fix(security): close auth & site-scoping gaps across 8 findings

Resolves the auth-theme batch from the 2026-05-28 baseline review (8 findings across Security/CentralUI/ManagementService/CLI). The most consequential gaps: NotificationReport + SiteCallsReport now route through SiteScopeService so a site-scoped Deployment user cannot see or act on other sites' rows (CUI-028); QueryAuditLogCommand is no longer "any authenticated user" — gated Admin-only to match /api/audit/query's strictness (MS-018); RoleMapper preserves the broader grant when a user is in both an unscoped and scoped Deployment LDAP group, instead of silently narrowing to the scoped set (Sec-016); and the dead SiteScopeRequirement/Handler are deleted so SiteScopeService is unambiguously the sole site-scoping mechanism (Sec-017). Pending findings: 172 → 164.
2026-05-28 03:35:29 -04:00
parent f93b7b99bb
commit e536178323
28 changed files with 814 additions and 196 deletions
@@ -212,6 +212,58 @@ public class AuditExportCommandTests
        }
    }

+    [Fact]
+    public async Task RunExport_Http403_ReturnsExitCode2()
+    {
+        // CLI-018: an HTTP 403 on /api/audit/export must produce exit code 2 per the
+        // documented CLI contract — the legacy bare-1 return masked auth failures
+        // as generic command failures.
+        var path = Path.Combine(Path.GetTempPath(), $"audit-export-403-{Guid.NewGuid():N}.csv");
+        try
+        {
+            var handler = new BodyHandler(HttpStatusCode.Forbidden,
+                () => new StringContent("{\"error\":\"nope\",\"code\":\"UNAUTHORIZED\"}", Encoding.UTF8, "application/json"));
+            var client = new ManagementHttpClient(new HttpClient(handler), "http://localhost:9001", "u", "p");
+            var output = new StringWriter();
+
+            var exit = await AuditExportHelpers.RunExportAsync(
+                client,
+                new AuditExportArgs { Since = "1h", Until = "0h", Format = "csv", Output = path },
+                output, DateTimeOffset.UtcNow);
+
+            Assert.Equal(2, exit);
+            Assert.False(File.Exists(path));
+        }
+        finally
+        {
+            if (File.Exists(path)) File.Delete(path);
+        }
+    }
+
+    [Fact]
+    public async Task RunExport_UnauthorizedCodeOnNon403_ReturnsExitCode2()
+    {
+        var path = Path.Combine(Path.GetTempPath(), $"audit-export-401-{Guid.NewGuid():N}.csv");
+        try
+        {
+            var handler = new BodyHandler(HttpStatusCode.BadRequest,
+                () => new StringContent("{\"error\":\"nope\",\"code\":\"FORBIDDEN\"}", Encoding.UTF8, "application/json"));
+            var client = new ManagementHttpClient(new HttpClient(handler), "http://localhost:9001", "u", "p");
+            var output = new StringWriter();
+
+            var exit = await AuditExportHelpers.RunExportAsync(
+                client,
+                new AuditExportArgs { Since = "1h", Until = "0h", Format = "csv", Output = path },
+                output, DateTimeOffset.UtcNow);
+
+            Assert.Equal(2, exit);
+        }
+        finally
+        {
+            if (File.Exists(path)) File.Delete(path);
+        }
+    }
+
    [Fact]
    public async Task RunExport_Parquet501_PrintsServerMessageAndReturnsNonZero()
    {