azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-22 14:51:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-808] [AZ-811] Strict validation on region POST + lat/lon GET

Browse Source 
AZ-808: FluentValidation for POST /api/satellite/request
- RegionRequestValidator: id non-empty, lat/lon/sizeMeters/zoomLevel ranges
- RequestRegionRequest: [JsonRequired] on every property, no implicit defaults
- Wired via .WithValidation<RequestRegionRequest>() in MapPost chain
- Unit + integration tests + curl probe script
- New contract: contracts/api/region-request.md v1.0.0

AZ-811: FluentValidation + envelope filter for GET /api/satellite/tiles/latlon
- GetTileByLatLonQuery: nullable record (double?/int?) so the minimal-API
  binder never short-circuits with BadHttpRequestException before filters
- GetTileByLatLonQueryValidator: Cascade(Stop) + NotNull + InclusiveBetween
  per param; missing surfaces as `\`<name>\` is required.`
- RejectUnknownQueryParamsEndpointFilter: reusable IEndpointFilter that
  rejects any query key outside the allowed set with errors[<key>] map;
  catches legacy `?Latitude=` typos and hostile probes (`?debug=1&admin=1`)
- Handler: [AsParameters] GetTileByLatLonQuery + .Value deref post-validator
- Unit (validator + filter) + integration tests + curl probe script
- New contract: contracts/api/tile-latlon.md v1.0.0

Shared hygiene
- Promote AssertErrorsContainsMention from per-test-file private helpers to
  ProblemDetailsAssertions (closes batch-1 Low-severity DRY warning)
- Sync Swagger param descriptions, README, blackbox/security/perf scripts,
  uuidv5 doc with the new lat/lon/zoom query-param names

Docs
- system-flows.md F1/F2 reference the new contracts + validation layers
- modules/api_program.md adds Api/Validators + Api/DTOs sections
- _autodev_state.md: batch 2 of 4 complete; next batch = AZ-809

All smoke tests green (mode=smoke, exit 0). AZ-808 + AZ-811 transitioned
to In Testing on Jira.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-22 16:29:41 +03:00
parent fcd494f67e
commit 34ee1e0b83
35 changed files with 1993 additions and 122 deletions
Download Patch File Download Diff File Expand all files Collapse all files
SatelliteProvider.IntegrationTests/GetTileByLatLonValidationTests.cs
+173
View File
@@ -0,0 +1,173 @@
namespace SatelliteProvider.IntegrationTests;
// AZ-811: end-to-end coverage for GET /api/satellite/tiles/latlon strict input
// validation. Two enforcement layers:
// 1. RejectUnknownQueryParamsEndpointFilter — rejects any query key outside
// {lat, lon, zoom}, catching typos like `?latitude=` that pre-AZ-811
// silently bound to 0.
// 2. WithValidation<GetTileByLatLonQuery> — range-checks lat, lon, zoom.
// Both surface RFC 7807 ValidationProblemDetails per error-shape.md v1.0.0.
public static class GetTileByLatLonValidationTests
{
private const string LatLonPath = "/api/satellite/tiles/latlon";
public static async Task RunAll(HttpClient httpClient)
{
RouteTestHelpers.PrintTestHeader("Test: GET /api/satellite/tiles/latlon strict validation (AZ-811)");
await HappyPath_Returns200(httpClient);
// Validator rules (range)
await LatOutOfRange_Returns400(httpClient);
await LonOutOfRange_Returns400(httpClient);
await ZoomOutOfRange_Returns400(httpClient);
// Validator rules (missing required)
await MissingLat_Returns400(httpClient);
// Envelope rule: unknown query params
await UnknownQueryParam_LegacyLatitude_Returns400(httpClient);
await UnknownQueryParam_Hostile_Returns400(httpClient);
// Type mismatch (delegates to GlobalExceptionHandler via model-binding)
await LatTypeMismatch_Returns400(httpClient);
Console.WriteLine("✓ GET lat/lon validation tests: PASSED");
}
private static async Task HappyPath_Returns200(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-811 AC-2: well-formed query → HTTP 200");
// Act
var response = await httpClient.GetAsync($"{LatLonPath}?lat=47.461747&lon=37.647063&zoom=18");
var status = (int)response.StatusCode;
var bodyText = await response.Content.ReadAsStringAsync();
// Assert
if (status != 200)
{
throw new Exception($"AZ-811 happy path: expected HTTP 200, got {status}. Body: {bodyText}");
}
Console.WriteLine(" ✓ {lat,lon,zoom} accepted with HTTP 200");
}
private static async Task LatOutOfRange_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-811 rule 1: lat out of range (-90..90) → HTTP 400");
// Act
var response = await httpClient.GetAsync($"{LatLonPath}?lat=91&lon=37.647063&zoom=18");
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 lat out of range");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 lat out of range", expectedErrorPath: "lat");
Console.WriteLine(" ✓ lat=91 rejected with errors[\"lat\"]");
}
private static async Task LonOutOfRange_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-811 rule 2: lon out of range (-180..180) → HTTP 400");
// Act
var response = await httpClient.GetAsync($"{LatLonPath}?lat=47.461747&lon=181&zoom=18");
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 lon out of range");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 lon out of range", expectedErrorPath: "lon");
Console.WriteLine(" ✓ lon=181 rejected with errors[\"lon\"]");
}
private static async Task ZoomOutOfRange_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-811 rule 3: zoom out of range (0..22) → HTTP 400");
// Act
var response = await httpClient.GetAsync($"{LatLonPath}?lat=47.461747&lon=37.647063&zoom=30");
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 zoom out of range");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 zoom out of range", expectedErrorPath: "zoom");
Console.WriteLine(" ✓ zoom=30 rejected with errors[\"zoom\"]");
}
private static async Task MissingLat_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-811 rule 1: missing `lat` query param → HTTP 400 with errors.lat");
// Act — only lon + zoom supplied; the validator's NotNull rule on Lat must
// fire (binder produces Lat=null because the DTO is nullable; see
// GetTileByLatLonQuery for why).
var response = await httpClient.GetAsync($"{LatLonPath}?lon=37.647063&zoom=18");
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 missing lat");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 missing lat", expectedErrorPath: "lat");
Console.WriteLine(" ✓ Missing lat rejected with errors[\"lat\"] = `lat` is required");
}
private static async Task UnknownQueryParam_LegacyLatitude_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-811 rule 4: legacy `?Latitude=&Longitude=&ZoomLevel=` (pre-AZ-811 wire format) → HTTP 400 (envelope filter)");
// Act — exact pre-AZ-811 wire format; must now fail explicitly instead
// of silently binding to lat=0/lon=0/zoom=0 (typo class).
var response = await httpClient.GetAsync($"{LatLonPath}?Latitude=47.461747&Longitude=37.647063&ZoomLevel=18");
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 legacy param names");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 legacy param names");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "Latitude", label: "AZ-811 legacy param names");
Console.WriteLine(" ✓ Legacy ?Latitude=&Longitude=&ZoomLevel= rejected by envelope filter");
}
private static async Task UnknownQueryParam_Hostile_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-811 rule 4: hostile/typo query keys → HTTP 400 (envelope filter)");
// Act
var response = await httpClient.GetAsync($"{LatLonPath}?lat=47.461747&lon=37.647063&zoom=18&debug=1&admin=true");
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-811 hostile params");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-811 hostile params");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "debug", label: "AZ-811 hostile params");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "admin", label: "AZ-811 hostile params");
Console.WriteLine(" ✓ ?debug=1&admin=true rejected; errors map names BOTH unknown keys");
}
private static async Task LatTypeMismatch_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-811 rule 5: lat type mismatch (non-numeric) → HTTP 400");
// Act
var response = await httpClient.GetAsync($"{LatLonPath}?lat=fifty&lon=37.647063&zoom=18");
var status = (int)response.StatusCode;
// Assert — ASP.NET query-param binding produces 400 for type mismatch via
// BadHttpRequestException; the exact ProblemDetails shape varies depending
// on whether the GlobalExceptionHandler intercepts. Either way the wire
// contract is HTTP 400, no body leak.
if (status != 400)
{
throw new Exception($"AZ-811 type mismatch: expected HTTP 400, got {status}.");
}
Console.WriteLine(" ✓ lat=fifty rejected with HTTP 400");
}
}
SatelliteProvider.IntegrationTests/JwtIntegrationTests.cs
+1 -1
View File
@@ -6,7 +6,7 @@ namespace SatelliteProvider.IntegrationTests;
public static class JwtIntegrationTests
{
private const string ProtectedTilesPath = "/api/satellite/tiles/latlon?Latitude=47.461747&Longitude=37.647063&ZoomLevel=18";
private const string ProtectedTilesPath = "/api/satellite/tiles/latlon?lat=47.461747&lon=37.647063&zoom=18";
private const string ProtectedRegionPath = "/api/satellite/region/00000000-0000-0000-0000-000000000000";
public static async Task RunAll(string apiUrl, string secret)
SatelliteProvider.IntegrationTests/ProblemDetailsAssertions.cs
+40
View File
@@ -92,6 +92,46 @@ public static class ProblemDetailsAssertions
}
}
// AZ-808 cycle 8: promoted from per-test-file private helpers (was
// duplicated in TileInventoryValidationTests + RegionFieldRenameTests +
// RegionRequestValidationTests) so every validation test points at one
// source of truth for "is this field-name or substring mentioned anywhere
// in the errors map?".
public static void AssertErrorsContainsMention(JsonElement problem, string expectedMention, string label)
{
if (!problem.TryGetProperty("errors", out var errorsEl) || errorsEl.ValueKind != JsonValueKind.Object)
{
throw new Exception($"{label}: expected 'errors' object in ProblemDetails body.");
}
var found = false;
foreach (var prop in errorsEl.EnumerateObject())
{
if (prop.Name.Contains(expectedMention, StringComparison.OrdinalIgnoreCase))
{
found = true;
break;
}
foreach (var msg in prop.Value.EnumerateArray())
{
if (msg.GetString()?.Contains(expectedMention, StringComparison.OrdinalIgnoreCase) == true)
{
found = true;
break;
}
}
if (found) break;
}
if (!found)
{
var paths = string.Join(", ", errorsEl.EnumerateObject().Select(p => p.Name));
throw new Exception($"{label}: expected '{expectedMention}' to appear in errors keys or messages. Available paths: {paths}.");
}
}
private static IEnumerable<string> EnumeratePaths(JsonElement errorsEl)
{
foreach (var prop in errorsEl.EnumerateObject())
SatelliteProvider.IntegrationTests/Program.cs
+4
View File
@@ -141,6 +141,8 @@ class Program
await TileInventoryTests.RunAll(httpClient);
await TileInventoryValidationTests.RunAll(httpClient);
await RegionFieldRenameTests.RunAll(httpClient);
await RegionRequestValidationTests.RunAll(httpClient);
await GetTileByLatLonValidationTests.RunAll(httpClient);
await LeafletPathIndexOnlyTests.RunAll(connectionString);
await MigrationTests.RunAll();
}
@@ -166,6 +168,8 @@ class Program
await TileInventoryTests.RunAll(httpClient);
await TileInventoryValidationTests.RunAll(httpClient);
await RegionFieldRenameTests.RunAll(httpClient);
await RegionRequestValidationTests.RunAll(httpClient);
await GetTileByLatLonValidationTests.RunAll(httpClient);
await LeafletPathIndexOnlyTests.RunAll(connectionString);
await MigrationTests.RunAll();
}
SatelliteProvider.IntegrationTests/RegionFieldRenameTests.cs
+1 -38
View File
@@ -1,6 +1,4 @@
using System.Net.Http.Json;
using System.Text;
using System.Text.Json;
namespace SatelliteProvider.IntegrationTests;
@@ -63,7 +61,7 @@ public static class RegionFieldRenameTests
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-812 legacy field names");
AssertErrorsContainsMention(problem, expectedMention: "latitude", label: "AZ-812 legacy field names");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "latitude", label: "AZ-812 legacy field names");
Console.WriteLine(" ✓ Legacy {latitude,longitude} body rejected with HTTP 400; errors map names the unknown field");
}
@@ -73,39 +71,4 @@ public static class RegionFieldRenameTests
var content = new StringContent(body, Encoding.UTF8, "application/json");
return httpClient.PostAsync(RegionPath, content);
}
private static void AssertErrorsContainsMention(JsonElement problem, string expectedMention, string label)
{
if (!problem.TryGetProperty("errors", out var errorsEl) || errorsEl.ValueKind != JsonValueKind.Object)
{
throw new Exception($"{label}: expected 'errors' object in ProblemDetails body.");
}
var found = false;
foreach (var prop in errorsEl.EnumerateObject())
{
if (prop.Name.Contains(expectedMention, StringComparison.OrdinalIgnoreCase))
{
found = true;
break;
}
foreach (var msg in prop.Value.EnumerateArray())
{
if (msg.GetString()?.Contains(expectedMention, StringComparison.OrdinalIgnoreCase) == true)
{
found = true;
break;
}
}
if (found) break;
}
if (!found)
{
var paths = string.Join(", ", errorsEl.EnumerateObject().Select(p => p.Name));
throw new Exception($"{label}: expected '{expectedMention}' to appear in errors keys or messages. Available paths: {paths}.");
}
}
}
SatelliteProvider.IntegrationTests/RegionRequestValidationTests.cs
+340
View File
@@ -0,0 +1,340 @@
using System.Text;
using System.Text.Json;
namespace SatelliteProvider.IntegrationTests;
// AZ-808: end-to-end coverage for the region-request endpoint's strict input
// validation. Each test exercises one rule from the validator (FluentValidation
// for business rules, JsonSerializerOptions for wire-format rules) and asserts
// the response body conforms to the RFC 7807 ValidationProblemDetails contract
// in `_docs/02_document/contracts/api/error-shape.md` v1.0.0.
//
// Field names use the post-AZ-812 OSM convention (`lat`/`lon`). The legacy
// `latitude`/`longitude` wire format is verified to be rejected by
// RegionFieldRenameTests.cs (AZ-812 AC-4).
public static class RegionRequestValidationTests
{
private const string RegionPath = "/api/satellite/request";
public static async Task RunAll(HttpClient httpClient)
{
RouteTestHelpers.PrintTestHeader("Test: Region endpoint strict validation (AZ-808)");
await HappyPath_Returns200(httpClient);
// Rule 1: body present
await EmptyBody_Returns400(httpClient);
// Rule 2: id required, non-zero Guid
await MissingId_Returns400(httpClient);
await ZeroGuidId_Returns400(httpClient);
// Rule 3: lat required, [-90, 90]
await MissingLat_Returns400(httpClient);
await LatOutOfRange_Returns400(httpClient);
// Rule 4: lon required, [-180, 180]
await MissingLon_Returns400(httpClient);
await LonOutOfRange_Returns400(httpClient);
// Rule 5: sizeMeters required, [100, 10000]
await MissingSizeMeters_Returns400(httpClient);
await SizeMetersOutOfRange_Returns400(httpClient);
// Rule 6: zoomLevel required, [0, 22]
await MissingZoomLevel_Returns400(httpClient);
await ZoomLevelOutOfRange_Returns400(httpClient);
// Rule 7: stitchTiles required (bool, no default)
await MissingStitchTiles_Returns400(httpClient);
// Rule 9: type mismatch
await LatTypeMismatch_Returns400(httpClient);
// Rule 8 (unknown root fields) is covered by RegionFieldRenameTests (AZ-812 AC-4).
Console.WriteLine("✓ Region-request validation tests: PASSED");
}
private static async Task HappyPath_Returns200(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 AC-2: well-formed request → HTTP 200");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var status = (int)response.StatusCode;
var bodyText = await response.Content.ReadAsStringAsync();
// Assert
if (status != 200)
{
throw new Exception($"AZ-808 AC-2 happy path: expected HTTP 200, got {status}. Body: {bodyText}");
}
Console.WriteLine(" ✓ Well-formed body accepted with HTTP 200");
}
private static async Task EmptyBody_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 1: empty body → HTTP 400");
// Arrange
const string body = "";
// Act
var response = await PostJsonAsync(httpClient, body);
var status = (int)response.StatusCode;
// Assert
if (status != 400)
{
throw new Exception($"AZ-808 rule 1: expected HTTP 400, got {status}.");
}
Console.WriteLine(" ✓ Empty body rejected with HTTP 400");
}
private static async Task MissingId_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 2 (probe-confirmed gap): missing `id` → HTTP 400 (no silent zero-Guid coercion)");
// Arrange — the exact 2026-05-22 probe payload that silently coerced to Guid.Empty pre-AZ-808.
const string body = "{\"lat\":49.94,\"lon\":36.31,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing id");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing id");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "id", label: "AZ-808 missing id");
Console.WriteLine(" ✓ Missing `id` rejected with HTTP 400 (no silent coercion)");
}
private static async Task ZeroGuidId_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 2: zero-Guid `id` → HTTP 400");
// Arrange
const string body = "{\"id\":\"00000000-0000-0000-0000-000000000000\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 zero-Guid id");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 zero-Guid id", expectedErrorPath: "id");
Console.WriteLine(" ✓ Zero-Guid `id` rejected with errors[\"id\"]");
}
private static async Task MissingLat_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 3: missing `lat` → HTTP 400");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing lat");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing lat");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "lat", label: "AZ-808 missing lat");
Console.WriteLine(" ✓ Missing `lat` rejected with HTTP 400");
}
private static async Task LatOutOfRange_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 3: `lat` out of range (-90..90) → HTTP 400");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":91.0,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 lat out of range");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 lat out of range", expectedErrorPath: "lat");
Console.WriteLine(" ✓ `lat=91.0` rejected with errors[\"lat\"]");
}
private static async Task MissingLon_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 4: missing `lon` → HTTP 400");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing lon");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing lon");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "lon", label: "AZ-808 missing lon");
Console.WriteLine(" ✓ Missing `lon` rejected with HTTP 400");
}
private static async Task LonOutOfRange_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 4: `lon` out of range (-180..180) → HTTP 400");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":181.0,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 lon out of range");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 lon out of range", expectedErrorPath: "lon");
Console.WriteLine(" ✓ `lon=181.0` rejected with errors[\"lon\"]");
}
private static async Task MissingSizeMeters_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 5: missing `sizeMeters` → HTTP 400");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"zoomLevel\":18,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing sizeMeters");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing sizeMeters");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "sizeMeters", label: "AZ-808 missing sizeMeters");
Console.WriteLine(" ✓ Missing `sizeMeters` rejected with HTTP 400");
}
private static async Task SizeMetersOutOfRange_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 5: `sizeMeters` out of range (100..10000) → HTTP 400");
// Arrange — same 1M cap-exceeder used by SEC-03; this validator replaces the old inline check.
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":1000000,\"zoomLevel\":18,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 sizeMeters out of range");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 sizeMeters out of range", expectedErrorPath: "sizeMeters");
Console.WriteLine(" ✓ `sizeMeters=1000000` rejected with errors[\"sizeMeters\"]");
}
private static async Task MissingZoomLevel_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 6: missing `zoomLevel` → HTTP 400");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing zoomLevel");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing zoomLevel");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "zoomLevel", label: "AZ-808 missing zoomLevel");
Console.WriteLine(" ✓ Missing `zoomLevel` rejected with HTTP 400");
}
private static async Task ZoomLevelOutOfRange_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 6: `zoomLevel` out of range (0..22) → HTTP 400");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":30,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 zoomLevel out of range");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 zoomLevel out of range", expectedErrorPath: "zoomLevel");
Console.WriteLine(" ✓ `zoomLevel=30` rejected with errors[\"zoomLevel\"]");
}
private static async Task MissingStitchTiles_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 7: missing `stitchTiles` → HTTP 400 (no defaulting to false)");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":47.461747,\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 missing stitchTiles");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 missing stitchTiles");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "stitchTiles", label: "AZ-808 missing stitchTiles");
Console.WriteLine(" ✓ Missing `stitchTiles` rejected with HTTP 400");
}
private static async Task LatTypeMismatch_Returns400(HttpClient httpClient)
{
Console.WriteLine();
Console.WriteLine("AZ-808 rule 9: type mismatch (`lat` as string) → HTTP 400");
// Arrange
var regionId = Guid.NewGuid();
var body = $"{{\"id\":\"{regionId}\",\"lat\":\"fifty\",\"lon\":37.647063,\"sizeMeters\":200,\"zoomLevel\":18,\"stitchTiles\":false}}";
// Act
var response = await PostJsonAsync(httpClient, body);
var problem = await ProblemDetailsAssertions.ReadProblemDetailsAsync(response, "AZ-808 lat type mismatch");
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-808 lat type mismatch");
Console.WriteLine(" ✓ `lat:\"fifty\"` rejected with HTTP 400");
}
private static Task<HttpResponseMessage> PostJsonAsync(HttpClient httpClient, string body)
{
var content = new StringContent(body, Encoding.UTF8, "application/json");
return httpClient.PostAsync(RegionPath, content);
}
}
SatelliteProvider.IntegrationTests/SecurityTests.cs
+1 -1
View File
@@ -23,7 +23,7 @@ public static class SecurityTests
Console.WriteLine("SEC-01: SQL injection attempt in coordinate query string");
var injection = "' OR 1=1 --";
var url = $"/api/satellite/tiles/latlon?Latitude={Uri.EscapeDataString(injection)}&Longitude=37.647063&ZoomLevel=18";
var url = $"/api/satellite/tiles/latlon?lat={Uri.EscapeDataString(injection)}&lon=37.647063&zoom=18";
var response = await httpClient.GetAsync(url);
if (response.StatusCode != HttpStatusCode.BadRequest && response.StatusCode != HttpStatusCode.UnprocessableEntity)
SatelliteProvider.IntegrationTests/TileInventoryValidationTests.cs
+4 -39
View File
@@ -199,7 +199,7 @@ public static class TileInventoryValidationTests
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-796 missing z");
AssertErrorsContainsMention(problem, expectedMention: "z", label: "AZ-796 missing z");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "z", label: "AZ-796 missing z");
Console.WriteLine(" ✓ Missing `z` rejected with errors map mentioning the field");
}
@@ -325,7 +325,7 @@ public static class TileInventoryValidationTests
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-796 unknown root field");
AssertErrorsContainsMention(problem, expectedMention: "unknownField", label: "AZ-796 unknown root field");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "unknownField", label: "AZ-796 unknown root field");
Console.WriteLine(" ✓ Unknown root field rejected; errors map names the field");
}
@@ -344,7 +344,7 @@ public static class TileInventoryValidationTests
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-796 unknown nested field");
AssertErrorsContainsMention(problem, expectedMention: "foo", label: "AZ-796 unknown nested field");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "foo", label: "AZ-796 unknown nested field");
Console.WriteLine(" ✓ Unknown nested field rejected; errors map names the field");
}
@@ -364,7 +364,7 @@ public static class TileInventoryValidationTests
// Assert
ProblemDetailsAssertions.AssertValidationProblem(problem, expectedStatus: 400, label: "AZ-794 legacy field");
AssertErrorsContainsMention(problem, expectedMention: "tileZoom", label: "AZ-794 legacy field");
ProblemDetailsAssertions.AssertErrorsContainsMention(problem, expectedMention: "tileZoom", label: "AZ-794 legacy field");
Console.WriteLine(" ✓ Legacy v1.x field names rejected with explicit error (no silent coercion)");
}
@@ -392,39 +392,4 @@ public static class TileInventoryValidationTests
var content = new StringContent(body, Encoding.UTF8, "application/json");
return httpClient.PostAsync(InventoryPath, content);
}
private static void AssertErrorsContainsMention(JsonElement problem, string expectedMention, string label)
{
if (!problem.TryGetProperty("errors", out var errorsEl) || errorsEl.ValueKind != JsonValueKind.Object)
{
throw new Exception($"{label}: expected 'errors' object in ProblemDetails body.");
}
var found = false;
foreach (var prop in errorsEl.EnumerateObject())
{
if (prop.Name.Contains(expectedMention, StringComparison.OrdinalIgnoreCase))
{
found = true;
break;
}
foreach (var msg in prop.Value.EnumerateArray())
{
if (msg.GetString()?.Contains(expectedMention, StringComparison.OrdinalIgnoreCase) == true)
{
found = true;
break;
}
}
if (found) break;
}
if (!found)
{
var paths = string.Join(", ", errorsEl.EnumerateObject().Select(p => p.Name));
throw new Exception($"{label}: expected '{expectedMention}' to appear in errors keys or messages. Available paths: {paths}.");
}
}
}
SatelliteProvider.IntegrationTests/TileTests.cs
+2 -2
View File
@@ -21,7 +21,7 @@ public static class TileTests
Console.WriteLine($"Getting tile at coordinates ({latitude}, {longitude}) with zoom level {zoomLevel}");
var response = await httpClient.GetAsync($"/api/satellite/tiles/latlon?Latitude={latitude}&Longitude={longitude}&ZoomLevel={zoomLevel}");
var response = await httpClient.GetAsync($"/api/satellite/tiles/latlon?lat={latitude}&lon={longitude}&zoom={zoomLevel}");
if (!response.IsSuccessStatusCode)
{
@@ -74,7 +74,7 @@ public static class TileTests
Console.WriteLine();
Console.WriteLine("Testing tile reuse (getting same tile again)...");
var response2 = await httpClient.GetAsync($"/api/satellite/tiles/latlon?Latitude={latitude}&Longitude={longitude}&ZoomLevel={zoomLevel}");
var response2 = await httpClient.GetAsync($"/api/satellite/tiles/latlon?lat={latitude}&lon={longitude}&zoom={zoomLevel}");
if (!response2.IsSuccessStatusCode)
{