fix(configuration-database): resolve ConfigurationDatabase-002..007 — remove hardcoded sa creds, fail-fast no-arg DI, encrypt secret columns, resilient audit serialization

2026-05-16 21:11:24 -04:00
parent 8fc04d43c2
commit 0c82ffcbe6
17 changed files with 2029 additions and 40 deletions
--- a/tests/ScadaLink.ConfigurationDatabase.Tests/SecretEncryptionTests.cs
+++ b/tests/ScadaLink.ConfigurationDatabase.Tests/SecretEncryptionTests.cs
@@ -0,0 +1,129 @@
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.EntityFrameworkCore.Diagnostics;
+using ScadaLink.Commons.Entities.ExternalSystems;
+using ScadaLink.Commons.Entities.Notifications;
+using ScadaLink.ConfigurationDatabase;
+
+namespace ScadaLink.ConfigurationDatabase.Tests;
+
+/// <summary>
+/// Regression guard for ConfigurationDatabase-004: secret-bearing columns
+/// (SMTP credentials, external-system auth config, database connection strings)
+/// must be encrypted at rest, not persisted verbatim.
+/// </summary>
+public class SecretEncryptionTests : IDisposable
+{
+    private readonly ScadaLinkDbContext _context;
+    private readonly IDataProtectionProvider _protectionProvider;
+
+    public SecretEncryptionTests()
+    {
+        _protectionProvider = new EphemeralDataProtectionProvider();
+
+        var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
+            .UseSqlite("DataSource=:memory:")
+            .ConfigureWarnings(w => w.Ignore(RelationalEventId.PendingModelChangesWarning))
+            .Options;
+
+        _context = new ScadaLinkDbContext(options, _protectionProvider);
+        _context.Database.OpenConnection();
+        _context.Database.EnsureCreated();
+    }
+
+    public void Dispose()
+    {
+        _context.Database.CloseConnection();
+        _context.Dispose();
+    }
+
+    [Fact]
+    public async Task DatabaseConnectionDefinition_ConnectionString_StoredEncrypted_RoundTrips()
+    {
+        const string secret = "Server=db;Database=X;User Id=svc;Password=SuperSecret123!";
+        var def = new DatabaseConnectionDefinition("PrimaryDb", secret);
+        _context.DatabaseConnectionDefinitions.Add(def);
+        await _context.SaveChangesAsync();
+        _context.ChangeTracker.Clear();
+
+        // Raw column value must not be the plaintext secret.
+        var raw = await ReadRawColumnAsync("DatabaseConnectionDefinitions", "ConnectionString", def.Id);
+        Assert.NotNull(raw);
+        Assert.NotEqual(secret, raw);
+        Assert.DoesNotContain("SuperSecret123!", raw);
+
+        // Reading back through EF must transparently decrypt.
+        var loaded = await _context.DatabaseConnectionDefinitions.SingleAsync(d => d.Id == def.Id);
+        Assert.Equal(secret, loaded.ConnectionString);
+    }
+
+    [Fact]
+    public async Task SmtpConfiguration_Credentials_StoredEncrypted_RoundTrips()
+    {
+        const string secret = "client_secret=oauth2-abc-very-secret";
+        var smtp = new SmtpConfiguration("smtp.example.com", "OAuth2", "noreply@example.com")
+        {
+            Credentials = secret
+        };
+        _context.SmtpConfigurations.Add(smtp);
+        await _context.SaveChangesAsync();
+        _context.ChangeTracker.Clear();
+
+        var raw = await ReadRawColumnAsync("SmtpConfigurations", "Credentials", smtp.Id);
+        Assert.NotNull(raw);
+        Assert.NotEqual(secret, raw);
+        Assert.DoesNotContain("oauth2-abc-very-secret", raw);
+
+        var loaded = await _context.SmtpConfigurations.SingleAsync(s => s.Id == smtp.Id);
+        Assert.Equal(secret, loaded.Credentials);
+    }
+
+    [Fact]
+    public async Task ExternalSystemDefinition_AuthConfiguration_StoredEncrypted_RoundTrips()
+    {
+        const string secret = "{\"apiKey\":\"live-key-do-not-leak\"}";
+        var ext = new ExternalSystemDefinition("Erp", "https://erp.example.com", "ApiKey")
+        {
+            AuthConfiguration = secret
+        };
+        _context.ExternalSystemDefinitions.Add(ext);
+        await _context.SaveChangesAsync();
+        _context.ChangeTracker.Clear();
+
+        var raw = await ReadRawColumnAsync("ExternalSystemDefinitions", "AuthConfiguration", ext.Id);
+        Assert.NotNull(raw);
+        Assert.NotEqual(secret, raw);
+        Assert.DoesNotContain("live-key-do-not-leak", raw);
+
+        var loaded = await _context.ExternalSystemDefinitions.SingleAsync(e => e.Id == ext.Id);
+        Assert.Equal(secret, loaded.AuthConfiguration);
+    }
+
+    [Fact]
+    public async Task SmtpConfiguration_NullCredentials_RoundTripsAsNull()
+    {
+        var smtp = new SmtpConfiguration("smtp.example.com", "None", "noreply@example.com")
+        {
+            Credentials = null
+        };
+        _context.SmtpConfigurations.Add(smtp);
+        await _context.SaveChangesAsync();
+        _context.ChangeTracker.Clear();
+
+        var loaded = await _context.SmtpConfigurations.SingleAsync(s => s.Id == smtp.Id);
+        Assert.Null(loaded.Credentials);
+    }
+
+    private async Task<string?> ReadRawColumnAsync(string table, string column, int id)
+    {
+        var connection = _context.Database.GetDbConnection();
+        await using var cmd = connection.CreateCommand();
+        cmd.CommandText = $"SELECT \"{column}\" FROM \"{table}\" WHERE \"Id\" = $id";
+        var p = cmd.CreateParameter();
+        p.ParameterName = "$id";
+        p.Value = id;
+        cmd.Parameters.Add(p);
+        var result = await cmd.ExecuteScalarAsync();
+        return result == null || result == DBNull.Value ? null : (string)result;
+    }
+}