dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(centralui): Secured Writes page — operator submit + verifier queue + history (T14b)

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-18 03:34:08 -04:00
parent b08bfae329
commit 1a7e735149
7 changed files with 972 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/ISecuredWriteService.cs
+104
View File
@@ -0,0 +1,104 @@
using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
/// <summary>
/// Outcome of a single secured-write command dispatch. Wraps either the resulting
/// <see cref="SecuredWriteDto"/> (on success) or a human-readable error, so the page
/// can render an inline result/toast rather than reasoning about transport exceptions
/// or the three management response shapes.
/// </summary>
/// <param name="Success">Whether the command succeeded.</param>
/// <param name="Dto">The resulting secured-write row when <paramref name="Success"/> is <c>true</c>; otherwise <c>null</c>.</param>
/// <param name="Error">A human-readable error message when <paramref name="Success"/> is <c>false</c>; otherwise <c>null</c>.</param>
public record SecuredWriteActionResult(bool Success, SecuredWriteDto? Dto, string? Error)
{
/// <summary>Creates a successful result wrapping <paramref name="dto"/>.</summary>
/// <param name="dto">The secured-write row the command produced.</param>
/// <returns>A successful <see cref="SecuredWriteActionResult"/>.</returns>
public static SecuredWriteActionResult Ok(SecuredWriteDto dto) => new(true, dto, null);
/// <summary>Creates a failed result carrying <paramref name="error"/>.</summary>
/// <param name="error">The human-readable failure message.</param>
/// <returns>A failed <see cref="SecuredWriteActionResult"/>.</returns>
public static SecuredWriteActionResult Fail(string error) => new(false, null, error);
}
/// <summary>
/// CentralUI facade over the two-person ("secured") write management commands
/// (M7 OPC UA / MxGateway UX, Task T14b — page C5). It dispatches the strongly-typed
/// <c>SubmitSecuredWriteCommand</c> / <c>ApproveSecuredWriteCommand</c> /
/// <c>RejectSecuredWriteCommand</c> / <c>ListSecuredWritesCommand</c> to the central
/// <c>ManagementActor</c> through the in-process <c>ManagementActorHolder</c> seam —
/// the SAME path the HTTP <c>/management</c> endpoint uses — so the server remains the
/// single enforcer of role gating, separation-of-duties (no self-approval), the actual
/// MxGateway device relay on approve, and the append-only audit trail.
/// </summary>
/// <remarks>
/// The page itself performs NO device I/O and re-implements NO security logic: every
/// mutation is a command submitted to the server. The current user's claims are mapped
/// to an <see cref="AuthenticatedUser"/> so the actor's role check and no-self-approval
/// guard run against the real principal. <c>ManagementUnauthorized</c> /
/// <c>ManagementError</c> / transport failures collapse into a typed
/// <see cref="SecuredWriteActionResult"/> so the page renders an inline outcome rather
/// than throwing.
/// </remarks>
public interface ISecuredWriteService
{
/// <summary>
/// Submits a new pending secured write (Operator action). The target connection
/// must exist within <paramref name="siteId"/> and use the MxGateway protocol —
/// both validated server-side.
/// </summary>
/// <param name="siteId">Site identifier the write targets.</param>
/// <param name="connectionName">MxGateway data connection name within the site.</param>
/// <param name="tagPath">Fully-qualified tag path the value is written to.</param>
/// <param name="valueJson">JSON-serialised value to write.</param>
/// <param name="valueType">Target data type name (e.g. <c>Boolean</c>, <c>Double</c>).</param>
/// <param name="comment">Optional free-text comment supplied by the operator.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task resolving to the submit outcome.</returns>
Task<SecuredWriteActionResult> SubmitAsync(
string siteId,
string connectionName,
string tagPath,
string valueJson,
string valueType,
string? comment,
CancellationToken cancellationToken = default);
/// <summary>
/// Approves (and triggers execution of) a pending secured write (Verifier action).
/// The server enforces that the approver differs from the submitter and runs the
/// device relay.
/// </summary>
/// <param name="id">Identity of the pending secured write.</param>
/// <param name="comment">Optional free-text comment supplied by the verifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task resolving to the approve outcome.</returns>
Task<SecuredWriteActionResult> ApproveAsync(
long id, string? comment, CancellationToken cancellationToken = default);
/// <summary>
/// Rejects a pending secured write (Verifier action). The server enforces that the
/// rejecter differs from the submitter.
/// </summary>
/// <param name="id">Identity of the pending secured write.</param>
/// <param name="comment">Optional free-text comment supplied by the verifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task resolving to the reject outcome.</returns>
Task<SecuredWriteActionResult> RejectAsync(
long id, string? comment, CancellationToken cancellationToken = default);
/// <summary>
/// Lists secured writes, optionally filtered by <paramref name="status"/> and
/// <paramref name="siteId"/> (read-only — any authenticated user). On any failure
/// an empty list is returned so the page renders gracefully.
/// </summary>
/// <param name="status">Status filter; <c>null</c> matches every status.</param>
/// <param name="siteId">Site id filter; <c>null</c> matches every site.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task resolving to the matching rows, newest submission first.</returns>
Task<IReadOnlyList<SecuredWriteDto>> ListAsync(
string? status, string? siteId, CancellationToken cancellationToken = default);
}
src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/SecuredWriteService.cs
+184
View File
@@ -0,0 +1,184 @@
using System.Security.Claims;
using System.Text.Json;
using Akka.Actor;
using Microsoft.AspNetCore.Components.Authorization;
using Microsoft.Extensions.Logging;
using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
using ZB.MOM.WW.ScadaBridge.ManagementService;
using ZB.MOM.WW.ScadaBridge.Security;
namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
/// <summary>
/// Default <see cref="ISecuredWriteService"/> implementation — a thin facade that
/// dispatches the secured-write management commands to the central
/// <c>ManagementActor</c> through the in-process <see cref="ManagementActorHolder"/>
/// (the same Ask seam the HTTP <c>/management</c> endpoint uses). The actor authorizes
/// the command against the supplied <see cref="AuthenticatedUser"/>, enforces
/// separation-of-duties, runs the MxGateway device relay on approve, and writes the
/// audit row — none of that is re-implemented here.
/// </summary>
/// <remarks>
/// The current Blazor principal is projected to an <see cref="AuthenticatedUser"/> so
/// the server's role gate and no-self-approval guard run against the real identity.
/// The three management response shapes plus any transport fault collapse into a typed
/// <see cref="SecuredWriteActionResult"/> (or an empty list for queries) so the page can
/// render inline outcomes without try/catch noise.
/// </remarks>
public sealed class SecuredWriteService : ISecuredWriteService
{
/// <summary>
/// camelCase + ignore-cycles, matching <c>ManagementActor.SerializeResult</c>'s
/// options. <see cref="ManagementSuccess.JsonData"/> is produced with those settings,
/// so the deserializer must mirror them to bind every property.
/// </summary>
private static readonly JsonSerializerOptions ResultDeserializerOptions = new()
{
PropertyNameCaseInsensitive = true,
PropertyNamingPolicy = JsonNamingPolicy.CamelCase
};
private static readonly TimeSpan AskTimeout = TimeSpan.FromSeconds(30);
private readonly ManagementActorHolder _holder;
private readonly AuthenticationStateProvider _auth;
private readonly ILogger<SecuredWriteService> _logger;
/// <summary>
/// Initializes a new instance of the <see cref="SecuredWriteService"/>.
/// </summary>
/// <param name="holder">Holder for the central <c>ManagementActor</c> reference.</param>
/// <param name="auth">Authentication state provider used to project the current principal.</param>
/// <param name="logger">Logger instance.</param>
public SecuredWriteService(
ManagementActorHolder holder,
AuthenticationStateProvider auth,
ILogger<SecuredWriteService> logger)
{
_holder = holder ?? throw new ArgumentNullException(nameof(holder));
_auth = auth ?? throw new ArgumentNullException(nameof(auth));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
/// <inheritdoc/>
public Task<SecuredWriteActionResult> SubmitAsync(
string siteId, string connectionName, string tagPath, string valueJson,
string valueType, string? comment, CancellationToken cancellationToken = default)
=> DispatchAsync(
new SubmitSecuredWriteCommand(siteId, connectionName, tagPath, valueJson, valueType, comment),
cancellationToken);
/// <inheritdoc/>
public Task<SecuredWriteActionResult> ApproveAsync(
long id, string? comment, CancellationToken cancellationToken = default)
=> DispatchAsync(new ApproveSecuredWriteCommand(id, comment), cancellationToken);
/// <inheritdoc/>
public Task<SecuredWriteActionResult> RejectAsync(
long id, string? comment, CancellationToken cancellationToken = default)
=> DispatchAsync(new RejectSecuredWriteCommand(id, comment), cancellationToken);
/// <inheritdoc/>
public async Task<IReadOnlyList<SecuredWriteDto>> ListAsync(
string? status, string? siteId, CancellationToken cancellationToken = default)
{
var response = await SendAsync(new ListSecuredWritesCommand(status, siteId), cancellationToken);
if (response is ManagementSuccess success)
{
var result = JsonSerializer.Deserialize<SecuredWriteListResult>(
success.JsonData, ResultDeserializerOptions);
return result?.Items ?? Array.Empty<SecuredWriteDto>();
}
// Read path: log + return empty so the queue/history tables render gracefully.
_logger.LogWarning(
"ListSecuredWrites failed: {Response}", DescribeFailure(response));
return Array.Empty<SecuredWriteDto>();
}
/// <summary>
/// Dispatches a single mutating command and maps the response (or any fault) to a
/// typed <see cref="SecuredWriteActionResult"/>.
/// </summary>
private async Task<SecuredWriteActionResult> DispatchAsync(
object command, CancellationToken cancellationToken)
{
var response = await SendAsync(command, cancellationToken);
switch (response)
{
case ManagementSuccess success:
var dto = JsonSerializer.Deserialize<SecuredWriteDto>(
success.JsonData, ResultDeserializerOptions);
return dto is null
? SecuredWriteActionResult.Fail("The server returned an unreadable result.")
: SecuredWriteActionResult.Ok(dto);
case ManagementUnauthorized unauthorized:
return SecuredWriteActionResult.Fail(unauthorized.Message);
case ManagementError error:
return SecuredWriteActionResult.Fail(error.Error);
default:
return SecuredWriteActionResult.Fail(DescribeFailure(response));
}
}
/// <summary>
/// Wraps <paramref name="command"/> in a <see cref="ManagementEnvelope"/> for the
/// current principal and Asks the <c>ManagementActor</c>. Transport faults (timeout,
/// actor not yet started, cancellation→propagated) become a synthetic
/// <see cref="ManagementError"/> so callers handle one response shape.
/// </summary>
private async Task<object> SendAsync(object command, CancellationToken cancellationToken)
{
var actor = _holder.ActorRef;
if (actor is null)
{
return new ManagementError(
string.Empty, "Management service is not ready.", "SERVICE_UNAVAILABLE");
}
var user = await BuildAuthenticatedUserAsync();
var envelope = new ManagementEnvelope(user, command, Guid.NewGuid().ToString("N"));
try
{
return await actor.Ask<object>(envelope, AskTimeout, cancellationToken);
}
catch (OperationCanceledException)
{
// Caller-initiated cancel (e.g. circuit teardown) — propagate cleanly.
throw;
}
catch (Exception ex)
{
_logger.LogError(ex, "ManagementActor Ask failed for {Command}", command.GetType().Name);
return new ManagementError(string.Empty, ex.Message, "TRANSPORT_ERROR");
}
}
/// <summary>
/// Projects the current Blazor <see cref="ClaimsPrincipal"/> to the
/// <see cref="AuthenticatedUser"/> the actor authorizes against — username,
/// display name, role claims, and the permitted-site scope claims (mirrors the
/// claim set the HTTP endpoint constructs).
/// </summary>
private async Task<AuthenticatedUser> BuildAuthenticatedUserAsync()
{
var state = await _auth.GetAuthenticationStateAsync();
var principal = state.User;
var username = principal.FindFirst(JwtTokenService.UsernameClaimType)?.Value ?? "unknown";
var displayName = principal.FindFirst(JwtTokenService.DisplayNameClaimType)?.Value ?? username;
var roles = principal.FindAll(JwtTokenService.RoleClaimType).Select(c => c.Value).ToArray();
var permittedSiteIds = principal.FindAll(JwtTokenService.SiteIdClaimType).Select(c => c.Value).ToArray();
return new AuthenticatedUser(username, displayName, roles, permittedSiteIds);
}
/// <summary>Renders a fallback description for an unexpected/failure response.</summary>
private static string DescribeFailure(object response) => response switch
{
ManagementUnauthorized unauthorized => unauthorized.Message,
ManagementError error => error.Error,
_ => "Unexpected response from the management service."
};
}