dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 2 Actions Packages Projects Releases Wiki Activity

feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7)

Browse Source 
Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
  Admin        -> Administrator
  Design       -> Designer
  Deployment   -> Deployer
  Audit        -> Administrator   (COLLAPSE; accepted privilege escalation)
  AuditReadOnly-> Viewer          (COLLAPSE; keeps audit-read, no export)

SoD: OperationalAuditRoles = { Administrator, Viewer },
     AuditExportRoles      = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).

Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
  honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
  admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
  is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
  dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
  Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
  operator-added rows. Down is lossy on the collapse (documented in-file).
  No pending model changes.

Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.

CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.
This commit is contained in:
Joseph Doherty
2026-06-02 08:00:47 -04:00
parent 6ae605160c
commit b104760b3a
52 changed files with 2388 additions and 402 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/ZB.MOM.WW.ScadaBridge.CentralUI.Tests/Pages/AuditLogPagePermissionTests.cs
+30 -26
View File
@@ -38,10 +38,12 @@ namespace ZB.MOM.WW.ScadaBridge.CentralUI.Tests.Pages;
/// <item><c>AuditExport</c> — additional gate on the Export-CSV button and
/// the streaming export endpoint.</item>
/// </list>
/// Both policies are satisfied by the <c>Audit</c> role and (defence in depth)
/// the <c>Admin</c> role — admins see everything by convention in this
/// codebase. The tests pin both the page-level + endpoint-level enforcement,
/// and the Export-button visibility split.
/// Post Task 1.7: <c>AuditExport</c> is satisfied only by the
/// <c>Administrator</c> role (which absorbed the former <c>Audit</c> role);
/// <c>OperationalAudit</c> is additionally satisfied by the <c>Viewer</c> role
/// (the home of the former <c>AuditReadOnly</c> role) — Viewer reads but cannot
/// export. The tests pin both the page-level + endpoint-level enforcement, and
/// the Export-button visibility split.
/// </para>
/// </summary>
public class AuditLogPagePermissionTests : BunitContext
@@ -106,15 +108,15 @@ public class AuditLogPagePermissionTests : BunitContext
[Fact]
public async Task WithoutOperationalAudit_PolicyDenies()
{
// A Design-only user (no Audit, no Admin) must NOT satisfy the
// OperationalAudit policy.
// A Designer-only user (not Administrator, not Viewer) must NOT satisfy
// the OperationalAudit policy.
var services = new ServiceCollection();
services.AddLogging();
services.AddScadaBridgeAuthorization();
using var provider = services.BuildServiceProvider();
var authService = provider.GetRequiredService<IAuthorizationService>();
var principal = BuildPrincipal("Design");
var principal = BuildPrincipal("Designer");
var result = await authService.AuthorizeAsync(
principal, null, AuthorizationPolicies.OperationalAudit);
@@ -156,11 +158,12 @@ public class AuditLogPagePermissionTests : BunitContext
[Fact]
public void WithOperationalAudit_NoAuditExport_PageRenders_ExportButtonHidden()
{
// The "Audit" role grants OperationalAudit + AuditExport in the
// default mapping, so we test the split by handing the user ONLY
// an extra-narrow role that we map ONLY to OperationalAudit: a
// fresh "AuditReadOnly" role (see AuthorizationPolicies).
var cut = RenderAuditLogPage("AuditReadOnly");
// The "Administrator" role grants OperationalAudit + AuditExport, so we
// test the split by handing the user ONLY the "Viewer" role, which maps
// to OperationalAudit (read) but NOT AuditExport — the preserved
// half-SoD after the Task 1.7 AuditReadOnly→Viewer collapse
// (see AuthorizationPolicies).
var cut = RenderAuditLogPage("Viewer");
cut.WaitForAssertion(() =>
{
@@ -174,7 +177,7 @@ public class AuditLogPagePermissionTests : BunitContext
[Fact]
public void WithOperationalAudit_AndAuditExport_PageRenders_ExportButtonVisible()
{
var cut = RenderAuditLogPage("Audit");
var cut = RenderAuditLogPage("Administrator");
cut.WaitForAssertion(() =>
{
@@ -186,9 +189,9 @@ public class AuditLogPagePermissionTests : BunitContext
[Fact]
public void AdminUser_SeesPage_AndExportButton()
{
// Admin holds every permission by convention — both policies must
// succeed for a plain Admin user.
var cut = RenderAuditLogPage("Admin");
// Administrator holds every permission by convention — both policies must
// succeed for a plain Administrator user.
var cut = RenderAuditLogPage("Administrator");
cut.WaitForAssertion(() =>
{
@@ -204,9 +207,9 @@ public class AuditLogPagePermissionTests : BunitContext
[Fact]
public async Task AuditExportEndpoint_WithoutAuditExport_Returns403()
{
// A user holding only Design must NOT be able to call the export
// A user holding only Designer must NOT be able to call the export
// endpoint. Live wiring re-uses AuthorizationPolicies.AuditExport.
var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Design" });
var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Designer" });
using (host)
{
var response = await client.GetAsync("/api/centralui/audit/export");
@@ -217,7 +220,7 @@ public class AuditLogPagePermissionTests : BunitContext
[Fact]
public async Task AuditExportEndpoint_WithAuditExport_Returns200()
{
var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Audit" });
var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Administrator" });
using (host)
{
var response = await client.GetAsync("/api/centralui/audit/export");
@@ -228,8 +231,9 @@ public class AuditLogPagePermissionTests : BunitContext
[Fact]
public async Task AuditExportEndpoint_AdminAlone_Returns200()
{
// Admin alone (no Audit role) must still pass — defence in depth.
var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Admin" });
// Administrator alone must pass — it absorbed the former Audit role and
// holds AuditExport by convention (defence in depth).
var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Administrator" });
using (host)
{
var response = await client.GetAsync("/api/centralui/audit/export");
@@ -238,12 +242,12 @@ public class AuditLogPagePermissionTests : BunitContext
}
[Fact]
public async Task AuditExportEndpoint_AuditReadOnly_Returns403()
public async Task AuditExportEndpoint_Viewer_Returns403()
{
// AuditReadOnly grants OperationalAudit but NOT AuditExport, so the
// endpoint must refuse — the page is readable but the bulk export
// path is gated separately.
var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "AuditReadOnly" });
// Viewer (former AuditReadOnly) grants OperationalAudit but NOT
// AuditExport, so the endpoint must refuse — the page is readable but
// the bulk export path is gated separately (preserved half-SoD).
var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Viewer" });
using (host)
{
var response = await client.GetAsync("/api/centralui/audit/export");