Dashboard: admin-only Close session / Kill worker

Add IDashboardSessionAdminService (Admin-role gate, friendly errors,
audit logging) wrapping a new ISessionManager.KillWorkerAsync that
skips graceful shutdown and cleans up registry/metrics. Sessions,
Workers, and SessionDetails pages render Close / Kill buttons only
when CanManage; the service re-checks the role on every call so
forged clicks return Unauthenticated.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

src/ZB.MOM.WW.MxGateway.Tests/Gateway/Dashboard/DashboardSessionAdminServiceTests.cs

@@ -0,0 +1,223 @@
+using System.Diagnostics.CodeAnalysis;
+using System.Security.Claims;
+using Microsoft.AspNetCore.Http;
+using ZB.MOM.WW.MxGateway.Contracts.Proto;
+using ZB.MOM.WW.MxGateway.Server.Dashboard;
+using ZB.MOM.WW.MxGateway.Server.Sessions;
+
+namespace ZB.MOM.WW.MxGateway.Tests.Gateway.Dashboard;
+
+public sealed class DashboardSessionAdminServiceTests
+{
+    [Fact]
+    public async Task CloseSessionAsync_ViewerCannotManage()
+    {
+        FakeSessionManager sessionManager = new();
+        DashboardSessionAdminService service = CreateService(sessionManager);
+
+        DashboardSessionAdminResult result = await service.CloseSessionAsync(
+            CreateUser(DashboardRoles.Viewer),
+            "session-1",
+            CancellationToken.None);
+
+        Assert.False(result.Succeeded);
+        Assert.Equal(0, sessionManager.CloseCount);
+    }
+
+    [Fact]
+    public async Task CloseSessionAsync_AdminClosesSession()
+    {
+        FakeSessionManager sessionManager = new();
+        DashboardSessionAdminService service = CreateService(sessionManager);
+
+        DashboardSessionAdminResult result = await service.CloseSessionAsync(
+            CreateUser(DashboardRoles.Admin),
+            "session-1",
+            CancellationToken.None);
+
+        Assert.True(result.Succeeded);
+        Assert.Equal(1, sessionManager.CloseCount);
+        Assert.Equal("session-1", sessionManager.LastClosedSessionId);
+    }
+
+    [Fact]
+    public async Task CloseSessionAsync_WhenSessionMissing_ReportsFriendlyError()
+    {
+        FakeSessionManager sessionManager = new()
+        {
+            CloseThrowsNotFound = true,
+        };
+        DashboardSessionAdminService service = CreateService(sessionManager);
+
+        DashboardSessionAdminResult result = await service.CloseSessionAsync(
+            CreateUser(DashboardRoles.Admin),
+            "session-missing",
+            CancellationToken.None);
+
+        Assert.False(result.Succeeded);
+        Assert.Contains("not found", result.Message, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public async Task KillWorkerAsync_ViewerCannotManage()
+    {
+        FakeSessionManager sessionManager = new();
+        DashboardSessionAdminService service = CreateService(sessionManager);
+
+        DashboardSessionAdminResult result = await service.KillWorkerAsync(
+            CreateUser(DashboardRoles.Viewer),
+            "session-1",
+            CancellationToken.None);
+
+        Assert.False(result.Succeeded);
+        Assert.Equal(0, sessionManager.KillCount);
+    }
+
+    [Fact]
+    public async Task KillWorkerAsync_AdminKillsWorker()
+    {
+        FakeSessionManager sessionManager = new();
+        DashboardSessionAdminService service = CreateService(sessionManager);
+
+        DashboardSessionAdminResult result = await service.KillWorkerAsync(
+            CreateUser(DashboardRoles.Admin),
+            "session-1",
+            CancellationToken.None);
+
+        Assert.True(result.Succeeded);
+        Assert.Equal(1, sessionManager.KillCount);
+        Assert.Equal("session-1", sessionManager.LastKilledSessionId);
+        Assert.False(string.IsNullOrWhiteSpace(sessionManager.LastKillReason));
+    }
+
+    [Fact]
+    public async Task KillWorkerAsync_BlankSessionId_ReturnsFailure()
+    {
+        FakeSessionManager sessionManager = new();
+        DashboardSessionAdminService service = CreateService(sessionManager);
+
+        DashboardSessionAdminResult result = await service.KillWorkerAsync(
+            CreateUser(DashboardRoles.Admin),
+            "   ",
+            CancellationToken.None);
+
+        Assert.False(result.Succeeded);
+        Assert.Equal(0, sessionManager.KillCount);
+    }
+
+    [Fact]
+    public void CanManage_RejectsUnauthenticatedAndViewer()
+    {
+        DashboardSessionAdminService service = CreateService(new FakeSessionManager());
+
+        Assert.False(service.CanManage(new ClaimsPrincipal(new ClaimsIdentity())));
+        Assert.False(service.CanManage(CreateUser(DashboardRoles.Viewer)));
+        Assert.True(service.CanManage(CreateUser(DashboardRoles.Admin)));
+    }
+
+    private static DashboardSessionAdminService CreateService(ISessionManager sessionManager)
+    {
+        DefaultHttpContext httpContext = new();
+        httpContext.Connection.RemoteIpAddress = System.Net.IPAddress.Loopback;
+
+        return new DashboardSessionAdminService(
+            sessionManager,
+            new HttpContextAccessor { HttpContext = httpContext });
+    }
+
+    private static ClaimsPrincipal CreateUser(string role)
+    {
+        ClaimsIdentity identity = new(
+            [new Claim(ClaimTypes.Name, "tester"), new Claim(ClaimTypes.Role, role)],
+            DashboardAuthenticationDefaults.AuthenticationScheme,
+            ClaimTypes.Name,
+            ClaimTypes.Role);
+
+        return new ClaimsPrincipal(identity);
+    }
+
+    private sealed class FakeSessionManager : ISessionManager
+    {
+        public int CloseCount { get; private set; }
+
+        public int KillCount { get; private set; }
+
+        public string? LastClosedSessionId { get; private set; }
+
+        public string? LastKilledSessionId { get; private set; }
+
+        public string? LastKillReason { get; private set; }
+
+        public bool CloseThrowsNotFound { get; init; }
+
+        public Task<GatewaySession> OpenSessionAsync(
+            SessionOpenRequest request,
+            string? clientIdentity,
+            CancellationToken cancellationToken)
+        {
+            throw new NotSupportedException();
+        }
+
+        public bool TryGetSession(
+            string sessionId,
+            [MaybeNullWhen(false)] out GatewaySession session)
+        {
+            session = null;
+            return false;
+        }
+
+        public Task<WorkerCommandReply> InvokeAsync(
+            string sessionId,
+            WorkerCommand command,
+            CancellationToken cancellationToken)
+        {
+            throw new NotSupportedException();
+        }
+
+        public IAsyncEnumerable<WorkerEvent> ReadEventsAsync(
+            string sessionId,
+            CancellationToken cancellationToken)
+        {
+            throw new NotSupportedException();
+        }
+
+        public Task<SessionCloseResult> CloseSessionAsync(
+            string sessionId,
+            CancellationToken cancellationToken)
+        {
+            CloseCount++;
+            LastClosedSessionId = sessionId;
+            if (CloseThrowsNotFound)
+            {
+                throw new SessionManagerException(
+                    SessionManagerErrorCode.SessionNotFound,
+                    $"Session {sessionId} was not found.");
+            }
+
+            return Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
+        }
+
+        public Task<SessionCloseResult> KillWorkerAsync(
+            string sessionId,
+            string reason,
+            CancellationToken cancellationToken)
+        {
+            KillCount++;
+            LastKilledSessionId = sessionId;
+            LastKillReason = reason;
+            return Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
+        }
+
+        public Task<int> CloseExpiredLeasesAsync(
+            DateTimeOffset now,
+            CancellationToken cancellationToken)
+        {
+            return Task.FromResult(0);
+        }
+
+        public Task ShutdownAsync(CancellationToken cancellationToken)
+        {
+            return Task.CompletedTask;
+        }
+    }
+}

src/ZB.MOM.WW.MxGateway.Tests/Gateway/Grpc/EventStreamServiceTests.cs

@@ -505,6 +505,15 @@ public sealed class EventStreamServiceTests
             return Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
         }
 
+        /// <inheritdoc />
+        public Task<SessionCloseResult> KillWorkerAsync(
+            string sessionId,
+            string reason,
+            CancellationToken cancellationToken)
+        {
+            return Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
+        }
+
         /// <inheritdoc />
         public Task<int> CloseExpiredLeasesAsync(
             DateTimeOffset now,

src/ZB.MOM.WW.MxGateway.Tests/Gateway/Grpc/MxAccessGatewayServiceConstraintTests.cs

@@ -898,6 +898,12 @@ public sealed class MxAccessGatewayServiceConstraintTests
             CancellationToken cancellationToken) =>
             Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
 
+        public Task<SessionCloseResult> KillWorkerAsync(
+            string sessionId,
+            string reason,
+            CancellationToken cancellationToken) =>
+            Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
+
         public Task<int> CloseExpiredLeasesAsync(
             DateTimeOffset now,
             CancellationToken cancellationToken) => Task.FromResult(0);

src/ZB.MOM.WW.MxGateway.Tests/Gateway/Grpc/MxAccessGatewayServiceTests.cs

@@ -539,6 +539,15 @@ public sealed class MxAccessGatewayServiceTests
             return Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
         }
 
+        /// <inheritdoc />
+        public Task<SessionCloseResult> KillWorkerAsync(
+            string sessionId,
+            string reason,
+            CancellationToken cancellationToken)
+        {
+            return Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
+        }
+
         /// <inheritdoc />
         public Task<int> CloseExpiredLeasesAsync(
             DateTimeOffset now,

src/ZB.MOM.WW.MxGateway.Tests/Gateway/Sessions/SessionManagerTests.cs

@@ -463,6 +463,38 @@ public sealed class SessionManagerTests
         Assert.Equal(0, metrics.GetSnapshot().OpenSessions);
     }
 
+    /// <summary>Verifies that killing a worker removes the session from the registry without calling shutdown.</summary>
+    [Fact]
+    public async Task KillWorkerAsync_KillsWorkerAndRemovesSession()
+    {
+        FakeWorkerClient workerClient = new();
+        using GatewayMetrics metrics = new();
+        SessionManager manager = CreateManager(new FakeSessionWorkerClientFactory(workerClient), metrics: metrics);
+        GatewaySession session = await manager.OpenSessionAsync(CreateOpenRequest(), "client-1", CancellationToken.None);
+
+        SessionCloseResult result = await manager.KillWorkerAsync(session.SessionId, "test-kill", CancellationToken.None);
+
+        Assert.False(result.AlreadyClosed);
+        Assert.Equal(SessionState.Closed, result.FinalState);
+        Assert.Equal(1, workerClient.KillCount);
+        Assert.Equal(0, workerClient.ShutdownCount);
+        Assert.False(manager.TryGetSession(session.SessionId, out _));
+        Assert.Equal(1, metrics.GetSnapshot().SessionsClosed);
+        Assert.Equal(0, metrics.GetSnapshot().OpenSessions);
+    }
+
+    /// <summary>Verifies that killing the worker for an unknown session raises SessionNotFound.</summary>
+    [Fact]
+    public async Task KillWorkerAsync_WhenSessionMissing_ThrowsSessionNotFound()
+    {
+        SessionManager manager = CreateManager(new FakeSessionWorkerClientFactory(new FakeWorkerClient()));
+
+        SessionManagerException exception = await Assert.ThrowsAsync<SessionManagerException>(
+            async () => await manager.KillWorkerAsync("session-missing", "test-kill", CancellationToken.None));
+
+        Assert.Equal(SessionManagerErrorCode.SessionNotFound, exception.ErrorCode);
+    }
+
     /// <summary>Verifies that when worker creation fails, the session is removed from the registry.</summary>
     [Fact]
     public async Task OpenSessionAsync_WhenWorkerCreationFails_RemovesSessionFromRegistry()

src/ZB.MOM.WW.MxGateway.Tests/Security/Authorization/GatewayGrpcAuthorizationInterceptorTests.cs

@@ -458,6 +458,15 @@ public sealed class GatewayGrpcAuthorizationInterceptorTests
             return Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
         }
 
+        /// <inheritdoc />
+        public Task<SessionCloseResult> KillWorkerAsync(
+            string sessionId,
+            string reason,
+            CancellationToken cancellationToken)
+        {
+            return Task.FromResult(new SessionCloseResult(sessionId, SessionState.Closed, AlreadyClosed: false));
+        }
+
         /// <inheritdoc />
         public Task<int> CloseExpiredLeasesAsync(
             DateTimeOffset now,