azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-27 12:31:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
50d4a76be3f5eeb65395c9995a2183235902d4b4
satellite-provider/_docs/02_document/tests/security-tests.md
T
Oleksandr Bezdieniezhnykh c79998bfa7 [AZ-1113] Cycle 10 closeout: docs, perf harness, security 
Co-authored-by: Cursor <cursoragent@cursor.com>
2026-06-26 10:55:59 +03:00

135 lines
9.1 KiB
Markdown
Raw Blame History

# Security Test Scenarios
## SEC-01: SQL Injection via Coordinate Parameters
**Trigger**: GET /api/satellite/tiles/latlon?lat=1;DROP TABLE tiles--&lon=1&zoom=18
**Expected**: Request rejected or treated as invalid parameter
**Pass criterion**: HTTP 400 or parameter parsing error; no database damage; tiles table intact
## SEC-02: Path Traversal in Tile Serving
**Trigger**: GET /tiles/18/../../../etc/passwd
**Expected**: Request rejected; no file outside tiles directory served
**Pass criterion**: HTTP 404 or 400; response body does not contain system file content
## SEC-03: Oversized Region Request
**Trigger**: POST /api/satellite/request with sizeMeters=999999999
**Expected**: Either rejected or handled without resource exhaustion
**Pass criterion**: No OOM; no infinite processing; either error response or bounded processing
## SEC-04: Malformed JSON in Route Request
**Trigger**: POST /api/satellite/route with invalid JSON body (truncated `{` or non-JSON text).
**Expected**: HTTP 400 + RFC 7807 `ProblemDetails`. Post-AZ-809 (cycle 8) the failure surfaces via `GlobalExceptionHandler`'s `JsonException` branch (System.Text.Json `JsonReaderException``BadHttpRequestException` → 400). No stack trace leaks; correlationId present per AZ-353.
**Pass criterion**: HTTP 400; `Content-Type: application/problem+json`; body matches `error-shape.md` v1.0.1; response body does NOT contain `System.` substring; no internal exception type or stack frame in `detail`.
---
## Cycle 2 — AZ-487 JWT validation baseline
The pre-AZ-487 assumption "no authentication" is superseded by these scenarios. The SEC-01..SEC-04 scenarios above still hold (they probe input handling, not the auth layer), but every authenticated test variant must now attach a Bearer token.
## SEC-05: Anonymous Request to Any Authenticated Endpoint Returns 401
**Trigger**: GET `/api/satellite/tiles/latlon?lat=...&lon=...&zoom=18` (or any `/api/satellite/*` endpoint) with NO `Authorization` header.
**Precondition**: API running with `JWT_SECRET` configured.
**Expected**: HTTP 401 Unauthorized; `WWW-Authenticate: Bearer` header present; response body does not leak validation internals.
**Pass criterion**: status == 401 AND `WWW-Authenticate` header starts with `Bearer`.
**AC trace**: AZ-487 AC-1.
## SEC-06: Expired Token Returns 401
**Trigger**: Same request as SEC-05 carrying a JWT signed with the configured secret but with `exp` in the past (clock-skew margin already exceeded).
**Expected**: HTTP 401; the failure reason surfaces via `WWW-Authenticate` (e.g. `error="invalid_token"`, `error_description="The token is expired"`), never in the response body.
**Pass criterion**: status == 401 AND response body does not contain `Expires:` / `NotBefore:` / stack traces / internal exception types.
**AC trace**: AZ-487 AC-2.
## SEC-07: Tampered Signature Returns 401
**Trigger**: Same request as SEC-05 carrying a JWT whose payload was modified after signing so the HMAC no longer verifies.
**Expected**: HTTP 401; body free of cryptographic detail.
**Pass criterion**: status == 401 AND request never reaches downstream handlers (no DB write, no Google Maps fetch).
**AC trace**: AZ-487 AC-3.
## SEC-08: Startup Fails on Missing / Short Secret
**Trigger**: Boot the API container with `JWT_SECRET` unset, empty, or shorter than 32 bytes.
**Observable**: Container exit code, stdout error message.
**Pass criterion**: container exits non-zero within 10s of start; stderr contains a message identifying the missing or short `JWT_SECRET` and the 32-byte minimum; Kestrel never binds to its port.
**AC trace**: AZ-487 AC-5. Behavioral test — no input data.
## SEC-09: Valid Token Reaches Handler Unchanged
**Trigger**: GET `/api/satellite/tiles/latlon?...` with a JWT signed by the configured secret and `exp` in the future.
**Expected**: Response is byte-identical (status, body, headers other than `Authorization`/`WWW-Authenticate`) to the pre-AZ-487 baseline for the same parameters.
**Pass criterion**: status == 200 AND response body matches BT-01 expected schema.
**AC trace**: AZ-487 AC-4. Also exercised by AZ-487 AC-8 / integration smoke parity.
---
## Cycle 2 — AZ-488 UAV upload authorization
## SEC-10: Valid Token Without GPS Permission Returns 403 on UAV Upload
**Trigger**: POST `/api/satellite/upload` carrying a JWT with `permissions: ["FL"]` (no `GPS`); body is an otherwise-valid 1-item batch.
**Precondition**: AZ-487 in place; AZ-488 endpoint registered with the `GPS` permission policy.
**Expected**: HTTP 403 Forbidden; no row in `tiles`; no file under `./tiles/uav/`.
**Pass criterion**: status == 403 AND `SELECT COUNT(*) FROM tiles WHERE source='uav' AND ...` == pre-test count AND uploaded file does NOT exist on disk.
**AC trace**: AZ-488 AC-6.
## SEC-11: Reject-Reason Details Do Not Leak Server Internals
**Trigger**: POST `/api/satellite/upload` with a batch where item-1 deliberately fails Rule 5 (`IMAGE_TOO_UNIFORM`) and item-2 deliberately fails Rule 1 (`INVALID_FORMAT`).
**Precondition**: Authenticated request with `GPS` permission.
**Expected**: HTTP 200 with per-item results; each `rejectDetails` is short, human-readable, and contains none of: server-side file paths, exception type names, stack traces, internal class names, secrets, or hostnames.
**Pass criterion**: For every rejected item, `rejectDetails` matches `^[A-Za-z0-9 .,()<>=:%/-]{0,200}$` AND contains no path separator (`/` or `\`) followed by a directory name from the server image (`tiles`, `src`, `obj`, `bin`).
**AC trace**: AZ-488 § Security NFR.
## SEC-12: Wrong `iss` Claim Returns 401
**Trigger**: Same request as SEC-05 carrying a JWT signed with the configured secret, with valid `exp` / `nbf` / signature, and with an `aud` claim matching `JWT_AUDIENCE` — but with `iss` set to `https://wrong-issuer.invalid/` (not equal to `JWT_ISSUER`).
**Precondition**: AZ-494 in place; API started with `JWT_ISSUER` + `JWT_AUDIENCE` env vars both populated (fail-fast contract).
**Expected**: HTTP 401 Unauthorized; no handler reached; no leaked detail in body.
**Pass criterion**: status == 401 AND response body contains no `iss` / `aud` value or internal exception detail.
**AC trace**: AZ-494 AC-1.
## SEC-13: Wrong `aud` Claim Returns 401
**Trigger**: Same request as SEC-05 carrying a JWT signed with the configured secret, with valid `exp` / `nbf` / signature, and with `iss` matching `JWT_ISSUER` — but with `aud` set to `wrong-audience-not-satellite` (not equal to `JWT_AUDIENCE`).
**Precondition**: AZ-494 in place; API started with `JWT_ISSUER` + `JWT_AUDIENCE` env vars both populated.
**Expected**: HTTP 401 Unauthorized; no handler reached; no leaked detail in body.
**Pass criterion**: status == 401 AND response body contains no `iss` / `aud` value or internal exception detail.
**AC trace**: AZ-494 AC-2.
---
## Cycle 10 — AZ-1113 REST 400 error message sanitization
Extends Inv-5 (`error-shape.md` v1.0.1) to deserializer/binding 400 paths that previously echoed raw `JsonException` / `BadHttpRequestException` text. The 5xx sanitization from AZ-353 is unchanged.
## SEC-14: Deserializer 400 `errors[]` Values Are Static (No Framework Type Leak)
**Trigger**: Authenticated `POST /api/satellite/tiles/inventory` with body `{"tiles":[{"z":18,"x":1,"y":1,"foo":42}]}` (unknown nested field per `UnmappedMemberHandling.Disallow`).
**Expected**: HTTP 400 + `ValidationProblemDetails`; `errors["tiles[0].foo"][0]` equals `"The field value is invalid."` per `error-shape.md` v1.0.1 §Information disclosure.
**Pass criterion**: HTTP 400; response body does NOT contain `System.`; does NOT contain `.NET member`; does NOT echo raw `JsonException.Message`.
**AC trace**: AZ-1113 AC-1.
**Test method**: `TileInventoryValidationTests.UnknownNestedField_Returns400` (integration); `GlobalExceptionHandlerTests.TryHandleAsync_DeserializationFailure_WritesValidationProblemDetailsWithJsonPath_AZ795` (unit).
## SEC-15: Non-JSON `BadHttpRequestException` `detail` Is Static
**Trigger**: Authenticated `GET /api/satellite/tiles/latlon?lat=fifty&lon=37.64&zoom=18` (query binding failure without inner `JsonException`).
**Expected**: HTTP 400 + RFC 7807 `ProblemDetails`; `detail` is `"The request could not be processed."` per `error-shape.md` v1.0.1.
**Pass criterion**: HTTP 400; `detail` does NOT contain `Latitude` or other framework bind-failure text from `BadHttpRequestException.Message`.
**AC trace**: AZ-1113 AC-2.
**Test method**: `GetTileByLatLonValidationTests.LatTypeMismatch_Returns400` (integration); `GlobalExceptionHandlerTests.TryHandleAsync_BadHttpRequestExceptionWithoutJson_UsesStaticDetail` (unit).
## SEC-16: UAV Upload Metadata Parse Error Does Not Leak Exception Message
**Trigger**: Authenticated `POST /api/satellite/upload` with `metadata` form field `{not valid json` (malformed JSON).
**Expected**: HTTP 400 + `errors["metadata"]` equals `` `metadata` could not be parsed as JSON. `` per `error-shape.md` v1.0.1.
**Pass criterion**: HTTP 400; full response body does NOT contain `System.` substring.
**AC trace**: AZ-1113 AC-3 (filter); AC-4 (handler defense-in-depth via unit test).
**Test method**: `UavUploadValidationTests.MetadataNotAnObject_Returns400` (integration); `UavTileUploadHandlerTests.HandleAsync_InvalidMetadataJson_ReturnsEnvelopeError` (unit).
Reference in New Issue View Git Blame Copy Permalink