cameleer3-server-app/src/test/java/com/cameleer3/server/app/TestSecurityHelper.java

package com.cameleer3.server.app;

import com.cameleer3.server.core.agent.AgentRegistryService;
import com.cameleer3.server.core.security.JwtService;
import org.springframework.http.HttpHeaders;
import org.springframework.http.MediaType;
import org.springframework.stereotype.Component;

import java.util.List;
import java.util.Map;

/**
 * Test utility for creating JWT-authenticated requests in integration tests.
 * <p>
 * Registers a test agent and issues a JWT access token that can be used
 * to authenticate against protected endpoints.
 */
@Component
public class TestSecurityHelper {

    private final JwtService jwtService;
    private final AgentRegistryService agentRegistryService;

    public TestSecurityHelper(JwtService jwtService, AgentRegistryService agentRegistryService) {
        this.jwtService = jwtService;
        this.agentRegistryService = agentRegistryService;
    }

    /**
     * Registers a test agent and returns a valid JWT access token with AGENT role.
     */
    public String registerTestAgent(String agentId) {
        agentRegistryService.register(agentId, "test", "test-group", "1.0", List.of(), Map.of());
        return jwtService.createAccessToken(agentId, "test-group", List.of("AGENT"));
    }

    /**
     * Returns a valid JWT access token with the given roles (no agent registration).
     */
    public String createToken(String subject, String application, List<String> roles) {
        return jwtService.createAccessToken(subject, application, roles);
    }

    /**
     * Returns a valid JWT access token with OPERATOR role.
     */
    public String operatorToken() {
        // Subject must start with "user:" for JwtAuthenticationFilter to treat it as a UI user token
        return jwtService.createAccessToken("user:test-operator", "user", List.of("OPERATOR"));
    }

    /**
     * Returns a valid JWT access token with ADMIN role.
     */
    public String adminToken() {
        return jwtService.createAccessToken("user:test-admin", "user", List.of("ADMIN"));
    }

    /**
     * Returns a valid JWT access token with VIEWER role.
     */
    public String viewerToken() {
        return jwtService.createAccessToken("user:test-viewer", "user", List.of("VIEWER"));
    }

    /**
     * Returns HttpHeaders with JWT Bearer authorization, protocol version, and JSON content type.
     */
    public HttpHeaders authHeaders(String jwt) {
        HttpHeaders headers = new HttpHeaders();
        headers.set("Authorization", "Bearer " + jwt);
        headers.set("X-Cameleer-Protocol-Version", "1");
        headers.setContentType(MediaType.APPLICATION_JSON);
        return headers;
    }

    /**
     * Returns HttpHeaders with JWT Bearer authorization and protocol version (no content type).
     */
    public HttpHeaders authHeadersNoBody(String jwt) {
        HttpHeaders headers = new HttpHeaders();
        headers.set("Authorization", "Bearer " + jwt);
        headers.set("X-Cameleer-Protocol-Version", "1");
        return headers;
    }

    /**
     * Returns HttpHeaders with bootstrap token authorization, protocol version, and JSON content type.
     */
    public HttpHeaders bootstrapHeaders() {
        HttpHeaders headers = new HttpHeaders();
        headers.set("Authorization", "Bearer test-bootstrap-token");
        headers.set("X-Cameleer-Protocol-Version", "1");
        headers.setContentType(MediaType.APPLICATION_JSON);
        return headers;
    }
}
test(04-02): adapt all ITs for JWT auth and add 4 security integration tests - Replace TestSecurityConfig permit-all with real SecurityConfig active in tests - Create TestSecurityHelper for JWT-authenticated test requests - Update 15 existing ITs to use JWT Bearer auth and bootstrap token headers - Add SecurityFilterIT: protected/public endpoint access control (6 tests) - Add BootstrapTokenIT: registration requires valid bootstrap token (4 tests) - Add RegistrationSecurityIT: registration returns tokens + public key (3 tests) - Add JwtRefreshIT: refresh flow with valid/invalid/mismatched tokens (5 tests) - Add /error to SecurityConfig permitAll for proper error page forwarding - Exclude register and refresh paths from ProtocolVersionInterceptor - All 91 tests pass (18 new security + 73 existing) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-11 20:38:28 +01:00			`package com.cameleer3.server.app;`

			`import com.cameleer3.server.core.agent.AgentRegistryService;`
			`import com.cameleer3.server.core.security.JwtService;`
			`import org.springframework.http.HttpHeaders;`
			`import org.springframework.http.MediaType;`
			`import org.springframework.stereotype.Component;`

			`import java.util.List;`
			`import java.util.Map;`

			`/**`
			`* Test utility for creating JWT-authenticated requests in integration tests.`
			`* <p>`
			`* Registers a test agent and issues a JWT access token that can be used`
			`* to authenticate against protected endpoints.`
			`*/`
			`@Component`
			`public class TestSecurityHelper {`

			`private final JwtService jwtService;`
			`private final AgentRegistryService agentRegistryService;`

			`public TestSecurityHelper(JwtService jwtService, AgentRegistryService agentRegistryService) {`
			`this.jwtService = jwtService;`
			`this.agentRegistryService = agentRegistryService;`
			`}`

			`/**`
fix: use correct role-based JWT tokens in all integration tests Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-16 20:03:38 +01:00			`* Registers a test agent and returns a valid JWT access token with AGENT role.`
test(04-02): adapt all ITs for JWT auth and add 4 security integration tests - Replace TestSecurityConfig permit-all with real SecurityConfig active in tests - Create TestSecurityHelper for JWT-authenticated test requests - Update 15 existing ITs to use JWT Bearer auth and bootstrap token headers - Add SecurityFilterIT: protected/public endpoint access control (6 tests) - Add BootstrapTokenIT: registration requires valid bootstrap token (4 tests) - Add RegistrationSecurityIT: registration returns tokens + public key (3 tests) - Add JwtRefreshIT: refresh flow with valid/invalid/mismatched tokens (5 tests) - Add /error to SecurityConfig permitAll for proper error page forwarding - Exclude register and refresh paths from ProtocolVersionInterceptor - All 91 tests pass (18 new security + 73 existing) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-11 20:38:28 +01:00			`*/`
			`public String registerTestAgent(String agentId) {`
			`agentRegistryService.register(agentId, "test", "test-group", "1.0", List.of(), Map.of());`
fix: use correct role-based JWT tokens in all integration tests Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-16 20:03:38 +01:00			`return jwtService.createAccessToken(agentId, "test-group", List.of("AGENT"));`
			`}`

			`/**`
			`* Returns a valid JWT access token with the given roles (no agent registration).`
			`*/`
refactor: rename agent group→application across entire codebase Complete the group→application terminology rename in the agent registry subsystem: - AgentInfo: field group → application, all wither methods updated - AgentRegistryService: findByGroup → findByApplication - AgentInstanceResponse: field group → application (API response) - AgentRegistrationRequest: field group → application (API request) - JwtServiceImpl: parameter names group → application (JWT claim string "group" preserved for token backward compatibility) - All controllers, lifecycle monitor, command controller updated - Integration tests: JSON request bodies "group" → "application" - Frontend: schema.d.ts, openapi.json, agent queries, AgentHealth RBAC group references (groups table, GroupAdminController, etc.) are NOT affected — they are a separate domain concept. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-24 08:48:12 +01:00			`public String createToken(String subject, String application, List<String> roles) {`
			`return jwtService.createAccessToken(subject, application, roles);`
fix: use correct role-based JWT tokens in all integration tests Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-16 20:03:38 +01:00			`}`

			`/**`
			`* Returns a valid JWT access token with OPERATOR role.`
			`*/`
			`public String operatorToken() {`
fix: prefix user tokens with 'user:' for JwtAuthenticationFilter routing 2026-03-16 21:01:57 +01:00			`// Subject must start with "user:" for JwtAuthenticationFilter to treat it as a UI user token`
			`return jwtService.createAccessToken("user:test-operator", "user", List.of("OPERATOR"));`
fix: use correct role-based JWT tokens in all integration tests Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-16 20:03:38 +01:00			`}`

			`/**`
			`* Returns a valid JWT access token with ADMIN role.`
			`*/`
			`public String adminToken() {`
fix: prefix user tokens with 'user:' for JwtAuthenticationFilter routing 2026-03-16 21:01:57 +01:00			`return jwtService.createAccessToken("user:test-admin", "user", List.of("ADMIN"));`
fix: use correct role-based JWT tokens in all integration tests Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com> 2026-03-16 20:03:38 +01:00			`}`

			`/**`
			`* Returns a valid JWT access token with VIEWER role.`
			`*/`
			`public String viewerToken() {`
fix: prefix user tokens with 'user:' for JwtAuthenticationFilter routing 2026-03-16 21:01:57 +01:00			`return jwtService.createAccessToken("user:test-viewer", "user", List.of("VIEWER"));`
test(04-02): adapt all ITs for JWT auth and add 4 security integration tests - Replace TestSecurityConfig permit-all with real SecurityConfig active in tests - Create TestSecurityHelper for JWT-authenticated test requests - Update 15 existing ITs to use JWT Bearer auth and bootstrap token headers - Add SecurityFilterIT: protected/public endpoint access control (6 tests) - Add BootstrapTokenIT: registration requires valid bootstrap token (4 tests) - Add RegistrationSecurityIT: registration returns tokens + public key (3 tests) - Add JwtRefreshIT: refresh flow with valid/invalid/mismatched tokens (5 tests) - Add /error to SecurityConfig permitAll for proper error page forwarding - Exclude register and refresh paths from ProtocolVersionInterceptor - All 91 tests pass (18 new security + 73 existing) Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com> 2026-03-11 20:38:28 +01:00			`}`

			`/**`
			`* Returns HttpHeaders with JWT Bearer authorization, protocol version, and JSON content type.`
			`*/`
			`public HttpHeaders authHeaders(String jwt) {`
			`HttpHeaders headers = new HttpHeaders();`
			`headers.set("Authorization", "Bearer " + jwt);`
			`headers.set("X-Cameleer-Protocol-Version", "1");`
			`headers.setContentType(MediaType.APPLICATION_JSON);`
			`return headers;`
			`}`

			`/**`
			`* Returns HttpHeaders with JWT Bearer authorization and protocol version (no content type).`
			`*/`
			`public HttpHeaders authHeadersNoBody(String jwt) {`
			`HttpHeaders headers = new HttpHeaders();`
			`headers.set("Authorization", "Bearer " + jwt);`
			`headers.set("X-Cameleer-Protocol-Version", "1");`
			`return headers;`
			`}`

			`/**`
			`* Returns HttpHeaders with bootstrap token authorization, protocol version, and JSON content type.`
			`*/`
			`public HttpHeaders bootstrapHeaders() {`
			`HttpHeaders headers = new HttpHeaders();`
			`headers.set("Authorization", "Bearer test-bootstrap-token");`
			`headers.set("X-Cameleer-Protocol-Version", "1");`
			`headers.setContentType(MediaType.APPLICATION_JSON);`
			`return headers;`
			`}`
			`}`