test(evidence): live-serving integration test for getEvidenceJwks#195
Merged
Conversation
JwksEndpointIntegrationTest (extends BaseIntegrationTest: full @SpringBootTest RANDOM_PORT, real Tomcat + the Spring Security filter chain ACTIVE, Testcontainers Redis) proves the JWK Set endpoint serves over real HTTP WITHOUT an API key — the /v1/.well-known/** public-path exemption actually holds end-to-end through the filter chain, not just as an array entry (the JwksControllerTest @WebMvcTest runs with filters disabled, so it can't show this). With the evidence signing identity set via @TestPropertySource: GET /v1/.well-known/cycles-jwks.json with no header → 200 + a JWK whose x decodes to exactly the configured signer_did bytes, correct kid/cycles_nbf_ms/status, and Cache-Control: public, max-age (NOT immutable); a bogus API key still yields 200 (public, never 401). The base class's contract-validating interceptor also checks the body against the published CyclesEvidenceJwks schema (cycles-protocol@main, #113). codex review: no findings. 2 tests; test-only (impl shipped in v0.1.25.32 / #194; no production/wire/spec change).
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
What
Live-serving integration test for
getEvidenceJwksover real HTTP — the live half of the evidence authority-loop validation. Test-only (the endpoint shipped in v0.1.25.32 / #194).JwksEndpointIntegrationTestextendsBaseIntegrationTest: full@SpringBootTest(RANDOM_PORT), real Tomcat with the Spring Security filter chain ACTIVE, Testcontainers Redis. This proves what theJwksControllerTest@WebMvcTestcan't — that@WebMvcTestruns with filters disabled, so it can't show the public-path exemption actually works.Assertions
/v1/.well-known/cycles-jwks.jsonwith no API key →200(the/v1/.well-known/**permitAll+ the tenant filter's public-path skip hold end-to-end through the real chain).xdecodes to exactly the configuredsigner_didbytes;kid/cycles_nbf_ms/statusare property-backed;Cache-Control: public, max-age(NOT immutable).X-Cycles-API-Keystill yields200(a public endpoint must not turn into a 401).CyclesEvidenceJwksschema (cycles-protocol@main, fix(deps): bump Spring Boot 3.5.11→3.5.13, pin tomcat 10.1.54 (v0.1.25.16) #113).Review
codex-reviewed: no findings (confirmed it genuinely hits the real HTTP stack + filter chain, meaningful assertions, no
@TestPropertySourcecontext pollution).2 tests, green locally. Test-only — no production/wire/spec change.
Refs: #194, runcycles/cycles-protocol#113.