secure gx10 device management writes

2026-06-18 18:15:14 -05:00
parent 09dce583bb
commit adafbb41f7
3 changed files with 85 additions and 12 deletions
--- a/tests/bluejay-infra-lint/FleetManifestLintTests.cs
+++ b/tests/bluejay-infra-lint/FleetManifestLintTests.cs
@@ -999,6 +999,26 @@ public sealed class FleetManifestLintTests
        gatewayManifest.Should().Contain("port: 5400");
    }

+    [Fact]
+    public void Gx10DeviceManagementWriteApis_RequireRuntimeBackedOperatorAuth()
+    {
+        var web = Gx10DeploymentContainer("fc-devicemgmt", "deployment-fc-devicemgmt-web.json");
+
+        JsonEnvValue(web, "FlowerCore__Auth__Enabled").Should().Be("true");
+        JsonEnvSecretName(web, "Auth__ApiKey").Should().Be("fc-devicemgmt-runtime");
+        JsonEnvSecretKey(web, "Auth__ApiKey").Should().Be("DEVICE_MANAGEMENT_OPERATOR_API_KEY");
+        JsonEnvSecretOptional(web, "Auth__ApiKey").Should().BeNull();
+        JsonEnvSecretName(web, "FlowerCore__Auth__ApiKey").Should().Be("fc-devicemgmt-runtime");
+        JsonEnvSecretKey(web, "FlowerCore__Auth__ApiKey").Should().Be("DEVICE_MANAGEMENT_OPERATOR_API_KEY");
+        JsonEnvSecretOptional(web, "FlowerCore__Auth__ApiKey").Should().BeNull();
+        JsonEnvSecretName(web, "Auth__AdminApiKey").Should().Be("fc-devicemgmt-runtime");
+        JsonEnvSecretKey(web, "Auth__AdminApiKey").Should().Be("DEVICE_MANAGEMENT_ADMIN_API_KEY");
+        JsonEnvSecretOptional(web, "Auth__AdminApiKey").Should().BeNull();
+        JsonEnvSecretName(web, "FlowerCore__Auth__AdminApiKey").Should().Be("fc-devicemgmt-runtime");
+        JsonEnvSecretKey(web, "FlowerCore__Auth__AdminApiKey").Should().Be("DEVICE_MANAGEMENT_ADMIN_API_KEY");
+        JsonEnvSecretOptional(web, "FlowerCore__Auth__AdminApiKey").Should().BeNull();
+    }
+
    [Fact]
    public void Gx10PhpTenantRoutes_HaveEdgeControlSubstrate()
    {
@@ -1448,9 +1468,13 @@ public sealed class FleetManifestLintTests

    private static bool? JsonEnvSecretOptional(JsonElement container, string name)
    {
-        return JsonEnvMapping(container, name) is { } env
-            ? env.GetProperty("valueFrom").GetProperty("secretKeyRef").GetProperty("optional").GetBoolean()
-            : null;
+        if (JsonEnvMapping(container, name) is not { } env)
+        {
+            return null;
+        }
+
+        var secretKeyRef = env.GetProperty("valueFrom").GetProperty("secretKeyRef");
+        return secretKeyRef.TryGetProperty("optional", out var optional) ? optional.GetBoolean() : null;
    }

    private static string? JsonEnvValue(JsonElement container, string name)