feat(audit): M5.6 SourceNode sentinel backfill (purge-role) + CLI + runbook note (T5)

2026-06-16 22:02:21 -04:00
parent de2968b03d
commit 55630b48b6
12 changed files with 1399 additions and 10 deletions
@@ -785,4 +785,191 @@ public class AuditEndpointsTests
            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
        }
    }
+
+    // ─────────────────────────────────────────────────────────────────────
+    // POST /api/audit/backfill-source-node (M5.6 T5)
+    // ─────────────────────────────────────────────────────────────────────
+
+    private static async Task<(HttpClient Client, IAuditLogRepository Repo, IHost Host)> BuildHostWithBackfillAsync(
+        string[] roles,
+        long backfillResult = 42L,
+        bool ldapSucceeds = true)
+    {
+        var repo = Substitute.For<IAuditLogRepository>();
+        repo.QueryAsync(Arg.Any<AuditLogQueryFilter>(), Arg.Any<AuditLogPaging>(), Arg.Any<CancellationToken>())
+            .Returns(Task.FromResult<IReadOnlyList<AuditEvent>>(Array.Empty<AuditEvent>()));
+        repo.BackfillSourceNodeAsync(
+                Arg.Any<string>(), Arg.Any<DateTime>(), Arg.Any<int>(), Arg.Any<CancellationToken>())
+            .Returns(Task.FromResult(backfillResult));
+        repo.GetExecutionTreeAsync(Arg.Any<Guid>(), Arg.Any<CancellationToken>())
+            .Returns(Task.FromResult<IReadOnlyList<ZB.MOM.WW.ScadaBridge.Commons.Types.Audit.ExecutionTreeNode>>(
+                Array.Empty<ZB.MOM.WW.ScadaBridge.Commons.Types.Audit.ExecutionTreeNode>()));
+
+        var ldap = Substitute.For<ILdapAuthService>();
+        ldap.AuthenticateAsync(Arg.Any<string>(), Arg.Any<string>(), Arg.Any<CancellationToken>())
+            .Returns(ldapSucceeds
+                ? LdapAuthResult.Success("auditor", "Auditor", new[] { "audit" })
+                : LdapAuthResult.Fail(LdapAuthFailure.BadCredentials));
+
+        var roleMapper = Substitute.For<RoleMapper>(Substitute.For<ISecurityRepository>());
+        roleMapper.MapGroupsToRolesAsync(Arg.Any<IReadOnlyList<string>>(), Arg.Any<CancellationToken>())
+            .Returns(new RoleMappingResult(roles, Array.Empty<string>(), IsSystemWideDeployment: true));
+
+        var hostBuilder = new HostBuilder()
+            .ConfigureWebHost(web =>
+            {
+                web.UseTestServer();
+                web.ConfigureServices(services =>
+                {
+                    services.AddRouting();
+                    services.AddSingleton(repo);
+                    services.AddSingleton(ldap);
+                    services.AddSingleton(roleMapper);
+                });
+                web.Configure(app =>
+                {
+                    app.UseRouting();
+                    app.UseEndpoints(endpoints => endpoints.MapAuditAPI());
+                });
+            });
+
+        var host = await hostBuilder.StartAsync();
+        return (host.GetTestClient(), repo, host);
+    }
+
+    private static HttpRequestMessage Post(string url, string body, string credential = BasicCredential)
+    {
+        var request = new HttpRequestMessage(HttpMethod.Post, url)
+        {
+            Content = new StringContent(body, Encoding.UTF8, "application/json"),
+        };
+        if (credential.Length > 0)
+        {
+            request.Headers.Authorization = new AuthenticationHeaderValue(
+                "Basic", Convert.ToBase64String(Encoding.UTF8.GetBytes(credential)));
+        }
+        return request;
+    }
+
+    [Fact]
+    public async Task BackfillSourceNode_AdminRole_Returns200WithRowCount()
+    {
+        var (client, _, host) = await BuildHostWithBackfillAsync(
+            roles: new[] { "Administrator" }, backfillResult: 12345L);
+        using (host)
+        {
+            var response = await client.SendAsync(Post(
+                "/api/audit/backfill-source-node",
+                "{\"sentinel\":\"unknown\",\"before\":\"2026-01-01T00:00:00Z\"}"));
+
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+            using var doc = JsonDocument.Parse(await response.Content.ReadAsStringAsync());
+            var root = doc.RootElement;
+            Assert.Equal(12345L, root.GetProperty("rowsUpdated").GetInt64());
+            Assert.Equal("unknown", root.GetProperty("sentinel").GetString());
+        }
+    }
+
+    [Fact]
+    public async Task BackfillSourceNode_ViewerRole_Returns403()
+    {
+        // Viewer has OperationalAudit but NOT the Admin-only backfill permission.
+        var (client, _, host) = await BuildHostWithBackfillAsync(roles: new[] { "Viewer" });
+        using (host)
+        {
+            var response = await client.SendAsync(Post(
+                "/api/audit/backfill-source-node",
+                "{\"sentinel\":\"unknown\",\"before\":\"2026-01-01T00:00:00Z\"}"));
+
+            Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+        }
+    }
+
+    [Fact]
+    public async Task BackfillSourceNode_NoCredentials_Returns401()
+    {
+        var (client, _, host) = await BuildHostWithBackfillAsync(roles: new[] { "Administrator" });
+        using (host)
+        {
+            var response = await client.SendAsync(Post(
+                "/api/audit/backfill-source-node",
+                "{\"sentinel\":\"unknown\",\"before\":\"2026-01-01T00:00:00Z\"}",
+                credential: ""));
+
+            Assert.Equal(HttpStatusCode.Unauthorized, response.StatusCode);
+        }
+    }
+
+    [Fact]
+    public async Task BackfillSourceNode_MissingBefore_Returns400()
+    {
+        var (client, _, host) = await BuildHostWithBackfillAsync(roles: new[] { "Administrator" });
+        using (host)
+        {
+            // No "before" field — required.
+            var response = await client.SendAsync(Post(
+                "/api/audit/backfill-source-node",
+                "{\"sentinel\":\"unknown\"}"));
+
+            Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+        }
+    }
+
+    [Fact]
+    public async Task BackfillSourceNode_InvalidBeforeDate_Returns400()
+    {
+        var (client, _, host) = await BuildHostWithBackfillAsync(roles: new[] { "Administrator" });
+        using (host)
+        {
+            var response = await client.SendAsync(Post(
+                "/api/audit/backfill-source-node",
+                "{\"sentinel\":\"unknown\",\"before\":\"not-a-date\"}"));
+
+            Assert.Equal(HttpStatusCode.BadRequest, response.StatusCode);
+        }
+    }
+
+    [Fact]
+    public async Task BackfillSourceNode_CustomSentinelAndBatch_PassedToRepo()
+    {
+        var (client, repo, host) = await BuildHostWithBackfillAsync(
+            roles: new[] { "Administrator" }, backfillResult: 7L);
+        using (host)
+        {
+            var response = await client.SendAsync(Post(
+                "/api/audit/backfill-source-node",
+                "{\"sentinel\":\"pre-feature\",\"before\":\"2026-01-01T00:00:00Z\",\"batchSize\":2000}"));
+
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+            await repo.Received(1).BackfillSourceNodeAsync(
+                "pre-feature",
+                Arg.Is<DateTime>(d => d.Year == 2026 && d.Month == 1 && d.Day == 1),
+                2000,
+                Arg.Any<CancellationToken>());
+        }
+    }
+
+    [Fact]
+    public async Task BackfillSourceNode_DefaultSentinel_IsUnknown_WhenOmitted()
+    {
+        var (client, repo, host) = await BuildHostWithBackfillAsync(
+            roles: new[] { "Administrator" }, backfillResult: 0L);
+        using (host)
+        {
+            // Omit "sentinel" — endpoint defaults to "unknown".
+            var response = await client.SendAsync(Post(
+                "/api/audit/backfill-source-node",
+                "{\"before\":\"2026-01-01T00:00:00Z\"}"));
+
+            Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+
+            await repo.Received(1).BackfillSourceNodeAsync(
+                "unknown",
+                Arg.Any<DateTime>(),
+                Arg.Any<int>(),
+                Arg.Any<CancellationToken>());
+        }
+    }
 }