azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-22 20:01:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-487] JWT validation baseline (HS256, all endpoints)
ci/woodpecker/push/01-test Pipeline failed
Details
ci/woodpecker/push/02-build-push unknown status
Details

Browse Source 
Adds Microsoft.AspNetCore.Authentication.JwtBearer 8.0.21 and the
SatelliteProvider.Api.Authentication.AddSatelliteJwt extension that
validates HS256 tokens against a shared JWT_SECRET (>=32 bytes, fail
fast at startup). Every minimal-API endpoint now carries
.RequireAuthorization(); the middleware chain is UseExceptionHandler ->
UseHttpsRedirection -> UseCors -> UseAuthentication -> UseAuthorization
-> endpoints. Swagger UI gets a Bearer security definition so the
Authorize button works.

Test infrastructure: JwtTokenFactory (unit) and JwtTestHelpers
(integration) mint deterministic tokens against the same secret; the
integration test runner attaches a default Bearer token to its shared
HttpClient so existing tests continue to exercise protected endpoints.
JwtIntegrationTests adds AC-1..AC-4 and AC-7 (Swagger advertises
Bearer) end-to-end; AuthenticationServiceCollectionExtensionsTests
covers AC-5 (missing/empty/short secret fail-fast) plus env-var
precedence; JwtTokenFactoryTests covers AC-6 (claims pass through
the JwtSecurityTokenHandler.ValidateToken path JwtBearer uses).

docker-compose and scripts/run-tests.sh now propagate JWT_SECRET to
the api and integration-tests containers, with a >=32-byte guard.
.env.example documents the required keys; .env stays gitignored.

Code review verdict: PASS_WITH_WARNINGS (2 Low findings surfaced
in _docs/03_implementation/reviews/batch_01_cycle2_review.md).

Cross-component coordination: gps-denied-onboard and the mission
planner UI must attach Bearer tokens before this lands in dev.

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-11 23:06:23 +03:00
parent 8e15e53782
commit 96cd3c4495
23 changed files with 872 additions and 15 deletions
Download Patch File Download Diff File Expand all files Collapse all files
SatelliteProvider.IntegrationTests/JwtIntegrationTests.cs
+146
View File
@@ -0,0 +1,146 @@
using System.Net;
using System.Net.Http.Headers;
namespace SatelliteProvider.IntegrationTests;
public static class JwtIntegrationTests
{
private const string ProtectedTilesPath = "/api/satellite/tiles/latlon?Latitude=47.461747&Longitude=37.647063&ZoomLevel=18";
private const string ProtectedRegionPath = "/api/satellite/region/00000000-0000-0000-0000-000000000000";
public static async Task RunAll(string apiUrl, string secret)
{
RouteTestHelpers.PrintTestHeader("Test: JWT auth baseline (AZ-487)");
await AnonymousRequest_To_AnyEndpoint_Returns401(apiUrl);
await ExpiredToken_Returns401(apiUrl, secret);
await InvalidSignature_Returns401(apiUrl, secret);
await ValidToken_Returns200_OnHealthyEndpoint(apiUrl, secret);
await SwaggerDocument_AdvertisesBearerSecurityScheme(apiUrl);
Console.WriteLine("✓ JWT integration tests: PASSED");
}
private static async Task AnonymousRequest_To_AnyEndpoint_Returns401(string apiUrl)
{
Console.WriteLine();
Console.WriteLine("AZ-487 AC-1: Anonymous request to a protected endpoint returns 401");
using var anon = new HttpClient { BaseAddress = new Uri(apiUrl), Timeout = TimeSpan.FromMinutes(1) };
var response = await anon.GetAsync(ProtectedTilesPath);
var status = (int)response.StatusCode;
if (status != 401)
{
throw new Exception($"Expected 401 for anonymous request, got {status}");
}
Console.WriteLine($" ✓ Anonymous request rejected with HTTP {status}");
}
private static async Task ExpiredToken_Returns401(string apiUrl, string secret)
{
Console.WriteLine();
Console.WriteLine("AZ-487 AC-2: Expired token returns 401");
using var client = new HttpClient { BaseAddress = new Uri(apiUrl), Timeout = TimeSpan.FromMinutes(1) };
var expired = JwtTestHelpers.MintExpiredToken(secret);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", expired);
var response = await client.GetAsync(ProtectedTilesPath);
var status = (int)response.StatusCode;
if (status != 401)
{
throw new Exception($"Expected 401 for expired token, got {status}");
}
Console.WriteLine($" ✓ Expired token rejected with HTTP {status}");
}
private static async Task InvalidSignature_Returns401(string apiUrl, string secret)
{
Console.WriteLine();
Console.WriteLine("AZ-487 AC-3: Tampered signature returns 401");
using var client = new HttpClient { BaseAddress = new Uri(apiUrl), Timeout = TimeSpan.FromMinutes(1) };
var valid = JwtTestHelpers.MintValidToken(secret);
var tampered = JwtTestHelpers.TamperSignature(valid);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", tampered);
var response = await client.GetAsync(ProtectedRegionPath);
var status = (int)response.StatusCode;
if (status != 401)
{
throw new Exception($"Expected 401 for tampered signature, got {status}");
}
Console.WriteLine($" ✓ Tampered signature rejected with HTTP {status}");
}
private static async Task ValidToken_Returns200_OnHealthyEndpoint(string apiUrl, string secret)
{
Console.WriteLine();
Console.WriteLine("AZ-487 AC-4: Valid token reaches handler unchanged");
using var client = new HttpClient { BaseAddress = new Uri(apiUrl), Timeout = TimeSpan.FromMinutes(2) };
var valid = JwtTestHelpers.MintValidToken(secret);
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", valid);
var response = await client.GetAsync(ProtectedTilesPath);
var status = (int)response.StatusCode;
// The endpoint may legitimately return 200 (tile available) or a tile-download-related
// error; what we care about for AZ-487 is that the request reached the handler at all
// (i.e. NOT 401 / 403). Treat 200 as confirmation; treat anything other than 401/403 as
// "passed auth" — the handler decided the outcome.
if (status == 401 || status == 403)
{
var body = await response.Content.ReadAsStringAsync();
throw new Exception($"Expected valid-token request to bypass auth, got {status}. Body: {body}");
}
Console.WriteLine($" ✓ Valid-token request reached handler (HTTP {status})");
}
private static async Task SwaggerDocument_AdvertisesBearerSecurityScheme(string apiUrl)
{
// AC-7: Swagger UI accepts a Bearer token via the "Authorize" button. The button is
// rendered only when the OpenAPI document declares a `Bearer` security scheme — so the
// existence of that scheme in the document is the automatable signal for AC-7.
Console.WriteLine();
Console.WriteLine("AZ-487 AC-7: Swagger document advertises Bearer security scheme");
using var anon = new HttpClient { BaseAddress = new Uri(apiUrl), Timeout = TimeSpan.FromMinutes(1) };
var response = await anon.GetAsync("/swagger/v1/swagger.json");
if (!response.IsSuccessStatusCode)
{
throw new Exception($"Expected Swagger document to be reachable, got HTTP {(int)response.StatusCode}");
}
var body = await response.Content.ReadAsStringAsync();
using var doc = System.Text.Json.JsonDocument.Parse(body);
var root = doc.RootElement;
if (!root.TryGetProperty("components", out var components) ||
!components.TryGetProperty("securitySchemes", out var schemes) ||
!schemes.TryGetProperty("Bearer", out var bearer))
{
throw new Exception("Swagger document is missing `components.securitySchemes.Bearer`.");
}
var type = bearer.GetProperty("type").GetString();
var scheme = bearer.GetProperty("scheme").GetString();
var format = bearer.TryGetProperty("bearerFormat", out var bf) ? bf.GetString() : null;
if (!string.Equals(type, "http", StringComparison.OrdinalIgnoreCase) ||
!string.Equals(scheme, "bearer", StringComparison.OrdinalIgnoreCase) ||
!string.Equals(format, "JWT", StringComparison.OrdinalIgnoreCase))
{
throw new Exception($"Bearer scheme has wrong shape: type={type}, scheme={scheme}, bearerFormat={format}");
}
Console.WriteLine($" ✓ Swagger document declares Bearer (http, bearer, JWT)");
}
}
SatelliteProvider.IntegrationTests/JwtTestHelpers.cs
+86
View File
@@ -0,0 +1,86 @@
using System.IdentityModel.Tokens.Jwt;
using System.Net.Http.Headers;
using System.Security.Claims;
using System.Text;
using Microsoft.IdentityModel.Tokens;
namespace SatelliteProvider.IntegrationTests;
public static class JwtTestHelpers
{
public const string JwtSecretEnvVar = "JWT_SECRET";
public const string DefaultSubject = "integration-tests";
public static string ResolveSecretOrThrow()
{
var secret = Environment.GetEnvironmentVariable(JwtSecretEnvVar);
if (string.IsNullOrWhiteSpace(secret))
{
throw new InvalidOperationException(
$"{JwtSecretEnvVar} is not set in the integration test environment. " +
"It must match the JWT_SECRET configured for the API container.");
}
var byteLength = Encoding.UTF8.GetByteCount(secret);
if (byteLength < 32)
{
throw new InvalidOperationException(
$"{JwtSecretEnvVar} is {byteLength} bytes; the test runner requires at least 32 bytes to match API validation.");
}
return secret;
}
public static string MintValidToken(string secret, string subject = DefaultSubject, TimeSpan? lifetime = null, IEnumerable<Claim>? extraClaims = null)
{
ArgumentNullException.ThrowIfNull(secret);
var signingKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret));
var credentials = new SigningCredentials(signingKey, SecurityAlgorithms.HmacSha256);
var now = DateTime.UtcNow;
var claims = new List<Claim>
{
new(JwtRegisteredClaimNames.Sub, subject),
new(JwtRegisteredClaimNames.Jti, Guid.NewGuid().ToString("N"))
};
if (extraClaims is not null)
{
claims.AddRange(extraClaims);
}
var token = new JwtSecurityToken(
issuer: null,
audience: null,
claims: claims,
notBefore: now,
expires: now.Add(lifetime ?? TimeSpan.FromHours(1)),
signingCredentials: credentials);
return new JwtSecurityTokenHandler().WriteToken(token);
}
public static string MintExpiredToken(string secret, string subject = DefaultSubject)
{
return MintValidToken(secret, subject, lifetime: TimeSpan.FromMinutes(-10));
}
public static string TamperSignature(string token)
{
var parts = token.Split('.');
if (parts.Length != 3)
{
throw new ArgumentException("JWT must have three dot-separated segments.", nameof(token));
}
var signature = parts[2];
var firstChar = signature[0];
parts[2] = (firstChar == 'A' ? 'B' : 'A') + signature[1..];
return string.Join('.', parts);
}
public static void AttachDefaultAuthorization(HttpClient httpClient, string token)
{
httpClient.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
}
}
SatelliteProvider.IntegrationTests/Program.cs
+18
View File
@@ -17,10 +17,23 @@ class Program
TestRunMode.Smoke = modeEnv == "smoke";
}
string jwtSecret;
try
{
jwtSecret = JwtTestHelpers.ResolveSecretOrThrow();
}
catch (InvalidOperationException ex)
{
Console.WriteLine("❌ Integration tests cannot start without a valid JWT secret.");
Console.WriteLine($" {ex.Message}");
return 1;
}
Console.WriteLine("Starting Integration Tests");
Console.WriteLine("=========================");
Console.WriteLine($"API URL : {apiUrl}");
Console.WriteLine($"Mode : {(TestRunMode.Smoke ? "smoke (fast subset, tightened timeouts)" : "full")}");
Console.WriteLine($"Auth : JWT_SECRET resolved ({System.Text.Encoding.UTF8.GetByteCount(jwtSecret)} bytes)");
Console.WriteLine();
using var httpClient = new HttpClient
@@ -29,6 +42,9 @@ class Program
Timeout = TimeSpan.FromMinutes(15)
};
var defaultToken = JwtTestHelpers.MintValidToken(jwtSecret);
JwtTestHelpers.AttachDefaultAuthorization(httpClient, defaultToken);
try
{
Console.WriteLine("Waiting for API to be ready...");
@@ -36,6 +52,8 @@ class Program
Console.WriteLine("✓ API is ready");
Console.WriteLine();
await JwtIntegrationTests.RunAll(apiUrl, jwtSecret);
if (TestRunMode.Smoke)
{
await RunSmokeSuite(httpClient);
SatelliteProvider.IntegrationTests/SatelliteProvider.IntegrationTests.csproj
+1
View File
@@ -9,6 +9,7 @@
<ItemGroup>
<PackageReference Include="Npgsql" Version="9.0.2" />
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="7.0.3" />
</ItemGroup>
</Project>