// Copyright 2017-2026 The NATS Authors
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
// Ported from:
// server/accounts_test.go (5 tests — route account mappings)
// server/auth_callout_test.go (5 tests — external auth callout)
// server/jwt_test.go (11 tests — JWT validation)
using System.Net;
using NATS.Client.Core;
using Shouldly;
using Xunit.Abstractions;
using ZB.MOM.NatsNet.Server;
using ZB.MOM.NatsNet.Server.Auth;
using ZB.MOM.NatsNet.Server.IntegrationTests.Helpers;
namespace ZB.MOM.NatsNet.Server.IntegrationTests.Auth;
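/// <summary>
/// Integration tests for authentication and account features.
/// Mirrors Go tests from accounts_test.go, auth_callout_test.go, and jwt_test.go.
/// </summary>
/// <remarks>
/// Every test in this class is currently a skipped placeholder, so none of the
/// behaviors described below (account isolation, auth callout, JWT validation) is
/// exercised by this suite yet. Each body calls <see cref="FailUnported"/> so that
/// removing the Skip without porting the test fails instead of passing vacuously;
/// an empty body would otherwise report an authentication control as verified.
/// </remarks>
[Collection("AuthIntegrationTests")]
[Trait("Category", "Integration")]
public class AuthIntegrationTests : IntegrationTestBase
{
    // Single source for the skip reason so it cannot drift between tests.
    private const string DeferredSkipReason = "deferred: requires running NATS server";

    public AuthIntegrationTests(ITestOutputHelper output) : base(output) { }

    /// <summary>
    /// Fails a placeholder test that has been un-skipped before being ported.
    /// </summary>
    /// <param name="goTestName">Name of the Go test this placeholder mirrors.</param>
    /// <exception cref="global::System.NotImplementedException">Always thrown.</exception>
    private static void FailUnported(string goTestName) =>
        // Fully qualified: this file has no "using System;" of its own.
        throw new global::System.NotImplementedException(
            $"Not yet ported from Go {goTestName}; an empty body must not be reported as a passing auth test.");

    // =========================================================================
    // accounts_test.go — Account Isolation
    // =========================================================================

    /// <summary>
    /// Verifies that messages published in one account are not delivered to another.
    /// Mirrors Go TestAccountIsolation.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void AccountIsolation_ShouldNotCrossAccounts()
    {
        FailUnported("TestAccountIsolation");
    }

    /// <summary>
    /// Verifies that stream import/export enables cross-account delivery.
    /// Mirrors Go TestAccountIsolationExportImport.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void AccountIsolationExportImport_ShouldDeliverViaImport()
    {
        FailUnported("TestAccountIsolationExportImport");
    }

    /// <summary>
    /// Verifies that multi-account server allows independent connections per account.
    /// Mirrors Go TestMultiAccountsIsolation.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void MultiAccountsIsolation_ShouldAllowIndependentSubscriptions()
    {
        FailUnported("TestMultiAccountsIsolation");
    }

    /// <summary>
    /// Verifies that accounts configured from options map users correctly.
    /// Mirrors Go TestAccountFromOptions.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void AccountFromOptions_ShouldMapUsersCorrectly()
    {
        FailUnported("TestAccountFromOptions");
    }

    /// <summary>
    /// Verifies basic pub/sub within a single account on a multi-account server.
    /// Mirrors Go TestSimpleMapping (pub/sub behavior).
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void SimpleAccountPubSub_ShouldDeliverWithinAccount()
    {
        FailUnported("TestSimpleMapping");
    }

    // =========================================================================
    // auth_callout_test.go — Auth Callout
    // =========================================================================

    /// <summary>
    /// Verifies basic server startup with auth callout configured.
    /// Mirrors Go TestAuthCalloutBasics (server boot + connection behavior).
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void AuthCalloutBasics_ServerBoots_ShouldSucceed()
    {
        FailUnported("TestAuthCalloutBasics");
    }

    /// <summary>
    /// Verifies that multi-account setup works with designated auth user.
    /// Mirrors Go TestAuthCalloutMultiAccounts (multi-account behavior).
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void AuthCalloutMultiAccounts_ShouldSupportMultipleAccounts()
    {
        FailUnported("TestAuthCalloutMultiAccounts");
    }

    /// <summary>
    /// Verifies that allowed accounts configuration restricts callout routing.
    /// Mirrors Go TestAuthCalloutAllowedAccounts.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void AuthCalloutAllowedAccounts_ShouldEnforceAccountBoundaries()
    {
        FailUnported("TestAuthCalloutAllowedAccounts");
    }

    /// <summary>
    /// Verifies that operator mode restriction prevents inline auth callout config.
    /// Mirrors Go TestAuthCalloutOperatorNoServerConfigCalloutAllowed.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void AuthCalloutOperatorNoServerConfigCalloutAllowed_ShouldErrorOnBoot()
    {
        FailUnported("TestAuthCalloutOperatorNoServerConfigCalloutAllowed");
    }

    /// <summary>
    /// Verifies server correctly handles connection error on bad callout credentials.
    /// Mirrors Go TestAuthCalloutErrorResponse.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void AuthCalloutErrorResponse_ShouldRejectBadCredentials()
    {
        FailUnported("TestAuthCalloutErrorResponse");
    }

    // =========================================================================
    // jwt_test.go — JWT Validation
    // =========================================================================

    /// <summary>
    /// Verifies server requires auth when configured with trusted keys.
    /// Mirrors Go TestJWTUser — auth-required behavior.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTUser_AuthRequired_ShouldRejectUnauthenticated()
    {
        FailUnported("TestJWTUser");
    }

    /// <summary>
    /// Verifies server rejects connections when trusted keys don't match.
    /// Mirrors Go TestJWTUserBadTrusted — bad trusted key behavior.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTUserBadTrusted_ShouldRejectWithBadKeys()
    {
        FailUnported("TestJWTUserBadTrusted");
    }

    /// <summary>
    /// Verifies server rejects expired JWT tokens.
    /// Mirrors Go TestJWTUserExpired.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTUserExpired_ShouldRejectExpiredToken()
    {
        FailUnported("TestJWTUserExpired");
    }

    /// <summary>
    /// Verifies that user permissions are set when connecting.
    /// Mirrors Go TestJWTUserPermissionClaims.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTUserPermissionClaims_ShouldApplyPermissionsOnConnect()
    {
        FailUnported("TestJWTUserPermissionClaims");
    }

    /// <summary>
    /// Verifies response permissions are enforced on connected clients.
    /// Mirrors Go TestJWTUserResponsePermissionClaims.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTUserResponsePermissionClaims_ShouldAllowRequestReply()
    {
        FailUnported("TestJWTUserResponsePermissionClaims");
    }

    /// <summary>
    /// Verifies response permission defaults apply when none are explicitly set.
    /// Mirrors Go TestJWTUserResponsePermissionClaimsDefaultValues.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTUserResponsePermissionClaimsDefaultValues_ShouldApplyDefaults()
    {
        FailUnported("TestJWTUserResponsePermissionClaimsDefaultValues");
    }

    /// <summary>
    /// Verifies negative response permission values are handled.
    /// Mirrors Go TestJWTUserResponsePermissionClaimsNegativeValues.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTUserResponsePermissionClaimsNegativeValues_ShouldHandleGracefully()
    {
        FailUnported("TestJWTUserResponsePermissionClaimsNegativeValues");
    }

    /// <summary>
    /// Verifies server rejects connections when account claims are expired.
    /// Mirrors Go TestJWTAccountExpired.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTAccountExpired_ShouldRejectExpiredAccount()
    {
        FailUnported("TestJWTAccountExpired");
    }

    /// <summary>
    /// Verifies account expiry behavior after connection is established.
    /// Mirrors Go TestJWTAccountExpiresAfterConnect.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTAccountExpiresAfterConnect_ShouldConnectThenExpire()
    {
        FailUnported("TestJWTAccountExpiresAfterConnect");
    }

    /// <summary>
    /// Verifies that JWT account limits on subscriptions are enforced.
    /// Mirrors Go TestJWTAccountLimitsSubs.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTAccountLimitsSubs_ShouldEnforceSubscriptionLimits()
    {
        FailUnported("TestJWTAccountLimitsSubs");
    }

    /// <summary>
    /// Verifies that JWT account max payload limits are applied.
    /// Mirrors Go TestJWTAccountLimitsMaxPayload.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTAccountLimitsMaxPayload_ShouldEnforcePayloadLimit()
    {
        FailUnported("TestJWTAccountLimitsMaxPayload");
    }

    /// <summary>
    /// Verifies that JWT account max connection limits are enforced.
    /// Mirrors Go TestJWTAccountLimitsMaxConns.
    /// </summary>
    [Fact(Skip = DeferredSkipReason)]
    public void JWTAccountLimitsMaxConns_ShouldEnforceConnectionLimit()
    {
        FailUnported("TestJWTAccountLimitsMaxConns");
    }
}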