fix(management-service): resolve ManagementService-001/002/003 — enforce site scope on query/snapshot handlers and DebugStreamHub

2026-05-16 19:47:17 -04:00
parent 6f4efdfa2e
commit b249ca3bf7
5 changed files with 404 additions and 28 deletions
--- a/tests/ScadaLink.ManagementService.Tests/DebugStreamHubTests.cs
+++ b/tests/ScadaLink.ManagementService.Tests/DebugStreamHubTests.cs
@@ -0,0 +1,66 @@
+using ScadaLink.ManagementService;
+
+namespace ScadaLink.ManagementService.Tests;
+
+/// <summary>
+/// Tests for <see cref="DebugStreamHub"/> per-instance site-scope authorization
+/// (finding ManagementService-003).
+/// </summary>
+public class DebugStreamHubTests
+{
+    [Fact]
+    public void IsInstanceAccessAllowed_SiteScopedUser_InScopeInstance_Allowed()
+    {
+        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
+            roles: new[] { "Deployment" },
+            permittedSiteIds: new[] { "1", "2" },
+            instanceSiteId: 2);
+
+        Assert.True(allowed);
+    }
+
+    [Fact]
+    public void IsInstanceAccessAllowed_SiteScopedUser_OutOfScopeInstance_Denied()
+    {
+        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
+            roles: new[] { "Deployment" },
+            permittedSiteIds: new[] { "1", "2" },
+            instanceSiteId: 99);
+
+        Assert.False(allowed);
+    }
+
+    [Fact]
+    public void IsInstanceAccessAllowed_SystemWideDeployment_AnySiteAllowed()
+    {
+        // Empty permitted set == system-wide Deployment.
+        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
+            roles: new[] { "Deployment" },
+            permittedSiteIds: Array.Empty<string>(),
+            instanceSiteId: 99);
+
+        Assert.True(allowed);
+    }
+
+    [Fact]
+    public void IsInstanceAccessAllowed_AdminRole_BypassesSiteScope()
+    {
+        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
+            roles: new[] { "Admin", "Deployment" },
+            permittedSiteIds: new[] { "1" },
+            instanceSiteId: 99);
+
+        Assert.True(allowed);
+    }
+
+    [Fact]
+    public void IsInstanceAccessAllowed_AdminRoleCheck_IsCaseInsensitive()
+    {
+        var allowed = DebugStreamHub.IsInstanceAccessAllowed(
+            roles: new[] { "admin" },
+            permittedSiteIds: new[] { "1" },
+            instanceSiteId: 99);
+
+        Assert.True(allowed);
+    }
+}