Joseph Doherty
327e9c5f94
Server-031: re-triaged. The recommended gateway-side "skip-while-command-in-flight" guard is already in place at WorkerClient.HeartbeatLoopAsync via WorkerClientOptions.HeartbeatStuckCeiling (default 75s = 5× HeartbeatGrace). Two regression tests pin the behaviour. Recommendation #1 (decouple worker-side _writeLock) is a Worker-module concern (Worker-017 / Worker-023) and out of scope here. Server-032: re-triaged. Recommendation #2 (rich diagnostic) is already in EnqueueWorkerEventAsync, with #3 (overflow grace) absorbed by the TryWrite → WriteAsync-with-timeout fall-through. Test EnqueueWorkerEvent_WhenChannelFullPastTimeout_FaultsWithRichDiagnostic pins the diagnostic string. Recommendation #1 (prose contract in gateway.md / docs) is deferred — outside this pass's edit scope. Server-038 (Security): EventsHub.SubscribeSession's missing per-session ACL is documented with a TODO(per-session-acl) and a <remarks> block explaining the v1 acceptance (any dashboard role can subscribe to any session — non-secret metadata, redacted value logging). The per-session ACL design lands in a follow-up once a session-scoped role exists. Server-039 (Error handling): HubTokenService.Validate now rejects a deserialized payload where both Name and NameIdentifier are null/empty. New test file HubTokenServiceTests.cs covers the regression and five sanity cases. TDD confirmed. Server-040 (Conventions): MapGroupsToRoles gains a precedence comment explaining "full literal match first, leading-RDN fallback; OrdinalIgnoreCase via DashboardOptions.GroupToRole". Documentation-only. Server-041 (Design adherence): EventStreamService.ProduceEventsAsync wraps the broadcaster.Publish call in try/catch (Exception). The producer loop and gRPC stream are no longer at the mercy of the broadcaster's never-throw discipline. New regression test StreamEventsAsync_WhenDashboardBroadcasterThrows_StillYieldsEventsAndDoesNotFaultSession. Server-042 (Performance): DashboardSnapshotPublisher.ExecuteAsync now mirrors AlarmsHubPublisher's reconnect loop — wraps the await foreach in a while-not-cancelled, catches general exceptions, and Task.Delays 5s before retrying. An internal ctor accepts a shorter delay for the test. New test file DashboardSnapshotPublisherTests.cs covers the throw-then-yield reconnect path and the normal-completion case. Server-043 (Documentation): HubTokenService class XML doc gains a <remarks> describing the singleton lifetime, the two consumer scopes (DashboardHubConnectionFactory scoped, HubTokenAuthenticationHandler transient), and the thread-safety contract. Verification: dotnet build src/ZB.MOM.WW.MxGateway.slnx clean (0 warnings / 0 errors); src/ZB.MOM.WW.MxGateway.Tests 486/486 passing. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
104 lines
4.1 KiB
C#
104 lines
4.1 KiB
C#
using System.Security.Claims;
|
|
using System.Security.Cryptography;
|
|
using System.Text.Json;
|
|
using Microsoft.AspNetCore.DataProtection;
|
|
|
|
namespace ZB.MOM.WW.MxGateway.Server.Dashboard;
|
|
|
|
/// <summary>
|
|
/// Mints and validates short-lived bearer tokens for SignalR hub connections.
|
|
/// The token is a data-protected JSON payload containing the user's name and
|
|
/// role claims. Validity is enforced by the data-protection time-limited
|
|
/// protector; no separate signing keys are configured.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// Server-043: this service is registered as a singleton in
|
|
/// <see cref="DashboardServiceCollectionExtensions.AddGatewayDashboard"/> and
|
|
/// is shared by two consumer scopes: <c>DashboardHubConnectionFactory</c>
|
|
/// (scoped, per-circuit; calls <see cref="Issue"/> from the cookie-authenticated
|
|
/// dashboard) and <c>HubTokenAuthenticationHandler</c> (transient, per-request;
|
|
/// calls <see cref="Validate"/> from the SignalR negotiate / connection path).
|
|
/// The underlying <see cref="ITimeLimitedDataProtector"/> is thread-safe, so
|
|
/// minting and validating concurrently from any number of callers is safe;
|
|
/// future maintainers should preserve the singleton lifetime to keep the
|
|
/// protector instance stable.
|
|
/// </remarks>
|
|
public sealed class HubTokenService
|
|
{
|
|
private const string ProtectorPurpose = "ZB.MOM.WW.MxGateway.Dashboard.HubToken.v1";
|
|
private static readonly TimeSpan TokenLifetime = TimeSpan.FromMinutes(30);
|
|
|
|
private readonly ITimeLimitedDataProtector _protector;
|
|
|
|
public HubTokenService(IDataProtectionProvider dataProtection)
|
|
{
|
|
ArgumentNullException.ThrowIfNull(dataProtection);
|
|
_protector = dataProtection.CreateProtector(ProtectorPurpose).ToTimeLimitedDataProtector();
|
|
}
|
|
|
|
/// <summary>Issue a bearer token carrying the user's identity and roles.</summary>
|
|
public string Issue(ClaimsPrincipal user)
|
|
{
|
|
ArgumentNullException.ThrowIfNull(user);
|
|
HubTokenPayload payload = new(
|
|
user.Identity?.Name,
|
|
user.FindFirstValue(ClaimTypes.NameIdentifier),
|
|
[.. user.FindAll(ClaimTypes.Role).Select(c => c.Value)]);
|
|
return _protector.Protect(JsonSerializer.Serialize(payload), TokenLifetime);
|
|
}
|
|
|
|
/// <summary>Validate a token and return the equivalent <see cref="ClaimsPrincipal"/>; null when invalid or expired.</summary>
|
|
public ClaimsPrincipal? Validate(string? token)
|
|
{
|
|
if (string.IsNullOrEmpty(token))
|
|
{
|
|
return null;
|
|
}
|
|
|
|
try
|
|
{
|
|
HubTokenPayload? payload = JsonSerializer.Deserialize<HubTokenPayload>(_protector.Unprotect(token));
|
|
if (payload is null)
|
|
{
|
|
return null;
|
|
}
|
|
|
|
// Server-039: reject a token whose payload carries no caller
|
|
// identity. A null/empty Name AND NameIdentifier would otherwise
|
|
// produce a principal that satisfies IsAuthenticated and IsInRole
|
|
// checks without any associated user, because the AuthenticationType
|
|
// (the HubToken scheme) is non-empty.
|
|
if (string.IsNullOrEmpty(payload.Name) && string.IsNullOrEmpty(payload.NameIdentifier))
|
|
{
|
|
return null;
|
|
}
|
|
|
|
List<Claim> claims = [];
|
|
if (!string.IsNullOrEmpty(payload.Name))
|
|
{
|
|
claims.Add(new Claim(ClaimTypes.Name, payload.Name));
|
|
}
|
|
|
|
if (!string.IsNullOrEmpty(payload.NameIdentifier))
|
|
{
|
|
claims.Add(new Claim(ClaimTypes.NameIdentifier, payload.NameIdentifier));
|
|
}
|
|
|
|
claims.AddRange((payload.Roles ?? []).Select(r => new Claim(ClaimTypes.Role, r)));
|
|
|
|
ClaimsIdentity identity = new(
|
|
claims,
|
|
DashboardAuthenticationDefaults.HubAuthenticationScheme,
|
|
ClaimTypes.Name,
|
|
ClaimTypes.Role);
|
|
return new ClaimsPrincipal(identity);
|
|
}
|
|
catch (Exception ex) when (ex is CryptographicException or JsonException)
|
|
{
|
|
return null;
|
|
}
|
|
}
|
|
|
|
private sealed record HubTokenPayload(string? Name, string? NameIdentifier, string[]? Roles);
|
|
}
|