dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7)

Browse Source 
Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
  Admin        -> Administrator
  Design       -> Designer
  Deployment   -> Deployer
  Audit        -> Administrator   (COLLAPSE; accepted privilege escalation)
  AuditReadOnly-> Viewer          (COLLAPSE; keeps audit-read, no export)

SoD: OperationalAuditRoles = { Administrator, Viewer },
     AuditExportRoles      = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).

Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
  honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
  admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
  is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
  dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
  Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
  operator-added rows. Down is lossy on the collapse (documented in-file).
  No pending model changes.

Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.

CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.
This commit is contained in:
Joseph Doherty
2026-06-02 08:00:47 -04:00
parent 6ae605160c
commit b104760b3a
52 changed files with 2388 additions and 402 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/ZB.MOM.WW.ScadaBridge.IntegrationTests/AuditTransactionTests.cs
+3 -3
View File
@@ -28,7 +28,7 @@ public class AuditTransactionTests : IClassFixture<ScadaBridgeWebApplicationFact
var dbContext = scope.ServiceProvider.GetRequiredService<ScadaBridgeDbContext>();
// Add a mapping and an audit log entry in the same unit of work
var mapping = new LdapGroupMapping("test-group-audit", "Admin");
var mapping = new LdapGroupMapping("test-group-audit", "Administrator");
await securityRepo.AddMappingAsync(mapping);
await auditService.LogAsync(
@@ -37,7 +37,7 @@ public class AuditTransactionTests : IClassFixture<ScadaBridgeWebApplicationFact
entityType: "LdapGroupMapping",
entityId: "0", // ID not yet assigned
entityName: "test-group-audit",
afterState: new { Group = "test-group-audit", Role = "Admin" });
afterState: new { Group = "test-group-audit", Role = "Administrator" });
// Both should be in the change tracker before saving
var trackedEntities = dbContext.ChangeTracker.Entries().Count(e => e.State == EntityState.Added);
@@ -63,7 +63,7 @@ public class AuditTransactionTests : IClassFixture<ScadaBridgeWebApplicationFact
var auditService = scope1.ServiceProvider.GetRequiredService<IAuditService>();
// Add entity + audit but do NOT call SaveChangesAsync
var mapping = new LdapGroupMapping("orphan-group", "Design");
var mapping = new LdapGroupMapping("orphan-group", "Designer");
await securityRepo.AddMappingAsync(mapping);
await auditService.LogAsync("test", "Create", "LdapGroupMapping", "0", "orphan-group", null);
tests/ZB.MOM.WW.ScadaBridge.IntegrationTests/AuthFlowTests.cs
+4 -4
View File
@@ -64,7 +64,7 @@ public class AuthFlowTests : IClassFixture<ScadaBridgeWebApplicationFactory>
var token = jwtService.GenerateToken(
displayName: "Test User",
username: "testuser",
roles: new[] { "Admin", "Design" },
roles: new[] { "Administrator", "Designer" },
permittedSiteIds: null);
Assert.NotNull(token);
@@ -78,8 +78,8 @@ public class AuthFlowTests : IClassFixture<ScadaBridgeWebApplicationFactory>
Assert.Equal("Test User", displayName);
Assert.Equal("testuser", username);
Assert.Contains("Admin", roles);
Assert.Contains("Design", roles);
Assert.Contains("Administrator", roles);
Assert.Contains("Designer", roles);
}
[Fact]
@@ -91,7 +91,7 @@ public class AuthFlowTests : IClassFixture<ScadaBridgeWebApplicationFactory>
var token = jwtService.GenerateToken(
displayName: "Deployer",
username: "deployer1",
roles: new[] { "Deployment" },
roles: new[] { "Deployer" },
permittedSiteIds: new[] { "1", "3" });
var principal = jwtService.ValidateToken(token);
tests/ZB.MOM.WW.ScadaBridge.IntegrationTests/CentralFailoverTests.cs
+5 -5
View File
@@ -33,7 +33,7 @@ public class CentralFailoverTests
var token = jwtServiceA.GenerateToken(
displayName: "Failover User",
username: "failover_test",
roles: new[] { "Admin" },
roles: new[] { "Administrator" },
permittedSiteIds: null);
// Validate with a second instance (same signing key = simulated failover)
@@ -54,7 +54,7 @@ public class CentralFailoverTests
var token = jwtService.GenerateToken(
displayName: "Scoped User",
username: "scoped_user",
roles: new[] { "Deployment" },
roles: new[] { "Deployer" },
permittedSiteIds: new[] { "site-1", "site-2", "site-5" });
var principal = jwtService.ValidateToken(token);
@@ -77,7 +77,7 @@ public class CentralFailoverTests
var token = jwtServiceA.GenerateToken(
displayName: "User",
username: "user",
roles: new[] { "Admin" },
roles: new[] { "Administrator" },
permittedSiteIds: null);
// Token from A should NOT validate on B (different key)
@@ -109,7 +109,7 @@ public class CentralFailoverTests
var token = jwtService.GenerateToken(
displayName: "Expired User",
username: "expired_user",
roles: new[] { "Admin" },
roles: new[] { "Administrator" },
permittedSiteIds: null);
var principal = jwtService.ValidateToken(token);
@@ -145,7 +145,7 @@ public class CentralFailoverTests
var token = jwtService.GenerateToken(
displayName: "User",
username: "user",
roles: new[] { "Admin" },
roles: new[] { "Administrator" },
permittedSiteIds: null);
var principal = jwtService.ValidateToken(token);
tests/ZB.MOM.WW.ScadaBridge.IntegrationTests/SecurityHardeningTests.cs
+5 -5
View File
@@ -48,7 +48,7 @@ public class SecurityHardeningTests
var token = jwtService.GenerateToken(
displayName: "Test",
username: "test",
roles: new[] { "Admin" },
roles: new[] { "Administrator" },
permittedSiteIds: null);
Assert.NotNull(token);
@@ -96,7 +96,7 @@ public class SecurityHardeningTests
var token = jwtService.GenerateToken(
displayName: "Test",
username: "test",
roles: new[] { "Admin" },
roles: new[] { "Administrator" },
permittedSiteIds: null);
// JWT tokens are base64-encoded; the signing key should not appear in the payload
@@ -121,7 +121,7 @@ public class SecurityHardeningTests
var token = jwtService.GenerateToken(
displayName: "User",
username: "user",
roles: new[] { "Admin" },
roles: new[] { "Administrator" },
permittedSiteIds: null);
// Tamper with the token payload (second segment)
@@ -150,7 +150,7 @@ public class SecurityHardeningTests
var originalToken = jwtService.GenerateToken(
displayName: "Original User",
username: "orig_user",
roles: new[] { "Admin", "Design" },
roles: new[] { "Administrator", "Designer" },
permittedSiteIds: new[] { "site-1" });
var principal = jwtService.ValidateToken(originalToken);
@@ -159,7 +159,7 @@ public class SecurityHardeningTests
// Refresh the token
var refreshedToken = jwtService.RefreshToken(
principal!,
new[] { "Admin", "Design" },
new[] { "Administrator", "Designer" },
new[] { "site-1" });
Assert.NotNull(refreshedToken);