feat(auth)!: ScadaBridge retire SQL Server ApiKey entity + ApprovedApiKeyIds + legacy hashing; EF migration RetireInboundApiKeyStore; re-issue runbook + CHANGELOG (re-arch C5/E) — BREAKING: X-API-Key -> Bearer sbk_, keys re-issued
This commit is contained in:
Joseph Doherty
@@ -118,10 +118,11 @@ public class CentralCompositionRootTests : IDisposable
|
||||
["ScadaBridge:Security:Ldap:AllowInsecure"] = "true",
|
||||
["ScadaBridge:Security:Ldap:SearchBase"] = "dc=scadabridge,dc=local",
|
||||
["ScadaBridge:Security:Ldap:ServiceAccountDn"] = "cn=admin,dc=scadabridge,dc=local",
|
||||
// ConfigurationDatabase-012: inbound-API keys are hashed
|
||||
// with a server-side HMAC pepper; ApiKeyHasher fails fast
|
||||
// if it is missing or weak, so resolving ApiKeyValidator
|
||||
// requires a configured pepper.
|
||||
// Auth re-arch (C5): inbound-API keys live in the shared
|
||||
// ZB.MOM.WW.Auth.ApiKeys SQLite store. The verifier reuses
|
||||
// this same config key as its pepper secret (PepperSecretName),
|
||||
// and AddZbApiKeyAuth fails fast if it is missing/weak — so a
|
||||
// configured pepper is still required for the host to start.
|
||||
["ScadaBridge:InboundApi:ApiKeyPepper"] = "test-inbound-api-key-pepper-at-least-32-chars!",
|
||||
});
|
||||
});
|
||||
@@ -211,8 +212,8 @@ public class CentralCompositionRootTests : IDisposable
|
||||
// Security (ILdapAuthService is now a singleton — see CentralSingletonServices)
|
||||
new object[] { typeof(JwtTokenService) },
|
||||
new object[] { typeof(RoleMapper) },
|
||||
// InboundAPI
|
||||
new object[] { typeof(ApiKeyValidator) },
|
||||
// InboundAPI — auth re-arch (C5): the legacy ApiKeyValidator was retired;
|
||||
// inbound auth runs through the shared ZB.MOM.WW.Auth.ApiKeys verifier.
|
||||
new object[] { typeof(RouteHelper) },
|
||||
// ExternalSystemGateway
|
||||
new object[] { typeof(ExternalSystemClient) },
|
||||
|
||||
Reference in New Issue
Block a user