test(bff): acceptance scenario for BFF access (valid/invalid tokens) (refs #8)
Use-case-level BDD (Reqnroll) driving the real BFF over HTTP with fake downstreams and locally-minted tokens: a valid DigiD token is accepted and the bsn forwarded to the domain; a tokenless submit is 401; the openbaar register is anonymous and never exposes the bsn (ADR-0010). Real Keycloak validation is the verify-bff check. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
This commit is contained in:
80
tests/acceptance/Support/BffAcceptanceHost.cs
Normal file
80
tests/acceptance/Support/BffAcceptanceHost.cs
Normal file
@@ -0,0 +1,80 @@
|
||||
using System.Text;
|
||||
using Bff.Api;
|
||||
using Microsoft.AspNetCore.Authentication.JwtBearer;
|
||||
using Microsoft.AspNetCore.Hosting;
|
||||
using Microsoft.AspNetCore.Mvc.Testing;
|
||||
using Microsoft.AspNetCore.TestHost;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.IdentityModel.JsonWebTokens;
|
||||
using Microsoft.IdentityModel.Protocols.OpenIdConnect;
|
||||
using Microsoft.IdentityModel.Tokens;
|
||||
|
||||
namespace Acceptance.Support;
|
||||
|
||||
/// <summary>Hosts the real BFF in-process for the acceptance scenario, with fake downstreams and a
|
||||
/// local test signing key so tokens can be minted without a live Keycloak (ADR-0010).</summary>
|
||||
public sealed class BffAcceptanceHost : WebApplicationFactory<Program>
|
||||
{
|
||||
private static readonly SymmetricSecurityKey TestKey =
|
||||
new(Encoding.UTF8.GetBytes("acceptance-bff-signing-key-at-least-256-bits-long!!"));
|
||||
|
||||
public CapturingDomainClient Domain { get; } = new();
|
||||
public StubProjectionClient Projection { get; } = new();
|
||||
|
||||
public static string MintToken(string bsn) => new JsonWebTokenHandler().CreateToken(new SecurityTokenDescriptor
|
||||
{
|
||||
Claims = new Dictionary<string, object> { ["bsn"] = bsn },
|
||||
Expires = DateTime.UtcNow.AddMinutes(30),
|
||||
SigningCredentials = new SigningCredentials(TestKey, SecurityAlgorithms.HmacSha256),
|
||||
});
|
||||
|
||||
protected override void ConfigureWebHost(IWebHostBuilder builder)
|
||||
{
|
||||
builder.UseSetting("Keycloak:Authority", "https://keycloak.invalid/realms/digid");
|
||||
builder.UseSetting("Downstream:Domain:BaseUrl", "http://domain.invalid/");
|
||||
builder.UseSetting("Downstream:Projection:BaseUrl", "http://projection.invalid/");
|
||||
|
||||
builder.ConfigureTestServices(services =>
|
||||
{
|
||||
services.AddSingleton<IDomainClient>(Domain);
|
||||
services.AddSingleton<IProjectionClient>(Projection);
|
||||
services.Configure<JwtBearerOptions>(JwtBearerDefaults.AuthenticationScheme, options =>
|
||||
{
|
||||
options.Authority = null;
|
||||
options.MetadataAddress = null!;
|
||||
options.RequireHttpsMetadata = false;
|
||||
options.Configuration = new OpenIdConnectConfiguration();
|
||||
options.TokenValidationParameters = new TokenValidationParameters
|
||||
{
|
||||
ValidateIssuer = false,
|
||||
ValidateAudience = false,
|
||||
ValidateLifetime = true,
|
||||
ValidateIssuerSigningKey = true,
|
||||
IssuerSigningKey = TestKey,
|
||||
ClockSkew = TimeSpan.Zero,
|
||||
};
|
||||
});
|
||||
});
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>Records the bsn the BFF forwarded.</summary>
|
||||
public sealed class CapturingDomainClient : IDomainClient
|
||||
{
|
||||
public string? SubmittedBsn { get; private set; }
|
||||
|
||||
public Task<SubmitAccepted> SubmitRegistrationAsync(string bsn, CancellationToken ct = default)
|
||||
{
|
||||
SubmittedBsn = bsn;
|
||||
return Task.FromResult(new SubmitAccepted("reg-acc-1", "Ingediend"));
|
||||
}
|
||||
}
|
||||
|
||||
/// <summary>Serves configurable projection rows.</summary>
|
||||
public sealed class StubProjectionClient : IProjectionClient
|
||||
{
|
||||
public List<ProjectionEntry> Entries { get; } = [];
|
||||
|
||||
public Task<IReadOnlyList<ProjectionEntry>> GetRegisterAsync(CancellationToken ct = default)
|
||||
=> Task.FromResult<IReadOnlyList<ProjectionEntry>>(Entries);
|
||||
}
|
||||
Reference in New Issue
Block a user