fix(review): full code-review remediation — 5 High + Medium/Low across 16 modules
Remediation from the full per-module code review at 4307c381 (findings recorded
separately in code-reviews/).
Highs fixed:
- DeploymentManager-025/SiteRuntime-031: stop broadcasting notification lists + SMTP
configs (incl. credentials) to sites; site purges already-persisted rows on apply
(enforces the central-only delivery design; clears plaintext SMTP creds at rest).
- DataConnectionLayer-023: guard the native-alarm subscribe path against the
mid-flight-unsubscribe adapter-feed leak (mirrors the DCL-021 tag-path fix).
- SiteEventLogging-024: normalize From/To query bounds to UTC (the -016 fix the
audit trail claimed but never committed).
- KpiHistory-001: add an in-flight guard to the recorder sample tick.
- ScriptAnalysis-001: harden the trust analyzer's TPA-absent fallback (resolve
forbidden anchors in the minimal reference set; warn on degraded mode) — anchors
added to validation references only, never the compile gate.
(InboundAPI-026 left to the feat/ipsen-movein effort per owner decision.)
Medium/Low: DM-026 deterministic deploy-status tiebreaker; SR-027/028/029/030
native-alarm leak/phantom-active/delete-during-redeploy fixes; AL-013/014/016;
TE-024 (folder-mutation audit rows now persisted)/025; SF-025 gauge-provider
clear-on-stop; ESG-025/026; SEC-023/024/025; SCA-007/008/009; plus doc/test
accuracy COM-023/024, HOST-025/026, HM-024/025, NS-027/028.
Full-solution build 0 warnings; ~3560 tests across 18 touched suites green.
This commit is contained in:
Joseph Doherty
@@ -1887,8 +1887,26 @@ public class ManagementActor : ReceiveActor
|
||||
return await repo.GetAllMappingsAsync();
|
||||
}
|
||||
|
||||
// Security-023 (membership half): an LDAP-group mapping's Role is a free string on the
|
||||
// wire (CLI/API), so reject anything outside the canonical Roles.All set at the single
|
||||
// server-side write path. A non-canonical role never functioned (no policy or authz
|
||||
// check matches it), so rejecting it removes a silent-misconfiguration footgun rather
|
||||
// than changing behaviour. Membership is checked case-insensitively to match the rest
|
||||
// of the actor's role comparisons; the existing case-sensitivity asymmetry between the
|
||||
// UI RequireClaim policies and the ManagementActor check is a separately-deferred change
|
||||
// and is deliberately NOT altered here — the stored value's verbatim casing is preserved.
|
||||
private static void ValidateMappingRole(string role)
|
||||
{
|
||||
if (!Roles.All.Contains(role, StringComparer.OrdinalIgnoreCase))
|
||||
{
|
||||
throw new ManagementCommandException(
|
||||
$"Role '{role}' is not a recognized role. Valid roles are: {string.Join(", ", Roles.All)}.");
|
||||
}
|
||||
}
|
||||
|
||||
private static async Task<object?> HandleCreateRoleMapping(IServiceProvider sp, CreateRoleMappingCommand cmd, string user)
|
||||
{
|
||||
ValidateMappingRole(cmd.Role);
|
||||
var repo = sp.GetRequiredService<ISecurityRepository>();
|
||||
var mapping = new LdapGroupMapping(cmd.LdapGroupName, cmd.Role);
|
||||
await repo.AddMappingAsync(mapping);
|
||||
@@ -1899,6 +1917,7 @@ public class ManagementActor : ReceiveActor
|
||||
|
||||
private static async Task<object?> HandleUpdateRoleMapping(IServiceProvider sp, UpdateRoleMappingCommand cmd, string user)
|
||||
{
|
||||
ValidateMappingRole(cmd.Role);
|
||||
var repo = sp.GetRequiredService<ISecurityRepository>();
|
||||
var mapping = await repo.GetMappingByIdAsync(cmd.MappingId)
|
||||
?? throw new ManagementCommandException($"RoleMapping with ID {cmd.MappingId} not found.");
|
||||
|
||||
Reference in New Issue
Block a user