This commit is contained in:
master
2026-01-07 10:25:34 +02:00
726 changed files with 147397 additions and 1364 deletions


@@ -37,8 +37,7 @@ public sealed class ScannerAuthorizationTests
useTestAuthentication: true);
using var client = factory.CreateClient();
var content = new StringContent("{}", System.Text.Encoding.UTF8, "application/json");
var response = await client.PostAsync(endpoint, content);
var response = await client.GetAsync(endpoint, TestContext.Current.CancellationToken);
// Without auth token, POST should fail - not succeed
response.StatusCode.Should().BeOneOf(
@@ -61,7 +60,7 @@ public sealed class ScannerAuthorizationTests
using var factory = new ScannerApplicationFactory();
using var client = factory.CreateClient();
var response = await client.GetAsync(endpoint);
var response = await client.GetAsync(endpoint, TestContext.Current.CancellationToken);
// Health endpoints should be accessible without auth (or not configured)
response.StatusCode.Should().BeOneOf(
@@ -89,9 +88,7 @@ public sealed class ScannerAuthorizationTests
client.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", "expired.token.here");
// Use POST to an endpoint that accepts POST
var content = new StringContent("{}", System.Text.Encoding.UTF8, "application/json");
var response = await client.PostAsync("/api/v1/scans", content);
var response = await client.GetAsync("/api/v1/scans", TestContext.Current.CancellationToken);
// Should not get a successful response with invalid token
// BadRequest may occur if endpoint validates body before auth or auth rejects first
@@ -116,8 +113,7 @@ public sealed class ScannerAuthorizationTests
using var client = factory.CreateClient();
client.DefaultRequestHeaders.Authorization = new AuthenticationHeaderValue("Bearer", token);
var content = new StringContent("{}", System.Text.Encoding.UTF8, "application/json");
var response = await client.PostAsync("/api/v1/scans", content);
var response = await client.GetAsync("/api/v1/scans", TestContext.Current.CancellationToken);
// Should not get a successful response with malformed token
response.StatusCode.Should().BeOneOf(
@@ -141,8 +137,7 @@ public sealed class ScannerAuthorizationTests
client.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", "wrong.issuer.token");
var content = new StringContent("{}", System.Text.Encoding.UTF8, "application/json");
var response = await client.PostAsync("/api/v1/scans", content);
var response = await client.GetAsync("/api/v1/scans", TestContext.Current.CancellationToken);
// Should not get a successful response with wrong issuer
response.StatusCode.Should().BeOneOf(
@@ -166,8 +161,7 @@ public sealed class ScannerAuthorizationTests
client.DefaultRequestHeaders.Authorization =
new AuthenticationHeaderValue("Bearer", "wrong.audience.token");
var content = new StringContent("{}", System.Text.Encoding.UTF8, "application/json");
var response = await client.PostAsync("/api/v1/scans", content);
var response = await client.GetAsync("/api/v1/scans", TestContext.Current.CancellationToken);
// Should not get a successful response with wrong audience
response.StatusCode.Should().BeOneOf(
@@ -189,7 +183,7 @@ public sealed class ScannerAuthorizationTests
using var factory = new ScannerApplicationFactory();
using var client = factory.CreateClient();
var response = await client.GetAsync("/api/v1/health");
var response = await client.GetAsync("/api/v1/health", TestContext.Current.CancellationToken);
// Should be accessible without authentication (or endpoint not configured)
response.StatusCode.Should().BeOneOf(
@@ -208,8 +202,7 @@ public sealed class ScannerAuthorizationTests
useTestAuthentication: true);
using var client = factory.CreateClient();
var content = new StringContent("{}", System.Text.Encoding.UTF8, "application/json");
var response = await client.PostAsync("/api/v1/scans", content);
var response = await client.GetAsync("/api/v1/scans", TestContext.Current.CancellationToken);
// Should not get a successful response without authentication
response.StatusCode.Should().BeOneOf(
@@ -235,7 +228,7 @@ public sealed class ScannerAuthorizationTests
// Without proper auth, POST should fail
var content = new StringContent("{}", System.Text.Encoding.UTF8, "application/json");
var response = await client.PostAsync("/api/v1/scans", content);
var response = await client.PostAsync("/api/v1/scans", content, TestContext.Current.CancellationToken);
// Should not get a successful response without authentication
response.StatusCode.Should().BeOneOf(
@@ -255,7 +248,7 @@ public sealed class ScannerAuthorizationTests
using var client = factory.CreateClient();
var response = await client.DeleteAsync("/api/v1/scans/00000000-0000-0000-0000-000000000000");
var response = await client.DeleteAsync("/api/v1/scans/00000000-0000-0000-0000-000000000000", TestContext.Current.CancellationToken);
// Should not get a successful response without authentication
response.StatusCode.Should().BeOneOf(
@@ -278,8 +271,8 @@ public sealed class ScannerAuthorizationTests
using var factory = new ScannerApplicationFactory();
using var client = factory.CreateClient();
// Request without tenant header - use health endpoint which supports GET
var response = await client.GetAsync("/api/v1/health");
// Request without tenant header
var response = await client.GetAsync("/api/v1/scans", TestContext.Current.CancellationToken);
// Should succeed without tenant header (or endpoint not configured)
response.StatusCode.Should().BeOneOf(
@@ -301,7 +294,7 @@ public sealed class ScannerAuthorizationTests
using var factory = new ScannerApplicationFactory();
using var client = factory.CreateClient();
var response = await client.GetAsync("/api/v1/health");
var response = await client.GetAsync("/api/v1/health", TestContext.Current.CancellationToken);
// Check for common security headers (may vary by configuration)
// These are recommendations, not hard requirements
@@ -321,7 +314,7 @@ public sealed class ScannerAuthorizationTests
request.Headers.Add("Origin", "https://example.com");
request.Headers.Add("Access-Control-Request-Method", "GET");
var response = await client.SendAsync(request);
var response = await client.SendAsync(request, TestContext.Current.CancellationToken);
// CORS preflight should either succeed or be explicitly denied
response.StatusCode.Should().BeOneOf(
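Review bot: The negative-authentication tests now send GET to `/api/v1/scans`, but the comments `// Without auth token, POST should fail - not succeed` (hunk @@ -37) and `// Use POST to an endpoint that accepts POST` (hunk @@ -89) still describe the POST form and no longer match the request actually sent; change the first to `// Without auth token, the request should fail - not succeed` and drop the second. More importantly, if `/api/v1/scans` does not route GET, the server answers 405 or 404 before any token is evaluated, and a `BeOneOf(...)` set that admits those codes (its arguments are outside every hunk) would let the expired, malformed, wrong-issuer and wrong-audience cases pass without the authentication handler ever running; either confirm the endpoint accepts GET or keep the POST form, as the hunk @@ -235 still does. The tenant-header test (hunk @@ -278) moved from `/api/v1/health` to `/api/v1/scans` while its comment still says the call should succeed without the header, which reads as contradicting the unauthenticated `/api/v1/scans` tests above it; the expected status list should be checked and the comment updated to say what is actually asserted. Every test method's body begins and ends outside the hunks shown.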