feat(centralui): cert-management UI + Trust action + site relay (T17)

src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/CertManagementService.cs

@@ -0,0 +1,148 @@
+using Microsoft.AspNetCore.Components.Authorization;
+using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
+using ZB.MOM.WW.ScadaBridge.Communication;
+using ZB.MOM.WW.ScadaBridge.Security;
+
+namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
+
+/// <summary>
+/// Default <see cref="ICertManagementService"/> implementation — a thin facade over
+/// the three <see cref="CommunicationService"/> cert-trust relay methods that enforces
+/// the CentralUI-side role trust boundary (Decision D7: Trust + Remove require
+/// <c>Administrator</c>, List requires <c>Designer</c>), and translates transport
+/// exceptions into a typed <see cref="CertTrustResult"/>.
+/// </summary>
+/// <remarks>
+/// Site-side actors (<c>SiteCommunicationActor</c> + <c>DeploymentManagerActor</c>) do
+/// not unwrap the central trust envelope, so the role check MUST run here — never on
+/// the site (mirrors <see cref="BrowseService"/> and <see cref="EndpointVerificationService"/>).
+/// On an unauthorized caller the method returns a non-success
+/// <see cref="CertTrustResult"/> with <c>"Not authorized."</c> rather than throwing;
+/// transport failures (timeouts, unreachable sites) collapse into a non-success result
+/// so the editor / page can render an inline outcome.
+/// </remarks>
+public sealed class CertManagementService : ICertManagementService
+{
+    private readonly CommunicationService _communication;
+    private readonly AuthenticationStateProvider _auth;
+
+    /// <summary>
+    /// Initializes a new instance of the <see cref="CertManagementService"/>.
+    /// </summary>
+    /// <param name="communication">Central-side cluster communication service.</param>
+    /// <param name="auth">Authentication state provider used for the role guards.</param>
+    public CertManagementService(CommunicationService communication, AuthenticationStateProvider auth)
+    {
+        _communication = communication ?? throw new ArgumentNullException(nameof(communication));
+        _auth = auth ?? throw new ArgumentNullException(nameof(auth));
+    }
+
+    /// <inheritdoc/>
+    public async Task<CertTrustResult> TrustAsync(
+        string siteIdentifier,
+        string connectionName,
+        string derBase64,
+        string thumbprint,
+        CancellationToken cancellationToken = default)
+    {
+        // D7: trusting a server certificate mutates every site node's PKI store, so
+        // it is an Administrator-only action. The site does not enforce envelope-level
+        // roles, so this check must happen here before any cross-cluster traffic.
+        if (!await HasRoleAsync(Roles.Administrator))
+        {
+            return new CertTrustResult(false, "Not authorized.", null);
+        }
+
+        try
+        {
+            return await _communication.TrustServerCertAsync(
+                siteIdentifier,
+                new TrustServerCertCommand(connectionName, derBase64, thumbprint),
+                cancellationToken);
+        }
+        catch (TimeoutException ex)
+        {
+            return new CertTrustResult(false, ex.Message, null);
+        }
+        catch (OperationCanceledException)
+        {
+            // Caller-initiated cancel — propagate so Blazor can drop the response
+            // cleanly. Distinct from Timeout (which the UI renders inline).
+            throw;
+        }
+        catch (Exception ex)
+        {
+            return new CertTrustResult(false, ex.Message, null);
+        }
+    }
+
+    /// <inheritdoc/>
+    public async Task<CertTrustResult> ListAsync(
+        string siteIdentifier,
+        CancellationToken cancellationToken = default)
+    {
+        // D7: listing trusted certs is read-only, so the lower Designer bar applies
+        // (an Administrator also satisfies this because admins hold every role claim
+        // by convention). Same CentralUI-side guard rationale as TrustAsync.
+        if (!await HasRoleAsync(Roles.Designer))
+        {
+            return new CertTrustResult(false, "Not authorized.", null);
+        }
+
+        try
+        {
+            return await _communication.ListServerCertsAsync(
+                siteIdentifier, new ListServerCertsCommand(), cancellationToken);
+        }
+        catch (TimeoutException ex)
+        {
+            return new CertTrustResult(false, ex.Message, null);
+        }
+        catch (OperationCanceledException)
+        {
+            throw;
+        }
+        catch (Exception ex)
+        {
+            return new CertTrustResult(false, ex.Message, null);
+        }
+    }
+
+    /// <inheritdoc/>
+    public async Task<CertTrustResult> RemoveAsync(
+        string siteIdentifier,
+        string thumbprint,
+        CancellationToken cancellationToken = default)
+    {
+        // D7: removing trust mutates every site node's PKI store, so it is an
+        // Administrator-only action — same gate as TrustAsync.
+        if (!await HasRoleAsync(Roles.Administrator))
+        {
+            return new CertTrustResult(false, "Not authorized.", null);
+        }
+
+        try
+        {
+            return await _communication.RemoveServerCertAsync(
+                siteIdentifier, new RemoveServerCertCommand(thumbprint), cancellationToken);
+        }
+        catch (TimeoutException ex)
+        {
+            return new CertTrustResult(false, ex.Message, null);
+        }
+        catch (OperationCanceledException)
+        {
+            throw;
+        }
+        catch (Exception ex)
+        {
+            return new CertTrustResult(false, ex.Message, null);
+        }
+    }
+
+    private async Task<bool> HasRoleAsync(string role)
+    {
+        var state = await _auth.GetAuthenticationStateAsync();
+        return state.User.HasClaim(JwtTokenService.RoleClaimType, role);
+    }
+}

src/ZB.MOM.WW.ScadaBridge.CentralUI/Services/ICertManagementService.cs

@@ -0,0 +1,74 @@
+using ZB.MOM.WW.ScadaBridge.Commons.Messages.Management;
+
+namespace ZB.MOM.WW.ScadaBridge.CentralUI.Services;
+
+/// <summary>
+/// CentralUI facade over the central-to-site OPC UA server-certificate trust
+/// commands (T17 / D6). Backs the "Trust certificate" affordance on the OPC UA
+/// endpoint editor and the dedicated connection-certificates management page: it
+/// forwards <see cref="TrustServerCertCommand"/> / <see cref="ListServerCertsCommand"/>
+/// / <see cref="RemoveServerCertCommand"/> to the owning site via
+/// <see cref="ZB.MOM.WW.ScadaBridge.Communication.CommunicationService"/>, which routes
+/// them to the site Deployment Manager singleton.
+/// </summary>
+/// <remarks>
+/// The service is the trust boundary for the cert-management capability: site-side
+/// actors do not unwrap the central trust envelope, so the role check MUST run here
+/// before any cross-cluster traffic is generated (mirrors <see cref="IBrowseService"/>
+/// and <see cref="IEndpointVerificationService"/>). Per Decision D7: Trust + Remove
+/// require the <c>Administrator</c> role; List requires the <c>Designer</c> role.
+/// Transport failures (timeouts, unreachable sites) are translated into a typed
+/// <see cref="CertTrustResult"/> so callers can render an inline outcome rather than
+/// throwing.
+///
+/// <para>
+/// The trusted-peer store is NODE-WIDE per site node (not per connection); a
+/// trust/remove decision is broadcast by the site Deployment Manager to every site
+/// node's <c>CertStoreActor</c>, and a list answers from the singleton's own node.
+/// </para>
+/// </remarks>
+public interface ICertManagementService
+{
+    /// <summary>
+    /// Trusts an OPC UA server certificate at every node of the owning site
+    /// (Administrator-gated). The captured DER bytes are written into each node's
+    /// trusted-peer PKI store under the thumbprint filename key.
+    /// </summary>
+    /// <param name="siteIdentifier">The target site identifier (the machine-readable <c>SiteIdentifier</c> used in Akka addresses, NOT the numeric primary key).</param>
+    /// <param name="connectionName">The data connection the certificate was captured from (diagnostics / correlation only).</param>
+    /// <param name="derBase64">The server certificate's DER encoding, base64-encoded.</param>
+    /// <param name="thumbprint">The certificate thumbprint — used as the store filename key.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>A task that resolves to a <see cref="CertTrustResult"/> — success, or a classified failure (unauthorized / timeout / transport error).</returns>
+    Task<CertTrustResult> TrustAsync(
+        string siteIdentifier,
+        string connectionName,
+        string derBase64,
+        string thumbprint,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Lists the certificates currently present in the owning site's trusted-peer
+    /// and rejected PKI stores (Designer-gated). Answered from the site Deployment
+    /// Manager singleton's own node.
+    /// </summary>
+    /// <param name="siteIdentifier">The target site identifier.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>A task that resolves to a <see cref="CertTrustResult"/> carrying the listed certificates on success.</returns>
+    Task<CertTrustResult> ListAsync(
+        string siteIdentifier,
+        CancellationToken cancellationToken = default);
+
+    /// <summary>
+    /// Removes a previously-trusted OPC UA server certificate from every node of
+    /// the owning site (Administrator-gated), identified by thumbprint.
+    /// </summary>
+    /// <param name="siteIdentifier">The target site identifier.</param>
+    /// <param name="thumbprint">The thumbprint of the certificate to remove.</param>
+    /// <param name="cancellationToken">Cancellation token.</param>
+    /// <returns>A task that resolves to a <see cref="CertTrustResult"/> — success, or a classified failure.</returns>
+    Task<CertTrustResult> RemoveAsync(
+        string siteIdentifier,
+        string thumbprint,
+        CancellationToken cancellationToken = default);
+}