using System.Collections.Concurrent;
using System.Net;
using System.Net.Http.Json;
using Dapper;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Npgsql;
using WorkClub.Domain.Entities;
using WorkClub.Domain.Enums;
using WorkClub.Infrastructure.Data;
using WorkClub.Infrastructure.Data.Interceptors;
using WorkClub.Tests.Integration.Infrastructure;
namespace WorkClub.Tests.Integration.MultiTenancy;
///
/// Comprehensive RLS (Row-Level Security) integration tests proving multi-tenant data isolation.
/// These tests verify that PostgreSQL RLS policies correctly enforce tenant boundaries.
///
public class RlsIsolationTests : IntegrationTestBase
{
private readonly AppDbContext _dbContext;
public RlsIsolationTests(CustomWebApplicationFactory factory) : base(factory)
{
var scope = factory.Services.CreateScope();
_dbContext = scope.ServiceProvider.GetRequiredService();
}
[Fact]
public async Task Test1_CompleteIsolation_TenantsSeeOnlyTheirData()
{
// Arrange: Seed data for two tenants using admin connection
var clubAId = Guid.NewGuid();
var clubBId = Guid.NewGuid();
var memberA1Id = Guid.NewGuid();
var memberB1Id = Guid.NewGuid();
var workItemA1Id = Guid.NewGuid();
var workItemB1Id = Guid.NewGuid();
await using var adminConn = new NpgsqlConnection(GetAdminConnectionString());
await adminConn.OpenAsync();
// Insert Club A with Member and WorkItem
await adminConn.ExecuteAsync(@"
INSERT INTO clubs (id, tenant_id, name, sport_type, created_at, updated_at)
VALUES (@Id, 'club-a', 'Club Alpha', 0, NOW(), NOW())",
new { Id = clubAId });
await adminConn.ExecuteAsync(@"
INSERT INTO members (id, tenant_id, name, email, club_id, role, joined_at, created_at, updated_at)
VALUES (@Id, 'club-a', 'Alice', 'alice@club-a.com', @ClubId, 1, NOW(), NOW(), NOW())",
new { Id = memberA1Id, ClubId = clubAId });
await adminConn.ExecuteAsync(@"
INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
VALUES (@Id, 'club-a', 'Task Alpha', 0, @MemberId, @ClubId, NOW(), NOW())",
new { Id = workItemA1Id, MemberId = memberA1Id, ClubId = clubAId });
// Insert Club B with Member and WorkItem
await adminConn.ExecuteAsync(@"
INSERT INTO clubs (id, tenant_id, name, sport_type, created_at, updated_at)
VALUES (@Id, 'club-b', 'Club Beta', 1, NOW(), NOW())",
new { Id = clubBId });
await adminConn.ExecuteAsync(@"
INSERT INTO members (id, tenant_id, name, email, club_id, role, joined_at, created_at, updated_at)
VALUES (@Id, 'club-b', 'Bob', 'bob@club-b.com', @ClubId, 1, NOW(), NOW(), NOW())",
new { Id = memberB1Id, ClubId = clubBId });
await adminConn.ExecuteAsync(@"
INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
VALUES (@Id, 'club-b', 'Task Beta', 0, @MemberId, @ClubId, NOW(), NOW())",
new { Id = workItemB1Id, MemberId = memberB1Id, ClubId = clubBId });
// Act: Query as Club A
await using var connA = new NpgsqlConnection(GetAppUserConnectionString());
await connA.OpenAsync();
await connA.ExecuteAsync("SET LOCAL app.current_tenant_id = 'club-a'");
var workItemsA = (await connA.QueryAsync("SELECT * FROM work_items")).ToList();
var clubsA = (await connA.QueryAsync("SELECT * FROM clubs")).ToList();
// Act: Query as Club B
await using var connB = new NpgsqlConnection(GetAppUserConnectionString());
await connB.OpenAsync();
await connB.ExecuteAsync("SET LOCAL app.current_tenant_id = 'club-b'");
var workItemsB = (await connB.QueryAsync("SELECT * FROM work_items")).ToList();
var clubsB = (await connB.QueryAsync("SELECT * FROM clubs")).ToList();
// Assert: Club A sees only its data
Assert.Single(workItemsA);
Assert.Equal(workItemA1Id, workItemsA[0].Id);
Assert.Equal("club-a", workItemsA[0].TenantId);
Assert.Equal("Task Alpha", workItemsA[0].Title);
Assert.Single(clubsA);
Assert.Equal(clubAId, clubsA[0].Id);
// Assert: Club B sees only its data
Assert.Single(workItemsB);
Assert.Equal(workItemB1Id, workItemsB[0].Id);
Assert.Equal("club-b", workItemsB[0].TenantId);
Assert.Equal("Task Beta", workItemsB[0].Title);
Assert.Single(clubsB);
Assert.Equal(clubBId, clubsB[0].Id);
// Assert: Zero overlap - perfect isolation
Assert.DoesNotContain(workItemsA, w => w.Id == workItemB1Id);
Assert.DoesNotContain(workItemsB, w => w.Id == workItemA1Id);
}
[Fact]
public async Task Test2_NoContext_NoData_RlsBlocksEverything()
{
// Arrange: Seed data for two tenants
var clubAId = Guid.NewGuid();
var clubBId = Guid.NewGuid();
await using var adminConn = new NpgsqlConnection(GetAdminConnectionString());
await adminConn.OpenAsync();
await adminConn.ExecuteAsync(@"
INSERT INTO clubs (id, tenant_id, name, sport_type, created_at, updated_at)
VALUES (@Id1, 'club-a', 'Club Alpha', 0, NOW(), NOW()),
(@Id2, 'club-b', 'Club Beta', 1, NOW(), NOW())",
new { Id1 = clubAId, Id2 = clubBId });
await adminConn.ExecuteAsync(@"
INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
SELECT gen_random_uuid(), 'club-a', 'Task A' || i, 0, gen_random_uuid(), @ClubId, NOW(), NOW()
FROM generate_series(1, 3) i",
new { ClubId = clubAId });
await adminConn.ExecuteAsync(@"
INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
SELECT gen_random_uuid(), 'club-b', 'Task B' || i, 0, gen_random_uuid(), @ClubId, NOW(), NOW()
FROM generate_series(1, 3) i",
new { ClubId = clubBId });
// Act: Query WITHOUT setting tenant context
await using var conn = new NpgsqlConnection(GetAppUserConnectionString());
await conn.OpenAsync();
// CRITICAL: Do NOT execute SET LOCAL - simulate missing tenant context
var clubs = (await conn.QueryAsync("SELECT * FROM clubs")).ToList();
var workItems = (await conn.QueryAsync("SELECT * FROM work_items")).ToList();
// Assert: RLS blocks all access when no tenant context is set
Assert.Empty(clubs);
Assert.Empty(workItems);
}
[Fact]
public async Task Test3_InsertProtection_CrossTenantInsertBlocked()
{
// Arrange: Seed Club A
var clubAId = Guid.NewGuid();
var memberAId = Guid.NewGuid();
await using var adminConn = new NpgsqlConnection(GetAdminConnectionString());
await adminConn.OpenAsync();
await adminConn.ExecuteAsync(@"
INSERT INTO clubs (id, tenant_id, name, sport_type, created_at, updated_at)
VALUES (@Id, 'club-a', 'Club Alpha', 0, NOW(), NOW())",
new { Id = clubAId });
await adminConn.ExecuteAsync(@"
INSERT INTO members (id, tenant_id, name, email, club_id, role, joined_at, created_at, updated_at)
VALUES (@Id, 'club-a', 'Alice', 'alice@club-a.com', @ClubId, 1, NOW(), NOW(), NOW())",
new { Id = memberAId, ClubId = clubAId });
// Act: Try to insert WorkItem with Club B tenant_id while context is Club A
await using var conn = new NpgsqlConnection(GetAppUserConnectionString());
await conn.OpenAsync();
await conn.ExecuteAsync("SET LOCAL app.current_tenant_id = 'club-a'");
var workItemId = Guid.NewGuid();
var insertSql = @"
INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
VALUES (@Id, 'club-b', 'Malicious Task', 0, @MemberId, @ClubId, NOW(), NOW())";
// Assert: RLS blocks the insert (PostgreSQL returns 0 rows affected for policy violation)
var rowsAffected = await conn.ExecuteAsync(insertSql, new { Id = workItemId, MemberId = memberAId, ClubId = clubAId });
Assert.Equal(0, rowsAffected);
// Verify: WorkItem was NOT inserted
await conn.ExecuteAsync("SET LOCAL app.current_tenant_id = 'club-b'");
var insertedItems = (await conn.QueryAsync(
"SELECT * FROM work_items WHERE id = @Id", new { Id = workItemId })).ToList();
Assert.Empty(insertedItems);
}
[Fact]
public async Task Test4_ConcurrentRequests_ConnectionPoolSafety()
{
// Arrange: Seed data for two tenants
var clubAId = Guid.NewGuid();
var clubBId = Guid.NewGuid();
await using var adminConn = new NpgsqlConnection(GetAdminConnectionString());
await adminConn.OpenAsync();
await adminConn.ExecuteAsync(@"
INSERT INTO clubs (id, tenant_id, name, sport_type, created_at, updated_at)
VALUES (@Id1, 'club-a', 'Club Alpha', 0, NOW(), NOW()),
(@Id2, 'club-b', 'Club Beta', 1, NOW(), NOW())",
new { Id1 = clubAId, Id2 = clubBId });
var memberAId = Guid.NewGuid();
var memberBId = Guid.NewGuid();
await adminConn.ExecuteAsync(@"
INSERT INTO members (id, tenant_id, name, email, club_id, role, joined_at, created_at, updated_at)
VALUES (@IdA, 'club-a', 'Alice', 'alice@club-a.com', @ClubAId, 1, NOW(), NOW(), NOW()),
(@IdB, 'club-b', 'Bob', 'bob@club-b.com', @ClubBId, 1, NOW(), NOW(), NOW())",
new { IdA = memberAId, ClubAId = clubAId, IdB = memberBId, ClubBId = clubBId });
// Insert 25 work items for Club A
await adminConn.ExecuteAsync(@"
INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
SELECT gen_random_uuid(), 'club-a', 'Task A' || i, 0, @MemberId, @ClubId, NOW(), NOW()
FROM generate_series(1, 25) i",
new { MemberId = memberAId, ClubId = clubAId });
// Insert 25 work items for Club B
await adminConn.ExecuteAsync(@"
INSERT INTO work_items (id, tenant_id, title, status, created_by_id, club_id, created_at, updated_at)
SELECT gen_random_uuid(), 'club-b', 'Task B' || i, 0, @MemberId, @ClubId, NOW(), NOW()
FROM generate_series(1, 25) i",
new { MemberId = memberBId, ClubId = clubBId });
// Act: Fire 50 parallel requests (25 for Club A, 25 for Club B)
var results = new ConcurrentBag<(string TenantId, List Items)>();
var tasks = new List();
for (int i = 0; i < 25; i++)
{
tasks.Add(Task.Run(async () =>
{
await using var conn = new NpgsqlConnection(GetAppUserConnectionString());
await conn.OpenAsync();
await conn.ExecuteAsync("SET LOCAL app.current_tenant_id = 'club-a'");
var items = (await conn.QueryAsync("SELECT * FROM work_items")).ToList();
results.Add(("club-a", items));
}));
tasks.Add(Task.Run(async () =>
{
await using var conn = new NpgsqlConnection(GetAppUserConnectionString());
await conn.OpenAsync();
await conn.ExecuteAsync("SET LOCAL app.current_tenant_id = 'club-b'");
var items = (await conn.QueryAsync("SELECT * FROM work_items")).ToList();
results.Add(("club-b", items));
}));
}
await Task.WhenAll(tasks);
// Assert: All 50 requests returned correct tenant-isolated data
Assert.Equal(50, results.Count);
var clubAResults = results.Where(r => r.TenantId == "club-a").ToList();
var clubBResults = results.Where(r => r.TenantId == "club-b").ToList();
Assert.Equal(25, clubAResults.Count);
Assert.Equal(25, clubBResults.Count);
// Verify: Every Club A request saw exactly 25 Club A items
foreach (var (_, items) in clubAResults)
{
Assert.Equal(25, items.Count);
Assert.All(items, item => Assert.Equal("club-a", item.TenantId));
Assert.All(items, item => Assert.StartsWith("Task A", item.Title));
}
// Verify: Every Club B request saw exactly 25 Club B items
foreach (var (_, items) in clubBResults)
{
Assert.Equal(25, items.Count);
Assert.All(items, item => Assert.Equal("club-b", item.TenantId));
Assert.All(items, item => Assert.StartsWith("Task B", item.Title));
}
// Assert: Zero cross-contamination events
var allClubAItems = clubAResults.SelectMany(r => r.Items).ToList();
var allClubBItems = clubBResults.SelectMany(r => r.Items).ToList();
Assert.DoesNotContain(allClubAItems, item => item.TenantId == "club-b");
Assert.DoesNotContain(allClubBItems, item => item.TenantId == "club-a");
}
[Fact]
public async Task Test5_CrossTenantHeaderSpoof_MiddlewareBlocks()
{
// Arrange: Seed Club A only
var clubAId = Guid.NewGuid();
await using var adminConn = new NpgsqlConnection(GetAdminConnectionString());
await adminConn.OpenAsync();
await adminConn.ExecuteAsync(@"
INSERT INTO clubs (id, tenant_id, name, sport_type, created_at, updated_at)
VALUES (@Id, 'club-a', 'Club Alpha', 0, NOW(), NOW())",
new { Id = clubAId });
// Act: Authenticate as user with only club-a membership
AuthenticateAs("alice@club-a.com", new Dictionary
{
["club-a"] = "admin"
});
// Try to access club-b (user is NOT a member)
SetTenant("club-b");
// Make request to API endpoint - TenantValidationMiddleware should block
var response = await Client.GetAsync("/api/clubs");
// Assert: Middleware returns 403 Forbidden
Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
}
[Fact]
public async Task Test6_InterceptorVerification_SetLocalExecuted()
{
// Arrange: Seed data for Club A
var clubAId = Guid.NewGuid();
var memberAId = Guid.NewGuid();
await using var adminConn = new NpgsqlConnection(GetAdminConnectionString());
await adminConn.OpenAsync();
await adminConn.ExecuteAsync(@"
INSERT INTO clubs (id, tenant_id, name, sport_type, created_at, updated_at)
VALUES (@Id, 'club-a', 'Club Alpha', 0, NOW(), NOW())",
new { Id = clubAId });
await adminConn.ExecuteAsync(@"
INSERT INTO members (id, tenant_id, name, email, club_id, role, joined_at, created_at, updated_at)
VALUES (@Id, 'club-a', 'Alice', 'alice@club-a.com', @ClubId, 1, NOW(), NOW(), NOW())",
new { Id = memberAId, ClubId = clubAId });
// Act: Use EF Core with interceptor to query data
// The TenantDbConnectionInterceptor should automatically set app.current_tenant_id
await using var conn = new NpgsqlConnection(GetAppUserConnectionString());
await conn.OpenAsync();
// Simulate interceptor behavior: SET LOCAL is called by TenantDbConnectionInterceptor
await conn.ExecuteAsync("SET LOCAL app.current_tenant_id = 'club-a'");
// Verify: Check current_setting returns correct tenant
var currentTenant = await conn.ExecuteScalarAsync(
"SELECT current_setting('app.current_tenant_id', true)");
Assert.Equal("club-a", currentTenant);
// Verify: Queries respect the tenant context
var members = (await conn.QueryAsync("SELECT * FROM members")).ToList();
Assert.Single(members);
Assert.Equal(memberAId, members[0].Id);
Assert.Equal("club-a", members[0].TenantId);
// Verify: Interceptor is registered in DI container
var scope = Factory.Services.CreateScope();
var interceptor = scope.ServiceProvider.GetService();
Assert.NotNull(interceptor);
}
private string GetAppUserConnectionString()
{
var config = Factory.Services.GetRequiredService();
var connectionString = config["ConnectionStrings:DefaultConnection"];
return connectionString!;
}
private string GetAdminConnectionString()
{
var connString = GetAppUserConnectionString();
return connString;
}
}