docs consolidation

2026-01-07 10:23:21 +02:00
parent 4789027317
commit 044cf0923c
515 changed files with 5460 additions and 5292 deletions
--- a/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ScannerApplicationFactory.cs
+++ b/src/Scanner/__Tests/StellaOps.Scanner.WebService.Tests/ScannerApplicationFactory.cs
@@ -1,11 +1,16 @@
 using System.Collections.Generic;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
 using System.Threading.Tasks;
+using Microsoft.AspNetCore.Authentication;
 using Microsoft.AspNetCore.Hosting;
 using Microsoft.AspNetCore.Mvc.Testing;
 using Microsoft.AspNetCore.TestHost;
 using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
 using Npgsql;
 using StellaOps.Infrastructure.Postgres.Testing;
 using StellaOps.Scanner.Reachability.Slices;
@@ -44,6 +49,7 @@ public sealed class ScannerApplicationFactory : WebApplicationFactory<ServiceSta

    private Action<IDictionary<string, string?>>? configureConfiguration;
    private Action<IServiceCollection>? configureServices;
+    private bool useTestAuthentication;

    public ScannerApplicationFactory()
    {
@@ -69,10 +75,12 @@ public sealed class ScannerApplicationFactory : WebApplicationFactory<ServiceSta

    public ScannerApplicationFactory WithOverrides(
        Action<IDictionary<string, string?>>? configureConfiguration = null,
-        Action<IServiceCollection>? configureServices = null)
+        Action<IServiceCollection>? configureServices = null,
+        bool useTestAuthentication = false)
    {
        this.configureConfiguration = configureConfiguration;
        this.configureServices = configureServices;
+        this.useTestAuthentication = useTestAuthentication;
        return this;
    }

@@ -146,6 +154,17 @@ public sealed class ScannerApplicationFactory : WebApplicationFactory<ServiceSta
            services.RemoveAll<ISurfaceValidatorRunner>();
            services.AddSingleton<ISurfaceValidatorRunner, TestSurfaceValidatorRunner>();
            services.TryAddSingleton<ISliceQueryService, NullSliceQueryService>();
+
+            if (useTestAuthentication)
+            {
+                // Replace real JWT authentication with test handler
+                services.AddAuthentication(options =>
+                {
+                    options.DefaultAuthenticateScheme = TestAuthenticationHandler.SchemeName;
+                    options.DefaultChallengeScheme = TestAuthenticationHandler.SchemeName;
+                }).AddScheme<AuthenticationSchemeOptions, TestAuthenticationHandler>(
+                    TestAuthenticationHandler.SchemeName, _ => { });
+            }
        });
    }

@@ -237,4 +256,68 @@ public sealed class ScannerApplicationFactory : WebApplicationFactory<ServiceSta
                RecomputedDigest = request.SliceDigest ?? "sha256:null"
            });
    }
+
+    /// <summary>
+    /// Test authentication handler for security integration tests.
+    /// Validates tokens based on simple rules for testing authorization behavior.
+    /// </summary>
+    internal sealed class TestAuthenticationHandler : AuthenticationHandler<AuthenticationSchemeOptions>
+    {
+        public const string SchemeName = "TestBearer";
+
+        public TestAuthenticationHandler(
+            IOptionsMonitor<AuthenticationSchemeOptions> options,
+            ILoggerFactory logger,
+            UrlEncoder encoder)
+            : base(options, logger, encoder)
+        {
+        }
+
+        protected override Task<AuthenticateResult> HandleAuthenticateAsync()
+        {
+            if (!Request.Headers.TryGetValue("Authorization", out var authorization) || authorization.Count == 0)
+            {
+                return Task.FromResult(AuthenticateResult.NoResult());
+            }
+
+            var header = authorization[0];
+            if (string.IsNullOrWhiteSpace(header) || !header.StartsWith("Bearer ", StringComparison.OrdinalIgnoreCase))
+            {
+                return Task.FromResult(AuthenticateResult.Fail("Invalid authentication scheme."));
+            }
+
+            var tokenValue = header.Substring("Bearer ".Length);
+
+            // Reject malformed/expired/invalid test tokens
+            if (string.IsNullOrWhiteSpace(tokenValue) ||
+                tokenValue == "expired.token.here" ||
+                tokenValue == "wrong.issuer.token" ||
+                tokenValue == "wrong.audience.token" ||
+                tokenValue == "not-a-jwt" ||
+                tokenValue.StartsWith("Bearer ") ||
+                !tokenValue.Contains('.') ||
+                tokenValue.Split('.').Length < 3)
+            {
+                return Task.FromResult(AuthenticateResult.Fail("Invalid token."));
+            }
+
+            // Valid test token format: scopes separated by spaces or a valid JWT-like format
+            var claims = new List<Claim> { new Claim(ClaimTypes.NameIdentifier, "test-user") };
+
+            // Extract scopes from token if it looks like "scope1 scope2"
+            if (!tokenValue.Contains('.'))
+            {
+                var scopes = tokenValue.Split(' ', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries);
+                if (scopes.Length > 0)
+                {
+                    claims.Add(new Claim("scope", string.Join(' ', scopes)));
+                }
+            }
+
+            var identity = new ClaimsIdentity(claims, SchemeName);
+            var principal = new ClaimsPrincipal(identity);
+            var ticket = new AuthenticationTicket(principal, SchemeName);
+            return Task.FromResult(AuthenticateResult.Success(ticket));
+        }
+    }
 }