ScadaBridge/tests/ZB.MOM.WW.ScadaBridge.CentralUI.Tests/Monitoring/MonitoringAuthorizationTests.cs

using Microsoft.AspNetCore.Authorization;
using ZB.MOM.WW.ScadaBridge.CentralUI.Components.Pages.Monitoring;
using ZB.MOM.WW.ScadaBridge.Security;

namespace ZB.MOM.WW.ScadaBridge.CentralUI.Tests.Monitoring;

/// <summary>
/// Regression tests for CentralUI-007. The design doc classifies the Site Event
/// Log Viewer and Parked Message Management as <b>Deployment Role</b>, but both
/// pages were annotated only <c>[Authorize]</c> (any authenticated user) — a
/// non-Deployment user who followed the nav link could query event logs and
/// retry/discard parked messages. The Health Dashboard is intentionally
/// all-roles per the design.
/// </summary>
public class MonitoringAuthorizationTests
{
    private static AuthorizeAttribute? AuthorizeOf<TPage>()
        => typeof(TPage)
            .GetCustomAttributes(typeof(AuthorizeAttribute), true)
            .Cast<AuthorizeAttribute>()
            .FirstOrDefault();

    [Fact]
    public void EventLogsPage_RequiresDeploymentPolicy()
    {
        var attr = AuthorizeOf<EventLogs>();

        Assert.NotNull(attr);
        Assert.Equal(AuthorizationPolicies.RequireDeployment, attr!.Policy);
    }

    [Fact]
    public void ParkedMessagesPage_RequiresDeploymentPolicy()
    {
        var attr = AuthorizeOf<ParkedMessages>();

        Assert.NotNull(attr);
        Assert.Equal(AuthorizationPolicies.RequireDeployment, attr!.Policy);
    }

    [Fact]
    public void HealthDashboard_IsIntentionallyAllAuthenticatedRoles()
    {
        // Health Dashboard stays all-roles (no policy) per the design doc.
        var attr = AuthorizeOf<Health>();

        Assert.NotNull(attr);
        Assert.Null(attr!.Policy);
    }
}