
|
File.Delete(path);
|
|
}
|
|
}
|
|
|
|
/// <summary>Verifies that file: prefix with missing path throws.</summary>
|
|
[Fact]
|
|
public async Task File_prefix_missing_path_throws()
|
|
{
|
|
var path = Path.Combine(Path.GetTempPath(), $"does-not-exist-{Guid.NewGuid():N}.txt");
|
|
var ex = await Should.ThrowAsync<InvalidOperationException>(() =>
|
|
GalaxySecretRef.ResolveApiKeyAsync($"file:{path}", FakeResolver()));
|
|
ex.Message.ShouldContain(path);
|
|
ex.Message.ShouldContain("doesn't exist");
|
|
}
|
|
|
|
// ===== G-2a: secret: arm — resolves through the shared ISecretResolver, fail-closed =====
|
|
|
|
/// <summary>Verifies that secret: prefix resolves through the ISecretResolver.</summary>
|
|
[Fact]
|
|
public async Task Secret_prefix_resolves_through_secret_resolver()
|
|
{
|
|
(await GalaxySecretRef.ResolveApiKeyAsync($"secret:{KnownSecretName}", FakeResolver()))
|
|
.ShouldBe(KnownSecretValue);
|
|
}
|
|
|
|
/// <summary>Verifies that an absent secret throws (fail-closed) and does NOT leak the ref string.</summary>
|
|
[Fact]
|
|
public async Task Secret_prefix_absent_secret_throws_fail_closed()
|
|
{
|
|
const string missingRef = "secret:galaxy/missing/apikey";
|
|
|
|
var ex = await Should.ThrowAsync<InvalidOperationException>(() =>
|
|
GalaxySecretRef.ResolveApiKeyAsync(missingRef, FakeResolver()));
|
|
|
|
// Fail-closed: must throw, must reference the secret + "absent"/"fail-closed", and
|
|
// must NOT return the ref string as the key.
|
|
ex.Message.ShouldContain("galaxy/missing/apikey");
|
|
ex.Message.ShouldContain("absent");
|
|
}
|
|
|
|
/// <summary>Verifies that the secret: arm does not consult the logger's literal warning.</summary>
|
|
[Fact]
|
|
public async Task Secret_prefix_does_not_emit_literal_warning()
|
|
{
|
|
var logger = new CaptureLogger();
|
|
await GalaxySecretRef.ResolveApiKeyAsync($"secret:{KnownSecretName}", FakeResolver(), logger);
|
|
logger.Entries.ShouldNotContain(e => e.Level == LogLevel.Warning);
|
|
}
|
|
|
|
// ===== Driver.Galaxy-010 regression: literal arm warns + dev: prefix path =====
|
|
|
|
/// <summary>Verifies that literal strings emit a warning when a logger is supplied.</summary>
|
|
[Fact]
|
|
public async Task Literal_string_emits_warning_when_logger_supplied()
|
|
{
|
|
// A literal API key on a production deployment means the cleartext key sits
|
|
// in the DriverConfig JSON. The resolver must surface a warning so an
|
|
// operator who committed one by accident sees it at startup.
|
|
var logger = new CaptureLogger();
|
|
var key = await GalaxySecretRef.ResolveApiKeyAsync("plain-text-key", FakeResolver(), logger);
|
|
|
|
key.ShouldBe("plain-text-key");
|
|
logger.Entries.ShouldContain(e =>
|
|
e.Level == LogLevel.Warning && e.Message.Contains("literal", StringComparison.OrdinalIgnoreCase));
|
|
}
|
|
|
|
/// <summary>Verifies that dev: prefix returns literal text without emitting warnings.</summary>
|
|
[Fact]
|
|
public async Task Dev_prefix_returns_literal_without_warning()
|
|
{
|
|
// An explicit dev: prefix signals the operator knowingly opted into a literal
|
|
// key (dev / parity rig). The resolver must accept it AND suppress the
|
|
// warning so production logs aren't polluted on a deliberate dev choice.
|
|
var logger = new CaptureLogger();
|
|
var key = await GalaxySecretRef.ResolveApiKeyAsync("dev:plain-text-key", FakeResolver(), logger);
|
|
|
|
key.ShouldBe("plain-text-key");
|
|
logger.Entries.ShouldNotContain(e => e.Level == LogLevel.Warning);
|
|
}
|
|
|
|
/// <summary>Verifies that env: prefix does not emit literal string warnings.</summary>
|
|
[Fact]
|
|
public async Task Env_prefix_does_not_emit_literal_warning()
|
|
{
|
|
const string name = "OTOPCUA_TEST_GALAXY_API_KEY_NOWARN";
|
|
Environment.SetEnvironmentVariable(name, "v");
|
|
try
|
|
{
|
|
var logger = new CaptureLogger();
|
|
await GalaxySecretRef.ResolveApiKeyAsync($"env:{name}", FakeResolver(), logger);
|
|
logger.Entries.ShouldNotContain(e => e.Level == LogLevel.Warning);
|
|
}
|
|
finally
|
|
{
|
|
Environment.SetEnvironmentVariable(name, null);
|
|
}
|
|
}
|
|
|
|
/// <summary>Verifies that a null resolver is rejected (ArgumentNullException).</summary>
|
|
[Fact]
|
|
public async Task Null_resolver_throws()
|
|
{
|
|
await Should.ThrowAsync<ArgumentNullException>(() =>
|
|
GalaxySecretRef.ResolveApiKeyAsync("plain-text-key", resolver: null!));
|
|
}
|
|
|
|
/// <summary>A test logger that captures log entries for verification.</summary>
|
|
private sealed class CaptureLogger : ILogger
|
|
{
|
|
/// <summary>Gets the list of captured log entries with their levels and messages.</summary>
|
|
public List<(LogLevel Level, string Message)> Entries { get; } = new();
|
|
|
|
/// <inheritdoc />
|
|
public IDisposable? BeginScope<TState>(TState state) where TState : notnull => null;
|
|
|
|
/// <inheritdoc />
|
|
public bool IsEnabled(LogLevel logLevel) => true;
|
|
|
|
/// <inheritdoc />
|
|
public void Log<TState>(LogLevel logLevel, EventId eventId, TState state, Exception? exception, Func<TState, Exception?, string> formatter)
|
|
=> Entries.Add((logLevel, formatter(state, exception)));
|
|
}
|
|
|
|
/// <summary>A fake ISecretResolver returning one known value; null for every other name.</summary>
|
|
private sealed class StubSecretResolver : ISecretResolver
|
|
{
|
|
/// <inheritdoc />
|
|
public Task<string?> GetAsync(SecretName name, CancellationToken ct) =>
|
|
Task.FromResult<string?>(
|
|
string.Equals(name.Value, KnownSecretName, StringComparison.Ordinal)
|
|
? KnownSecretValue
|
|
: null);
|
|
}
|
|
|
|
/// <summary>Verifies that file: prefix with empty file throws.</summary>
|
|
[Fact]
|
|
public async Task File_prefix_empty_file_throws()
|
|
{
|
|
var path = Path.Combine(Path.GetTempPath(), $"galaxy-key-empty-{Guid.NewGuid():N}.txt");
|
|
File.WriteAllText(path, " \n ");
|
|
try
|
|
{
|
|
var ex = await Should.ThrowAsync<InvalidOperationException>(() =>
|
|
GalaxySecretRef.ResolveApiKeyAsync($"file:{path}", FakeResolver()));
|
|
ex.Message.ShouldContain("empty");
|
|
}
|
|
finally
|
|
{
|
|
File.Delete(path);
|
|
}
|
|
}
|
|
}
|