dcovington
/
Campaign_Tracker
1
0
Fork 0
Code Issues 4 Pull-Requests 0 Releases 0 Wiki Aktivität
Du kannst nicht mehr als 25 Themen auswählen Themen müssen entweder mit einem Buchstaben oder einer Ziffer beginnen. Sie können Bindestriche („-“) enthalten und bis zu 35 Zeichen lang sein.
45 Commits
2 Branches
17MB
Struktur: 896c109d20
Branches Tags
${ item.name }
Erstelle Branch ${ searchTerm }
von „896c109d20“
${ noResults }
Campaign_Tracker/Campaign_Tracker.Server.Tests/AuthEndpointTests.cs

427 Zeilen
18KB
Originalformat Blame Verlauf 

  1. using System.Collections.Concurrent;

  2. using System.IdentityModel.Tokens.Jwt;

  3. using System.Net;

  4. using System.Net.Http.Json;

  5. using System.Net.Http.Headers;

  6. using System.Security.Claims;

  7. using System.Text;

  8. using Campaign_Tracker.Server.Audit;

  9. using Campaign_Tracker.Server.Authentication;

  10. using Campaign_Tracker.Server.LegacyData;

  11. using Microsoft.AspNetCore.Hosting;

  12. using Microsoft.AspNetCore.Mvc.Testing;

  13. using Microsoft.Extensions.DependencyInjection;

  14. using Microsoft.IdentityModel.Tokens;

  15. 

  16. namespace Campaign_Tracker.Server.Tests;

  17. 

  18. /// <summary>

  19. /// Custom factory that replaces the file-backed IAuditService with an in-memory

  20. /// passthrough so integration tests have no file-system dependency.

  21. /// Keycloak configuration is also applied here so all tests inherit it without

  22. /// repeating SetEnvironmentVariable calls in every test constructor.

  23. /// </summary>

  24. public sealed class AuthIntegrationTestFactory : WebApplicationFactory<Program>

  25. {

  26.     private const string Issuer = "http://kci-app01.ntp.kentcommunications.com:8180/realms/KCI";

  27.     private const string ClientId = "canopy-web";

  28.     private const string SigningKey = "test-signing-key-with-at-least-32-characters";

  29. 

  30.     protected override void ConfigureWebHost(IWebHostBuilder builder)

  31.     {

  32.         // Apply Keycloak test configuration before the host builds.

  33.         builder.UseSetting("Keycloak:Authority", Issuer);

  34.         builder.UseSetting("Keycloak:ValidIssuer", Issuer);

  35.         builder.UseSetting("Keycloak:PublicAuthority", Issuer);

  36.         builder.UseSetting("Keycloak:ClientId", ClientId);

  37.         builder.UseSetting("Keycloak:DisableHttpsMetadata", "true");

  38.         builder.UseSetting("Keycloak:TestSigningKey", SigningKey);

  39.         builder.UseSetting("LegacySchema:HistoryFile",

  40.             Path.Combine(Path.GetTempPath(), $"campaign-tracker-schema-history-{Guid.NewGuid():N}.jsonl"));

  41.         builder.UseSetting("LegacyLinkIntegrity:Enabled", "false");

  42. 

  43.         builder.ConfigureServices(services =>

  44.         {

  45.             // Replace the file-backed IAuditService with an in-memory passthrough.

  46.             // File persistence is validated in AuditServiceTests; integration tests

  47.             // should not depend on file-system state.

  48.             var auditDescriptor = services.SingleOrDefault(d => d.ServiceType == typeof(IAuditService));

  49.             if (auditDescriptor is not null)

  50.                 services.Remove(auditDescriptor);

  51. 

  52.             services.AddSingleton<IAuditService, InMemoryPassthroughAuditService>();

  53. 

  54.             // Replace the data-file-backed ILegacyDataAccess with hardcoded test defaults so

  55.             // integration tests are not affected by the presence or contents of a seed file.

  56.             var legacyDescriptor = services.SingleOrDefault(d => d.ServiceType == typeof(ILegacyDataAccess));

  57.             if (legacyDescriptor is not null)

  58.                 services.Remove(legacyDescriptor);

  59. 

  60.             services.AddSingleton<ILegacyDataAccess>(new InMemoryLegacyDataAccess());

  61.         });

  62.     }

  63. 

  64.     public static string CreateToken(string subject, string role, string audience = ClientId)

  65.     {

  66.         var credentials = new SigningCredentials(

  67.             new SymmetricSecurityKey(Encoding.UTF8.GetBytes(SigningKey)),

  68.             SecurityAlgorithms.HmacSha256);

  69.         var token = new JwtSecurityToken(

  70.             issuer: Issuer,

  71.             audience: audience,

  72.             claims:

  73.             [

  74.                 new Claim(JwtRegisteredClaimNames.Sub, subject),

  75.                 new Claim(ClaimTypes.Name, subject),

  76.                 new Claim(ClaimTypes.Role, role),

  77.             ],

  78.             expires: DateTime.UtcNow.AddMinutes(10),

  79.             signingCredentials: credentials);

  80. 

  81.         return new JwtSecurityTokenHandler().WriteToken(token);

  82.     }

  83. 

  84.     private sealed class InMemoryPassthroughAuditService : IAuditService

  85.     {

  86.         private readonly ConcurrentQueue<AuditEvent> _events = new();

  87. 

  88.         public void Record(AuditEvent auditEvent) => _events.Enqueue(auditEvent);

  89. 

  90.         public IReadOnlyCollection<AuditEvent> GetRecent(int maxCount = 200)

  91.         {

  92.             if (maxCount < 0)

  93.             {

  94.                 throw new ArgumentOutOfRangeException(nameof(maxCount));

  95.             }

  96. 

  97.             if (maxCount == 0)

  98.             {

  99.                 return [];

  100.             }

  101. 

  102.             var events = _events.ToArray();

  103.             return events.Length > maxCount ? events[^maxCount..] : events;

  104.         }

  105.     }

  106. }

  107. 

  108. public class AuthEndpointTests : IClassFixture<AuthIntegrationTestFactory>

  109. {

  110.     private readonly AuthIntegrationTestFactory _factory;

  111. 

  112.     public AuthEndpointTests(AuthIntegrationTestFactory factory)

  113.     {

  114.         _factory = factory;

  115.     }

  116. 

  117.     [Fact]

  118.     public async Task SessionEndpoint_WithoutToken_ReturnsUnauthorized()

  119.     {

  120.         using var client = _factory.CreateClient();

  121. 

  122.         var response = await client.GetAsync("/api/auth/session");

  123. 

  124.         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

  125.     }

  126. 

  127.     [Fact]

  128.     public async Task SessionEndpoint_WithValidToken_ReturnsRoleWorkspaceAndAuditsSuccess()

  129.     {

  130.         using var client = _factory.CreateClient();

  131.         client.DefaultRequestHeaders.Authorization =

  132.             new AuthenticationHeaderValue("Bearer", AuthIntegrationTestFactory.CreateToken("daniel@example.test", "client-services"));

  133. 

  134.         var httpResponse = await client.GetAsync("/api/auth/session");

  135.         var auditStore = _factory.Services.GetRequiredService<IAuthenticationAuditStore>();

  136.         Assert.True(httpResponse.IsSuccessStatusCode, string.Join("; ", auditStore.Events.Select(audit => audit.Reason)));

  137. 

  138.         var response = await httpResponse.Content.ReadFromJsonAsync<AuthSessionResponse>();

  139. 

  140.         Assert.NotNull(response);

  141.         Assert.Equal("daniel@example.test", response.UserName);

  142.         Assert.Contains("ClientServices", response.Roles);

  143.         Assert.Equal("/workspace/client-services", response.WorkspacePath);

  144.         Assert.Contains(auditStore.Events, audit =>

  145.             audit.EventType == AuthenticationAuditEventType.Success &&

  146.             audit.Subject == "daniel@example.test");

  147.     }

  148. 

  149.     [Fact]

  150.     public async Task SessionEndpoint_WithKeycloakDefaultAudience_IsAccepted()

  151.     {

  152.         // Keycloak's default access tokens carry aud="account" (the realm's

  153.         // built-in account client) rather than the resource-server's ClientId.

  154.         // The bearer middleware must accept "account" in addition to "canopy-web",

  155.         // otherwise every real-world login fails with SecurityTokenInvalidAudienceException.

  156.         using var client = _factory.CreateClient();

  157.         client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue(

  158.             "Bearer",

  159.             AuthIntegrationTestFactory.CreateToken(

  160.                 "daniel@example.test",

  161.                 "client-services",

  162.                 audience: "account"));

  163. 

  164.         var response = await client.GetAsync("/api/auth/session");

  165. 

  166.         Assert.Equal(HttpStatusCode.OK, response.StatusCode);

  167.     }

  168. 

  169.     [Fact]

  170.     public async Task SessionEndpoint_WithInvalidToken_ReturnsUnauthorizedAndAuditsFailure()

  171.     {

  172.         using var client = _factory.CreateClient();

  173.         client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", "invalid.jwt.value");

  174. 

  175.         var response = await client.GetAsync("/api/auth/session");

  176.         var auditStore = _factory.Services.GetRequiredService<IAuthenticationAuditStore>();

  177. 

  178.         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

  179.         Assert.Contains(auditStore.Events, audit =>

  180.             audit.EventType == AuthenticationAuditEventType.Failure &&

  181.             audit.Reason.Contains("invalid", StringComparison.OrdinalIgnoreCase));

  182.     }

  183. 

  184.     [Fact]

  185.     public async Task TokenExchange_WhenSuccessful_RecordsSharedAuditEvent()

  186.     {

  187.         var stubFactory = _factory.WithWebHostBuilder(builder =>

  188.         {

  189.             builder.ConfigureServices(services =>

  190.             {

  191.                 var descriptor = services.SingleOrDefault(

  192.                     d => d.ServiceType == typeof(IKeycloakTokenClient));

  193.                 if (descriptor is not null)

  194.                 {

  195.                     services.Remove(descriptor);

  196.                 }

  197. 

  198.                 services.AddSingleton<IKeycloakTokenClient, StubKeycloakTokenClient>();

  199.             });

  200.         });

  201. 

  202.         using var client = stubFactory.CreateClient();

  203.         var response = await client.PostAsJsonAsync("/api/auth/token/exchange", new

  204.         {

  205.             code = "code",

  206.             redirectUri = "https://app.example.test/auth/callback",

  207.         });

  208.         var auditService = stubFactory.Services.GetRequiredService<IAuditService>();

  209. 

  210.         Assert.Equal(HttpStatusCode.OK, response.StatusCode);

  211.         Assert.Contains(auditService.GetRecent(), audit =>

  212.             audit.EventType == AuditEventType.SessionLogin &&

  213.             audit.ActorIdentity == "alice@example.test" &&

  214.             audit.Resource == "authentication/token/exchange");

  215.     }

  216. 

  217.     [Fact]

  218.     public async Task TokenRefresh_WhenKeycloakRejects_RecordsSharedAuditFailure()

  219.     {

  220.         var rejectingFactory = _factory.WithWebHostBuilder(builder =>

  221.         {

  222.             builder.ConfigureServices(services =>

  223.             {

  224.                 var descriptor = services.SingleOrDefault(

  225.                     d => d.ServiceType == typeof(IKeycloakTokenClient));

  226.                 if (descriptor is not null)

  227.                 {

  228.                     services.Remove(descriptor);

  229.                 }

  230. 

  231.                 services.AddSingleton<IKeycloakTokenClient, RejectingKeycloakTokenClient>();

  232.             });

  233.         });

  234. 

  235.         using var client = rejectingFactory.CreateClient();

  236.         var response = await client.PostAsJsonAsync("/api/auth/token/refresh", new

  237.         {

  238.             refreshToken = "expired-refresh-token",

  239.         });

  240.         var auditService = rejectingFactory.Services.GetRequiredService<IAuditService>();

  241. 

  242.         Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);

  243.         Assert.Contains(auditService.GetRecent(), audit =>

  244.             audit.EventType == AuditEventType.SessionRefreshFailure &&

  245.             audit.Resource == "authentication/token/refresh");

  246.     }

  247. 

  248.     [Fact]

  249.     public async Task LogoutEndpoint_WithValidIdTokenHint_Returns200AndAuditsSuccessfulLogout()

  250.     {

  251.         var stubFactory = _factory.WithWebHostBuilder(builder =>

  252.         {

  253.             builder.ConfigureServices(services =>

  254.             {

  255.                 var descriptor = services.SingleOrDefault(

  256.                     d => d.ServiceType == typeof(IKeycloakTokenClient));

  257.                 if (descriptor is not null)

  258.                 {

  259.                     services.Remove(descriptor);

  260.                 }

  261. 

  262.                 services.AddSingleton<IKeycloakTokenClient, StubKeycloakTokenClient>();

  263.             });

  264.         });

  265. 

  266.         using var client = stubFactory.CreateClient();

  267.         var idToken = AuthIntegrationTestFactory.CreateToken("alice@example.test", "client-services");

  268.         client.DefaultRequestHeaders.Authorization =

  269.             new AuthenticationHeaderValue("Bearer", idToken);

  270.         var response = await client.PostAsJsonAsync("/api/auth/logout", new { idTokenHint = idToken });

  271.         var auditStore = stubFactory.Services.GetRequiredService<IAuthenticationAuditStore>();

  272. 

  273.         Assert.Equal(HttpStatusCode.OK, response.StatusCode);

  274.         Assert.Contains(auditStore.Events, audit =>

  275.             audit.EventType == AuthenticationAuditEventType.Logout &&

  276.             audit.Subject == "alice@example.test" &&

  277.             audit.Resource == "authentication/logout");

  278.     }

  279. 

  280.     [Fact]

  281.     public async Task LogoutEndpoint_WhenKeycloakUnreachable_StillReturns200AndAuditsFailure()

  282.     {

  283.         var throwingFactory = _factory.WithWebHostBuilder(builder =>

  284.         {

  285.             builder.ConfigureServices(services =>

  286.             {

  287.                 var descriptor = services.SingleOrDefault(

  288.                     d => d.ServiceType == typeof(IKeycloakTokenClient));

  289.                 if (descriptor is not null)

  290.                 {

  291.                     services.Remove(descriptor);

  292.                 }

  293. 

  294.                 services.AddSingleton<IKeycloakTokenClient, ThrowingKeycloakTokenClient>();

  295.             });

  296.         });

  297. 

  298.         using var client = throwingFactory.CreateClient();

  299. 

  300.         var idToken = AuthIntegrationTestFactory.CreateToken("bob@example.test", "production");

  301.         client.DefaultRequestHeaders.Authorization =

  302.             new AuthenticationHeaderValue("Bearer", idToken);

  303.         var response = await client.PostAsJsonAsync("/api/auth/logout", new { idTokenHint = idToken });

  304.         var auditStore = throwingFactory.Services.GetRequiredService<IAuthenticationAuditStore>();

  305. 

  306.         Assert.Equal(HttpStatusCode.OK, response.StatusCode);

  307.         Assert.Contains(auditStore.Events, audit =>

  308.             audit.EventType == AuthenticationAuditEventType.Logout &&

  309.             audit.Resource == "authentication/logout");

  310.     }

  311. 

  312.     [Fact]

  313.     public async Task LogoutEndpoint_WithEmptyIdTokenHint_ReturnsBadRequest()

  314.     {

  315.         using var client = _factory.CreateClient();

  316.         client.DefaultRequestHeaders.Authorization =

  317.             new AuthenticationHeaderValue("Bearer", AuthIntegrationTestFactory.CreateToken("alice@example.test", "client-services"));

  318. 

  319.         var response = await client.PostAsJsonAsync("/api/auth/logout", new { idTokenHint = "" });

  320. 

  321.         Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);

  322.     }

  323. 

  324.     [Fact]

  325.     public async Task LogoutEndpoint_WithMissingBody_ReturnsBadRequest()

  326.     {

  327.         using var client = _factory.CreateClient();

  328.         client.DefaultRequestHeaders.Authorization =

  329.             new AuthenticationHeaderValue("Bearer", AuthIntegrationTestFactory.CreateToken("alice@example.test", "client-services"));

  330. 

  331.         var response = await client.PostAsync("/api/auth/logout", null);

  332. 

  333.         Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);

  334.     }

  335. 

  336.     [Fact]

  337.     public async Task SessionEndpoint_WhenAuditServiceUnavailable_BlocksAction_AC5()

  338.     {

  339.         var failingAuditFactory = _factory.WithWebHostBuilder(builder =>

  340.         {

  341.             builder.ConfigureServices(services =>

  342.             {

  343.                 var descriptor = services.SingleOrDefault(d => d.ServiceType == typeof(IAuditService));

  344.                 if (descriptor is not null)

  345.                 {

  346.                     services.Remove(descriptor);

  347.                 }

  348. 

  349.                 services.AddSingleton<IAuditService, AlwaysFailingAuditService>();

  350.             });

  351.         });

  352. 

  353.         using var client = failingAuditFactory.CreateClient();

  354.         client.DefaultRequestHeaders.Authorization =

  355.             new AuthenticationHeaderValue("Bearer", AuthIntegrationTestFactory.CreateToken("alice@example.test", "client-services"));

  356. 

  357.         var response = await client.GetAsync("/api/auth/session");

  358. 

  359.         // Action must be blocked — not silently succeed (AC #5).

  360.         Assert.NotEqual(HttpStatusCode.OK, response.StatusCode);

  361.     }

  362. 

  363.     private sealed class AuthSessionResponse

  364.     {

  365.         public string UserName { get; init; } = string.Empty;

  366.         public string[] Roles { get; init; } = [];

  367.         public string WorkspacePath { get; init; } = string.Empty;

  368.     }

  369. 

  370.     private sealed class StubKeycloakTokenClient : IKeycloakTokenClient

  371.     {

  372.         public Task<AuthTokenSetResponse> ExchangeAuthorizationCodeAsync(

  373.             string code, string redirectUri, CancellationToken cancellationToken) =>

  374.             Task.FromResult(new AuthTokenSetResponse(

  375.                 AuthIntegrationTestFactory.CreateToken("alice@example.test", "client-services"),

  376.                 "refresh",

  377.                 9999));

  378. 

  379.         public Task<AuthTokenSetResponse> RefreshAccessTokenAsync(

  380.             string refreshToken, CancellationToken cancellationToken) =>

  381.             Task.FromResult(new AuthTokenSetResponse(

  382.                 AuthIntegrationTestFactory.CreateToken("alice@example.test", "client-services"),

  383.                 "refresh",

  384.                 9999));

  385. 

  386.         public Task EndSessionAsync(string idTokenHint, CancellationToken cancellationToken) =>

  387.             Task.CompletedTask;

  388.     }

  389. 

  390.     private sealed class ThrowingKeycloakTokenClient : IKeycloakTokenClient

  391.     {

  392.         public Task<AuthTokenSetResponse> ExchangeAuthorizationCodeAsync(

  393.             string code, string redirectUri, CancellationToken cancellationToken) =>

  394.             Task.FromResult(new AuthTokenSetResponse("access", "refresh", 9999));

  395. 

  396.         public Task<AuthTokenSetResponse> RefreshAccessTokenAsync(

  397.             string refreshToken, CancellationToken cancellationToken) =>

  398.             Task.FromResult(new AuthTokenSetResponse("access", "refresh", 9999));

  399. 

  400.         public Task EndSessionAsync(string idTokenHint, CancellationToken cancellationToken) =>

  401.             throw new HttpRequestException("Simulated Keycloak outage.");

  402.     }

  403. 

  404.     private sealed class RejectingKeycloakTokenClient : IKeycloakTokenClient

  405.     {

  406.         public Task<AuthTokenSetResponse> ExchangeAuthorizationCodeAsync(

  407.             string code, string redirectUri, CancellationToken cancellationToken) =>

  408.             throw new KeycloakTokenRequestException(HttpStatusCode.BadRequest, "invalid_grant");

  409. 

  410.         public Task<AuthTokenSetResponse> RefreshAccessTokenAsync(

  411.             string refreshToken, CancellationToken cancellationToken) =>

  412.             throw new KeycloakTokenRequestException(HttpStatusCode.BadRequest, "invalid_grant");

  413. 

  414.         public Task EndSessionAsync(string idTokenHint, CancellationToken cancellationToken) =>

  415.             Task.CompletedTask;

  416.     }

  417. 

  418.     private sealed class AlwaysFailingAuditService : IAuditService

  419.     {

  420.         public void Record(AuditEvent auditEvent) =>

  421.             throw new AuditServiceUnavailableException("Audit service unavailable (test stub).",

  422.                 new IOException("Simulated disk failure"));

  423. 

  424.         public IReadOnlyCollection<AuditEvent> GetRecent(int maxCount = 200) => [];

  425.     }

  426. }

Powered by TurnKey Linux.