mirror of
https://github.com/azaion/satellite-provider.git
synced 2026-06-21 14:11:16 +00:00
Oleksandr Bezdieniezhnykh
f979e18811
Option B per user decision: production ships with empty Jwt.Issuer / Jwt.Audience in appsettings.json so the API process refuses to start unless JWT_ISSUER + JWT_AUDIENCE env vars are supplied. Development ships with grep-friendly DEV-ONLY- placeholders so local + docker flows keep working unchanged. AuthenticationServiceCollectionExtensions flips ValidateIssuer + ValidateAudience to true and wires ValidIssuer / ValidAudience via a new ResolveRequiredOrThrow helper that all three required values (secret, iss, aud) now share. JwtTokenFactory.Create + CreateExpired gain optional iss / aud parameters (default null) so existing call sites compile unchanged. JwtTestHelpers adds MintAuthenticated / MintExpired wrappers that resolve iss + aud from env, plus ResolveIssuerOrThrow / ResolveAudienceOrThrow. PerfBootstrap.MintToken + Program.cs JWT bootstrap migrated to the new surface so the perf harness and the integration runner both validate against the same contract. Adds 4 fail-fast unit tests (missing/empty issuer + audience), 2 negative integration scenarios (WrongIssuer_Returns401, WrongAudience_Returns401), and re-tags every existing integration mint site via MintAuthenticated. Compose, .env.example, run-tests.sh, run-performance-tests.sh all load + export JWT_ISSUER + JWT_AUDIENCE alongside JWT_SECRET. Resolves F-AUTH-2 (security_report.md + owasp_review.md). AC-7 (cross-repo suite/_docs/10_auth.md write) deferred — outside this workspace; tracked in deploy_cycle2.md R3 follow-up. Co-authored-by: Cursor <cursoragent@cursor.com>
134 lines
5.2 KiB
Bash
Executable File
134 lines
5.2 KiB
Bash
Executable File
#!/usr/bin/env bash
|
|
set -euo pipefail
|
|
|
|
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
|
|
PROJECT_ROOT="$(dirname "$SCRIPT_DIR")"
|
|
|
|
cleanup() {
|
|
docker compose -f "$PROJECT_ROOT/docker-compose.yml" -f "$PROJECT_ROOT/docker-compose.tests.yml" down --remove-orphans || true
|
|
}
|
|
trap cleanup EXIT
|
|
|
|
usage() {
|
|
cat <<EOF
|
|
Usage: $(basename "$0") [--unit-only | --smoke | --full] [--skip-format] [--keep-state]
|
|
|
|
Modes:
|
|
--unit-only Run only the .NET unit test project (no Docker Compose, no integration tests)
|
|
--smoke Run unit tests + a fast integration subset (~2 min target, tightened timeouts)
|
|
--full Run unit tests + the full integration suite (default if no flag is provided)
|
|
|
|
Flags:
|
|
--skip-format Skip the dotnet format --verify-no-changes check (use only for emergency runs)
|
|
--keep-state Skip the AZ-493 integration test DB-reset hook so leftover rows from the
|
|
previous run remain in Postgres. Useful for debugging a failed run.
|
|
|
|
Environment:
|
|
GOOGLE_MAPS_API_KEY Required for any integration test mode (loaded from .env or shell env).
|
|
JWT_SECRET Required for any integration test mode. Shared HMAC secret used by the
|
|
API and the integration test runner; must be at least 32 bytes (UTF-8).
|
|
Loaded from .env or shell env.
|
|
JWT_ISSUER Required for any integration test mode (AZ-494). Must match the value
|
|
the API container validates. May be a DEV-ONLY value for local runs.
|
|
JWT_AUDIENCE Required for any integration test mode (AZ-494). Same contract as
|
|
JWT_ISSUER — must match what the API container validates.
|
|
EOF
|
|
}
|
|
|
|
mode="full"
|
|
skip_format="false"
|
|
keep_state="false"
|
|
for arg in "$@"; do
|
|
case "$arg" in
|
|
--unit-only) mode="unit"; ;;
|
|
--smoke) mode="smoke"; ;;
|
|
--full) mode="full"; ;;
|
|
--skip-format) skip_format="true"; ;;
|
|
--keep-state) keep_state="true"; ;;
|
|
-h|--help) usage; exit 0; ;;
|
|
"") ;;
|
|
*) echo "Unknown argument: $arg"; usage; exit 2; ;;
|
|
esac
|
|
done
|
|
|
|
echo "=== Satellite Provider Test Suite ==="
|
|
echo "Mode: $mode"
|
|
echo ""
|
|
|
|
if [[ "$skip_format" == "true" ]]; then
|
|
echo "Step 0: Skipping dotnet format check (--skip-format)"
|
|
else
|
|
echo "Step 0: dotnet format whitespace --verify-no-changes"
|
|
if ! docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:8.0 \
|
|
dotnet format whitespace SatelliteProvider.sln --verify-no-changes; then
|
|
echo ""
|
|
echo "ERROR: Whitespace violations detected. Run 'dotnet format whitespace SatelliteProvider.sln' to fix."
|
|
exit 4
|
|
fi
|
|
echo ""
|
|
fi
|
|
|
|
if [[ "$mode" == "unit" ]]; then
|
|
echo "Running unit tests only..."
|
|
docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:8.0 \
|
|
sh -c "dotnet restore SatelliteProvider.sln && dotnet test SatelliteProvider.Tests/SatelliteProvider.Tests.csproj --no-restore --configuration Release --collect:'XPlat Code Coverage' --results-directory /src/TestResults --logger 'console;verbosity=normal'"
|
|
echo ""
|
|
echo "=== Unit tests complete (coverage written to ./TestResults/) ==="
|
|
exit 0
|
|
fi
|
|
|
|
if { [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]] || [[ -z "${JWT_SECRET:-}" ]] || [[ -z "${JWT_ISSUER:-}" ]] || [[ -z "${JWT_AUDIENCE:-}" ]]; } && [[ -f "$PROJECT_ROOT/.env" ]]; then
|
|
set -o allexport
|
|
# shellcheck disable=SC1091
|
|
source "$PROJECT_ROOT/.env"
|
|
set +o allexport
|
|
fi
|
|
|
|
if [[ -z "${GOOGLE_MAPS_API_KEY:-}" ]]; then
|
|
echo "ERROR: GOOGLE_MAPS_API_KEY is not set (export it or add to .env). Integration tests will fail."
|
|
exit 3
|
|
fi
|
|
|
|
if [[ -z "${JWT_SECRET:-}" ]]; then
|
|
echo "ERROR: JWT_SECRET is not set (export it or add to .env). API will fail to start without it."
|
|
exit 3
|
|
fi
|
|
|
|
jwt_secret_bytes=${#JWT_SECRET}
|
|
if (( jwt_secret_bytes < 32 )); then
|
|
echo "ERROR: JWT_SECRET is ${jwt_secret_bytes} bytes; HMAC-SHA256 requires at least 32 bytes."
|
|
exit 3
|
|
fi
|
|
export JWT_SECRET
|
|
|
|
if [[ -z "${JWT_ISSUER:-}" ]]; then
|
|
echo "ERROR: JWT_ISSUER is not set (export it or add to .env). API + integration tests require it (AZ-494)."
|
|
exit 3
|
|
fi
|
|
if [[ -z "${JWT_AUDIENCE:-}" ]]; then
|
|
echo "ERROR: JWT_AUDIENCE is not set (export it or add to .env). API + integration tests require it (AZ-494)."
|
|
exit 3
|
|
fi
|
|
export JWT_ISSUER
|
|
export JWT_AUDIENCE
|
|
|
|
echo "Step 1: Unit tests"
|
|
docker run --rm -v "$PROJECT_ROOT:/src" -w /src mcr.microsoft.com/dotnet/sdk:8.0 \
|
|
sh -c "dotnet restore SatelliteProvider.sln && dotnet test SatelliteProvider.Tests/SatelliteProvider.Tests.csproj --no-restore --configuration Release --collect:'XPlat Code Coverage' --results-directory /src/TestResults --logger 'console;verbosity=normal'"
|
|
|
|
echo ""
|
|
echo "Step 2: Integration tests (Docker Compose, mode=$mode, keep_state=$keep_state)"
|
|
INTEGRATION_KEEP_STATE_VALUE=""
|
|
if [[ "$keep_state" == "true" ]]; then
|
|
INTEGRATION_KEEP_STATE_VALUE="1"
|
|
fi
|
|
INTEGRATION_TESTS_MODE="$mode" \
|
|
INTEGRATION_KEEP_STATE="$INTEGRATION_KEEP_STATE_VALUE" \
|
|
docker compose \
|
|
-f "$PROJECT_ROOT/docker-compose.yml" \
|
|
-f "$PROJECT_ROOT/docker-compose.tests.yml" \
|
|
up --build --abort-on-container-exit --exit-code-from integration-tests
|
|
|
|
echo ""
|
|
echo "=== All tests passed (mode=$mode) ==="
|