fix(central-ui): resolve CentralUI-002/003/004 — site-scope enforcement, per-circuit console capture, cached auth state

tests/ScadaLink.CentralUI.Tests/Auth/SiteScopeServiceTests.cs

@@ -0,0 +1,93 @@
+using System.Security.Claims;
+using Microsoft.AspNetCore.Components.Authorization;
+using ScadaLink.CentralUI.Auth;
+using ScadaLink.Commons.Entities.Sites;
+using ScadaLink.Security;
+
+namespace ScadaLink.CentralUI.Tests.Auth;
+
+/// <summary>
+/// Regression tests for CentralUI-002. Site-scoped Deployment permissions are
+/// written as <c>SiteId</c> claims at login but were never read — Deployment
+/// pages listed and acted on every site. <see cref="SiteScopeService"/> is the
+/// shared helper that reads those claims; these tests pin its behaviour.
+/// </summary>
+public class SiteScopeServiceTests
+{
+    private sealed class StubAuthStateProvider : AuthenticationStateProvider
+    {
+        private readonly ClaimsPrincipal _user;
+        public StubAuthStateProvider(ClaimsPrincipal user) => _user = user;
+        public override Task<AuthenticationState> GetAuthenticationStateAsync()
+            => Task.FromResult(new AuthenticationState(_user));
+    }
+
+    private static SiteScopeService ForUser(params Claim[] claims)
+    {
+        var identity = new ClaimsIdentity(claims, authenticationType: "TestCookie");
+        return new SiteScopeService(new StubAuthStateProvider(new ClaimsPrincipal(identity)));
+    }
+
+    private static Claim Role(string role) => new(JwtTokenService.RoleClaimType, role);
+    private static Claim SiteClaim(int id) => new(JwtTokenService.SiteIdClaimType, id.ToString());
+
+    private static List<Site> Sites(params int[] ids)
+        => ids.Select(id => new Site($"Site{id}", $"SITE-{id}") { Id = id }).ToList();
+
+    [Fact]
+    public async Task DeploymentUserWithNoSiteClaims_IsSystemWide()
+    {
+        var svc = ForUser(Role("Deployment"));
+
+        Assert.True(await svc.IsSystemWideAsync());
+        Assert.Empty(await svc.PermittedSiteIdsAsync());
+    }
+
+    [Fact]
+    public async Task SystemWideUser_FilterSites_ReturnsAllSites()
+    {
+        var svc = ForUser(Role("Deployment"));
+
+        var filtered = await svc.FilterSitesAsync(Sites(1, 2, 3));
+
+        Assert.Equal(new[] { 1, 2, 3 }, filtered.Select(s => s.Id));
+    }
+
+    [Fact]
+    public async Task ScopedUser_FilterSites_ReturnsOnlyPermittedSites()
+    {
+        // Regression: a Deployment user scoped to sites 1 and 3 must NOT see site 2.
+        var svc = ForUser(Role("Deployment"), SiteClaim(1), SiteClaim(3));
+
+        var filtered = await svc.FilterSitesAsync(Sites(1, 2, 3, 4));
+
+        Assert.Equal(new[] { 1, 3 }, filtered.Select(s => s.Id).OrderBy(x => x));
+    }
+
+    [Fact]
+    public async Task ScopedUser_IsSiteAllowed_OnlyForGrantedSites()
+    {
+        var svc = ForUser(Role("Deployment"), SiteClaim(5));
+
+        Assert.True(await svc.IsSiteAllowedAsync(5));
+        Assert.False(await svc.IsSiteAllowedAsync(6));
+    }
+
+    [Fact]
+    public async Task ScopedUser_IsNotSystemWide_AndReportsItsPermittedIds()
+    {
+        var svc = ForUser(Role("Deployment"), SiteClaim(7), SiteClaim(9));
+
+        Assert.False(await svc.IsSystemWideAsync());
+        Assert.Equal(new[] { 7, 9 }, (await svc.PermittedSiteIdsAsync()).OrderBy(x => x));
+    }
+
+    [Fact]
+    public async Task SystemWideUser_IsSiteAllowed_ForAnySite()
+    {
+        var svc = ForUser(Role("Deployment"));
+
+        Assert.True(await svc.IsSiteAllowedAsync(1));
+        Assert.True(await svc.IsSiteAllowedAsync(999));
+    }
+}