mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 15:01:14 +00:00
Oleksandr Bezdieniezhnykh
c74a2339aa
Kestrel with HttpProtocols.Http1AndHttp2 on a plaintext listener silently downgrades to HTTP/1.1-only (logs "HTTP/2 is not enabled ... TLS is not enabled"), so AC-5's multiplexed-GET test failed with HTTP_1_1_REQUIRED. ALPN cannot run over plaintext, so the fix switches the dev listener to TLS on https://+:8080: - scripts/run-tests.sh generates a self-signed dev cert idempotently (./certs/api.pfx + api.crt) via openssl in an alpine container; certs/ is gitignored. - docker-compose.yml binds Kestrel to ASPNETCORE_URLS=https://+:8080 with Kestrel__Certificates__Default__Path bound to the .pfx. - docker-compose.tests.yml mounts api.crt into the integration-tests container's CA store and runs update-ca-certificates so HttpClient trusts the cert transparently; default API_URL is now https://api:8080. - Drop the obsolete Http2UnencryptedSupport AppContext switch from Http2MultiplexingTests; ALPN over TLS handles negotiation. Test-data fixes caught on the post-TLS rerun (independent of the TLS switch but surfaced together): - Http2MultiplexingTests: switch slippy coords from (154321, 95812) -- which Google Maps returns 404 for -- to (158485, 91707), the slippy projection of (47.461747, 37.647063) already exercised by JwtIntegrationTests. - TileInventoryTests + LeafletPathIndexOnlyTests: SpecifyKind to Unspecified at the binding site for raw Npgsql seed paths writing into tiles.captured_at / created_at / updated_at (TIMESTAMP without tz). Npgsql v6+ refuses Kind=Utc into plain timestamp columns; production goes through Dapper and never hits this code path. - MigrationTests Az503NewUniqueIndexCoversIntegerKeyAndFlightId: accept either idx_tiles_location_hash (migration 014) or its AZ-505 successor tiles_leaflet_path (migration 015) -- both have location_hash as the leading column, which is the AC-9 intent. Docs updated to reflect the TLS+ALPN path: tile-inventory.md Non-Goals, modules/api_program.md, module-layout.md, the AZ-505 task spec's Risk 3, and the cycle 6 implementation + completeness reports. The full integration test suite passes (mode=full, exit 0). Co-authored-by: Cursor <cursoragent@cursor.com>
182 lines
6.9 KiB
Bash
Executable File
182 lines
6.9 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
|
|
|
|
cleanup() {
|
|
docker compose -f "$PROJECT_ROOT/docker-compose.yml" -f "$PROJECT_ROOT/docker-compose.tests.yml" down --remove-orphans || true
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
# AZ-505 AC-5: HTTP/2 via ALPN requires TLS on the API listener. The cert is
|
|
# self-signed for dev/test only — gitignored under certs/ and regenerated on
|
|
# demand. PFX is mounted into the API container as the Kestrel cert; the public
|
|
# PEM is mounted into the integration-tests container's CA trust store so every
|
|
# HttpClient transparently trusts it without per-test handler shims.
|
|
ensure_dev_cert() {
|
|
local certs_dir="$PROJECT_ROOT/certs"
|
|
local pfx="$certs_dir/api.pfx"
|
|
local crt="$certs_dir/api.crt"
|
|
if [[ -f "$pfx" && -f "$crt" ]]; then
|
|
echo "Step 0a: Dev cert present (./certs/api.pfx)"
|
|
return 0
|
|
fi
|
|
echo "Step 0a: Generating dev TLS cert (./certs/api.pfx + api.crt) for HTTP/2 ALPN (AZ-505 AC-5)"
|
|
mkdir -p "$certs_dir"
|
|
docker run --rm -v "$certs_dir:/work" -w /work alpine:3.20 sh -c '
|
|
set -e
|
|
apk add --no-cache openssl >/dev/null
|
|
cat > /tmp/openssl.cnf <<EOF
|
|
[req]
|
|
distinguished_name = req_distinguished_name
|
|
x509_extensions = v3_req
|
|
prompt = no
|
|
|
|
[req_distinguished_name]
|
|
CN = satellite-provider-dev
|
|
|
|
[v3_req]
|
|
keyUsage = digitalSignature, keyEncipherment
|
|
extendedKeyUsage = serverAuth
|
|
subjectAltName = @alt_names
|
|
|
|
[alt_names]
|
|
DNS.1 = api
|
|
DNS.2 = localhost
|
|
IP.1 = 127.0.0.1
|
|
EOF
|
|
openssl req -x509 -newkey rsa:2048 -nodes \
|
|
-keyout api.key -out api.crt \
|
|
-days 365 -config /tmp/openssl.cnf
|
|
openssl pkcs12 -export -out api.pfx -inkey api.key -in api.crt \
|
|
-passout pass:satellite-dev-cert
|
|
chmod 644 api.pfx api.crt
|
|
'
|
|
echo " ✓ Dev cert written (passphrase: satellite-dev-cert — dev-only)"
|
|
}
|
|
ensure_dev_cert
|
|
|
|
usage() {
|
|
cat <<EOF
|
|
Usage: $(basename "$0") [--unit-only | --smoke | --full] [--skip-format] [--keep-state]
|
|
|
|
Modes:
|
|
--unit-only Run only the .NET unit test project (no Docker Compose, no integration tests)
|
|
--smoke Run unit tests + a fast integration subset (~2 min target, tightened timeouts)
|
|
--full Run unit tests + the full integration suite (default if no flag is provided)
|
|
|
|
Flags:
|
|
--skip-format Skip the dotnet format --verify-no-changes check (use only for emergency runs)
|
|
--keep-state Skip the AZ-493 integration test DB-reset hook so leftover rows from the
|
|
previous run remain in Postgres. Useful for debugging a failed run.
|
|
|
|
Environment:
|
|
GOOGLE_MAPS_API_KEY Required for any integration test mode (loaded from .env or shell env).
|
|
JWT_SECRET Required for any integration test mode. Shared HMAC secret used by the
|
|
API and the integration test runner; must be at least 32 bytes (UTF-8).
|
|
Loaded from .env or shell env.
|
|
JWT_ISSUER Required for any integration test mode (AZ-494). Must match the value
|
|
the API container validates. May be a DEV-ONLY value for local runs.
|
|
JWT_AUDIENCE Required for any integration test mode (AZ-494). Same contract as
|
|
JWT_ISSUER — must match what the API container validates.
|
|
EOF
|
|
}
|
|
|
|
mode="full"
|
|
skip_format="false"
|
|
keep_state="false"
|
|
for arg in "$@"; do
|
|
case "$arg" in
|
|
--unit-only) mode="unit"; ;;
|
|
--smoke) mode="smoke"; ;;
|
|
--full) mode="full"; ;;
|
|
--skip-format) skip_format="true"; ;;
|
|
--keep-state) keep_state="true"; ;;
|
|
-h|--help) usage; exit 0; ;;
|
|
"") ;;
|
|
*) echo "Unknown argument: $arg"; usage; exit 2; ;;
|
|
esac
|
|
done
|
|
|
|
echo "=== Satellite Provider Test Suite ==="
|
|
echo "Mode: $mode"
|
|
echo ""
|
|
|
|
if [[ "$skip_format" == "true" ]]; then
|
|
echo "Step 0: Skipping dotnet format check (--skip-format)"
|
|
else
|
|
echo "Step 0: dotnet format whitespace --verify-no-changes"
|
|
if ! docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:10.0 \
|
|
dotnet format whitespace SatelliteProvider.sln --verify-no-changes; then
|
|
echo ""
|
|
echo "ERROR: Whitespace violations detected. Run 'dotnet format whitespace SatelliteProvider.sln' to fix."
|
|
exit 4
|
|
fi
|
|
echo ""
|
|
fi
|
|
|
|
if [[ "$mode" == "unit" ]]; then
|
|
echo "Running unit tests only..."
|
|
docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:10.0 \
|
|
sh -c "dotnet restore SatelliteProvider.sln && dotnet test SatelliteProvider.Tests/SatelliteProvider.Tests.csproj --no-restore --configuration Release --collect:'XPlat Code Coverage' --results-directory /src/TestResults --logger 'console;verbosity=normal'"
|
|
echo ""
|
|
echo "=== Unit tests complete (coverage written to ./TestResults/) ==="
|
|
exit 0
|
|
fi
|
|
|
|
if { [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]] || [[ -z "${JWT_SECRET:-}" ]] || [[ -z "${JWT_ISSUER:-}" ]] || [[ -z "${JWT_AUDIENCE:-}" ]]; } && [[ -f "$PROJECT_ROOT/.env" ]]; then
|
|
set -o allexport
|
|
# shellcheck disable=SC1091
|
|
source "$PROJECT_ROOT/.env"
|
|
set +o allexport
|
|
fi
|
|
|
|
if [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]]; then
|
|
echo "ERROR: GOOGLE_MAPS_API_KEY is not set (export it or add to .env). Integration tests will fail."
|
|
exit 3
|
|
fi
|
|
|
|
if [[ -z "${JWT_SECRET:-}" ]]; then
|
|
echo "ERROR: JWT_SECRET is not set (export it or add to .env). API will fail to start without it."
|
|
exit 3
|
|
fi
|
|
|
|
jwt_secret_bytes=${#JWT_SECRET}
|
|
if (( jwt_secret_bytes < 32 )); then
|
|
echo "ERROR: JWT_SECRET is ${jwt_secret_bytes} bytes; HMAC-SHA256 requires at least 32 bytes."
|
|
exit 3
|
|
fi
|
|
export JWT_SECRET
|
|
|
|
if [[ -z "${JWT_ISSUER:-}" ]]; then
|
|
echo "ERROR: JWT_ISSUER is not set (export it or add to .env). API + integration tests require it (AZ-494)."
|
|
exit 3
|
|
fi
|
|
if [[ -z "${JWT_AUDIENCE:-}" ]]; then
|
|
echo "ERROR: JWT_AUDIENCE is not set (export it or add to .env). API + integration tests require it (AZ-494)."
|
|
exit 3
|
|
fi
|
|
export JWT_ISSUER
|
|
export JWT_AUDIENCE
|
|
|
|
echo "Step 1: Unit tests"
|
|
docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:10.0 \
|
|
sh -c "dotnet restore SatelliteProvider.sln && dotnet test SatelliteProvider.Tests/SatelliteProvider.Tests.csproj --no-restore --configuration Release --collect:'XPlat Code Coverage' --results-directory /src/TestResults --logger 'console;verbosity=normal'"
|
|
|
|
echo ""
|
|
echo "Step 2: Integration tests (Docker Compose, mode=$mode, keep_state=$keep_state)"
|
|
INTEGRATION_KEEP_STATE_VALUE=""
|
|
if [[ "$keep_state" == "true" ]]; then
|
|
INTEGRATION_KEEP_STATE_VALUE="1"
|
|
fi
|
|
INTEGRATION_TESTS_MODE="$mode" \
|
|
INTEGRATION_KEEP_STATE="$INTEGRATION_KEEP_STATE_VALUE" \
|
|
docker compose \
|
|
-f "$PROJECT_ROOT/docker-compose.yml" \
|
|
-f "$PROJECT_ROOT/docker-compose.tests.yml" \
|
|
up --build --abort-on-container-exit --exit-code-from integration-tests
|
|
|
|
echo ""
|
|
echo "=== All tests passed (mode=$mode) ==="
|