test: add permission enforcement and NKey integration tests

Fix NKey nonce verification: the NATS client signs the nonce string (ASCII bytes of the base64url-encoded nonce), not the raw nonce bytes. Pass the encoded nonce string bytes to the authenticator for verification.
2026-02-22 23:03:41 -05:00
parent 9cb3e2fe0f
commit c40c2cd994
3 changed files with 206 additions and 2 deletions
--- a/tests/NATS.Server.Tests/NKeyIntegrationTests.cs
+++ b/tests/NATS.Server.Tests/NKeyIntegrationTests.cs
@@ -0,0 +1,82 @@
+using System.Net;
+using System.Net.Sockets;
+using Microsoft.Extensions.Logging.Abstractions;
+using NATS.Client.Core;
+using NATS.NKeys;
+using NATS.Server.Auth;
+
+namespace NATS.Server.Tests;
+
+public class NKeyIntegrationTests : IAsyncLifetime
+{
+    private NatsServer _server = null!;
+    private int _port;
+    private readonly CancellationTokenSource _cts = new();
+    private Task _serverTask = null!;
+    private KeyPair _userKeyPair = null!;
+    private string _userSeed = null!;
+    private string _userPublicKey = null!;
+
+    private static int GetFreePort()
+    {
+        using var sock = new Socket(AddressFamily.InterNetwork, SocketType.Stream, ProtocolType.Tcp);
+        sock.Bind(new IPEndPoint(IPAddress.Loopback, 0));
+        return ((IPEndPoint)sock.LocalEndPoint!).Port;
+    }
+
+    public async Task InitializeAsync()
+    {
+        _port = GetFreePort();
+        _userKeyPair = KeyPair.CreatePair(PrefixByte.User);
+        _userPublicKey = _userKeyPair.GetPublicKey();
+        _userSeed = _userKeyPair.GetSeed();
+
+        _server = new NatsServer(new NatsOptions
+        {
+            Port = _port,
+            NKeys = [new NKeyUser { Nkey = _userPublicKey }],
+        }, NullLoggerFactory.Instance);
+
+        _serverTask = _server.StartAsync(_cts.Token);
+        await _server.WaitForReadyAsync();
+    }
+
+    public async Task DisposeAsync()
+    {
+        await _cts.CancelAsync();
+        _server.Dispose();
+    }
+
+    [Fact]
+    public async Task NKey_auth_success()
+    {
+        await using var client = new NatsConnection(new NatsOpts
+        {
+            Url = $"nats://127.0.0.1:{_port}",
+            AuthOpts = new NatsAuthOpts { NKey = _userPublicKey, Seed = _userSeed },
+        });
+
+        await client.ConnectAsync();
+        await client.PingAsync();
+    }
+
+    [Fact]
+    public async Task NKey_auth_wrong_key_fails()
+    {
+        // Generate a different key pair not known to the server
+        var otherKp = KeyPair.CreatePair(PrefixByte.User);
+
+        await using var client = new NatsConnection(new NatsOpts
+        {
+            Url = $"nats://127.0.0.1:{_port}",
+            AuthOpts = new NatsAuthOpts { NKey = otherKp.GetPublicKey(), Seed = otherKp.GetSeed() },
+            MaxReconnectRetry = 0,
+        });
+
+        await Should.ThrowAsync<NatsException>(async () =>
+        {
+            await client.ConnectAsync();
+            await client.PingAsync();
+        });
+    }
+}