From 6dea84cd283b0eced3ff617e41daf06a9fbe5018 Mon Sep 17 00:00:00 2001 From: Joseph Doherty Date: Wed, 20 May 2026 21:09:42 -0400 Subject: [PATCH] feat(security): OperationalAudit + AuditExport permissions for Audit Log surface (#23 M7) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Bundle G (#23 M7-T15): replace the temporary Admin-only gate on the Audit Log surface with two new permission policies — OperationalAudit (read) and AuditExport (bulk-export) — so the read path and the forensic-export path can be delegated independently. ScadaLink.Security - AuthorizationPolicies: add OperationalAudit + AuditExport policy constants; register them via RequireClaim with an explicit role allow-list (OperationalAuditRoles, AuditExportRoles) so the role-to-permission mapping is documented in one place. - Default mapping: Admin and Audit roles grant both policies; AuditReadOnly grants OperationalAudit only (read access without bulk export); Design and Deployment grant neither. ScadaLink.CentralUI - AuditLogPage: switch the page-level [Authorize] to the OperationalAudit policy and wrap the Export-CSV button in an AuthorizeView gated on AuditExport so an OperationalAudit-only operator still sees the page + filters but cannot trigger the CSV pull. - ConfigurationAuditLog: switch from RequireAdmin to OperationalAudit so both pages under the Audit nav group share the same gate. - NavMenu: the Audit nav group now gates on OperationalAudit so the section header + both child links match the per-page policies. - AuditExportEndpoints: switch RequireAuthorization from RequireAdmin to AuditExport — this is the authoritative gate; the AuthorizeView on the button is just a UX affordance. Tests - New AuditLogPagePermissionTests covers the 5 brief-mandated cases plus defence-in-depth for Admin-alone and AuditReadOnly users on the endpoint. - SecurityTests: add policy-level coverage for the new role→permission matrix (Theory rows pin every role/policy combination). - AuditExportEndpointsTests: switch to AddScadaLinkAuthorization() so the test host exercises the real production wiring under the new gate. - AuditLogPageScaffoldTests: wrap the page render in a CascadingAuthenticationState so the new in-page AuthorizeView resolves the principal. --- .../Audit/AuditExportEndpoints.cs | 11 +- .../Components/Layout/NavMenu.razor | 14 +- .../Components/Pages/Audit/AuditLogPage.razor | 33 +- .../Pages/Audit/ConfigurationAuditLog.razor | 2 +- .../AuthorizationPolicies.cs | 99 ++++++ .../Audit/AuditExportEndpointsTests.cs | 22 +- .../Pages/AuditLogPagePermissionTests.cs | 323 ++++++++++++++++++ .../Pages/AuditLogPageScaffoldTests.cs | 14 +- .../ScadaLink.Security.Tests/SecurityTests.cs | 53 +++ 9 files changed, 538 insertions(+), 33 deletions(-) create mode 100644 tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPagePermissionTests.cs diff --git a/src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs b/src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs index 66ed746..fdf34f6 100644 --- a/src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs +++ b/src/ScadaLink.CentralUI/Audit/AuditExportEndpoints.cs @@ -23,9 +23,12 @@ namespace ScadaLink.CentralUI.Audit; /// /// /// -/// The route is admin-gated to mirror the NavMenu (RequireAdmin wraps -/// the Audit section). The query-string parser silently drops unrecognised -/// values to match the page-level parser in +/// The route is gated on the +/// policy (#23 M7-T15 / Bundle G) so only roles with the bulk-export +/// permission can pull a CSV — the page-level +/// gate is read-only +/// and intentionally narrower. The query-string parser silently drops +/// unrecognised values to match the page-level parser in /// AuditLogPage.ApplyQueryStringFilters — an unknown enum value yields /// the same "no constraint" outcome rather than a 400. /// @@ -43,7 +46,7 @@ public static class AuditExportEndpoints public static IEndpointRouteBuilder MapAuditExportEndpoints(this IEndpointRouteBuilder endpoints) { endpoints.MapGet("/api/centralui/audit/export", HandleExportAsync) - .RequireAuthorization(AuthorizationPolicies.RequireAdmin); + .RequireAuthorization(AuthorizationPolicies.AuditExport); return endpoints; } diff --git a/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor b/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor index 798d306..1c05b7e 100644 --- a/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor +++ b/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor @@ -108,11 +108,15 @@ - @* Audit — Admin only. Hosts the new Audit Log page (#23 M7) - and the renamed Configuration Audit Log (IAuditService - config-change viewer). Both items are Admin-gated, so - the section header sits inside the same policy block. *@ - + @* Audit — gated on the OperationalAudit policy (#23 M7-T15 + / Bundle G). Hosts the new Audit Log page (#23 M7) and + the renamed Configuration Audit Log (IAuditService + config-change viewer). Both items share the same gate, + so the section header sits inside the same policy block: + a non-audit user does not even see the heading. + OperationalAudit is satisfied by the Admin, Audit, and + AuditReadOnly roles. *@ +
  • diff --git a/src/ScadaLink.CentralUI/Components/Pages/Audit/AuditLogPage.razor b/src/ScadaLink.CentralUI/Components/Pages/Audit/AuditLogPage.razor index 2b48fa0..2e8a64e 100644 --- a/src/ScadaLink.CentralUI/Components/Pages/Audit/AuditLogPage.razor +++ b/src/ScadaLink.CentralUI/Components/Pages/Audit/AuditLogPage.razor @@ -1,9 +1,10 @@ @page "/audit/log" -@attribute [Authorize] +@attribute [Authorize(Policy = AuthorizationPolicies.OperationalAudit)] @using ScadaLink.CentralUI.Components.Audit @using ScadaLink.CentralUI.Services @using ScadaLink.Commons.Entities.Audit @using ScadaLink.Commons.Types.Audit +@using ScadaLink.Security @inject IAuditLogQueryService AuditLogQueryService Audit Log @@ -24,16 +25,26 @@ SignalR-driven download because the request can stream 100k rows directly to the response body without buffering through the Blazor circuit. The href reflects the most recently applied filter; before Apply is clicked, - an unconstrained export is exposed. *@ -
    - - Export CSV - -
    + an unconstrained export is exposed. + + Bundle G (#23 M7-T15) gates the button on the AuditExport policy so an + OperationalAudit-only operator (read access without bulk export) sees the + page + filters but cannot trigger the CSV pull. The endpoint itself is + gated separately, so a hand-crafted URL still 403s — the AuthorizeView + here is the user-facing affordance, not the authoritative check. *@ + + +
    + + Export CSV + +
    +     +     @* Results grid (Bundle B / M7-T3). Row clicks emit OnRowSelected for Bundle C's drilldown drawer; the grid stays in "no events" mode until the user applies a diff --git a/src/ScadaLink.CentralUI/Components/Pages/Audit/ConfigurationAuditLog.razor b/src/ScadaLink.CentralUI/Components/Pages/Audit/ConfigurationAuditLog.razor index df5e58c..e7d76f4 100644 --- a/src/ScadaLink.CentralUI/Components/Pages/Audit/ConfigurationAuditLog.razor +++ b/src/ScadaLink.CentralUI/Components/Pages/Audit/ConfigurationAuditLog.razor @@ -3,7 +3,7 @@ @using ScadaLink.CentralUI.Components @using ScadaLink.Commons.Entities.Audit @using ScadaLink.Commons.Interfaces.Repositories -@attribute [Authorize(Policy = AuthorizationPolicies.RequireAdmin)] +@attribute [Authorize(Policy = AuthorizationPolicies.OperationalAudit)] @inject ICentralUiRepository CentralUiRepository @inject IJSRuntime JS diff --git a/src/ScadaLink.Security/AuthorizationPolicies.cs b/src/ScadaLink.Security/AuthorizationPolicies.cs index c426b74..200c778 100644 --- a/src/ScadaLink.Security/AuthorizationPolicies.cs +++ b/src/ScadaLink.Security/AuthorizationPolicies.cs @@ -3,12 +3,98 @@ using Microsoft.Extensions.DependencyInjection; namespace ScadaLink.Security; +/// +/// Centralised authorization policy names + the role→permission mapping +/// that defines them. +/// +/// +/// The codebase uses a thin role-claim model: each policy expresses a +/// permission, satisfied when the principal carries any role claim +/// () that maps to that +/// permission. Role names are free strings configured via +/// rows +/// (see ) — there is no permission claim, just a +/// fan-out from role to allowed policies. +/// +/// +/// +/// Default role → permission mapping (#23 M7-T15 / Bundle G): +/// +/// +/// Role +/// Policies granted +/// +/// +/// Admin +/// , +/// , — admins hold +/// every permission by convention so an Admin-only user never loses +/// access to a new surface. +/// +/// +/// Design +/// +/// +/// +/// Deployment +/// +/// +/// +/// Audit +/// , +/// — the full audit surface (read + bulk +/// export) per Component-AuditLog.md §"Authorization". +/// +/// +/// AuditReadOnly +/// only — operators who +/// should see the Audit Log + drill in to incidents but not pull bulk +/// CSV exports. Use this when delegating triage without granting +/// forensic-export capability. +/// +/// +/// LDAP group → role mapping is configured via the central UI Admin → LDAP +/// Mappings page (rows in LdapGroupMappings); the same code path +/// reads them whether the role is one of the four built-ins above or any +/// future addition. Adding a role here means adding the LDAP mapping row in +/// the deployment; no schema migration is needed. +/// +/// public static class AuthorizationPolicies { public const string RequireAdmin = "RequireAdmin"; public const string RequireDesign = "RequireDesign"; public const string RequireDeployment = "RequireDeployment"; + /// + /// Read access to the Audit Log #23 surface (Audit Log page, + /// Configuration Audit Log page, Audit nav group). Granted to the + /// Audit role, the AuditReadOnly role, and the + /// Admin role. + /// + public const string OperationalAudit = "OperationalAudit"; + + /// + /// Permission to pull a bulk CSV export of the Audit Log. Separate from + /// so a triage operator can read the + /// table without being able to exfiltrate it in bulk. Granted to the + /// Audit role and the Admin role. + /// + public const string AuditExport = "AuditExport"; + + /// + /// Roles that satisfy . Held in one place + /// so the seed/docs and the policy stay in lockstep. + /// + internal static readonly string[] OperationalAuditRoles = { "Admin", "Audit", "AuditReadOnly" }; + + /// + /// Roles that satisfy . A strict subset of + /// — read access does NOT imply + /// export permission. + /// + internal static readonly string[] AuditExportRoles = { "Admin", "Audit" }; + public static IServiceCollection AddScadaLinkAuthorization(this IServiceCollection services) { services.AddAuthorization(options => @@ -21,6 +107,19 @@ public static class AuthorizationPolicies options.AddPolicy(RequireDeployment, policy => policy.RequireClaim(JwtTokenService.RoleClaimType, "Deployment")); + + // Multi-role permission policies — the policy succeeds when the + // principal holds ANY of the mapped roles. RequireClaim with + // multiple allowed values is the right primitive: it checks + // whether *any* role claim's value is in the allowed set, so a + // user with role=Admin (and nothing else) satisfies the + // OperationalAudit policy without needing a separate Audit + // role claim. + options.AddPolicy(OperationalAudit, policy => + policy.RequireClaim(JwtTokenService.RoleClaimType, OperationalAuditRoles)); + + options.AddPolicy(AuditExport, policy => + policy.RequireClaim(JwtTokenService.RoleClaimType, AuditExportRoles)); }); services.AddSingleton(); diff --git a/tests/ScadaLink.CentralUI.Tests/Audit/AuditExportEndpointsTests.cs b/tests/ScadaLink.CentralUI.Tests/Audit/AuditExportEndpointsTests.cs index fcb01f4..286198b 100644 --- a/tests/ScadaLink.CentralUI.Tests/Audit/AuditExportEndpointsTests.cs +++ b/tests/ScadaLink.CentralUI.Tests/Audit/AuditExportEndpointsTests.cs @@ -71,18 +71,18 @@ public class AuditExportEndpointsTests web.ConfigureServices(services => { services.AddRouting(); - // The endpoint is admin-gated; the tests run as - // pre-authenticated principals built by FakeAuthHandler - // (everyone has the Admin role) so the RequireAdmin policy - // succeeds. + // The endpoint is AuditExport-gated (#23 M7-T15 Bundle G); + // the tests run as pre-authenticated principals built by + // FakeAuthHandler (everyone has the Admin role), which is + // one of AuditExportRoles, so the policy succeeds. services.AddAuthentication(FakeAuthHandler.SchemeName) .AddScheme( FakeAuthHandler.SchemeName, _ => { }); - services.AddAuthorization(options => - { - options.AddPolicy(AuthorizationPolicies.RequireAdmin, policy => - policy.RequireClaim(JwtTokenService.RoleClaimType, "Admin")); - }); + // Use the real production policy wiring so the endpoint's + // updated AuditExport gate (#23 M7-T15 Bundle G) is what + // the tests exercise. The fake principal carries the + // "Admin" role, which AuditExportRoles permits. + services.AddScadaLinkAuthorization(); services.AddSingleton(repo); services.AddScoped(); }); @@ -224,8 +224,8 @@ public class AuditExportEndpointsTests /// /// Test-only authentication handler that signs every request in as an Admin. - /// Lets the endpoint's RequireAdmin policy pass without spinning up - /// the real cookie + LDAP pipeline. + /// Admin is in AuditExportRoles, so the endpoint's AuditExport policy + /// passes without spinning up the real cookie + LDAP pipeline. /// private sealed class FakeAuthHandler : AuthenticationHandler { diff --git a/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPagePermissionTests.cs b/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPagePermissionTests.cs new file mode 100644 index 0000000..e3a754d --- /dev/null +++ b/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPagePermissionTests.cs @@ -0,0 +1,323 @@ +using System.Net; +using System.Security.Claims; +using System.Text.Encodings.Web; +using Bunit; +using Microsoft.AspNetCore.Authentication; +using Microsoft.AspNetCore.Authorization; +using Microsoft.AspNetCore.Builder; +using Microsoft.AspNetCore.Components; +using Microsoft.AspNetCore.Components.Authorization; +using Microsoft.AspNetCore.Hosting; +using Microsoft.AspNetCore.Http; +using Microsoft.AspNetCore.Routing; +using Microsoft.AspNetCore.TestHost; +using Microsoft.Extensions.DependencyInjection; +using Microsoft.Extensions.Hosting; +using Microsoft.Extensions.Logging; +using Microsoft.Extensions.Options; +using NSubstitute; +using ScadaLink.CentralUI.Audit; +using ScadaLink.CentralUI.Services; +using ScadaLink.Commons.Entities.Audit; +using ScadaLink.Commons.Interfaces.Repositories; +using ScadaLink.Commons.Types.Audit; +using ScadaLink.Commons.Types.Enums; +using ScadaLink.Security; +using AuditLogPage = ScadaLink.CentralUI.Components.Pages.Audit.AuditLogPage; + +namespace ScadaLink.CentralUI.Tests.Pages; + +/// +/// Permission-gating tests for the Audit Log surface (#23 M7-T15 / Bundle G). +/// +/// +/// Bundle G introduces two new policies: +/// +/// OperationalAudit — read access to the Audit Log page + +/// Configuration Audit Log page + nav group. +/// AuditExport — additional gate on the Export-CSV button and +/// the streaming export endpoint. +/// +/// Both policies are satisfied by the Audit role and (defence in depth) +/// the Admin role — admins see everything by convention in this +/// codebase. The tests pin both the page-level + endpoint-level enforcement, +/// and the Export-button visibility split. +/// +/// +public class AuditLogPagePermissionTests : BunitContext +{ + private static ClaimsPrincipal BuildPrincipal(params string[] roles) + { + var claims = new List { new("Username", "tester") }; + claims.AddRange(roles.Select(r => new Claim(JwtTokenService.RoleClaimType, r))); + return new ClaimsPrincipal(new ClaimsIdentity(claims, "TestAuth")); + } + + private void WireUpPageDependencies() + { + // The page hosts AuditFilterBar + AuditResultsGrid which depend on + // ISiteRepository and IAuditLogQueryService — provide stand-ins so + // a permitted render is exercised end-to-end. + Services.AddSingleton(Substitute.For()); + Services.AddSingleton(Substitute.For()); + } + + private IRenderedComponent RenderAuditLogPage(params string[] roles) + { + var user = BuildPrincipal(roles); + Services.AddSingleton(new TestAuthStateProvider(user)); + Services.AddAuthorizationCore(); + AuthorizationPolicies.AddScadaLinkAuthorization(Services); + Services.AddSingleton(); + WireUpPageDependencies(); + + // Page-level [Authorize(Policy=...)] is enforced by the router in a + // live app. bUnit renders the component directly, so we wrap the + // page in a CascadingAuthenticationState so the in-page + // AuthorizeView for the Export button can read the principal. + var host = Render(parameters => parameters + .Add(p => p.ChildContent, (RenderFragment)(builder => + { + builder.OpenComponent(0); + builder.CloseComponent(); + }))); + + return host.FindComponent(); + } + + // ───────────────────────────────────────────────────────────────────── + // Test 1: WithoutOperationalAudit_PageReturns403_OrHidden + // ───────────────────────────────────────────────────────────────────── + // + // Page-level enforcement is the [Authorize(Policy = "OperationalAudit")] + // attribute on the .razor page. We can't easily smoke-test routing here, + // so we verify the attribute is present + the policy denies a principal + // that holds none of the permitting roles. + + [Fact] + public async Task WithoutOperationalAudit_PolicyDenies() + { + // A Design-only user (no Audit, no Admin) must NOT satisfy the + // OperationalAudit policy. + var services = new ServiceCollection(); + services.AddLogging(); + services.AddScadaLinkAuthorization(); + using var provider = services.BuildServiceProvider(); + var authService = provider.GetRequiredService(); + + var principal = BuildPrincipal("Design"); + var result = await authService.AuthorizeAsync( + principal, null, AuthorizationPolicies.OperationalAudit); + + Assert.False(result.Succeeded); + } + + [Fact] + public void AuditLogPage_HasOperationalAuditAuthorizeAttribute() + { + // Sanity-pin the attribute so the page-level gate can't regress to + // [Authorize] (any-authenticated) by accident. + var attributes = typeof(AuditLogPage) + .GetCustomAttributes(typeof(AuthorizeAttribute), inherit: true) + .Cast() + .ToList(); + + Assert.Contains(attributes, a => a.Policy == AuthorizationPolicies.OperationalAudit); + } + + [Fact] + public void ConfigurationAuditLogPage_HasOperationalAuditAuthorizeAttribute() + { + // ConfigurationAuditLog mirrors the gate — both Audit-group pages + // share the OperationalAudit permission so the nav-group policy + // remains coherent with the per-page gates. + var configType = typeof(ScadaLink.CentralUI.Components.Pages.Audit.ConfigurationAuditLog); + var attributes = configType + .GetCustomAttributes(typeof(AuthorizeAttribute), inherit: true) + .Cast() + .ToList(); + + Assert.Contains(attributes, a => a.Policy == AuthorizationPolicies.OperationalAudit); + } + + // ───────────────────────────────────────────────────────────────────── + // Test 2 + 3: Export button visibility split. + // ───────────────────────────────────────────────────────────────────── + + [Fact] + public void WithOperationalAudit_NoAuditExport_PageRenders_ExportButtonHidden() + { + // The "Audit" role grants OperationalAudit + AuditExport in the + // default mapping, so we test the split by handing the user ONLY + // an extra-narrow role that we map ONLY to OperationalAudit: a + // fresh "AuditReadOnly" role (see AuthorizationPolicies). + var cut = RenderAuditLogPage("AuditReadOnly"); + + cut.WaitForAssertion(() => + { + // The page rendered (heading + container present) but the + // Export-CSV anchor is gone because AuditExport is denied. + Assert.Contains("Audit Log", cut.Markup); + Assert.DoesNotContain("Export CSV", cut.Markup); + }); + } + + [Fact] + public void WithOperationalAudit_AndAuditExport_PageRenders_ExportButtonVisible() + { + var cut = RenderAuditLogPage("Audit"); + + cut.WaitForAssertion(() => + { + Assert.Contains("Audit Log", cut.Markup); + Assert.Contains("Export CSV", cut.Markup); + }); + } + + [Fact] + public void AdminUser_SeesPage_AndExportButton() + { + // Admin holds every permission by convention — both policies must + // succeed for a plain Admin user. + var cut = RenderAuditLogPage("Admin"); + + cut.WaitForAssertion(() => + { + Assert.Contains("Audit Log", cut.Markup); + Assert.Contains("Export CSV", cut.Markup); + }); + } + + // ───────────────────────────────────────────────────────────────────── + // Test 4 + 5: Endpoint-level enforcement. + // ───────────────────────────────────────────────────────────────────── + + [Fact] + public async Task AuditExportEndpoint_WithoutAuditExport_Returns403() + { + // A user holding only Design must NOT be able to call the export + // endpoint. Live wiring re-uses AuthorizationPolicies.AuditExport. + var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Design" }); + using (host) + { + var response = await client.GetAsync("/api/centralui/audit/export"); + Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode); + } + } + + [Fact] + public async Task AuditExportEndpoint_WithAuditExport_Returns200() + { + var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Audit" }); + using (host) + { + var response = await client.GetAsync("/api/centralui/audit/export"); + Assert.Equal(HttpStatusCode.OK, response.StatusCode); + } + } + + [Fact] + public async Task AuditExportEndpoint_AdminAlone_Returns200() + { + // Admin alone (no Audit role) must still pass — defence in depth. + var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "Admin" }); + using (host) + { + var response = await client.GetAsync("/api/centralui/audit/export"); + Assert.Equal(HttpStatusCode.OK, response.StatusCode); + } + } + + [Fact] + public async Task AuditExportEndpoint_AuditReadOnly_Returns403() + { + // AuditReadOnly grants OperationalAudit but NOT AuditExport, so the + // endpoint must refuse — the page is readable but the bulk export + // path is gated separately. + var (client, _, host) = await BuildEndpointHostAsync(roles: new[] { "AuditReadOnly" }); + using (host) + { + var response = await client.GetAsync("/api/centralui/audit/export"); + Assert.Equal(HttpStatusCode.Forbidden, response.StatusCode); + } + } + + // ───────────────────────────────────────────────────────────────────── + // Helper: tiny in-process host with the real AuthorizationPolicies. + // ───────────────────────────────────────────────────────────────────── + + private static async Task<(HttpClient Client, IAuditLogRepository Repo, IHost Host)> BuildEndpointHostAsync( + string[] roles) + { + var repo = Substitute.For(); + repo.QueryAsync(Arg.Any(), Arg.Any(), Arg.Any()) + .Returns( + Task.FromResult>(Array.Empty()), + Task.FromResult>(Array.Empty())); + + var hostBuilder = new HostBuilder() + .ConfigureWebHost(web => + { + web.UseTestServer(); + web.ConfigureServices(services => + { + services.AddRouting(); + services.AddAuthentication(FakeAuthHandler.SchemeName) + .AddScheme( + FakeAuthHandler.SchemeName, opts => opts.Roles = roles); + // Real policies — the whole point of these tests is to + // exercise the production AddScadaLinkAuthorization wiring. + services.AddScadaLinkAuthorization(); + services.AddSingleton(repo); + services.AddScoped(); + }); + web.Configure(app => + { + app.UseRouting(); + app.UseAuthentication(); + app.UseAuthorization(); + app.UseEndpoints(endpoints => + { + endpoints.MapAuditExportEndpoints(); + }); + }); + }); + + var host = await hostBuilder.StartAsync(); + var client = host.GetTestClient(); + return (client, repo, host); + } + + /// + /// Test-only authentication handler that signs every request in with + /// the configured set of roles. + /// + private sealed class FakeAuthHandler : AuthenticationHandler + { + public const string SchemeName = "FakeAuth"; + + public FakeAuthHandler( + IOptionsMonitor options, + ILoggerFactory logger, + UrlEncoder encoder) + : base(options, logger, encoder) { } + + protected override Task HandleAuthenticateAsync() + { + var claims = new List { new(ClaimTypes.Name, "test-user") }; + foreach (var role in Options.Roles) + { + claims.Add(new Claim(JwtTokenService.RoleClaimType, role)); + } + var identity = new ClaimsIdentity(claims, SchemeName); + var principal = new ClaimsPrincipal(identity); + var ticket = new AuthenticationTicket(principal, SchemeName); + return Task.FromResult(AuthenticateResult.Success(ticket)); + } + } + + private sealed class FakeAuthHandlerOptions : AuthenticationSchemeOptions + { + public string[] Roles { get; set; } = Array.Empty(); + } +} diff --git a/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPageScaffoldTests.cs b/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPageScaffoldTests.cs index 01de979..955c314 100644 --- a/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPageScaffoldTests.cs +++ b/tests/ScadaLink.CentralUI.Tests/Pages/AuditLogPageScaffoldTests.cs @@ -61,7 +61,19 @@ public class AuditLogPageScaffoldTests : BunitContext nav.NavigateTo($"/audit/log?{query}"); } - return Render(); + // Bundle G (#23 M7-T15): the page now hosts an in-component + // AuthorizeView around the Export-CSV button, so the page MUST + // render inside a CascadingAuthenticationState. The router supplies + // this in production; bUnit hosts the page directly so we wrap it + // here. + var host = Render(parameters => parameters + .Add(p => p.ChildContent, (RenderFragment)(builder => + { + builder.OpenComponent(0); + builder.CloseComponent(); + }))); + + return host.FindComponent(); } private IRenderedComponent RenderNavMenu(params string[] roles) diff --git a/tests/ScadaLink.Security.Tests/SecurityTests.cs b/tests/ScadaLink.Security.Tests/SecurityTests.cs index 4abc7af..2550b48 100644 --- a/tests/ScadaLink.Security.Tests/SecurityTests.cs +++ b/tests/ScadaLink.Security.Tests/SecurityTests.cs @@ -1077,6 +1077,59 @@ public class AuthorizationPolicyTests Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireAdmin, principal)); Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDesign, principal)); Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDeployment, principal)); + Assert.False(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal)); + Assert.False(await EvaluatePolicy(AuthorizationPolicies.AuditExport, principal)); + } + + // ───────────────────────────────────────────────────────────────────── + // Audit Log #23 — OperationalAudit + AuditExport policies (M7-T15). + // Default mapping (see AuthorizationPolicies XML doc): + // Admin → OperationalAudit + AuditExport + // Audit → OperationalAudit + AuditExport + // AuditReadOnly → OperationalAudit only + // Design → neither + // Deployment → neither + // ───────────────────────────────────────────────────────────────────── + + [Theory] + [InlineData("Admin")] + [InlineData("Audit")] + [InlineData("AuditReadOnly")] + public async Task OperationalAuditPolicy_GrantedRoles_Succeed(string role) + { + var principal = CreatePrincipal(new[] { role }); + Assert.True(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal)); + } + + [Theory] + [InlineData("Design")] + [InlineData("Deployment")] + public async Task OperationalAuditPolicy_UngrantedRoles_Fail(string role) + { + var principal = CreatePrincipal(new[] { role }); + Assert.False(await EvaluatePolicy(AuthorizationPolicies.OperationalAudit, principal)); + } + + [Theory] + [InlineData("Admin")] + [InlineData("Audit")] + public async Task AuditExportPolicy_GrantedRoles_Succeed(string role) + { + var principal = CreatePrincipal(new[] { role }); + Assert.True(await EvaluatePolicy(AuthorizationPolicies.AuditExport, principal)); + } + + [Theory] + [InlineData("AuditReadOnly")] + [InlineData("Design")] + [InlineData("Deployment")] + public async Task AuditExportPolicy_UngrantedRoles_Fail(string role) + { + // AuditReadOnly is the load-bearing case: it grants OperationalAudit + // (read) but NOT AuditExport (bulk export) — the split that lets a + // triage operator drill in without exfiltrating the table. + var principal = CreatePrincipal(new[] { role }); + Assert.False(await EvaluatePolicy(AuthorizationPolicies.AuditExport, principal)); } [Fact]