azaion/satellite-provider
1
0
Fork 0
mirror of https://github.com/azaion/satellite-provider.git synced 2026-06-21 16:11:14 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
ea278afb370a43ef49e8beb9064e0c0c8dc726f4
satellite-provider/SatelliteProvider.Api/Authentication/PermissionsRequirement.cs
T
Oleksandr Bezdieniezhnykh 1802d32107 [AZ-488] UAV tile batch upload + 5-rule quality gate 
Replaces the 501 stub at POST /api/satellite/upload with a multipart
batch endpoint that ingests UAV-captured tiles, runs each item through
a 5-rule quality gate, and persists accepted tiles via the AZ-484
multi-source storage path with source='uav'.

Quality gate (in fixed order, first failure wins): JPEG format
(content-type + magic), size band 5 KiB-5 MiB, exact 256x256
dimensions, captured-at age (no future >30 s skew, no older than
7 days), luminance variance on 32x32 downsample. Closed reject-reason
enumeration in v1.0.0 contract.

Authorization: custom PermissionsRequirement / PermissionsAuthorization
Handler that reads the JWT `permissions` claim (tolerates both
repeated-string and JSON-array shapes). Endpoint protected by
RequiresGpsPermission policy; 401 without token, 403 without GPS perm.

Persistence: file-first to ./tiles/uav/{z}/{x}/{y}.jpg, then
ITileRepository.InsertAsync UPSERT (per-source UPSERT contract from
AZ-484). Per-item failures reported in response without aborting the
batch. Kestrel MaxRequestBodySize and FormOptions limits set to
MaxBatchSize x MaxBytes (default 100 x 5 MiB = 500 MiB).

New frozen contract: _docs/02_document/contracts/api/uav-tile-upload.md
v1.0.0. PT-08 NFR added to performance-tests.md as Deferred (harness
work tracked in PT-07 leftover, per AZ-488 § Risk 4).

Tests: 11 quality-gate unit tests, 5 handler unit tests, 3 file-path
unit tests, 12 permission-handler unit tests, 7 integration tests
(AC-1..AC-6, AC-8). All 253 unit tests + smoke integration suite
green.

Co-authored-by: Cursor <cursoragent@cursor.com>
2026-05-11 23:50:49 +03:00

120 lines
3.6 KiB
C#
Raw Blame History

using System.Security.Claims;
using System.Text.Json;
using Microsoft.AspNetCore.Authorization;
namespace SatelliteProvider.Api.Authentication;
// AZ-488: enforces a required permission from the `permissions` JWT claim.
// The claim may arrive as either:
// - a JWT array claim (multiple ClaimType="permissions" entries — Microsoft.IdentityModel
// splits arrays this way), OR
// - a single JSON-array string ("[\"GPS\",\"FL\"]") when a producer mis-encodes.
// Both shapes are matched so the satellite-provider remains tolerant of upstream
// producers that do not split array claims out of the box.
public sealed class PermissionsRequirement : IAuthorizationRequirement
{
public PermissionsRequirement(string requiredPermission)
{
if (string.IsNullOrWhiteSpace(requiredPermission))
{
throw new ArgumentException("Required permission must be a non-empty string.", nameof(requiredPermission));
}
RequiredPermission = requiredPermission;
}
public string RequiredPermission { get; }
}
public sealed class PermissionsAuthorizationHandler : AuthorizationHandler<PermissionsRequirement>
{
public const string ClaimType = "permissions";
protected override Task HandleRequirementAsync(AuthorizationHandlerContext context, PermissionsRequirement requirement)
{
ArgumentNullException.ThrowIfNull(context);
ArgumentNullException.ThrowIfNull(requirement);
var user = context.User;
if (user?.Identity?.IsAuthenticated != true)
{
return Task.CompletedTask;
}
if (UserHasPermission(user, requirement.RequiredPermission))
{
context.Succeed(requirement);
}
return Task.CompletedTask;
}
private static bool UserHasPermission(ClaimsPrincipal user, string requiredPermission)
{
foreach (var claim in user.FindAll(ClaimType))
{
if (string.Equals(claim.Value, requiredPermission, StringComparison.Ordinal))
{
return true;
}
if (TryReadJsonArray(claim.Value, out var values))
{
foreach (var value in values)
{
if (string.Equals(value, requiredPermission, StringComparison.Ordinal))
{
return true;
}
}
}
}
return false;
}
private static bool TryReadJsonArray(string value, out IReadOnlyList<string> items)
{
items = Array.Empty<string>();
if (string.IsNullOrWhiteSpace(value) || value[0] != '[')
{
return false;
}
try
{
using var document = JsonDocument.Parse(value);
if (document.RootElement.ValueKind != JsonValueKind.Array)
{
return false;
}
var result = new List<string>(document.RootElement.GetArrayLength());
foreach (var element in document.RootElement.EnumerateArray())
{
if (element.ValueKind == JsonValueKind.String)
{
var text = element.GetString();
if (!string.IsNullOrEmpty(text))
{
result.Add(text);
}
}
}
items = result;
return result.Count > 0;
}
catch (JsonException)
{
return false;
}
}
}
public static class SatellitePermissions
{
public const string Gps = "GPS";
public const string UavUploadPolicy = "RequiresGpsPermission";
}
Reference in New Issue View Git Blame Copy Permalink