feat: port session 06 — Authentication & JWT types, validators, cipher suites

Port independently-testable auth functions from auth.go, ciphersuites.go, and jwt.go. Server-dependent methods (configureAuthorization, checkAuthentication, auth callout, etc.) are stubbed for later sessions. - AuthTypes: User, NkeyUser, SubjectPermission, ResponsePermission, Permissions, RoutePermissions, Account — all with deep Clone() methods - AuthHandler: IsBcrypt, ComparePasswords, ValidateResponsePermissions, ValidateAllowedConnectionTypes, ValidateNoAuthUser, ValidateAuth, DnsAltNameLabels, DnsAltNameMatches, WipeSlice, ConnectionTypes constants - CipherSuites: CipherMap, CipherMapById, DefaultCipherSuites, CurvePreferenceMap, DefaultCurvePreferences - JwtProcessor: JwtPrefix, WipeSlice, ValidateSrc (CIDR matching), ValidateTimes (time-of-day ranges), TimeRange type - ServerOptions: added Users, Nkeys, TrustedOperators properties - 67 new unit tests (all 328 tests pass) - DB: 18 features complete, 25 stubbed; 6 Go tests complete, 125 stubbed
2026-02-26 12:27:33 -05:00
parent ed78a100e2
commit 0a54d342ba
12 changed files with 1698 additions and 8 deletions
--- a/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Auth/JwtProcessorTests.cs
+++ b/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/Auth/JwtProcessorTests.cs
@@ -0,0 +1,184 @@
+// Copyright 2018-2025 The NATS Authors
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+// http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+using Shouldly;
+using ZB.MOM.NatsNet.Server.Auth;
+
+namespace ZB.MOM.NatsNet.Server.Tests.Auth;
+
+/// <summary>
+/// Tests for JwtProcessor functions.
+/// Mirrors Go jwt.go functionality for standalone testable functions.
+/// </summary>
+public class JwtProcessorTests
+{
+    // =========================================================================
+    // JwtPrefix constant
+    // =========================================================================
+
+    [Fact]
+    public void JwtPrefix_IsCorrect()
+    {
+        JwtProcessor.JwtPrefix.ShouldBe("eyJ");
+    }
+
+    // =========================================================================
+    // WipeSlice
+    // =========================================================================
+
+    [Fact]
+    public void WipeSlice_FillsWithX()
+    {
+        var buf = new byte[] { 0x01, 0x02, 0x03 };
+        JwtProcessor.WipeSlice(buf);
+        buf.ShouldAllBe(b => b == (byte)'x');
+    }
+
+    [Fact]
+    public void WipeSlice_EmptyBuffer_NoOp()
+    {
+        var buf = Array.Empty<byte>();
+        JwtProcessor.WipeSlice(buf);
+    }
+
+    // =========================================================================
+    // ValidateSrc
+    // =========================================================================
+
+    [Fact]
+    public void ValidateSrc_NullCidrs_ReturnsFalse()
+    {
+        JwtProcessor.ValidateSrc(null, "192.168.1.1").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ValidateSrc_EmptyCidrs_ReturnsTrue()
+    {
+        JwtProcessor.ValidateSrc([], "192.168.1.1").ShouldBeTrue();
+    }
+
+    [Fact]
+    public void ValidateSrc_EmptyHost_ReturnsFalse()
+    {
+        JwtProcessor.ValidateSrc(["192.168.0.0/16"], "").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ValidateSrc_InvalidHost_ReturnsFalse()
+    {
+        JwtProcessor.ValidateSrc(["192.168.0.0/16"], "not-an-ip").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ValidateSrc_MatchingCidr_ReturnsTrue()
+    {
+        JwtProcessor.ValidateSrc(["192.168.0.0/16"], "192.168.1.100").ShouldBeTrue();
+    }
+
+    [Fact]
+    public void ValidateSrc_NonMatchingCidr_ReturnsFalse()
+    {
+        JwtProcessor.ValidateSrc(["10.0.0.0/8"], "192.168.1.100").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ValidateSrc_MultipleCidrs_MatchesAny()
+    {
+        var cidrs = new[] { "10.0.0.0/8", "192.168.0.0/16" };
+        JwtProcessor.ValidateSrc(cidrs, "192.168.1.100").ShouldBeTrue();
+        JwtProcessor.ValidateSrc(cidrs, "10.1.2.3").ShouldBeTrue();
+        JwtProcessor.ValidateSrc(cidrs, "172.16.0.1").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ValidateSrc_ExactMatch_SingleHost()
+    {
+        JwtProcessor.ValidateSrc(["192.168.1.100/32"], "192.168.1.100").ShouldBeTrue();
+        JwtProcessor.ValidateSrc(["192.168.1.100/32"], "192.168.1.101").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ValidateSrc_InvalidCidr_ReturnsFalse()
+    {
+        JwtProcessor.ValidateSrc(["not-a-cidr"], "192.168.1.1").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ValidateSrc_Ipv6_MatchingCidr()
+    {
+        JwtProcessor.ValidateSrc(["::1/128"], "::1").ShouldBeTrue();
+        JwtProcessor.ValidateSrc(["::1/128"], "::2").ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ValidateSrc_MismatchedIpFamilies_ReturnsFalse()
+    {
+        // IPv6 CIDR with IPv4 address should not match.
+        JwtProcessor.ValidateSrc(["::1/128"], "127.0.0.1").ShouldBeFalse();
+    }
+
+    // =========================================================================
+    // ValidateTimes
+    // =========================================================================
+
+    [Fact]
+    public void ValidateTimes_NullRanges_ReturnsFalse()
+    {
+        var (allowed, remaining) = JwtProcessor.ValidateTimes(null);
+        allowed.ShouldBeFalse();
+        remaining.ShouldBe(TimeSpan.Zero);
+    }
+
+    [Fact]
+    public void ValidateTimes_EmptyRanges_ReturnsTrue()
+    {
+        var (allowed, remaining) = JwtProcessor.ValidateTimes([]);
+        allowed.ShouldBeTrue();
+        remaining.ShouldBe(TimeSpan.Zero);
+    }
+
+    [Fact]
+    public void ValidateTimes_CurrentTimeInRange_ReturnsTrue()
+    {
+        var now = DateTimeOffset.Now;
+        var start = now.AddMinutes(-30).ToString("HH:mm:ss");
+        var end = now.AddMinutes(30).ToString("HH:mm:ss");
+
+        var ranges = new[] { new TimeRange { Start = start, End = end } };
+        var (allowed, remaining) = JwtProcessor.ValidateTimes(ranges);
+        allowed.ShouldBeTrue();
+        remaining.TotalMinutes.ShouldBeGreaterThan(0);
+        remaining.TotalMinutes.ShouldBeLessThanOrEqualTo(30);
+    }
+
+    [Fact]
+    public void ValidateTimes_CurrentTimeOutOfRange_ReturnsFalse()
+    {
+        var now = DateTimeOffset.Now;
+        // Set a range entirely in the past today.
+        var start = now.AddHours(-3).ToString("HH:mm:ss");
+        var end = now.AddHours(-2).ToString("HH:mm:ss");
+
+        var ranges = new[] { new TimeRange { Start = start, End = end } };
+        var (allowed, _) = JwtProcessor.ValidateTimes(ranges);
+        allowed.ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ValidateTimes_InvalidFormat_ReturnsFalse()
+    {
+        var ranges = new[] { new TimeRange { Start = "bad", End = "data" } };
+        var (allowed, _) = JwtProcessor.ValidateTimes(ranges);
+        allowed.ShouldBeFalse();
+    }
+}