azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 10:21:14 +00:00
Code Issues Packages Projects Releases Wiki Activity

[AZ-505] AC-5 fix: enable TLS for HTTP/2 via ALPN
ci/woodpecker/push/01-test Pipeline was successful
Details
ci/woodpecker/push/02-build-push Pipeline was successful
Details

Browse Source 
Kestrel with HttpProtocols.Http1AndHttp2 on a plaintext listener
silently downgrades to HTTP/1.1-only (logs "HTTP/2 is not enabled
... TLS is not enabled"), so AC-5's multiplexed-GET test failed
with HTTP_1_1_REQUIRED. ALPN cannot run over plaintext, so the
fix switches the dev listener to TLS on https://+:8080:

- scripts/run-tests.sh generates a self-signed dev cert idempotently
  (./certs/api.pfx + api.crt) via openssl in an alpine container;
  certs/ is gitignored.
- docker-compose.yml binds Kestrel to ASPNETCORE_URLS=https://+:8080
  with Kestrel__Certificates__Default__Path bound to the .pfx.
- docker-compose.tests.yml mounts api.crt into the integration-tests
  container's CA store and runs update-ca-certificates so HttpClient
  trusts the cert transparently; default API_URL is now https://api:8080.
- Drop the obsolete Http2UnencryptedSupport AppContext switch from
  Http2MultiplexingTests; ALPN over TLS handles negotiation.

Test-data fixes caught on the post-TLS rerun (independent of the TLS
switch but surfaced together):

- Http2MultiplexingTests: switch slippy coords from (154321, 95812)
  -- which Google Maps returns 404 for -- to (158485, 91707), the
  slippy projection of (47.461747, 37.647063) already exercised by
  JwtIntegrationTests.
- TileInventoryTests + LeafletPathIndexOnlyTests: SpecifyKind to
  Unspecified at the binding site for raw Npgsql seed paths writing
  into tiles.captured_at / created_at / updated_at (TIMESTAMP without
  tz). Npgsql v6+ refuses Kind=Utc into plain timestamp columns;
  production goes through Dapper and never hits this code path.
- MigrationTests Az503NewUniqueIndexCoversIntegerKeyAndFlightId:
  accept either idx_tiles_location_hash (migration 014) or its
  AZ-505 successor tiles_leaflet_path (migration 015) -- both have
  location_hash as the leading column, which is the AC-9 intent.

Docs updated to reflect the TLS+ALPN path: tile-inventory.md
Non-Goals, modules/api_program.md, module-layout.md, the AZ-505
task spec's Risk 3, and the cycle 6 implementation + completeness
reports. The full integration test suite passes (mode=full, exit 0).

Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
Oleksandr Bezdieniezhnykh
2026-05-12 22:19:26 +03:00
parent da40534b49
commit c74a2339aa
17 changed files with 148 additions and 42 deletions
Download Patch File Download Diff File Expand all files Collapse all files
scripts/run-tests.sh
+48
View File
@@ -9,6 +9,54 @@ cleanup() {
}
trap cleanup EXIT
# AZ-505 AC-5: HTTP/2 via ALPN requires TLS on the API listener. The cert is
# self-signed for dev/test only — gitignored under certs/ and regenerated on
# demand. PFX is mounted into the API container as the Kestrel cert; the public
# PEM is mounted into the integration-tests container's CA trust store so every
# HttpClient transparently trusts it without per-test handler shims.
ensure_dev_cert() {
local certs_dir="$PROJECT_ROOT/certs"
local pfx="$certs_dir/api.pfx"
local crt="$certs_dir/api.crt"
if [[ -f "$pfx" && -f "$crt" ]]; then
echo "Step 0a: Dev cert present (./certs/api.pfx)"
return 0
fi
echo "Step 0a: Generating dev TLS cert (./certs/api.pfx + api.crt) for HTTP/2 ALPN (AZ-505 AC-5)"
mkdir -p "$certs_dir"
docker run --rm -v "$certs_dir:/work" -w /work alpine:3.20 sh -c '
set -e
apk add --no-cache openssl >/dev/null
cat > /tmp/openssl.cnf <<EOF
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
CN = satellite-provider-dev
[v3_req]
keyUsage = digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = @alt_names
[alt_names]
DNS.1 = api
DNS.2 = localhost
IP.1 = 127.0.0.1
EOF
openssl req -x509 -newkey rsa:2048 -nodes \
-keyout api.key -out api.crt \
-days 365 -config /tmp/openssl.cnf
openssl pkcs12 -export -out api.pfx -inkey api.key -in api.crt \
-passout pass:satellite-dev-cert
chmod 644 api.pfx api.crt
'
echo " ✓ Dev cert written (passphrase: satellite-dev-cert — dev-only)"
}
ensure_dev_cert
usage() {
cat <<EOF
Usage: $(basename "$0") [--unit-only | --smoke | --full] [--skip-format] [--keep-state]