refactor: extract NATS.Server.Auth.Tests project

Move 50 auth/accounts/permissions/JWT/NKey test files from NATS.Server.Tests into a dedicated NATS.Server.Auth.Tests project. Update namespaces, replace private GetFreePort/ReadUntilAsync helpers with TestUtilities calls, replace Task.Delay with TaskCompletionSource in test doubles, and add InternalsVisibleTo. 690 tests pass.
2026-03-12 15:54:07 -04:00
parent 0c086522a4
commit 36b9dfa654
53 changed files with 138 additions and 185 deletions
--- a/tests/NATS.Server.Auth.Tests/Auth/TlsMapAuthParityBatch1Tests.cs
+++ b/tests/NATS.Server.Auth.Tests/Auth/TlsMapAuthParityBatch1Tests.cs
@@ -0,0 +1,65 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
+using NATS.Server.Auth;
+
+namespace NATS.Server.Auth.Tests.Auth;
+
+public class TlsMapAuthParityBatch1Tests
+{
+    [Fact]
+    public void GetTlsAuthDcs_extracts_domain_components_from_subject()
+    {
+        using var cert = CreateSelfSignedCert("CN=alice,DC=example,DC=com");
+
+        TlsMapAuthenticator.GetTlsAuthDcs(cert.SubjectName).ShouldBe("DC=example,DC=com");
+    }
+
+    [Fact]
+    public void DnsAltNameLabels_and_matches_follow_rfc6125_shape()
+    {
+        var labels = TlsMapAuthenticator.DnsAltNameLabels("*.Example.COM");
+        labels.ShouldBe(["*", "example", "com"]);
+
+        TlsMapAuthenticator.DnsAltNameMatches(labels, [new Uri("nats://node.example.com:6222")]).ShouldBeTrue();
+        TlsMapAuthenticator.DnsAltNameMatches(labels, [new Uri("nats://a.b.example.com:6222")]).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void Authenticate_can_match_user_from_email_or_dns_san()
+    {
+        using var cert = CreateSelfSignedCertWithSan("CN=ignored", "ops@example.com", "router.example.com");
+        var auth = new TlsMapAuthenticator([
+            new User { Username = "ops@example.com", Password = "" },
+            new User { Username = "router.example.com", Password = "" },
+        ]);
+
+        var ctx = new ClientAuthContext
+        {
+            Opts = new Protocol.ClientOptions(),
+            Nonce = [],
+            ClientCertificate = cert,
+        };
+
+        var result = auth.Authenticate(ctx);
+        result.ShouldNotBeNull();
+        (result.Identity == "ops@example.com" || result.Identity == "router.example.com").ShouldBeTrue();
+    }
+
+    private static X509Certificate2 CreateSelfSignedCert(string subjectName)
+    {
+        using var rsa = RSA.Create(2048);
+        var req = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        return req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
+    }
+
+    private static X509Certificate2 CreateSelfSignedCertWithSan(string subjectName, string email, string dns)
+    {
+        using var rsa = RSA.Create(2048);
+        var req = new CertificateRequest(subjectName, rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
+        var sans = new SubjectAlternativeNameBuilder();
+        sans.AddEmailAddress(email);
+        sans.AddDnsName(dns);
+        req.CertificateExtensions.Add(sans.Build());
+        return req.CreateSelfSigned(DateTimeOffset.UtcNow, DateTimeOffset.UtcNow.AddYears(1));
+    }
+}