fix(host): resolve Host-003,004 — replace plaintext secrets with env placeholders, validate site seed-node ports; re-triage Host-002

tests/ScadaLink.Host.Tests/ConfigSecretsTests.cs

@@ -0,0 +1,89 @@
+using System.Reflection;
+using System.Text.Json;
+
+namespace ScadaLink.Host.Tests;
+
+/// <summary>
+/// Host-003 regression: secrets must not be committed in plaintext in the
+/// shipped <c>appsettings.Central.json</c>. Connection-string passwords, the LDAP
+/// service-account password and the JWT signing key must be supplied via
+/// environment variables (or another secret store) at deployment time — the
+/// committed file may only carry non-sensitive structural defaults or
+/// placeholder values.
+/// </summary>
+public class ConfigSecretsTests
+{
+    private static string FindHostProjectDirectory()
+    {
+        var assemblyDir = Path.GetDirectoryName(Assembly.GetExecutingAssembly().Location)!;
+        var dir = new DirectoryInfo(assemblyDir);
+        while (dir != null)
+        {
+            var hostPath = Path.Combine(dir.FullName, "src", "ScadaLink.Host");
+            if (Directory.Exists(hostPath))
+                return hostPath;
+            dir = dir.Parent;
+        }
+        throw new DirectoryNotFoundException("Could not locate src/ScadaLink.Host");
+    }
+
+    private static JsonElement ScadaLinkSection()
+    {
+        var path = Path.Combine(FindHostProjectDirectory(), "appsettings.Central.json");
+        var json = File.ReadAllText(path);
+        using var doc = JsonDocument.Parse(json);
+        return doc.RootElement.GetProperty("ScadaLink").Clone();
+    }
+
+    [Fact]
+    public void CentralConfig_ConnectionStrings_ContainNoPlaintextPassword()
+    {
+        var db = ScadaLinkSection().GetProperty("Database");
+        foreach (var prop in db.EnumerateObject())
+        {
+            var value = prop.Value.GetString() ?? string.Empty;
+            // A committed connection string must not carry a literal Password= value.
+            // Either the password is delivered via an environment variable or the
+            // whole connection string is. A placeholder reference is acceptable.
+            var idx = value.IndexOf("Password=", StringComparison.OrdinalIgnoreCase);
+            if (idx >= 0)
+            {
+                var after = value[(idx + "Password=".Length)..];
+                var literal = after.Split(';')[0];
+                Assert.True(
+                    literal.Length == 0 || literal.Contains('{') || literal.Contains('$'),
+                    $"appsettings.Central.json '{prop.Name}' contains a plaintext Password value '{literal}'. " +
+                    "Move the secret to an environment variable.");
+            }
+        }
+    }
+
+    [Fact]
+    public void CentralConfig_LdapServiceAccountPassword_IsNotCommitted()
+    {
+        var security = ScadaLinkSection().GetProperty("Security");
+        if (security.TryGetProperty("LdapServiceAccountPassword", out var pw))
+        {
+            var value = pw.GetString() ?? string.Empty;
+            Assert.True(
+                value.Length == 0 || value.Contains('{') || value.Contains('$'),
+                $"appsettings.Central.json carries a plaintext LdapServiceAccountPassword '{value}'. " +
+                "Move it to an environment variable.");
+        }
+    }
+
+    [Fact]
+    public void CentralConfig_JwtSigningKey_IsNotCommitted()
+    {
+        var security = ScadaLinkSection().GetProperty("Security");
+        if (security.TryGetProperty("JwtSigningKey", out var key))
+        {
+            var value = key.GetString() ?? string.Empty;
+            Assert.True(
+                value.Length == 0 || value.Contains('{') || value.Contains('$'),
+                $"appsettings.Central.json carries a committed JwtSigningKey '{value}'. " +
+                "A committed signing key lets anyone with repo access forge session tokens. " +
+                "Move it to an environment variable.");
+        }
+    }
+}