Restructure solution layout by module

2025-10-28 15:10:40 +02:00
parent 95daa159c4
commit d870da18ce
4103 changed files with 192899 additions and 187024 deletions
--- a/src/Scheduler/__Tests/StellaOps.Scheduler.WebService.Tests/EventWebhookEndpointTests.cs
+++ b/src/Scheduler/__Tests/StellaOps.Scheduler.WebService.Tests/EventWebhookEndpointTests.cs
@@ -0,0 +1,128 @@
+using System;
+using System.Collections.Generic;
+using System.Net;
+using System.Security.Cryptography;
+using System.Text;
+using System.Text.Json;
+using System.Threading.Tasks;
+using Microsoft.AspNetCore.Mvc.Testing;
+using Microsoft.Extensions.Configuration;
+
+namespace StellaOps.Scheduler.WebService.Tests;
+
+public sealed class EventWebhookEndpointTests : IClassFixture<WebApplicationFactory<Program>>
+{
+    static EventWebhookEndpointTests()
+    {
+        Environment.SetEnvironmentVariable("Scheduler__Events__Webhooks__Feedser__HmacSecret", FeedserSecret);
+        Environment.SetEnvironmentVariable("Scheduler__Events__Webhooks__Feedser__Enabled", "true");
+        Environment.SetEnvironmentVariable("Scheduler__Events__Webhooks__Vexer__HmacSecret", VexerSecret);
+        Environment.SetEnvironmentVariable("Scheduler__Events__Webhooks__Vexer__Enabled", "true");
+    }
+
+    private const string FeedserSecret = "feedser-secret";
+    private const string VexerSecret = "vexer-secret";
+
+    private readonly WebApplicationFactory<Program> _factory;
+
+    public EventWebhookEndpointTests(WebApplicationFactory<Program> factory)
+    {
+        _factory = factory;
+    }
+
+    [Fact]
+    public async Task FeedserWebhook_AcceptsValidSignature()
+    {
+        using var client = _factory.CreateClient();
+        var payload = new
+        {
+            exportId = "feedser-exp-1",
+            changedProductKeys = new[] { "pkg:rpm/openssl", "pkg:deb/nginx" },
+            kev = new[] { "CVE-2024-0001" },
+            window = new { from = DateTimeOffset.UtcNow.AddHours(-1), to = DateTimeOffset.UtcNow }
+        };
+
+        var json = JsonSerializer.Serialize(payload, new JsonSerializerOptions(JsonSerializerDefaults.Web));
+        using var request = new HttpRequestMessage(HttpMethod.Post, "/events/feedser-export")
+        {
+            Content = new StringContent(json, Encoding.UTF8, "application/json")
+        };
+        request.Headers.TryAddWithoutValidation("X-Scheduler-Signature", ComputeSignature(FeedserSecret, json));
+
+        var response = await client.SendAsync(request);
+        Assert.Equal(HttpStatusCode.Accepted, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task FeedserWebhook_RejectsInvalidSignature()
+    {
+        using var client = _factory.CreateClient();
+        var payload = new
+        {
+            exportId = "feedser-exp-2",
+            changedProductKeys = new[] { "pkg:nuget/log4net" }
+        };
+
+        var json = JsonSerializer.Serialize(payload, new JsonSerializerOptions(JsonSerializerDefaults.Web));
+        using var request = new HttpRequestMessage(HttpMethod.Post, "/events/feedser-export")
+        {
+            Content = new StringContent(json, Encoding.UTF8, "application/json")
+        };
+        request.Headers.TryAddWithoutValidation("X-Scheduler-Signature", "sha256=invalid");
+
+        var response = await client.SendAsync(request);
+        Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+    }
+
+    [Fact]
+    public async Task VexerWebhook_HonoursRateLimit()
+    {
+        using var restrictedFactory = _factory.WithWebHostBuilder(builder =>
+        {
+            builder.ConfigureAppConfiguration((_, configuration) =>
+            {
+                configuration.AddInMemoryCollection(new Dictionary<string, string?>
+                {
+                    ["Scheduler:Events:Webhooks:Vexer:RateLimitRequests"] = "1",
+                    ["Scheduler:Events:Webhooks:Vexer:RateLimitWindowSeconds"] = "60"
+                });
+            });
+        });
+
+        using var client = restrictedFactory.CreateClient();
+        var payload = new
+        {
+            exportId = "vexer-exp-1",
+            changedClaims = new[]
+            {
+                new { productKey = "pkg:deb/openssl", vulnerabilityId = "CVE-2024-1234", status = "affected" }
+            }
+        };
+
+        var json = JsonSerializer.Serialize(payload, new JsonSerializerOptions(JsonSerializerDefaults.Web));
+
+        using var first = new HttpRequestMessage(HttpMethod.Post, "/events/vexer-export")
+        {
+            Content = new StringContent(json, Encoding.UTF8, "application/json")
+        };
+        first.Headers.TryAddWithoutValidation("X-Scheduler-Signature", ComputeSignature(VexerSecret, json));
+        var firstResponse = await client.SendAsync(first);
+        Assert.Equal(HttpStatusCode.Accepted, firstResponse.StatusCode);
+
+        using var second = new HttpRequestMessage(HttpMethod.Post, "/events/vexer-export")
+        {
+            Content = new StringContent(json, Encoding.UTF8, "application/json")
+        };
+        second.Headers.TryAddWithoutValidation("X-Scheduler-Signature", ComputeSignature(VexerSecret, json));
+        var secondResponse = await client.SendAsync(second);
+        Assert.Equal((HttpStatusCode)429, secondResponse.StatusCode);
+        Assert.True(secondResponse.Headers.Contains("Retry-After"));
+    }
+
+    private static string ComputeSignature(string secret, string payload)
+    {
+        using var hmac = new HMACSHA256(Encoding.UTF8.GetBytes(secret));
+        var hash = hmac.ComputeHash(Encoding.UTF8.GetBytes(payload));
+        return "sha256=" + Convert.ToHexString(hash).ToLowerInvariant();
+    }
+}