azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 15:11:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
de609cffa1d9adf1199cb05c2c100b15df1f4e75
satellite-provider/SatelliteProvider.Tests/Authentication/JwtTokenFactoryTests.cs
T
Oleksandr Bezdieniezhnykh c396740644
ci/woodpecker/push/01-test Pipeline was successful
Details
ci/woodpecker/push/02-build-push Pipeline was successful
Details
[AZ-491] Cycle 3 batch 2: consolidate JWT test-mint helpers into TestSupport 
AZ-491 (3 SP): eliminate the cycle-2 duplicate of JWT-minting logic
that existed in both SatelliteProvider.Tests/TestUtilities/
JwtTokenFactory.cs (unit-side) and SatelliteProvider.IntegrationTests/
JwtTestHelpers.cs (integration-side), where the same Expires <
NotBefore bug needed parallel fixes in commits f64d0d7 + 11b7074.

Option A chosen: new SatelliteProvider.TestSupport class library
(no test framework) holds the canonical JwtTokenFactory.Create /
CreateExpired / TamperSignature. Both Tests and IntegrationTests
consume it via ProjectReference; production projects (Api, Common,
DataAccess, Services.*) cannot depend on it. The notBefore-shift
workaround is preserved with an inline regression-prevention comment
back-referencing the cycle-2 fix commits.

SatelliteProvider.IntegrationTests/JwtTestHelpers.cs is stripped to
runner-only concerns: ResolveSecretOrThrow, AttachDefaultAuthorization,
and the DefaultSubject = "integration-tests" constant. Call sites in
Program.cs, JwtIntegrationTests.cs, and UavUploadTests.cs (10 sites)
switched to JwtTokenFactory.* with JwtTestHelpers.DefaultSubject
explicitly passed for the runner subject - behavior parity preserved.

Dockerfile for IntegrationTests gets the new TestSupport csproj
in its pre-restore COPY layer. Api Dockerfile unchanged (TestSupport
is NOT a production dependency).

A new code-review SKILL.md Phase 6 checklist row flags near-identical
helper logic across test projects as a Medium / Maintainability
finding with explicit cycle-2 retro back-reference, so this whole
pattern stops at one occurrence.

module-layout.md adds a TestSupport Shared/Cross-Cutting entry
documenting the production-isolation invariant. tests_unit.md +
tests_integration.md updated to describe the consolidated layout.
sln updated.

Test-suite gate (AC-2 + AC-3) deferred to Step 16 Final Test Run
per implement-skill convention. Per-batch review verdict:
PASS_WITH_WARNINGS with 1 Low (pre-existing 7.0.3 version pin
preserved verbatim from cycle-2 IntegrationTests csproj for parity;
not blocking; deferred bump).

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-12 01:32:24 +03:00

96 lines
3.3 KiB
C#
Raw Blame History

using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using FluentAssertions;
using Microsoft.IdentityModel.Tokens;
using SatelliteProvider.TestSupport;
namespace SatelliteProvider.Tests.Authentication;
public class JwtTokenFactoryTests
{
private const string Secret = "factory-secret-that-is-longer-than-thirty-two-bytes-bytes";
[Fact]
public void Create_ProducesTokenValidatedByMatchingParameters()
{
// Arrange — disable inbound claim remapping so the test asserts
// the factory's actual output ("sub", "email", ...) rather than
// the framework's ClaimTypes.* aliases.
var token = JwtTokenFactory.Create(Secret, subject: "alice");
var parameters = BuildParameters(Secret);
var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
// Act
var principal = handler.ValidateToken(token, parameters, out var validatedToken);
// Assert
principal.Identity!.IsAuthenticated.Should().BeTrue();
principal.FindFirst(JwtRegisteredClaimNames.Sub)!.Value.Should().Be("alice");
validatedToken.Should().BeOfType<JwtSecurityToken>();
}
[Fact]
public void Create_WithExtraClaims_PropagatesClaimsThroughValidation()
{
// Arrange
var claims = new[]
{
new Claim("email", "alice@example.com"),
new Claim("role", "operator"),
new Claim("permissions", "GPS"),
new Claim("permissions", "FL")
};
var token = JwtTokenFactory.Create(Secret, extraClaims: claims);
var handler = new JwtSecurityTokenHandler { MapInboundClaims = false };
// Act
var principal = handler.ValidateToken(token, BuildParameters(Secret), out _);
// Assert
principal.FindAll("permissions").Select(c => c.Value).Should().BeEquivalentTo(new[] { "GPS", "FL" });
principal.FindFirst("email")!.Value.Should().Be("alice@example.com");
}
[Fact]
public void CreateExpired_TokenFailsValidationWithLifetimeException()
{
// Arrange
var token = JwtTokenFactory.CreateExpired(Secret);
var handler = new JwtSecurityTokenHandler();
// Act
var act = () => handler.ValidateToken(token, BuildParameters(Secret), out _);
// Assert
act.Should().Throw<SecurityTokenExpiredException>();
}
[Fact]
public void TamperSignature_TokenFailsValidationWithSignatureException()
{
// Arrange
var token = JwtTokenFactory.Create(Secret);
var tampered = JwtTokenFactory.TamperSignature(token);
var handler = new JwtSecurityTokenHandler();
// Act
var act = () => handler.ValidateToken(tampered, BuildParameters(Secret), out _);
// Assert
act.Should().Throw<SecurityTokenInvalidSignatureException>();
}
private static TokenValidationParameters BuildParameters(string secret) => new()
{
ValidateIssuerSigningKey = true,
IssuerSigningKey = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(secret)),
ValidateLifetime = true,
ClockSkew = TimeSpan.FromSeconds(30),
ValidateIssuer = false,
ValidateAudience = false,
RequireSignedTokens = true,
RequireExpirationTime = true
};
}
Reference in New Issue View Git Blame Copy Permalink