dohertj2/scadalink-design
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
e3345a0fc19a9de77b0791b549ea776ac2af8723
scadalink-design/tests/ScadaLink.InboundAPI.Tests/Middleware/MiddlewareOrderTests.cs
Joseph Doherty 7d87994ac0 feat(inboundapi): bound audit capture at InboundMaxBytes (memory safety) 
AuditWriteMiddleware previously buffered the FULL request and response
bodies into memory and only let DefaultAuditPayloadFilter trim them
after persistence. A 500 MiB upload allocated 500 MiB of MemoryStream
plus 1 GiB of UTF-16 string transiently before the filter pulled it
back to the 1 MiB inbound ceiling — the cap was real on the persisted
row but not at the capture site.

Inject IOptionsMonitor<AuditLogOptions> and read InboundMaxBytes
per-request (same convention as DefaultAuditPayloadFilter so a live
config change picks up the next request). The request reader now pulls
at most cap + 1 bytes into a UTF-8 byte-safe-truncated string and
rewinds the stream so the endpoint handler still sees the full body.
The response wrap is a new CapturedResponseStream that forwards every
Write / WriteAsync to the real sink (the client still receives all
bytes) while capturing at most cap + 1 bytes for the audit copy. The
middleware now sets PayloadTruncated itself when either body hit the
cap; the filter still OR's its own determination on top.

Adds a project reference from ScadaLink.InboundAPI to
ScadaLink.AuditLog so AuditLogOptions resolves. AuditLog does NOT
reference InboundAPI back, so no cycle is introduced.

Tests:
 - All 21 existing AuditWriteMiddlewareTests still pass (the helper
   gains an optional AuditLogOptions argument; default is the standard
   1 MiB ceiling so existing small-body tests are unaffected).
 - MiddlewareOrderTests' construction site updated for the new ctor
   arg; a StaticAuditLogOptionsMonitor file-local double mirrors the
   InboundChannelCapTests pattern.
 - New RequestBody_AboveInboundMaxBytes_TruncatedToCap_PayloadTruncatedTrue
   pins a 4 KiB cap against a 20 KB body: audit copy <= 4 KiB,
   PayloadTruncated = true, downstream handler reads the full 20 KB.
 - New ResponseBody_AboveInboundMaxBytes_TruncatedToCap_ClientStillReceivesAllBytes_PayloadTruncatedTrue
   pins the same shape on the response side: client sink receives
   20 KB, audit copy <= 4 KiB, PayloadTruncated = true.

InboundAPI test count: 133 -> 135.
2026-05-23 09:25:00 -04:00

258 lines
11 KiB
C#
Raw Blame History

using Microsoft.AspNetCore.Authentication;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Hosting;
using Microsoft.AspNetCore.Http;
using Microsoft.AspNetCore.TestHost;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Hosting;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using ScadaLink.AuditLog.Configuration;
using ScadaLink.Commons.Entities.Audit;
using ScadaLink.Commons.Interfaces.Services;
using ScadaLink.Commons.Types.Enums;
using ScadaLink.InboundAPI.Middleware;
using System.Security.Claims;
namespace ScadaLink.InboundAPI.Tests.Middleware;
/// <summary>
/// M4 Bundle D (D2) — verifies the production pipeline order from
/// <c>ScadaLink.Host.Program.cs</c> for the inbound API:
/// <c>UseAuthentication → UseAuthorization → UseAuditWriteMiddleware → endpoint</c>.
///
/// <para>
/// The order is load-bearing: the audit middleware must run AFTER auth (so any
/// framework-resolved principal on <see cref="HttpContext.User"/> is in place)
/// and BEFORE the inbound-API endpoint handler (so the handler's stashed actor
/// name from <see cref="HttpContext.Items"/> is observable in the
/// <c>finally</c> block when the handler returns). The order is also what
/// guarantees auth-failure responses (401/403 produced by a future auth scheme)
/// are seen by the middleware so it can emit
/// <see cref="AuditKind.InboundAuthFailure"/>.
/// </para>
/// </summary>
public class MiddlewareOrderTests
{
/// <summary>
/// Captures the order of pipeline stages by appending a token to a shared
/// list as each stage runs. The assertion compares the resulting sequence
/// directly so a regression that re-orders the pipeline fails loudly.
/// </summary>
private sealed class OrderingRecorder
{
public List<string> Stages { get; } = new();
public void Record(string stage)
{
lock (Stages) { Stages.Add(stage); }
}
}
private sealed class RecordingAuditWriter : ICentralAuditWriter
{
public List<AuditEvent> Events { get; } = new();
public Task WriteAsync(AuditEvent evt, CancellationToken ct = default)
{
lock (Events) { Events.Add(evt); }
return Task.CompletedTask;
}
}
[Fact]
public async Task Middleware_Pipeline_PlacesAuditWriteAfterAuth_BeforeScriptExecution()
{
var recorder = new OrderingRecorder();
var writer = new RecordingAuditWriter();
using var host = await BuildHostAsync(recorder, writer);
var client = host.GetTestClient();
var response = await client.PostAsync("/api/echo", new StringContent("{}"));
Assert.Equal(System.Net.HttpStatusCode.OK, response.StatusCode);
// The recorder MUST observe these stages in exactly this order:
// 1. Authentication (UseAuthentication marker)
// 2. Authorization (UseAuthorization marker)
// 3. AuditMiddleware-Before-Next (audit middleware entered)
// 4. Endpoint handler (the route handler ran)
// 5. AuditMiddleware-After-Next (audit middleware completed)
Assert.Equal(
new[]
{
"auth",
"authz",
"audit-before",
"endpoint",
"audit-after",
},
recorder.Stages);
// And exactly one InboundRequest/Delivered audit row was emitted —
// proving the audit middleware actually wrapped the endpoint.
var evt = Assert.Single(writer.Events);
Assert.Equal(AuditKind.InboundRequest, evt.Kind);
Assert.Equal(AuditStatus.Delivered, evt.Status);
Assert.Equal("test-actor", evt.Actor);
}
[Fact]
public async Task Middleware_Pipeline_Records_AuthFailure_Beyond_Endpoint()
{
// A 401 short-circuit happens *inside the endpoint handler* in the real
// InboundAPI (the X-API-Key validator runs there), so the audit
// middleware still wraps it and observes the 401 response status. This
// confirms ordering supports the InboundAuthFailure emission path.
var recorder = new OrderingRecorder();
var writer = new RecordingAuditWriter();
using var host = await BuildHostAsync(recorder, writer, endpointStatus: 401);
var client = host.GetTestClient();
var response = await client.PostAsync("/api/echo", new StringContent("{}"));
Assert.Equal(System.Net.HttpStatusCode.Unauthorized, response.StatusCode);
var evt = Assert.Single(writer.Events);
Assert.Equal(AuditKind.InboundAuthFailure, evt.Kind);
Assert.Equal(AuditStatus.Failed, evt.Status);
Assert.Equal(401, evt.HttpStatus);
}
/// <summary>
/// Builds a minimal in-memory host whose pipeline mirrors the production
/// arrangement in <c>ScadaLink.Host.Program.cs</c>:
/// <c>UseRouting → UseAuthentication → UseAuthorization → UseAuditWriteMiddleware → endpoints</c>.
/// Marker middlewares record their entry into <paramref name="recorder"/> so
/// the test can assert on the resulting ordering.
/// </summary>
private static async Task<IHost> BuildHostAsync(
OrderingRecorder recorder,
ICentralAuditWriter writer,
int endpointStatus = 200)
{
var hostBuilder = new HostBuilder()
.ConfigureWebHost(webBuilder =>
{
webBuilder
.UseTestServer()
.ConfigureServices(services =>
{
services.AddSingleton(writer);
services.AddSingleton<AuditWriteMiddleware>(sp =>
new AuditWriteMiddleware(
// The middleware factory pattern is bypassed
// here so the inner delegate is closed over the
// recorder — UseMiddleware<T> below still
// instantiates the type correctly.
_ => Task.CompletedTask,
writer,
NullLogger<AuditWriteMiddleware>.Instance,
new StaticAuditLogOptionsMonitor(new AuditLogOptions())));
services.AddRouting();
services.AddAuthorization();
services.AddAuthentication("TestScheme")
.AddScheme<AuthenticationSchemeOptions, AlwaysAuthenticatedHandler>(
"TestScheme", _ => { });
})
.Configure(app =>
{
app.UseRouting();
app.Use(async (ctx, next) =>
{
recorder.Record("auth");
await next();
});
app.UseAuthentication();
app.Use(async (ctx, next) =>
{
recorder.Record("authz");
await next();
});
app.UseAuthorization();
// The order-under-test: AuditWriteMiddleware sits
// AFTER auth/authz markers and BEFORE the endpoint
// marker. We wrap with a sentinel marker that fires
// *before* the audit middleware enters so the test can
// pin where the audit middleware lands in the chain.
app.Use(async (ctx, next) =>
{
recorder.Record("audit-before");
await next();
recorder.Record("audit-after");
});
app.UseAuditWriteMiddleware();
app.UseEndpoints(endpoints =>
{
endpoints.MapPost("/api/{methodName}", async ctx =>
{
recorder.Record("endpoint");
if (endpointStatus is 401 or 403)
{
// Simulate an auth-failure short-circuit
// produced by the in-handler API key
// validator — Actor must stay null.
ctx.Response.StatusCode = endpointStatus;
return;
}
// Simulate the production handler stashing
// the resolved API key name AFTER auth.
ctx.Items[AuditWriteMiddleware.AuditActorItemKey] = "test-actor";
ctx.Response.StatusCode = endpointStatus;
await ctx.Response.WriteAsync("ok");
});
});
});
});
var host = await hostBuilder.StartAsync();
return host;
}
/// <summary>
/// Minimal authentication handler that always succeeds — keeps
/// <see cref="HttpContext.User"/> populated so the test's audit middleware
/// path that prefers Items but falls back to User.Identity has a real
/// principal to ignore. The middleware's primary path uses Items so this
/// handler's claim never appears on the emitted Actor.
/// </summary>
private sealed class AlwaysAuthenticatedHandler : AuthenticationHandler<AuthenticationSchemeOptions>
{
public AlwaysAuthenticatedHandler(
Microsoft.Extensions.Options.IOptionsMonitor<AuthenticationSchemeOptions> options,
Microsoft.Extensions.Logging.ILoggerFactory logger,
System.Text.Encodings.Web.UrlEncoder encoder)
: base(options, logger, encoder) { }
protected override Task<AuthenticateResult> HandleAuthenticateAsync()
{
var identity = new ClaimsIdentity(new[] { new Claim(ClaimTypes.Name, "framework-user") }, "TestScheme");
var principal = new ClaimsPrincipal(identity);
var ticket = new AuthenticationTicket(principal, "TestScheme");
return Task.FromResult(AuthenticateResult.Success(ticket));
}
}
/// <summary>
/// File-local <see cref="IOptionsMonitor{TOptions}"/> test double — returns the
/// same snapshot on every read. Mirrors the helper in
/// <c>AuditWriteMiddlewareTests</c>.
/// </summary>
private sealed class StaticAuditLogOptionsMonitor : IOptionsMonitor<AuditLogOptions>
{
private readonly AuditLogOptions _value;
public StaticAuditLogOptionsMonitor(AuditLogOptions value) => _value = value;
public AuditLogOptions CurrentValue => _value;
public AuditLogOptions Get(string? name) => _value;
public IDisposable? OnChange(Action<AuditLogOptions, string?> listener) => null;
}
}
Reference in New Issue View Git Blame Copy Permalink