using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging.Abstractions;
using ScadaLink.Commons.Entities.Audit;
using ScadaLink.Commons.Interfaces.Services;
using ScadaLink.Commons.Types.Enums;
using ScadaLink.InboundAPI.Middleware;
using System.Security.Claims;
namespace ScadaLink.InboundAPI.Tests.Middleware;
///
/// M4 Bundle D (D2) — verifies the production pipeline order from
/// ScadaLink.Host.Program.cs for the inbound API:
/// UseAuthentication → UseAuthorization → UseAuditWriteMiddleware → endpoint.
///
///
/// The order is load-bearing: the audit middleware must run AFTER auth (so any
/// framework-resolved principal on is in place)
/// and BEFORE the inbound-API endpoint handler (so the handler's stashed actor
/// name from is observable in the
/// finally block when the handler returns). The order is also what
/// guarantees auth-failure responses (401/403 produced by a future auth scheme)
/// are seen by the middleware so it can emit
/// .
///
///
public class MiddlewareOrderTests
{
///
/// Captures the order of pipeline stages by appending a token to a shared
/// list as each stage runs. The assertion compares the resulting sequence
/// directly so a regression that re-orders the pipeline fails loudly.
///
private sealed class OrderingRecorder
{
public List Stages { get; } = new();
public void Record(string stage)
{
lock (Stages) { Stages.Add(stage); }
}
}
private sealed class RecordingAuditWriter : ICentralAuditWriter
{
public List Events { get; } = new();
public Task WriteAsync(AuditEvent evt, CancellationToken ct = default)
{
lock (Events) { Events.Add(evt); }
return Task.CompletedTask;
}
}
[Fact]
public async Task Middleware_Pipeline_PlacesAuditWriteAfterAuth_BeforeScriptExecution()
{
var recorder = new OrderingRecorder();
var writer = new RecordingAuditWriter();
using var host = await BuildHostAsync(recorder, writer);
var client = host.GetTestClient();
var response = await client.PostAsync("/api/echo", new StringContent("{}"));
Assert.Equal(System.Net.HttpStatusCode.OK, response.StatusCode);
// The recorder MUST observe these stages in exactly this order:
// 1. Authentication (UseAuthentication marker)
// 2. Authorization (UseAuthorization marker)
// 3. AuditMiddleware-Before-Next (audit middleware entered)
// 4. Endpoint handler (the route handler ran)
// 5. AuditMiddleware-After-Next (audit middleware completed)
Assert.Equal(
new[]
{
"auth",
"authz",
"audit-before",
"endpoint",
"audit-after",
},
recorder.Stages);
// And exactly one InboundRequest/Delivered audit row was emitted —
// proving the audit middleware actually wrapped the endpoint.
var evt = Assert.Single(writer.Events);
Assert.Equal(AuditKind.InboundRequest, evt.Kind);
Assert.Equal(AuditStatus.Delivered, evt.Status);
Assert.Equal("test-actor", evt.Actor);
}
[Fact]
public async Task Middleware_Pipeline_Records_AuthFailure_Beyond_Endpoint()
{
// A 401 short-circuit happens *inside the endpoint handler* in the real
// InboundAPI (the X-API-Key validator runs there), so the audit
// middleware still wraps it and observes the 401 response status. This
// confirms ordering supports the InboundAuthFailure emission path.
var recorder = new OrderingRecorder();
var writer = new RecordingAuditWriter();
using var host = await BuildHostAsync(recorder, writer, endpointStatus: 401);
var client = host.GetTestClient();
var response = await client.PostAsync("/api/echo", new StringContent("{}"));
Assert.Equal(System.Net.HttpStatusCode.Unauthorized, response.StatusCode);
var evt = Assert.Single(writer.Events);
Assert.Equal(AuditKind.InboundAuthFailure, evt.Kind);
Assert.Equal(AuditStatus.Failed, evt.Status);
Assert.Equal(401, evt.HttpStatus);
}
///
/// Builds a minimal in-memory host whose pipeline mirrors the production
/// arrangement in ScadaLink.Host.Program.cs:
/// UseRouting → UseAuthentication → UseAuthorization → UseAuditWriteMiddleware → endpoints.
/// Marker middlewares record their entry into so
/// the test can assert on the resulting ordering.
///
private static async Task BuildHostAsync(
OrderingRecorder recorder,
ICentralAuditWriter writer,
int endpointStatus = 200)
{
var hostBuilder = new HostBuilder()
.ConfigureWebHost(webBuilder =>
{
webBuilder
.UseTestServer()
.ConfigureServices(services =>
{
services.AddSingleton(writer);
services.AddSingleton(sp =>
new AuditWriteMiddleware(
// The middleware factory pattern is bypassed
// here so the inner delegate is closed over the
// recorder — UseMiddleware below still
// instantiates the type correctly.
_ => Task.CompletedTask,
writer,
NullLogger.Instance));
services.AddRouting();
services.AddAuthorization();
services.AddAuthentication("TestScheme")
.AddScheme(
"TestScheme", _ => { });
})
.Configure(app =>
{
app.UseRouting();
app.Use(async (ctx, next) =>
{
recorder.Record("auth");
await next();
});
app.UseAuthentication();
app.Use(async (ctx, next) =>
{
recorder.Record("authz");
await next();
});
app.UseAuthorization();
// The order-under-test: AuditWriteMiddleware sits
// AFTER auth/authz markers and BEFORE the endpoint
// marker. We wrap with a sentinel marker that fires
// *before* the audit middleware enters so the test can
// pin where the audit middleware lands in the chain.
app.Use(async (ctx, next) =>
{
recorder.Record("audit-before");
await next();
recorder.Record("audit-after");
});
app.UseAuditWriteMiddleware();
app.UseEndpoints(endpoints =>
{
endpoints.MapPost("/api/{methodName}", async ctx =>
{
recorder.Record("endpoint");
if (endpointStatus is 401 or 403)
{
// Simulate an auth-failure short-circuit
// produced by the in-handler API key
// validator — Actor must stay null.
ctx.Response.StatusCode = endpointStatus;
return;
}
// Simulate the production handler stashing
// the resolved API key name AFTER auth.
ctx.Items[AuditWriteMiddleware.AuditActorItemKey] = "test-actor";
ctx.Response.StatusCode = endpointStatus;
await ctx.Response.WriteAsync("ok");
});
});
});
});
var host = await hostBuilder.StartAsync();
return host;
}
///
/// Minimal authentication handler that always succeeds — keeps
/// populated so the test's audit middleware
/// path that prefers Items but falls back to User.Identity has a real
/// principal to ignore. The middleware's primary path uses Items so this
/// handler's claim never appears on the emitted Actor.
///
private sealed class AlwaysAuthenticatedHandler : AuthenticationHandler
{
public AlwaysAuthenticatedHandler(
Microsoft.Extensions.Options.IOptionsMonitor options,
Microsoft.Extensions.Logging.ILoggerFactory logger,
System.Text.Encodings.Web.UrlEncoder encoder)
: base(options, logger, encoder) { }
protected override Task HandleAuthenticateAsync()
{
var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "framework-user") }, "TestScheme");
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, "TestScheme");
return Task.FromResult(AuthenticateResult.Success(ticket));
}
}
}