feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7)

Standardize role string VALUES on the canonical vocabulary (Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here): Admin -> Administrator Design -> Designer Deployment -> Deployer Audit -> Administrator (COLLAPSE; accepted privilege escalation) AuditReadOnly-> Viewer (COLLAPSE; keeps audit-read, no export) SoD: OperationalAuditRoles = { Administrator, Viewer }, AuditExportRoles = { Administrator } so Viewer reads the audit log + nav but cannot bulk-export, while Administrator does both + holds the full admin surface (the documented, accepted auditor/admin SoD collapse). Atomic move across every enforcement site: - Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays + honest XML-doc); RoleMapper Deployer check. - ManagementActor.GetRequiredRole switch + the hard-coded site-scope admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic is otherwise unchanged. - DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive). - CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm dropdown now offers canonical values (incl. Viewer). - Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles: Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for operator-added rows. Down is lossy on the collapse (documented in-file). No pending model changes. Tests reworked to the collapsed model across Security/CentralUI/ ManagementService/ConfigurationDatabase/Integration suites, incl. explicit Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases. CHANGELOG: BREAKING security note documenting the canonicalization + SoD collapse.
2026-06-02 08:00:47 -04:00
parent 6ae605160c
commit b104760b3a
52 changed files with 2388 additions and 402 deletions
@@ -81,7 +81,7 @@ public class ExecutionTreePageTests : BunitContext
                Node(child, root),
            }));

-        var cut = RenderPage($"executionId={child}", "Admin");
+        var cut = RenderPage($"executionId={child}", "Administrator");

        cut.WaitForAssertion(() =>
        {
@@ -96,7 +96,7 @@ public class ExecutionTreePageTests : BunitContext
    {
        _queryService = Substitute.For<IAuditLogQueryService>();

-        var cut = RenderPage(query: null, "Admin");
+        var cut = RenderPage(query: null, "Administrator");

        cut.WaitForAssertion(() => Assert.Contains("Execution Chain", cut.Markup));
        _queryService.DidNotReceive().GetExecutionTreeAsync(Arg.Any<Guid>(), Arg.Any<CancellationToken>());
@@ -107,7 +107,7 @@ public class ExecutionTreePageTests : BunitContext
    {
        _queryService = Substitute.For<IAuditLogQueryService>();

-        var cut = RenderPage("executionId=not-a-guid", "Admin");
+        var cut = RenderPage("executionId=not-a-guid", "Administrator");

        cut.WaitForAssertion(() => Assert.Contains("Execution Chain", cut.Markup));
        _queryService.DidNotReceive().GetExecutionTreeAsync(Arg.Any<Guid>(), Arg.Any<CancellationToken>());
@@ -131,7 +131,7 @@ public class ExecutionTreePageTests : BunitContext
        // AuditEventDetail (reachable from the modal) owns a clipboard interop call.
        JSInterop.Mode = JSRuntimeMode.Loose;

-        var cut = RenderPage($"executionId={child}", "Admin");
+        var cut = RenderPage($"executionId={child}", "Administrator");

        // The modal is absent until a node is activated.
        Assert.Empty(cut.FindAll("[data-test=\"execution-detail-modal\"]"));
@@ -163,7 +163,7 @@ public class ExecutionTreePageTests : BunitContext
            .Returns(Task.FromResult<IReadOnlyList<AuditEvent>>(Array.Empty<AuditEvent>()));
        JSInterop.Mode = JSRuntimeMode.Loose;

-        var cut = RenderPage($"executionId={child}", "Admin");
+        var cut = RenderPage($"executionId={child}", "Administrator");

        cut.Find($"[data-test=\"tree-node-{child}\"] .execution-tree-body").DoubleClick();
        cut.WaitForAssertion(() =>