stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 2 Releases Wiki Activity

Add tests for SBOM generation determinism across multiple formats

Browse Source 
- Created `StellaOps.TestKit.Tests` project for unit tests related to determinism.
- Implemented `DeterminismManifestTests` to validate deterministic output for canonical bytes and strings, file read/write operations, and error handling for invalid schema versions.
- Added `SbomDeterminismTests` to ensure identical inputs produce consistent SBOMs across SPDX 3.0.1 and CycloneDX 1.6/1.7 formats, including parallel execution tests.
- Updated project references in `StellaOps.Integration.Determinism` to include the new determinism testing library.
This commit is contained in:
master
2025-12-23 18:56:12 +02:00
committed by StellaOps Bot
parent 7ac70ece71
commit 491e883653
409 changed files with 23797 additions and 17779 deletions
Download Patch File Download Diff File Expand all files Collapse all files

273
src/Authority/__Tests/StellaOps.Authority.Storage.Postgres.Tests/ApiKeyConcurrencyTests.cs Normal file
View File

@@ -0,0 +1,273 @@
// -----------------------------------------------------------------------------
// ApiKeyConcurrencyTests.cs
// Sprint: SPRINT_5100_0007_0004_storage_harness
// Task: STOR-HARNESS-010
// Description: Model S1 concurrency tests for Authority API key storage
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Npgsql;
using StellaOps.Authority.Storage.Postgres;
using StellaOps.Authority.Storage.Postgres.Models;
using StellaOps.Authority.Storage.Postgres.Repositories;
using StellaOps.TestKit;
using Xunit;
namespace StellaOps.Authority.Storage.Postgres.Tests;
/// <summary>
/// Concurrency tests for API key storage operations.
/// Implements Model S1 (Storage/Postgres) test requirements:
/// - Parallel writes to same key → correct conflict behavior
/// - Parallel reads during write → consistent state
/// - No deadlocks under load
/// </summary>
[Collection(AuthorityPostgresCollection.Name)]
[Trait("Category", TestCategories.Integration)]
[Trait("Category", TestCategories.StorageConcurrency)]
public sealed class ApiKeyConcurrencyTests : IAsyncLifetime
{
private readonly AuthorityPostgresFixture _fixture;
private ApiKeyRepository _repository = null!;
private NpgsqlDataSource _npgsqlDataSource = null!;
private readonly string _tenantId = Guid.NewGuid().ToString();
private readonly Guid _userId = Guid.NewGuid();
public ApiKeyConcurrencyTests(AuthorityPostgresFixture fixture)
{
_fixture = fixture;
}
public async Task InitializeAsync()
{
await _fixture.TruncateAllTablesAsync();
var options = _fixture.Fixture.CreateOptions();
options.SchemaName = _fixture.SchemaName;
var dataSource = new AuthorityDataSource(Options.Create(options), NullLogger<AuthorityDataSource>.Instance);
_repository = new ApiKeyRepository(dataSource, NullLogger<ApiKeyRepository>.Instance);
_npgsqlDataSource = NpgsqlDataSource.Create(_fixture.ConnectionString);
await SeedTenantAsync();
await SeedUserAsync();
}
public async Task DisposeAsync()
{
await _npgsqlDataSource.DisposeAsync();
}
[Fact]
public async Task ParallelCreates_DifferentIds_All_Succeed()
{
// Arrange
const int parallelCount = 20;
var keys = Enumerable.Range(0, parallelCount)
.Select(i => CreateApiKeyEntity(Guid.NewGuid(), $"Parallel-{i}"))
.ToList();
// Act - Create all keys in parallel
var tasks = keys.Select(k => _repository.CreateAsync(_tenantId, k));
await Task.WhenAll(tasks);
// Assert - All keys should be created
var allKeys = await _repository.ListAsync(_tenantId);
allKeys.Should().HaveCount(parallelCount);
}
[Fact]
public async Task ConcurrentReads_SameKey_All_Succeed()
{
// Arrange
var key = CreateApiKeyEntity(Guid.NewGuid(), "Concurrent Read Test");
await _repository.CreateAsync(_tenantId, key);
// Act - 50 concurrent reads
var readTasks = Enumerable.Range(0, 50)
.Select(_ => _repository.GetByIdAsync(_tenantId, key.Id))
.ToList();
var results = await Task.WhenAll(readTasks);
// Assert - All reads should succeed and return same data
results.Should().AllSatisfy(r => r.Should().NotBeNull());
results.Select(r => r!.Id).Distinct().Should().HaveCount(1,
"all concurrent reads should return same key");
}
[Fact]
public async Task ParallelReadsDuringWrite_ReturnsConsistentState()
{
// Arrange
var key = CreateApiKeyEntity(Guid.NewGuid(), "Read During Write");
await _repository.CreateAsync(_tenantId, key);
// Act - Parallel reads while updating
var readTasks = Enumerable.Range(0, 20)
.Select(_ => _repository.GetByIdAsync(_tenantId, key.Id))
.ToList();
var writeTask = _repository.UpdateLastUsedAsync(_tenantId, key.Id);
await Task.WhenAll(readTasks.Cast<Task>().Append(writeTask));
var readResults = await Task.WhenAll(readTasks);
// Assert - All reads should return valid state
readResults.Should().AllSatisfy(r =>
{
r.Should().NotBeNull();
r!.Id.Should().Be(key.Id);
r.Status.Should().Be(ApiKeyStatus.Active);
});
}
[Fact]
public async Task ConcurrentUpdateLastUsed_SameKey_NoConflict()
{
// Arrange
var key = CreateApiKeyEntity(Guid.NewGuid(), "Concurrent Update");
await _repository.CreateAsync(_tenantId, key);
// Act - Multiple concurrent updates
var updateTasks = Enumerable.Range(0, 10)
.Select(_ => _repository.UpdateLastUsedAsync(_tenantId, key.Id))
.ToList();
var action = () => Task.WhenAll(updateTasks);
// Assert - Should not throw
await action.Should().NotThrowAsync();
var result = await _repository.GetByIdAsync(_tenantId, key.Id);
result.Should().NotBeNull();
result!.LastUsedAt.Should().NotBeNull("at least one update should have succeeded");
}
[Fact]
public async Task ParallelListOperations_NoDeadlock()
{
// Arrange - Create some keys first
for (int i = 0; i < 5; i++)
{
await _repository.CreateAsync(_tenantId, CreateApiKeyEntity(Guid.NewGuid(), $"List-{i}"));
}
// Act - Parallel list operations
var listTasks = Enumerable.Range(0, 30)
.Select(_ => _repository.ListAsync(_tenantId))
.ToList();
var completedInTime = Task.WaitAll([.. listTasks], TimeSpan.FromSeconds(30));
// Assert
completedInTime.Should().BeTrue("parallel list operations should not deadlock");
}
[Fact]
public async Task MixedOperations_NoDeadlock()
{
// Arrange
var existingKeys = new List<Guid>();
for (int i = 0; i < 5; i++)
{
var key = CreateApiKeyEntity(Guid.NewGuid(), $"Mixed-{i}");
await _repository.CreateAsync(_tenantId, key);
existingKeys.Add(key.Id);
}
// Act - Mixed operations in parallel
var tasks = new List<Task>();
// Reads
tasks.AddRange(existingKeys.Select(id => _repository.GetByIdAsync(_tenantId, id)));
// Lists
tasks.AddRange(Enumerable.Range(0, 5).Select(_ => _repository.ListAsync(_tenantId)));
// Updates
tasks.AddRange(existingKeys.Select(id => _repository.UpdateLastUsedAsync(_tenantId, id)));
// Creates
tasks.AddRange(Enumerable.Range(0, 5).Select(i =>
_repository.CreateAsync(_tenantId, CreateApiKeyEntity(Guid.NewGuid(), $"NewKey-{i}"))));
var completedInTime = Task.WaitAll([.. tasks], TimeSpan.FromSeconds(30));
// Assert
completedInTime.Should().BeTrue("mixed operations should not deadlock");
}
[Fact]
public async Task RapidSuccessiveWrites_AllSucceed()
{
// Arrange
const int iterations = 50;
// Act - Rapid successive creates
for (int i = 0; i < iterations; i++)
{
await _repository.CreateAsync(_tenantId, CreateApiKeyEntity(Guid.NewGuid(), $"Rapid-{i}"));
}
// Assert
var allKeys = await _repository.ListAsync(_tenantId);
allKeys.Should().HaveCount(iterations);
}
[Fact]
public async Task ConcurrentDeleteAndRead_ReturnsConsistentState()
{
// Arrange
var key = CreateApiKeyEntity(Guid.NewGuid(), "Delete Race");
await _repository.CreateAsync(_tenantId, key);
// Act - Delete and read in parallel
var deleteTask = _repository.DeleteAsync(_tenantId, key.Id);
var readTasks = Enumerable.Range(0, 10)
.Select(_ => _repository.GetByIdAsync(_tenantId, key.Id))
.ToList();
await Task.WhenAll(readTasks.Cast<Task>().Append(deleteTask));
var readResults = await Task.WhenAll(readTasks);
// Assert - Reads should either return the key or null (after delete)
// No partial/corrupted data should be returned
foreach (var result in readResults)
{
if (result != null)
{
result.Id.Should().Be(key.Id);
result.Status.Should().BeOneOf(ApiKeyStatus.Active, ApiKeyStatus.Revoked);
}
}
}
private ApiKeyEntity CreateApiKeyEntity(Guid id, string name) => new()
{
Id = id,
TenantId = _tenantId,
UserId = _userId,
Name = name,
KeyHash = "sha256_" + Guid.NewGuid().ToString("N"),
KeyPrefix = "sk_" + Guid.NewGuid().ToString("N")[..8],
Scopes = ["read"],
Status = ApiKeyStatus.Active,
ExpiresAt = DateTimeOffset.UtcNow.AddMonths(6)
};
private Task SeedTenantAsync() =>
_fixture.ExecuteSqlAsync(
$"INSERT INTO authority.tenants (tenant_id, name, status, settings, metadata) " +
$"VALUES ('{_tenantId}', 'Tenant {_tenantId}', 'active', '{{}}', '{{}}') " +
"ON CONFLICT (tenant_id) DO NOTHING;");
private Task SeedUserAsync() =>
_fixture.ExecuteSqlAsync(
$"INSERT INTO authority.users (id, tenant_id, username, status) " +
$"VALUES ('{_userId}', '{_tenantId}', 'user-{_userId:N}', 'active') " +
"ON CONFLICT (id) DO NOTHING;");
}

228
src/Authority/__Tests/StellaOps.Authority.Storage.Postgres.Tests/ApiKeyIdempotencyTests.cs Normal file
View File

@@ -0,0 +1,228 @@
// -----------------------------------------------------------------------------
// ApiKeyIdempotencyTests.cs
// Sprint: SPRINT_5100_0007_0004_storage_harness
// Task: STOR-HARNESS-010
// Description: Model S1 idempotency tests for Authority API key storage
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using Npgsql;
using StellaOps.Authority.Storage.Postgres;
using StellaOps.Authority.Storage.Postgres.Models;
using StellaOps.Authority.Storage.Postgres.Repositories;
using StellaOps.TestKit;
using Xunit;
namespace StellaOps.Authority.Storage.Postgres.Tests;
/// <summary>
/// Idempotency tests for API key storage operations.
/// Implements Model S1 (Storage/Postgres) test requirements:
/// - Insert same entity twice → no duplicates
/// - Upsert creates when not exists
/// - Upsert updates when exists
/// </summary>
[Collection(AuthorityPostgresCollection.Name)]
[Trait("Category", TestCategories.Integration)]
[Trait("Category", TestCategories.StorageIdempotency)]
public sealed class ApiKeyIdempotencyTests : IAsyncLifetime
{
private readonly AuthorityPostgresFixture _fixture;
private ApiKeyRepository _repository = null!;
private NpgsqlDataSource _npgsqlDataSource = null!;
private readonly string _tenantId = Guid.NewGuid().ToString();
private readonly Guid _userId = Guid.NewGuid();
public ApiKeyIdempotencyTests(AuthorityPostgresFixture fixture)
{
_fixture = fixture;
}
public async Task InitializeAsync()
{
await _fixture.TruncateAllTablesAsync();
var options = _fixture.Fixture.CreateOptions();
options.SchemaName = _fixture.SchemaName;
var dataSource = new AuthorityDataSource(Options.Create(options), NullLogger<AuthorityDataSource>.Instance);
_repository = new ApiKeyRepository(dataSource, NullLogger<ApiKeyRepository>.Instance);
_npgsqlDataSource = NpgsqlDataSource.Create(_fixture.ConnectionString);
await SeedTenantAsync();
await SeedUserAsync();
}
public async Task DisposeAsync()
{
await _npgsqlDataSource.DisposeAsync();
}
[Fact]
public async Task CreateAsync_SameId_Twice_Should_Not_Duplicate()
{
// Arrange
var keyId = Guid.NewGuid();
var key1 = CreateApiKeyEntity(keyId, "First Key");
var key2 = CreateApiKeyEntity(keyId, "Second Key");
// Act
await _repository.CreateAsync(_tenantId, key1);
// Second creation with same ID should throw or be ignored
var createSecond = async () => await _repository.CreateAsync(_tenantId, key2);
// Assert - Either throws or upserts, but should not create duplicate
try
{
await createSecond();
// If no exception, verify only one record exists
var all = await _repository.ListAsync(_tenantId);
all.Count(k => k.Id == keyId).Should().Be(1,
"duplicate ID should not create multiple records");
}
catch (PostgresException)
{
// Expected if DB enforces uniqueness
}
}
[Fact]
public async Task CreateAsync_DifferentIds_SamePrefix_Should_Not_Duplicate()
{
// Arrange
var prefix = "sk_unique_" + Guid.NewGuid().ToString("N")[..6];
var key1 = CreateApiKeyEntity(Guid.NewGuid(), "Key One");
key1.KeyPrefix = prefix;
var key2 = CreateApiKeyEntity(Guid.NewGuid(), "Key Two");
key2.KeyPrefix = prefix; // Same prefix
// Act
await _repository.CreateAsync(_tenantId, key1);
var createSecond = async () => await _repository.CreateAsync(_tenantId, key2);
// Assert - Should fail due to unique constraint on key_prefix
try
{
await createSecond();
var result = await _repository.GetByPrefixAsync(prefix);
result.Should().NotBeNull("at least one key should exist");
}
catch (PostgresException)
{
// Expected if DB enforces uniqueness on prefix
}
}
[Fact]
public async Task UpdateLastUsedAsync_Twice_Should_Be_Idempotent()
{
// Arrange
var key = CreateApiKeyEntity(Guid.NewGuid(), "Update Test");
await _repository.CreateAsync(_tenantId, key);
// Act - Update last used twice
await _repository.UpdateLastUsedAsync(_tenantId, key.Id);
var after1 = await _repository.GetByIdAsync(_tenantId, key.Id);
await Task.Delay(50); // Small delay to ensure different timestamp potential
await _repository.UpdateLastUsedAsync(_tenantId, key.Id);
var after2 = await _repository.GetByIdAsync(_tenantId, key.Id);
// Assert - Should have exactly one key, second update should succeed
after1.Should().NotBeNull();
after2.Should().NotBeNull();
after2!.Id.Should().Be(key.Id);
}
[Fact]
public async Task RevokeAsync_Twice_Should_Be_Idempotent()
{
// Arrange
var key = CreateApiKeyEntity(Guid.NewGuid(), "Revoke Test");
await _repository.CreateAsync(_tenantId, key);
// Act - Revoke twice
await _repository.RevokeAsync(_tenantId, key.Id, "admin@test.com");
var after1 = await _repository.GetByIdAsync(_tenantId, key.Id);
await _repository.RevokeAsync(_tenantId, key.Id, "admin2@test.com");
var after2 = await _repository.GetByIdAsync(_tenantId, key.Id);
// Assert - Key should be revoked, second revoke should not fail
after1.Should().NotBeNull();
after1!.Status.Should().Be(ApiKeyStatus.Revoked);
after2.Should().NotBeNull();
after2!.Status.Should().Be(ApiKeyStatus.Revoked);
}
[Fact]
public async Task DeleteAsync_Twice_Should_Be_Idempotent()
{
// Arrange
var key = CreateApiKeyEntity(Guid.NewGuid(), "Delete Test");
await _repository.CreateAsync(_tenantId, key);
// Act - Delete twice
await _repository.DeleteAsync(_tenantId, key.Id);
var afterFirst = await _repository.GetByIdAsync(_tenantId, key.Id);
// Second delete should not throw
var deleteSecond = async () => await _repository.DeleteAsync(_tenantId, key.Id);
await deleteSecond.Should().NotThrowAsync();
var afterSecond = await _repository.GetByIdAsync(_tenantId, key.Id);
// Assert
afterFirst.Should().BeNull("first delete should remove key");
afterSecond.Should().BeNull("second delete should also succeed");
}
[Fact]
public async Task CreateAsync_Multiple_Keys_For_Same_User_Allowed()
{
// Arrange - Create 5 keys for same user
var keys = Enumerable.Range(0, 5)
.Select(i => CreateApiKeyEntity(Guid.NewGuid(), $"MultiKey-{i}"))
.ToList();
// Act
foreach (var key in keys)
{
await _repository.CreateAsync(_tenantId, key);
}
// Assert
var userKeys = await _repository.GetByUserIdAsync(_tenantId, _userId);
userKeys.Should().HaveCount(5, "user can have multiple API keys");
}
private ApiKeyEntity CreateApiKeyEntity(Guid id, string name) => new()
{
Id = id,
TenantId = _tenantId,
UserId = _userId,
Name = name,
KeyHash = "sha256_" + Guid.NewGuid().ToString("N"),
KeyPrefix = "sk_" + Guid.NewGuid().ToString("N")[..8],
Scopes = ["read"],
Status = ApiKeyStatus.Active,
ExpiresAt = DateTimeOffset.UtcNow.AddMonths(6)
};
private Task SeedTenantAsync() =>
_fixture.ExecuteSqlAsync(
$"INSERT INTO authority.tenants (tenant_id, name, status, settings, metadata) " +
$"VALUES ('{_tenantId}', 'Tenant {_tenantId}', 'active', '{{}}', '{{}}') " +
"ON CONFLICT (tenant_id) DO NOTHING;");
private Task SeedUserAsync() =>
_fixture.ExecuteSqlAsync(
$"INSERT INTO authority.users (id, tenant_id, username, status) " +
$"VALUES ('{_userId}', '{_tenantId}', 'user-{_userId:N}', 'active') " +
"ON CONFLICT (id) DO NOTHING;");
}

82
src/Authority/__Tests/StellaOps.Authority.Storage.Postgres.Tests/AuthorityPostgresFixture.cs
View File

@@ -1,8 +1,21 @@
// -----------------------------------------------------------------------------
// AuthorityPostgresFixture.cs
// Sprint: SPRINT_5100_0007_0004_storage_harness
// Task: STOR-HARNESS-010
// Description: Authority PostgreSQL test fixture with TestKit integration
// -----------------------------------------------------------------------------
using System.Reflection;
using StellaOps.Authority.Storage.Postgres;
using StellaOps.Infrastructure.Postgres.Testing;
using StellaOps.TestKit;
using StellaOps.TestKit.Fixtures;
using Xunit;
// Type aliases to disambiguate TestKit and Infrastructure fixtures
using TestKitPostgresFixture = StellaOps.TestKit.Fixtures.PostgresFixture;
using TestKitPostgresIsolationMode = StellaOps.TestKit.Fixtures.PostgresIsolationMode;
namespace StellaOps.Authority.Storage.Postgres.Tests;
/// <summary>
@@ -21,8 +34,75 @@ public sealed class AuthorityPostgresFixture : PostgresIntegrationFixture, IColl
/// Collection definition for Authority PostgreSQL integration tests.
/// Tests in this collection share a single PostgreSQL container instance.
/// </summary>
[CollectionDefinition(Name)]
[CollectionDefinition(AuthorityPostgresCollection.Name)]
public sealed class AuthorityPostgresCollection : ICollectionFixture<AuthorityPostgresFixture>
{
public const string Name = "AuthorityPostgres";
}
/// <summary>
/// TestKit-based PostgreSQL fixture for Authority storage tests.
/// Provides TestKit features like isolation modes, session management,
/// and integration with deterministic time/random utilities.
/// </summary>
public sealed class AuthorityTestKitPostgresFixture : IAsyncLifetime
{
private TestKitPostgresFixture _fixture = null!;
/// <summary>
/// Gets the underlying TestKit PostgresFixture.
/// </summary>
public TestKitPostgresFixture Fixture => _fixture;
/// <summary>
/// Gets the connection string for the PostgreSQL container.
/// </summary>
public string ConnectionString => _fixture.ConnectionString;
/// <summary>
/// Gets or sets the isolation mode for tests.
/// </summary>
public TestKitPostgresIsolationMode IsolationMode
{
get => _fixture.IsolationMode;
set => _fixture.IsolationMode = value;
}
public async Task InitializeAsync()
{
_fixture = new TestKitPostgresFixture
{
IsolationMode = TestKitPostgresIsolationMode.Truncation
};
await _fixture.InitializeAsync();
// Apply Authority migrations
var migrationAssembly = typeof(AuthorityDataSource).Assembly;
await _fixture.ApplyMigrationsFromAssemblyAsync(migrationAssembly, "authority", "Migrations");
}
public async Task DisposeAsync()
{
await _fixture.DisposeAsync();
}
/// <summary>
/// Truncates all tables for test isolation.
/// </summary>
public Task TruncateAllTablesAsync() => _fixture.TruncateAllTablesAsync();
/// <summary>
/// Creates an isolated test session for a test.
/// </summary>
public Task<PostgresTestSession> CreateSessionAsync(string? testName = null)
=> _fixture.CreateSessionAsync(testName);
}
/// <summary>
/// Collection definition for Authority TestKit PostgreSQL tests.
/// </summary>
[CollectionDefinition(AuthorityTestKitPostgresCollection.Name)]
public sealed class AuthorityTestKitPostgresCollection : ICollectionFixture<AuthorityTestKitPostgresFixture>
{
public const string Name = "AuthorityTestKitPostgres";
}

446
src/Authority/__Tests/StellaOps.Authority.Storage.Postgres.Tests/RoleBasedAccessTests.cs Normal file
View File

@@ -0,0 +1,446 @@
// -----------------------------------------------------------------------------
// RoleBasedAccessTests.cs
// Sprint: SPRINT_5100_0009_0005_authority_tests
// Task: AUTHORITY-5100-005
// Description: Model L0 role-based access control tests for Authority module
// -----------------------------------------------------------------------------
using FluentAssertions;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using StellaOps.Authority.Storage.Postgres;
using StellaOps.Authority.Storage.Postgres.Models;
using StellaOps.Authority.Storage.Postgres.Repositories;
using Xunit;
namespace StellaOps.Authority.Storage.Postgres.Tests;
/// <summary>
/// Role-based access control (RBAC) tests for Authority module.
/// Implements Model L0 (Core Logic) test requirements:
/// - User with role gets correct permissions
/// - User without role cannot access (deny-by-default)
/// - Expired role assignments are not honored
/// - Multiple roles accumulate permissions
/// </summary>
[Collection(AuthorityPostgresCollection.Name)]
public sealed class RoleBasedAccessTests : IAsyncLifetime
{
private readonly AuthorityPostgresFixture _fixture;
private RoleRepository _roleRepository = null!;
private PermissionRepository _permissionRepository = null!;
private UserRepository _userRepository = null!;
private readonly string _tenantId = Guid.NewGuid().ToString();
public RoleBasedAccessTests(AuthorityPostgresFixture fixture)
{
_fixture = fixture;
}
public async Task InitializeAsync()
{
await _fixture.TruncateAllTablesAsync();
var options = _fixture.Fixture.CreateOptions();
options.SchemaName = _fixture.SchemaName;
var dataSource = new AuthorityDataSource(Options.Create(options), NullLogger<AuthorityDataSource>.Instance);
_roleRepository = new RoleRepository(dataSource, NullLogger<RoleRepository>.Instance);
_permissionRepository = new PermissionRepository(dataSource, NullLogger<PermissionRepository>.Instance);
_userRepository = new UserRepository(dataSource, NullLogger<UserRepository>.Instance);
await SeedTenantAsync();
}
public Task DisposeAsync() => Task.CompletedTask;
#region User-Role Assignment Tests
[Fact]
public async Task UserWithRole_GetsRolePermissions()
{
// Arrange
var user = await CreateUserAsync("rbac-user-1");
var role = await CreateRoleAsync("Admin");
var permission1 = await CreatePermissionAsync("scanner", "scan");
var permission2 = await CreatePermissionAsync("scanner", "view");
// Assign permissions to role
await _permissionRepository.AssignToRoleAsync(_tenantId, role.Id, permission1.Id);
await _permissionRepository.AssignToRoleAsync(_tenantId, role.Id, permission2.Id);
// Assign role to user
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, role.Id, "admin@test.com", null);
// Act
var userPermissions = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
// Assert
userPermissions.Should().HaveCount(2);
userPermissions.Should().Contain(p => p.Resource == "scanner" && p.Action == "scan");
userPermissions.Should().Contain(p => p.Resource == "scanner" && p.Action == "view");
}
[Fact]
public async Task UserWithoutRole_HasNoPermissions_DenyByDefault()
{
// Arrange
var user = await CreateUserAsync("rbac-user-no-role");
var role = await CreateRoleAsync("Admin");
var permission = await CreatePermissionAsync("scanner", "scan");
// Assign permission to role but NOT role to user
await _permissionRepository.AssignToRoleAsync(_tenantId, role.Id, permission.Id);
// Act
var userPermissions = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
var userRoles = await _roleRepository.GetUserRolesAsync(_tenantId, user.Id);
// Assert - Deny by default: no roles = no permissions
userRoles.Should().BeEmpty();
userPermissions.Should().BeEmpty();
}
[Fact]
public async Task UserWithExpiredRole_HasNoPermissions()
{
// Arrange
var user = await CreateUserAsync("rbac-user-expired");
var role = await CreateRoleAsync("TempAdmin");
var permission = await CreatePermissionAsync("scanner", "admin");
await _permissionRepository.AssignToRoleAsync(_tenantId, role.Id, permission.Id);
// Assign role with expiry in the past
var expiredAt = DateTimeOffset.UtcNow.AddHours(-1);
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, role.Id, "admin@test.com", expiredAt);
// Act
var userPermissions = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
var userRoles = await _roleRepository.GetUserRolesAsync(_tenantId, user.Id);
// Assert - Expired role should not grant permissions
userRoles.Should().BeEmpty("expired role should not be returned");
userPermissions.Should().BeEmpty("expired role should not grant permissions");
}
[Fact]
public async Task UserWithFutureExpiryRole_HasPermissions()
{
// Arrange
var user = await CreateUserAsync("rbac-user-future");
var role = await CreateRoleAsync("LimitedAdmin");
var permission = await CreatePermissionAsync("policy", "read");
await _permissionRepository.AssignToRoleAsync(_tenantId, role.Id, permission.Id);
// Assign role with expiry in the future
var expiresAt = DateTimeOffset.UtcNow.AddDays(30);
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, role.Id, "admin@test.com", expiresAt);
// Act
var userPermissions = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
var userRoles = await _roleRepository.GetUserRolesAsync(_tenantId, user.Id);
// Assert - Non-expired role should grant permissions
userRoles.Should().HaveCount(1);
userPermissions.Should().HaveCount(1);
userPermissions.Should().Contain(p => p.Resource == "policy" && p.Action == "read");
}
[Fact]
public async Task UserWithNoExpiryRole_HasPermissions()
{
// Arrange
var user = await CreateUserAsync("rbac-user-no-expiry");
var role = await CreateRoleAsync("PermanentAdmin");
var permission = await CreatePermissionAsync("authority", "manage");
await _permissionRepository.AssignToRoleAsync(_tenantId, role.Id, permission.Id);
// Assign role without expiry (null = permanent)
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, role.Id, "admin@test.com", null);
// Act
var userPermissions = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
var userRoles = await _roleRepository.GetUserRolesAsync(_tenantId, user.Id);
// Assert - Permanent role should grant permissions
userRoles.Should().HaveCount(1);
userPermissions.Should().HaveCount(1);
}
#endregion
#region Multiple Roles Tests
[Fact]
public async Task UserWithMultipleRoles_AccumulatesPermissions()
{
// Arrange
var user = await CreateUserAsync("rbac-user-multi");
var readerRole = await CreateRoleAsync("Reader");
var writerRole = await CreateRoleAsync("Writer");
var readPermission = await CreatePermissionAsync("scanner", "read");
var writePermission = await CreatePermissionAsync("scanner", "write");
var deletePermission = await CreatePermissionAsync("scanner", "delete");
// Reader gets read
await _permissionRepository.AssignToRoleAsync(_tenantId, readerRole.Id, readPermission.Id);
// Writer gets write and delete
await _permissionRepository.AssignToRoleAsync(_tenantId, writerRole.Id, writePermission.Id);
await _permissionRepository.AssignToRoleAsync(_tenantId, writerRole.Id, deletePermission.Id);
// User has both roles
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, readerRole.Id, "admin@test.com", null);
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, writerRole.Id, "admin@test.com", null);
// Act
var userPermissions = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
var userRoles = await _roleRepository.GetUserRolesAsync(_tenantId, user.Id);
// Assert - Permissions from both roles should be combined
userRoles.Should().HaveCount(2);
userPermissions.Should().HaveCount(3);
userPermissions.Should().Contain(p => p.Action == "read");
userPermissions.Should().Contain(p => p.Action == "write");
userPermissions.Should().Contain(p => p.Action == "delete");
}
[Fact]
public async Task UserWithOverlappingRolePermissions_GetsDistinctPermissions()
{
// Arrange
var user = await CreateUserAsync("rbac-user-overlap");
var role1 = await CreateRoleAsync("Role1");
var role2 = await CreateRoleAsync("Role2");
var sharedPermission = await CreatePermissionAsync("concelier", "view");
var uniquePermission = await CreatePermissionAsync("concelier", "edit");
// Both roles have the shared permission
await _permissionRepository.AssignToRoleAsync(_tenantId, role1.Id, sharedPermission.Id);
await _permissionRepository.AssignToRoleAsync(_tenantId, role2.Id, sharedPermission.Id);
// Only role2 has unique permission
await _permissionRepository.AssignToRoleAsync(_tenantId, role2.Id, uniquePermission.Id);
// User has both roles
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, role1.Id, "admin@test.com", null);
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, role2.Id, "admin@test.com", null);
// Act
var userPermissions = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
// Assert - Should get distinct permissions (no duplicates)
userPermissions.Should().HaveCount(2);
userPermissions.Select(p => p.Id).Should().OnlyHaveUniqueItems();
}
[Fact]
public async Task UserWithOneExpiredRole_StillHasOtherRolePermissions()
{
// Arrange
var user = await CreateUserAsync("rbac-user-partial-expired");
var permanentRole = await CreateRoleAsync("Permanent");
var tempRole = await CreateRoleAsync("Temporary");
var permPerm = await CreatePermissionAsync("system", "basic");
var tempPerm = await CreatePermissionAsync("system", "admin");
await _permissionRepository.AssignToRoleAsync(_tenantId, permanentRole.Id, permPerm.Id);
await _permissionRepository.AssignToRoleAsync(_tenantId, tempRole.Id, tempPerm.Id);
// Permanent role (no expiry)
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, permanentRole.Id, "admin@test.com", null);
// Temporary role (expired)
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, tempRole.Id, "admin@test.com",
DateTimeOffset.UtcNow.AddHours(-1));
// Act
var userPermissions = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
var userRoles = await _roleRepository.GetUserRolesAsync(_tenantId, user.Id);
// Assert - Only permanent role and its permissions
userRoles.Should().HaveCount(1);
userRoles.Should().Contain(r => r.Name == "Permanent");
userPermissions.Should().HaveCount(1);
userPermissions.Should().Contain(p => p.Action == "basic");
userPermissions.Should().NotContain(p => p.Action == "admin");
}
#endregion
#region Role Removal Tests
[Fact]
public async Task RemovingRole_RemovesPermissions()
{
// Arrange
var user = await CreateUserAsync("rbac-user-remove");
var role = await CreateRoleAsync("Removable");
var permission = await CreatePermissionAsync("resource", "action");
await _permissionRepository.AssignToRoleAsync(_tenantId, role.Id, permission.Id);
await _roleRepository.AssignToUserAsync(_tenantId, user.Id, role.Id, "admin@test.com", null);
// Verify permissions before removal
var beforeRemoval = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
beforeRemoval.Should().HaveCount(1);
// Act - Remove role from user
await _roleRepository.RemoveFromUserAsync(_tenantId, user.Id, role.Id);
// Assert
var afterRemoval = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user.Id);
var userRoles = await _roleRepository.GetUserRolesAsync(_tenantId, user.Id);
userRoles.Should().BeEmpty();
afterRemoval.Should().BeEmpty();
}
[Fact]
public async Task RemovingPermissionFromRole_AffectsAllUsersWithRole()
{
// Arrange
var user1 = await CreateUserAsync("rbac-user-a");
var user2 = await CreateUserAsync("rbac-user-b");
var role = await CreateRoleAsync("SharedRole");
var permission = await CreatePermissionAsync("shared", "access");
await _permissionRepository.AssignToRoleAsync(_tenantId, role.Id, permission.Id);
await _roleRepository.AssignToUserAsync(_tenantId, user1.Id, role.Id, "admin@test.com", null);
await _roleRepository.AssignToUserAsync(_tenantId, user2.Id, role.Id, "admin@test.com", null);
// Verify both users have permission
var user1Before = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user1.Id);
var user2Before = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user2.Id);
user1Before.Should().HaveCount(1);
user2Before.Should().HaveCount(1);
// Act - Remove permission from role
await _permissionRepository.RemoveFromRoleAsync(_tenantId, role.Id, permission.Id);
// Assert - Both users lose the permission
var user1After = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user1.Id);
var user2After = await _permissionRepository.GetUserPermissionsAsync(_tenantId, user2.Id);
user1After.Should().BeEmpty();
user2After.Should().BeEmpty();
}
#endregion
#region Role Permission Enforcement Tests
[Fact]
public async Task GetRolePermissions_ReturnsOnlyAssignedPermissions()
{
// Arrange
var role = await CreateRoleAsync("LimitedRole");
var assignedPerm = await CreatePermissionAsync("allowed", "yes");
var unassignedPerm = await CreatePermissionAsync("notallowed", "no");
await _permissionRepository.AssignToRoleAsync(_tenantId, role.Id, assignedPerm.Id);
// Note: unassignedPerm is NOT assigned to role
// Act
var rolePermissions = await _permissionRepository.GetRolePermissionsAsync(_tenantId, role.Id);
// Assert
rolePermissions.Should().HaveCount(1);
rolePermissions.Should().Contain(p => p.Resource == "allowed");
rolePermissions.Should().NotContain(p => p.Resource == "notallowed");
}
[Fact]
public async Task SystemRole_CanHaveSpecialPermissions()
{
// Arrange
var systemRole = new RoleEntity
{
Id = Guid.NewGuid(),
TenantId = _tenantId,
Name = "SystemAdmin",
IsSystem = true,
CreatedAt = DateTimeOffset.UtcNow,
UpdatedAt = DateTimeOffset.UtcNow
};
await _roleRepository.CreateAsync(_tenantId, systemRole);
var superPermission = await CreatePermissionAsync("*", "*"); // Wildcard permission
await _permissionRepository.AssignToRoleAsync(_tenantId, systemRole.Id, superPermission.Id);
// Act
var rolePermissions = await _permissionRepository.GetRolePermissionsAsync(_tenantId, systemRole.Id);
// Assert
rolePermissions.Should().HaveCount(1);
rolePermissions.Should().Contain(p => p.Resource == "*" && p.Action == "*");
}
#endregion
#region Helper Methods
private async Task<UserEntity> CreateUserAsync(string username)
{
var user = new UserEntity
{
Id = Guid.NewGuid(),
TenantId = _tenantId,
Username = username,
Email = $"{username}@test.com",
Enabled = true,
Settings = "{}",
Metadata = "{}",
CreatedAt = DateTimeOffset.UtcNow,
UpdatedAt = DateTimeOffset.UtcNow
};
await _userRepository.CreateAsync(user);
return user;
}
private async Task<RoleEntity> CreateRoleAsync(string name)
{
var role = new RoleEntity
{
Id = Guid.NewGuid(),
TenantId = _tenantId,
Name = name,
Description = $"{name} role",
CreatedAt = DateTimeOffset.UtcNow,
UpdatedAt = DateTimeOffset.UtcNow
};
await _roleRepository.CreateAsync(_tenantId, role);
return role;
}
private async Task<PermissionEntity> CreatePermissionAsync(string resource, string action)
{
var permission = new PermissionEntity
{
Id = Guid.NewGuid(),
TenantId = _tenantId,
Name = $"{resource}:{action}",
Resource = resource,
Action = action,
CreatedAt = DateTimeOffset.UtcNow
};
await _permissionRepository.CreateAsync(_tenantId, permission);
return permission;
}
private Task SeedTenantAsync() =>
_fixture.ExecuteSqlAsync(
$"INSERT INTO authority.tenants (tenant_id, name, status, settings, metadata) " +
$"VALUES ('{_tenantId}', 'Tenant {_tenantId}', 'active', '{{}}', '{{}}') " +
"ON CONFLICT (tenant_id) DO NOTHING;");
#endregion
}

1
src/Authority/__Tests/StellaOps.Authority.Storage.Postgres.Tests/StellaOps.Authority.Storage.Postgres.Tests.csproj
View File

@@ -30,6 +30,7 @@
<ItemGroup>
<ProjectReference Include="..\..\__Libraries\StellaOps.Authority.Storage.Postgres\StellaOps.Authority.Storage.Postgres.csproj" />
<ProjectReference Include="..\..\..\__Libraries\StellaOps.Infrastructure.Postgres.Testing\StellaOps.Infrastructure.Postgres.Testing.csproj" />
<ProjectReference Include="..\..\..\__Libraries\StellaOps.TestKit\StellaOps.TestKit.csproj" />
</ItemGroup>
</Project>