Joseph Doherty
b104760b3a
Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
Admin -> Administrator
Design -> Designer
Deployment -> Deployer
Audit -> Administrator (COLLAPSE; accepted privilege escalation)
AuditReadOnly-> Viewer (COLLAPSE; keeps audit-read, no export)
SoD: OperationalAuditRoles = { Administrator, Viewer },
AuditExportRoles = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).
Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
operator-added rows. Down is lossy on the collapse (documented in-file).
No pending model changes.
Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.
CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.
85 lines
3.8 KiB
C#
85 lines
3.8 KiB
C#
using Microsoft.EntityFrameworkCore;
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Security;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Services;
|
|
using ZB.MOM.WW.ScadaBridge.ConfigurationDatabase;
|
|
|
|
namespace ZB.MOM.WW.ScadaBridge.IntegrationTests;
|
|
|
|
/// <summary>
|
|
/// WP-22: Audit transactional guarantee — entity change + audit log in same transaction.
|
|
/// </summary>
|
|
public class AuditTransactionTests : IClassFixture<ScadaBridgeWebApplicationFactory>
|
|
{
|
|
private readonly ScadaBridgeWebApplicationFactory _factory;
|
|
|
|
public AuditTransactionTests(ScadaBridgeWebApplicationFactory factory)
|
|
{
|
|
_factory = factory;
|
|
}
|
|
|
|
[Fact]
|
|
public async Task AuditLog_IsCommittedWithEntityChange_InSameTransaction()
|
|
{
|
|
using var scope = _factory.Services.CreateScope();
|
|
var securityRepo = scope.ServiceProvider.GetRequiredService<ISecurityRepository>();
|
|
var auditService = scope.ServiceProvider.GetRequiredService<IAuditService>();
|
|
var dbContext = scope.ServiceProvider.GetRequiredService<ScadaBridgeDbContext>();
|
|
|
|
// Add a mapping and an audit log entry in the same unit of work
|
|
var mapping = new LdapGroupMapping("test-group-audit", "Administrator");
|
|
await securityRepo.AddMappingAsync(mapping);
|
|
|
|
await auditService.LogAsync(
|
|
user: "test-user",
|
|
action: "Create",
|
|
entityType: "LdapGroupMapping",
|
|
entityId: "0", // ID not yet assigned
|
|
entityName: "test-group-audit",
|
|
afterState: new { Group = "test-group-audit", Role = "Administrator" });
|
|
|
|
// Both should be in the change tracker before saving
|
|
var trackedEntities = dbContext.ChangeTracker.Entries().Count(e => e.State == EntityState.Added);
|
|
Assert.True(trackedEntities >= 2, "Both entity and audit log should be tracked before SaveChanges");
|
|
|
|
// Single SaveChangesAsync commits both
|
|
await securityRepo.SaveChangesAsync();
|
|
|
|
// Verify both were persisted
|
|
var mappings = await securityRepo.GetAllMappingsAsync();
|
|
Assert.Contains(mappings, m => m.LdapGroupName == "test-group-audit");
|
|
|
|
var auditEntries = await dbContext.AuditLogEntries.ToListAsync();
|
|
Assert.Contains(auditEntries, a => a.EntityName == "test-group-audit" && a.Action == "Create");
|
|
}
|
|
|
|
[Fact]
|
|
public async Task AuditLog_IsNotPersistedWhenSaveNotCalled()
|
|
{
|
|
// Create a separate scope so we have a fresh DbContext
|
|
using var scope1 = _factory.Services.CreateScope();
|
|
var securityRepo = scope1.ServiceProvider.GetRequiredService<ISecurityRepository>();
|
|
var auditService = scope1.ServiceProvider.GetRequiredService<IAuditService>();
|
|
|
|
// Add entity + audit but do NOT call SaveChangesAsync
|
|
var mapping = new LdapGroupMapping("orphan-group", "Designer");
|
|
await securityRepo.AddMappingAsync(mapping);
|
|
await auditService.LogAsync("test", "Create", "LdapGroupMapping", "0", "orphan-group", null);
|
|
|
|
// Dispose scope without saving — simulates a failed transaction
|
|
scope1.Dispose();
|
|
|
|
// In a new scope, verify nothing was persisted
|
|
using var scope2 = _factory.Services.CreateScope();
|
|
var securityRepo2 = scope2.ServiceProvider.GetRequiredService<ISecurityRepository>();
|
|
var dbContext2 = scope2.ServiceProvider.GetRequiredService<ScadaBridgeDbContext>();
|
|
|
|
var mappings = await securityRepo2.GetAllMappingsAsync();
|
|
Assert.DoesNotContain(mappings, m => m.LdapGroupName == "orphan-group");
|
|
|
|
var auditEntries = await dbContext2.AuditLogEntries.ToListAsync();
|
|
Assert.DoesNotContain(auditEntries, a => a.EntityName == "orphan-group");
|
|
}
|
|
}
|