185 lines
5.8 KiB
C#
185 lines
5.8 KiB
C#
// Copyright 2018-2025 The NATS Authors
|
|
// Licensed under the Apache License, Version 2.0 (the "License");
|
|
// you may not use this file except in compliance with the License.
|
|
// You may obtain a copy of the License at
|
|
//
|
|
// http://www.apache.org/licenses/LICENSE-2.0
|
|
//
|
|
// Unless required by applicable law or agreed to in writing, software
|
|
// distributed under the License is distributed on an "AS IS" BASIS,
|
|
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
// See the License for the specific language governing permissions and
|
|
// limitations under the License.
|
|
|
|
using Shouldly;
|
|
using ZB.MOM.NatsNet.Server.Auth;
|
|
|
|
namespace ZB.MOM.NatsNet.Server.Tests.Auth;
|
|
|
|
/// <summary>
|
|
/// Tests for JwtProcessor functions.
|
|
/// Mirrors Go jwt.go functionality for standalone testable functions.
|
|
/// </summary>
|
|
public class JwtProcessorTests
|
|
{
|
|
// =========================================================================
|
|
// JwtPrefix constant
|
|
// =========================================================================
|
|
|
|
[Fact]
|
|
public void JwtPrefix_IsCorrect()
|
|
{
|
|
JwtProcessor.JwtPrefix.ShouldBe("eyJ");
|
|
}
|
|
|
|
// =========================================================================
|
|
// WipeSlice
|
|
// =========================================================================
|
|
|
|
[Fact]
|
|
public void WipeSlice_FillsWithX()
|
|
{
|
|
var buf = new byte[] { 0x01, 0x02, 0x03 };
|
|
AuthHandler.WipeSlice(buf);
|
|
buf.ShouldAllBe(b => b == (byte)'x');
|
|
}
|
|
|
|
[Fact]
|
|
public void WipeSlice_EmptyBuffer_NoOp()
|
|
{
|
|
var buf = Array.Empty<byte>();
|
|
AuthHandler.WipeSlice(buf);
|
|
}
|
|
|
|
// =========================================================================
|
|
// ValidateSrc
|
|
// =========================================================================
|
|
|
|
[Fact]
|
|
public void ValidateSrc_NullCidrs_ReturnsFalse()
|
|
{
|
|
JwtProcessor.ValidateSrc(null, "192.168.1.1").ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_EmptyCidrs_ReturnsTrue()
|
|
{
|
|
JwtProcessor.ValidateSrc([], "192.168.1.1").ShouldBeTrue();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_EmptyHost_ReturnsFalse()
|
|
{
|
|
JwtProcessor.ValidateSrc(["192.168.0.0/16"], "").ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_InvalidHost_ReturnsFalse()
|
|
{
|
|
JwtProcessor.ValidateSrc(["192.168.0.0/16"], "not-an-ip").ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_MatchingCidr_ReturnsTrue()
|
|
{
|
|
JwtProcessor.ValidateSrc(["192.168.0.0/16"], "192.168.1.100").ShouldBeTrue();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_NonMatchingCidr_ReturnsFalse()
|
|
{
|
|
JwtProcessor.ValidateSrc(["10.0.0.0/8"], "192.168.1.100").ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_MultipleCidrs_MatchesAny()
|
|
{
|
|
var cidrs = new[] { "10.0.0.0/8", "192.168.0.0/16" };
|
|
JwtProcessor.ValidateSrc(cidrs, "192.168.1.100").ShouldBeTrue();
|
|
JwtProcessor.ValidateSrc(cidrs, "10.1.2.3").ShouldBeTrue();
|
|
JwtProcessor.ValidateSrc(cidrs, "172.16.0.1").ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_ExactMatch_SingleHost()
|
|
{
|
|
JwtProcessor.ValidateSrc(["192.168.1.100/32"], "192.168.1.100").ShouldBeTrue();
|
|
JwtProcessor.ValidateSrc(["192.168.1.100/32"], "192.168.1.101").ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_InvalidCidr_ReturnsFalse()
|
|
{
|
|
JwtProcessor.ValidateSrc(["not-a-cidr"], "192.168.1.1").ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_Ipv6_MatchingCidr()
|
|
{
|
|
JwtProcessor.ValidateSrc(["::1/128"], "::1").ShouldBeTrue();
|
|
JwtProcessor.ValidateSrc(["::1/128"], "::2").ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateSrc_MismatchedIpFamilies_ReturnsFalse()
|
|
{
|
|
// IPv6 CIDR with IPv4 address should not match.
|
|
JwtProcessor.ValidateSrc(["::1/128"], "127.0.0.1").ShouldBeFalse();
|
|
}
|
|
|
|
// =========================================================================
|
|
// ValidateTimes
|
|
// =========================================================================
|
|
|
|
[Fact]
|
|
public void ValidateTimes_NullRanges_ReturnsFalse()
|
|
{
|
|
var (allowed, remaining) = JwtProcessor.ValidateTimes(null);
|
|
allowed.ShouldBeFalse();
|
|
remaining.ShouldBe(TimeSpan.Zero);
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateTimes_EmptyRanges_ReturnsTrue()
|
|
{
|
|
var (allowed, remaining) = JwtProcessor.ValidateTimes([]);
|
|
allowed.ShouldBeTrue();
|
|
remaining.ShouldBe(TimeSpan.Zero);
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateTimes_CurrentTimeInRange_ReturnsTrue()
|
|
{
|
|
var now = DateTimeOffset.Now;
|
|
var start = now.AddMinutes(-30).ToString("HH:mm:ss");
|
|
var end = now.AddMinutes(30).ToString("HH:mm:ss");
|
|
|
|
var ranges = new[] { new TimeRange { Start = start, End = end } };
|
|
var (allowed, remaining) = JwtProcessor.ValidateTimes(ranges);
|
|
allowed.ShouldBeTrue();
|
|
remaining.TotalMinutes.ShouldBeGreaterThan(0);
|
|
remaining.TotalMinutes.ShouldBeLessThanOrEqualTo(30);
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateTimes_CurrentTimeOutOfRange_ReturnsFalse()
|
|
{
|
|
var now = DateTimeOffset.Now;
|
|
// Set a range entirely in the past today.
|
|
var start = now.AddHours(-3).ToString("HH:mm:ss");
|
|
var end = now.AddHours(-2).ToString("HH:mm:ss");
|
|
|
|
var ranges = new[] { new TimeRange { Start = start, End = end } };
|
|
var (allowed, _) = JwtProcessor.ValidateTimes(ranges);
|
|
allowed.ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ValidateTimes_InvalidFormat_ReturnsFalse()
|
|
{
|
|
var ranges = new[] { new TimeRange { Start = "bad", End = "data" } };
|
|
var (allowed, _) = JwtProcessor.ValidateTimes(ranges);
|
|
allowed.ShouldBeFalse();
|
|
}
|
|
}
|