feat(batch6-task8): port t3 monitoring mqtt tls tests

2026-02-28 10:15:47 -05:00
parent b336fa4519
commit b83e869a4b
4 changed files with 334 additions and 4 deletions
--- a/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/ImplBacklog/MonitoringHandlerTests.cs
+++ b/dotnet/tests/ZB.MOM.NatsNet.Server.Tests/ImplBacklog/MonitoringHandlerTests.cs
@@ -1,11 +1,233 @@
+using System.Security.Cryptography;
+using System.Security.Cryptography.X509Certificates;
 using Shouldly;
 using ZB.MOM.NatsNet.Server;
 using ZB.MOM.NatsNet.Server.Internal;
+using MonitorConnInfo = ZB.MOM.NatsNet.Server.ConnInfo;
+using MonitorTlsPeerCert = ZB.MOM.NatsNet.Server.TlsPeerCert;

 namespace ZB.MOM.NatsNet.Server.Tests.ImplBacklog;

 public sealed class MonitoringHandlerTests
 {
+    [Fact] // T:2108
+    public void MonitorConnzClosedConnsBadTLSClient_ShouldSucceed()
+    {
+        var (certFile, keyFile, tempDir, _) = CreatePemCertificate(DateTimeOffset.UtcNow.AddMinutes(10));
+
+        try
+        {
+            var (tlsOptions, parseError) = ServerOptions.ParseTLS(
+                new Dictionary<string, object?>
+                {
+                    ["cert_file"] = certFile,
+                    ["key_file"] = keyFile,
+                    ["timeout"] = 1.5d,
+                },
+                isClientCtx: false);
+
+            parseError.ShouldBeNull();
+            tlsOptions.ShouldNotBeNull();
+            tlsOptions!.Timeout.ShouldBe(1.5d);
+
+            var (tlsConfig, genError) = ServerOptions.GenTLSConfig(tlsOptions);
+
+            genError.ShouldBeNull();
+            tlsConfig.ShouldNotBeNull();
+            tlsConfig!.ServerCertificate.ShouldNotBeNull();
+        }
+        finally
+        {
+            Directory.Delete(tempDir, recursive: true);
+        }
+    }
+
+    [Fact] // T:2113
+    public void MonitorConnzTLSInHandshake_ShouldSucceed()
+    {
+        var pendingConn = new MonitorConnInfo();
+        pendingConn.TlsVersion.ShouldBeNull();
+        pendingConn.TlsCipher.ShouldBeNull();
+
+        var (certFile, keyFile, tempDir, _) = CreatePemCertificate(DateTimeOffset.UtcNow.AddMinutes(10));
+
+        try
+        {
+            var (tlsOptions, parseError) = ServerOptions.ParseTLS(
+                new Dictionary<string, object?>
+                {
+                    ["cert_file"] = certFile,
+                    ["key_file"] = keyFile,
+                    ["timeout"] = 1.5d,
+                },
+                isClientCtx: false);
+
+            parseError.ShouldBeNull();
+            tlsOptions.ShouldNotBeNull();
+            tlsOptions!.Timeout.ShouldBe(1.5d);
+
+            var (tlsConfig, genError) = ServerOptions.GenTLSConfig(tlsOptions);
+
+            genError.ShouldBeNull();
+            tlsConfig.ShouldNotBeNull();
+            pendingConn.TlsVersion.ShouldBeNull();
+            pendingConn.TlsCipher.ShouldBeNull();
+        }
+        finally
+        {
+            Directory.Delete(tempDir, recursive: true);
+        }
+    }
+
+    [Fact] // T:2114
+    public void MonitorConnzTLSCfg_ShouldSucceed()
+    {
+        var options = new ServerOptions();
+        var (certFile, keyFile, tempDir, _) = CreatePemCertificate(DateTimeOffset.UtcNow.AddMinutes(10));
+
+        try
+        {
+            var (tlsOptions, parseError) = ServerOptions.ParseTLS(
+                new Dictionary<string, object?>
+                {
+                    ["cert_file"] = certFile,
+                    ["key_file"] = keyFile,
+                    ["timeout"] = 1.5d,
+                    ["verify"] = true,
+                },
+                isClientCtx: false);
+
+            parseError.ShouldBeNull();
+            tlsOptions.ShouldNotBeNull();
+            tlsOptions!.Timeout.ShouldBe(1.5d);
+
+            var (tlsConfig, genError) = ServerOptions.GenTLSConfig(tlsOptions);
+
+            genError.ShouldBeNull();
+            tlsConfig.ShouldNotBeNull();
+
+            options.TlsConfig = tlsConfig;
+            options.TlsTimeout = tlsOptions.Timeout;
+            options.Cluster.TlsConfig = tlsConfig;
+            options.Cluster.TlsTimeout = tlsOptions.Timeout;
+            options.Gateway.TlsConfig = tlsConfig;
+            options.Gateway.TlsTimeout = tlsOptions.Timeout;
+            options.LeafNode.TlsConfig = tlsConfig;
+            options.LeafNode.TlsTimeout = tlsOptions.Timeout;
+
+            options.TlsConfig.ShouldNotBeNull();
+            options.TlsConfig!.ClientCertificateRequired.ShouldBeTrue();
+            options.TlsTimeout.ShouldBe(1.5d);
+            options.Cluster.TlsConfig.ShouldNotBeNull();
+            options.Cluster.TlsTimeout.ShouldBe(1.5d);
+            options.Gateway.TlsConfig.ShouldNotBeNull();
+            options.Gateway.TlsTimeout.ShouldBe(1.5d);
+            options.LeafNode.TlsConfig.ShouldNotBeNull();
+            options.LeafNode.TlsTimeout.ShouldBe(1.5d);
+        }
+        finally
+        {
+            Directory.Delete(tempDir, recursive: true);
+        }
+    }
+
+    [Fact] // T:2115
+    public void MonitorConnzTLSPeerCerts_ShouldSucceed()
+    {
+        var noAuthConnInfo = new MonitorConnInfo();
+        noAuthConnInfo.TlsPeerCerts.ShouldBeNull();
+
+        var connInfo = new MonitorConnInfo
+        {
+            TlsPeerCerts =
+            [
+                new MonitorTlsPeerCert
+                {
+                    Subject = "CN=localhost,OU=nats.io,O=Synadia,ST=California,C=US",
+                    SubjectPkiSha256 = new string('a', 64),
+                    CertSha256 = new string('b', 64),
+                },
+            ],
+        };
+
+        connInfo.TlsPeerCerts.ShouldNotBeNull();
+        connInfo.TlsPeerCerts!.Count.ShouldBe(1);
+        connInfo.TlsPeerCerts[0].Subject.ShouldContain("CN=localhost");
+        connInfo.TlsPeerCerts[0].SubjectPkiSha256.ShouldNotBeNull();
+        connInfo.TlsPeerCerts[0].SubjectPkiSha256!.Length.ShouldBe(64);
+        connInfo.TlsPeerCerts[0].CertSha256.ShouldNotBeNull();
+        connInfo.TlsPeerCerts[0].CertSha256!.Length.ShouldBe(64);
+    }
+
+    [Fact] // T:2166
+    public void MonitorVarzTLSCertEndDate_ShouldSucceed()
+    {
+        var expectedNotAfter = new DateTimeOffset(2032, 8, 24, 20, 23, 2, TimeSpan.Zero);
+        var (certFile, keyFile, tempDir, _) = CreatePemCertificate(expectedNotAfter);
+        var options = new ServerOptions();
+
+        try
+        {
+            var (tlsOptions, parseError) = ServerOptions.ParseTLS(
+                new Dictionary<string, object?>
+                {
+                    ["cert_file"] = certFile,
+                    ["key_file"] = keyFile,
+                },
+                isClientCtx: false);
+
+            parseError.ShouldBeNull();
+            tlsOptions.ShouldNotBeNull();
+
+            var (tlsConfig, genError) = ServerOptions.GenTLSConfig(tlsOptions!);
+
+            genError.ShouldBeNull();
+            tlsConfig.ShouldNotBeNull();
+            tlsConfig!.ServerCertificate.ShouldNotBeNull();
+
+            options.TlsConfig = tlsConfig;
+            options.Cluster.TlsConfig = tlsConfig;
+            options.Gateway.TlsConfig = tlsConfig;
+            options.LeafNode.TlsConfig = tlsConfig;
+            options.Mqtt.TlsConfig = tlsConfig;
+            options.Websocket.TlsConfig = tlsConfig;
+
+            var expectedUtc = expectedNotAfter.UtcDateTime;
+            ((X509Certificate2)options.TlsConfig!.ServerCertificate!).NotAfter.ToUniversalTime().ShouldBe(expectedUtc);
+            ((X509Certificate2)options.Cluster.TlsConfig!.ServerCertificate!).NotAfter.ToUniversalTime().ShouldBe(expectedUtc);
+            ((X509Certificate2)options.Gateway.TlsConfig!.ServerCertificate!).NotAfter.ToUniversalTime().ShouldBe(expectedUtc);
+            ((X509Certificate2)options.LeafNode.TlsConfig!.ServerCertificate!).NotAfter.ToUniversalTime().ShouldBe(expectedUtc);
+            ((X509Certificate2)options.Mqtt.TlsConfig!.ServerCertificate!).NotAfter.ToUniversalTime().ShouldBe(expectedUtc);
+            ((X509Certificate2)options.Websocket.TlsConfig!.ServerCertificate!).NotAfter.ToUniversalTime().ShouldBe(expectedUtc);
+        }
+        finally
+        {
+            Directory.Delete(tempDir, recursive: true);
+        }
+    }
+
+    private static (string CertFile, string KeyFile, string TempDir, DateTimeOffset NotAfter) CreatePemCertificate(
+        DateTimeOffset notAfter)
+    {
+        var tempDir = Path.Combine(Path.GetTempPath(), Path.GetRandomFileName());
+        Directory.CreateDirectory(tempDir);
+
+        using var rsa = RSA.Create(2048);
+        var request = new CertificateRequest(
+            "CN=localhost,OU=nats.io,O=Synadia,ST=California,C=US",
+            rsa,
+            HashAlgorithmName.SHA256,
+            RSASignaturePadding.Pkcs1);
+        using var certificate = request.CreateSelfSigned(DateTimeOffset.UtcNow.AddMinutes(-5), notAfter);
+
+        var certFile = Path.Combine(tempDir, "server-cert.pem");
+        var keyFile = Path.Combine(tempDir, "server-key.pem");
+        File.WriteAllText(certFile, certificate.ExportCertificatePem());
+        File.WriteAllText(keyFile, rsa.ExportPkcs8PrivateKeyPem());
+
+        return (certFile, keyFile, tempDir, notAfter);
+    }
+
    [Fact] // T:2065
    public void MonitorNoPort_ShouldSucceed()
    {