fix(archreview): security authz+hub cluster (SEC-07/05/08/11) + validation hardening
SEC-07: add QueryActiveAlarmsRequest -> events:read scope arm; fix two tests that
constructed StreamAlarmsRequest instead of QueryActiveAlarmsRequest.
SEC-05: shorten hub-token lifetime 30m -> 5m; document that the ?access_token= query
carriage must never be request-logged.
SEC-08: gateway-side CachingApiKeyVerifier (short TTL, keyed on a hash of the presented
secret) skips the per-call store read+last_used write; CoalescingMarkApiKeyStore bounds
last_used writes to <=1/key/min; identity constraints are cached. Invalidation is wired
at the gateway admin sites (revoke/rotate/delete); short TTL backstops out-of-process CLI.
SEC-11: fixed-window rate limit on POST /auth/login + a per-peer (key-id) failure limiter
checked before VerifyAsync; new MxGateway:Security options bound + validated.
Also fixes regressions from the SEC-01/04/06 commit (c185f62) that a narrow test filter
missed (all now covered by a full-suite checkpoint):
- Rooting check is cross-platform: accepts Windows C:\/UNC forms on Unix so the shipped
appsettings path validates on the macOS dev box, still rejecting bare filenames.
- AddGatewayConfiguration TryAdds a non-production IHostEnvironment fallback so the validator
resolves in minimal test/tooling containers; the real host + apikey CLI register the actual
environment first (TryAdd no-op there).
- Test assembly defaults ASPNETCORE_ENVIRONMENT=Development (ModuleInitializer) so full-host
tests exercise wiring instead of tripping the SEC-04/06 production guards.
- GatewayOptionsTests asserts the SEC-01 CommonApplicationData-derived default (platform-correct).
archreview: SEC-07/05/08/11 (P1). Verified: NonWindows build clean; full gateway suite
747 passed / 42 failed, where all 42 are the pre-existing macOS named-pipe-harness failures
(Unix-socket path limit) and 0 are validation/regression failures.
This commit is contained in:
@@ -486,9 +486,13 @@ dashboard mints short-lived bearer tokens for the connection:
|
||||
and role claims to JSON, encrypts with the ASP.NET Core data-protection
|
||||
time-limited protector under purpose
|
||||
`ZB.MOM.WW.MxGateway.Dashboard.HubToken.v1`, and returns the protected
|
||||
string. Lifetime is 30 minutes.
|
||||
string. Lifetime is **5 minutes**.
|
||||
3. The SignalR client passes the token as either `Authorization: Bearer …` or
|
||||
`?access_token=…` (WebSocket upgrade query string).
|
||||
`?access_token=…` (WebSocket upgrade query string). The query-string form is
|
||||
the standard SignalR carriage for WebSocket upgrades, which cannot attach a
|
||||
custom header; because it is easy to capture (proxy logs, browser history),
|
||||
it must never be request-logged (see the remarks on
|
||||
`HubTokenAuthenticationHandler`).
|
||||
4. `HubTokenAuthenticationHandler` validates the protected payload and
|
||||
rebuilds the `ClaimsPrincipal` with the carried roles.
|
||||
5. The hubs' `[Authorize(Policy = HubClientsPolicy)]` accepts the resulting
|
||||
@@ -496,7 +500,17 @@ dashboard mints short-lived bearer tokens for the connection:
|
||||
|
||||
`DashboardHubConnectionFactory` (scoped to the Blazor circuit) wraps the
|
||||
HubConnectionBuilder and supplies a fresh token via `AccessTokenProvider` on
|
||||
every (re)connect.
|
||||
every (re)connect, so the short 5-minute lifetime is transparent to clients.
|
||||
|
||||
Caveat — logout does not revoke outstanding tokens. Logout clears the dashboard
|
||||
cookie, but hub bearer tokens are self-contained, data-protection-encrypted, and
|
||||
carry no server-side revocation state (no jti denylist). A token captured before
|
||||
logout remains valid until it expires, and a role change or key revocation does
|
||||
not take effect on an already-issued token until then. The 5-minute lifetime is
|
||||
the deliberate mitigation: it bounds that exposure window without the cost of a
|
||||
revocation store. Server-side revocation is deferred until per-session hub ACLs
|
||||
land (see the per-session-ACL note), at which point tokens gain session/role
|
||||
binding and a denylist becomes worthwhile.
|
||||
|
||||
## Configuration
|
||||
|
||||
|
||||
Reference in New Issue
Block a user