Uwe Schuster
2e11408240
- H-1 cert-DN spoofing: IRuntimeConfig::certAuthTrusted() now defaults to false (fail-closed). X-SSL-Client-DN is an ordinary request header; a loopback bind does not prove it came from a TLS-terminating proxy. Consumers must opt in explicitly behind a header-stripping proxy. - H-3 scope reparenting: ScopeGuardRepository::save() now also checks the EXISTING row's scope (via a new required entity-id accessor), so an actor can't claim an out-of-scope row by relabelling it in the request body. - H-2 IQueryable bypass: add ScopeGuardQueryable<T> — filters query() results through the same predicate so the queryable surface can't escape the scope guard. - H-4 TemporalRepository TOCTOU: serialise the read-modify-write with a per-instance mutex (no more duplicate-live / lost-update under concurrent same-entity saves) and add an optional TxRunner so the close-then-insert pair can commit/rollback atomically. - H-5 SMTP header injection: reject CR/LF/NUL in `to`/`fromAddress` before building the envelope and From:/To: header lines. Tests: expand test_repository_decorators (reparenting + queryable filtering), add curl-guarded test_smtp_transport (base64 vectors + CRLF guard). All 15 ctest targets pass. README updated. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
83 lines
4.2 KiB
CMake
83 lines
4.2 KiB
CMake
# Minimal test harness for oatpp-authkit.
|
|
#
|
|
# Adds plain executable tests linked against the INTERFACE library and oatpp.
|
|
# No third-party test framework — assertions use <cassert> and a tiny REQUIRE
|
|
# macro so the suite stays portable and dependency-free.
|
|
|
|
find_package(oatpp REQUIRED)
|
|
|
|
add_executable(test_negotiation test_negotiation.cpp)
|
|
target_link_libraries(test_negotiation PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME negotiation COMMAND test_negotiation)
|
|
|
|
add_executable(test_body_size_limit test_body_size_limit.cpp)
|
|
target_link_libraries(test_body_size_limit PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME body_size_limit COMMAND test_body_size_limit)
|
|
|
|
add_executable(test_security_headers test_security_headers.cpp)
|
|
target_link_libraries(test_security_headers PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME security_headers COMMAND test_security_headers)
|
|
|
|
add_executable(test_json_serialization test_json_serialization.cpp)
|
|
target_link_libraries(test_json_serialization PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME json_serialization COMMAND test_json_serialization)
|
|
|
|
add_executable(test_repository_interface test_repository_interface.cpp)
|
|
target_link_libraries(test_repository_interface PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME repository_interface COMMAND test_repository_interface)
|
|
|
|
add_executable(test_repository_decorators test_repository_decorators.cpp)
|
|
target_link_libraries(test_repository_decorators PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME repository_decorators COMMAND test_repository_decorators)
|
|
|
|
add_executable(test_queryable test_queryable.cpp)
|
|
target_link_libraries(test_queryable PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME queryable COMMAND test_queryable)
|
|
|
|
add_executable(test_temporal_field_traits test_temporal_field_traits.cpp)
|
|
target_link_libraries(test_temporal_field_traits PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME temporal_field_traits COMMAND test_temporal_field_traits)
|
|
|
|
add_executable(test_audit_log_repository test_audit_log_repository.cpp)
|
|
target_link_libraries(test_audit_log_repository PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME audit_log_repository COMMAND test_audit_log_repository)
|
|
|
|
add_executable(test_schema_contract test_schema_contract.cpp)
|
|
target_link_libraries(test_schema_contract PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME schema_contract COMMAND test_schema_contract)
|
|
|
|
add_executable(test_redacted_field_repository test_redacted_field_repository.cpp)
|
|
target_link_libraries(test_redacted_field_repository PRIVATE oatpp::authkit oatpp::oatpp)
|
|
add_test(NAME redacted_field_repository COMMAND test_redacted_field_repository)
|
|
|
|
# SmtpTransport.hpp pulls in <curl/curl.h> and needs libcurl at link time.
|
|
# Guard the test so the suite still builds where curl dev headers are absent.
|
|
find_package(CURL QUIET)
|
|
if(CURL_FOUND)
|
|
add_executable(test_smtp_transport test_smtp_transport.cpp)
|
|
target_link_libraries(test_smtp_transport PRIVATE oatpp::authkit oatpp::oatpp CURL::libcurl)
|
|
add_test(NAME smtp_transport COMMAND test_smtp_transport)
|
|
endif()
|
|
|
|
# RoleTemplateDb pulls in oatpp-sqlite for its DbClient queries. Linking
|
|
# the test against oatpp::oatpp-sqlite provides the QUERY codegen
|
|
# definitions; the test itself doesn't open a real DB, only compiles
|
|
# against the schema declarations.
|
|
find_package(oatpp-sqlite QUIET)
|
|
find_package(Threads QUIET)
|
|
if(oatpp-sqlite_FOUND AND Threads_FOUND)
|
|
add_executable(test_role_template_schema test_role_template_schema.cpp)
|
|
target_link_libraries(test_role_template_schema
|
|
PRIVATE oatpp::authkit oatpp::oatpp oatpp::oatpp-sqlite Threads::Threads)
|
|
add_test(NAME role_template_schema COMMAND test_role_template_schema)
|
|
|
|
add_executable(test_user_permission_schema test_user_permission_schema.cpp)
|
|
target_link_libraries(test_user_permission_schema
|
|
PRIVATE oatpp::authkit oatpp::oatpp oatpp::oatpp-sqlite Threads::Threads)
|
|
add_test(NAME user_permission_schema COMMAND test_user_permission_schema)
|
|
|
|
add_executable(test_user_schema test_user_schema.cpp)
|
|
target_link_libraries(test_user_schema
|
|
PRIVATE oatpp::authkit oatpp::oatpp oatpp::oatpp-sqlite Threads::Threads)
|
|
add_test(NAME user_schema COMMAND test_user_schema)
|
|
endif()
|