fix(central-ui): resolve CentralUI-002/003/004 — site-scope enforcement, per-circuit console capture, cached auth state

src/ScadaLink.CentralUI/Auth/SiteScopeService.cs

@@ -0,0 +1,93 @@
+using Microsoft.AspNetCore.Components.Authorization;
+using ScadaLink.Commons.Entities.Sites;
+using ScadaLink.Security;
+
+namespace ScadaLink.CentralUI.Auth;
+
+/// <summary>
+/// Resolves the set of sites the current user is permitted to operate on, from
+/// the <c>SiteId</c> claims attached at login (CentralUI-002).
+/// <para>
+/// The design (Component-CentralUI, CLAUDE.md "Security &amp; Auth") makes the
+/// Deployment role site-scoped: a Deployment user mapped through an LDAP group
+/// with site-scope rules carries one <see cref="JwtTokenService.SiteIdClaimType"/>
+/// claim per permitted site (the claim value is the integer <c>Site.Id</c>).
+/// A Deployment user with no <c>SiteId</c> claim — and any Admin/Design user — is
+/// system-wide.
+/// </para>
+/// <para>
+/// Deployment and Monitoring pages must filter every site/instance list through
+/// <see cref="FilterSitesAsync"/> and re-check <see cref="IsSiteAllowedAsync"/>
+/// before any cross-site command, so a scoped user cannot view or act on sites
+/// outside their grant.
+/// </para>
+/// </summary>
+public sealed class SiteScopeService
+{
+    private readonly AuthenticationStateProvider _authStateProvider;
+    private (bool IsSystemWide, IReadOnlySet<int> Sites)? _cached;
+
+    public SiteScopeService(AuthenticationStateProvider authStateProvider)
+    {
+        _authStateProvider = authStateProvider;
+    }
+
+    /// <summary>
+    /// True when the user is not restricted to a site subset (no <c>SiteId</c>
+    /// claims). System-wide users see and act on every site.
+    /// </summary>
+    public async Task<bool> IsSystemWideAsync()
+        => (await ResolveAsync()).IsSystemWide;
+
+    /// <summary>
+    /// The set of <c>Site.Id</c> values the user may operate on. Empty for a
+    /// system-wide user (callers should consult <see cref="IsSystemWideAsync"/>
+    /// or use the filter/allowed helpers, which already account for that).
+    /// </summary>
+    public async Task<IReadOnlySet<int>> PermittedSiteIdsAsync()
+        => (await ResolveAsync()).Sites;
+
+    /// <summary>
+    /// Returns the subset of <paramref name="sites"/> the user is permitted to
+    /// see. A system-wide user gets the full list back unchanged.
+    /// </summary>
+    public async Task<List<Site>> FilterSitesAsync(IEnumerable<Site> sites)
+    {
+        var (isSystemWide, allowed) = await ResolveAsync();
+        if (isSystemWide)
+            return sites.ToList();
+        return sites.Where(s => allowed.Contains(s.Id)).ToList();
+    }
+
+    /// <summary>
+    /// True when the user may operate on the site with the given <c>Site.Id</c>.
+    /// Must be re-checked server-side before any mutating cross-site command.
+    /// </summary>
+    public async Task<bool> IsSiteAllowedAsync(int siteId)
+    {
+        var (isSystemWide, allowed) = await ResolveAsync();
+        return isSystemWide || allowed.Contains(siteId);
+    }
+
+    private async Task<(bool IsSystemWide, IReadOnlySet<int> Sites)> ResolveAsync()
+    {
+        if (_cached is { } cached)
+            return cached;
+
+        var state = await _authStateProvider.GetAuthenticationStateAsync();
+        var siteClaims = state.User.FindAll(JwtTokenService.SiteIdClaimType);
+
+        var ids = new HashSet<int>();
+        foreach (var claim in siteClaims)
+        {
+            if (int.TryParse(claim.Value, out var id))
+                ids.Add(id);
+        }
+
+        // No SiteId claims => system-wide. This mirrors SiteScopeAuthorizationHandler:
+        // absence of scope rules means an unrestricted deployer.
+        var result = (IsSystemWide: ids.Count == 0, Sites: (IReadOnlySet<int>)ids);
+        _cached = result;
+        return result;
+    }
+}