dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(centralui): Secured Writes page — operator submit + verifier queue + history (T14b)

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-18 03:34:08 -04:00
parent b08bfae329
commit 1a7e735149
7 changed files with 972 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/ZB.MOM.WW.ScadaBridge.CentralUI/Components/Layout/NavMenu.razor
+24
View File
@@ -83,6 +83,30 @@
</Authorized>
</AuthorizeView>
@* Operations — Secured Writes (M7 T14b). Two-person MxGateway write workflow:
Operator submits, a different Verifier approves/rejects. The section must show
for Operator OR Verifier. There is no combined policy, so the OR is expressed
as: Operator → render; otherwise (NotAuthorized) fall through to a Verifier
check. This renders the section EXACTLY ONCE for a user holding either (or both)
roles — important in dev where DisableLogin grants one identity every role —
and hides the heading entirely from a user with neither. *@
<AuthorizeView Policy="@AuthorizationPolicies.RequireOperator">
<Authorized Context="operationsOperatorContext">
<NavRailSection Title="Operations" Key="operations">
<NavRailItem Href="/operations/secured-writes" Text="Secured Writes" />
</NavRailSection>
</Authorized>
<NotAuthorized Context="operationsNonOperatorContext">
<AuthorizeView Policy="@AuthorizationPolicies.RequireVerifier">
<Authorized Context="operationsVerifierContext">
<NavRailSection Title="Operations" Key="operations">
<NavRailItem Href="/operations/secured-writes" Text="Secured Writes" />
</NavRailSection>
</Authorized>
</AuthorizeView>
</NotAuthorized>
</AuthorizeView>
@* Monitoring — Health Dashboard is all-roles; Event Logs and
Parked Messages are Deployer-role only (Component-CentralUI).
The section is ungated because Health Dashboard is always
src/ZB.MOM.WW.ScadaBridge.CentralUI/Components/Pages/Operations/SecuredWrites.razor
+382
View File
@@ -0,0 +1,382 @@
@page "/operations/secured-writes"
@attribute [Authorize]
@using ZB.MOM.WW.ScadaBridge.CentralUI.Services
@using ZB.MOM.WW.ScadaBridge.Commons.Entities.Sites
@using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories
@using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management
@using ZB.MOM.WW.ScadaBridge.Commons.Types.Enums
@using ZB.MOM.WW.ScadaBridge.Security
@inject ISecuredWriteService SecuredWriteSvc
@inject ISiteRepository SiteRepository
@inject AuthenticationStateProvider AuthStateProvider
@inject IDialogService Dialog
@inject ILogger<SecuredWrites> Logger
@* Secured Writes (M7 OPC UA / MxGateway UX, Task C5 / T14b). Two-person workflow:
an Operator submits a write against an MxGateway connection; a DIFFERENT Verifier
approves (which relays the write to the device) or rejects. This page only SUBMITS
commands — the server (ManagementActor) enforces roles, the no-self-approval guard,
the device relay, and the audit trail. Dev caveat: with DisableLogin on, one identity
holds every role, so both role regions render; approve/reject on a row this user
submitted is disabled (the server rejects it too, but the UI surfaces it up front). *@
<div class="container-fluid mt-3" data-test="secured-writes">
<ToastNotification @ref="_toast" />
<div class="d-flex align-items-baseline flex-wrap mb-3">
<h4 class="mb-0 me-3">Secured Writes</h4>
<span class="text-muted small">Two-person MxGateway writes — operator submits, a different verifier approves.</span>
</div>
@* ── Operator region: submit form ───────────────────────────────────── *@
<AuthorizeView Policy="@AuthorizationPolicies.RequireOperator">
<Authorized Context="operatorContext">
<div class="card mb-4" data-test="secured-write-submit-region">
<div class="card-header py-2"><strong>Submit a secured write</strong> <span class="text-muted small">(Operator)</span></div>
<div class="card-body">
<div class="row g-3">
<div class="col-md-4">
<label class="form-label form-label-sm">Site</label>
<select class="form-select form-select-sm" @bind="_formSiteIdentifier" data-test="secured-write-site">
<option value="">— select site —</option>
@foreach (var site in _sites)
{
<option value="@site.SiteIdentifier">@site.Name</option>
}
</select>
</div>
<div class="col-md-4">
<label class="form-label form-label-sm">MxGateway connection</label>
<select class="form-select form-select-sm" @bind="_formConnectionName" data-test="secured-write-connection"
disabled="@(MxConnectionsForForm.Count == 0)">
<option value="">@(MxConnectionsForForm.Count == 0 ? "— no MxGateway connections —" : "— select connection —")</option>
@foreach (var conn in MxConnectionsForForm)
{
<option value="@conn.Name">@conn.Name</option>
}
</select>
</div>
<div class="col-md-4">
<label class="form-label form-label-sm">Tag path</label>
<input class="form-control form-control-sm" @bind="_formTagPath"
placeholder="e.g. PLC1.Pump.Setpoint" data-test="secured-write-tagpath" />
</div>
<div class="col-md-4">
<label class="form-label form-label-sm">Value</label>
<input class="form-control form-control-sm" @bind="_formValue" data-test="secured-write-value" />
</div>
<div class="col-md-4">
<label class="form-label form-label-sm">Data type</label>
<select class="form-select form-select-sm" @bind="_formValueType" data-test="secured-write-datatype">
@foreach (var dt in Enum.GetNames<DataType>())
{
<option value="@dt">@dt</option>
}
</select>
</div>
<div class="col-md-4">
<label class="form-label form-label-sm">Comment <span class="text-muted">(optional)</span></label>
<input class="form-control form-control-sm" @bind="_formComment" data-test="secured-write-comment" />
</div>
</div>
<div class="mt-3">
<button class="btn btn-primary btn-sm" @onclick="Submit"
disabled="@(_submitting || !CanSubmit)" data-test="secured-write-submit">
@if (_submitting)
{
<span class="spinner-border spinner-border-sm me-1" role="status"></span>
}
Submit for verification
</button>
</div>
</div>
</div>
</Authorized>
</AuthorizeView>
@* ── Verifier region: pending queue ─────────────────────────────────── *@
<AuthorizeView Policy="@AuthorizationPolicies.RequireVerifier">
<Authorized Context="verifierContext">
<div class="card mb-4" data-test="secured-write-pending-region">
<div class="card-header py-2"><strong>Pending verification</strong> <span class="text-muted small">(Verifier)</span></div>
<div class="card-body p-0">
@if (_pending.Count == 0)
{
<p class="text-muted small p-3 mb-0">No pending secured writes.</p>
}
else
{
<table class="table table-sm table-hover mb-0 align-middle">
<thead>
<tr>
<th>Site</th>
<th>Connection</th>
<th>Tag</th>
<th>Value</th>
<th>Type</th>
<th>Operator</th>
<th>Submitted</th>
<th class="text-end">Actions</th>
</tr>
</thead>
<tbody>
@foreach (var row in _pending)
{
var isOwn = string.Equals(row.OperatorUser, _currentUsername, StringComparison.OrdinalIgnoreCase);
<tr @key="row.Id" data-test="secured-write-pending-row">
<td>@row.SiteId</td>
<td>@row.ConnectionName</td>
<td><code>@row.TagPath</code></td>
<td>@row.ValueJson</td>
<td>@row.ValueType</td>
<td>@row.OperatorUser</td>
<td class="text-nowrap">@row.SubmittedAtUtc.ToString("u")</td>
<td class="text-end text-nowrap">
@if (isOwn)
{
<span class="text-muted small me-2" data-test="secured-write-own-note">your submission</span>
}
<button class="btn btn-outline-success btn-sm me-1"
@onclick="() => Approve(row)"
disabled="@(isOwn || _actionInProgress)"
data-test="secured-write-approve">
Approve
</button>
<button class="btn btn-outline-danger btn-sm"
@onclick="() => Reject(row)"
disabled="@(isOwn || _actionInProgress)"
data-test="secured-write-reject">
Reject
</button>
</td>
</tr>
}
</tbody>
</table>
}
</div>
</div>
</Authorized>
</AuthorizeView>
@* ── History region: terminal rows (any authenticated user) ─────────── *@
<div class="card" data-test="secured-write-history-region">
<div class="card-header py-2"><strong>History</strong> <span class="text-muted small">(decided / executed)</span></div>
<div class="card-body p-0">
@if (_history.Count == 0)
{
<p class="text-muted small p-3 mb-0">No completed secured writes.</p>
}
else
{
<table class="table table-sm mb-0 align-middle">
<thead>
<tr>
<th>Site</th>
<th>Connection</th>
<th>Tag</th>
<th>Value</th>
<th>Status</th>
<th>Operator</th>
<th>Verifier</th>
<th>Submitted</th>
<th>Decided</th>
<th>Executed</th>
<th>Error</th>
</tr>
</thead>
<tbody>
@foreach (var row in _history)
{
<tr @key="row.Id" data-test="secured-write-history-row">
<td>@row.SiteId</td>
<td>@row.ConnectionName</td>
<td><code>@row.TagPath</code></td>
<td>@row.ValueJson</td>
<td><span class="badge @StatusBadgeClass(row.Status)">@row.Status</span></td>
<td>@row.OperatorUser</td>
<td>@(row.VerifierUser ?? "—")</td>
<td class="text-nowrap">@row.SubmittedAtUtc.ToString("u")</td>
<td class="text-nowrap">@(row.DecidedAtUtc?.ToString("u") ?? "—")</td>
<td class="text-nowrap">@(row.ExecutedAtUtc?.ToString("u") ?? "—")</td>
<td class="text-danger small">@(row.ExecutionError ?? "")</td>
</tr>
}
</tbody>
</table>
}
</div>
</div>
</div>
@code {
private ToastNotification _toast = default!;
private IReadOnlyList<Site> _sites = Array.Empty<Site>();
private readonly Dictionary<string, IReadOnlyList<DataConnection>> _connectionsBySite = new(StringComparer.Ordinal);
private List<SecuredWriteDto> _pending = new();
private List<SecuredWriteDto> _history = new();
private string _currentUsername = ClaimsPrincipalExtensions.UnknownUser;
// Submit-form state.
private string _formSiteIdentifier = "";
private string _formConnectionName = "";
private string _formTagPath = "";
private string _formValue = "";
private string _formValueType = nameof(DataType.Boolean);
private string _formComment = "";
private bool _submitting;
private bool _actionInProgress;
/// <summary>Terminal statuses surfaced in the History table.</summary>
private static readonly string[] TerminalStatuses = ["Executed", "Failed", "Rejected", "Expired"];
private IReadOnlyList<DataConnection> MxConnectionsForForm =>
string.IsNullOrEmpty(_formSiteIdentifier) || !_connectionsBySite.TryGetValue(_formSiteIdentifier, out var conns)
? Array.Empty<DataConnection>()
: conns.Where(c => string.Equals(c.Protocol, "MxGateway", StringComparison.OrdinalIgnoreCase)).ToList();
private bool CanSubmit =>
!string.IsNullOrWhiteSpace(_formSiteIdentifier)
&& !string.IsNullOrWhiteSpace(_formConnectionName)
&& !string.IsNullOrWhiteSpace(_formTagPath)
&& !string.IsNullOrWhiteSpace(_formValue);
protected override async Task OnInitializedAsync()
{
_currentUsername = await AuthStateProvider.GetCurrentUsernameAsync();
await LoadSitesAsync();
await RefreshListsAsync();
}
private async Task LoadSitesAsync()
{
try
{
_sites = await SiteRepository.GetAllSitesAsync();
foreach (var site in _sites)
{
_connectionsBySite[site.SiteIdentifier] =
await SiteRepository.GetDataConnectionsBySiteIdAsync(site.Id);
}
}
catch (Exception ex)
{
Logger.LogError(ex, "Failed to load sites/connections for the Secured Writes form.");
_toast.ShowError("Failed to load sites.");
}
}
private async Task RefreshListsAsync()
{
var all = await SecuredWriteSvc.ListAsync(status: null, siteId: null);
_pending = all.Where(w => string.Equals(w.Status, "Pending", StringComparison.OrdinalIgnoreCase)).ToList();
_history = all.Where(w => TerminalStatuses.Contains(w.Status, StringComparer.OrdinalIgnoreCase)).ToList();
}
private async Task Submit()
{
if (!CanSubmit) return;
_submitting = true;
try
{
var result = await SecuredWriteSvc.SubmitAsync(
_formSiteIdentifier, _formConnectionName, _formTagPath,
_formValue, _formValueType,
string.IsNullOrWhiteSpace(_formComment) ? null : _formComment);
if (result.Success)
{
_toast.ShowSuccess("Secured write submitted for verification.");
_formTagPath = "";
_formValue = "";
_formComment = "";
await RefreshListsAsync();
}
else
{
_toast.ShowError(result.Error ?? "Submit failed.");
}
}
finally
{
_submitting = false;
}
}
private async Task Approve(SecuredWriteDto row)
{
var confirmed = await Dialog.ConfirmAsync(
"Approve secured write",
$"Approving will write to the device.\n\n" +
$"Site: {row.SiteId}\nConnection: {row.ConnectionName}\nTag: {row.TagPath}\n" +
$"Value: {row.ValueJson} ({row.ValueType})\nOperator: {row.OperatorUser}",
danger: true);
if (!confirmed) return;
_actionInProgress = true;
try
{
var result = await SecuredWriteSvc.ApproveAsync(row.Id, comment: null);
if (result.Success)
{
var status = result.Dto?.Status ?? "decided";
if (string.Equals(status, "Executed", StringComparison.OrdinalIgnoreCase))
{
_toast.ShowSuccess("Secured write approved and executed.");
}
else
{
_toast.ShowWarning($"Secured write approved but not executed (status: {status}).");
}
await RefreshListsAsync();
}
else
{
_toast.ShowError(result.Error ?? "Approve failed.");
}
}
finally
{
_actionInProgress = false;
}
}
private async Task Reject(SecuredWriteDto row)
{
var confirmed = await Dialog.ConfirmAsync(
"Reject secured write",
$"Reject the secured write to {row.SiteId}/{row.ConnectionName}/{row.TagPath}?",
danger: true);
if (!confirmed) return;
_actionInProgress = true;
try
{
var result = await SecuredWriteSvc.RejectAsync(row.Id, comment: null);
if (result.Success)
{
_toast.ShowSuccess("Secured write rejected.");
await RefreshListsAsync();
}
else
{
_toast.ShowError(result.Error ?? "Reject failed.");
}
}
finally
{
_actionInProgress = false;
}
}
private static string StatusBadgeClass(string status) => status switch
{
"Executed" => "text-bg-success",
"Failed" => "text-bg-danger",
"Rejected" => "text-bg-secondary",
"Expired" => "text-bg-secondary",
_ => "text-bg-light"
};
}
src/ZB.MOM.WW.ScadaBridge.CentralUI/ServiceCollectionExtensions.cs
+8
View File
@@ -93,6 +93,14 @@ public static class ServiceCollectionExtensions
services.AddScoped<IInstanceSnapshotClient, CommunicationInstanceSnapshotClient>();
services.AddScoped<IAlarmSummaryService, AlarmSummaryService>();
// Secured Writes (M7 T14b): dispatches the two-person secured-write commands
// (submit / approve / reject / list) to the central ManagementActor through the
// in-process ManagementActorHolder seam — the same Ask path the HTTP /management
// endpoint uses. The server stays the single enforcer of role gating,
// separation-of-duties (no self-approval), the MxGateway device relay on approve,
// and the append-only audit trail; the page only SUBMITS commands.
services.AddScoped<ISecuredWriteService, SecuredWriteService>();
// Roslyn-backed C# analysis for the Monaco script editor.
// Scoped because SharedScriptCatalog wraps a scoped service.
services.AddMemoryCache(o => o.SizeLimit = 200);
src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/ISecuredWriteService.cs
+104
View File
@@ -0,0 +1,104 @@
using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
/// <summary>
/// Outcome of a single secured-write command dispatch. Wraps either the resulting
/// <see cref="SecuredWriteDto"/> (on success) or a human-readable error, so the page
/// can render an inline result/toast rather than reasoning about transport exceptions
/// or the three management response shapes.
/// </summary>
/// <param name="Success">Whether the command succeeded.</param>
/// <param name="Dto">The resulting secured-write row when <paramref name="Success"/> is <c>true</c>; otherwise <c>null</c>.</param>
/// <param name="Error">A human-readable error message when <paramref name="Success"/> is <c>false</c>; otherwise <c>null</c>.</param>
public record SecuredWriteActionResult(bool Success, SecuredWriteDto? Dto, string? Error)
{
/// <summary>Creates a successful result wrapping <paramref name="dto"/>.</summary>
/// <param name="dto">The secured-write row the command produced.</param>
/// <returns>A successful <see cref="SecuredWriteActionResult"/>.</returns>
public static SecuredWriteActionResult Ok(SecuredWriteDto dto) => new(true, dto, null);
/// <summary>Creates a failed result carrying <paramref name="error"/>.</summary>
/// <param name="error">The human-readable failure message.</param>
/// <returns>A failed <see cref="SecuredWriteActionResult"/>.</returns>
public static SecuredWriteActionResult Fail(string error) => new(false, null, error);
}
/// <summary>
/// CentralUI facade over the two-person ("secured") write management commands
/// (M7 OPC UA / MxGateway UX, Task T14b — page C5). It dispatches the strongly-typed
/// <c>SubmitSecuredWriteCommand</c> / <c>ApproveSecuredWriteCommand</c> /
/// <c>RejectSecuredWriteCommand</c> / <c>ListSecuredWritesCommand</c> to the central
/// <c>ManagementActor</c> through the in-process <c>ManagementActorHolder</c> seam —
/// the SAME path the HTTP <c>/management</c> endpoint uses — so the server remains the
/// single enforcer of role gating, separation-of-duties (no self-approval), the actual
/// MxGateway device relay on approve, and the append-only audit trail.
/// </summary>
/// <remarks>
/// The page itself performs NO device I/O and re-implements NO security logic: every
/// mutation is a command submitted to the server. The current user's claims are mapped
/// to an <see cref="AuthenticatedUser"/> so the actor's role check and no-self-approval
/// guard run against the real principal. <c>ManagementUnauthorized</c> /
/// <c>ManagementError</c> / transport failures collapse into a typed
/// <see cref="SecuredWriteActionResult"/> so the page renders an inline outcome rather
/// than throwing.
/// </remarks>
public interface ISecuredWriteService
{
/// <summary>
/// Submits a new pending secured write (Operator action). The target connection
/// must exist within <paramref name="siteId"/> and use the MxGateway protocol —
/// both validated server-side.
/// </summary>
/// <param name="siteId">Site identifier the write targets.</param>
/// <param name="connectionName">MxGateway data connection name within the site.</param>
/// <param name="tagPath">Fully-qualified tag path the value is written to.</param>
/// <param name="valueJson">JSON-serialised value to write.</param>
/// <param name="valueType">Target data type name (e.g. <c>Boolean</c>, <c>Double</c>).</param>
/// <param name="comment">Optional free-text comment supplied by the operator.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task resolving to the submit outcome.</returns>
Task<SecuredWriteActionResult> SubmitAsync(
string siteId,
string connectionName,
string tagPath,
string valueJson,
string valueType,
string? comment,
CancellationToken cancellationToken = default);
/// <summary>
/// Approves (and triggers execution of) a pending secured write (Verifier action).
/// The server enforces that the approver differs from the submitter and runs the
/// device relay.
/// </summary>
/// <param name="id">Identity of the pending secured write.</param>
/// <param name="comment">Optional free-text comment supplied by the verifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task resolving to the approve outcome.</returns>
Task<SecuredWriteActionResult> ApproveAsync(
long id, string? comment, CancellationToken cancellationToken = default);
/// <summary>
/// Rejects a pending secured write (Verifier action). The server enforces that the
/// rejecter differs from the submitter.
/// </summary>
/// <param name="id">Identity of the pending secured write.</param>
/// <param name="comment">Optional free-text comment supplied by the verifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task resolving to the reject outcome.</returns>
Task<SecuredWriteActionResult> RejectAsync(
long id, string? comment, CancellationToken cancellationToken = default);
/// <summary>
/// Lists secured writes, optionally filtered by <paramref name="status"/> and
/// <paramref name="siteId"/> (read-only — any authenticated user). On any failure
/// an empty list is returned so the page renders gracefully.
/// </summary>
/// <param name="status">Status filter; <c>null</c> matches every status.</param>
/// <param name="siteId">Site id filter; <c>null</c> matches every site.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task resolving to the matching rows, newest submission first.</returns>
Task<IReadOnlyList<SecuredWriteDto>> ListAsync(
string? status, string? siteId, CancellationToken cancellationToken = default);
}
src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/SecuredWriteService.cs
+184
View File
@@ -0,0 +1,184 @@
using System.Security.Claims;
using System.Text.Json;
using Akka.Actor;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.Extensions.Logging;
using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
using ZB.MOM.WW.ScadaBridge.ManagementService;
using ZB.MOM.WW.ScadaBridge.Security;
namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
/// <summary>
/// Default <see cref="ISecuredWriteService"/> implementation — a thin facade that
/// dispatches the secured-write management commands to the central
/// <c>ManagementActor</c> through the in-process <see cref="ManagementActorHolder"/>
/// (the same Ask seam the HTTP <c>/management</c> endpoint uses). The actor authorizes
/// the command against the supplied <see cref="AuthenticatedUser"/>, enforces
/// separation-of-duties, runs the MxGateway device relay on approve, and writes the
/// audit row — none of that is re-implemented here.
/// </summary>
/// <remarks>
/// The current Blazor principal is projected to an <see cref="AuthenticatedUser"/> so
/// the server's role gate and no-self-approval guard run against the real identity.
/// The three management response shapes plus any transport fault collapse into a typed
/// <see cref="SecuredWriteActionResult"/> (or an empty list for queries) so the page can
/// render inline outcomes without try/catch noise.
/// </remarks>
public sealed class SecuredWriteService : ISecuredWriteService
{
/// <summary>
/// camelCase + ignore-cycles, matching <c>ManagementActor.SerializeResult</c>'s
/// options. <see cref="ManagementSuccess.JsonData"/> is produced with those settings,
/// so the deserializer must mirror them to bind every property.
/// </summary>
private static readonly JsonSerializerOptions ResultDeserializerOptions = new()
{
PropertyNameCaseInsensitive = true,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
private static readonly TimeSpan AskTimeout = TimeSpan.FromSeconds(30);
private readonly ManagementActorHolder _holder;
private readonly AuthenticationStateProvider _auth;
private readonly ILogger<SecuredWriteService> _logger;
/// <summary>
/// Initializes a new instance of the <see cref="SecuredWriteService"/>.
/// </summary>
/// <param name="holder">Holder for the central <c>ManagementActor</c> reference.</param>
/// <param name="auth">Authentication state provider used to project the current principal.</param>
/// <param name="logger">Logger instance.</param>
public SecuredWriteService(
ManagementActorHolder holder,
AuthenticationStateProvider auth,
ILogger<SecuredWriteService> logger)
{
_holder = holder ?? throw new ArgumentNullException(nameof(holder));
_auth = auth ?? throw new ArgumentNullException(nameof(auth));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <inheritdoc/>
public Task<SecuredWriteActionResult> SubmitAsync(
string siteId, string connectionName, string tagPath, string valueJson,
string valueType, string? comment, CancellationToken cancellationToken = default)
=> DispatchAsync(
new SubmitSecuredWriteCommand(siteId, connectionName, tagPath, valueJson, valueType, comment),
cancellationToken);
/// <inheritdoc/>
public Task<SecuredWriteActionResult> ApproveAsync(
long id, string? comment, CancellationToken cancellationToken = default)
=> DispatchAsync(new ApproveSecuredWriteCommand(id, comment), cancellationToken);
/// <inheritdoc/>
public Task<SecuredWriteActionResult> RejectAsync(
long id, string? comment, CancellationToken cancellationToken = default)
=> DispatchAsync(new RejectSecuredWriteCommand(id, comment), cancellationToken);
/// <inheritdoc/>
public async Task<IReadOnlyList<SecuredWriteDto>> ListAsync(
string? status, string? siteId, CancellationToken cancellationToken = default)
{
var response = await SendAsync(new ListSecuredWritesCommand(status, siteId), cancellationToken);
if (response is ManagementSuccess success)
{
var result = JsonSerializer.Deserialize<SecuredWriteListResult>(
success.JsonData, ResultDeserializerOptions);
return result?.Items ?? Array.Empty<SecuredWriteDto>();
}
// Read path: log + return empty so the queue/history tables render gracefully.
_logger.LogWarning(
"ListSecuredWrites failed: {Response}", DescribeFailure(response));
return Array.Empty<SecuredWriteDto>();
}
/// <summary>
/// Dispatches a single mutating command and maps the response (or any fault) to a
/// typed <see cref="SecuredWriteActionResult"/>.
/// </summary>
private async Task<SecuredWriteActionResult> DispatchAsync(
object command, CancellationToken cancellationToken)
{
var response = await SendAsync(command, cancellationToken);
switch (response)
{
case ManagementSuccess success:
var dto = JsonSerializer.Deserialize<SecuredWriteDto>(
success.JsonData, ResultDeserializerOptions);
return dto is null
? SecuredWriteActionResult.Fail("The server returned an unreadable result.")
: SecuredWriteActionResult.Ok(dto);
case ManagementUnauthorized unauthorized:
return SecuredWriteActionResult.Fail(unauthorized.Message);
case ManagementError error:
return SecuredWriteActionResult.Fail(error.Error);
default:
return SecuredWriteActionResult.Fail(DescribeFailure(response));
}
}
/// <summary>
/// Wraps <paramref name="command"/> in a <see cref="ManagementEnvelope"/> for the
/// current principal and Asks the <c>ManagementActor</c>. Transport faults (timeout,
/// actor not yet started, cancellation→propagated) become a synthetic
/// <see cref="ManagementError"/> so callers handle one response shape.
/// </summary>
private async Task<object> SendAsync(object command, CancellationToken cancellationToken)
{
var actor = _holder.ActorRef;
if (actor is null)
{
return new ManagementError(
string.Empty, "Management service is not ready.", "SERVICE_UNAVAILABLE");
}
var user = await BuildAuthenticatedUserAsync();
var envelope = new ManagementEnvelope(user, command, Guid.NewGuid().ToString("N"));
try
{
return await actor.Ask<object>(envelope, AskTimeout, cancellationToken);
}
catch (OperationCanceledException)
{
// Caller-initiated cancel (e.g. circuit teardown) — propagate cleanly.
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, "ManagementActor Ask failed for {Command}", command.GetType().Name);
return new ManagementError(string.Empty, ex.Message, "TRANSPORT_ERROR");
}
}
/// <summary>
/// Projects the current Blazor <see cref="ClaimsPrincipal"/> to the
/// <see cref="AuthenticatedUser"/> the actor authorizes against — username,
/// display name, role claims, and the permitted-site scope claims (mirrors the
/// claim set the HTTP endpoint constructs).
/// </summary>
private async Task<AuthenticatedUser> BuildAuthenticatedUserAsync()
{
var state = await _auth.GetAuthenticationStateAsync();
var principal = state.User;
var username = principal.FindFirst(JwtTokenService.UsernameClaimType)?.Value ?? "unknown";
var displayName = principal.FindFirst(JwtTokenService.DisplayNameClaimType)?.Value ?? username;
var roles = principal.FindAll(JwtTokenService.RoleClaimType).Select(c => c.Value).ToArray();
var permittedSiteIds = principal.FindAll(JwtTokenService.SiteIdClaimType).Select(c => c.Value).ToArray();
return new AuthenticatedUser(username, displayName, roles, permittedSiteIds);
}
/// <summary>Renders a fallback description for an unexpected/failure response.</summary>
private static string DescribeFailure(object response) => response switch
{
ManagementUnauthorized unauthorized => unauthorized.Message,
ManagementError error => error.Error,
_ => "Unexpected response from the management service."
};
}
src/ZB.MOM.WW.ScadaBridge.CentralUI/ZB.MOM.WW.ScadaBridge.CentralUI.csproj
+4
View File
@@ -31,6 +31,10 @@
<ProjectReference Include="../ZB.MOM.WW.ScadaBridge.KpiHistory/ZB.MOM.WW.ScadaBridge.KpiHistory.csproj" />
<ProjectReference Include="../ZB.MOM.WW.ScadaBridge.Communication/ZB.MOM.WW.ScadaBridge.Communication.csproj" />
<ProjectReference Include="../ZB.MOM.WW.ScadaBridge.Transport/ZB.MOM.WW.ScadaBridge.Transport.csproj" />
<!-- Secured Writes (M7 T14b / C5): the SecuredWriteService dispatches the secured-write
management commands to the central ManagementActor via the in-process
ManagementActorHolder seam (the same Ask path the HTTP /management endpoint uses). -->
<ProjectReference Include="../ZB.MOM.WW.ScadaBridge.ManagementService/ZB.MOM.WW.ScadaBridge.ManagementService.csproj" />
</ItemGroup>
</Project>
tests/ZB.MOM.WW.ScadaBridge.CentralUI.Tests/Components/SecuredWritesTests.cs
+266
View File
@@ -0,0 +1,266 @@
using System.Security.Claims;
using Bunit;
using Microsoft.AspNetCore.Authorization;
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.Extensions.DependencyInjection;
using NSubstitute;
using ZB.MOM.WW.ScadaBridge.CentralUI.Components.Shared;
using ZB.MOM.WW.ScadaBridge.CentralUI.Services;
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Sites;
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories;
using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
using ZB.MOM.WW.ScadaBridge.Security;
using SecuredWritesPage = ZB.MOM.WW.ScadaBridge.CentralUI.Components.Pages.Operations.SecuredWrites;
namespace ZB.MOM.WW.ScadaBridge.CentralUI.Tests.Components;
/// <summary>
/// bUnit rendering + interaction tests for the Secured Writes page (M7 T14b / C5).
/// The page is the UI for the two-person MxGateway write workflow: an Operator submits,
/// a different Verifier approves/rejects, and everyone sees the history. The page only
/// SUBMITS commands through <see cref="ISecuredWriteService"/> — the server enforces
/// roles, the no-self-approval guard, the device relay, and the audit trail — so these
/// tests substitute the service and assert the page wires the inputs/actions correctly.
/// The real policies are registered so the per-region <c>AuthorizeView Policy=...</c>
/// blocks are genuinely evaluated against the test principal's role claims.
/// </summary>
public class SecuredWritesTests : BunitContext
{
private readonly ISecuredWriteService _service = Substitute.For<ISecuredWriteService>();
private readonly ISiteRepository _siteRepo = Substitute.For<ISiteRepository>();
private readonly IDialogService _dialog = Substitute.For<IDialogService>();
public SecuredWritesTests()
{
Services.AddSingleton(_service);
Services.AddSingleton(_siteRepo);
Services.AddSingleton(_dialog);
// Confirm dialogs resolve to "yes" without a DialogHost in the render scope.
_dialog.ConfirmAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<bool>())
.Returns(Task.FromResult(true));
// Empty list by default; individual tests seed the queue/history.
_service.ListAsync(Arg.Any<string?>(), Arg.Any<string?>(), Arg.Any<CancellationToken>())
.Returns(Task.FromResult<IReadOnlyList<SecuredWriteDto>>(Array.Empty<SecuredWriteDto>()));
}
/// <summary>
/// Registers the real authorization stack + a principal with the given username and
/// roles so the page's <c>AuthorizeView Policy=...</c> regions evaluate genuinely.
/// </summary>
private void AddAuth(string username, params string[] roles)
{
var claims = new List<Claim> { new(JwtTokenService.UsernameClaimType, username) };
claims.AddRange(roles.Select(r => new Claim(JwtTokenService.RoleClaimType, r)));
var user = new ClaimsPrincipal(new ClaimsIdentity(claims, "TestAuth"));
Services.AddSingleton<AuthenticationStateProvider>(new TestAuthStateProvider(user));
Services.AddAuthorizationCore();
AuthorizationPolicies.AddScadaBridgeAuthorization(Services);
// BunitContext pre-registers a placeholder IAuthorizationService that throws on
// policy evaluation; force the real one so the regions are actually gated.
Services.AddSingleton<IAuthorizationService, DefaultAuthorizationService>();
}
private void SeedSites(params Site[] sites)
{
_siteRepo.GetAllSitesAsync(Arg.Any<CancellationToken>())
.Returns(Task.FromResult<IReadOnlyList<Site>>(sites.ToList()));
foreach (var site in sites)
{
_siteRepo.GetDataConnectionsBySiteIdAsync(site.Id, Arg.Any<CancellationToken>())
.Returns(Task.FromResult<IReadOnlyList<DataConnection>>(Array.Empty<DataConnection>()));
}
}
private void SeedConnections(int siteId, params DataConnection[] connections)
=> _siteRepo.GetDataConnectionsBySiteIdAsync(siteId, Arg.Any<CancellationToken>())
.Returns(Task.FromResult<IReadOnlyList<DataConnection>>(connections.ToList()));
/// <summary>
/// Renders the page inside a <see cref="CascadingAuthenticationState"/> so its
/// <c>AuthorizeView</c> regions have the cascading <c>Task&lt;AuthenticationState&gt;</c>
/// they require (mirrors the NavMenu tests).
/// </summary>
private IRenderedComponent<SecuredWritesPage> RenderPage()
{
var host = Render<CascadingAuthenticationState>(parameters => parameters
.Add(p => p.ChildContent, (RenderFragment)(builder =>
{
builder.OpenComponent<SecuredWritesPage>(0);
builder.CloseComponent();
})));
return host.FindComponent<SecuredWritesPage>();
}
private static SecuredWriteDto Dto(
long id, string status, string operatorUser,
string? verifier = null, string? executionError = null,
string siteId = "plant-a", string connection = "GW-1", string tag = "Pump.Setpoint",
string valueJson = "true", string valueType = "Boolean") =>
new(id, siteId, connection, tag, valueJson, valueType, status, operatorUser,
OperatorComment: null, SubmittedAtUtc: DateTime.UtcNow,
VerifierUser: verifier, VerifierComment: null,
DecidedAtUtc: status == "Pending" ? null : DateTime.UtcNow,
ExecutedAtUtc: status is "Executed" or "Failed" ? DateTime.UtcNow : null,
ExecutionError: executionError);
// ── (a) Operator: submit form present + Submit calls SubmitAsync with the values ──
[Fact]
public void Operator_SeesSubmitForm()
{
AddAuth("op-user", Roles.Operator);
SeedSites(new Site("Plant-A", "plant-a") { Id = 1 });
var cut = RenderPage();
cut.WaitForAssertion(() =>
{
Assert.NotNull(cut.Find("[data-test='secured-write-submit-region']"));
Assert.NotNull(cut.Find("[data-test='secured-write-submit']"));
});
}
[Fact]
public void Operator_Submit_CallsServiceWithEnteredValues()
{
AddAuth("op-user", Roles.Operator);
SeedSites(new Site("Plant-A", "plant-a") { Id = 1 });
SeedConnections(1, new DataConnection("GW-1", "MxGateway", 1) { Id = 10 });
_service.SubmitAsync(
Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string>(),
Arg.Any<string>(), Arg.Any<string>(), Arg.Any<string?>(), Arg.Any<CancellationToken>())
.Returns(Task.FromResult(SecuredWriteActionResult.Ok(Dto(1, "Pending", "op-user"))));
var cut = RenderPage();
cut.Find("[data-test='secured-write-site']").Change("plant-a");
cut.Find("[data-test='secured-write-connection']").Change("GW-1");
cut.Find("[data-test='secured-write-tagpath']").Change("Pump.Setpoint");
cut.Find("[data-test='secured-write-value']").Change("true");
cut.Find("[data-test='secured-write-datatype']").Change("Boolean");
cut.Find("[data-test='secured-write-comment']").Change("routine setpoint");
cut.Find("[data-test='secured-write-submit']").Click();
_service.Received(1).SubmitAsync(
"plant-a", "GW-1", "Pump.Setpoint", "true", "Boolean", "routine setpoint",
Arg.Any<CancellationToken>());
}
// ── (b) Verifier: pending row renders with Approve/Reject; own-row actions disabled ──
[Fact]
public void Verifier_PendingRow_HasEnabledActions_ForOtherOperatorsRow()
{
AddAuth("verifier-user", Roles.Verifier);
SeedSites(new Site("Plant-A", "plant-a") { Id = 1 });
_service.ListAsync(Arg.Any<string?>(), Arg.Any<string?>(), Arg.Any<CancellationToken>())
.Returns(Task.FromResult<IReadOnlyList<SecuredWriteDto>>(
new[] { Dto(1, "Pending", "someone-else") }));
var cut = RenderPage();
cut.WaitForAssertion(() =>
{
Assert.NotNull(cut.Find("[data-test='secured-write-pending-region']"));
var approve = cut.Find("[data-test='secured-write-approve']");
var reject = cut.Find("[data-test='secured-write-reject']");
Assert.False(approve.HasAttribute("disabled"));
Assert.False(reject.HasAttribute("disabled"));
});
}
[Fact]
public void Verifier_OwnSubmission_HasApproveAndRejectDisabled()
{
// DisableLogin dev caveat: one identity holds both roles; the page must still
// disable approve/reject on a row the current user submitted (server enforces
// this too, but the UI surfaces it up front).
AddAuth("self", Roles.Operator, Roles.Verifier);
SeedSites(new Site("Plant-A", "plant-a") { Id = 1 });
_service.ListAsync(Arg.Any<string?>(), Arg.Any<string?>(), Arg.Any<CancellationToken>())
.Returns(Task.FromResult<IReadOnlyList<SecuredWriteDto>>(
new[] { Dto(1, "Pending", "self") }));
var cut = RenderPage();
cut.WaitForAssertion(() =>
{
var approve = cut.Find("[data-test='secured-write-approve']");
var reject = cut.Find("[data-test='secured-write-reject']");
Assert.True(approve.HasAttribute("disabled"));
Assert.True(reject.HasAttribute("disabled"));
Assert.NotNull(cut.Find("[data-test='secured-write-own-note']"));
});
}
[Fact]
public void Verifier_Approve_CallsApproveAsync()
{
AddAuth("verifier-user", Roles.Verifier);
SeedSites(new Site("Plant-A", "plant-a") { Id = 1 });
_service.ListAsync(Arg.Any<string?>(), Arg.Any<string?>(), Arg.Any<CancellationToken>())
.Returns(Task.FromResult<IReadOnlyList<SecuredWriteDto>>(
new[] { Dto(7, "Pending", "someone-else") }));
_service.ApproveAsync(Arg.Any<long>(), Arg.Any<string?>(), Arg.Any<CancellationToken>())
.Returns(Task.FromResult(SecuredWriteActionResult.Ok(Dto(7, "Executed", "someone-else", "verifier-user"))));
var cut = RenderPage();
cut.Find("[data-test='secured-write-approve']").Click();
_service.Received(1).ApproveAsync(7, Arg.Any<string?>(), Arg.Any<CancellationToken>());
}
// ── (c) History: terminal rows render ──
[Fact]
public void History_RendersTerminalRows()
{
AddAuth("viewer", Roles.Viewer);
SeedSites(new Site("Plant-A", "plant-a") { Id = 1 });
_service.ListAsync(Arg.Any<string?>(), Arg.Any<string?>(), Arg.Any<CancellationToken>())
.Returns(Task.FromResult<IReadOnlyList<SecuredWriteDto>>(new[]
{
Dto(1, "Executed", "op-a", "ver-a", tag: "Pump.Setpoint"),
Dto(2, "Rejected", "op-b", "ver-b", tag: "Valve.Cmd"),
Dto(3, "Failed", "op-c", "ver-c", executionError: "device timeout", tag: "Motor.Run"),
Dto(4, "Pending", "op-d", tag: "ShouldNotAppear"),
}));
var cut = RenderPage();
cut.WaitForAssertion(() =>
{
Assert.NotNull(cut.Find("[data-test='secured-write-history-region']"));
var rows = cut.FindAll("[data-test='secured-write-history-row']");
// Three terminal rows (Executed/Rejected/Failed); the Pending row is excluded.
Assert.Equal(3, rows.Count);
Assert.Contains("Executed", cut.Markup);
Assert.Contains("Rejected", cut.Markup);
Assert.Contains("device timeout", cut.Markup);
Assert.DoesNotContain("ShouldNotAppear", cut.Markup);
});
}
[Fact]
public void Viewer_DoesNotSeeOperatorOrVerifierRegions()
{
AddAuth("viewer", Roles.Viewer);
SeedSites(new Site("Plant-A", "plant-a") { Id = 1 });
var cut = RenderPage();
cut.WaitForAssertion(() =>
{
Assert.Empty(cut.FindAll("[data-test='secured-write-submit-region']"));
Assert.Empty(cut.FindAll("[data-test='secured-write-pending-region']"));
// History is visible to any authenticated user.
Assert.NotNull(cut.Find("[data-test='secured-write-history-region']"));
});
}
}