diff --git a/src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs b/src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs
index 66ed746..fdf34f6 100644
--- a/src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs
+++ b/src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs
@@ -23,9 +23,12 @@ namespace ScadaLink.CentralUI.Audit;
///
///
///
-/// The route is admin-gated to mirror the NavMenu (RequireAdmin wraps
-/// the Audit section). The query-string parser silently drops unrecognised
-/// values to match the page-level parser in
+/// The route is gated on the
+/// policy (#23 M7-T15 / Bundle G) so only roles with the bulk-export
+/// permission can pull a CSV — the page-level
+/// gate is read-only
+/// and intentionally narrower. The query-string parser silently drops
+/// unrecognised values to match the page-level parser in
/// AuditLogPage.ApplyQueryStringFilters — an unknown enum value yields
/// the same "no constraint" outcome rather than a 400.
///
@@ -43,7 +46,7 @@ public static class AuditExportEndpoints
public static IEndpointRouteBuilder MapAuditExportEndpoints(this IEndpointRouteBuilder endpoints)
{
endpoints.MapGet("/api/centralui/audit/export", HandleExportAsync)
- .RequireAuthorization(AuthorizationPolicies.RequireAdmin);
+ .RequireAuthorization(AuthorizationPolicies.AuditExport);
return endpoints;
}
diff --git a/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor b/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor
index 798d306..1c05b7e 100644
--- a/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor
+++ b/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor
@@ -108,11 +108,15 @@
- @* Audit — Admin only. Hosts the new Audit Log page (#23 M7)
- and the renamed Configuration Audit Log (IAuditService
- config-change viewer). Both items are Admin-gated, so
- the section header sits inside the same policy block. *@
-
+ @* Audit — gated on the OperationalAudit policy (#23 M7-T15
+ / Bundle G). Hosts the new Audit Log page (#23 M7) and
+ the renamed Configuration Audit Log (IAuditService
+ config-change viewer). Both items share the same gate,
+ so the section header sits inside the same policy block:
+ a non-audit user does not even see the heading.
+ OperationalAudit is satisfied by the Admin, Audit, and
+ AuditReadOnly roles. *@
+
diff --git a/src/ScadaLink.CentralUI/Components/Pages/Audit/AuditLogPage.razor b/src/ScadaLink.CentralUI/Components/Pages/Audit/AuditLogPage.razor
index 2b48fa0..2e8a64e 100644
--- a/src/ScadaLink.CentralUI/Components/Pages/Audit/AuditLogPage.razor
+++ b/src/ScadaLink.CentralUI/Components/Pages/Audit/AuditLogPage.razor
@@ -1,9 +1,10 @@
@page "/audit/log"
-@attribute [Authorize]
+@attribute [Authorize(Policy = AuthorizationPolicies.OperationalAudit)]
@using ScadaLink.CentralUI.Components.Audit
@using ScadaLink.CentralUI.Services
@using ScadaLink.Commons.Entities.Audit
@using ScadaLink.Commons.Types.Audit
+@using ScadaLink.Security
@inject IAuditLogQueryService AuditLogQueryService
Audit Log
@@ -24,16 +25,26 @@
SignalR-driven download because the request can stream 100k rows directly
to the response body without buffering through the Blazor circuit. The
href reflects the most recently applied filter; before Apply is clicked,
- an unconstrained export is exposed. *@
-
+ an unconstrained export is exposed.
+
+ Bundle G (#23 M7-T15) gates the button on the AuditExport policy so an
+ OperationalAudit-only operator (read access without bulk export) sees the
+ page + filters but cannot trigger the CSV pull. The endpoint itself is
+ gated separately, so a hand-crafted URL still 403s — the AuthorizeView
+ here is the user-facing affordance, not the authoritative check. *@
+
+
+
+
+
@* Results grid (Bundle B / M7-T3). Row clicks emit OnRowSelected for Bundle C's
drilldown drawer; the grid stays in "no events" mode until the user applies a
diff --git a/src/ScadaLink.CentralUI/Components/Pages/Audit/ConfigurationAuditLog.razor b/src/ScadaLink.CentralUI/Components/Pages/Audit/ConfigurationAuditLog.razor
index df5e58c..e7d76f4 100644
--- a/src/ScadaLink.CentralUI/Components/Pages/Audit/ConfigurationAuditLog.razor
+++ b/src/ScadaLink.CentralUI/Components/Pages/Audit/ConfigurationAuditLog.razor
@@ -3,7 +3,7 @@
@using ScadaLink.CentralUI.Components
@using ScadaLink.Commons.Entities.Audit
@using ScadaLink.Commons.Interfaces.Repositories
-@attribute [Authorize(Policy = AuthorizationPolicies.RequireAdmin)]
+@attribute [Authorize(Policy = AuthorizationPolicies.OperationalAudit)]
@inject ICentralUiRepository CentralUiRepository
@inject IJSRuntime JS
diff --git a/src/ScadaLink.Security/AuthorizationPolicies.cs b/src/ScadaLink.Security/AuthorizationPolicies.cs
index c426b74..200c778 100644
--- a/src/ScadaLink.Security/AuthorizationPolicies.cs
+++ b/src/ScadaLink.Security/AuthorizationPolicies.cs
@@ -3,12 +3,98 @@ using Microsoft.Extensions.DependencyInjection;
namespace ScadaLink.Security;
+///
+/// Centralised authorization policy names + the role→permission mapping
+/// that defines them.
+///
+///
+/// The codebase uses a thin role-claim model: each policy expresses a
+/// permission, satisfied when the principal carries any role claim
+/// () that maps to that
+/// permission. Role names are free strings configured via
+/// rows
+/// (see ) — there is no permission claim, just a
+/// fan-out from role to allowed policies.
+///
+///
+///
+/// Default role → permission mapping (#23 M7-T15 / Bundle G):
+///
+///
+/// Role
+/// Policies granted
+///
+/// -
+/// Admin
+/// ,
+/// , — admins hold
+/// every permission by convention so an Admin-only user never loses
+/// access to a new surface.
+///
+/// -
+/// Design
+///
+///
+/// -
+/// Deployment
+///
+///
+/// -
+/// Audit
+/// ,
+/// — the full audit surface (read + bulk
+/// export) per Component-AuditLog.md §"Authorization".
+///
+/// -
+/// AuditReadOnly
+/// only — operators who
+/// should see the Audit Log + drill in to incidents but not pull bulk
+/// CSV exports. Use this when delegating triage without granting
+/// forensic-export capability.
+///
+///
+/// LDAP group → role mapping is configured via the central UI Admin → LDAP
+/// Mappings page (rows in LdapGroupMappings); the same code path
+/// reads them whether the role is one of the four built-ins above or any
+/// future addition. Adding a role here means adding the LDAP mapping row in
+/// the deployment; no schema migration is needed.
+///
+///
public static class AuthorizationPolicies
{
public const string RequireAdmin = "RequireAdmin";
public const string RequireDesign = "RequireDesign";
public const string RequireDeployment = "RequireDeployment";
+ ///
+ /// Read access to the Audit Log #23 surface (Audit Log page,
+ /// Configuration Audit Log page, Audit nav group). Granted to the
+ /// Audit role, the AuditReadOnly role, and the
+ /// Admin role.
+ ///
+ public const string OperationalAudit = "OperationalAudit";
+
+ ///
+ /// Permission to pull a bulk CSV export of the Audit Log. Separate from
+ /// so a triage operator can read the
+ /// table without being able to exfiltrate it in bulk. Granted to the
+ /// Audit role and the Admin role.
+ ///
+ public const string AuditExport = "AuditExport";
+
+ ///
+ /// Roles that satisfy . Held in one place
+ /// so the seed/docs and the policy stay in lockstep.
+ ///
+ internal static readonly string[] OperationalAuditRoles = { "Admin", "Audit", "AuditReadOnly" };
+
+ ///
+ /// Roles that satisfy . A strict subset of
+ /// — read access does NOT imply
+ /// export permission.
+ ///
+ internal static readonly string[] AuditExportRoles = { "Admin", "Audit" };
+
public static IServiceCollection AddScadaLinkAuthorization(this IServiceCollection services)
{
services.AddAuthorization(options =>
@@ -21,6 +107,19 @@ public static class AuthorizationPolicies
options.AddPolicy(RequireDeployment, policy =>
policy.RequireClaim(JwtTokenService.RoleClaimType, "Deployment"));
+
+ // Multi-role permission policies — the policy succeeds when the
+ // principal holds ANY of the mapped roles. RequireClaim with
+ // multiple allowed values is the right primitive: it checks
+ // whether *any* role claim's value is in the allowed set, so a
+ // user with role=Admin (and nothing else) satisfies the
+ // OperationalAudit policy without needing a separate Audit
+ // role claim.
+ options.AddPolicy(OperationalAudit, policy =>
+ policy.RequireClaim(JwtTokenService.RoleClaimType, OperationalAuditRoles));
+
+ options.AddPolicy(AuditExport, policy =>
+ policy.RequireClaim(JwtTokenService.RoleClaimType, AuditExportRoles));
});
services.AddSingleton();
diff --git a/tests/ScadaLink.CentralUI.Tests/Audit/AuditExportEndpointsTests.cs b/tests/ScadaLink.CentralUI.Tests/Audit/AuditExportEndpointsTests.cs
index fcb01f4..286198b 100644
--- a/tests/ScadaLink.CentralUI.Tests/Audit/AuditExportEndpointsTests.cs
+++ b/tests/ScadaLink.CentralUI.Tests/Audit/AuditExportEndpointsTests.cs
@@ -71,18 +71,18 @@ public class AuditExportEndpointsTests
web.ConfigureServices(services =>
{
services.AddRouting();
- // The endpoint is admin-gated; the tests run as
- // pre-authenticated principals built by FakeAuthHandler
- // (everyone has the Admin role) so the RequireAdmin policy
- // succeeds.
+ // The endpoint is AuditExport-gated (#23 M7-T15 Bundle G);
+ // the tests run as pre-authenticated principals built by
+ // FakeAuthHandler (everyone has the Admin role), which is
+ // one of AuditExportRoles, so the policy succeeds.
services.AddAuthentication(FakeAuthHandler.SchemeName)
.AddScheme(
FakeAuthHandler.SchemeName, _ => { });
- services.AddAuthorization(options =>
- {
- options.AddPolicy(AuthorizationPolicies.RequireAdmin, policy =>
- policy.RequireClaim(JwtTokenService.RoleClaimType, "Admin"));
- });
+ // Use the real production policy wiring so the endpoint's
+ // updated AuditExport gate (#23 M7-T15 Bundle G) is what
+ // the tests exercise. The fake principal carries the
+ // "Admin" role, which AuditExportRoles permits.
+ services.AddScadaLinkAuthorization();
services.AddSingleton(repo);
services.AddScoped();
});
@@ -224,8 +224,8 @@ public class AuditExportEndpointsTests
///
/// Test-only authentication handler that signs every request in as an Admin.
- /// Lets the endpoint's RequireAdmin policy pass without spinning up
- /// the real cookie + LDAP pipeline.
+ /// Admin is in AuditExportRoles, so the endpoint's AuditExport policy
+ /// passes without spinning up the real cookie + LDAP pipeline.
///
private sealed class FakeAuthHandler : AuthenticationHandler
{
diff --git a/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPagePermissionTests.cs b/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPagePermissionTests.cs
new file mode 100644
index 0000000..e3a754d
--- /dev/null
+++ b/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPagePermissionTests.cs
@@ -0,0 +1,323 @@
+using System.Net;
+using System.Security.Claims;
+using System.Text.Encodings.Web;
+using Bunit;
+using Microsoft.AspNetCore.Authentication;
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.AspNetCore.Builder;
+using Microsoft.AspNetCore.Components;
+using Microsoft.AspNetCore.Components.Authorization;
+using Microsoft.AspNetCore.Hosting;
+using Microsoft.AspNetCore.Http;
+using Microsoft.AspNetCore.Routing;
+using Microsoft.AspNetCore.TestHost;
+using Microsoft.Extensions.DependencyInjection;
+using Microsoft.Extensions.Hosting;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using NSubstitute;
+using ScadaLink.CentralUI.Audit;
+using ScadaLink.CentralUI.Services;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Commons.Types.Audit;
+using ScadaLink.Commons.Types.Enums;
+using ScadaLink.Security;
+using AuditLogPage = ScadaLink.CentralUI.Components.Pages.Audit.AuditLogPage;
+
+namespace ScadaLink.CentralUI.Tests.Pages;
+
+///
+/// Permission-gating tests for the Audit Log surface (#23 M7-T15 / Bundle G).
+///
+///
+/// Bundle G introduces two new policies:
+///
+/// - OperationalAudit — read access to the Audit Log page +
+/// Configuration Audit Log page + nav group.
+/// - AuditExport — additional gate on the Export-CSV button and
+/// the streaming export endpoint.
+///
+/// Both policies are satisfied by the Audit role and (defence in depth)
+/// the Admin role — admins see everything by convention in this
+/// codebase. The tests pin both the page-level + endpoint-level enforcement,
+/// and the Export-button visibility split.
+///
+///
+public class AuditLogPagePermissionTests : BunitContext
+{
+ private static ClaimsPrincipal BuildPrincipal(params string[] roles)
+ {
+ var claims = new List { new("Username", "tester") };
+ claims.AddRange(roles.Select(r => new Claim(JwtTokenService.RoleClaimType, r)));
+ return new ClaimsPrincipal(new ClaimsIdentity(claims, "TestAuth"));
+ }
+
+ private void WireUpPageDependencies()
+ {
+ // The page hosts AuditFilterBar + AuditResultsGrid which depend on
+ // ISiteRepository and IAuditLogQueryService — provide stand-ins so
+ // a permitted render is exercised end-to-end.
+ Services.AddSingleton(Substitute.For());
+ Services.AddSingleton(Substitute.For());
+ }
+
+ private IRenderedComponent RenderAuditLogPage(params string[] roles)
+ {
+ var user = BuildPrincipal(roles);
+ Services.AddSingleton(new TestAuthStateProvider(user));
+ Services.AddAuthorizationCore();
+ AuthorizationPolicies.AddScadaLinkAuthorization(Services);
+ Services.AddSingleton();
+ WireUpPageDependencies();
+
+ // Page-level [Authorize(Policy=...)] is enforced by the router in a
+ // live app. bUnit renders the component directly, so we wrap the
+ // page in a CascadingAuthenticationState so the in-page
+ // AuthorizeView for the Export button can read the principal.
+ var host = Render(parameters => parameters
+ .Add(p => p.ChildContent, (RenderFragment)(builder =>
+ {
+ builder.OpenComponent(0);
+ builder.CloseComponent();
+ })));
+
+ return host.FindComponent();
+ }
+
+ // ─────────────────────────────────────────────────────────────────────
+ // Test 1: WithoutOperationalAudit_PageReturns403_OrHidden
+ // ─────────────────────────────────────────────────────────────────────
+ //
+ // Page-level enforcement is the [Authorize(Policy = "OperationalAudit")]
+ // attribute on the .razor page. We can't easily smoke-test routing here,
+ // so we verify the attribute is present + the policy denies a principal
+ // that holds none of the permitting roles.
+
+ [Fact]
+ public async Task WithoutOperationalAudit_PolicyDenies()
+ {
+ // A Design-only user (no Audit, no Admin) must NOT satisfy the
+ // OperationalAudit policy.
+ var services = new ServiceCollection();
+ services.AddLogging();
+ services.AddScadaLinkAuthorization();
+ using var provider = services.BuildServiceProvider();
+ var authService = provider.GetRequiredService();
+
+ var principal = BuildPrincipal("Design");
+ var result = await authService.AuthorizeAsync(
+ principal, null, AuthorizationPolicies.OperationalAudit);
+
+ Assert.False(result.Succeeded);
+ }
+
+ [Fact]
+ public void AuditLogPage_HasOperationalAuditAuthorizeAttribute()
+ {
+ // Sanity-pin the attribute so the page-level gate can't regress to
+ // [Authorize] (any-authenticated) by accident.
+ var attributes = typeof(AuditLogPage)
+ .GetCustomAttributes(typeof(AuthorizeAttribute), inherit: true)
+ .Cast()
+ .ToList();
+
+ Assert.Contains(attributes, a => a.Policy == AuthorizationPolicies.OperationalAudit);
+ }
+
+ [Fact]
+ public void ConfigurationAuditLogPage_HasOperationalAuditAuthorizeAttribute()
+ {
+ // ConfigurationAuditLog mirrors the gate — both Audit-group pages
+ // share the OperationalAudit permission so the nav-group policy
+ // remains coherent with the per-page gates.
+ var configType = typeof(ScadaLink.CentralUI.Components.Pages.Audit.ConfigurationAuditLog);
+ var attributes = configType
+ .GetCustomAttributes(typeof(AuthorizeAttribute), inherit: true)
+ .Cast()
+ .ToList();
+
+ Assert.Contains(attributes, a => a.Policy == AuthorizationPolicies.OperationalAudit);
+ }
+
+ // ─────────────────────────────────────────────────────────────────────
+ // Test 2 + 3: Export button visibility split.
+ // ─────────────────────────────────────────────────────────────────────
+
+ [Fact]
+ public void WithOperationalAudit_NoAuditExport_PageRenders_ExportButtonHidden()
+ {
+ // The "Audit" role grants OperationalAudit + AuditExport in the
+ // default mapping, so we test the split by handing the user ONLY
+ // an extra-narrow role that we map ONLY to OperationalAudit: a
+ // fresh "AuditReadOnly" role (see AuthorizationPolicies).
+ var cut = RenderAuditLogPage("AuditReadOnly");
+
+ cut.WaitForAssertion(() =>
+ {
+ // The page rendered (heading + container present) but the
+ // Export-CSV anchor is gone because AuditExport is denied.
+ Assert.Contains("Audit Log", cut.Markup);
+ Assert.DoesNotContain("Export CSV", cut.Markup);
+ });
+ }
+
+ [Fact]
+ public void WithOperationalAudit_AndAuditExport_PageRenders_ExportButtonVisible()
+ {
+ var cut = RenderAuditLogPage("Audit");
+
+ cut.WaitForAssertion(() =>
+ {
+ Assert.Contains("Audit Log", cut.Markup);
+ Assert.Contains("Export CSV", cut.Markup);
+ });
+ }
+
+ [Fact]
+ public void AdminUser_SeesPage_AndExportButton()
+ {
+ // Admin holds every permission by convention — both policies must
+ // succeed for a plain Admin user.
+ var cut = RenderAuditLogPage("Admin");
+
+ cut.WaitForAssertion(() =>
+ {
+ Assert.Contains("Audit Log", cut.Markup);
+ Assert.Contains("Export CSV", cut.Markup);
+ });
+ }
+
+ // ─────────────────────────────────────────────────────────────────────
+ // Test 4 + 5: Endpoint-level enforcement.
+ // ─────────────────────────────────────────────────────────────────────
+
+ [Fact]
+ public async Task AuditExportEndpoint_WithoutAuditExport_Returns403()
+ {
+ // A user holding only Design must NOT be able to call the export
+ // endpoint. Live wiring re-uses AuthorizationPolicies.AuditExport.
+ var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Design" });
+ using (host)
+ {
+ var response = await client.GetAsync("/api/centralui/audit/export");
+ Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+ }
+ }
+
+ [Fact]
+ public async Task AuditExportEndpoint_WithAuditExport_Returns200()
+ {
+ var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Audit" });
+ using (host)
+ {
+ var response = await client.GetAsync("/api/centralui/audit/export");
+ Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+ }
+ }
+
+ [Fact]
+ public async Task AuditExportEndpoint_AdminAlone_Returns200()
+ {
+ // Admin alone (no Audit role) must still pass — defence in depth.
+ var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Admin" });
+ using (host)
+ {
+ var response = await client.GetAsync("/api/centralui/audit/export");
+ Assert.Equal(HttpStatusCode.OK, response.StatusCode);
+ }
+ }
+
+ [Fact]
+ public async Task AuditExportEndpoint_AuditReadOnly_Returns403()
+ {
+ // AuditReadOnly grants OperationalAudit but NOT AuditExport, so the
+ // endpoint must refuse — the page is readable but the bulk export
+ // path is gated separately.
+ var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "AuditReadOnly" });
+ using (host)
+ {
+ var response = await client.GetAsync("/api/centralui/audit/export");
+ Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode);
+ }
+ }
+
+ // ─────────────────────────────────────────────────────────────────────
+ // Helper: tiny in-process host with the real AuthorizationPolicies.
+ // ─────────────────────────────────────────────────────────────────────
+
+ private static async Task<(HttpClient Client, IAuditLogRepository Repo, IHost Host)> BuildEndpointHostAsync(
+ string[] roles)
+ {
+ var repo = Substitute.For();
+ repo.QueryAsync(Arg.Any(), Arg.Any(), Arg.Any())
+ .Returns(
+ Task.FromResult>(Array.Empty()),
+ Task.FromResult>(Array.Empty()));
+
+ var hostBuilder = new HostBuilder()
+ .ConfigureWebHost(web =>
+ {
+ web.UseTestServer();
+ web.ConfigureServices(services =>
+ {
+ services.AddRouting();
+ services.AddAuthentication(FakeAuthHandler.SchemeName)
+ .AddScheme(
+ FakeAuthHandler.SchemeName, opts => opts.Roles = roles);
+ // Real policies — the whole point of these tests is to
+ // exercise the production AddScadaLinkAuthorization wiring.
+ services.AddScadaLinkAuthorization();
+ services.AddSingleton(repo);
+ services.AddScoped();
+ });
+ web.Configure(app =>
+ {
+ app.UseRouting();
+ app.UseAuthentication();
+ app.UseAuthorization();
+ app.UseEndpoints(endpoints =>
+ {
+ endpoints.MapAuditExportEndpoints();
+ });
+ });
+ });
+
+ var host = await hostBuilder.StartAsync();
+ var client = host.GetTestClient();
+ return (client, repo, host);
+ }
+
+ ///
+ /// Test-only authentication handler that signs every request in with
+ /// the configured set of roles.
+ ///
+ private sealed class FakeAuthHandler : AuthenticationHandler
+ {
+ public const string SchemeName = "FakeAuth";
+
+ public FakeAuthHandler(
+ IOptionsMonitor options,
+ ILoggerFactory logger,
+ UrlEncoder encoder)
+ : base(options, logger, encoder) { }
+
+ protected override Task HandleAuthenticateAsync()
+ {
+ var claims = new List { new(ClaimTypes.Name, "test-user") };
+ foreach (var role in Options.Roles)
+ {
+ claims.Add(new Claim(JwtTokenService.RoleClaimType, role));
+ }
+ var identity = new ClaimsIdentity(claims, SchemeName);
+ var principal = new ClaimsPrincipal(identity);
+ var ticket = new AuthenticationTicket(principal, SchemeName);
+ return Task.FromResult(AuthenticateResult.Success(ticket));
+ }
+ }
+
+ private sealed class FakeAuthHandlerOptions : AuthenticationSchemeOptions
+ {
+ public string[] Roles { get; set; } = Array.Empty();
+ }
+}
diff --git a/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPageScaffoldTests.cs b/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPageScaffoldTests.cs
index 01de979..955c314 100644
--- a/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPageScaffoldTests.cs
+++ b/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPageScaffoldTests.cs
@@ -61,7 +61,19 @@ public class AuditLogPageScaffoldTests : BunitContext
nav.NavigateTo($"/audit/log?{query}");
}
- return Render();
+ // Bundle G (#23 M7-T15): the page now hosts an in-component
+ // AuthorizeView around the Export-CSV button, so the page MUST
+ // render inside a CascadingAuthenticationState. The router supplies
+ // this in production; bUnit hosts the page directly so we wrap it
+ // here.
+ var host = Render(parameters => parameters
+ .Add(p => p.ChildContent, (RenderFragment)(builder =>
+ {
+ builder.OpenComponent(0);
+ builder.CloseComponent();
+ })));
+
+ return host.FindComponent();
}
private IRenderedComponent RenderNavMenu(params string[] roles)
diff --git a/tests/ScadaLink.Security.Tests/SecurityTests.cs b/tests/ScadaLink.Security.Tests/SecurityTests.cs
index 4abc7af..2550b48 100644
--- a/tests/ScadaLink.Security.Tests/SecurityTests.cs
+++ b/tests/ScadaLink.Security.Tests/SecurityTests.cs
@@ -1077,6 +1077,59 @@ public class AuthorizationPolicyTests
Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireAdmin, principal));
Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDesign, principal));
Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDeployment, principal));
+ Assert.False(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal));
+ Assert.False(await EvaluatePolicy(AuthorizationPolicies.AuditExport, principal));
+ }
+
+ // ─────────────────────────────────────────────────────────────────────
+ // Audit Log #23 — OperationalAudit + AuditExport policies (M7-T15).
+ // Default mapping (see AuthorizationPolicies XML doc):
+ // Admin → OperationalAudit + AuditExport
+ // Audit → OperationalAudit + AuditExport
+ // AuditReadOnly → OperationalAudit only
+ // Design → neither
+ // Deployment → neither
+ // ─────────────────────────────────────────────────────────────────────
+
+ [Theory]
+ [InlineData("Admin")]
+ [InlineData("Audit")]
+ [InlineData("AuditReadOnly")]
+ public async Task OperationalAuditPolicy_GrantedRoles_Succeed(string role)
+ {
+ var principal = CreatePrincipal(new[] { role });
+ Assert.True(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal));
+ }
+
+ [Theory]
+ [InlineData("Design")]
+ [InlineData("Deployment")]
+ public async Task OperationalAuditPolicy_UngrantedRoles_Fail(string role)
+ {
+ var principal = CreatePrincipal(new[] { role });
+ Assert.False(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal));
+ }
+
+ [Theory]
+ [InlineData("Admin")]
+ [InlineData("Audit")]
+ public async Task AuditExportPolicy_GrantedRoles_Succeed(string role)
+ {
+ var principal = CreatePrincipal(new[] { role });
+ Assert.True(await EvaluatePolicy(AuthorizationPolicies.AuditExport, principal));
+ }
+
+ [Theory]
+ [InlineData("AuditReadOnly")]
+ [InlineData("Design")]
+ [InlineData("Deployment")]
+ public async Task AuditExportPolicy_UngrantedRoles_Fail(string role)
+ {
+ // AuditReadOnly is the load-bearing case: it grants OperationalAudit
+ // (read) but NOT AuditExport (bulk export) — the split that lets a
+ // triage operator drill in without exfiltrating the table.
+ var principal = CreatePrincipal(new[] { role });
+ Assert.False(await EvaluatePolicy(AuthorizationPolicies.AuditExport, principal));
}
[Fact]