feat(secrets): mount /admin/secrets + register secrets authz in CentralUI (ScadaBridge G-6 T7)
This commit is contained in:
@@ -18,6 +18,7 @@
|
|||||||
<NavRailItem Href="/admin/ldap-mappings" Text="LDAP Mappings" />
|
<NavRailItem Href="/admin/ldap-mappings" Text="LDAP Mappings" />
|
||||||
<NavRailItem Href="/admin/sites" Text="Sites" />
|
<NavRailItem Href="/admin/sites" Text="Sites" />
|
||||||
<NavRailItem Href="/admin/api-keys" Text="API Keys" />
|
<NavRailItem Href="/admin/api-keys" Text="API Keys" />
|
||||||
|
<NavRailItem Href="/admin/secrets" Text="Secrets" />
|
||||||
@* Import Bundle requires Administrator only — Designer role is not sufficient.
|
@* Import Bundle requires Administrator only — Designer role is not sufficient.
|
||||||
Export Bundle lives in the Design section (RequireDesign). *@
|
Export Bundle lives in the Design section (RequireDesign). *@
|
||||||
<NavRailItem Href="/design/transport/import" Text="Import Bundle" />
|
<NavRailItem Href="/design/transport/import" Text="Import Bundle" />
|
||||||
|
|||||||
@@ -25,7 +25,9 @@ public static class EndpointExtensions
|
|||||||
|
|
||||||
endpoints.MapRazorComponents<TApp>()
|
endpoints.MapRazorComponents<TApp>()
|
||||||
.AddInteractiveServerRenderMode()
|
.AddInteractiveServerRenderMode()
|
||||||
.AddAdditionalAssemblies(typeof(MainLayout).Assembly);
|
.AddAdditionalAssemblies(
|
||||||
|
typeof(MainLayout).Assembly,
|
||||||
|
typeof(ZB.MOM.WW.Secrets.Ui.SecretsPage).Assembly);
|
||||||
|
|
||||||
return endpoints;
|
return endpoints;
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -19,6 +19,7 @@
|
|||||||
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.Scripting" />
|
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.Scripting" />
|
||||||
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.Workspaces" />
|
<PackageReference Include="Microsoft.CodeAnalysis.CSharp.Workspaces" />
|
||||||
<PackageReference Include="ZB.MOM.WW.Theme" />
|
<PackageReference Include="ZB.MOM.WW.Theme" />
|
||||||
|
<PackageReference Include="ZB.MOM.WW.Secrets.Ui" />
|
||||||
</ItemGroup>
|
</ItemGroup>
|
||||||
|
|
||||||
<ItemGroup>
|
<ItemGroup>
|
||||||
|
|||||||
@@ -1,6 +1,6 @@
|
|||||||
<CascadingAuthenticationState>
|
<CascadingAuthenticationState>
|
||||||
<Router AppAssembly="typeof(Routes).Assembly"
|
<Router AppAssembly="typeof(Routes).Assembly"
|
||||||
AdditionalAssemblies="new[] { typeof(ZB.MOM.WW.ScadaBridge.CentralUI.Components.Layout.MainLayout).Assembly }">
|
AdditionalAssemblies="new[] { typeof(ZB.MOM.WW.ScadaBridge.CentralUI.Components.Layout.MainLayout).Assembly, typeof(ZB.MOM.WW.Secrets.Ui.SecretsPage).Assembly }">
|
||||||
<Found Context="routeData">
|
<Found Context="routeData">
|
||||||
<AuthorizeRouteView RouteData="routeData" DefaultLayout="typeof(ZB.MOM.WW.ScadaBridge.CentralUI.Components.Layout.MainLayout)">
|
<AuthorizeRouteView RouteData="routeData" DefaultLayout="typeof(ZB.MOM.WW.ScadaBridge.CentralUI.Components.Layout.MainLayout)">
|
||||||
<NotAuthorized>
|
<NotAuthorized>
|
||||||
|
|||||||
@@ -1,3 +1,4 @@
|
|||||||
|
using Microsoft.AspNetCore.Authorization;
|
||||||
using Microsoft.Extensions.DependencyInjection;
|
using Microsoft.Extensions.DependencyInjection;
|
||||||
using Microsoft.Extensions.DependencyInjection.Extensions;
|
using Microsoft.Extensions.DependencyInjection.Extensions;
|
||||||
using Microsoft.Extensions.Options;
|
using Microsoft.Extensions.Options;
|
||||||
@@ -31,6 +32,7 @@ using ZB.MOM.WW.Secrets.Abstractions;
|
|||||||
using ZB.MOM.WW.Secrets.Configuration;
|
using ZB.MOM.WW.Secrets.Configuration;
|
||||||
using ZB.MOM.WW.Secrets.DependencyInjection;
|
using ZB.MOM.WW.Secrets.DependencyInjection;
|
||||||
using ZB.MOM.WW.Secrets.Sqlite;
|
using ZB.MOM.WW.Secrets.Sqlite;
|
||||||
|
using ZB.MOM.WW.Secrets.Ui;
|
||||||
using ZB.MOM.WW.Telemetry;
|
using ZB.MOM.WW.Telemetry;
|
||||||
using Serilog;
|
using Serilog;
|
||||||
|
|
||||||
@@ -178,6 +180,14 @@ try
|
|||||||
builder.Services.AddSecurity(disableLogin);
|
builder.Services.AddSecurity(disableLogin);
|
||||||
builder.Services.AddCentralUI();
|
builder.Services.AddCentralUI();
|
||||||
builder.Services.AddZbSecrets(builder.Configuration, "Secrets");
|
builder.Services.AddZbSecrets(builder.Configuration, "Secrets");
|
||||||
|
// Secrets UI authorization: adds the named policies secrets:manage + secrets:reveal
|
||||||
|
// (role-based) consumed by the /admin/secrets page. AddSecretsAuthorization only ADDS
|
||||||
|
// these two policies via Configure<AuthorizationOptions> — it composes additively with
|
||||||
|
// AddScadaBridgeAuthorization (invoked inside AddSecurity above) without clobbering.
|
||||||
|
// The library's AdminRole ("Administrator") satisfies both policies, and ScadaBridge
|
||||||
|
// builds identities with RoleClaimType = ZbClaimTypes.Role, so an Administrator is
|
||||||
|
// authorized for both manage + reveal. Done Host-side to keep Secrets.Ui out of Security.
|
||||||
|
builder.Services.Configure<AuthorizationOptions>(o => o.AddSecretsAuthorization());
|
||||||
builder.Services.AddInboundAPI();
|
builder.Services.AddInboundAPI();
|
||||||
|
|
||||||
// Inbound-API auth re-arch: the shared ZB.MOM.WW.Auth.ApiKeys verifier +
|
// Inbound-API auth re-arch: the shared ZB.MOM.WW.Auth.ApiKeys verifier +
|
||||||
|
|||||||
@@ -0,0 +1,92 @@
|
|||||||
|
using System.Security.Claims;
|
||||||
|
using Microsoft.AspNetCore.Authorization;
|
||||||
|
using Microsoft.Extensions.DependencyInjection;
|
||||||
|
using ZB.MOM.WW.ScadaBridge.Security;
|
||||||
|
using ZB.MOM.WW.Secrets.Ui;
|
||||||
|
|
||||||
|
namespace ZB.MOM.WW.ScadaBridge.Host.Tests;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// G-6 (Task 7) offline behavioral proof: composing the Secrets.Ui authorization
|
||||||
|
/// (<c>Configure<AuthorizationOptions>(o => o.AddSecretsAuthorization())</c>) on top of
|
||||||
|
/// ScadaBridge's own <see cref="AuthorizationPolicies.AddScadaBridgeAuthorization"/> yields the
|
||||||
|
/// two named policies <c>secrets:manage</c> + <c>secrets:reveal</c>, and — because ScadaBridge
|
||||||
|
/// builds identities with <c>RoleClaimType = ZbClaimTypes.Role</c> and the library's admin role is
|
||||||
|
/// literally <c>"Administrator"</c> — an <c>Administrator</c> principal is authorized for BOTH,
|
||||||
|
/// while a non-admin / anonymous principal is denied BOTH. This is the offline evidence for the
|
||||||
|
/// Task-6 "no app-specific policy remap needed" decision, exercised against the real
|
||||||
|
/// <see cref="IAuthorizationService"/> rather than mere registration.
|
||||||
|
/// </summary>
|
||||||
|
public class SecretsAuthorizationTests
|
||||||
|
{
|
||||||
|
private const string ManagePolicy = "secrets:manage";
|
||||||
|
private const string RevealPolicy = "secrets:reveal";
|
||||||
|
|
||||||
|
private static IServiceProvider BuildProvider()
|
||||||
|
{
|
||||||
|
var services = new ServiceCollection();
|
||||||
|
services.AddLogging();
|
||||||
|
// Mirror the Central composition: ScadaBridge's own authorization first
|
||||||
|
// (registers the core authorization services + ScadaBridge policies via
|
||||||
|
// AddAuthorization), then the additive Secrets.Ui policy configuration.
|
||||||
|
services.AddScadaBridgeAuthorization();
|
||||||
|
services.Configure<AuthorizationOptions>(o => o.AddSecretsAuthorization());
|
||||||
|
return services.BuildServiceProvider();
|
||||||
|
}
|
||||||
|
|
||||||
|
private static ClaimsPrincipal PrincipalWithRole(string role)
|
||||||
|
{
|
||||||
|
// Build the identity EXACTLY as ScadaBridge does: role claims under
|
||||||
|
// JwtTokenService.RoleClaimType (== ZbClaimTypes.Role == ClaimTypes.Role) and
|
||||||
|
// roleType set to the same, so IsInRole (used by the library's RequireRole) resolves.
|
||||||
|
var identity = new ClaimsIdentity(
|
||||||
|
new[] { new Claim(JwtTokenService.RoleClaimType, role) },
|
||||||
|
authenticationType: "Test",
|
||||||
|
nameType: JwtTokenService.UsernameClaimType,
|
||||||
|
roleType: JwtTokenService.RoleClaimType);
|
||||||
|
return new ClaimsPrincipal(identity);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public async Task BothSecretsPolicies_AreRegistered()
|
||||||
|
{
|
||||||
|
var provider = BuildProvider();
|
||||||
|
var policyProvider = provider.GetRequiredService<IAuthorizationPolicyProvider>();
|
||||||
|
|
||||||
|
Assert.NotNull(await policyProvider.GetPolicyAsync(ManagePolicy));
|
||||||
|
Assert.NotNull(await policyProvider.GetPolicyAsync(RevealPolicy));
|
||||||
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public async Task Administrator_IsAuthorized_ForBothManageAndReveal()
|
||||||
|
{
|
||||||
|
var provider = BuildProvider();
|
||||||
|
var authService = provider.GetRequiredService<IAuthorizationService>();
|
||||||
|
var admin = PrincipalWithRole(Roles.Administrator);
|
||||||
|
|
||||||
|
Assert.True((await authService.AuthorizeAsync(admin, ManagePolicy)).Succeeded);
|
||||||
|
Assert.True((await authService.AuthorizeAsync(admin, RevealPolicy)).Succeeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public async Task NonAdministratorRole_IsDenied_ForBothManageAndReveal()
|
||||||
|
{
|
||||||
|
var provider = BuildProvider();
|
||||||
|
var authService = provider.GetRequiredService<IAuthorizationService>();
|
||||||
|
var viewer = PrincipalWithRole(Roles.Viewer);
|
||||||
|
|
||||||
|
Assert.False((await authService.AuthorizeAsync(viewer, ManagePolicy)).Succeeded);
|
||||||
|
Assert.False((await authService.AuthorizeAsync(viewer, RevealPolicy)).Succeeded);
|
||||||
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public async Task AnonymousPrincipal_IsDenied_ForBothManageAndReveal()
|
||||||
|
{
|
||||||
|
var provider = BuildProvider();
|
||||||
|
var authService = provider.GetRequiredService<IAuthorizationService>();
|
||||||
|
var anonymous = new ClaimsPrincipal(new ClaimsIdentity());
|
||||||
|
|
||||||
|
Assert.False((await authService.AuthorizeAsync(anonymous, ManagePolicy)).Succeeded);
|
||||||
|
Assert.False((await authService.AuthorizeAsync(anonymous, RevealPolicy)).Succeeded);
|
||||||
|
}
|
||||||
|
}
|
||||||
Reference in New Issue
Block a user