dashboard: role-based LDAP auth + hub bearer scheme, drop PathBase

Restructure dashboard auth around LDAP-driven Admin/Viewer roles, add a bearer scheme so SignalR hubs (next commit) can authenticate without forwarding the HttpOnly browser cookie, and mount the dashboard at the host root instead of a configurable `/dashboard` prefix. Configuration changes (breaking): - `MxGateway:Dashboard:PathBase` removed — the dashboard now serves at `/`. - `MxGateway:Dashboard:RequireAdminScope` removed — role checks replace the single admin-scope claim. - `MxGateway:Ldap:RequiredGroup` removed — replaced by `MxGateway:Dashboard:GroupToRole`, a map from LDAP group name to dashboard role. Legal role values: `Admin` and `Viewer`. Users whose LDAP groups don't intersect this map are rejected at login (the existing fail-closed contract). - appsettings.json ships a default mapping `{ GwAdmin: Admin, GwReader: Viewer }`. Auth model: - DashboardRoles: new static class with `Admin` and `Viewer` constants. - DashboardAuthenticator.AuthenticateAsync: after LDAP bind, maps the user's groups through `DashboardOptions.GroupToRole` and emits one `ClaimTypes.Role` claim per resolved role. Empty result → login fails. - DashboardAuthorizationRequirement now carries `RequiredRoles`; static presets `AnyDashboardRole` (Viewer ∨ Admin) and `AdminOnly`. - DashboardAuthorizationHandler checks `IsInRole` against the requirement's role list instead of the old scope claim. The `AuthenticationMode.Disabled` and `AllowAnonymousLocalhost` bypasses are preserved. - DashboardApiKeyAuthorization.CanManage now requires the `Admin` role (was: required LDAP group membership). The constructor's IOptions parameter is gone. Policies / schemes: - DashboardAuthenticationDefaults gains `ViewerPolicy`, `AdminPolicy`, `HubClientsPolicy`, and `HubAuthenticationScheme`. The legacy `AuthorizationPolicy` and `ScopeClaimType` constants are removed. - DashboardServiceCollectionExtensions registers all three policies, adds the cookie scheme and the HubToken bearer scheme side by side, calls `AddSignalR()`, and hard-codes the cookie's login/logout/denied paths to root-relative `/login` etc. Hub bearer infrastructure (no hubs wired yet — next commit): - HubTokenService: mints time-limited data-protected JSON tokens carrying the user's name, NameIdentifier, and roles. 30-minute lifetime, purpose `ZB.MOM.WW.MxGateway.Dashboard.HubToken.v1`. - HubTokenAuthenticationHandler: validates the token from `Authorization: Bearer …` or `?access_token=…` (WebSocket upgrade query string) and rebuilds the principal. Endpoint mapping: - DashboardEndpointRouteBuilderExtensions drops the `MapGroup(pathBase)` wrapper. Login/logout/denied and Razor component routes are now mounted at `/`. The login form posts to `/login`. Razor components require the new `ViewerPolicy`. - All page `@page "/dashboard/X"` dual-route directives are removed — pages live at their canonical roots (`@page "/"`, `@page "/sessions"`, …). - App.razor and DashboardLayout.razor drop their PathBase computations. EffectiveLdapConfiguration drops `RequiredGroup`; EffectiveDashboardConfiguration drops `PathBase`/`RequireAdminScope` and gains `GroupToRole`. SettingsPage renders the role mapping in place of the retired fields. Tests updated: - DashboardAuthenticatorTests: covers the new GroupToRole mapping (short name + DN + multi-role). - DashboardAuthorizationHandlerTests: split into Viewer-policy and Admin-policy cases. - DashboardApiKeyAuthorizationTests, DashboardApiKeyManagementServiceTests: authorized principal now carries the `Admin` role claim. - DashboardCookieOptionsTests: expects root-relative login/logout paths. - GatewayApplicationTests: dashboard component routes registered at `/`, `/sessions`, … and gated by `ViewerPolicy`. Filter on `ComponentTypeMetadata` to ignore minimal-API endpoints sharing `/`. - GatewayOptionsTests + Validator: drop PathBase / RequireAdminScope / RequiredGroup assertions; add a `GroupToRole` value-validation case. - DashboardLdapLiveTests: provides the default `GwAdmin` → `Admin` mapping so the live LDAP bind resolves to a role. Verification: 473 server tests, 275 worker tests (+9 dev-rig skips), 18 integration tests (live MxAccess + LDAP + Galaxy) all pass. This commit is intentionally UI-neutral. The sidebar layout and the SignalR hubs that consume the new HubToken scheme land in a follow-up. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 01:38:33 -04:00
parent 397d3c5c4f
commit 27ed65114e
37 changed files with 509 additions and 340 deletions
@@ -24,73 +24,64 @@ public static class DashboardEndpointRouteBuilderExtensions
            return endpoints;
        }

-        string pathBase = NormalizePathBase(dashboardSection["PathBase"] ?? new DashboardOptions().PathBase);
-        RouteGroupBuilder dashboard = endpoints.MapGroup(pathBase);
-
-        dashboard.MapGet(
+        endpoints.MapGet(
                "/login",
-                (HttpContext httpContext, IAntiforgery antiforgery) => GetLoginAsync(httpContext, antiforgery, pathBase))
+                (HttpContext httpContext, IAntiforgery antiforgery) => GetLoginAsync(httpContext, antiforgery))
            .AllowAnonymous()
            .WithName("DashboardLogin");

-        dashboard.MapPost(
+        endpoints.MapPost(
                "/login",
                (HttpContext httpContext, IAntiforgery antiforgery, IDashboardAuthenticator authenticator) =>
-                    PostLoginAsync(httpContext, antiforgery, authenticator, pathBase))
+                    PostLoginAsync(httpContext, antiforgery, authenticator))
            .AllowAnonymous()
            .WithName("DashboardLoginPost");

-        dashboard.MapPost(
+        endpoints.MapPost(
                "/logout",
-                (HttpContext httpContext, IAntiforgery antiforgery) => PostLogoutAsync(httpContext, antiforgery, pathBase))
+                (HttpContext httpContext, IAntiforgery antiforgery) => PostLogoutAsync(httpContext, antiforgery))
            .AllowAnonymous()
            .WithName("DashboardLogout");

-        dashboard.MapGet("/denied", () => Results.Content(
+        endpoints.MapGet("/denied", () => Results.Content(
                RenderPage("Access denied", "<p>The signed-in user is not authorized for dashboard access.</p>"),
                "text/html"))
            .AllowAnonymous()
            .WithName("DashboardAccessDenied");

-        // Every dashboard Razor component requires an authorized session. The
+        // Every dashboard Razor component requires a viewer-or-admin role. The
        // login/logout/denied endpoints above opt out via AllowAnonymous(); an
        // unauthenticated request to a component route is challenged by the
-        // cookie scheme and redirected to the login page.
-        dashboard.MapRazorComponents<App>()
+        // cookie scheme and redirected to /login.
+        endpoints.MapRazorComponents<App>()
            .AddInteractiveServerRenderMode()
-            .RequireAuthorization(DashboardAuthenticationDefaults.AuthorizationPolicy);
+            .RequireAuthorization(DashboardAuthenticationDefaults.ViewerPolicy);

        return endpoints;
    }

    private static Task<ContentHttpResult> GetLoginAsync(
        HttpContext httpContext,
-        IAntiforgery antiforgery,
-        string pathBase)
+        IAntiforgery antiforgery)
    {
-        string returnUrl = SanitizeReturnUrl(
-            httpContext.Request.Query["returnUrl"].ToString(),
-            pathBase);
+        string returnUrl = SanitizeReturnUrl(httpContext.Request.Query["returnUrl"].ToString());

        return Task.FromResult(TypedResults.Content(
-            RenderLoginPage(httpContext, antiforgery, returnUrl, pathBase, failureMessage: null),
+            RenderLoginPage(httpContext, antiforgery, returnUrl, failureMessage: null),
            "text/html"));
    }

    private static async Task<IResult> PostLoginAsync(
        HttpContext httpContext,
        IAntiforgery antiforgery,
-        IDashboardAuthenticator authenticator,
-        string pathBase)
+        IDashboardAuthenticator authenticator)
    {
        await antiforgery.ValidateRequestAsync(httpContext).ConfigureAwait(false);

        IFormCollection form = await httpContext.Request
            .ReadFormAsync(httpContext.RequestAborted)
            .ConfigureAwait(false);
-        string returnUrl = SanitizeReturnUrl(
-            form["returnUrl"].ToString(),
-            pathBase);
+        string returnUrl = SanitizeReturnUrl(form["returnUrl"].ToString());

        DashboardAuthenticationResult result = await authenticator
            .AuthenticateAsync(
@@ -102,7 +93,7 @@ public static class DashboardEndpointRouteBuilderExtensions
        if (!result.Succeeded || result.Principal is null)
        {
            return TypedResults.Content(
-                RenderLoginPage(httpContext, antiforgery, returnUrl, pathBase, result.FailureMessage),
+                RenderLoginPage(httpContext, antiforgery, returnUrl, result.FailureMessage),
                "text/html",
                statusCode: StatusCodes.Status401Unauthorized);
        }
@@ -116,22 +107,20 @@ public static class DashboardEndpointRouteBuilderExtensions

    private static async Task<IResult> PostLogoutAsync(
        HttpContext httpContext,
-        IAntiforgery antiforgery,
-        string pathBase)
+        IAntiforgery antiforgery)
    {
        await antiforgery.ValidateRequestAsync(httpContext).ConfigureAwait(false);
        await httpContext
            .SignOutAsync(DashboardAuthenticationDefaults.AuthenticationScheme)
            .ConfigureAwait(false);

-        return Results.LocalRedirect($"{pathBase}/login");
+        return Results.LocalRedirect("/login");
    }

    private static string RenderLoginPage(
        HttpContext httpContext,
        IAntiforgery antiforgery,
        string returnUrl,
-        string pathBase,
        string? failureMessage)
    {
        AntiforgeryTokenSet tokens = antiforgery.GetAndStoreTokens(httpContext);
@@ -143,7 +132,7 @@ public static class DashboardEndpointRouteBuilderExtensions
        string body = $"""
            <section class="dashboard-login">
                {alert}
-                <form method="post" action="{HtmlEncoder.Default.Encode(pathBase + "/login")}" class="card login-card">
+                <form method="post" action="/login" class="card login-card">
                    <div class="card-body">
                        <input name="{tokens.FormFieldName}" type="hidden" value="{HtmlEncoder.Default.Encode(requestToken)}" />
                        <input name="returnUrl" type="hidden" value="{HtmlEncoder.Default.Encode(returnUrl)}" />
@@ -193,24 +182,14 @@ public static class DashboardEndpointRouteBuilderExtensions
            """;
    }

-    private static string NormalizePathBase(string pathBase)
-    {
-        string normalized = pathBase.TrimEnd('/');
-
-        return string.IsNullOrWhiteSpace(normalized) || !normalized.StartsWith("/", StringComparison.Ordinal)
-            ? "/dashboard"
-            : normalized;
-    }
-
-    private static string SanitizeReturnUrl(string? returnUrl, string pathBase)
+    private static string SanitizeReturnUrl(string? returnUrl)
    {
        if (string.IsNullOrWhiteSpace(returnUrl)
            || !returnUrl.StartsWith("/", StringComparison.Ordinal)
            || returnUrl.StartsWith("//", StringComparison.Ordinal)
-            || !returnUrl.StartsWith(pathBase, StringComparison.OrdinalIgnoreCase)
            || Uri.TryCreate(returnUrl, UriKind.Absolute, out _))
        {
-            return pathBase;
+            return "/";
        }

        return returnUrl;