fix(configuration-database): resolve ConfigurationDatabase-002..007 — remove hardcoded sa creds, fail-fast no-arg DI, encrypt secret columns, resilient audit serialization

tests/ScadaLink.ConfigurationDatabase.Tests/AuditServiceTests.cs

@@ -124,4 +124,35 @@ public class AuditServiceTests : IDisposable
         Assert.DoesNotContain(methods, m => m.Name.Contains("Update", StringComparison.OrdinalIgnoreCase));
         Assert.DoesNotContain(methods, m => m.Name.Contains("Delete", StringComparison.OrdinalIgnoreCase));
     }
+
+    // Self-referential POCO used to reproduce a reference cycle in afterState.
+    private sealed class CyclicNode
+    {
+        public string Name { get; set; } = "node";
+        public CyclicNode? Self { get; set; }
+    }
+
+    [Fact]
+    public async Task LogAsync_AfterStateWithReferenceCycle_DoesNotThrow_AndDoesNotRollBackOperation()
+    {
+        // Regression guard for ConfigurationDatabase-007: serializing an afterState
+        // object that contains a reference cycle must not throw a JsonException —
+        // that would roll back the entire business operation it is auditing.
+        var node = new CyclicNode();
+        node.Self = node; // reference cycle
+
+        var template = new Template("CyclicAuditTemplate");
+        _context.Templates.Add(template);
+
+        // Must not throw.
+        await _auditService.LogAsync("admin", "Create", "Template", "1", "CyclicAuditTemplate", node);
+
+        // The audited business operation must still commit successfully.
+        await _context.SaveChangesAsync();
+
+        var audit = await _context.AuditLogEntries.SingleAsync();
+        Assert.NotNull(audit.AfterStateJson);
+        Assert.Contains("node", audit.AfterStateJson);
+        Assert.Single(await _context.Templates.Where(t => t.Name == "CyclicAuditTemplate").ToListAsync());
+    }
 }

tests/ScadaLink.ConfigurationDatabase.Tests/DesignTimeDbContextFactoryTests.cs

@@ -0,0 +1,61 @@
+using ScadaLink.ConfigurationDatabase;
+
+namespace ScadaLink.ConfigurationDatabase.Tests;
+
+public class DesignTimeDbContextFactoryTests : IDisposable
+{
+    private const string EnvVar = "SCADALINK_DESIGNTIME_CONNECTIONSTRING";
+    private readonly string? _originalEnv;
+
+    public DesignTimeDbContextFactoryTests()
+    {
+        _originalEnv = Environment.GetEnvironmentVariable(EnvVar);
+    }
+
+    public void Dispose()
+    {
+        Environment.SetEnvironmentVariable(EnvVar, _originalEnv);
+    }
+
+    [Fact]
+    public void CreateDbContext_NoConnectionStringConfigured_ThrowsClearException()
+    {
+        // Regression guard for ConfigurationDatabase-002: the factory must not fall back
+        // to a hardcoded `sa`/password literal. With nothing configured it must fail loudly
+        // with an actionable message instead of silently pointing tooling at a guessed DB.
+        Environment.SetEnvironmentVariable(EnvVar, null);
+        var factory = new DesignTimeDbContextFactory();
+
+        var ex = Assert.Throws<InvalidOperationException>(() => factory.CreateDbContext(Array.Empty<string>()));
+
+        Assert.Contains("connection string", ex.Message, StringComparison.OrdinalIgnoreCase);
+        // The message must not leak / suggest a hardcoded `sa` credential.
+        Assert.DoesNotContain("sa", ex.Message.Split(' '), StringComparer.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public void CreateDbContext_ConnectionStringFromEnvironmentVariable_IsUsed()
+    {
+        // The design-time connection string may be supplied via an environment variable
+        // rather than a source literal.
+        Environment.SetEnvironmentVariable(EnvVar,
+            "Server=localhost,1433;Database=ScadaLink_Config;Trusted_Connection=True;TrustServerCertificate=True");
+        var factory = new DesignTimeDbContextFactory();
+
+        using var context = factory.CreateDbContext(Array.Empty<string>());
+
+        Assert.NotNull(context);
+    }
+
+    [Fact]
+    public void DesignTimeDbContextFactory_SourceContainsNoHardcodedSaCredential()
+    {
+        // Belt-and-braces: assert no `sa`/password literal exists in the compiled type's
+        // behaviour by confirming the no-config path throws rather than connecting.
+        Environment.SetEnvironmentVariable(EnvVar, null);
+        var factory = new DesignTimeDbContextFactory();
+
+        var ex = Assert.Throws<InvalidOperationException>(() => factory.CreateDbContext(Array.Empty<string>()));
+        Assert.DoesNotContain("YourPassword", ex.Message);
+    }
+}

tests/ScadaLink.ConfigurationDatabase.Tests/SecretEncryptionTests.cs

@@ -0,0 +1,129 @@
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Diagnostics;
+using ScadaLink.Commons.Entities.ExternalSystems;
+using ScadaLink.Commons.Entities.Notifications;
+using ScadaLink.ConfigurationDatabase;
+
+namespace ScadaLink.ConfigurationDatabase.Tests;
+
+/// <summary>
+/// Regression guard for ConfigurationDatabase-004: secret-bearing columns
+/// (SMTP credentials, external-system auth config, database connection strings)
+/// must be encrypted at rest, not persisted verbatim.
+/// </summary>
+public class SecretEncryptionTests : IDisposable
+{
+    private readonly ScadaLinkDbContext _context;
+    private readonly IDataProtectionProvider _protectionProvider;
+
+    public SecretEncryptionTests()
+    {
+        _protectionProvider = new EphemeralDataProtectionProvider();
+
+        var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
+            .UseSqlite("DataSource=:memory:")
+            .ConfigureWarnings(w => w.Ignore(RelationalEventId.PendingModelChangesWarning))
+            .Options;
+
+        _context = new ScadaLinkDbContext(options, _protectionProvider);
+        _context.Database.OpenConnection();
+        _context.Database.EnsureCreated();
+    }
+
+    public void Dispose()
+    {
+        _context.Database.CloseConnection();
+        _context.Dispose();
+    }
+
+    [Fact]
+    public async Task DatabaseConnectionDefinition_ConnectionString_StoredEncrypted_RoundTrips()
+    {
+        const string secret = "Server=db;Database=X;User Id=svc;Password=SuperSecret123!";
+        var def = new DatabaseConnectionDefinition("PrimaryDb", secret);
+        _context.DatabaseConnectionDefinitions.Add(def);
+        await _context.SaveChangesAsync();
+        _context.ChangeTracker.Clear();
+
+        // Raw column value must not be the plaintext secret.
+        var raw = await ReadRawColumnAsync("DatabaseConnectionDefinitions", "ConnectionString", def.Id);
+        Assert.NotNull(raw);
+        Assert.NotEqual(secret, raw);
+        Assert.DoesNotContain("SuperSecret123!", raw);
+
+        // Reading back through EF must transparently decrypt.
+        var loaded = await _context.DatabaseConnectionDefinitions.SingleAsync(d => d.Id == def.Id);
+        Assert.Equal(secret, loaded.ConnectionString);
+    }
+
+    [Fact]
+    public async Task SmtpConfiguration_Credentials_StoredEncrypted_RoundTrips()
+    {
+        const string secret = "client_secret=oauth2-abc-very-secret";
+        var smtp = new SmtpConfiguration("smtp.example.com", "OAuth2", "noreply@example.com")
+        {
+            Credentials = secret
+        };
+        _context.SmtpConfigurations.Add(smtp);
+        await _context.SaveChangesAsync();
+        _context.ChangeTracker.Clear();
+
+        var raw = await ReadRawColumnAsync("SmtpConfigurations", "Credentials", smtp.Id);
+        Assert.NotNull(raw);
+        Assert.NotEqual(secret, raw);
+        Assert.DoesNotContain("oauth2-abc-very-secret", raw);
+
+        var loaded = await _context.SmtpConfigurations.SingleAsync(s => s.Id == smtp.Id);
+        Assert.Equal(secret, loaded.Credentials);
+    }
+
+    [Fact]
+    public async Task ExternalSystemDefinition_AuthConfiguration_StoredEncrypted_RoundTrips()
+    {
+        const string secret = "{\"apiKey\":\"live-key-do-not-leak\"}";
+        var ext = new ExternalSystemDefinition("Erp", "https://erp.example.com", "ApiKey")
+        {
+            AuthConfiguration = secret
+        };
+        _context.ExternalSystemDefinitions.Add(ext);
+        await _context.SaveChangesAsync();
+        _context.ChangeTracker.Clear();
+
+        var raw = await ReadRawColumnAsync("ExternalSystemDefinitions", "AuthConfiguration", ext.Id);
+        Assert.NotNull(raw);
+        Assert.NotEqual(secret, raw);
+        Assert.DoesNotContain("live-key-do-not-leak", raw);
+
+        var loaded = await _context.ExternalSystemDefinitions.SingleAsync(e => e.Id == ext.Id);
+        Assert.Equal(secret, loaded.AuthConfiguration);
+    }
+
+    [Fact]
+    public async Task SmtpConfiguration_NullCredentials_RoundTripsAsNull()
+    {
+        var smtp = new SmtpConfiguration("smtp.example.com", "None", "noreply@example.com")
+        {
+            Credentials = null
+        };
+        _context.SmtpConfigurations.Add(smtp);
+        await _context.SaveChangesAsync();
+        _context.ChangeTracker.Clear();
+
+        var loaded = await _context.SmtpConfigurations.SingleAsync(s => s.Id == smtp.Id);
+        Assert.Null(loaded.Credentials);
+    }
+
+    private async Task<string?> ReadRawColumnAsync(string table, string column, int id)
+    {
+        var connection = _context.Database.GetDbConnection();
+        await using var cmd = connection.CreateCommand();
+        cmd.CommandText = $"SELECT \"{column}\" FROM \"{table}\" WHERE \"Id\" = $id";
+        var p = cmd.CreateParameter();
+        p.ParameterName = "$id";
+        p.Value = id;
+        cmd.Parameters.Add(p);
+        var result = await cmd.ExecuteScalarAsync();
+        return result == null || result == DBNull.Value ? null : (string)result;
+    }
+}

tests/ScadaLink.ConfigurationDatabase.Tests/ServiceCollectionExtensionsTests.cs

@@ -0,0 +1,57 @@
+using System.Reflection;
+using Microsoft.Extensions.DependencyInjection;
+using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.ConfigurationDatabase;
+
+namespace ScadaLink.ConfigurationDatabase.Tests;
+
+public class ServiceCollectionExtensionsTests
+{
+    [Fact]
+    public void AddConfigurationDatabase_WithConnectionString_RegistersRepositoriesAndServices()
+    {
+        var services = new ServiceCollection();
+
+        services.AddConfigurationDatabase("DataSource=:memory:");
+
+        Assert.Contains(services, d => d.ServiceType == typeof(ITemplateEngineRepository));
+        Assert.Contains(services, d => d.ServiceType == typeof(IAuditService));
+        Assert.Contains(services, d => d.ServiceType == typeof(IInstanceLocator));
+    }
+
+    // The no-arg overload is [Obsolete(error: true)], so it cannot be referenced directly
+    // from source — that is the compile-time guard. Invoke it via reflection to verify the
+    // runtime defence-in-depth behaviour.
+    private static MethodInfo NoArgOverload =>
+        typeof(ServiceCollectionExtensions).GetMethod(
+            nameof(ServiceCollectionExtensions.AddConfigurationDatabase),
+            BindingFlags.Public | BindingFlags.Static,
+            binder: null,
+            types: new[] { typeof(IServiceCollection) },
+            modifiers: null)!;
+
+    [Fact]
+    public void AddConfigurationDatabase_NoArgOverload_FailsFastWithClearMessage()
+    {
+        // Regression guard for ConfigurationDatabase-003: the parameterless overload must not
+        // silently register nothing. Misuse must surface immediately at wire-up time with an
+        // actionable message — not later as an opaque DI resolution failure.
+        var services = new ServiceCollection();
+
+        var invocation = Assert.Throws<TargetInvocationException>(
+            () => NoArgOverload.Invoke(null, new object[] { services }));
+
+        var ex = Assert.IsType<InvalidOperationException>(invocation.InnerException);
+        Assert.Contains("connection string", ex.Message, StringComparison.OrdinalIgnoreCase);
+    }
+
+    [Fact]
+    public void AddConfigurationDatabase_NoArgOverload_IsMarkedObsoleteAsError()
+    {
+        // The no-op overload must be flagged so misuse is caught at compile time.
+        var obsolete = NoArgOverload.GetCustomAttribute<ObsoleteAttribute>();
+        Assert.NotNull(obsolete);
+        Assert.True(obsolete!.IsError);
+    }
+}

tests/ScadaLink.ConfigurationDatabase.Tests/UnitTest1.cs

@@ -372,15 +372,24 @@ public class ServiceRegistrationTests
     }
 
     [Fact]
-    public void AddConfigurationDatabase_NoArgs_DoesNotThrow()
+    public void AddConfigurationDatabase_NoArgs_FailsFast()
     {
+        // ConfigurationDatabase-003: the no-arg overload previously silently registered
+        // nothing, which deferred a misconfiguration into an opaque DI failure later.
+        // It is now [Obsolete(error: true)] (compile-time guard) and throws at runtime.
+        // Invoked via reflection because the obsolete-error overload cannot be called
+        // directly from source.
+        var method = typeof(ServiceCollectionExtensions).GetMethod(
+            nameof(ServiceCollectionExtensions.AddConfigurationDatabase),
+            System.Reflection.BindingFlags.Public | System.Reflection.BindingFlags.Static,
+            binder: null,
+            types: new[] { typeof(IServiceCollection) },
+            modifiers: null)!;
         var services = new ServiceCollection();
-        services.AddConfigurationDatabase();
 
-        // Should not register DbContext (no-op for backward compatibility)
-        var provider = services.BuildServiceProvider();
-        var context = provider.GetService<ScadaLinkDbContext>();
-        Assert.Null(context);
+        var invocation = Assert.Throws<System.Reflection.TargetInvocationException>(
+            () => method.Invoke(null, new object[] { services }));
+        Assert.IsType<InvalidOperationException>(invocation.InnerException);
     }
 }