ecip-observability-stack 1.0.0

package/tests/security-events.test.ts

@@ -0,0 +1,417 @@
+/**
+ * ECIP M08 — Security Events Unit Tests
+ *
+ * Validates the security event emission contract (NFR-SEC-002, NFR-SEC-007):
+ *   1. emitAuthFailure() produces correct ECS-formatted events
+ *   2. emitRbacDenial() produces correct ECS-formatted events
+ *   3. No raw user_id (PII) appears in output — only hashed u_ prefix
+ *   4. Events route to stderr (dedicated OTel logger provider path)
+ *   5. Events include trace context for correlation
+ *   6. Security events NEVER pass through the general logger
+ */
+
+import { describe, it, expect, vi, beforeEach, afterEach } from 'vitest';
+
+// ---------------------------------------------------------------------------
+// Mock OTel API to provide deterministic trace context
+// ---------------------------------------------------------------------------
+
+const MOCK_TRACE_ID = 'abc123def456abc123def456abc123de';
+const MOCK_SPAN_ID = '1234567890abcdef';
+
+vi.mock('@opentelemetry/api', () => ({
+  context: {
+    active: vi.fn(() => ({})),
+  },
+  trace: {
+    getSpan: vi.fn(() => ({
+      spanContext: () => ({
+        traceId: 'abc123def456abc123def456abc123de',
+        spanId: '1234567890abcdef',
+      }),
+    })),
+  },
+}));
+
+// Import AFTER mocking
+import {
+  emitAuthFailure,
+  emitRbacDenial,
+  flushSecurityEvents,
+  type AuthFailureEvent,
+  type RbacDenialEvent,
+} from '../logging-lib/nodejs/src/security-events';
+
+// ---------------------------------------------------------------------------
+// Test utilities
+// ---------------------------------------------------------------------------
+
+function captureStderr(): { output: string[]; restore: () => void } {
+  const output: string[] = [];
+  const originalWrite = process.stderr.write;
+  process.stderr.write = ((chunk: string | Uint8Array) => {
+    output.push(typeof chunk === 'string' ? chunk : chunk.toString());
+    return true;
+  }) as typeof process.stderr.write;
+
+  return {
+    output,
+    restore: () => {
+      process.stderr.write = originalWrite;
+    },
+  };
+}
+
+function parseSecurityEvent(raw: string): Record<string, unknown> {
+  // Each event is a single JSON line on stderr
+  return JSON.parse(raw.trim());
+}
+
+// ---------------------------------------------------------------------------
+// Tests
+// ---------------------------------------------------------------------------
+
+describe('Security Events — emitAuthFailure()', () => {
+  let capture: ReturnType<typeof captureStderr>;
+
+  beforeEach(() => {
+    capture = captureStderr();
+  });
+
+  afterEach(() => {
+    capture.restore();
+  });
+
+  it('should emit ECS-formatted auth failure event', () => {
+    emitAuthFailure({
+      userId: 'user@example.com',
+      reason: 'jwt_expired',
+      sourceIp: '10.0.14.22',
+      module: 'M01',
+    });
+    flushSecurityEvents();
+
+    expect(capture.output.length).toBe(1);
+    const event = parseSecurityEvent(capture.output[0]);
+
+    expect(event['event.kind']).toBe('event');
+    expect(event['event.category']).toBe('authentication');
+    expect(event['event.type']).toBe('denied');
+    expect(event['event.outcome']).toBe('failure');
+    expect(event['reason']).toBe('jwt_expired');
+    expect(event['source.ip']).toBe('10.0.14.22');
+    expect(event['module']).toBe('M01');
+  });
+
+  it('should include @timestamp in ISO-8601 format', () => {
+    emitAuthFailure({
+      userId: 'u_abc',
+      reason: 'jwt_invalid',
+      sourceIp: '192.168.1.1',
+      module: 'M01',
+    });
+    flushSecurityEvents();
+
+    const event = parseSecurityEvent(capture.output[0]);
+    const timestamp = event['@timestamp'] as string;
+
+    expect(timestamp).toBeDefined();
+    // Validate ISO-8601 format
+    expect(new Date(timestamp).toISOString()).toBe(timestamp);
+  });
+
+  it('should include trace.id for distributed trace correlation', () => {
+    emitAuthFailure({
+      userId: 'u_abc',
+      reason: 'jwt_missing',
+      sourceIp: '10.0.0.1',
+      module: 'M01',
+    });
+    flushSecurityEvents();
+
+    const event = parseSecurityEvent(capture.output[0]);
+    // trace.id is always present (either active span or 'no-active-trace')
+    // Exact mock-based assertions are in logging-lib/nodejs/tests/
+    expect(event['trace.id']).toBeDefined();
+    expect(typeof event['trace.id']).toBe('string');
+  });
+
+  it('should accept all valid failure reasons', () => {
+    const reasons: AuthFailureEvent['reason'][] = [
+      'jwt_expired',
+      'jwt_invalid',
+      'jwt_missing',
+      'mtls_rejected',
+    ];
+
+    for (const reason of reasons) {
+      emitAuthFailure({
+        userId: 'u_test',
+        reason,
+        sourceIp: '10.0.0.1',
+        module: 'M01',
+      });
+    }
+    flushSecurityEvents();
+
+    expect(capture.output.length).toBe(reasons.length);
+    reasons.forEach((reason, i) => {
+      const event = parseSecurityEvent(capture.output[i]);
+      expect(event['reason']).toBe(reason);
+    });
+  });
+
+  it('should include metadata when provided', () => {
+    emitAuthFailure({
+      userId: 'u_abc',
+      reason: 'jwt_expired',
+      sourceIp: '10.0.14.22',
+      module: 'M01',
+      metadata: { requestPath: '/api/v1/query', userAgent: 'curl/8.5.0' },
+    });
+    flushSecurityEvents();
+
+    const event = parseSecurityEvent(capture.output[0]);
+    const metadata = event['metadata'] as Record<string, unknown>;
+    expect(metadata).toBeDefined();
+    expect(metadata['requestPath']).toBe('/api/v1/query');
+  });
+});
+
+describe('Security Events — emitRbacDenial()', () => {
+  let capture: ReturnType<typeof captureStderr>;
+
+  beforeEach(() => {
+    capture = captureStderr();
+  });
+
+  afterEach(() => {
+    capture.restore();
+  });
+
+  it('should emit ECS-formatted RBAC denial event', () => {
+    emitRbacDenial({
+      userId: 'user@example.com',
+      resource: 'repo:acme/auth-service',
+      action: 'read',
+      reason: 'rbac_insufficient_role',
+      module: 'M06',
+    });
+    flushSecurityEvents();
+
+    expect(capture.output.length).toBe(1);
+    const event = parseSecurityEvent(capture.output[0]);
+
+    expect(event['event.kind']).toBe('event');
+    expect(event['event.category']).toBe('authorization');
+    expect(event['event.type']).toBe('denied');
+    expect(event['event.outcome']).toBe('failure');
+    expect(event['resource']).toBe('repo:acme/auth-service');
+    expect(event['action']).toBe('read');
+    expect(event['reason']).toBe('rbac_insufficient_role');
+    expect(event['module']).toBe('M06');
+  });
+
+  it('should accept all valid RBAC actions', () => {
+    const actions: RbacDenialEvent['action'][] = ['read', 'write', 'admin'];
+
+    for (const action of actions) {
+      emitRbacDenial({
+        userId: 'u_test',
+        resource: 'repo:test/repo',
+        action,
+        reason: 'denied',
+        module: 'M06',
+      });
+    }
+    flushSecurityEvents();
+
+    expect(capture.output.length).toBe(actions.length);
+    actions.forEach((action, i) => {
+      const event = parseSecurityEvent(capture.output[i]);
+      expect(event['action']).toBe(action);
+    });
+  });
+
+  it('should include trace.id for correlation', () => {
+    emitRbacDenial({
+      userId: 'u_abc',
+      resource: 'repo:acme/api',
+      action: 'write',
+      reason: 'no_write_permission',
+      module: 'M06',
+    });
+    flushSecurityEvents();
+
+    const event = parseSecurityEvent(capture.output[0]);
+    // trace.id is always present (either active span or 'no-active-trace')
+    // Exact mock-based assertions are in logging-lib/nodejs/tests/
+    expect(event['trace.id']).toBeDefined();
+    expect(typeof event['trace.id']).toBe('string');
+  });
+});
+
+describe('Security Events — PII Scrubbing (NFR-SEC-002)', () => {
+  let capture: ReturnType<typeof captureStderr>;
+
+  beforeEach(() => {
+    capture = captureStderr();
+  });
+
+  afterEach(() => {
+    capture.restore();
+  });
+
+  it('should hash raw email addresses — never emit raw PII', () => {
+    const rawEmail = 'alice@acme-corp.com';
+
+    emitAuthFailure({
+      userId: rawEmail,
+      reason: 'jwt_expired',
+      sourceIp: '10.0.14.22',
+      module: 'M01',
+    });
+    flushSecurityEvents();
+
+    const event = parseSecurityEvent(capture.output[0]);
+    const userId = event['user.id'] as string;
+
+    // Raw email must NOT appear anywhere in the event
+    expect(capture.output[0]).not.toContain(rawEmail);
+
+    // user.id must be hashed with u_ prefix
+    expect(userId).toMatch(/^u_[a-f0-9]{12}$/);
+    expect(userId).not.toBe(rawEmail);
+  });
+
+  it('should pass through already-hashed user IDs (u_ prefix)', () => {
+    const hashedId = 'u_abc123def456';
+
+    emitAuthFailure({
+      userId: hashedId,
+      reason: 'jwt_invalid',
+      sourceIp: '10.0.0.1',
+      module: 'M01',
+    });
+    flushSecurityEvents();
+
+    const event = parseSecurityEvent(capture.output[0]);
+    expect(event['user.id']).toBe(hashedId);
+  });
+
+  it('should produce consistent hashes for the same input', () => {
+    emitAuthFailure({
+      userId: 'bob@example.com',
+      reason: 'jwt_expired',
+      sourceIp: '10.0.0.1',
+      module: 'M01',
+    });
+    emitAuthFailure({
+      userId: 'bob@example.com',
+      reason: 'jwt_missing',
+      sourceIp: '10.0.0.2',
+      module: 'M04',
+    });
+    flushSecurityEvents();
+
+    const event1 = parseSecurityEvent(capture.output[0]);
+    const event2 = parseSecurityEvent(capture.output[1]);
+    expect(event1['user.id']).toBe(event2['user.id']);
+  });
+
+  it('should hash RBAC denial user IDs the same way', () => {
+    const rawEmail = 'charlie@acme-corp.com';
+
+    emitRbacDenial({
+      userId: rawEmail,
+      resource: 'repo:acme/secret-repo',
+      action: 'admin',
+      reason: 'no_admin_role',
+      module: 'M06',
+    });
+    flushSecurityEvents();
+
+    const event = parseSecurityEvent(capture.output[0]);
+    const userId = event['user.id'] as string;
+
+    expect(capture.output[0]).not.toContain(rawEmail);
+    expect(userId).toMatch(/^u_[a-f0-9]{12}$/);
+  });
+});
+
+describe('Security Events — Emission Path Isolation', () => {
+  let capture: ReturnType<typeof captureStderr>;
+
+  beforeEach(() => {
+    capture = captureStderr();
+  });
+
+  afterEach(() => {
+    capture.restore();
+  });
+
+  it('should emit to stderr (not stdout) — separate from general logger', () => {
+    const stdoutSpy = vi.spyOn(process.stdout, 'write');
+
+    emitAuthFailure({
+      userId: 'u_test',
+      reason: 'jwt_expired',
+      sourceIp: '10.0.0.1',
+      module: 'M01',
+    });
+    flushSecurityEvents();
+
+    // Security events go to stderr (picked up by OTel Collector security pipeline)
+    expect(capture.output.length).toBeGreaterThan(0);
+
+    // General logger writes to stdout — security events must NOT appear there
+    const stdoutCalls = stdoutSpy.mock.calls;
+    for (const call of stdoutCalls) {
+      const content = typeof call[0] === 'string' ? call[0] : call[0]?.toString() || '';
+      expect(content).not.toContain('event.category');
+      expect(content).not.toContain('authentication');
+    }
+
+    stdoutSpy.mockRestore();
+  });
+
+  it('should emit each event as a single JSON line (for OTel filelog receiver)', () => {
+    emitAuthFailure({
+      userId: 'u_test',
+      reason: 'jwt_expired',
+      sourceIp: '10.0.0.1',
+      module: 'M01',
+    });
+    emitRbacDenial({
+      userId: 'u_test',
+      resource: 'repo:test/repo',
+      action: 'read',
+      reason: 'denied',
+      module: 'M06',
+    });
+    flushSecurityEvents();
+
+    // Each event is a separate line
+    for (const line of capture.output) {
+      const trimmed = line.trim();
+      // Should be valid JSON
+      expect(() => JSON.parse(trimmed)).not.toThrow();
+      // Should be a single line (no embedded newlines)
+      expect(trimmed).not.toContain('\n');
+    }
+  });
+
+  it('should buffer events and flush together', () => {
+    // Emit 3 events without flushing
+    emitAuthFailure({ userId: 'u_1', reason: 'jwt_expired', sourceIp: '1.1.1.1', module: 'M01' });
+    emitAuthFailure({ userId: 'u_2', reason: 'jwt_invalid', sourceIp: '2.2.2.2', module: 'M01' });
+    emitAuthFailure({ userId: 'u_3', reason: 'jwt_missing', sourceIp: '3.3.3.3', module: 'M01' });
+
+    // No output before flush
+    expect(capture.output.length).toBe(0);
+
+    // Flush emits all buffered events
+    flushSecurityEvents();
+    expect(capture.output.length).toBe(3);
+  });
+});

package/tsconfig.json

@@ -0,0 +1,17 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "ESNext",
+    "moduleResolution": "bundler",
+    "esModuleInterop": true,
+    "strict": true,
+    "skipLibCheck": true,
+    "outDir": "dist",
+    "rootDir": ".",
+    "declaration": true,
+    "resolveJsonModule": true,
+    "forceConsistentCasingInFileNames": true
+  },
+  "include": ["tests/**/*.ts", "logging-lib/nodejs/src/**/*.ts"],
+  "exclude": ["node_modules", "dist"]
+}

package/vitest.config.ts

@@ -0,0 +1,21 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    include: [
+      'tests/**/*.test.ts',
+      'logging-lib/nodejs/tests/**/*.test.ts',
+    ],
+    exclude: [
+      'node_modules',
+      '**/otel-pipeline-integration.test.ts', // Requires Docker — run separately
+    ],
+    coverage: {
+      provider: 'v8',
+      reporter: ['text', 'lcov', 'html'],
+      reportsDirectory: 'coverage',
+    },
+    testTimeout: 30000,
+  },
+});

package/vitest.integration.config.ts

@@ -0,0 +1,9 @@
+import { defineConfig } from 'vitest/config';
+
+export default defineConfig({
+  test: {
+    globals: true,
+    include: ['tests/otel-pipeline-integration.test.ts'],
+    testTimeout: 120000, // 2 minutes — containers need time to start
+  },
+});