feature(#22): this commit adds end-to-end tests for key rotation and key purging

https-richardy · https-richardy · commit fe4d115d58ed · 2026-04-21T17:20:01.000-03:00
diff --git a/Applications/Backend/Tests/Integration/Security/KeyRotationIntegrationTests.cs b/Applications/Backend/Tests/Integration/Security/KeyRotationIntegrationTests.cs
@@ -187,4 +187,160 @@ public async Task WhenRotateKeys_ShouldKeepOldTokenValidWhileOldKeyIsPublished()
 
         Assert.True(validationSucceeded);
     }
+
+    [Fact(DisplayName = "[e2e] - when rotating keys jwks should contain multiple keys during grace period")]
+    public async Task WhenRotateKeys_JwksShouldContainMultipleKeysDuringGracePeriod()
+    {
+        var httpClient = factory.HttpClient.WithRealmHeader("master");
+
+        var rotationService = factory.Services.GetRequiredService<ISecretRotationService>();
+        var realmCollection = factory.Services.GetRequiredService<IRealmCollection>();
+
+        var jwksResponseBefore = await httpClient.GetAsync("master/.well-known/jwks.json");
+        var jwksRawBefore = await jwksResponseBefore.Content.ReadAsStringAsync();
+
+        using var jwksBefore = JsonDocument.Parse(jwksRawBefore);
+
+        Assert.NotNull(jwksBefore);
+        Assert.True(jwksBefore.RootElement.TryGetProperty("keys", out var keysBefore));
+
+        var oldKidsCount = keysBefore.EnumerateArray()
+            .Where(key => key.TryGetProperty("kid", out _))
+            .Count();
+
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithName("master")
+            .Build();
+
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, CancellationToken.None);
+        var realm = realms.FirstOrDefault();
+
+        Assert.NotNull(realm);
+
+        await rotationService.RotateSecretAsync(realm, CancellationToken.None);
+
+        string? newKid = null;
+        var started = DateTimeOffset.UtcNow;
+
+        while (DateTimeOffset.UtcNow - started < TimeSpan.FromSeconds(10))
+        {
+            var response = await httpClient.PostAsJsonAsync("api/v1/identity/authenticate", new AuthenticationCredentials
+            {
+                Username = "federation.testing.user",
+                Password = "federation.testing.password"
+            });
+
+            var authentication = await response.Content.ReadFromJsonAsync<AuthenticationResult>();
+
+            Assert.NotNull(authentication);
+            Assert.NotEmpty(authentication.AccessToken);
+
+            var jwt = new JwtSecurityTokenHandler().ReadJwtToken(authentication.AccessToken);
+
+            newKid = jwt.Header.Kid;
+
+            var jwksResponse = await httpClient.GetAsync("master/.well-known/jwks.json");
+            var jwksRaw = await jwksResponse.Content.ReadAsStringAsync();
+
+            using var jwks = JsonDocument.Parse(jwksRaw);
+
+            Assert.True(jwks.RootElement.TryGetProperty("keys", out var keysAfter));
+
+            var newKidsCount = keysAfter.EnumerateArray()
+                .Where(key => key.TryGetProperty("kid", out _))
+                .Count();
+
+            if (newKidsCount > oldKidsCount)
+            {
+                var jwksKids = keysAfter.EnumerateArray()
+                    .Where(key => key.TryGetProperty("kid", out _))
+                    .Select(key => key.GetProperty("kid").GetString())
+                    .Where(key => !string.IsNullOrWhiteSpace(key))
+                    .Cast<string>()
+                    .ToArray();
+
+                Assert.NotEmpty(jwksKids);
+                Assert.True(jwksKids.Length >= 2, "JWKS should contain at least 2 keys during grace period");
+
+                return;
+            }
+
+            await Task.Delay(300);
+        }
+
+        Assert.Fail("JWKS never showed multiple keys during grace period");
+    }
+
+    [Fact(DisplayName = "[e2e] - when grace period expires old key should be removed from database")]
+    public async Task WhenGracePeriodExpires_ShouldRemoveOldKeyFromDatabase()
+    {
+        var httpClient = factory.HttpClient.WithRealmHeader("master");
+
+        var rotationService = factory.Services.GetRequiredService<ISecretRotationService>();
+        var realmCollection = factory.Services.GetRequiredService<IRealmCollection>();
+        var secretCollection = factory.Services.GetRequiredService<ISecretCollection>();
+
+        var realmFilters = RealmFilters.WithSpecifications()
+            .WithName("master")
+            .Build();
+
+        var realms = await realmCollection.GetRealmsAsync(realmFilters, CancellationToken.None);
+        var realm = realms.FirstOrDefault();
+
+        Assert.NotNull(realm);
+
+        var secretFiltersBefore = SecretFilters.WithSpecifications()
+            .WithRealm(realm.Id)
+            .Build();
+
+        var secretsBefore = await secretCollection.GetSecretsAsync(secretFiltersBefore, CancellationToken.None);
+        var countBefore = secretsBefore.Count;
+
+        await rotationService.RotateSecretAsync(realm, CancellationToken.None);
+
+        var started = DateTimeOffset.UtcNow;
+        while (DateTimeOffset.UtcNow - started < TimeSpan.FromSeconds(10))
+        {
+            var auth = await httpClient.PostAsJsonAsync("api/v1/identity/authenticate", new AuthenticationCredentials
+            {
+                Username = "federation.testing.user",
+                Password = "federation.testing.password"
+            });
+
+            var authResult = await auth.Content.ReadFromJsonAsync<AuthenticationResult>();
+
+            Assert.NotNull(authResult);
+
+            var secretsAfterRotation = await secretCollection.GetSecretsAsync(secretFiltersBefore, CancellationToken.None);
+            var countAfterRotation = secretsAfterRotation.Count;
+
+            if (countAfterRotation > countBefore)
+            {
+                var oldSecret = secretsAfterRotation.FirstOrDefault(secret => secret.GracePeriodEndsAt is not null);
+
+                Assert.NotNull(oldSecret);
+                Assert.NotNull(oldSecret.GracePeriodEndsAt);
+
+                oldSecret.GracePeriodEndsAt = DateTime.UtcNow.AddSeconds(-1);
+
+                await secretCollection.UpdateAsync(oldSecret, cancellation: CancellationToken.None);
+                await rotationService.PruneSecretsAsync(realm, CancellationToken.None);
+
+                var secretsAfterPrune = await secretCollection.GetSecretsAsync(secretFiltersBefore, CancellationToken.None);
+                var countAfterPrune = secretsAfterPrune.Count;
+
+                Assert.True(countAfterPrune <= countAfterRotation);
+
+                var removedSecret = secretsAfterPrune.FirstOrDefault(secret => secret.Id == oldSecret.Id);
+
+                Assert.Null(removedSecret);
+
+                return;
+            }
+
+            await Task.Delay(300);
+        }
+
+        Assert.Fail("Grace period test timeout: rotation did not complete in time");
+    }
 }
