feat(transport): BundleExporter with audit logging

2026-05-24 04:30:18 -04:00
parent 901d9affdf
commit 7c70ce0dbf
3 changed files with 454 additions and 0 deletions
--- a/src/ScadaLink.Transport/Export/BundleExporter.cs
+++ b/src/ScadaLink.Transport/Export/BundleExporter.cs
@@ -0,0 +1,160 @@
+using System.Security.Cryptography;
+using Microsoft.Extensions.Options;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.Commons.Interfaces.Transport;
+using ScadaLink.Commons.Types.Transport;
+using ScadaLink.ConfigurationDatabase;
+using ScadaLink.Transport.Encryption;
+using ScadaLink.Transport.Serialization;
+
+namespace ScadaLink.Transport.Export;
+
+/// <summary>
+/// Ties together the resolver, serializer, encryptor, manifest builder, and audit
+/// service into a single export pipeline. Produces a ZIP-formatted bundle stream
+/// and emits one append-only audit row per export — distinguishing encrypted vs
+/// unencrypted runs via the <c>Action</c> column. The returned stream is positioned
+/// at <c>0</c> so callers can immediately copy to a response/file.
+/// </summary>
+public sealed class BundleExporter : IBundleExporter
+{
+    private readonly DependencyResolver _resolver;
+    private readonly EntitySerializer _entitySerializer;
+    private readonly ManifestBuilder _manifestBuilder;
+    private readonly BundleSecretEncryptor _encryptor;
+    private readonly BundleSerializer _bundleSerializer;
+    private readonly IAuditService _auditService;
+    private readonly ScadaLinkDbContext _dbContext;
+    private readonly IOptions<TransportOptions> _options;
+
+    public BundleExporter(
+        DependencyResolver resolver,
+        EntitySerializer entitySerializer,
+        ManifestBuilder manifestBuilder,
+        BundleSecretEncryptor encryptor,
+        BundleSerializer bundleSerializer,
+        IAuditService auditService,
+        ScadaLinkDbContext dbContext,
+        IOptions<TransportOptions> options)
+    {
+        _resolver = resolver ?? throw new ArgumentNullException(nameof(resolver));
+        _entitySerializer = entitySerializer ?? throw new ArgumentNullException(nameof(entitySerializer));
+        _manifestBuilder = manifestBuilder ?? throw new ArgumentNullException(nameof(manifestBuilder));
+        _encryptor = encryptor ?? throw new ArgumentNullException(nameof(encryptor));
+        _bundleSerializer = bundleSerializer ?? throw new ArgumentNullException(nameof(bundleSerializer));
+        _auditService = auditService ?? throw new ArgumentNullException(nameof(auditService));
+        _dbContext = dbContext ?? throw new ArgumentNullException(nameof(dbContext));
+        _options = options ?? throw new ArgumentNullException(nameof(options));
+    }
+
+    public async Task<Stream> ExportAsync(
+        ExportSelection selection,
+        string user,
+        string sourceEnvironment,
+        string? passphrase,
+        CancellationToken cancellationToken = default)
+    {
+        ArgumentNullException.ThrowIfNull(selection);
+        ArgumentNullException.ThrowIfNull(user);
+        ArgumentNullException.ThrowIfNull(sourceEnvironment);
+
+        // 1. Resolve dependencies → ResolvedExport (topologically sorted templates,
+        //    folder chain, transitive shared-scripts/external-systems if requested).
+        var resolved = await _resolver.ResolveAsync(selection, cancellationToken).ConfigureAwait(false);
+
+        // 2. Convert to the wire-shaped DTO (strips EF identity, refs-by-name).
+        var aggregate = new EntityAggregate(
+            TemplateFolders: resolved.TemplateFolders,
+            Templates: resolved.Templates,
+            SharedScripts: resolved.SharedScripts,
+            ExternalSystems: resolved.ExternalSystems,
+            ExternalSystemMethods: resolved.ExternalSystemMethods,
+            DatabaseConnections: resolved.DatabaseConnections,
+            NotificationLists: resolved.NotificationLists,
+            SmtpConfigurations: resolved.SmtpConfigs,
+            ApiKeys: resolved.ApiKeys,
+            ApiMethods: resolved.ApiMethods);
+        var contentDto = _entitySerializer.ToBundleContent(aggregate);
+
+        // 3. Per-category summary counts — used for fast humanly-readable preview at import.
+        var summary = new BundleSummary(
+            Templates: resolved.Templates.Count,
+            TemplateFolders: resolved.TemplateFolders.Count,
+            SharedScripts: resolved.SharedScripts.Count,
+            ExternalSystems: resolved.ExternalSystems.Count,
+            DbConnections: resolved.DatabaseConnections.Count,
+            NotificationLists: resolved.NotificationLists.Count,
+            SmtpConfigs: resolved.SmtpConfigs.Count,
+            ApiKeys: resolved.ApiKeys.Count,
+            ApiMethods: resolved.ApiMethods.Count);
+
+        // 4. Build a TEMPLATE manifest. BundleSerializer.Pack re-stamps both
+        //    ContentHash and EncryptionMetadata against the bytes it actually
+        //    writes, so we only need to seed EncryptionMetadata.Iterations when
+        //    a passphrase is supplied — Pack rebuilds salt/iv/hash internally.
+        var assemblyVersion = typeof(BundleExporter).Assembly.GetName().Version?.ToString() ?? "0.0.0";
+        EncryptionMetadata? encryptionSeed = passphrase is null
+            ? null
+            : new EncryptionMetadata(
+                Algorithm: "AES-256-GCM",
+                Kdf: "PBKDF2-SHA256",
+                Iterations: _options.Value.Pbkdf2Iterations,
+                SaltB64: string.Empty,
+                IvB64: string.Empty);
+
+        var templateManifest = _manifestBuilder.Build(
+            sourceEnvironment: sourceEnvironment,
+            exportedBy: user,
+            scadaLinkVersion: assemblyVersion,
+            encryption: encryptionSeed,
+            summary: summary,
+            contents: resolved.ContentManifest,
+            // Pack re-stamps ContentHash against the bytes it actually writes
+            // (either fresh ciphertext or the JSON it just serialized), so the
+            // upstream hash here only matters for the plaintext path — Pack
+            // trusts the supplied hash and the serializer is deterministic.
+            contentBytes: _bundleSerializer.SerializeContentBytes(contentDto));
+
+        // 5. Pack the zip; with a passphrase, Pack re-encrypts and re-stamps
+        //    EncryptionMetadata (fresh salt/iv) + ContentHash.
+        var zipStream = _bundleSerializer.Pack(contentDto, templateManifest, passphrase, _encryptor);
+
+        // 6. Audit — entityId is the bundle's overall SHA-256 over the zip bytes
+        //    (opaque to caller but uniquely identifies this export). Action
+        //    discriminates encrypted vs unencrypted runs.
+        var bundleHash = ComputeStreamSha256(zipStream);
+        await _auditService.LogAsync(
+            user: user,
+            action: passphrase is null ? "UnencryptedBundleExport" : "BundleExported",
+            entityType: "Bundle",
+            entityId: bundleHash,
+            entityName: sourceEnvironment,
+            afterState: new
+            {
+                SourceEnvironment = sourceEnvironment,
+                Encrypted = passphrase is not null,
+                ArtifactCount = resolved.ContentManifest.Count,
+                Summary = summary,
+            },
+            cancellationToken: cancellationToken).ConfigureAwait(false);
+
+        await _dbContext.SaveChangesAsync(cancellationToken).ConfigureAwait(false);
+
+        zipStream.Position = 0;
+        return zipStream;
+    }
+
+    /// <summary>
+    /// Hashes the zip stream's bytes (resets position before + after) so the audit
+    /// row's <c>EntityId</c> uniquely identifies this exact bundle without leaking
+    /// any of the manifest's internal hashes (which describe content, not the zip).
+    /// </summary>
+    private static string ComputeStreamSha256(Stream stream)
+    {
+        stream.Position = 0;
+        using var sha = SHA256.Create();
+        var hash = sha.ComputeHash(stream);
+        stream.Position = 0;
+        return "sha256:" + Convert.ToHexString(hash).ToLowerInvariant();
+    }
+}
--- a/src/ScadaLink.Transport/ServiceCollectionExtensions.cs
+++ b/src/ScadaLink.Transport/ServiceCollectionExtensions.cs
@@ -2,8 +2,10 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Options;
 using ScadaLink.Commons.Interfaces.Transport;
+using ScadaLink.Transport.Encryption;
 using ScadaLink.Transport.Export;
 using ScadaLink.Transport.Import;
+using ScadaLink.Transport.Serialization;

 namespace ScadaLink.Transport;

@@ -16,7 +18,17 @@ public static class ServiceCollectionExtensions
        ArgumentNullException.ThrowIfNull(services);
        services.AddOptions<TransportOptions>().BindConfiguration(OptionsSection);
        services.TryAddSingleton(TimeProvider.System);
+
+        // Pipeline building blocks: stateless services live as singletons; the
+        // resolver and exporter are scoped because they reach into per-request
+        // repository scopes and the scoped DbContext.
+        services.AddSingleton<BundleSecretEncryptor>();
+        services.AddSingleton<ManifestBuilder>();
+        services.AddSingleton<ManifestValidator>();
+        services.AddSingleton<BundleSerializer>();
+        services.AddSingleton<EntitySerializer>();
        services.AddScoped<DependencyResolver>();
+        services.AddScoped<IBundleExporter, BundleExporter>();
        services.AddSingleton<IBundleSessionStore, BundleSessionStore>();
        // Remaining concrete services added in later tasks.
        return services;