17f16ea181
SEC-07: add QueryActiveAlarmsRequest -> events:read scope arm; fix two tests that
constructed StreamAlarmsRequest instead of QueryActiveAlarmsRequest.
SEC-05: shorten hub-token lifetime 30m -> 5m; document that the ?access_token= query
carriage must never be request-logged.
SEC-08: gateway-side CachingApiKeyVerifier (short TTL, keyed on a hash of the presented
secret) skips the per-call store read+last_used write; CoalescingMarkApiKeyStore bounds
last_used writes to <=1/key/min; identity constraints are cached. Invalidation is wired
at the gateway admin sites (revoke/rotate/delete); short TTL backstops out-of-process CLI.
SEC-11: fixed-window rate limit on POST /auth/login + a per-peer (key-id) failure limiter
checked before VerifyAsync; new MxGateway:Security options bound + validated.
Also fixes regressions from the SEC-01/04/06 commit (c185f62) that a narrow test filter
missed (all now covered by a full-suite checkpoint):
- Rooting check is cross-platform: accepts Windows C:\/UNC forms on Unix so the shipped
appsettings path validates on the macOS dev box, still rejecting bare filenames.
- AddGatewayConfiguration TryAdds a non-production IHostEnvironment fallback so the validator
resolves in minimal test/tooling containers; the real host + apikey CLI register the actual
environment first (TryAdd no-op there).
- Test assembly defaults ASPNETCORE_ENVIRONMENT=Development (ModuleInitializer) so full-host
tests exercise wiring instead of tripping the SEC-04/06 production guards.
- GatewayOptionsTests asserts the SEC-01 CommonApplicationData-derived default (platform-correct).
archreview: SEC-07/05/08/11 (P1). Verified: NonWindows build clean; full gateway suite
747 passed / 42 failed, where all 42 are the pre-existing macOS named-pipe-harness failures
(Unix-socket path limit) and 0 are validation/regression failures.
178 lines
6.5 KiB
C#
178 lines
6.5 KiB
C#
using System.Security.Claims;
|
|
using Microsoft.AspNetCore.DataProtection;
|
|
using ZB.MOM.WW.MxGateway.Server.Dashboard;
|
|
|
|
namespace ZB.MOM.WW.MxGateway.Tests.Gateway.Dashboard;
|
|
|
|
public sealed class HubTokenServiceTests
|
|
{
|
|
/// <summary>
|
|
/// A token whose data-protected payload has both
|
|
/// <c>Name</c> and <c>NameIdentifier</c> null (the principal that
|
|
/// minted the token had no identity claims) must be rejected by
|
|
/// <see cref="HubTokenService.Validate"/>. The role claims alone are
|
|
/// not enough — without a caller identity, the resulting
|
|
/// <see cref="ClaimsPrincipal"/> would satisfy
|
|
/// <c>IsAuthenticated</c> / <c>IsInRole</c> checks without an
|
|
/// associated user.
|
|
/// </summary>
|
|
[Fact]
|
|
public void Validate_TokenWithNullNameAndNullNameIdentifier_ReturnsNull()
|
|
{
|
|
HubTokenService service = new(new EphemeralDataProtectionProvider());
|
|
|
|
// Issue from a principal with NO Name claim and NO NameIdentifier
|
|
// claim. The Issue method's payload will then carry
|
|
// (Name = null, NameIdentifier = null, Roles = ["Viewer"]).
|
|
ClaimsIdentity identity = new(
|
|
[new Claim(ClaimTypes.Role, DashboardRoles.Viewer)],
|
|
authenticationType: "test");
|
|
ClaimsPrincipal principal = new(identity);
|
|
string token = service.Issue(principal);
|
|
|
|
ClaimsPrincipal? result = service.Validate(token);
|
|
|
|
Assert.Null(result);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Sanity check: a token minted from a principal with a Name claim
|
|
/// validates and returns a principal carrying that identity. Pins
|
|
/// that the null-identity rejection above does not over-reject valid tokens.
|
|
/// </summary>
|
|
[Fact]
|
|
public void Validate_TokenWithName_ReturnsAuthenticatedPrincipal()
|
|
{
|
|
HubTokenService service = new(new EphemeralDataProtectionProvider());
|
|
|
|
ClaimsIdentity identity = new(
|
|
[
|
|
new Claim(ClaimTypes.Name, "alice"),
|
|
new Claim(ClaimTypes.NameIdentifier, "alice-id"),
|
|
new Claim(ClaimTypes.Role, DashboardRoles.Admin),
|
|
],
|
|
authenticationType: "test",
|
|
nameType: ClaimTypes.Name,
|
|
roleType: ClaimTypes.Role);
|
|
ClaimsPrincipal principal = new(identity);
|
|
string token = service.Issue(principal);
|
|
|
|
ClaimsPrincipal? result = service.Validate(token);
|
|
|
|
Assert.NotNull(result);
|
|
Assert.Equal("alice", result.Identity?.Name);
|
|
Assert.True(result.IsInRole(DashboardRoles.Admin));
|
|
}
|
|
|
|
/// <summary>
|
|
/// Sanity check: a token minted with only a NameIdentifier (no Name)
|
|
/// still validates — a non-null caller identity is the contract,
|
|
/// either field is sufficient.
|
|
/// </summary>
|
|
[Fact]
|
|
public void Validate_TokenWithOnlyNameIdentifier_ReturnsPrincipal()
|
|
{
|
|
HubTokenService service = new(new EphemeralDataProtectionProvider());
|
|
|
|
ClaimsIdentity identity = new(
|
|
[
|
|
new Claim(ClaimTypes.NameIdentifier, "alice-id"),
|
|
new Claim(ClaimTypes.Role, DashboardRoles.Viewer),
|
|
],
|
|
authenticationType: "test");
|
|
ClaimsPrincipal principal = new(identity);
|
|
string token = service.Issue(principal);
|
|
|
|
ClaimsPrincipal? result = service.Validate(token);
|
|
|
|
Assert.NotNull(result);
|
|
Assert.True(result.IsInRole(DashboardRoles.Viewer));
|
|
}
|
|
|
|
/// <summary>Verifies that a null token returns null.</summary>
|
|
[Fact]
|
|
public void Validate_NullToken_ReturnsNull()
|
|
{
|
|
HubTokenService service = new(new EphemeralDataProtectionProvider());
|
|
|
|
Assert.Null(service.Validate(null));
|
|
}
|
|
|
|
/// <summary>Verifies that an empty token returns null.</summary>
|
|
[Fact]
|
|
public void Validate_EmptyToken_ReturnsNull()
|
|
{
|
|
HubTokenService service = new(new EphemeralDataProtectionProvider());
|
|
|
|
Assert.Null(service.Validate(string.Empty));
|
|
}
|
|
|
|
/// <summary>Verifies that an invalid token returns null.</summary>
|
|
[Fact]
|
|
public void Validate_GarbageToken_ReturnsNull()
|
|
{
|
|
HubTokenService service = new(new EphemeralDataProtectionProvider());
|
|
|
|
Assert.Null(service.Validate("this-is-not-a-protected-payload"));
|
|
}
|
|
|
|
/// <summary>
|
|
/// Issue/validate round-trip: a freshly minted token (default <see cref="HubTokenService.TokenLifetime"/>)
|
|
/// validates and reconstructs the caller's identity and roles.
|
|
/// </summary>
|
|
[Fact]
|
|
public void IssueThenValidate_FreshToken_RoundTripsIdentityAndRoles()
|
|
{
|
|
HubTokenService service = new(new EphemeralDataProtectionProvider());
|
|
ClaimsIdentity identity = new(
|
|
[
|
|
new Claim(ClaimTypes.Name, "bob"),
|
|
new Claim(ClaimTypes.NameIdentifier, "bob-id"),
|
|
new Claim(ClaimTypes.Role, DashboardRoles.Viewer),
|
|
new Claim(ClaimTypes.Role, DashboardRoles.Admin),
|
|
],
|
|
authenticationType: "test",
|
|
nameType: ClaimTypes.Name,
|
|
roleType: ClaimTypes.Role);
|
|
|
|
string token = service.Issue(new ClaimsPrincipal(identity));
|
|
ClaimsPrincipal? result = service.Validate(token);
|
|
|
|
Assert.NotNull(result);
|
|
Assert.Equal("bob", result.Identity?.Name);
|
|
Assert.True(result.IsInRole(DashboardRoles.Viewer));
|
|
Assert.True(result.IsInRole(DashboardRoles.Admin));
|
|
}
|
|
|
|
/// <summary>
|
|
/// The default token lifetime is the short (5-minute) window mandated by SEC-05, not the
|
|
/// former 30-minute window. Pins the value so a regression that widens the exposure window
|
|
/// of an irrevocable, query-string-carried token is caught in CI.
|
|
/// </summary>
|
|
[Fact]
|
|
public void TokenLifetime_IsFiveMinutes()
|
|
{
|
|
Assert.Equal(TimeSpan.FromMinutes(5), HubTokenService.TokenLifetime);
|
|
}
|
|
|
|
/// <summary>
|
|
/// A token whose lifetime has elapsed is rejected by <see cref="HubTokenService.Validate"/>.
|
|
/// Uses the internal lifetime-issuing seam with a negative lifetime so the token is already
|
|
/// expired at mint time — deterministic, no wall-clock delay.
|
|
/// </summary>
|
|
[Fact]
|
|
public void Validate_ExpiredToken_ReturnsNull()
|
|
{
|
|
HubTokenService service = new(new EphemeralDataProtectionProvider());
|
|
ClaimsIdentity identity = new(
|
|
[new Claim(ClaimTypes.Name, "carol")],
|
|
authenticationType: "test");
|
|
|
|
string expiredToken = service.Issue(
|
|
new ClaimsPrincipal(identity),
|
|
TimeSpan.FromMinutes(-1));
|
|
|
|
Assert.Null(service.Validate(expiredToken));
|
|
}
|
|
}
|