Joseph Doherty
361 lines
18 KiB
C#
361 lines
18 KiB
C#
using Microsoft.AspNetCore.DataProtection;
|
|
using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
|
|
using Microsoft.EntityFrameworkCore;
|
|
using Microsoft.EntityFrameworkCore.Infrastructure;
|
|
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Audit;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Deployment;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.ExternalSystems;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.InboundApi;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Instances;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Notifications;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Scripts;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Security;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Sites;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Templates;
|
|
using ZB.MOM.WW.ScadaBridge.ConfigurationDatabase.Entities;
|
|
|
|
namespace ZB.MOM.WW.ScadaBridge.ConfigurationDatabase;
|
|
|
|
public class ScadaBridgeDbContext : DbContext, IDataProtectionKeyContext
|
|
{
|
|
private readonly IDataProtectionProvider? _dataProtectionProvider;
|
|
|
|
/// <summary>
|
|
/// Initializes a new instance of the <see cref="ScadaBridgeDbContext"/> class for schema-only access (design-time).
|
|
/// </summary>
|
|
/// <param name="options">Database context options.</param>
|
|
public ScadaBridgeDbContext(DbContextOptions<ScadaBridgeDbContext> options) : base(options)
|
|
{
|
|
}
|
|
|
|
/// <summary>
|
|
/// Creates a context with an explicit Data Protection provider used to encrypt
|
|
/// secret-bearing configuration columns at rest. The runtime resolves this overload
|
|
/// via DI; design-time tooling uses the single-argument overload.
|
|
/// </summary>
|
|
/// <param name="options">Database context options.</param>
|
|
/// <param name="dataProtectionProvider">Data Protection provider for encrypting secrets at rest.</param>
|
|
public ScadaBridgeDbContext(DbContextOptions<ScadaBridgeDbContext> options, IDataProtectionProvider dataProtectionProvider)
|
|
: base(options)
|
|
{
|
|
_dataProtectionProvider = dataProtectionProvider
|
|
?? throw new ArgumentNullException(nameof(dataProtectionProvider));
|
|
}
|
|
|
|
// Templates
|
|
/// <summary>Gets the set of templates.</summary>
|
|
public DbSet<Template> Templates => Set<Template>();
|
|
/// <summary>Gets the set of template attributes.</summary>
|
|
public DbSet<TemplateAttribute> TemplateAttributes => Set<TemplateAttribute>();
|
|
/// <summary>Gets the set of template alarms.</summary>
|
|
public DbSet<TemplateAlarm> TemplateAlarms => Set<TemplateAlarm>();
|
|
/// <summary>Gets the set of template scripts.</summary>
|
|
public DbSet<TemplateScript> TemplateScripts => Set<TemplateScript>();
|
|
/// <summary>Gets the set of template compositions.</summary>
|
|
public DbSet<TemplateComposition> TemplateCompositions => Set<TemplateComposition>();
|
|
/// <summary>Gets the set of template folders.</summary>
|
|
public DbSet<TemplateFolder> TemplateFolders => Set<TemplateFolder>();
|
|
/// <summary>Gets the set of template native alarm source bindings.</summary>
|
|
public DbSet<TemplateNativeAlarmSource> TemplateNativeAlarmSources => Set<TemplateNativeAlarmSource>();
|
|
|
|
// Instances
|
|
/// <summary>Gets the set of instances.</summary>
|
|
public DbSet<Instance> Instances => Set<Instance>();
|
|
/// <summary>Gets the set of instance attribute overrides.</summary>
|
|
public DbSet<InstanceAttributeOverride> InstanceAttributeOverrides => Set<InstanceAttributeOverride>();
|
|
/// <summary>Gets the set of instance alarm overrides.</summary>
|
|
public DbSet<InstanceAlarmOverride> InstanceAlarmOverrides => Set<InstanceAlarmOverride>();
|
|
/// <summary>Gets the set of instance connection bindings.</summary>
|
|
public DbSet<InstanceConnectionBinding> InstanceConnectionBindings => Set<InstanceConnectionBinding>();
|
|
/// <summary>Gets the set of instance native alarm source overrides.</summary>
|
|
public DbSet<InstanceNativeAlarmSourceOverride> InstanceNativeAlarmSourceOverrides => Set<InstanceNativeAlarmSourceOverride>();
|
|
/// <summary>Gets the set of areas.</summary>
|
|
public DbSet<Area> Areas => Set<Area>();
|
|
|
|
// Sites
|
|
/// <summary>Gets the set of sites.</summary>
|
|
public DbSet<Site> Sites => Set<Site>();
|
|
/// <summary>Gets the set of data connections.</summary>
|
|
public DbSet<DataConnection> DataConnections => Set<DataConnection>();
|
|
|
|
// Deployment
|
|
/// <summary>Gets the set of deployment records.</summary>
|
|
public DbSet<DeploymentRecord> DeploymentRecords => Set<DeploymentRecord>();
|
|
/// <summary>Gets the set of system artifact deployment records.</summary>
|
|
public DbSet<SystemArtifactDeploymentRecord> SystemArtifactDeploymentRecords => Set<SystemArtifactDeploymentRecord>();
|
|
/// <summary>Gets the set of deployed configuration snapshots.</summary>
|
|
public DbSet<DeployedConfigSnapshot> DeployedConfigSnapshots => Set<DeployedConfigSnapshot>();
|
|
|
|
// External Systems
|
|
/// <summary>Gets the set of external system definitions.</summary>
|
|
public DbSet<ExternalSystemDefinition> ExternalSystemDefinitions => Set<ExternalSystemDefinition>();
|
|
/// <summary>Gets the set of external system methods.</summary>
|
|
public DbSet<ExternalSystemMethod> ExternalSystemMethods => Set<ExternalSystemMethod>();
|
|
/// <summary>Gets the set of database connection definitions.</summary>
|
|
public DbSet<DatabaseConnectionDefinition> DatabaseConnectionDefinitions => Set<DatabaseConnectionDefinition>();
|
|
|
|
// Notifications
|
|
/// <summary>Gets the set of notification lists.</summary>
|
|
public DbSet<NotificationList> NotificationLists => Set<NotificationList>();
|
|
/// <summary>Gets the set of notification recipients.</summary>
|
|
public DbSet<NotificationRecipient> NotificationRecipients => Set<NotificationRecipient>();
|
|
/// <summary>Gets the set of SMTP configurations.</summary>
|
|
public DbSet<SmtpConfiguration> SmtpConfigurations => Set<SmtpConfiguration>();
|
|
/// <summary>Gets the set of notifications.</summary>
|
|
public DbSet<Notification> Notifications => Set<Notification>();
|
|
|
|
// Scripts
|
|
/// <summary>Gets the set of shared scripts.</summary>
|
|
public DbSet<SharedScript> SharedScripts => Set<SharedScript>();
|
|
|
|
// Security
|
|
/// <summary>Gets the set of LDAP group mappings.</summary>
|
|
public DbSet<LdapGroupMapping> LdapGroupMappings => Set<LdapGroupMapping>();
|
|
/// <summary>Gets the set of site scope rules.</summary>
|
|
public DbSet<SiteScopeRule> SiteScopeRules => Set<SiteScopeRule>();
|
|
|
|
// Inbound API
|
|
// Auth re-arch (C5): the SQL Server ApiKeys DbSet was retired — inbound API keys
|
|
// now live in the shared ZB.MOM.WW.Auth.ApiKeys SQLite store. Only the method
|
|
// catalogue remains in the configuration database.
|
|
/// <summary>Gets the set of API methods.</summary>
|
|
public DbSet<ApiMethod> ApiMethods => Set<ApiMethod>();
|
|
|
|
// Audit
|
|
/// <summary>Gets the set of audit log entries.</summary>
|
|
public DbSet<AuditLogEntry> AuditLogEntries => Set<AuditLogEntry>();
|
|
/// <summary>Gets the set of audit log rows (central <c>dbo.AuditLog</c> persistence shape; mapped to/from the canonical record at the repository boundary).</summary>
|
|
public DbSet<AuditLogRow> AuditLogs => Set<AuditLogRow>();
|
|
/// <summary>Gets the set of site calls.</summary>
|
|
public DbSet<SiteCall> SiteCalls => Set<SiteCall>();
|
|
|
|
// Data Protection Keys (for shared ASP.NET Data Protection across nodes)
|
|
/// <summary>Gets the set of data protection keys.</summary>
|
|
public DbSet<DataProtectionKey> DataProtectionKeys => Set<DataProtectionKey>();
|
|
|
|
/// <inheritdoc />
|
|
protected override void OnConfiguring(DbContextOptionsBuilder optionsBuilder)
|
|
{
|
|
base.OnConfiguring(optionsBuilder);
|
|
|
|
// The secret-column converter built in OnModelCreating differs depending on whether
|
|
// a real Data Protection provider was supplied (encrypting converter) or not
|
|
// (schema-only converter). EF Core's default model cache keys only on context type,
|
|
// so a provider-bearing and a schema-only context sharing the same options type
|
|
// would otherwise share one cached model — and whichever was built first would win.
|
|
// Distinguish them so each gets its own model.
|
|
optionsBuilder.ReplaceService<IModelCacheKeyFactory, SecretAwareModelCacheKeyFactory>();
|
|
}
|
|
|
|
/// <inheritdoc />
|
|
protected override void OnModelCreating(ModelBuilder modelBuilder)
|
|
{
|
|
modelBuilder.ApplyConfigurationsFromAssembly(typeof(ScadaBridgeDbContext).Assembly);
|
|
|
|
ApplySecretColumnEncryption(modelBuilder);
|
|
|
|
NeutralizeSqlServerComputedColumnsForNonSqlServerProviders(modelBuilder);
|
|
}
|
|
|
|
/// <summary>
|
|
/// C5 (Task 2.5): the central <c>dbo.AuditLog</c> persisted computed columns use
|
|
/// SQL Server's <c>JSON_VALUE</c> expression, which only SQL Server can evaluate.
|
|
/// On a non-SQL-Server provider (the SQLite test contexts) emitting that SQL in a
|
|
/// <c>CREATE TABLE</c> fails ("no such function: JSON_VALUE"). Strip the
|
|
/// computed-column SQL for any non-SQL-Server provider so those columns degrade to
|
|
/// plain (always-null on the test provider) nullable columns; SQL Server keeps the
|
|
/// real <c>… AS JSON_VALUE(...) PERSISTED</c> definitions. This is a model-shape
|
|
/// adaptation only — it never runs under the design-time SQL Server provider, so the
|
|
/// migration / model-snapshot remain the canonical SQL Server shape.
|
|
/// </summary>
|
|
private void NeutralizeSqlServerComputedColumnsForNonSqlServerProviders(ModelBuilder modelBuilder)
|
|
{
|
|
// Database.IsSqlServer() reads the configured provider — true for production and
|
|
// for the design-time factory (UseSqlServer), false for the SQLite test contexts.
|
|
if (Database.IsSqlServer())
|
|
{
|
|
return;
|
|
}
|
|
|
|
foreach (var entityType in modelBuilder.Model.GetEntityTypes())
|
|
{
|
|
foreach (var property in entityType.GetProperties())
|
|
{
|
|
if (property.GetComputedColumnSql() is not null)
|
|
{
|
|
property.SetComputedColumnSql(null);
|
|
property.SetColumnType(null);
|
|
property.ValueGenerated = Microsoft.EntityFrameworkCore.Metadata.ValueGenerated.Never;
|
|
property.SetAfterSaveBehavior(Microsoft.EntityFrameworkCore.Metadata.PropertySaveBehavior.Save);
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <inheritdoc />
|
|
public override int SaveChanges(bool acceptAllChangesOnSuccess)
|
|
{
|
|
GuardSecretWritesHaveAKeyRing();
|
|
return base.SaveChanges(acceptAllChangesOnSuccess);
|
|
}
|
|
|
|
/// <inheritdoc />
|
|
public override Task<int> SaveChangesAsync(
|
|
bool acceptAllChangesOnSuccess, CancellationToken cancellationToken = default)
|
|
{
|
|
GuardSecretWritesHaveAKeyRing();
|
|
return base.SaveChangesAsync(acceptAllChangesOnSuccess, cancellationToken);
|
|
}
|
|
|
|
/// <summary>True when this context was constructed with a real Data Protection provider.</summary>
|
|
internal bool HasSecretEncryptionProvider => _dataProtectionProvider is not null;
|
|
|
|
/// <summary>
|
|
/// Fails fast — before any database round-trip — if a context built without a real
|
|
/// Data Protection key ring (the schema-only single-argument constructor) is about to
|
|
/// persist a non-null secret-bearing column. Without this guard the schema-only
|
|
/// protector would still throw, but only deep inside EF's update pipeline wrapped in a
|
|
/// <c>DbUpdateException</c>/<c>CryptographicException</c>; surfacing a clear
|
|
/// <see cref="InvalidOperationException"/> here makes the misconfiguration obvious.
|
|
/// </summary>
|
|
private void GuardSecretWritesHaveAKeyRing()
|
|
{
|
|
if (_dataProtectionProvider is not null)
|
|
return;
|
|
|
|
foreach (var entry in ChangeTracker.Entries())
|
|
{
|
|
if (entry.State is not (EntityState.Added or EntityState.Modified))
|
|
continue;
|
|
|
|
string? secretProperty = entry.Entity switch
|
|
{
|
|
SmtpConfiguration => nameof(SmtpConfiguration.Credentials),
|
|
ExternalSystemDefinition => nameof(ExternalSystemDefinition.AuthConfiguration),
|
|
DatabaseConnectionDefinition => nameof(DatabaseConnectionDefinition.ConnectionString),
|
|
_ => null
|
|
};
|
|
if (secretProperty is null)
|
|
continue;
|
|
|
|
if (entry.Property(secretProperty).CurrentValue is not null)
|
|
{
|
|
throw new InvalidOperationException(
|
|
"This ScadaBridgeDbContext was constructed without a Data Protection key " +
|
|
"ring (the single-argument, schema-only constructor). It cannot persist " +
|
|
$"the secret-bearing column '{entry.Entity.GetType().Name}.{secretProperty}'. " +
|
|
"Construct the context with the DI-registered IDataProtectionProvider " +
|
|
"(AddConfigurationDatabase wires this up).");
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Model cache key factory that folds <see cref="HasSecretEncryptionProvider"/> into the
|
|
/// cache key, so a write-capable (provider-bearing) context and a schema-only context do
|
|
/// not share a cached model.
|
|
/// </summary>
|
|
private sealed class SecretAwareModelCacheKeyFactory : IModelCacheKeyFactory
|
|
{
|
|
/// <summary>
|
|
/// Creates a model cache key that includes the Data Protection provider state.
|
|
/// </summary>
|
|
/// <param name="context">The database context.</param>
|
|
/// <param name="designTime">Whether the model is being created at design-time.</param>
|
|
/// <returns>A cache key tuple.</returns>
|
|
public object Create(DbContext context, bool designTime)
|
|
=> (context.GetType(),
|
|
designTime,
|
|
(context as ScadaBridgeDbContext)?.HasSecretEncryptionProvider ?? false);
|
|
|
|
/// <summary>
|
|
/// Creates a model cache key for run-time contexts.
|
|
/// </summary>
|
|
/// <param name="context">The database context.</param>
|
|
/// <returns>A cache key tuple.</returns>
|
|
public object Create(DbContext context) => Create(context, false);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Applies encryption-at-rest to columns that hold authentication secrets
|
|
/// (SMTP credentials, external-system auth config, database connection strings)
|
|
/// so they are never persisted as plaintext.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// When no Data Protection provider is supplied — design-time <c>dotnet ef</c> tooling,
|
|
/// which only emits schema and never reads or writes secret data — a schema-only
|
|
/// protector is used. It produces an identical <c>nvarchar</c> schema, but throws a
|
|
/// clear <see cref="InvalidOperationException"/> if a secret column is ever read or
|
|
/// written through it. This deliberately does NOT silently substitute an ephemeral
|
|
/// (in-memory, process-lifetime) key: encrypting a runtime write with a throwaway key
|
|
/// would persist ciphertext that becomes permanently undecryptable on the next process
|
|
/// restart, with no error. A write-capable context must be constructed with the
|
|
/// DI-registered provider whose keys are persisted to this database.
|
|
/// </remarks>
|
|
private void ApplySecretColumnEncryption(ModelBuilder modelBuilder)
|
|
{
|
|
IDataProtector protector = _dataProtectionProvider is { } provider
|
|
? provider.CreateProtector(EncryptedStringConverter.ProtectorPurpose)
|
|
: SchemaOnlyDataProtector.Instance;
|
|
|
|
// Held as the non-generic ValueConverter base so all three HasConversion calls
|
|
// read identically. The converter's CLR type is string?->string?; binding it to
|
|
// the non-nullable DatabaseConnectionDefinition.ConnectionString property would
|
|
// otherwise raise a CS8620 nullability mismatch — the non-generic reference is
|
|
// the supported way to apply one converter uniformly across nullable and
|
|
// non-nullable string columns.
|
|
ValueConverter converter = new EncryptedStringConverter(protector);
|
|
|
|
modelBuilder.Entity<SmtpConfiguration>()
|
|
.Property(s => s.Credentials)
|
|
.HasConversion(converter);
|
|
|
|
modelBuilder.Entity<ExternalSystemDefinition>()
|
|
.Property(e => e.AuthConfiguration)
|
|
.HasConversion(converter);
|
|
|
|
modelBuilder.Entity<DatabaseConnectionDefinition>()
|
|
.Property(d => d.ConnectionString)
|
|
.HasConversion(converter);
|
|
}
|
|
|
|
/// <summary>
|
|
/// An <see cref="IDataProtector"/> for contexts built without a real Data Protection
|
|
/// provider (design-time / schema-only). It satisfies model building but fails fast
|
|
/// with a clear message if a secret column is actually read or written, rather than
|
|
/// silently producing throwaway ciphertext that cannot be decrypted after a restart.
|
|
/// </summary>
|
|
private sealed class SchemaOnlyDataProtector : IDataProtector
|
|
{
|
|
internal static readonly SchemaOnlyDataProtector Instance = new();
|
|
|
|
private const string Message =
|
|
"This ScadaBridgeDbContext was constructed without a Data Protection key ring " +
|
|
"(the single-argument, schema-only constructor). Secret-bearing configuration " +
|
|
"columns cannot be read or written through it. Construct the context with the " +
|
|
"DI-registered IDataProtectionProvider (AddConfigurationDatabase wires this up).";
|
|
|
|
/// <summary>
|
|
/// Creates a schema-only protector that raises when called.
|
|
/// </summary>
|
|
/// <param name="purpose">The protector purpose string.</param>
|
|
/// <returns>This instance.</returns>
|
|
public IDataProtector CreateProtector(string purpose) => this;
|
|
|
|
/// <summary>
|
|
/// Protects plaintext (schema-only version always throws).
|
|
/// </summary>
|
|
/// <param name="plaintext">The data to protect.</param>
|
|
/// <returns>Never returns.</returns>
|
|
public byte[] Protect(byte[] plaintext) => throw new InvalidOperationException(Message);
|
|
|
|
/// <summary>
|
|
/// Unprotects ciphertext (schema-only version always throws).
|
|
/// </summary>
|
|
/// <param name="protectedData">The protected data.</param>
|
|
/// <returns>Never returns.</returns>
|
|
public byte[] Unprotect(byte[] protectedData) => throw new InvalidOperationException(Message);
|
|
}
|
|
}
|