feat(security): OperationalAudit + AuditExport permissions for Audit Log surface (#23 M7)

Bundle G (#23 M7-T15): replace the temporary Admin-only gate on the Audit Log surface with two new permission policies — OperationalAudit (read) and AuditExport (bulk-export) — so the read path and the forensic-export path can be delegated independently. ScadaLink.Security - AuthorizationPolicies: add OperationalAudit + AuditExport policy constants; register them via RequireClaim with an explicit role allow-list (OperationalAuditRoles, AuditExportRoles) so the role-to-permission mapping is documented in one place. - Default mapping: Admin and Audit roles grant both policies; AuditReadOnly grants OperationalAudit only (read access without bulk export); Design and Deployment grant neither. ScadaLink.CentralUI - AuditLogPage: switch the page-level [Authorize] to the OperationalAudit policy and wrap the Export-CSV button in an AuthorizeView gated on AuditExport so an OperationalAudit-only operator still sees the page + filters but cannot trigger the CSV pull. - ConfigurationAuditLog: switch from RequireAdmin to OperationalAudit so both pages under the Audit nav group share the same gate. - NavMenu: the Audit nav group now gates on OperationalAudit so the section header + both child links match the per-page policies. - AuditExportEndpoints: switch RequireAuthorization from RequireAdmin to AuditExport — this is the authoritative gate; the AuthorizeView on the button is just a UX affordance. Tests - New AuditLogPagePermissionTests covers the 5 brief-mandated cases plus defence-in-depth for Admin-alone and AuditReadOnly users on the endpoint. - SecurityTests: add policy-level coverage for the new role→permission matrix (Theory rows pin every role/policy combination). - AuditExportEndpointsTests: switch to AddScadaLinkAuthorization() so the test host exercises the real production wiring under the new gate. - AuditLogPageScaffoldTests: wrap the page render in a CascadingAuthenticationState so the new in-page AuthorizeView resolves the principal.
2026-05-20 21:09:42 -04:00
parent 8744630adb
commit 6dea84cd28
9 changed files with 538 additions and 33 deletions
--- a/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor
+++ b/src/ScadaLink.CentralUI/Components/Layout/NavMenu.razor
@@ -108,11 +108,15 @@
                        </Authorized>
                    </AuthorizeView>

-                    @* Audit — Admin only. Hosts the new Audit Log page (#23 M7)
-                       and the renamed Configuration Audit Log (IAuditService
-                       config-change viewer). Both items are Admin-gated, so
-                       the section header sits inside the same policy block. *@
-                    <AuthorizeView Policy="@AuthorizationPolicies.RequireAdmin">
+                    @* Audit — gated on the OperationalAudit policy (#23 M7-T15
+                       / Bundle G). Hosts the new Audit Log page (#23 M7) and
+                       the renamed Configuration Audit Log (IAuditService
+                       config-change viewer). Both items share the same gate,
+                       so the section header sits inside the same policy block:
+                       a non-audit user does not even see the heading.
+                       OperationalAudit is satisfied by the Admin, Audit, and
+                       AuditReadOnly roles. *@
+                    <AuthorizeView Policy="@AuthorizationPolicies.OperationalAudit">
                        <Authorized Context="auditContext">
                            <div role="presentation" class="nav-section-header">Audit</div>
                            <li class="nav-item">