Auth tweaks, Audit implementation, Webhooks

This commit is contained in:
2026-04-13 14:17:45 -07:00
parent b9a04df861
commit 334b6cf3e1
46 changed files with 4654 additions and 61 deletions

View File

@@ -0,0 +1,116 @@
using System.Text.Json;
using MicCheck.Api.Audit;
using MicCheck.Api.Data;
using MicCheck.Api.Webhooks;
using Microsoft.AspNetCore.Http;
using Microsoft.EntityFrameworkCore;
using Moq;
using NUnit.Framework;
namespace MicCheck.Api.Tests.Unit.Audit;
[TestFixture]
public class AuditServiceTests
{
private MicCheckDbContext _db = null!;
private AuditService _service = null!;
private WebhookQueue _queue = null!;
[SetUp]
public void SetUp()
{
var options = new DbContextOptionsBuilder<MicCheckDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
_db = new MicCheckDbContext(options);
_queue = new WebhookQueue();
var httpContextAccessor = new Mock<IHttpContextAccessor>();
httpContextAccessor.Setup(x => x.HttpContext).Returns((Microsoft.AspNetCore.Http.HttpContext?)null);
_service = new AuditService(_db, httpContextAccessor.Object, _queue);
}
[TearDown]
public void TearDown() => _db.Dispose();
[Test]
public async Task WhenRecordingWithNoBefore_ThenChangesIsNull()
{
await _service.RecordAsync("Feature", "1", "created", organizationId: 1);
var log = await _db.AuditLogs.FirstAsync();
Assert.That(log.Changes, Is.Null);
}
[Test]
public async Task WhenRecordingWithAfterOnly_ThenChangesContainsAfterJson()
{
var after = new { Name = "dark_mode", Enabled = true };
await _service.RecordAsync("Feature", "1", "created", organizationId: 1, after: after);
var log = await _db.AuditLogs.FirstAsync();
Assert.That(log.Changes, Is.Not.Null);
var changes = JsonDocument.Parse(log.Changes!).RootElement;
Assert.That(changes.GetProperty("after").GetProperty("name").GetString(), Is.EqualTo("dark_mode"));
Assert.That(changes.TryGetProperty("before", out var beforeProp), Is.True);
Assert.That(beforeProp.ValueKind, Is.EqualTo(JsonValueKind.Null));
}
[Test]
public async Task WhenRecordingWithBeforeAndAfter_ThenChangesCapturesBothStates()
{
var before = new { Enabled = false, Value = "old" };
var after = new { Enabled = true, Value = "new" };
await _service.RecordAsync("FeatureState", "42", "updated", organizationId: 1,
before: before, after: after);
var log = await _db.AuditLogs.FirstAsync();
var changes = JsonDocument.Parse(log.Changes!).RootElement;
Assert.That(changes.GetProperty("before").GetProperty("enabled").GetBoolean(), Is.False);
Assert.That(changes.GetProperty("after").GetProperty("enabled").GetBoolean(), Is.True);
Assert.That(changes.GetProperty("before").GetProperty("value").GetString(), Is.EqualTo("old"));
Assert.That(changes.GetProperty("after").GetProperty("value").GetString(), Is.EqualTo("new"));
}
[Test]
public async Task WhenRecording_ThenMetadataIsPersistedCorrectly()
{
await _service.RecordAsync(
"Segment", "5", "deleted",
organizationId: 10, projectId: 20, environmentId: 30);
var log = await _db.AuditLogs.FirstAsync();
Assert.That(log.ResourceType, Is.EqualTo("Segment"));
Assert.That(log.ResourceId, Is.EqualTo("5"));
Assert.That(log.Action, Is.EqualTo("deleted"));
Assert.That(log.OrganizationId, Is.EqualTo(10));
Assert.That(log.ProjectId, Is.EqualTo(20));
Assert.That(log.EnvironmentId, Is.EqualTo(30));
Assert.That(log.ActorUserId, Is.Null);
}
[Test]
public async Task WhenRecording_ThenAuditLogCreatedEventIsEnqueued()
{
await _service.RecordAsync("Feature", "1", "created", organizationId: 1);
var events = new List<WebhookEvent>();
var cts = new CancellationTokenSource(TimeSpan.FromMilliseconds(100));
try
{
await foreach (var e in _queue.ReadAllAsync(cts.Token))
{
events.Add(e);
break;
}
}
catch (OperationCanceledException) { }
Assert.That(events, Has.Count.EqualTo(1));
Assert.That(events[0].EventType, Is.EqualTo(WebhookEventTypes.AuditLogCreated));
}
}

View File

@@ -1,9 +1,9 @@
using System.Net;
using System.Net.Http.Json;
using MicCheck.Api.Auth;
using MicCheck.Api.Authorization;
using NUnit.Framework;
namespace MicCheck.Api.Tests.Unit.Auth;
namespace MicCheck.Api.Tests.Unit.Authorization;
[TestFixture]
public class AuthEndpointsTests

View File

@@ -1,11 +1,11 @@
using System.IdentityModel.Tokens.Jwt;
using MicCheck.Api.Auth;
using MicCheck.Api.Authorization;
using MicCheck.Api.Organizations;
using MicCheck.Api.Users;
using Microsoft.Extensions.Configuration;
using NUnit.Framework;
namespace MicCheck.Api.Tests.Unit.Auth;
namespace MicCheck.Api.Tests.Unit.Authorization;
[TestFixture]
public class TokenServiceTests

View File

@@ -25,7 +25,8 @@ public class EnvironmentServiceTests
.Options;
_db = new MicCheckDbContext(options);
var auditService = new Mock<AuditService>(_db, null!);
var webhookQueue = new MicCheck.Api.Webhooks.WebhookQueue();
var auditService = new Mock<AuditService>(_db, null!, webhookQueue);
auditService.Setup(a => a.LogAsync(
It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(),
It.IsAny<int>(), It.IsAny<int?>(), It.IsAny<int?>(),

View File

@@ -26,14 +26,15 @@ public class FeatureServiceTests
.Options;
_db = new MicCheckDbContext(options);
var auditService = new Mock<AuditService>(_db, null!);
auditService.Setup(a => a.LogAsync(
var webhookQueue = new MicCheck.Api.Webhooks.WebhookQueue();
var auditService = new Mock<AuditService>(_db, null!, webhookQueue);
auditService.Setup(a => a.RecordAsync(
It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(),
It.IsAny<int>(), It.IsAny<int?>(), It.IsAny<int?>(),
It.IsAny<string?>(), It.IsAny<CancellationToken>()))
It.IsAny<object?>(), It.IsAny<object?>(), It.IsAny<CancellationToken>()))
.Returns(Task.CompletedTask);
_service = new FeatureService(_db, auditService.Object);
_service = new FeatureService(_db, auditService.Object, webhookQueue);
SeedBaseData();
}

View File

@@ -24,7 +24,8 @@ public class SegmentServiceTests
.Options;
_db = new MicCheckDbContext(options);
var auditService = new Mock<AuditService>(_db, null!);
var webhookQueue = new MicCheck.Api.Webhooks.WebhookQueue();
var auditService = new Mock<AuditService>(_db, null!, webhookQueue);
auditService.Setup(a => a.LogAsync(
It.IsAny<string>(), It.IsAny<string>(), It.IsAny<string>(),
It.IsAny<int>(), It.IsAny<int?>(), It.IsAny<int?>(),

View File

@@ -0,0 +1,227 @@
using System.Net;
using System.Security.Cryptography;
using System.Text;
using MicCheck.Api.Data;
using MicCheck.Api.Webhooks;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.Logging.Abstractions;
using Moq;
using Moq.Protected;
using NUnit.Framework;
namespace MicCheck.Api.Tests.Unit.Webhooks;
[TestFixture]
public class WebhookDispatcherTests
{
[Test]
public void WhenComputingSignature_ThenItMatchesHmacSha256()
{
const string secret = "my-secret";
const string payload = """{"event_type":"FLAG_UPDATED","data":{}}""";
var result = WebhookDispatcher.ComputeSignature(secret, payload);
var keyBytes = Encoding.UTF8.GetBytes(secret);
var payloadBytes = Encoding.UTF8.GetBytes(payload);
var expected = "sha256=" + Convert.ToHexString(HMACSHA256.HashData(keyBytes, payloadBytes)).ToLowerInvariant();
Assert.That(result, Is.EqualTo(expected));
}
[Test]
public void WhenComputingSignatureWithDifferentPayloads_ThenResultsDiffer()
{
const string secret = "my-secret";
var sig1 = WebhookDispatcher.ComputeSignature(secret, "payload-one");
var sig2 = WebhookDispatcher.ComputeSignature(secret, "payload-two");
Assert.That(sig1, Is.Not.EqualTo(sig2));
}
[Test]
public void WhenComputingSignatureWithDifferentSecrets_ThenResultsDiffer()
{
const string payload = "same-payload";
var sig1 = WebhookDispatcher.ComputeSignature("secret-a", payload);
var sig2 = WebhookDispatcher.ComputeSignature("secret-b", payload);
Assert.That(sig1, Is.Not.EqualTo(sig2));
}
[Test]
public async Task WhenDispatchingToActiveWebhook_ThenPayloadIsPostedWithSignatureHeader()
{
var (db, factory, capturedRequests) = SetUpDispatcher(HttpStatusCode.OK);
var org = new MicCheck.Api.Organizations.Organization { Name = "Org", CreatedAt = DateTimeOffset.UtcNow };
db.Organizations.Add(org);
db.SaveChanges();
db.Webhooks.Add(new Webhook
{
Url = "https://example.com/hook",
Secret = "test-secret",
Scope = WebhookScope.Organization,
OrganizationId = org.Id,
Enabled = true,
CreatedAt = DateTimeOffset.UtcNow
});
db.SaveChanges();
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
var webhookEvent = new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = org.Id,
Data = new { test = true }
};
await dispatcher.DispatchAsync(webhookEvent);
Assert.That(capturedRequests, Has.Count.EqualTo(1));
Assert.That(capturedRequests[0].Headers.Contains("X-Flagsmith-Signature"), Is.True);
}
[Test]
public async Task WhenDispatchingToWebhookWithoutSecret_ThenNoSignatureHeaderIsAdded()
{
var (db, factory, capturedRequests) = SetUpDispatcher(HttpStatusCode.OK);
var org = new MicCheck.Api.Organizations.Organization { Name = "Org", CreatedAt = DateTimeOffset.UtcNow };
db.Organizations.Add(org);
db.SaveChanges();
db.Webhooks.Add(new Webhook
{
Url = "https://example.com/hook",
Secret = null,
Scope = WebhookScope.Organization,
OrganizationId = org.Id,
Enabled = true,
CreatedAt = DateTimeOffset.UtcNow
});
db.SaveChanges();
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
await dispatcher.DispatchAsync(new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = org.Id,
Data = new { }
});
Assert.That(capturedRequests[0].Headers.Contains("X-Flagsmith-Signature"), Is.False);
}
[Test]
public async Task WhenDeliverySucceeds_ThenDeliveryLogIsRecordedAsSuccess()
{
var (db, factory, _) = SetUpDispatcher(HttpStatusCode.OK);
var org = new MicCheck.Api.Organizations.Organization { Name = "Org", CreatedAt = DateTimeOffset.UtcNow };
db.Organizations.Add(org);
db.SaveChanges();
db.Webhooks.Add(new Webhook
{
Url = "https://example.com/hook",
Scope = WebhookScope.Organization,
OrganizationId = org.Id,
Enabled = true,
CreatedAt = DateTimeOffset.UtcNow
});
db.SaveChanges();
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
await dispatcher.DispatchAsync(new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = org.Id,
Data = new { }
});
var log = db.WebhookDeliveryLogs.First();
Assert.That(log.Success, Is.True);
Assert.That(log.ResponseStatusCode, Is.EqualTo(200));
Assert.That(log.AttemptNumber, Is.EqualTo(1));
}
[Test]
public async Task WhenDeliveryFails_ThenDeliveryLogIsRecordedAsFailure()
{
var (db, factory, _) = SetUpDispatcher(HttpStatusCode.InternalServerError);
var org = new MicCheck.Api.Organizations.Organization { Name = "Org", CreatedAt = DateTimeOffset.UtcNow };
db.Organizations.Add(org);
db.SaveChanges();
db.Webhooks.Add(new Webhook
{
Url = "https://example.com/hook",
Scope = WebhookScope.Organization,
OrganizationId = org.Id,
Enabled = true,
CreatedAt = DateTimeOffset.UtcNow
});
db.SaveChanges();
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
await dispatcher.DispatchAsync(new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = org.Id,
Data = new { }
});
var log = db.WebhookDeliveryLogs.First();
Assert.That(log.Success, Is.False);
Assert.That(log.ResponseStatusCode, Is.EqualTo(500));
}
[Test]
public async Task WhenNoWebhooksAreRegistered_ThenNoDeliveryLogsAreCreated()
{
var (db, factory, _) = SetUpDispatcher(HttpStatusCode.OK);
var dispatcher = new WebhookDispatcher(db, factory, NullLogger<WebhookDispatcher>.Instance);
await dispatcher.DispatchAsync(new WebhookEvent
{
EventType = WebhookEventTypes.FlagUpdated,
OrganizationId = 99,
Data = new { }
});
Assert.That(db.WebhookDeliveryLogs.Count(), Is.EqualTo(0));
}
private static (MicCheckDbContext Db, IHttpClientFactory Factory, List<HttpRequestMessage> CapturedRequests)
SetUpDispatcher(HttpStatusCode responseStatus)
{
var options = new DbContextOptionsBuilder<MicCheckDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
var db = new MicCheckDbContext(options);
var capturedRequests = new List<HttpRequestMessage>();
var handler = new Mock<HttpMessageHandler>();
handler.Protected()
.Setup<Task<HttpResponseMessage>>("SendAsync",
ItExpr.IsAny<HttpRequestMessage>(),
ItExpr.IsAny<CancellationToken>())
.ReturnsAsync((HttpRequestMessage req, CancellationToken _) =>
{
capturedRequests.Add(req);
return new HttpResponseMessage(responseStatus)
{
Content = new StringContent("ok")
};
});
var httpClient = new HttpClient(handler.Object);
var factory = new Mock<IHttpClientFactory>();
factory.Setup(f => f.CreateClient(It.IsAny<string>())).Returns(httpClient);
return (db, factory.Object, capturedRequests);
}
}

View File

@@ -0,0 +1,121 @@
using MicCheck.Api.Data;
using MicCheck.Api.Webhooks;
using Microsoft.EntityFrameworkCore;
using NUnit.Framework;
namespace MicCheck.Api.Tests.Unit.Webhooks;
[TestFixture]
public class WebhookRetryTests
{
[Test]
public void WhenRetryDelaysAreConfigured_ThenFirstRetryIsAfter5Minutes()
{
// Retry delay for attempt 1 → 2 is 5 minutes
var delay = TimeSpan.FromMinutes(5);
Assert.That(delay.TotalMinutes, Is.EqualTo(5));
}
[Test]
public void WhenRetryDelaysAreConfigured_ThenSecondRetryIsAfter30Minutes()
{
// Retry delay for attempt 2 → 3 is 30 minutes
var delay = TimeSpan.FromMinutes(30);
Assert.That(delay.TotalMinutes, Is.EqualTo(30));
}
[Test]
public async Task WhenFailedDeliveryIsOldEnough_ThenItIsEligibleForRetry()
{
var options = new DbContextOptionsBuilder<MicCheckDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
using var db = new MicCheckDbContext(options);
db.WebhookDeliveryLogs.Add(new WebhookDeliveryLog
{
WebhookId = 1,
EventType = WebhookEventTypes.FlagUpdated,
PayloadJson = """{"event_type":"FLAG_UPDATED","data":{}}""",
Success = false,
AttemptNumber = 1,
AttemptedAt = DateTimeOffset.UtcNow.AddMinutes(-6),
Duration = TimeSpan.FromMilliseconds(100)
});
await db.SaveChangesAsync();
var retryAfter = DateTimeOffset.UtcNow - TimeSpan.FromMinutes(5);
var eligible = await db.WebhookDeliveryLogs
.Where(d => !d.Success && d.AttemptNumber == 1 && d.AttemptedAt <= retryAfter)
.ToListAsync();
Assert.That(eligible, Has.Count.EqualTo(1));
}
[Test]
public async Task WhenFailedDeliveryIsTooRecent_ThenItIsNotEligibleForRetry()
{
var options = new DbContextOptionsBuilder<MicCheckDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
using var db = new MicCheckDbContext(options);
db.WebhookDeliveryLogs.Add(new WebhookDeliveryLog
{
WebhookId = 1,
EventType = WebhookEventTypes.FlagUpdated,
PayloadJson = """{"event_type":"FLAG_UPDATED","data":{}}""",
Success = false,
AttemptNumber = 1,
AttemptedAt = DateTimeOffset.UtcNow.AddMinutes(-1),
Duration = TimeSpan.FromMilliseconds(100)
});
await db.SaveChangesAsync();
var retryAfter = DateTimeOffset.UtcNow - TimeSpan.FromMinutes(5);
var eligible = await db.WebhookDeliveryLogs
.Where(d => !d.Success && d.AttemptNumber == 1 && d.AttemptedAt <= retryAfter)
.ToListAsync();
Assert.That(eligible, Is.Empty);
}
[Test]
public async Task WhenDeliveryHasAlreadyBeenRetried_ThenItIsNotRetriedAgain()
{
var options = new DbContextOptionsBuilder<MicCheckDbContext>()
.UseInMemoryDatabase(Guid.NewGuid().ToString())
.Options;
using var db = new MicCheckDbContext(options);
var firstAttemptedAt = DateTimeOffset.UtcNow.AddMinutes(-10);
db.WebhookDeliveryLogs.Add(new WebhookDeliveryLog
{
WebhookId = 1,
EventType = WebhookEventTypes.FlagUpdated,
PayloadJson = "{}",
Success = false,
AttemptNumber = 1,
AttemptedAt = firstAttemptedAt,
Duration = TimeSpan.Zero
});
db.WebhookDeliveryLogs.Add(new WebhookDeliveryLog
{
WebhookId = 1,
EventType = WebhookEventTypes.FlagUpdated,
PayloadJson = "{}",
Success = false,
AttemptNumber = 2,
AttemptedAt = firstAttemptedAt.AddMinutes(5),
Duration = TimeSpan.Zero
});
await db.SaveChangesAsync();
var alreadyRetried = await db.WebhookDeliveryLogs
.AnyAsync(d => d.WebhookId == 1 && d.AttemptNumber == 2 && d.AttemptedAt > firstAttemptedAt);
Assert.That(alreadyRetried, Is.True);
}
}