dashboard: role-based LDAP auth + hub bearer scheme, drop PathBase

Restructure dashboard auth around LDAP-driven Admin/Viewer roles, add a bearer scheme so SignalR hubs (next commit) can authenticate without forwarding the HttpOnly browser cookie, and mount the dashboard at the host root instead of a configurable `/dashboard` prefix. Configuration changes (breaking): - `MxGateway:Dashboard:PathBase` removed — the dashboard now serves at `/`. - `MxGateway:Dashboard:RequireAdminScope` removed — role checks replace the single admin-scope claim. - `MxGateway:Ldap:RequiredGroup` removed — replaced by `MxGateway:Dashboard:GroupToRole`, a map from LDAP group name to dashboard role. Legal role values: `Admin` and `Viewer`. Users whose LDAP groups don't intersect this map are rejected at login (the existing fail-closed contract). - appsettings.json ships a default mapping `{ GwAdmin: Admin, GwReader: Viewer }`. Auth model: - DashboardRoles: new static class with `Admin` and `Viewer` constants. - DashboardAuthenticator.AuthenticateAsync: after LDAP bind, maps the user's groups through `DashboardOptions.GroupToRole` and emits one `ClaimTypes.Role` claim per resolved role. Empty result → login fails. - DashboardAuthorizationRequirement now carries `RequiredRoles`; static presets `AnyDashboardRole` (Viewer ∨ Admin) and `AdminOnly`. - DashboardAuthorizationHandler checks `IsInRole` against the requirement's role list instead of the old scope claim. The `AuthenticationMode.Disabled` and `AllowAnonymousLocalhost` bypasses are preserved. - DashboardApiKeyAuthorization.CanManage now requires the `Admin` role (was: required LDAP group membership). The constructor's IOptions parameter is gone. Policies / schemes: - DashboardAuthenticationDefaults gains `ViewerPolicy`, `AdminPolicy`, `HubClientsPolicy`, and `HubAuthenticationScheme`. The legacy `AuthorizationPolicy` and `ScopeClaimType` constants are removed. - DashboardServiceCollectionExtensions registers all three policies, adds the cookie scheme and the HubToken bearer scheme side by side, calls `AddSignalR()`, and hard-codes the cookie's login/logout/denied paths to root-relative `/login` etc. Hub bearer infrastructure (no hubs wired yet — next commit): - HubTokenService: mints time-limited data-protected JSON tokens carrying the user's name, NameIdentifier, and roles. 30-minute lifetime, purpose `ZB.MOM.WW.MxGateway.Dashboard.HubToken.v1`. - HubTokenAuthenticationHandler: validates the token from `Authorization: Bearer …` or `?access_token=…` (WebSocket upgrade query string) and rebuilds the principal. Endpoint mapping: - DashboardEndpointRouteBuilderExtensions drops the `MapGroup(pathBase)` wrapper. Login/logout/denied and Razor component routes are now mounted at `/`. The login form posts to `/login`. Razor components require the new `ViewerPolicy`. - All page `@page "/dashboard/X"` dual-route directives are removed — pages live at their canonical roots (`@page "/"`, `@page "/sessions"`, …). - App.razor and DashboardLayout.razor drop their PathBase computations. EffectiveLdapConfiguration drops `RequiredGroup`; EffectiveDashboardConfiguration drops `PathBase`/`RequireAdminScope` and gains `GroupToRole`. SettingsPage renders the role mapping in place of the retired fields. Tests updated: - DashboardAuthenticatorTests: covers the new GroupToRole mapping (short name + DN + multi-role). - DashboardAuthorizationHandlerTests: split into Viewer-policy and Admin-policy cases. - DashboardApiKeyAuthorizationTests, DashboardApiKeyManagementServiceTests: authorized principal now carries the `Admin` role claim. - DashboardCookieOptionsTests: expects root-relative login/logout paths. - GatewayApplicationTests: dashboard component routes registered at `/`, `/sessions`, … and gated by `ViewerPolicy`. Filter on `ComponentTypeMetadata` to ignore minimal-API endpoints sharing `/`. - GatewayOptionsTests + Validator: drop PathBase / RequireAdminScope / RequiredGroup assertions; add a `GroupToRole` value-validation case. - DashboardLdapLiveTests: provides the default `GwAdmin` → `Admin` mapping so the live LDAP bind resolves to a role. Verification: 473 server tests, 275 worker tests (+9 dev-rig skips), 18 integration tests (live MxAccess + LDAP + Galaxy) all pass. This commit is intentionally UI-neutral. The sidebar layout and the SignalR hubs that consume the new HubToken scheme land in a follow-up. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-24 01:38:33 -04:00
parent 397d3c5c4f
commit 27ed65114e
37 changed files with 509 additions and 340 deletions
@@ -1,6 +1,4 @@
 using System.Security.Claims;
-using Microsoft.Extensions.Options;
-using ZB.MOM.WW.MxGateway.Server.Configuration;
 using ZB.MOM.WW.MxGateway.Server.Dashboard;

 namespace ZB.MOM.WW.MxGateway.Tests.Gateway.Dashboard;
@@ -8,19 +6,10 @@ namespace ZB.MOM.WW.MxGateway.Tests.Gateway.Dashboard;
 public sealed class DashboardApiKeyAuthorizationTests
 {
    [Fact]
-    public void CanManage_AuthenticatedUserWithShortRequiredGroupClaim_ReturnsTrue()
+    public void CanManage_AuthenticatedAdmin_ReturnsTrue()
    {
-        DashboardApiKeyAuthorization authorization = CreateAuthorization();
-        ClaimsPrincipal user = CreatePrincipal("GwAdmin");
-
-        Assert.True(authorization.CanManage(user));
-    }
-
-    [Fact]
-    public void CanManage_AuthenticatedUserWithRequiredGroupDnClaim_ReturnsTrue()
-    {
-        DashboardApiKeyAuthorization authorization = CreateAuthorization();
-        ClaimsPrincipal user = CreatePrincipal("ou=GwAdmin,ou=groups,dc=lmxopcua,dc=local");
+        DashboardApiKeyAuthorization authorization = new();
+        ClaimsPrincipal user = CreatePrincipal(DashboardRoles.Admin);

        Assert.True(authorization.CanManage(user));
    }
@@ -28,37 +17,28 @@ public sealed class DashboardApiKeyAuthorizationTests
    [Fact]
    public void CanManage_AnonymousUser_ReturnsFalse()
    {
-        DashboardApiKeyAuthorization authorization = CreateAuthorization();
+        DashboardApiKeyAuthorization authorization = new();
        ClaimsPrincipal user = new(new ClaimsIdentity());

        Assert.False(authorization.CanManage(user));
    }

    [Fact]
-    public void CanManage_AuthenticatedUserWithoutRequiredGroup_ReturnsFalse()
+    public void CanManage_AuthenticatedViewer_ReturnsFalse()
    {
-        DashboardApiKeyAuthorization authorization = CreateAuthorization();
-        ClaimsPrincipal user = CreatePrincipal("ReadOnly");
+        DashboardApiKeyAuthorization authorization = new();
+        ClaimsPrincipal user = CreatePrincipal(DashboardRoles.Viewer);

        Assert.False(authorization.CanManage(user));
    }

-    private static DashboardApiKeyAuthorization CreateAuthorization()
-    {
-        return new DashboardApiKeyAuthorization(Options.Create(new GatewayOptions
-        {
-            Ldap = new LdapOptions
-            {
-                RequiredGroup = "GwAdmin",
-            },
-        }));
-    }
-
-    private static ClaimsPrincipal CreatePrincipal(string group)
+    private static ClaimsPrincipal CreatePrincipal(string role)
    {
        ClaimsIdentity identity = new(
-            [new Claim(DashboardAuthenticationDefaults.LdapGroupClaimType, group)],
-            DashboardAuthenticationDefaults.AuthenticationScheme);
+            [new Claim(ClaimTypes.Role, role)],
+            DashboardAuthenticationDefaults.AuthenticationScheme,
+            ClaimTypes.Name,
+            ClaimTypes.Role);

        return new ClaimsPrincipal(identity);
    }
@@ -144,19 +144,11 @@ public sealed class DashboardApiKeyManagementServiceTests
        FakeApiKeyAuditStore? auditStore = null,
        FakeApiKeySecretHasher? hasher = null)
    {
-        GatewayOptions options = new()
-        {
-            Ldap = new LdapOptions
-            {
-                RequiredGroup = "GwAdmin",
-            },
-        };
-
        DefaultHttpContext httpContext = new();
        httpContext.Connection.RemoteIpAddress = System.Net.IPAddress.Loopback;

        return new DashboardApiKeyManagementService(
-            new DashboardApiKeyAuthorization(Options.Create(options)),
+            new DashboardApiKeyAuthorization(),
            adminStore ?? new FakeApiKeyAdminStore(),
            auditStore ?? new FakeApiKeyAuditStore(),
            hasher ?? new FakeApiKeySecretHasher(),
@@ -178,8 +170,10 @@ public sealed class DashboardApiKeyManagementServiceTests
    private static ClaimsPrincipal CreateAuthorizedUser()
    {
        ClaimsIdentity identity = new(
-            [new Claim(DashboardAuthenticationDefaults.LdapGroupClaimType, "GwAdmin")],
-            DashboardAuthenticationDefaults.AuthenticationScheme);
+            [new Claim(ClaimTypes.Role, DashboardRoles.Admin)],
+            DashboardAuthenticationDefaults.AuthenticationScheme,
+            ClaimTypes.Name,
+            ClaimTypes.Role);

        return new ClaimsPrincipal(identity);
    }
@@ -16,23 +16,47 @@ public sealed class DashboardAuthenticatorTests
    }

    [Theory]
-    [InlineData("GwAdmin", true)]
-    [InlineData("gwadmin", true)]
-    [InlineData("ou=GwAdmin,ou=groups,dc=lmxopcua,dc=local", true)]
-    [InlineData("OtherGroup", false)]
-    public void IsMemberOfRequiredGroup_MatchesShortNameAndDistinguishedName(
-        string requiredGroup,
-        bool expected)
+    [InlineData("GwAdmin", DashboardRoles.Admin)]
+    [InlineData("gwadmin", DashboardRoles.Admin)]
+    [InlineData("ou=GwAdmin,ou=groups,dc=lmxopcua,dc=local", DashboardRoles.Admin)]
+    [InlineData("OtherGroup", null)]
+    public void MapGroupsToRoles_ResolvesByShortNameAndDistinguishedName(
+        string ldapGroup,
+        string? expectedRole)
    {
-        string[] groups =
-        [
-            "ou=ReadOnly,ou=groups,dc=lmxopcua,dc=local",
-            "ou=GwAdmin,ou=groups,dc=lmxopcua,dc=local"
-        ];
+        Dictionary<string, string> mapping = new(StringComparer.OrdinalIgnoreCase)
+        {
+            ["GwAdmin"] = DashboardRoles.Admin,
+            ["GwReader"] = DashboardRoles.Viewer,
+        };

-        bool result = DashboardAuthenticator.IsMemberOfRequiredGroup(groups, requiredGroup);
+        IReadOnlyList<string> roles = DashboardAuthenticator.MapGroupsToRoles([ldapGroup], mapping);

-        Assert.Equal(expected, result);
+        if (expectedRole is null)
+        {
+            Assert.Empty(roles);
+        }
+        else
+        {
+            Assert.Equal(expectedRole, Assert.Single(roles));
+        }
+    }
+
+    [Fact]
+    public void MapGroupsToRoles_AdminPlusViewer_BothRolesEmitted()
+    {
+        Dictionary<string, string> mapping = new(StringComparer.OrdinalIgnoreCase)
+        {
+            ["GwAdmin"] = DashboardRoles.Admin,
+            ["GwReader"] = DashboardRoles.Viewer,
+        };
+
+        IReadOnlyList<string> roles = DashboardAuthenticator.MapGroupsToRoles(
+            ["GwAdmin", "GwReader"],
+            mapping);
+
+        Assert.Contains(DashboardRoles.Admin, roles);
+        Assert.Contains(DashboardRoles.Viewer, roles);
    }

    [Fact]
@@ -5,7 +5,6 @@ using Microsoft.AspNetCore.Http;
 using Microsoft.Extensions.Options;
 using ZB.MOM.WW.MxGateway.Server.Configuration;
 using ZB.MOM.WW.MxGateway.Server.Dashboard;
-using ZB.MOM.WW.MxGateway.Server.Security.Authorization;

 namespace ZB.MOM.WW.MxGateway.Tests.Gateway.Dashboard;

@@ -18,7 +17,8 @@ public sealed class DashboardAuthorizationHandlerTests
        AuthorizationHandlerContext context = await AuthorizeAsync(
            new ClaimsPrincipal(new ClaimsIdentity()),
            IPAddress.Parse("10.0.0.5"),
-            allowAnonymousLocalhost: false);
+            allowAnonymousLocalhost: false,
+            DashboardAuthorizationRequirement.AnyDashboardRole);

        Assert.False(context.HasSucceeded);
    }
@@ -30,7 +30,8 @@ public sealed class DashboardAuthorizationHandlerTests
        AuthorizationHandlerContext context = await AuthorizeAsync(
            new ClaimsPrincipal(new ClaimsIdentity()),
            IPAddress.Loopback,
-            allowAnonymousLocalhost: true);
+            allowAnonymousLocalhost: true,
+            DashboardAuthorizationRequirement.AnyDashboardRole);

        Assert.True(context.HasSucceeded);
    }
@@ -45,7 +46,8 @@ public sealed class DashboardAuthorizationHandlerTests
        AuthorizationHandlerContext context = await AuthorizeAsync(
            new ClaimsPrincipal(new ClaimsIdentity()),
            IPAddress.Loopback,
-            allowAnonymousLocalhost: false);
+            allowAnonymousLocalhost: false,
+            DashboardAuthorizationRequirement.AnyDashboardRole);

        Assert.False(context.HasSucceeded);
    }
@@ -60,41 +62,70 @@ public sealed class DashboardAuthorizationHandlerTests
        AuthorizationHandlerContext context = await AuthorizeAsync(
            new ClaimsPrincipal(new ClaimsIdentity()),
            IPAddress.Parse("10.0.0.5"),
-            allowAnonymousLocalhost: true);
+            allowAnonymousLocalhost: true,
+            DashboardAuthorizationRequirement.AnyDashboardRole);

        Assert.False(context.HasSucceeded);
    }

-    /// <summary>Verifies that authenticated users without admin scope fail authorization.</summary>
+    /// <summary>Verifies that an authenticated user without any dashboard role fails the viewer requirement.</summary>
    [Fact]
-    public async Task HandleAsync_AuthenticatedWithoutAdminScope_DoesNotSucceed()
+    public async Task HandleAsync_AuthenticatedWithoutDashboardRole_DoesNotSucceed()
    {
        AuthorizationHandlerContext context = await AuthorizeAsync(
-            CreatePrincipal(GatewayScopes.EventsRead),
+            CreatePrincipal("SomeOtherRole"),
            IPAddress.Loopback,
-            allowAnonymousLocalhost: false);
+            allowAnonymousLocalhost: false,
+            DashboardAuthorizationRequirement.AnyDashboardRole);

        Assert.False(context.HasSucceeded);
    }

-    /// <summary>Verifies that authenticated users with admin scope succeed.</summary>
+    /// <summary>Verifies that a Viewer satisfies the viewer-or-admin requirement.</summary>
    [Fact]
-    public async Task HandleAsync_AuthenticatedWithAdminScope_Succeeds()
+    public async Task HandleAsync_ViewerRole_SatisfiesViewerPolicy()
    {
        AuthorizationHandlerContext context = await AuthorizeAsync(
-            CreatePrincipal(GatewayScopes.Admin),
+            CreatePrincipal(DashboardRoles.Viewer),
            IPAddress.Parse("10.0.0.5"),
-            allowAnonymousLocalhost: false);
+            allowAnonymousLocalhost: false,
+            DashboardAuthorizationRequirement.AnyDashboardRole);

        Assert.True(context.HasSucceeded);
    }

+    /// <summary>Verifies that an Admin satisfies the admin-only requirement.</summary>
+    [Fact]
+    public async Task HandleAsync_AdminRole_SatisfiesAdminPolicy()
+    {
+        AuthorizationHandlerContext context = await AuthorizeAsync(
+            CreatePrincipal(DashboardRoles.Admin),
+            IPAddress.Parse("10.0.0.5"),
+            allowAnonymousLocalhost: false,
+            DashboardAuthorizationRequirement.AdminOnly);
+
+        Assert.True(context.HasSucceeded);
+    }
+
+    /// <summary>Verifies that a Viewer does NOT satisfy the admin-only requirement.</summary>
+    [Fact]
+    public async Task HandleAsync_ViewerRole_DoesNotSatisfyAdminPolicy()
+    {
+        AuthorizationHandlerContext context = await AuthorizeAsync(
+            CreatePrincipal(DashboardRoles.Viewer),
+            IPAddress.Parse("10.0.0.5"),
+            allowAnonymousLocalhost: false,
+            DashboardAuthorizationRequirement.AdminOnly);
+
+        Assert.False(context.HasSucceeded);
+    }
+
    private static async Task<AuthorizationHandlerContext> AuthorizeAsync(
        ClaimsPrincipal principal,
        IPAddress remoteAddress,
-        bool allowAnonymousLocalhost)
+        bool allowAnonymousLocalhost,
+        DashboardAuthorizationRequirement requirement)
    {
-        DashboardAuthorizationRequirement requirement = new();
        DefaultHttpContext httpContext = new();
        httpContext.Connection.RemoteIpAddress = remoteAddress;
        DashboardAuthorizationHandler handler = new(
@@ -104,7 +135,6 @@ public sealed class DashboardAuthorizationHandlerTests
                Dashboard = new DashboardOptions
                {
                    AllowAnonymousLocalhost = allowAnonymousLocalhost,
-                    RequireAdminScope = true
                }
            }));
        AuthorizationHandlerContext context = new([requirement], principal, httpContext);
@@ -114,11 +144,13 @@ public sealed class DashboardAuthorizationHandlerTests
        return context;
    }

-    private static ClaimsPrincipal CreatePrincipal(string scope)
+    private static ClaimsPrincipal CreatePrincipal(string role)
    {
        ClaimsIdentity identity = new(
-            [new Claim(DashboardAuthenticationDefaults.ScopeClaimType, scope)],
-            DashboardAuthenticationDefaults.AuthenticationScheme);
+            [new Claim(ClaimTypes.Role, role)],
+            DashboardAuthenticationDefaults.AuthenticationScheme,
+            ClaimTypes.Name,
+            ClaimTypes.Role);

        return new ClaimsPrincipal(identity);
    }
@@ -26,8 +26,8 @@ public sealed class DashboardCookieOptionsTests
        Assert.Equal(CookieSecurePolicy.Always, options.Cookie.SecurePolicy);
        Assert.Equal(SameSiteMode.Strict, options.Cookie.SameSite);
        Assert.Equal("/", options.Cookie.Path);
-        Assert.Equal("/dashboard/login", options.LoginPath);
-        Assert.Equal("/dashboard/logout", options.LogoutPath);
-        Assert.Equal("/dashboard/denied", options.AccessDeniedPath);
+        Assert.Equal("/login", options.LoginPath);
+        Assert.Equal("/logout", options.LogoutPath);
+        Assert.Equal("/denied", options.AccessDeniedPath);
    }
 }