90 lines
3.6 KiB
C#
90 lines
3.6 KiB
C#
using System.Reflection;
|
|
using System.Text.Json;
|
|
|
|
namespace ScadaLink.Host.Tests;
|
|
|
|
/// <summary>
|
|
/// Host-003 regression: secrets must not be committed in plaintext in the
|
|
/// shipped <c>appsettings.Central.json</c>. Connection-string passwords, the LDAP
|
|
/// service-account password and the JWT signing key must be supplied via
|
|
/// environment variables (or another secret store) at deployment time — the
|
|
/// committed file may only carry non-sensitive structural defaults or
|
|
/// placeholder values.
|
|
/// </summary>
|
|
public class ConfigSecretsTests
|
|
{
|
|
private static string FindHostProjectDirectory()
|
|
{
|
|
var assemblyDir = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)!;
|
|
var dir = new DirectoryInfo(assemblyDir);
|
|
while (dir != null)
|
|
{
|
|
var hostPath = Path.Combine(dir.FullName, "src", "ScadaLink.Host");
|
|
if (Directory.Exists(hostPath))
|
|
return hostPath;
|
|
dir = dir.Parent;
|
|
}
|
|
throw new DirectoryNotFoundException("Could not locate src/ScadaLink.Host");
|
|
}
|
|
|
|
private static JsonElement ScadaLinkSection()
|
|
{
|
|
var path = Path.Combine(FindHostProjectDirectory(), "appsettings.Central.json");
|
|
var json = File.ReadAllText(path);
|
|
using var doc = JsonDocument.Parse(json);
|
|
return doc.RootElement.GetProperty("ScadaLink").Clone();
|
|
}
|
|
|
|
[Fact]
|
|
public void CentralConfig_ConnectionStrings_ContainNoPlaintextPassword()
|
|
{
|
|
var db = ScadaLinkSection().GetProperty("Database");
|
|
foreach (var prop in db.EnumerateObject())
|
|
{
|
|
var value = prop.Value.GetString() ?? string.Empty;
|
|
// A committed connection string must not carry a literal Password= value.
|
|
// Either the password is delivered via an environment variable or the
|
|
// whole connection string is. A placeholder reference is acceptable.
|
|
var idx = value.IndexOf("Password=", StringComparison.OrdinalIgnoreCase);
|
|
if (idx >= 0)
|
|
{
|
|
var after = value[(idx + "Password=".Length)..];
|
|
var literal = after.Split(';')[0];
|
|
Assert.True(
|
|
literal.Length == 0 || literal.Contains('{') || literal.Contains('$'),
|
|
$"appsettings.Central.json '{prop.Name}' contains a plaintext Password value '{literal}'. " +
|
|
"Move the secret to an environment variable.");
|
|
}
|
|
}
|
|
}
|
|
|
|
[Fact]
|
|
public void CentralConfig_LdapServiceAccountPassword_IsNotCommitted()
|
|
{
|
|
var security = ScadaLinkSection().GetProperty("Security");
|
|
if (security.TryGetProperty("LdapServiceAccountPassword", out var pw))
|
|
{
|
|
var value = pw.GetString() ?? string.Empty;
|
|
Assert.True(
|
|
value.Length == 0 || value.Contains('{') || value.Contains('$'),
|
|
$"appsettings.Central.json carries a plaintext LdapServiceAccountPassword '{value}'. " +
|
|
"Move it to an environment variable.");
|
|
}
|
|
}
|
|
|
|
[Fact]
|
|
public void CentralConfig_JwtSigningKey_IsNotCommitted()
|
|
{
|
|
var security = ScadaLinkSection().GetProperty("Security");
|
|
if (security.TryGetProperty("JwtSigningKey", out var key))
|
|
{
|
|
var value = key.GetString() ?? string.Empty;
|
|
Assert.True(
|
|
value.Length == 0 || value.Contains('{') || value.Contains('$'),
|
|
$"appsettings.Central.json carries a committed JwtSigningKey '{value}'. " +
|
|
"A committed signing key lets anyone with repo access forge session tokens. " +
|
|
"Move it to an environment variable.");
|
|
}
|
|
}
|
|
}
|