stella-ops.org/git.stella-ops.org
1
0
Fork 0
Code Issues Pull Requests Actions 3 Releases Wiki Activity
Files
c2b9cd8d1f1a81af32c757063a460815ff4949a4
git.stella-ops.org/src/Signer/StellaOps.Signer/StellaOps.Signer.Tests/Auth/SignerAuthTests.cs

412 lines
14 KiB
C#
Raw Blame History

This file contains ambiguous Unicode characters

This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.

// -----------------------------------------------------------------------------
// SignerAuthTests.cs
// Sprint: SPRINT_5100_0009_0006 - Signer Module Test Implementation
// Task: SIGNER-5100-012 - Add auth tests: verify signing requires elevated permissions; unauthorized requests denied
// Description: Authentication and authorization tests for Signer WebService
// -----------------------------------------------------------------------------
using System.Net;
using System.Net.Http.Headers;
using System.Net.Http.Json;
using FluentAssertions;
using Microsoft.AspNetCore.Mvc.Testing;
using Xunit;
namespace StellaOps.Signer.Tests.Auth;
/// <summary>
/// Authentication and authorization tests for Signer WebService.
/// Validates:
/// - Signing requires elevated permissions
/// - Unauthorized requests are denied
/// - Token validation (missing, invalid, expired)
/// - DPoP proof requirements
/// </summary>
[Trait("Category", "Auth")]
[Trait("Category", "Security")]
[Trait("Category", "W1")]
public sealed class SignerAuthTests : IClassFixture<WebApplicationFactory<Program>>
{
private readonly WebApplicationFactory<Program> _factory;
private readonly ITestOutputHelper _output;
public SignerAuthTests(WebApplicationFactory<Program> factory, ITestOutputHelper output)
{
_factory = factory;
_output = output;
}
#region Missing Token Tests
[Fact]
public async Task SignDsse_NoAuthHeader_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var content = JsonContent.Create(CreateBasicSignRequest());
// Act - no authorization header
var response = await client.PostAsync("/api/v1/signer/sign/dsse", content);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ No auth header → 401/403");
}
[Fact]
public async Task VerifyDsse_NoAuthHeader_MayBeAllowed()
{
// Arrange
var client = _factory.CreateClient();
var content = JsonContent.Create(new { bundle = new { } });
// Act - verification may have different auth requirements than signing
var response = await client.PostAsync("/api/v1/signer/verify/dsse", content);
// Assert - verify might be less restricted than sign
_output.WriteLine($"✓ Verify without auth → {response.StatusCode}");
// If 404, endpoint doesn't exist (skip)
if (response.StatusCode == HttpStatusCode.NotFound)
{
_output.WriteLine(" (verify endpoint not found)");
return;
}
// Document the auth requirement
var requiresAuth = response.StatusCode == HttpStatusCode.Unauthorized ||
response.StatusCode == HttpStatusCode.Forbidden;
_output.WriteLine($" Requires auth: {requiresAuth}");
}
#endregion
#region Invalid Token Tests
[Fact]
public async Task SignDsse_EmptyBearerToken_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ Empty bearer token → 401/403");
}
[Fact]
public async Task SignDsse_MalformedBearerToken_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "not.a.valid.jwt");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ Malformed bearer token → 401/403");
}
[Fact]
public async Task SignDsse_WrongAuthScheme_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Basic", "dXNlcjpwYXNz"); // user:pass
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ Wrong auth scheme (Basic) → 401/403");
}
[Fact]
public async Task SignDsse_RandomStringToken_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", Guid.NewGuid().ToString());
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden);
_output.WriteLine("✓ Random string token → 401/403");
}
#endregion
#region DPoP Tests
[Fact]
public async Task SignDsse_MissingDPoP_MayBeRequired()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Note: NOT adding DPoP header
// Act
var response = await client.SendAsync(request);
// Assert - DPoP may or may not be required
_output.WriteLine($"✓ Without DPoP → {response.StatusCode}");
if (response.StatusCode == HttpStatusCode.Forbidden)
{
_output.WriteLine(" DPoP appears to be required for signing");
}
}
[Fact]
public async Task SignDsse_MalformedDPoP_Returns401()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "invalid-dpop-proof");
// Act
var response = await client.SendAsync(request);
// Assert
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden,
HttpStatusCode.BadRequest);
_output.WriteLine($"✓ Malformed DPoP → {response.StatusCode}");
}
#endregion
#region Permission Tests
[Fact]
public async Task SignDsse_RequiresElevatedPermissions()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
// Use a stub token that passes validation but lacks signing permissions
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-readonly-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - signing should require specific permissions
if (response.StatusCode == HttpStatusCode.Forbidden)
{
_output.WriteLine("✓ Signing requires elevated permissions (403 Forbidden)");
}
else
{
_output.WriteLine($" Response: {response.StatusCode} (stub token behavior)");
}
}
#endregion
#region Security Header Tests
[Fact]
public async Task Response_ShouldNotExposeSensitiveHeaders()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request.Headers.Add("DPoP", "stub-proof");
// Act
var response = await client.SendAsync(request);
// Assert - should not expose internal details
response.Headers.Should().NotContainKey("X-Powered-By");
response.Headers.Should().NotContainKey("Server"); // If present, should not expose version
_output.WriteLine("✓ Response does not expose sensitive headers");
}
[Fact]
public async Task Error_ShouldNotExposeStackTrace()
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(new { invalid = true })
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
// Act
var response = await client.SendAsync(request);
// Assert
var content = await response.Content.ReadAsStringAsync();
content.Should().NotContain("System.Exception");
content.Should().NotContain("at StellaOps.");
content.Should().NotContain("StackTrace");
_output.WriteLine("✓ Error response does not expose stack trace");
}
#endregion
#region Injection Attack Tests
[Theory]
[InlineData("' OR '1'='1")]
[InlineData("'; DROP TABLE users; --")]
[InlineData("<script>alert('xss')</script>")]
[InlineData("{{7*7}}")]
[InlineData("${7*7}")]
public async Task SignDsse_InjectionInAuth_HandledSafely(string maliciousValue)
{
// Arrange
var client = _factory.CreateClient();
var request = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request.Headers.Authorization = new AuthenticationHeaderValue("Bearer", maliciousValue);
// Act
var response = await client.SendAsync(request);
// Assert - should reject, not execute
response.StatusCode.Should().BeOneOf(
HttpStatusCode.Unauthorized,
HttpStatusCode.Forbidden,
HttpStatusCode.BadRequest);
var content = await response.Content.ReadAsStringAsync();
content.Should().NotContain("49"); // 7*7 result
content.Should().NotContain("<script>");
_output.WriteLine($"✓ Injection '{maliciousValue[..Math.Min(20, maliciousValue.Length)]}...' handled safely");
}
#endregion
#region Token Replay Tests
[Fact]
public async Task SignDsse_TokenReplay_ShouldBeDetectable()
{
// Note: This tests the infrastructure for replay detection
// Actual replay detection depends on DPoP nonce or token tracking
var client = _factory.CreateClient();
var request1 = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request1.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request1.Headers.Add("DPoP", "stub-proof-1");
var request2 = new HttpRequestMessage(HttpMethod.Post, "/api/v1/signer/sign/dsse")
{
Content = JsonContent.Create(CreateBasicSignRequest())
};
request2.Headers.Authorization = new AuthenticationHeaderValue("Bearer", "stub-token");
request2.Headers.Add("DPoP", "stub-proof-1"); // Same proof
// Act
var response1 = await client.SendAsync(request1);
var response2 = await client.SendAsync(request2);
// Assert - at minimum, document the behavior
_output.WriteLine($"✓ First request: {response1.StatusCode}");
_output.WriteLine($"✓ Second request (replay): {response2.StatusCode}");
// If replay detection is active, second should fail
if (response1.IsSuccessStatusCode && !response2.IsSuccessStatusCode)
{
_output.WriteLine(" Replay detection appears active");
}
}
#endregion
#region Helper Methods
private static object CreateBasicSignRequest()
{
return new
{
subject = new[]
{
new
{
name = "pkg:npm/example@1.0.0",
digest = new Dictionary<string, string> { ["sha256"] = "4d5f6e7a8b9c0d1e2f3a4b5c6d7e8f9a0b1c2d3e4f5a6b7c8d9e0f1a2b3c4d5e" }
}
},
predicateType = "https://in-toto.io/Statement/v0.1",
predicate = new { result = "pass" },
scannerImageDigest = "sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef",
poe = new { format = "jwt", value = "valid-poe" },
options = new { signingMode = "kms", expirySeconds = 600, returnBundle = "dsse+cert" }
};
}
#endregion
}
Reference in New Issue View Git Blame Copy Permalink