fix(archreview): security authz+hub cluster (SEC-07/05/08/11) + validation hardening
SEC-07: add QueryActiveAlarmsRequest -> events:read scope arm; fix two tests that
constructed StreamAlarmsRequest instead of QueryActiveAlarmsRequest.
SEC-05: shorten hub-token lifetime 30m -> 5m; document that the ?access_token= query
carriage must never be request-logged.
SEC-08: gateway-side CachingApiKeyVerifier (short TTL, keyed on a hash of the presented
secret) skips the per-call store read+last_used write; CoalescingMarkApiKeyStore bounds
last_used writes to <=1/key/min; identity constraints are cached. Invalidation is wired
at the gateway admin sites (revoke/rotate/delete); short TTL backstops out-of-process CLI.
SEC-11: fixed-window rate limit on POST /auth/login + a per-peer (key-id) failure limiter
checked before VerifyAsync; new MxGateway:Security options bound + validated.
Also fixes regressions from the SEC-01/04/06 commit (c185f62) that a narrow test filter
missed (all now covered by a full-suite checkpoint):
- Rooting check is cross-platform: accepts Windows C:\/UNC forms on Unix so the shipped
appsettings path validates on the macOS dev box, still rejecting bare filenames.
- AddGatewayConfiguration TryAdds a non-production IHostEnvironment fallback so the validator
resolves in minimal test/tooling containers; the real host + apikey CLI register the actual
environment first (TryAdd no-op there).
- Test assembly defaults ASPNETCORE_ENVIRONMENT=Development (ModuleInitializer) so full-host
tests exercise wiring instead of tripping the SEC-04/06 production guards.
- GatewayOptionsTests asserts the SEC-01 CommonApplicationData-derived default (platform-correct).
archreview: SEC-07/05/08/11 (P1). Verified: NonWindows build clean; full gateway suite
747 passed / 42 failed, where all 42 are the pre-existing macOS named-pipe-harness failures
(Unix-socket path limit) and 0 are validation/regression failures.
This commit is contained in:
@@ -0,0 +1,66 @@
|
||||
using System.Net;
|
||||
using System.Threading.RateLimiting;
|
||||
using Microsoft.AspNetCore.Http;
|
||||
using ZB.MOM.WW.MxGateway.Server.Configuration;
|
||||
using ZB.MOM.WW.MxGateway.Server.Dashboard;
|
||||
|
||||
namespace ZB.MOM.WW.MxGateway.Tests.Gateway.Dashboard;
|
||||
|
||||
/// <summary>
|
||||
/// SEC-11: the <c>POST /auth/login</c> fixed-window per-IP rate limiter. Exercised through the same
|
||||
/// partition factory the production policy registers, so the test pins the real permit limit and
|
||||
/// per-IP partitioning without standing up an HTTP server.
|
||||
/// </summary>
|
||||
public sealed class DashboardLoginRateLimitTests
|
||||
{
|
||||
/// <summary>A burst beyond the permit limit from one IP has its excess attempts rejected (HTTP 429 in the pipeline).</summary>
|
||||
[Fact]
|
||||
public void LoginRateLimiter_BurstBeyondPermitLimit_RejectsExcessFromSameIp()
|
||||
{
|
||||
SecurityOptions security = new()
|
||||
{
|
||||
LoginRateLimitPermitLimit = 3,
|
||||
LoginRateLimitWindowSeconds = 60,
|
||||
};
|
||||
using PartitionedRateLimiter<HttpContext> limiter =
|
||||
DashboardEndpointRouteBuilderExtensions.CreateLoginRateLimiter(security);
|
||||
HttpContext context = ContextWithIp("10.0.0.7");
|
||||
|
||||
for (int i = 0; i < 3; i++)
|
||||
{
|
||||
using RateLimitLease lease = limiter.AttemptAcquire(context);
|
||||
Assert.True(lease.IsAcquired);
|
||||
}
|
||||
|
||||
using RateLimitLease rejected = limiter.AttemptAcquire(context);
|
||||
Assert.False(rejected.IsAcquired);
|
||||
}
|
||||
|
||||
/// <summary>Distinct client IPs are partitioned independently — one IP's burst does not starve another.</summary>
|
||||
[Fact]
|
||||
public void LoginRateLimiter_DistinctIps_PartitionedIndependently()
|
||||
{
|
||||
SecurityOptions security = new()
|
||||
{
|
||||
LoginRateLimitPermitLimit = 1,
|
||||
LoginRateLimitWindowSeconds = 60,
|
||||
};
|
||||
using PartitionedRateLimiter<HttpContext> limiter =
|
||||
DashboardEndpointRouteBuilderExtensions.CreateLoginRateLimiter(security);
|
||||
|
||||
using RateLimitLease first = limiter.AttemptAcquire(ContextWithIp("10.0.0.1"));
|
||||
using RateLimitLease exhaustedForFirst = limiter.AttemptAcquire(ContextWithIp("10.0.0.1"));
|
||||
using RateLimitLease second = limiter.AttemptAcquire(ContextWithIp("10.0.0.2"));
|
||||
|
||||
Assert.True(first.IsAcquired);
|
||||
Assert.False(exhaustedForFirst.IsAcquired);
|
||||
Assert.True(second.IsAcquired);
|
||||
}
|
||||
|
||||
private static HttpContext ContextWithIp(string ip)
|
||||
{
|
||||
DefaultHttpContext context = new();
|
||||
context.Connection.RemoteIpAddress = IPAddress.Parse(ip);
|
||||
return context;
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user