mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-27 09:51:14 +00:00
[AZ-1113] Cycle 10 closeout: docs, perf harness, security
Co-authored-by: Cursor <cursoragent@cursor.com>
@@ -412,3 +412,19 @@ Cycle 8 extends the AZ-795 shared validation infrastructure (FluentValidation +
|
||||
**AC trace**: AZ-1074 AC-1..AC-4; AZ-1075 AC-1..AC-3.
|
||||
**Notes**: gRPC is additive — REST route endpoints (BT-06..BT-12) remain unchanged. Cache-reuse (AZ-1074 AC-2) is covered structurally by the orchestrator unit tests (`RouteTileDeliveryOrchestratorTests.DeliverAsync_CachedTileOnDisk_EmitsBatchWithoutDownload`) plus the integration happy path reusing tiles seeded by prior REST runs in the same compose volume. Consumer-side tests (gps-denied-onboard AZ-1076) are out of scope.
|
||||
|
||||
## BT-33: REST 400 Error Message Sanitization (Cross-Endpoint)
|
||||
|
||||
**Trigger**: A family of authenticated requests that force deserializer/binding 400 paths on three representative surfaces: JSON-body inventory (`GlobalExceptionHandler` + inner `JsonException`), query-param tile download (`BadHttpRequestException` without `JsonException`), and multipart UAV upload (`UavUploadValidationFilter` metadata parse).
|
||||
**Precondition**: API up; valid JWT attached (GPS claim for upload). `error-shape.md` v1.0.1 frozen.
|
||||
**Expected**: HTTP 400 with `Content-Type: application/problem+json` for every sub-case. Message *content* is static per the Information disclosure table; field paths in `errors[]` are unchanged from cycle 8.
|
||||
|
||||
| # | AC | Trigger excerpt | Expected message surface | Test method |
|
||||
|---|-----|-----------------|--------------------------|-------------|
|
||||
| 1 | AC-1 | Inventory body with unknown nested field `foo` on tile entry | `errors["tiles[0].foo"][0]` == `"The field value is invalid."`; body lacks `System.` | `TileInventoryValidationTests.UnknownNestedField_Returns400` |
|
||||
| 2 | AC-2 | `GET /api/satellite/tiles/latlon?lat=fifty&lon=37.64&zoom=18` | `detail` == `"The request could not be processed."` | `GetTileByLatLonValidationTests.LatTypeMismatch_Returns400` |
|
||||
| 3 | AC-3 | `POST /api/satellite/upload` with malformed `metadata` JSON | `errors["metadata"]` == `` `metadata` could not be parsed as JSON. ``; body lacks `System.` | `UavUploadValidationTests.MetadataNotAnObject_Returns400` |
|
||||
|
||||
**Pass criterion**: Every sub-case returns HTTP 400; static strings match `error-shape.md` v1.0.1 §Information disclosure; no response body contains `System.` (integration assertion on AC-3 path; AC-1 enforced by unit + integration message equality).
|
||||
**AC trace**: AZ-1113 AC-1..AC-3 (blackbox); AC-4 (`UavTileUploadHandler` envelope) verified by `UavTileUploadHandlerTests` unit only; AC-5 (contract doc) verified at Step 13.
|
||||
**Notes**: This is a cross-cutting tightening of Inv-5 for 4xx paths — BT-27..BT-31 strict-validation scenarios remain the binding functional specs; BT-33 adds the message-content contract on top. SEC-14..SEC-16 mirror these three sub-cases in the security category.
|
||||
|
||||
|
||||
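Review bot: The pass criterion promises that no response body contains `System.`, but sub-case 2 (AC-2, the `BadHttpRequestException` query-param path) only asserts `detail` equality, and the parenthetical limits the substring check to the AC-3 path. Either add "body lacks `System.`" to row 2's expected surface and to `GetTileByLatLonValidationTests.LatTypeMismatch_Returns400`, or reword the criterion so it states which sub-cases carry the negative assertion. Two smaller points in the same table: row 3 compares `errors["metadata"]` without the `[0]` index that row 1 uses, so it is unclear whether the value is a string or an array; and row 3's trigger says malformed `metadata` JSON while the test is named `MetadataNotAnObject_Returns400`, which reads as well-formed JSON of the wrong kind, so the spec should say which input the test actually sends.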