feat(audit): ScadaBridge IAuditActorAccessor + wire audit Actor from Auth principal at authenticated emit sites (Phase 3)

2026-06-02 15:33:01 -04:00
parent bc0e5bfd37
commit b3de8408fa
9 changed files with 463 additions and 30 deletions
@@ -0,0 +1,31 @@
+namespace ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
+
+/// <summary>
+/// Resolves the <c>Actor</c> for an audit row from the current authenticated
+/// principal (Phase 3 of the audit re-architecture). User-facing emit sites
+/// (the inbound API middleware on a cookie/LDAP-authenticated request) read
+/// <see cref="CurrentActor"/> so the canonical <c>AuditEvent.Actor</c> records
+/// the real authenticated user, rather than a generic system/identity fallback.
+/// </summary>
+/// <remarks>
+/// <para>The seam is deliberately ASP.NET-free (a plain <c>string?</c>) so it can
+/// live in Commons and be consumed by any project without pulling an HTTP
+/// dependency. The HTTP-backed implementation
+/// (<c>ZB.MOM.WW.ScadaBridge.Security.HttpAuditActorAccessor</c>) reads the
+/// authenticated principal off <c>IHttpContextAccessor.HttpContext?.User</c>.</para>
+/// <para>This seam is for the <em>authenticated, interactive</em> actor only.
+/// System-originated emitters (script/notification/db-outbound) keep their own
+/// system actor/fallback and do NOT consult this accessor — there is no
+/// interactive principal to read in those flows.</para>
+/// </remarks>
+public interface IAuditActorAccessor
+{
+    /// <summary>
+    /// The actor string for the currently authenticated principal, or
+    /// <c>null</c> when there is no authenticated interactive user (no ambient
+    /// request, or an unauthenticated / auth-failure request). A null result
+    /// signals the caller to fall back to its existing actor (API-key name,
+    /// "system", etc.) — an unauthenticated principal is never echoed back.
+    /// </summary>
+    string? CurrentActor { get; }
+}
@@ -33,14 +33,18 @@ namespace ZB.MOM.WW.ScadaBridge.InboundAPI.Middleware;
 /// </para>
 ///
 /// <para>
-/// <b>Actor resolution.</b> Inbound API auth runs inside the endpoint handler
+/// <b>Actor resolution.</b> The API-key auth path runs inside the endpoint handler
 /// (no <c>UseAuthentication</c>-backed scheme populates <see cref="HttpContext.User"/>
-/// for X-API-Key callers), so the handler stashes the resolved API key name on
+/// for Bearer API-key callers), so the handler stashes the resolved API key name on
 /// <see cref="HttpContext.Items"/> under <see cref="AuditActorItemKey"/> after
 /// <c>IApiKeyVerifier.VerifyAsync</c> succeeds. The middleware reads it in
-/// its <c>finally</c> block — on auth failures the key remains absent and
-/// <see cref="AuditEvent.Actor"/> stays null (we never echo back an
-/// unauthenticated principal).
+/// its <c>finally</c> block. Phase 3: when no API-key name is stashed, the actor is
+/// sourced from the authenticated <em>interactive</em> principal via
+/// <see cref="IAuditActorAccessor"/> (a cookie/LDAP-authenticated inbound user,
+/// keyed off the canonical username claim). On auth failures (401/403) the actor is
+/// forced null before resolution runs, and the accessor itself returns null for an
+/// unauthenticated principal — so <see cref="AuditEvent.Actor"/> stays null and we
+/// never echo back an unauthenticated principal.
 /// </para>
 ///
 /// <para>
@@ -90,6 +94,7 @@ public sealed class AuditWriteMiddleware
    private readonly ICentralAuditWriter _auditWriter;
    private readonly ILogger<AuditWriteMiddleware> _logger;
    private readonly IOptionsMonitor<AuditLogOptions> _options;
+    private readonly IAuditActorAccessor? _actorAccessor;

    /// <summary>
    /// Initializes the middleware with its required dependencies.
@@ -98,16 +103,25 @@ public sealed class AuditWriteMiddleware
    /// <param name="auditWriter">Central audit writer used to persist inbound API audit events.</param>
    /// <param name="logger">Logger for this middleware.</param>
    /// <param name="options">Live-reloadable audit log options, read per-request.</param>
+    /// <param name="actorAccessor">
+    /// Phase 3 (optional): resolves the audit <see cref="AuditEvent.Actor"/> from the
+    /// authenticated principal on a cookie/LDAP-authenticated inbound request. Optional
+    /// so existing tests (and any composition without the accessor registered) still
+    /// construct the middleware; when absent, actor resolution falls back to the
+    /// stashed API-key name only.
+    /// </param>
    public AuditWriteMiddleware(
        RequestDelegate next,
        ICentralAuditWriter auditWriter,
        ILogger<AuditWriteMiddleware> logger,
-        IOptionsMonitor<AuditLogOptions> options)
+        IOptionsMonitor<AuditLogOptions> options,
+        IAuditActorAccessor? actorAccessor = null)
    {
        _next = next ?? throw new ArgumentNullException(nameof(next));
        _auditWriter = auditWriter ?? throw new ArgumentNullException(nameof(auditWriter));
        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
        _options = options ?? throw new ArgumentNullException(nameof(options));
+        _actorAccessor = actorAccessor;
    }

    /// <summary>
@@ -472,13 +486,24 @@ public sealed class AuditWriteMiddleware
    }

    /// <summary>
-    /// Reads the API key name the endpoint handler stashed on
-    /// <see cref="HttpContext.Items"/> after successful auth. Falls back to
-    /// the authenticated user name when an ASP.NET scheme has populated
-    /// <see cref="HttpContext.User"/> (defensive — currently unused for inbound
-    /// API but cheap and forward-compatible).
+    /// Resolves the audit <see cref="AuditEvent.Actor"/> for a non-auth-failure
+    /// inbound request:
+    /// <list type="number">
+    /// <item><description>the API key name the endpoint handler stashed on
+    /// <see cref="HttpContext.Items"/> after successful key auth (the
+    /// key-authenticated path — the canonical identity of an API-key caller);</description></item>
+    /// <item><description>otherwise the authenticated <em>interactive</em> principal
+    /// resolved through <see cref="IAuditActorAccessor"/> (Phase 3 — a
+    /// cookie/LDAP-authenticated inbound user, sourced from the canonical username
+    /// claim). The accessor reads the ambient <see cref="HttpContext.User"/>, so the
+    /// fall-through here only fires when no API-key name was stashed;</description></item>
+    /// <item><description>otherwise <c>null</c> — never echo an unauthenticated
+    /// principal back as an actor.</description></item>
+    /// </list>
+    /// The accessor is optional (constructor default <c>null</c>); when absent only
+    /// the stashed API-key name is consulted, preserving the pre-Phase-3 behaviour.
    /// </summary>
-    private static string? ResolveActor(HttpContext ctx)
+    private string? ResolveActor(HttpContext ctx)
    {
        if (ctx.Items.TryGetValue(AuditActorItemKey, out var stashed)
            && stashed is string name
@@ -487,13 +512,11 @@ public sealed class AuditWriteMiddleware
            return name;
        }

-        var user = ctx.User;
-        if (user?.Identity is { IsAuthenticated: true, Name: { Length: > 0 } userName })
-        {
-            return userName;
-        }
-
-        return null;
+        // Phase 3: an interactive cookie/LDAP-authenticated inbound user records
+        // their real identity as Actor. Returns null for the key-authenticated
+        // and auth-failure paths (no authenticated interactive principal), so the
+        // existing API-key/auth-failure behaviour is preserved.
+        return _actorAccessor?.CurrentActor;
    }

    /// <summary>
@@ -0,0 +1,65 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using ZB.MOM.WW.Auth.AspNetCore;
+using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
+
+namespace ZB.MOM.WW.ScadaBridge.Security;
+
+/// <summary>
+/// HTTP-backed <see cref="IAuditActorAccessor"/> (Phase 3): resolves the audit
+/// <c>Actor</c> from the authenticated principal on the ambient
+/// <see cref="IHttpContextAccessor.HttpContext"/>. Used by the user-facing
+/// inbound API audit path so a cookie/LDAP-authenticated request records the
+/// real user as <c>AuditEvent.Actor</c>.
+/// </summary>
+/// <remarks>
+/// <para>The username is sourced from the canonical
+/// <see cref="ZbClaimTypes.Username"/> claim (= <see cref="JwtTokenService.UsernameClaimType"/>,
+/// minted by <see cref="JwtTokenService"/> and by the cookie login path), falling
+/// back to <see cref="System.Security.Principal.IIdentity.Name"/> (which
+/// <see cref="JwtTokenService"/> pins to <see cref="ZbClaimTypes.Name"/> via its
+/// token-validation <c>NameClaimType</c>).
+/// When there is no ambient request, the principal is unauthenticated, or no
+/// usable name claim is present, <see cref="CurrentActor"/> returns <c>null</c> so
+/// the caller keeps its existing actor/fallback — an unauthenticated principal is
+/// never echoed back as an actor.</para>
+/// </remarks>
+public sealed class HttpAuditActorAccessor : IAuditActorAccessor
+{
+    private readonly IHttpContextAccessor _httpContextAccessor;
+
+    /// <summary>Initializes a new instance of <see cref="HttpAuditActorAccessor"/>.</summary>
+    /// <param name="httpContextAccessor">Accessor for the ambient HTTP context.</param>
+    public HttpAuditActorAccessor(IHttpContextAccessor httpContextAccessor)
+    {
+        _httpContextAccessor = httpContextAccessor
+            ?? throw new ArgumentNullException(nameof(httpContextAccessor));
+    }
+
+    /// <inheritdoc />
+    public string? CurrentActor
+    {
+        get
+        {
+            var user = _httpContextAccessor.HttpContext?.User;
+            if (user?.Identity is not { IsAuthenticated: true })
+            {
+                // No ambient request, or the principal is unauthenticated — never
+                // echo an unauthenticated identity back as an actor.
+                return null;
+            }
+
+            // Prefer the canonical username claim (the value JwtTokenService and
+            // the cookie login path mint); fall back to Identity.Name (pinned to
+            // ZbClaimTypes.Name by JwtTokenService.NameClaimType).
+            var username = user.FindFirst(JwtTokenService.UsernameClaimType)?.Value;
+            if (!string.IsNullOrWhiteSpace(username))
+            {
+                return username;
+            }
+
+            var name = user.Identity?.Name;
+            return string.IsNullOrWhiteSpace(name) ? null : name;
+        }
+    }
+}
@@ -4,6 +4,7 @@ using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
 using ZB.MOM.WW.Auth.Abstractions.Roles;
 using ZB.MOM.WW.Auth.AspNetCore;
+using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;

 namespace ZB.MOM.WW.ScadaBridge.Security;

@@ -49,6 +50,18 @@ public static class ServiceCollectionExtensions
        services.AddScoped<JwtTokenService>();
        services.AddScoped<RoleMapper>();

+        // Audit Actor wiring (Phase 3): the user-facing inbound API audit path
+        // sources AuditEvent.Actor from the authenticated principal via this
+        // seam. HttpAuditActorAccessor reads IHttpContextAccessor.HttpContext?.User
+        // (canonical username claim, Identity.Name fallback) and returns null when
+        // there is no authenticated interactive user — so the caller keeps its
+        // existing actor/fallback (API-key name, "system"). Registered as a
+        // singleton (it is stateless and only dereferences the ambient request);
+        // AddHttpContextAccessor is idempotent (TryAdd-based) so calling it here
+        // is safe even though the Host's AddCentralUI also registers it.
+        services.AddHttpContextAccessor();
+        services.AddSingleton<IAuditActorAccessor, HttpAuditActorAccessor>();
+
        // Auth-adoption Task 1.1: register the shared IGroupRoleMapper<string>
        // seam additively, wrapping RoleMapper to reuse its DB-backed mapping +
        // site-scope union semantics. Scoped to match RoleMapper's lifetime (it
@@ -8,10 +8,15 @@
  </PropertyGroup>

  <ItemGroup>
-    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" />
-    <PackageReference Include="Microsoft.Extensions.Options" />
-    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" />
-    <PackageReference Include="Microsoft.AspNetCore.Authorization" />
+    <!-- HttpAuditActorAccessor (Phase 3) + AddHttpContextAccessor read the
+         authenticated principal off IHttpContextAccessor.HttpContext.User to
+         source the audit Actor. The cookie-auth wiring in AddSecurity already
+         lives here, so this is the natural home for the HTTP-backed
+         principal-to-actor seam. The shared framework supplies IHttpContextAccessor
+         / HttpContext (and the AddHttpContextAccessor DI helper); it also supplies
+         the Extensions.* + AspNetCore.Authentication/Authorization assemblies that
+         were previously listed as PackageReferences (now pruned — NU1510). -->
+    <FrameworkReference Include="Microsoft.AspNetCore.App" />
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
    <PackageReference Include="Novell.Directory.Ldap.NETStandard" />
    <PackageReference Include="ZB.MOM.WW.Auth.Abstractions" />