mxaccessgw

dohertj2/mxaccessgw

Fork 0

Commit Graph

Author	SHA1	Message	Date
Joseph Doherty	615b487a77	docs+ui: backfill XML doc comments and finish dashboard layout pass Adds missing <summary>/<param> XML docs across 99 server, worker, and test files so CommentChecker reports zero issues (TreatWarningsAsErrors needs the analyzer clean). Bundles in WIP dashboard work: NavSection extraction, MainLayout/site.css/js styling alignment, and DashboardOptions/Auth tweaks.	2026-05-27 14:20:10 -04:00
Joseph Doherty	327e9c5f94	Resolve Server-031..032 (re-triaged) + Server-038..043 Server-031: re-triaged. The recommended gateway-side "skip-while-command-in-flight" guard is already in place at WorkerClient.HeartbeatLoopAsync via WorkerClientOptions.HeartbeatStuckCeiling (default 75s = 5× HeartbeatGrace). Two regression tests pin the behaviour. Recommendation #1 (decouple worker-side _writeLock) is a Worker-module concern (Worker-017 / Worker-023) and out of scope here. Server-032: re-triaged. Recommendation #2 (rich diagnostic) is already in EnqueueWorkerEventAsync, with #3 (overflow grace) absorbed by the TryWrite → WriteAsync-with-timeout fall-through. Test EnqueueWorkerEvent_WhenChannelFullPastTimeout_FaultsWithRichDiagnostic pins the diagnostic string. Recommendation #1 (prose contract in gateway.md / docs) is deferred — outside this pass's edit scope. Server-038 (Security): EventsHub.SubscribeSession's missing per-session ACL is documented with a TODO(per-session-acl) and a <remarks> block explaining the v1 acceptance (any dashboard role can subscribe to any session — non-secret metadata, redacted value logging). The per-session ACL design lands in a follow-up once a session-scoped role exists. Server-039 (Error handling): HubTokenService.Validate now rejects a deserialized payload where both Name and NameIdentifier are null/empty. New test file HubTokenServiceTests.cs covers the regression and five sanity cases. TDD confirmed. Server-040 (Conventions): MapGroupsToRoles gains a precedence comment explaining "full literal match first, leading-RDN fallback; OrdinalIgnoreCase via DashboardOptions.GroupToRole". Documentation-only. Server-041 (Design adherence): EventStreamService.ProduceEventsAsync wraps the broadcaster.Publish call in try/catch (Exception). The producer loop and gRPC stream are no longer at the mercy of the broadcaster's never-throw discipline. New regression test StreamEventsAsync_WhenDashboardBroadcasterThrows_StillYieldsEventsAndDoesNotFaultSession. Server-042 (Performance): DashboardSnapshotPublisher.ExecuteAsync now mirrors AlarmsHubPublisher's reconnect loop — wraps the await foreach in a while-not-cancelled, catches general exceptions, and Task.Delays 5s before retrying. An internal ctor accepts a shorter delay for the test. New test file DashboardSnapshotPublisherTests.cs covers the throw-then-yield reconnect path and the normal-completion case. Server-043 (Documentation): HubTokenService class XML doc gains a <remarks> describing the singleton lifetime, the two consumer scopes (DashboardHubConnectionFactory scoped, HubTokenAuthenticationHandler transient), and the thread-safety contract. Verification: dotnet build src/ZB.MOM.WW.MxGateway.slnx clean (0 warnings / 0 errors); src/ZB.MOM.WW.MxGateway.Tests 486/486 passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 03:18:52 -04:00
Joseph Doherty	27ed65114e	dashboard: role-based LDAP auth + hub bearer scheme, drop PathBase Restructure dashboard auth around LDAP-driven Admin/Viewer roles, add a bearer scheme so SignalR hubs (next commit) can authenticate without forwarding the HttpOnly browser cookie, and mount the dashboard at the host root instead of a configurable `/dashboard` prefix. Configuration changes (breaking): - `MxGateway:Dashboard:PathBase` removed — the dashboard now serves at `/`. - `MxGateway:Dashboard:RequireAdminScope` removed — role checks replace the single admin-scope claim. - `MxGateway:Ldap:RequiredGroup` removed — replaced by `MxGateway:Dashboard:GroupToRole`, a map from LDAP group name to dashboard role. Legal role values: `Admin` and `Viewer`. Users whose LDAP groups don't intersect this map are rejected at login (the existing fail-closed contract). - appsettings.json ships a default mapping `{ GwAdmin: Admin, GwReader: Viewer }`. Auth model: - DashboardRoles: new static class with `Admin` and `Viewer` constants. - DashboardAuthenticator.AuthenticateAsync: after LDAP bind, maps the user's groups through `DashboardOptions.GroupToRole` and emits one `ClaimTypes.Role` claim per resolved role. Empty result → login fails. - DashboardAuthorizationRequirement now carries `RequiredRoles`; static presets `AnyDashboardRole` (Viewer ∨ Admin) and `AdminOnly`. - DashboardAuthorizationHandler checks `IsInRole` against the requirement's role list instead of the old scope claim. The `AuthenticationMode.Disabled` and `AllowAnonymousLocalhost` bypasses are preserved. - DashboardApiKeyAuthorization.CanManage now requires the `Admin` role (was: required LDAP group membership). The constructor's IOptions parameter is gone. Policies / schemes: - DashboardAuthenticationDefaults gains `ViewerPolicy`, `AdminPolicy`, `HubClientsPolicy`, and `HubAuthenticationScheme`. The legacy `AuthorizationPolicy` and `ScopeClaimType` constants are removed. - DashboardServiceCollectionExtensions registers all three policies, adds the cookie scheme and the HubToken bearer scheme side by side, calls `AddSignalR()`, and hard-codes the cookie's login/logout/denied paths to root-relative `/login` etc. Hub bearer infrastructure (no hubs wired yet — next commit): - HubTokenService: mints time-limited data-protected JSON tokens carrying the user's name, NameIdentifier, and roles. 30-minute lifetime, purpose `ZB.MOM.WW.MxGateway.Dashboard.HubToken.v1`. - HubTokenAuthenticationHandler: validates the token from `Authorization: Bearer …` or `?access_token=…` (WebSocket upgrade query string) and rebuilds the principal. Endpoint mapping: - DashboardEndpointRouteBuilderExtensions drops the `MapGroup(pathBase)` wrapper. Login/logout/denied and Razor component routes are now mounted at `/`. The login form posts to `/login`. Razor components require the new `ViewerPolicy`. - All page `@page "/dashboard/X"` dual-route directives are removed — pages live at their canonical roots (`@page "/"`, `@page "/sessions"`, …). - App.razor and DashboardLayout.razor drop their PathBase computations. EffectiveLdapConfiguration drops `RequiredGroup`; EffectiveDashboardConfiguration drops `PathBase`/`RequireAdminScope` and gains `GroupToRole`. SettingsPage renders the role mapping in place of the retired fields. Tests updated: - DashboardAuthenticatorTests: covers the new GroupToRole mapping (short name + DN + multi-role). - DashboardAuthorizationHandlerTests: split into Viewer-policy and Admin-policy cases. - DashboardApiKeyAuthorizationTests, DashboardApiKeyManagementServiceTests: authorized principal now carries the `Admin` role claim. - DashboardCookieOptionsTests: expects root-relative login/logout paths. - GatewayApplicationTests: dashboard component routes registered at `/`, `/sessions`, … and gated by `ViewerPolicy`. Filter on `ComponentTypeMetadata` to ignore minimal-API endpoints sharing `/`. - GatewayOptionsTests + Validator: drop PathBase / RequireAdminScope / RequiredGroup assertions; add a `GroupToRole` value-validation case. - DashboardLdapLiveTests: provides the default `GwAdmin` → `Admin` mapping so the live LDAP bind resolves to a role. Verification: 473 server tests, 275 worker tests (+9 dev-rig skips), 18 integration tests (live MxAccess + LDAP + Galaxy) all pass. This commit is intentionally UI-neutral. The sidebar layout and the SignalR hubs that consume the new HubToken scheme land in a follow-up. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>	2026-05-24 01:38:33 -04:00

Author

SHA1

Message

Date

Joseph Doherty

615b487a77

docs+ui: backfill XML doc comments and finish dashboard layout pass

Adds missing <summary>/<param> XML docs across 99 server, worker, and test
files so CommentChecker reports zero issues (TreatWarningsAsErrors needs the
analyzer clean). Bundles in WIP dashboard work: NavSection extraction,
MainLayout/site.css/js styling alignment, and DashboardOptions/Auth tweaks.

2026-05-27 14:20:10 -04:00

Joseph Doherty

327e9c5f94

Resolve Server-031..032 (re-triaged) + Server-038..043

Server-031: re-triaged. The recommended gateway-side
"skip-while-command-in-flight" guard is already in place at
WorkerClient.HeartbeatLoopAsync via WorkerClientOptions.HeartbeatStuckCeiling
(default 75s = 5× HeartbeatGrace). Two regression tests pin the
behaviour. Recommendation #1 (decouple worker-side _writeLock) is a
Worker-module concern (Worker-017 / Worker-023) and out of scope here.

Server-032: re-triaged. Recommendation #2 (rich diagnostic) is already
in EnqueueWorkerEventAsync, with #3 (overflow grace) absorbed by the
TryWrite → WriteAsync-with-timeout fall-through. Test
EnqueueWorkerEvent_WhenChannelFullPastTimeout_FaultsWithRichDiagnostic
pins the diagnostic string. Recommendation #1 (prose contract in
gateway.md / docs) is deferred — outside this pass's edit scope.

Server-038 (Security): EventsHub.SubscribeSession's missing per-session
ACL is documented with a TODO(per-session-acl) and a <remarks> block
explaining the v1 acceptance (any dashboard role can subscribe to any
session — non-secret metadata, redacted value logging). The per-session
ACL design lands in a follow-up once a session-scoped role exists.

Server-039 (Error handling): HubTokenService.Validate now rejects a
deserialized payload where both Name and NameIdentifier are null/empty.
New test file HubTokenServiceTests.cs covers the regression and five
sanity cases. TDD confirmed.

Server-040 (Conventions): MapGroupsToRoles gains a precedence comment
explaining "full literal match first, leading-RDN fallback;
OrdinalIgnoreCase via DashboardOptions.GroupToRole". Documentation-only.

Server-041 (Design adherence): EventStreamService.ProduceEventsAsync
wraps the broadcaster.Publish call in try/catch (Exception). The
producer loop and gRPC stream are no longer at the mercy of the
broadcaster's never-throw discipline. New regression test
StreamEventsAsync_WhenDashboardBroadcasterThrows_StillYieldsEventsAndDoesNotFaultSession.

Server-042 (Performance): DashboardSnapshotPublisher.ExecuteAsync now
mirrors AlarmsHubPublisher's reconnect loop — wraps the await foreach
in a while-not-cancelled, catches general exceptions, and Task.Delays
5s before retrying. An internal ctor accepts a shorter delay for the
test. New test file DashboardSnapshotPublisherTests.cs covers the
throw-then-yield reconnect path and the normal-completion case.

Server-043 (Documentation): HubTokenService class XML doc gains a
<remarks> describing the singleton lifetime, the two consumer scopes
(DashboardHubConnectionFactory scoped, HubTokenAuthenticationHandler
transient), and the thread-safety contract.

Verification: dotnet build src/ZB.MOM.WW.MxGateway.slnx clean
(0 warnings / 0 errors); src/ZB.MOM.WW.MxGateway.Tests 486/486 passing.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-24 03:18:52 -04:00

Joseph Doherty

27ed65114e

dashboard: role-based LDAP auth + hub bearer scheme, drop PathBase

Restructure dashboard auth around LDAP-driven Admin/Viewer roles, add a
bearer scheme so SignalR hubs (next commit) can authenticate without
forwarding the HttpOnly browser cookie, and mount the dashboard at the
host root instead of a configurable `/dashboard` prefix.

Configuration changes (breaking):
- `MxGateway:Dashboard:PathBase` removed — the dashboard now serves at `/`.
- `MxGateway:Dashboard:RequireAdminScope` removed — role checks replace
the single admin-scope claim.
- `MxGateway:Ldap:RequiredGroup` removed — replaced by `MxGateway:Dashboard:GroupToRole`,
a map from LDAP group name to dashboard role. Legal role values:
`Admin` and `Viewer`. Users whose LDAP groups don't intersect this
map are rejected at login (the existing fail-closed contract).
- appsettings.json ships a default mapping `{ GwAdmin: Admin, GwReader: Viewer }`.

Auth model:
- DashboardRoles: new static class with `Admin` and `Viewer` constants.
- DashboardAuthenticator.AuthenticateAsync: after LDAP bind, maps the
user's groups through `DashboardOptions.GroupToRole` and emits one
`ClaimTypes.Role` claim per resolved role. Empty result → login fails.
- DashboardAuthorizationRequirement now carries `RequiredRoles`; static
presets `AnyDashboardRole` (Viewer ∨ Admin) and `AdminOnly`.
- DashboardAuthorizationHandler checks `IsInRole` against the
requirement's role list instead of the old scope claim. The
`AuthenticationMode.Disabled` and `AllowAnonymousLocalhost` bypasses
are preserved.
- DashboardApiKeyAuthorization.CanManage now requires the `Admin` role
(was: required LDAP group membership). The constructor's IOptions
parameter is gone.

Policies / schemes:
- DashboardAuthenticationDefaults gains `ViewerPolicy`, `AdminPolicy`,
`HubClientsPolicy`, and `HubAuthenticationScheme`. The legacy
`AuthorizationPolicy` and `ScopeClaimType` constants are removed.
- DashboardServiceCollectionExtensions registers all three policies,
adds the cookie scheme and the HubToken bearer scheme side by side,
calls `AddSignalR()`, and hard-codes the cookie's login/logout/denied
paths to root-relative `/login` etc.

Hub bearer infrastructure (no hubs wired yet — next commit):
- HubTokenService: mints time-limited data-protected JSON tokens
carrying the user's name, NameIdentifier, and roles. 30-minute
lifetime, purpose `ZB.MOM.WW.MxGateway.Dashboard.HubToken.v1`.
- HubTokenAuthenticationHandler: validates the token from
`Authorization: Bearer …` or `?access_token=…` (WebSocket upgrade
query string) and rebuilds the principal.

Endpoint mapping:
- DashboardEndpointRouteBuilderExtensions drops the `MapGroup(pathBase)`
wrapper. Login/logout/denied and Razor component routes are now
mounted at `/`. The login form posts to `/login`. Razor components
require the new `ViewerPolicy`.
- All page `@page "/dashboard/X"` dual-route directives are removed —
pages live at their canonical roots (`@page "/"`, `@page "/sessions"`, …).
- App.razor and DashboardLayout.razor drop their PathBase computations.

EffectiveLdapConfiguration drops `RequiredGroup`; EffectiveDashboardConfiguration
drops `PathBase`/`RequireAdminScope` and gains `GroupToRole`. SettingsPage
renders the role mapping in place of the retired fields.

Tests updated:
- DashboardAuthenticatorTests: covers the new GroupToRole mapping
(short name + DN + multi-role).
- DashboardAuthorizationHandlerTests: split into Viewer-policy and
Admin-policy cases.
- DashboardApiKeyAuthorizationTests, DashboardApiKeyManagementServiceTests:
authorized principal now carries the `Admin` role claim.
- DashboardCookieOptionsTests: expects root-relative login/logout paths.
- GatewayApplicationTests: dashboard component routes registered at `/`,
`/sessions`, … and gated by `ViewerPolicy`. Filter on
`ComponentTypeMetadata` to ignore minimal-API endpoints sharing `/`.
- GatewayOptionsTests + Validator: drop PathBase / RequireAdminScope /
RequiredGroup assertions; add a `GroupToRole` value-validation case.
- DashboardLdapLiveTests: provides the default `GwAdmin` → `Admin`
mapping so the live LDAP bind resolves to a role.

Verification: 473 server tests, 275 worker tests (+9 dev-rig skips), 18
integration tests (live MxAccess + LDAP + Galaxy) all pass.

This commit is intentionally UI-neutral. The sidebar layout and the
SignalR hubs that consume the new HubToken scheme land in a follow-up.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

2026-05-24 01:38:33 -04:00

3 Commits