feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7)
Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
Admin -> Administrator
Design -> Designer
Deployment -> Deployer
Audit -> Administrator (COLLAPSE; accepted privilege escalation)
AuditReadOnly-> Viewer (COLLAPSE; keeps audit-read, no export)
SoD: OperationalAuditRoles = { Administrator, Viewer },
AuditExportRoles = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).
Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
operator-added rows. Down is lossy on the collapse (documented in-file).
No pending model changes.
Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.
CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.
This commit is contained in:
Joseph Doherty
@@ -48,7 +48,7 @@ public class SecurityHardeningTests
|
||||
var token = jwtService.GenerateToken(
|
||||
displayName: "Test",
|
||||
username: "test",
|
||||
roles: new[] { "Admin" },
|
||||
roles: new[] { "Administrator" },
|
||||
permittedSiteIds: null);
|
||||
|
||||
Assert.NotNull(token);
|
||||
@@ -96,7 +96,7 @@ public class SecurityHardeningTests
|
||||
var token = jwtService.GenerateToken(
|
||||
displayName: "Test",
|
||||
username: "test",
|
||||
roles: new[] { "Admin" },
|
||||
roles: new[] { "Administrator" },
|
||||
permittedSiteIds: null);
|
||||
|
||||
// JWT tokens are base64-encoded; the signing key should not appear in the payload
|
||||
@@ -121,7 +121,7 @@ public class SecurityHardeningTests
|
||||
var token = jwtService.GenerateToken(
|
||||
displayName: "User",
|
||||
username: "user",
|
||||
roles: new[] { "Admin" },
|
||||
roles: new[] { "Administrator" },
|
||||
permittedSiteIds: null);
|
||||
|
||||
// Tamper with the token payload (second segment)
|
||||
@@ -150,7 +150,7 @@ public class SecurityHardeningTests
|
||||
var originalToken = jwtService.GenerateToken(
|
||||
displayName: "Original User",
|
||||
username: "orig_user",
|
||||
roles: new[] { "Admin", "Design" },
|
||||
roles: new[] { "Administrator", "Designer" },
|
||||
permittedSiteIds: new[] { "site-1" });
|
||||
|
||||
var principal = jwtService.ValidateToken(originalToken);
|
||||
@@ -159,7 +159,7 @@ public class SecurityHardeningTests
|
||||
// Refresh the token
|
||||
var refreshedToken = jwtService.RefreshToken(
|
||||
principal!,
|
||||
new[] { "Admin", "Design" },
|
||||
new[] { "Administrator", "Designer" },
|
||||
new[] { "site-1" });
|
||||
|
||||
Assert.NotNull(refreshedToken);
|
||||
|
||||
Reference in New Issue
Block a user