fix(auth): move AddZbLdapAuth to Host composition root so component-lib AddSecurity() drops IConfiguration param (satisfy OptionsTests arch rule; fix pre-existing ac34dac red); behaviour-preserving

2026-06-02 03:50:16 -04:00
parent 7e25efa790
commit 55099b19f6
3 changed files with 55 additions and 34 deletions
@@ -1,4 +1,5 @@
 using ZB.MOM.WW.Auth.ApiKeys.DependencyInjection;
+using ZB.MOM.WW.Auth.AspNetCore;
 using ZB.MOM.WW.Health;
 using ZB.MOM.WW.Health.Akka;
 using ZB.MOM.WW.Health.EntityFrameworkCore;
@@ -104,7 +105,16 @@ try
        builder.Services.AddSiteCallAudit();
        builder.Services.AddTemplateEngine();
        builder.Services.AddDeploymentManager();
-        builder.Services.AddSecurity(builder.Configuration);
+        // Host is the composition root and owns config-coupled wiring: register the
+        // shared LDAP auth (binds LdapOptions + IValidateOptions<LdapOptions> with
+        // ValidateOnStart + ILdapAuthService singleton) here, then AddSecurity() for the
+        // config-free remainder. AddSecurity is a component library and takes no
+        // IConfiguration (Options pattern only). Behaviour-preserving: identical
+        // registrations to the previous AddSecurity(builder.Configuration) call.
+        builder.Services.AddZbLdapAuth(
+            builder.Configuration,
+            ZB.MOM.WW.ScadaBridge.Security.ServiceCollectionExtensions.LdapSectionPath);
+        builder.Services.AddSecurity();
        builder.Services.AddCentralUI();
        builder.Services.AddInboundAPI();

@@ -1,5 +1,4 @@
 using Microsoft.AspNetCore.Authentication.Cookies;
-using Microsoft.Extensions.Configuration;
 using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
@@ -15,29 +14,37 @@ public static class ServiceCollectionExtensions
    /// under the existing <c>ScadaBridge:Security</c> section as a <c>Ldap</c> sub-section
    /// (Task 1.4 config rename) so the non-LDAP <see cref="SecurityOptions"/> fields stay
    /// where they are while the LDAP connection settings bind to the shared library.
+    /// The Host composition root references this constant to register the shared LDAP
+    /// auth (<c>AddZbLdapAuth</c>) before calling <see cref="AddSecurity"/>.
    /// </summary>
    public const string LdapSectionPath = "ScadaBridge:Security:Ldap";

    /// <summary>
-    /// Registers LDAP authentication (shared <c>ZB.MOM.WW.Auth.Ldap</c>), JWT token service,
-    /// role mapper, cookie authentication, and authorization policies.
+    /// Registers the JWT token service, role mapper, cookie authentication, and
+    /// authorization policies. This is a component library and therefore takes no
+    /// <c>IConfiguration</c> (Options pattern only).
    /// </summary>
+    /// <remarks>
+    /// LDAP authentication (shared <c>ZB.MOM.WW.Auth.Ldap</c> via <c>AddZbLdapAuth</c>) is
+    /// registered by the Host composition root — which calls <c>AddZbLdapAuth</c> with the
+    /// nested <see cref="LdapSectionPath"/> <em>before</em> this method — because that
+    /// registration is config-coupled (it binds <c>LdapOptions</c> from
+    /// <c>IConfiguration</c>) and component libraries must not accept <c>IConfiguration</c>.
+    /// </remarks>
    /// <param name="services">The service collection to register into.</param>
-    /// <param name="configuration">
-    /// Application configuration, read for the nested <see cref="LdapSectionPath"/> LDAP
-    /// options bound + validated by <c>AddZbLdapAuth</c>.
-    /// </param>
-    public static IServiceCollection AddSecurity(this IServiceCollection services, IConfiguration configuration)
+    public static IServiceCollection AddSecurity(this IServiceCollection services)
    {
-        // Task 1.2 cutover: replace ScadaBridge's bespoke LdapAuthService with the shared
-        // ZB.MOM.WW.Auth.Ldap implementation (ScadaBridge was the donor for its hardened
-        // bind-then-search / escaping / fail-closed semantics, so this is a behaviour-
-        // equivalent re-point). AddZbLdapAuth binds LdapOptions from the nested Ldap
-        // sub-section, registers IValidateOptions<LdapOptions> with ValidateOnStart (so a
-        // misconfigured directory fails fast at boot — superseding the old
-        // SecurityOptionsValidator LDAP checks), and registers ILdapAuthService as a
-        // stateless singleton.
-        services.AddZbLdapAuth(configuration, LdapSectionPath);
+        // Task 1.2 cutover: ScadaBridge's bespoke LdapAuthService was replaced by the
+        // shared ZB.MOM.WW.Auth.Ldap implementation (ScadaBridge was the donor for its
+        // hardened bind-then-search / escaping / fail-closed semantics, so this was a
+        // behaviour-equivalent re-point). That registration — AddZbLdapAuth, which binds
+        // LdapOptions from the nested Ldap sub-section, registers IValidateOptions<LdapOptions>
+        // with ValidateOnStart (so a misconfigured directory fails fast at boot —
+        // superseding the old SecurityOptionsValidator LDAP checks), and registers
+        // ILdapAuthService as a stateless singleton — now lives at the Host composition
+        // root (which calls AddZbLdapAuth(configuration, LdapSectionPath) immediately
+        // before AddSecurity()), because it is config-coupled and this is a component
+        // library.

        services.AddScoped<JwtTokenService>();
        services.AddScoped<RoleMapper>();
@@ -6,6 +6,7 @@ using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Logging.Abstractions;
 using Microsoft.Extensions.Options;
 using ZB.MOM.WW.Auth.Abstractions.Ldap;
+using ZB.MOM.WW.Auth.AspNetCore;
 using ZB.MOM.WW.Auth.Ldap;
 using ZB.MOM.WW.ScadaBridge.Commons.Entities.Security;
 using ZB.MOM.WW.ScadaBridge.Commons.Entities.Sites;
@@ -441,7 +442,7 @@ public class SecurityReviewRegressionTests
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddDataProtection();
-        services.AddSecurity(EmptyConfig());
+        services.AddSecurity();

        using var provider = services.BuildServiceProvider();
        var cookieOptions = provider
@@ -454,16 +455,6 @@ public class SecurityReviewRegressionTests
        Assert.True(cookieOptions.Cookie.HttpOnly);
    }

-    /// <summary>
-    /// Task 1.2: an empty <see cref="Microsoft.Extensions.Configuration.IConfiguration"/>
-    /// for <c>AddSecurity(config)</c>. The cookie PostConfigure under test reads only the
-    /// non-LDAP <see cref="SecurityOptions"/> fields (idle timeout / HTTPS-cookie policy),
-    /// and the library's <c>LdapOptions</c> ValidateOnStart only fires at host start (not on
-    /// <c>BuildServiceProvider</c>), so no LDAP config is needed to resolve the cookie wiring.
-    /// </summary>
-    private static Microsoft.Extensions.Configuration.IConfiguration EmptyConfig() =>
-        new Microsoft.Extensions.Configuration.ConfigurationBuilder().Build();
-
    // --- CentralUI-005: cookie auth must use a sliding session window ---
    // Documented policy (CLAUDE.md Security & Auth): sliding refresh with a
    // 30-minute idle timeout. The cookie middleware must enable SlidingExpiration
@@ -475,7 +466,7 @@ public class SecurityReviewRegressionTests
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddDataProtection();
-        services.AddSecurity(EmptyConfig());
+        services.AddSecurity();

        using var provider = services.BuildServiceProvider();
        var cookieOptions = provider
@@ -491,7 +482,7 @@ public class SecurityReviewRegressionTests
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddDataProtection();
-        services.AddSecurity(EmptyConfig());
+        services.AddSecurity();
        // The idle timeout drives the cookie's expiry window.
        services.Configure<SecurityOptions>(o => o.IdleTimeoutMinutes = 30);

@@ -509,7 +500,7 @@ public class SecurityReviewRegressionTests
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddDataProtection();
-        services.AddSecurity(EmptyConfig());
+        services.AddSecurity();
        services.Configure<SecurityOptions>(o => o.IdleTimeoutMinutes = 45);

        using var provider = services.BuildServiceProvider();
@@ -1179,14 +1170,27 @@ public class SecurityOptionsValidatorTests
        Assert.Contains(nameof(LdapOptions.ServiceAccountDn), result.FailureMessage);
    }

+    /// <summary>
+    /// Verifies the security composition the Host performs at its composition root —
+    /// <c>AddZbLdapAuth(configuration, LdapSectionPath)</c> followed by <c>AddSecurity()</c> —
+    /// wires the shared <see cref="LdapOptionsValidator"/> as an
+    /// <see cref="IValidateOptions{TOptions}"/> for <c>LdapOptions</c> (which is what makes
+    /// <c>ValidateOnStart()</c> fire). The LDAP registration moved to the Host because it is
+    /// config-coupled; <c>AddSecurity()</c> is a component library and no longer takes
+    /// <c>IConfiguration</c>.
+    /// </summary>
    [Fact]
    public void AddSecurity_RegistersLdapOptionsValidator_WithValidateOnStart()
    {
        var services = new ServiceCollection();
        services.AddLogging();
        services.AddDataProtection();
-        services.AddSecurity(
-            new Microsoft.Extensions.Configuration.ConfigurationBuilder().Build());
+        // Mirror the Host composition order: shared LDAP auth (config-coupled) first,
+        // then the config-free AddSecurity().
+        services.AddZbLdapAuth(
+            new Microsoft.Extensions.Configuration.ConfigurationBuilder().Build(),
+            ZB.MOM.WW.ScadaBridge.Security.ServiceCollectionExtensions.LdapSectionPath);
+        services.AddSecurity();

        using var provider = services.BuildServiceProvider();