dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(centralui): cert-management UI + Trust action + site relay (T17)

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-18 03:53:32 -04:00
parent 2d139442ba
commit 384204b71a
12 changed files with 858 additions and 13 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/ZB.MOM.WW.ScadaBridge.CentralUI/Components/Forms/OpcUaEndpointEditor.razor
+91 -4
View File
@@ -3,7 +3,9 @@
@using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management
@using ZB.MOM.WW.ScadaBridge.Commons.Types.DataConnections
@using ZB.MOM.WW.ScadaBridge.Commons.Types.Flattening
@using ZB.MOM.WW.ScadaBridge.Security
@inject IEndpointVerificationService VerificationService
@inject ICertManagementService CertManagementService
<div class="opcua-endpoint-editor">
<h6 class="text-muted border-bottom pb-1">@Title</h6>
@@ -91,9 +93,44 @@
<dt class="col-sm-3">Not after</dt>
<dd class="col-sm-9">@cert.NotAfterUtc.ToString("u")</dd>
</dl>
<div class="text-muted fst-italic">
Use cert management to trust this certificate.
</div>
<AuthorizeView Policy="@AuthorizationPolicies.RequireAdmin">
<Authorized>
<button type="button" class="btn btn-outline-warning btn-sm mt-1"
data-test="trust-cert-btn"
disabled="@_trusting"
@onclick="() => TrustCert(cert)">
@if (_trusting)
{
<span class="spinner-border spinner-border-sm me-1" role="status" aria-hidden="true"></span>
<span>Trusting…</span>
}
else
{
<span>Trust certificate</span>
}
</button>
<div class="text-muted fst-italic mt-1">
Trusting adds this certificate to every node of the site's
trusted-peer store (node-wide), then re-runs Verify.
</div>
</Authorized>
<NotAuthorized>
<div class="text-muted fst-italic">
An Administrator must trust this certificate (cert management).
</div>
</NotAuthorized>
</AuthorizeView>
@if (_trustError is { } trustError)
{
<div class="text-danger small mt-1" data-test="trust-cert-error">@trustError</div>
}
@if (_trustSucceeded)
{
<div class="text-success small mt-1" data-test="trust-cert-success">
&#10003; Certificate trusted.
</div>
}
</div>
}
}
@@ -322,11 +359,25 @@
private bool _verifying;
private VerifyEndpointResult? _verifyResult;
private bool _trusting;
private bool _trustSucceeded;
private string? _trustError;
private async Task VerifyEndpoint()
private Task VerifyEndpoint() => VerifyEndpoint(clearTrustNotes: true);
private async Task VerifyEndpoint(bool clearTrustNotes)
{
_verifying = true;
_verifyResult = null;
// A fresh (user-initiated) verify supersedes any prior trust outcome — clear
// the inline notes so a stale "trusted" / error banner doesn't linger across
// probes. The trust-triggered re-verify keeps the success note so the operator
// still sees confirmation even if the re-probe also surfaces a (different) cert.
if (clearTrustNotes)
{
_trustSucceeded = false;
_trustError = null;
}
try
{
_verifyResult = await VerificationService.VerifyAsync(
@@ -343,6 +394,42 @@
}
}
// M7 T17: trust the captured untrusted server certificate at every node of the
// owning site, then re-run Verify (which should now succeed and clear the cert
// panel). Administrator-gated by the AuthorizeView wrapping the button; the
// CertManagementService enforces the same role server-side-of-the-trust-boundary.
private async Task TrustCert(ServerCertInfo cert)
{
_trusting = true;
_trustError = null;
_trustSucceeded = false;
try
{
var result = await CertManagementService.TrustAsync(
SiteIdentifier, ConnectionName, cert.DerBase64, cert.Thumbprint);
if (result.Success)
{
_trustSucceeded = true;
// Re-run Verify so the editor reflects the now-trusted state (and
// clears the cert panel on the expected success). Preserve the
// success note (clearTrustNotes:false) so confirmation is shown.
await VerifyEndpoint(clearTrustNotes: false);
}
else
{
_trustError = result.Error ?? "Failed to trust certificate.";
}
}
catch (Exception ex)
{
_trustError = ex.Message;
}
finally
{
_trusting = false;
}
}
private void EnableHeartbeat() =>
Config.Heartbeat = new OpcUaHeartbeatConfig();
src/ZB.MOM.WW.ScadaBridge.CentralUI/Components/Pages/Design/ConnectionCertificates.razor
+183
View File
@@ -0,0 +1,183 @@
@page "/design/connections/{Id:int}/certificates"
@using ZB.MOM.WW.ScadaBridge.Security
@using ZB.MOM.WW.ScadaBridge.Commons.Entities.Sites
@using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories
@using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management
@using ZB.MOM.WW.ScadaBridge.CentralUI.Services
@attribute [Authorize(Policy = AuthorizationPolicies.RequireAdmin)]
@inject ISiteRepository SiteRepository
@inject ICertManagementService CertManagementService
@inject NavigationManager NavigationManager
<div class="container-fluid mt-3" data-test="connection-certificates">
<div class="d-flex align-items-center mb-3">
<button class="btn btn-outline-secondary btn-sm me-3" @onclick="GoBack">&larr; Back</button>
<h4 class="mb-0">Server Certificates@(string.IsNullOrEmpty(_connectionName) ? "" : $" — {_connectionName}")</h4>
</div>
<div class="alert alert-info py-2 small">
The trusted-peer certificate store is <strong>node-wide for the site</strong>
(shared by every site node), not per data connection. Trusting or removing a
certificate affects all OPC UA connections at this site.
</div>
@if (_loading)
{
<LoadingSpinner IsLoading="true" />
}
else if (_loadError is { } loadError)
{
<div class="text-danger small" data-test="cert-load-error">@loadError</div>
}
else
{
@if (_actionError is { } actionError)
{
<div class="text-danger small mb-2" data-test="cert-action-error">@actionError</div>
}
@if (_certs.Count == 0)
{
<div class="text-muted small" data-test="cert-empty">
No certificates are present in this site's trusted-peer or rejected stores.
</div>
}
else
{
<table class="table table-sm table-hover align-middle">
<thead>
<tr>
<th>Subject</th>
<th>Issuer</th>
<th>Thumbprint</th>
<th>Not before</th>
<th>Not after</th>
<th>Status</th>
<th></th>
</tr>
</thead>
<tbody>
@foreach (var cert in _certs)
{
<tr data-test="cert-row">
<td class="small"><code>@cert.Subject</code></td>
<td class="small"><code>@cert.Issuer</code></td>
<td class="small"><code>@cert.Thumbprint</code></td>
<td class="small">@cert.NotBeforeUtc.ToString("u")</td>
<td class="small">@cert.NotAfterUtc.ToString("u")</td>
<td class="small">
@if (cert.Rejected)
{
<span class="badge bg-warning text-dark">Rejected</span>
}
else
{
<span class="badge bg-success">Trusted</span>
}
</td>
<td class="text-end">
<button type="button" class="btn btn-outline-danger btn-sm"
data-test="cert-remove-btn"
disabled="@_removing"
@onclick="() => RemoveCert(cert.Thumbprint)">
Remove
</button>
</td>
</tr>
}
</tbody>
</table>
}
}
</div>
@code {
[Parameter] public int Id { get; set; }
private bool _loading = true;
private bool _removing;
private string? _loadError;
private string? _actionError;
private string _connectionName = string.Empty;
private string _siteIdentifier = string.Empty;
private IReadOnlyList<TrustedCertInfo> _certs = Array.Empty<TrustedCertInfo>();
protected override async Task OnInitializedAsync()
{
try
{
// Resolve the connection's owning site so the cert relay targets the
// right site (the trusted-peer store is node-wide PER SITE node).
var connection = await SiteRepository.GetDataConnectionByIdAsync(Id);
if (connection is null)
{
_loadError = $"Data connection {Id} not found.";
return;
}
_connectionName = connection.Name;
var site = await SiteRepository.GetSiteByIdAsync(connection.SiteId);
if (site is null)
{
_loadError = $"Site {connection.SiteId} not found.";
return;
}
_siteIdentifier = site.SiteIdentifier;
await LoadCertsAsync();
}
catch (Exception ex)
{
_loadError = $"Failed to load: {ex.Message}";
}
finally
{
_loading = false;
}
}
private async Task LoadCertsAsync()
{
var result = await CertManagementService.ListAsync(_siteIdentifier);
if (result.Success)
{
_certs = result.Certs ?? Array.Empty<TrustedCertInfo>();
_loadError = null;
}
else
{
_loadError = result.Error ?? "Failed to list certificates.";
}
}
private async Task RemoveCert(string thumbprint)
{
_removing = true;
_actionError = null;
try
{
var result = await CertManagementService.RemoveAsync(_siteIdentifier, thumbprint);
if (result.Success)
{
// Re-list so the table reflects the removal (the store is node-wide,
// so the authoritative list comes back from the site, not local state).
await LoadCertsAsync();
}
else
{
_actionError = result.Error ?? "Failed to remove certificate.";
}
}
catch (Exception ex)
{
_actionError = ex.Message;
}
finally
{
_removing = false;
}
}
private void GoBack() =>
NavigationManager.NavigateTo($"/design/connections/{Id}/edit");
}
src/ZB.MOM.WW.ScadaBridge.CentralUI/Components/Pages/Design/DataConnectionForm.razor
+15
View File
@@ -72,6 +72,21 @@
<input type="text" class="form-control form-control-sm" @bind="_formName" />
</div>
@if (Id.HasValue && _protocol == "OpcUa")
{
<div class="mb-2">
<a class="btn btn-outline-secondary btn-sm"
data-test="manage-certificates-link"
href="@($"/design/connections/{Id}/certificates")">
Manage certificates
</a>
<div class="form-text">
View, trust, and remove OPC UA server certificates in the
site's node-wide trusted-peer store.
</div>
</div>
}
<h6 class="text-muted mt-3">Primary endpoint</h6>
@if (_protocol == "MxGateway")
{
src/ZB.MOM.WW.ScadaBridge.CentralUI/ServiceCollectionExtensions.cs
+8
View File
@@ -78,6 +78,14 @@ public static class ServiceCollectionExtensions
// on the OPC UA endpoint editor (read-only connect probe, never trusts certs).
services.AddScoped<IEndpointVerificationService, EndpointVerificationService>();
// OPC UA Cert Management (M7 T17 / D6): facade over the three
// CommunicationService cert-trust relay methods. Enforces the CentralUI-side
// role trust boundary (D7: Trust + Remove require Administrator, List requires
// Designer) and translates transport failures into typed CertTrustResults.
// Backs the "Trust certificate" button on the OPC UA endpoint editor and the
// connection-certificates management page (node-wide site PKI store).
services.AddScoped<ICertManagementService, CertManagementService>();
// Test Bindings: facade over CommunicationService.ReadTagValuesAsync —
// same Design-role guard + typed-failure translation as the browse
// service. Backs the Test Bindings dialog on the Configure Instance
src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/CertManagementService.cs
+148
View File
@@ -0,0 +1,148 @@
using Microsoft.AspNetCore.Components.Authorization;
using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
using ZB.MOM.WW.ScadaBridge.Communication;
using ZB.MOM.WW.ScadaBridge.Security;
namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
/// <summary>
/// Default <see cref="ICertManagementService"/> implementation — a thin facade over
/// the three <see cref="CommunicationService"/> cert-trust relay methods that enforces
/// the CentralUI-side role trust boundary (Decision D7: Trust + Remove require
/// <c>Administrator</c>, List requires <c>Designer</c>), and translates transport
/// exceptions into a typed <see cref="CertTrustResult"/>.
/// </summary>
/// <remarks>
/// Site-side actors (<c>SiteCommunicationActor</c> + <c>DeploymentManagerActor</c>) do
/// not unwrap the central trust envelope, so the role check MUST run here — never on
/// the site (mirrors <see cref="BrowseService"/> and <see cref="EndpointVerificationService"/>).
/// On an unauthorized caller the method returns a non-success
/// <see cref="CertTrustResult"/> with <c>"Not authorized."</c> rather than throwing;
/// transport failures (timeouts, unreachable sites) collapse into a non-success result
/// so the editor / page can render an inline outcome.
/// </remarks>
public sealed class CertManagementService : ICertManagementService
{
private readonly CommunicationService _communication;
private readonly AuthenticationStateProvider _auth;
/// <summary>
/// Initializes a new instance of the <see cref="CertManagementService"/>.
/// </summary>
/// <param name="communication">Central-side cluster communication service.</param>
/// <param name="auth">Authentication state provider used for the role guards.</param>
public CertManagementService(CommunicationService communication, AuthenticationStateProvider auth)
{
_communication = communication ?? throw new ArgumentNullException(nameof(communication));
_auth = auth ?? throw new ArgumentNullException(nameof(auth));
}
/// <inheritdoc/>
public async Task<CertTrustResult> TrustAsync(
string siteIdentifier,
string connectionName,
string derBase64,
string thumbprint,
CancellationToken cancellationToken = default)
{
// D7: trusting a server certificate mutates every site node's PKI store, so
// it is an Administrator-only action. The site does not enforce envelope-level
// roles, so this check must happen here before any cross-cluster traffic.
if (!await HasRoleAsync(Roles.Administrator))
{
return new CertTrustResult(false, "Not authorized.", null);
}
try
{
return await _communication.TrustServerCertAsync(
siteIdentifier,
new TrustServerCertCommand(connectionName, derBase64, thumbprint),
cancellationToken);
}
catch (TimeoutException ex)
{
return new CertTrustResult(false, ex.Message, null);
}
catch (OperationCanceledException)
{
// Caller-initiated cancel — propagate so Blazor can drop the response
// cleanly. Distinct from Timeout (which the UI renders inline).
throw;
}
catch (Exception ex)
{
return new CertTrustResult(false, ex.Message, null);
}
}
/// <inheritdoc/>
public async Task<CertTrustResult> ListAsync(
string siteIdentifier,
CancellationToken cancellationToken = default)
{
// D7: listing trusted certs is read-only, so the lower Designer bar applies
// (an Administrator also satisfies this because admins hold every role claim
// by convention). Same CentralUI-side guard rationale as TrustAsync.
if (!await HasRoleAsync(Roles.Designer))
{
return new CertTrustResult(false, "Not authorized.", null);
}
try
{
return await _communication.ListServerCertsAsync(
siteIdentifier, new ListServerCertsCommand(), cancellationToken);
}
catch (TimeoutException ex)
{
return new CertTrustResult(false, ex.Message, null);
}
catch (OperationCanceledException)
{
throw;
}
catch (Exception ex)
{
return new CertTrustResult(false, ex.Message, null);
}
}
/// <inheritdoc/>
public async Task<CertTrustResult> RemoveAsync(
string siteIdentifier,
string thumbprint,
CancellationToken cancellationToken = default)
{
// D7: removing trust mutates every site node's PKI store, so it is an
// Administrator-only action — same gate as TrustAsync.
if (!await HasRoleAsync(Roles.Administrator))
{
return new CertTrustResult(false, "Not authorized.", null);
}
try
{
return await _communication.RemoveServerCertAsync(
siteIdentifier, new RemoveServerCertCommand(thumbprint), cancellationToken);
}
catch (TimeoutException ex)
{
return new CertTrustResult(false, ex.Message, null);
}
catch (OperationCanceledException)
{
throw;
}
catch (Exception ex)
{
return new CertTrustResult(false, ex.Message, null);
}
}
private async Task<bool> HasRoleAsync(string role)
{
var state = await _auth.GetAuthenticationStateAsync();
return state.User.HasClaim(JwtTokenService.RoleClaimType, role);
}
}
src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/ICertManagementService.cs
+74
View File
@@ -0,0 +1,74 @@
using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
/// <summary>
/// CentralUI facade over the central-to-site OPC UA server-certificate trust
/// commands (T17 / D6). Backs the "Trust certificate" affordance on the OPC UA
/// endpoint editor and the dedicated connection-certificates management page: it
/// forwards <see cref="TrustServerCertCommand"/> / <see cref="ListServerCertsCommand"/>
/// / <see cref="RemoveServerCertCommand"/> to the owning site via
/// <see cref="ZB.MOM.WW.ScadaBridge.Communication.CommunicationService"/>, which routes
/// them to the site Deployment Manager singleton.
/// </summary>
/// <remarks>
/// The service is the trust boundary for the cert-management capability: site-side
/// actors do not unwrap the central trust envelope, so the role check MUST run here
/// before any cross-cluster traffic is generated (mirrors <see cref="IBrowseService"/>
/// and <see cref="IEndpointVerificationService"/>). Per Decision D7: Trust + Remove
/// require the <c>Administrator</c> role; List requires the <c>Designer</c> role.
/// Transport failures (timeouts, unreachable sites) are translated into a typed
/// <see cref="CertTrustResult"/> so callers can render an inline outcome rather than
/// throwing.
///
/// <para>
/// The trusted-peer store is NODE-WIDE per site node (not per connection); a
/// trust/remove decision is broadcast by the site Deployment Manager to every site
/// node's <c>CertStoreActor</c>, and a list answers from the singleton's own node.
/// </para>
/// </remarks>
public interface ICertManagementService
{
/// <summary>
/// Trusts an OPC UA server certificate at every node of the owning site
/// (Administrator-gated). The captured DER bytes are written into each node's
/// trusted-peer PKI store under the thumbprint filename key.
/// </summary>
/// <param name="siteIdentifier">The target site identifier (the machine-readable <c>SiteIdentifier</c> used in Akka addresses, NOT the numeric primary key).</param>
/// <param name="connectionName">The data connection the certificate was captured from (diagnostics / correlation only).</param>
/// <param name="derBase64">The server certificate's DER encoding, base64-encoded.</param>
/// <param name="thumbprint">The certificate thumbprint — used as the store filename key.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task that resolves to a <see cref="CertTrustResult"/> — success, or a classified failure (unauthorized / timeout / transport error).</returns>
Task<CertTrustResult> TrustAsync(
string siteIdentifier,
string connectionName,
string derBase64,
string thumbprint,
CancellationToken cancellationToken = default);
/// <summary>
/// Lists the certificates currently present in the owning site's trusted-peer
/// and rejected PKI stores (Designer-gated). Answered from the site Deployment
/// Manager singleton's own node.
/// </summary>
/// <param name="siteIdentifier">The target site identifier.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task that resolves to a <see cref="CertTrustResult"/> carrying the listed certificates on success.</returns>
Task<CertTrustResult> ListAsync(
string siteIdentifier,
CancellationToken cancellationToken = default);
/// <summary>
/// Removes a previously-trusted OPC UA server certificate from every node of
/// the owning site (Administrator-gated), identified by thumbprint.
/// </summary>
/// <param name="siteIdentifier">The target site identifier.</param>
/// <param name="thumbprint">The thumbprint of the certificate to remove.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>A task that resolves to a <see cref="CertTrustResult"/> — success, or a classified failure.</returns>
Task<CertTrustResult> RemoveAsync(
string siteIdentifier,
string thumbprint,
CancellationToken cancellationToken = default);
}
src/ZB.MOM.WW.ScadaBridge.Communication/Actors/SiteCommunicationActor.cs
+12
View File
@@ -161,6 +161,18 @@ public class SiteCommunicationActor : ReceiveActor, IWithTimers
// children holding the live OPC UA sessions.
Receive<ReadTagValuesCommand>(msg => _deploymentManagerProxy.Forward(msg));
// OPC UA server-certificate trust management (T17 / D6) — forward to the
// Deployment Manager singleton, which owns the cross-node trust broadcast.
// The trusted-peer PKI store is node-wide per site node, so a trust/remove
// decision must reach BOTH nodes' CertStoreActor; the singleton broadcasts
// to every site node (list answers from the singleton's own node). The
// singleton always lands on the active node, the same routing rationale as
// BrowseNodeCommand above. Forward preserves the central Ask sender so the
// CertTrustResult routes straight back to the waiting Ask.
Receive<TrustServerCertCommand>(msg => _deploymentManagerProxy.Forward(msg));
Receive<ListServerCertsCommand>(msg => _deploymentManagerProxy.Forward(msg));
Receive<RemoveServerCertCommand>(msg => _deploymentManagerProxy.Forward(msg));
// Pattern 7: Remote Queries
Receive<EventLogQueryRequest>(msg =>
{
src/ZB.MOM.WW.ScadaBridge.Communication/CommunicationService.cs
+67
View File
@@ -416,6 +416,73 @@ public class CommunicationService
envelope, _options.QueryTimeout, cancellationToken);
}
// ── OPC UA Server-Certificate Trust (T17 / D6 — node-wide site PKI store) ──
/// <summary>
/// Asks the owning site to trust an OPC UA server certificate at every site
/// node. Backs the CentralUI cert-management Trust action. The site Deployment
/// Manager singleton broadcasts the captured DER bytes to every site node's
/// <c>CertStoreActor</c>; the result reflects whether every reachable node
/// acked. The Ask is bounded by <see cref="CommunicationOptions.QueryTimeout"/>,
/// mirroring <see cref="BrowseNodeAsync"/> and the other interactive
/// design-time site queries.
/// </summary>
/// <param name="siteId">The target site identifier.</param>
/// <param name="command">The trust-server-cert command (connection name + DER + thumbprint).</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The cert-trust result (per-node aggregate success + first error).</returns>
public Task<CertTrustResult> TrustServerCertAsync(
string siteId,
TrustServerCertCommand command,
CancellationToken cancellationToken = default)
{
var envelope = new SiteEnvelope(siteId, command);
return GetActor().Ask<CertTrustResult>(
envelope, _options.QueryTimeout, cancellationToken);
}
/// <summary>
/// Asks the owning site to list the certificates in its trusted-peer and
/// rejected PKI stores. Backs the CentralUI cert-management list page. Answered
/// by the site Deployment Manager singleton from its own node (the store is
/// node-wide per site node). The Ask is bounded by
/// <see cref="CommunicationOptions.QueryTimeout"/>.
/// </summary>
/// <param name="siteId">The target site identifier.</param>
/// <param name="command">The list-server-certs command.</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The cert-trust result carrying the listed certificates on success.</returns>
public Task<CertTrustResult> ListServerCertsAsync(
string siteId,
ListServerCertsCommand command,
CancellationToken cancellationToken = default)
{
var envelope = new SiteEnvelope(siteId, command);
return GetActor().Ask<CertTrustResult>(
envelope, _options.QueryTimeout, cancellationToken);
}
/// <summary>
/// Asks the owning site to remove a previously-trusted OPC UA server
/// certificate from every site node, identified by thumbprint. Backs the
/// CentralUI cert-management Remove action. The site Deployment Manager
/// singleton broadcasts the removal to every site node's <c>CertStoreActor</c>.
/// The Ask is bounded by <see cref="CommunicationOptions.QueryTimeout"/>.
/// </summary>
/// <param name="siteId">The target site identifier.</param>
/// <param name="command">The remove-server-cert command (thumbprint).</param>
/// <param name="cancellationToken">Cancellation token.</param>
/// <returns>The cert-trust result (per-node aggregate success + first error).</returns>
public Task<CertTrustResult> RemoveServerCertAsync(
string siteId,
RemoveServerCertCommand command,
CancellationToken cancellationToken = default)
{
var envelope = new SiteEnvelope(siteId, command);
return GetActor().Ask<CertTrustResult>(
envelope, _options.QueryTimeout, cancellationToken);
}
// ── Test Bindings (one-shot live read of bound tags) ──
/// <summary>