Phase 1 WP-2–10: Repositories, audit service, security & auth (LDAP, JWT, roles, policies, data protection)

- WP-2: SecurityRepository + CentralUiRepository with audit log queries - WP-3: AuditService with transactional guarantee (same SaveChangesAsync) - WP-4: Optimistic concurrency tests (deployment records vs template last-write-wins) - WP-5: Seed data (SCADA-Admins → Admin role mapping) - WP-6: LdapAuthService (direct bind, TLS enforcement, group query) - WP-7: JwtTokenService (HMAC-SHA256, 15-min refresh, 30-min idle timeout) - WP-8: RoleMapper (LDAP groups → roles with site-scoped deployment) - WP-9: Authorization policies (Admin/Design/Deployment + site scope handler) - WP-10: Shared Data Protection keys via EF Core 141 tests pass, zero warnings.
2026-03-16 19:32:43 -04:00
parent 1996b21961
commit cafb7d2006
31 changed files with 3356 additions and 8 deletions
--- a/src/ScadaLink.Commons/Entities/Security/LdapGroupMapping.cs
+++ b/src/ScadaLink.Commons/Entities/Security/LdapGroupMapping.cs
@@ -6,6 +6,9 @@ public class LdapGroupMapping
    public string LdapGroupName { get; set; }
    public string Role { get; set; }

+    // Parameterless constructor for EF Core seed data
+    private LdapGroupMapping() { LdapGroupName = null!; Role = null!; }
+
    public LdapGroupMapping(string ldapGroupName, string role)
    {
        LdapGroupName = ldapGroupName ?? throw new ArgumentNullException(nameof(ldapGroupName));
--- a/src/ScadaLink.Commons/Interfaces/Repositories/ICentralUiRepository.cs
+++ b/src/ScadaLink.Commons/Interfaces/Repositories/ICentralUiRepository.cs
@@ -1,3 +1,4 @@
+using ScadaLink.Commons.Entities.Audit;
 using ScadaLink.Commons.Entities.Deployment;
 using ScadaLink.Commons.Entities.Instances;
 using ScadaLink.Commons.Entities.Sites;
@@ -15,5 +16,18 @@ public interface ICentralUiRepository
    Task<IReadOnlyList<DeploymentRecord>> GetRecentDeploymentsAsync(int count, CancellationToken cancellationToken = default);
    Task<IReadOnlyList<Area>> GetAreaTreeBySiteIdAsync(int siteId, CancellationToken cancellationToken = default);

+    // Audit log queries
+    Task<(IReadOnlyList<AuditLogEntry> Entries, int TotalCount)> GetAuditLogEntriesAsync(
+        string? user = null,
+        string? entityType = null,
+        string? action = null,
+        DateTimeOffset? from = null,
+        DateTimeOffset? to = null,
+        string? entityId = null,
+        string? entityName = null,
+        int page = 1,
+        int pageSize = 50,
+        CancellationToken cancellationToken = default);
+
    Task<int> SaveChangesAsync(CancellationToken cancellationToken = default);
 }
--- a/src/ScadaLink.ConfigurationDatabase/Configurations/SecurityConfiguration.cs
+++ b/src/ScadaLink.ConfigurationDatabase/Configurations/SecurityConfiguration.cs
@@ -20,6 +20,9 @@ public class LdapGroupMappingConfiguration : IEntityTypeConfiguration<LdapGroupM
            .HasMaxLength(100);

        builder.HasIndex(m => m.LdapGroupName).IsUnique();
+
+        // Seed default admin mapping
+        builder.HasData(new LdapGroupMapping("SCADA-Admins", "Admin") { Id = 1 });
    }
 }

--- a/src/ScadaLink.ConfigurationDatabase/Migrations/20260316231942_SeedData.Designer.cs
+++ b/src/ScadaLink.ConfigurationDatabase/Migrations/20260316231942_SeedData.Designer.cs
--- a/src/ScadaLink.ConfigurationDatabase/Migrations/20260316231942_SeedData.cs
+++ b/src/ScadaLink.ConfigurationDatabase/Migrations/20260316231942_SeedData.cs
@@ -0,0 +1,28 @@
+using Microsoft.EntityFrameworkCore.Migrations;
+
+#nullable disable
+
+namespace ScadaLink.ConfigurationDatabase.Migrations
+{
+    /// <inheritdoc />
+    public partial class SeedData : Migration
+    {
+        /// <inheritdoc />
+        protected override void Up(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.InsertData(
+                table: "LdapGroupMappings",
+                columns: new[] { "Id", "LdapGroupName", "Role" },
+                values: new object[] { 1, "SCADA-Admins", "Admin" });
+        }
+
+        /// <inheritdoc />
+        protected override void Down(MigrationBuilder migrationBuilder)
+        {
+            migrationBuilder.DeleteData(
+                table: "LdapGroupMappings",
+                keyColumn: "Id",
+                keyValue: 1);
+        }
+    }
+}
--- a/src/ScadaLink.ConfigurationDatabase/Migrations/ScadaLinkDbContextModelSnapshot.cs
+++ b/src/ScadaLink.ConfigurationDatabase/Migrations/ScadaLinkDbContextModelSnapshot.cs
@@ -631,6 +631,14 @@ namespace ScadaLink.ConfigurationDatabase.Migrations
                        .IsUnique();

                    b.ToTable("LdapGroupMappings");
+
+                    b.HasData(
+                        new
+                        {
+                            Id = 1,
+                            LdapGroupName = "SCADA-Admins",
+                            Role = "Admin"
+                        });
                });

            modelBuilder.Entity("ScadaLink.Commons.Entities.Security.SiteScopeRule", b =>
--- a/src/ScadaLink.ConfigurationDatabase/Repositories/CentralUiRepository.cs
+++ b/src/ScadaLink.ConfigurationDatabase/Repositories/CentralUiRepository.cs
@@ -0,0 +1,147 @@
+using Microsoft.EntityFrameworkCore;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Entities.Deployment;
+using ScadaLink.Commons.Entities.Instances;
+using ScadaLink.Commons.Entities.Sites;
+using ScadaLink.Commons.Entities.Templates;
+using ScadaLink.Commons.Interfaces.Repositories;
+
+namespace ScadaLink.ConfigurationDatabase.Repositories;
+
+public class CentralUiRepository : ICentralUiRepository
+{
+    private readonly ScadaLinkDbContext _context;
+
+    public CentralUiRepository(ScadaLinkDbContext context)
+    {
+        _context = context ?? throw new ArgumentNullException(nameof(context));
+    }
+
+    public async Task<IReadOnlyList<Site>> GetAllSitesAsync(CancellationToken cancellationToken = default)
+    {
+        return await _context.Sites
+            .AsNoTracking()
+            .OrderBy(s => s.Name)
+            .ToListAsync(cancellationToken);
+    }
+
+    public async Task<IReadOnlyList<DataConnection>> GetDataConnectionsBySiteIdAsync(int siteId, CancellationToken cancellationToken = default)
+    {
+        return await _context.SiteDataConnectionAssignments
+            .AsNoTracking()
+            .Where(a => a.SiteId == siteId)
+            .Join(_context.DataConnections, a => a.DataConnectionId, d => d.Id, (_, d) => d)
+            .ToListAsync(cancellationToken);
+    }
+
+    public async Task<IReadOnlyList<SiteDataConnectionAssignment>> GetAllSiteDataConnectionAssignmentsAsync(CancellationToken cancellationToken = default)
+    {
+        return await _context.SiteDataConnectionAssignments
+            .AsNoTracking()
+            .ToListAsync(cancellationToken);
+    }
+
+    public async Task<IReadOnlyList<Template>> GetTemplateTreeAsync(CancellationToken cancellationToken = default)
+    {
+        return await _context.Templates
+            .AsNoTracking()
+            .Include(t => t.Attributes)
+            .Include(t => t.Alarms)
+            .Include(t => t.Scripts)
+            .Include(t => t.Compositions)
+            .OrderBy(t => t.Name)
+            .ToListAsync(cancellationToken);
+    }
+
+    public async Task<IReadOnlyList<Instance>> GetInstancesFilteredAsync(
+        int? siteId = null,
+        int? templateId = null,
+        string? searchTerm = null,
+        CancellationToken cancellationToken = default)
+    {
+        var query = _context.Instances.AsNoTracking().AsQueryable();
+
+        if (siteId.HasValue)
+            query = query.Where(i => i.SiteId == siteId.Value);
+
+        if (templateId.HasValue)
+            query = query.Where(i => i.TemplateId == templateId.Value);
+
+        if (!string.IsNullOrWhiteSpace(searchTerm))
+            query = query.Where(i => i.UniqueName.Contains(searchTerm));
+
+        return await query
+            .OrderBy(i => i.UniqueName)
+            .ToListAsync(cancellationToken);
+    }
+
+    public async Task<IReadOnlyList<DeploymentRecord>> GetRecentDeploymentsAsync(int count, CancellationToken cancellationToken = default)
+    {
+        return await _context.DeploymentRecords
+            .AsNoTracking()
+            .OrderByDescending(d => d.DeployedAt)
+            .Take(count)
+            .ToListAsync(cancellationToken);
+    }
+
+    public async Task<IReadOnlyList<Area>> GetAreaTreeBySiteIdAsync(int siteId, CancellationToken cancellationToken = default)
+    {
+        return await _context.Areas
+            .AsNoTracking()
+            .Where(a => a.SiteId == siteId)
+            .Include(a => a.Children)
+            .OrderBy(a => a.Name)
+            .ToListAsync(cancellationToken);
+    }
+
+    public async Task<(IReadOnlyList<AuditLogEntry> Entries, int TotalCount)> GetAuditLogEntriesAsync(
+        string? user = null,
+        string? entityType = null,
+        string? action = null,
+        DateTimeOffset? from = null,
+        DateTimeOffset? to = null,
+        string? entityId = null,
+        string? entityName = null,
+        int page = 1,
+        int pageSize = 50,
+        CancellationToken cancellationToken = default)
+    {
+        var query = _context.AuditLogEntries.AsNoTracking().AsQueryable();
+
+        if (!string.IsNullOrWhiteSpace(user))
+            query = query.Where(a => a.User == user);
+
+        if (!string.IsNullOrWhiteSpace(entityType))
+            query = query.Where(a => a.EntityType == entityType);
+
+        if (!string.IsNullOrWhiteSpace(action))
+            query = query.Where(a => a.Action == action);
+
+        if (from.HasValue)
+            query = query.Where(a => a.Timestamp >= from.Value);
+
+        if (to.HasValue)
+            query = query.Where(a => a.Timestamp <= to.Value);
+
+        if (!string.IsNullOrWhiteSpace(entityId))
+            query = query.Where(a => a.EntityId == entityId);
+
+        if (!string.IsNullOrWhiteSpace(entityName))
+            query = query.Where(a => a.EntityName.Contains(entityName));
+
+        var totalCount = await query.CountAsync(cancellationToken);
+
+        var entries = await query
+            .OrderByDescending(a => a.Timestamp)
+            .Skip((page - 1) * pageSize)
+            .Take(pageSize)
+            .ToListAsync(cancellationToken);
+
+        return (entries, totalCount);
+    }
+
+    public async Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
+    {
+        return await _context.SaveChangesAsync(cancellationToken);
+    }
+}
--- a/src/ScadaLink.ConfigurationDatabase/Repositories/SecurityRepository.cs
+++ b/src/ScadaLink.ConfigurationDatabase/Repositories/SecurityRepository.cs
@@ -0,0 +1,93 @@
+using Microsoft.EntityFrameworkCore;
+using ScadaLink.Commons.Entities.Security;
+using ScadaLink.Commons.Interfaces.Repositories;
+
+namespace ScadaLink.ConfigurationDatabase.Repositories;
+
+public class SecurityRepository : ISecurityRepository
+{
+    private readonly ScadaLinkDbContext _context;
+
+    public SecurityRepository(ScadaLinkDbContext context)
+    {
+        _context = context ?? throw new ArgumentNullException(nameof(context));
+    }
+
+    // LdapGroupMapping
+
+    public async Task<LdapGroupMapping?> GetMappingByIdAsync(int id, CancellationToken cancellationToken = default)
+    {
+        return await _context.LdapGroupMappings.FindAsync(new object[] { id }, cancellationToken);
+    }
+
+    public async Task<IReadOnlyList<LdapGroupMapping>> GetAllMappingsAsync(CancellationToken cancellationToken = default)
+    {
+        return await _context.LdapGroupMappings.ToListAsync(cancellationToken);
+    }
+
+    public async Task<IReadOnlyList<LdapGroupMapping>> GetMappingsByRoleAsync(string role, CancellationToken cancellationToken = default)
+    {
+        return await _context.LdapGroupMappings
+            .Where(m => m.Role == role)
+            .ToListAsync(cancellationToken);
+    }
+
+    public async Task AddMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
+    {
+        await _context.LdapGroupMappings.AddAsync(mapping, cancellationToken);
+    }
+
+    public Task UpdateMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
+    {
+        _context.LdapGroupMappings.Update(mapping);
+        return Task.CompletedTask;
+    }
+
+    public async Task DeleteMappingAsync(int id, CancellationToken cancellationToken = default)
+    {
+        var mapping = await _context.LdapGroupMappings.FindAsync(new object[] { id }, cancellationToken);
+        if (mapping != null)
+        {
+            _context.LdapGroupMappings.Remove(mapping);
+        }
+    }
+
+    // SiteScopeRule
+
+    public async Task<SiteScopeRule?> GetScopeRuleByIdAsync(int id, CancellationToken cancellationToken = default)
+    {
+        return await _context.SiteScopeRules.FindAsync(new object[] { id }, cancellationToken);
+    }
+
+    public async Task<IReadOnlyList<SiteScopeRule>> GetScopeRulesForMappingAsync(int ldapGroupMappingId, CancellationToken cancellationToken = default)
+    {
+        return await _context.SiteScopeRules
+            .Where(r => r.LdapGroupMappingId == ldapGroupMappingId)
+            .ToListAsync(cancellationToken);
+    }
+
+    public async Task AddScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
+    {
+        await _context.SiteScopeRules.AddAsync(rule, cancellationToken);
+    }
+
+    public Task UpdateScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
+    {
+        _context.SiteScopeRules.Update(rule);
+        return Task.CompletedTask;
+    }
+
+    public async Task DeleteScopeRuleAsync(int id, CancellationToken cancellationToken = default)
+    {
+        var rule = await _context.SiteScopeRules.FindAsync(new object[] { id }, cancellationToken);
+        if (rule != null)
+        {
+            _context.SiteScopeRules.Remove(rule);
+        }
+    }
+
+    public async Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
+    {
+        return await _context.SaveChangesAsync(cancellationToken);
+    }
+}
--- a/src/ScadaLink.ConfigurationDatabase/ScadaLink.ConfigurationDatabase.csproj
+++ b/src/ScadaLink.ConfigurationDatabase/ScadaLink.ConfigurationDatabase.csproj
@@ -17,6 +17,7 @@
    <PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="10.0.5" />
    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.5" />
    <PackageReference Include="Microsoft.Extensions.Options" Version="10.0.5" />
+    <PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="10.0.5" />
  </ItemGroup>

  <ItemGroup>
--- a/src/ScadaLink.ConfigurationDatabase/ScadaLinkDbContext.cs
+++ b/src/ScadaLink.ConfigurationDatabase/ScadaLinkDbContext.cs
@@ -1,3 +1,4 @@
+using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
 using Microsoft.EntityFrameworkCore;
 using ScadaLink.Commons.Entities.Audit;
 using ScadaLink.Commons.Entities.Deployment;
@@ -12,7 +13,7 @@ using ScadaLink.Commons.Entities.Templates;

 namespace ScadaLink.ConfigurationDatabase;

-public class ScadaLinkDbContext : DbContext
+public class ScadaLinkDbContext : DbContext, IDataProtectionKeyContext
 {
    public ScadaLinkDbContext(DbContextOptions<ScadaLinkDbContext> options) : base(options)
    {
@@ -64,6 +65,9 @@ public class ScadaLinkDbContext : DbContext
    // Audit
    public DbSet<AuditLogEntry> AuditLogEntries => Set<AuditLogEntry>();

+    // Data Protection Keys (for shared ASP.NET Data Protection across nodes)
+    public DbSet<DataProtectionKey> DataProtectionKeys => Set<DataProtectionKey>();
+
    protected override void OnModelCreating(ModelBuilder modelBuilder)
    {
        modelBuilder.ApplyConfigurationsFromAssembly(typeof(ScadaLinkDbContext).Assembly);
--- a/src/ScadaLink.ConfigurationDatabase/ServiceCollectionExtensions.cs
+++ b/src/ScadaLink.ConfigurationDatabase/ServiceCollectionExtensions.cs
@@ -1,5 +1,10 @@
+using Microsoft.AspNetCore.DataProtection;
 using Microsoft.EntityFrameworkCore;
 using Microsoft.Extensions.DependencyInjection;
+using ScadaLink.Commons.Interfaces.Repositories;
+using ScadaLink.Commons.Interfaces.Services;
+using ScadaLink.ConfigurationDatabase.Repositories;
+using ScadaLink.ConfigurationDatabase.Services;

 namespace ScadaLink.ConfigurationDatabase;

@@ -13,6 +18,13 @@ public static class ServiceCollectionExtensions
        services.AddDbContext<ScadaLinkDbContext>(options =>
            options.UseSqlServer(connectionString));

+        services.AddScoped<ISecurityRepository, SecurityRepository>();
+        services.AddScoped<ICentralUiRepository, CentralUiRepository>();
+        services.AddScoped<IAuditService, AuditService>();
+
+        services.AddDataProtection()
+            .PersistKeysToDbContext<ScadaLinkDbContext>();
+
        return services;
    }

--- a/src/ScadaLink.ConfigurationDatabase/Services/AuditService.cs
+++ b/src/ScadaLink.ConfigurationDatabase/Services/AuditService.cs
@@ -0,0 +1,37 @@
+using System.Text.Json;
+using ScadaLink.Commons.Entities.Audit;
+using ScadaLink.Commons.Interfaces.Services;
+
+namespace ScadaLink.ConfigurationDatabase.Services;
+
+public class AuditService : IAuditService
+{
+    private readonly ScadaLinkDbContext _context;
+
+    public AuditService(ScadaLinkDbContext context)
+    {
+        _context = context ?? throw new ArgumentNullException(nameof(context));
+    }
+
+    public async Task LogAsync(
+        string user,
+        string action,
+        string entityType,
+        string entityId,
+        string entityName,
+        object? afterState,
+        CancellationToken cancellationToken = default)
+    {
+        var entry = new AuditLogEntry(user, action, entityType, entityId, entityName)
+        {
+            Timestamp = DateTimeOffset.UtcNow,
+            AfterStateJson = afterState != null
+                ? JsonSerializer.Serialize(afterState)
+                : null
+        };
+
+        // Add to change tracker only — caller is responsible for calling SaveChangesAsync
+        // to ensure atomicity with the entity change.
+        await _context.AuditLogEntries.AddAsync(entry, cancellationToken);
+    }
+}
--- a/src/ScadaLink.Security/AuthorizationPolicies.cs
+++ b/src/ScadaLink.Security/AuthorizationPolicies.cs
@@ -0,0 +1,30 @@
+using Microsoft.AspNetCore.Authorization;
+using Microsoft.Extensions.DependencyInjection;
+
+namespace ScadaLink.Security;
+
+public static class AuthorizationPolicies
+{
+    public const string RequireAdmin = "RequireAdmin";
+    public const string RequireDesign = "RequireDesign";
+    public const string RequireDeployment = "RequireDeployment";
+
+    public static IServiceCollection AddScadaLinkAuthorization(this IServiceCollection services)
+    {
+        services.AddAuthorization(options =>
+        {
+            options.AddPolicy(RequireAdmin, policy =>
+                policy.RequireClaim(JwtTokenService.RoleClaimType, "Admin"));
+
+            options.AddPolicy(RequireDesign, policy =>
+                policy.RequireClaim(JwtTokenService.RoleClaimType, "Design"));
+
+            options.AddPolicy(RequireDeployment, policy =>
+                policy.RequireClaim(JwtTokenService.RoleClaimType, "Deployment"));
+        });
+
+        services.AddSingleton<IAuthorizationHandler, SiteScopeAuthorizationHandler>();
+
+        return services;
+    }
+}
--- a/src/ScadaLink.Security/JwtTokenService.cs
+++ b/src/ScadaLink.Security/JwtTokenService.cs
@@ -0,0 +1,124 @@
+using System.IdentityModel.Tokens.Jwt;
+using System.Security.Claims;
+using System.Text;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Microsoft.IdentityModel.Tokens;
+
+namespace ScadaLink.Security;
+
+public class JwtTokenService
+{
+    private readonly SecurityOptions _options;
+    private readonly ILogger<JwtTokenService> _logger;
+
+    public const string DisplayNameClaimType = "DisplayName";
+    public const string UsernameClaimType = "Username";
+    public const string RoleClaimType = "Role";
+    public const string SiteIdClaimType = "SiteId";
+    public const string LastActivityClaimType = "LastActivity";
+
+    public JwtTokenService(IOptions<SecurityOptions> options, ILogger<JwtTokenService> logger)
+    {
+        _options = options?.Value ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public string GenerateToken(
+        string displayName,
+        string username,
+        IReadOnlyList<string> roles,
+        IReadOnlyList<string>? permittedSiteIds)
+    {
+        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.JwtSigningKey));
+        var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
+
+        var claims = new List<Claim>
+        {
+            new(DisplayNameClaimType, displayName),
+            new(UsernameClaimType, username),
+            new(LastActivityClaimType, DateTimeOffset.UtcNow.ToString("o"))
+        };
+
+        foreach (var role in roles)
+        {
+            claims.Add(new Claim(RoleClaimType, role));
+        }
+
+        if (permittedSiteIds != null)
+        {
+            foreach (var siteId in permittedSiteIds)
+            {
+                claims.Add(new Claim(SiteIdClaimType, siteId));
+            }
+        }
+
+        var token = new JwtSecurityToken(
+            claims: claims,
+            expires: DateTime.UtcNow.AddMinutes(_options.JwtExpiryMinutes),
+            signingCredentials: credentials);
+
+        return new JwtSecurityTokenHandler().WriteToken(token);
+    }
+
+    public ClaimsPrincipal? ValidateToken(string token)
+    {
+        var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.JwtSigningKey));
+        var validationParameters = new TokenValidationParameters
+        {
+            ValidateIssuer = false,
+            ValidateAudience = false,
+            ValidateLifetime = true,
+            ValidateIssuerSigningKey = true,
+            IssuerSigningKey = key,
+            ClockSkew = TimeSpan.Zero
+        };
+
+        try
+        {
+            var handler = new JwtSecurityTokenHandler();
+            var principal = handler.ValidateToken(token, validationParameters, out _);
+            return principal;
+        }
+        catch (Exception ex) when (ex is SecurityTokenException or ArgumentException)
+        {
+            _logger.LogDebug(ex, "Token validation failed");
+            return null;
+        }
+    }
+
+    public bool ShouldRefresh(ClaimsPrincipal principal)
+    {
+        var expClaim = principal.FindFirst("exp");
+        if (expClaim == null || !long.TryParse(expClaim.Value, out var expUnix))
+            return false;
+
+        var expiry = DateTimeOffset.FromUnixTimeSeconds(expUnix);
+        var remaining = expiry - DateTimeOffset.UtcNow;
+
+        return remaining.TotalMinutes < _options.JwtRefreshThresholdMinutes;
+    }
+
+    public bool IsIdleTimedOut(ClaimsPrincipal principal)
+    {
+        var lastActivityClaim = principal.FindFirst(LastActivityClaimType);
+        if (lastActivityClaim == null || !DateTimeOffset.TryParse(lastActivityClaim.Value, out var lastActivity))
+            return true;
+
+        return (DateTimeOffset.UtcNow - lastActivity).TotalMinutes > _options.IdleTimeoutMinutes;
+    }
+
+    public string? RefreshToken(ClaimsPrincipal currentPrincipal, IReadOnlyList<string> currentRoles, IReadOnlyList<string>? permittedSiteIds)
+    {
+        var displayName = currentPrincipal.FindFirst(DisplayNameClaimType)?.Value;
+        var username = currentPrincipal.FindFirst(UsernameClaimType)?.Value;
+
+        if (displayName == null || username == null)
+        {
+            _logger.LogWarning("Cannot refresh token: missing DisplayName or Username claims");
+            return null;
+        }
+
+        return GenerateToken(displayName, username, currentRoles, permittedSiteIds);
+    }
+}
--- a/src/ScadaLink.Security/LdapAuthResult.cs
+++ b/src/ScadaLink.Security/LdapAuthResult.cs
@@ -0,0 +1,8 @@
+namespace ScadaLink.Security;
+
+public record LdapAuthResult(
+    bool Success,
+    string? DisplayName,
+    string? Username,
+    IReadOnlyList<string>? Groups,
+    string? ErrorMessage);
--- a/src/ScadaLink.Security/LdapAuthService.cs
+++ b/src/ScadaLink.Security/LdapAuthService.cs
@@ -0,0 +1,148 @@
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Options;
+using Novell.Directory.Ldap;
+
+namespace ScadaLink.Security;
+
+public class LdapAuthService
+{
+    private readonly SecurityOptions _options;
+    private readonly ILogger<LdapAuthService> _logger;
+
+    public LdapAuthService(IOptions<SecurityOptions> options, ILogger<LdapAuthService> logger)
+    {
+        _options = options?.Value ?? throw new ArgumentNullException(nameof(options));
+        _logger = logger ?? throw new ArgumentNullException(nameof(logger));
+    }
+
+    public async Task<LdapAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default)
+    {
+        if (string.IsNullOrWhiteSpace(username))
+            return new LdapAuthResult(false, null, null, null, "Username is required.");
+
+        if (string.IsNullOrWhiteSpace(password))
+            return new LdapAuthResult(false, null, null, null, "Password is required.");
+
+        // Enforce TLS unless explicitly allowed for dev/test
+        if (!_options.LdapUseTls && !_options.AllowInsecureLdap)
+        {
+            return new LdapAuthResult(false, null, null, null,
+                "Insecure LDAP connections are not allowed. Enable TLS or set AllowInsecureLdap for dev/test.");
+        }
+
+        try
+        {
+            using var connection = new LdapConnection();
+
+            if (_options.LdapUseTls)
+            {
+                connection.SecureSocketLayer = true;
+            }
+
+            await Task.Run(() => connection.Connect(_options.LdapServer, _options.LdapPort), ct);
+
+            if (_options.LdapUseTls && !connection.SecureSocketLayer)
+            {
+                await Task.Run(() => connection.StartTls(), ct);
+            }
+
+            // Direct bind with user credentials
+            var bindDn = BuildBindDn(username);
+            await Task.Run(() => connection.Bind(bindDn, password), ct);
+
+            // Query for user attributes and group memberships
+            var displayName = username;
+            var groups = new List<string>();
+
+            try
+            {
+                var searchFilter = $"(uid={EscapeLdapFilter(username)})";
+                var searchResults = await Task.Run(() =>
+                    connection.Search(
+                        _options.LdapSearchBase,
+                        LdapConnection.ScopeSub,
+                        searchFilter,
+                        new[] { _options.LdapDisplayNameAttribute, _options.LdapGroupAttribute },
+                        false), ct);
+
+                while (searchResults.HasMore())
+                {
+                    try
+                    {
+                        var entry = searchResults.Next();
+                        var dnAttr = entry.GetAttribute(_options.LdapDisplayNameAttribute);
+                        if (dnAttr != null)
+                            displayName = dnAttr.StringValue;
+
+                        var groupAttr = entry.GetAttribute(_options.LdapGroupAttribute);
+                        if (groupAttr != null)
+                        {
+                            foreach (var groupDn in groupAttr.StringValueArray)
+                            {
+                                groups.Add(ExtractCn(groupDn));
+                            }
+                        }
+                    }
+                    catch (LdapException)
+                    {
+                        // No more results
+                        break;
+                    }
+                }
+            }
+            catch (LdapException ex)
+            {
+                _logger.LogWarning(ex, "Failed to query LDAP attributes for user {Username}; authentication succeeded but group lookup failed", username);
+                // Auth succeeded even if attribute lookup failed
+            }
+
+            connection.Disconnect();
+
+            return new LdapAuthResult(true, displayName, username, groups, null);
+        }
+        catch (LdapException ex)
+        {
+            _logger.LogWarning(ex, "LDAP authentication failed for user {Username}", username);
+            return new LdapAuthResult(false, null, username, null, "Invalid username or password.");
+        }
+        catch (Exception ex) when (ex is not OperationCanceledException)
+        {
+            _logger.LogError(ex, "Unexpected error during LDAP authentication for user {Username}", username);
+            return new LdapAuthResult(false, null, username, null, "An unexpected error occurred during authentication.");
+        }
+    }
+
+    private string BuildBindDn(string username)
+    {
+        // If username already looks like a DN, use it as-is
+        if (username.Contains('='))
+            return username;
+
+        // Build DN from username and search base
+        return string.IsNullOrWhiteSpace(_options.LdapSearchBase)
+            ? $"cn={username}"
+            : $"cn={username},{_options.LdapSearchBase}";
+    }
+
+    private static string EscapeLdapFilter(string input)
+    {
+        return input
+            .Replace("\\", "\\5c")
+            .Replace("*", "\\2a")
+            .Replace("(", "\\28")
+            .Replace(")", "\\29")
+            .Replace("\0", "\\00");
+    }
+
+    private static string ExtractCn(string dn)
+    {
+        // Extract CN from a DN like "cn=GroupName,dc=example,dc=com"
+        if (dn.StartsWith("cn=", StringComparison.OrdinalIgnoreCase) ||
+            dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
+        {
+            var commaIndex = dn.IndexOf(',');
+            return commaIndex > 3 ? dn[3..commaIndex] : dn[3..];
+        }
+        return dn;
+    }
+}
--- a/src/ScadaLink.Security/RoleMapper.cs
+++ b/src/ScadaLink.Security/RoleMapper.cs
@@ -0,0 +1,58 @@
+using ScadaLink.Commons.Interfaces.Repositories;
+
+namespace ScadaLink.Security;
+
+public class RoleMapper
+{
+    private readonly ISecurityRepository _securityRepository;
+
+    public RoleMapper(ISecurityRepository securityRepository)
+    {
+        _securityRepository = securityRepository ?? throw new ArgumentNullException(nameof(securityRepository));
+    }
+
+    public async Task<RoleMappingResult> MapGroupsToRolesAsync(
+        IReadOnlyList<string> ldapGroups,
+        CancellationToken ct = default)
+    {
+        var allMappings = await _securityRepository.GetAllMappingsAsync(ct);
+
+        var matchedRoles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
+        var permittedSiteIds = new HashSet<string>();
+        var hasDeploymentRole = false;
+        var hasDeploymentWithScopeRules = false;
+
+        foreach (var mapping in allMappings)
+        {
+            // Match LDAP group names (case-insensitive)
+            if (!ldapGroups.Any(g => g.Equals(mapping.LdapGroupName, StringComparison.OrdinalIgnoreCase)))
+                continue;
+
+            matchedRoles.Add(mapping.Role);
+
+            if (mapping.Role.Equals("Deployment", StringComparison.OrdinalIgnoreCase))
+            {
+                hasDeploymentRole = true;
+
+                // Check for site scope rules
+                var scopeRules = await _securityRepository.GetScopeRulesForMappingAsync(mapping.Id, ct);
+                if (scopeRules.Count > 0)
+                {
+                    hasDeploymentWithScopeRules = true;
+                    foreach (var rule in scopeRules)
+                    {
+                        permittedSiteIds.Add(rule.SiteId.ToString());
+                    }
+                }
+            }
+        }
+
+        // System-wide deployment: user has Deployment role but no site scope rules restrict them
+        var isSystemWide = hasDeploymentRole && !hasDeploymentWithScopeRules;
+
+        return new RoleMappingResult(
+            matchedRoles.ToList(),
+            permittedSiteIds.ToList(),
+            isSystemWide);
+    }
+}
--- a/src/ScadaLink.Security/RoleMappingResult.cs
+++ b/src/ScadaLink.Security/RoleMappingResult.cs
@@ -0,0 +1,6 @@
+namespace ScadaLink.Security;
+
+public record RoleMappingResult(
+    IReadOnlyList<string> Roles,
+    IReadOnlyList<string> PermittedSiteIds,
+    bool IsSystemWideDeployment);
--- a/src/ScadaLink.Security/ScadaLink.Security.csproj
+++ b/src/ScadaLink.Security/ScadaLink.Security.csproj
@@ -10,6 +10,10 @@
  <ItemGroup>
    <PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.5" />
    <PackageReference Include="Microsoft.Extensions.Options" Version="10.0.5" />
+    <PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.5" />
+    <PackageReference Include="Microsoft.AspNetCore.Authorization" Version="10.0.5" />
+    <PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.11.0" />
+    <PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0" />
  </ItemGroup>

  <ItemGroup>
--- a/src/ScadaLink.Security/SecurityOptions.cs
+++ b/src/ScadaLink.Security/SecurityOptions.cs
@@ -5,7 +5,34 @@ public class SecurityOptions
    public string LdapServer { get; set; } = string.Empty;
    public int LdapPort { get; set; } = 389;
    public bool LdapUseTls { get; set; } = true;
+
+    /// <summary>
+    /// Allow insecure (non-TLS) LDAP connections. ONLY for dev/test with GLAuth.
+    /// Must be false in production.
+    /// </summary>
+    public bool AllowInsecureLdap { get; set; } = false;
+
+    /// <summary>
+    /// Base DN for LDAP searches (e.g., "dc=example,dc=com").
+    /// </summary>
+    public string LdapSearchBase { get; set; } = string.Empty;
+
+    /// <summary>
+    /// LDAP attribute that contains the user's display name.
+    /// </summary>
+    public string LdapDisplayNameAttribute { get; set; } = "cn";
+
+    /// <summary>
+    /// LDAP attribute that contains group membership.
+    /// </summary>
+    public string LdapGroupAttribute { get; set; } = "memberOf";
+
    public string JwtSigningKey { get; set; } = string.Empty;
    public int JwtExpiryMinutes { get; set; } = 15;
    public int IdleTimeoutMinutes { get; set; } = 30;
+
+    /// <summary>
+    /// Minutes before token expiry to trigger refresh.
+    /// </summary>
+    public int JwtRefreshThresholdMinutes { get; set; } = 5;
 }
--- a/src/ScadaLink.Security/ServiceCollectionExtensions.cs
+++ b/src/ScadaLink.Security/ServiceCollectionExtensions.cs
@@ -6,7 +6,11 @@ public static class ServiceCollectionExtensions
 {
    public static IServiceCollection AddSecurity(this IServiceCollection services)
    {
-        // Phase 0: skeleton only
+        services.AddScoped<LdapAuthService>();
+        services.AddScoped<JwtTokenService>();
+        services.AddScoped<RoleMapper>();
+        services.AddScadaLinkAuthorization();
+
        return services;
    }

--- a/src/ScadaLink.Security/SiteScopeAuthorizationHandler.cs
+++ b/src/ScadaLink.Security/SiteScopeAuthorizationHandler.cs
@@ -0,0 +1,52 @@
+using Microsoft.AspNetCore.Authorization;
+
+namespace ScadaLink.Security;
+
+/// <summary>
+/// Authorization requirement for site-scoped deployment operations.
+/// </summary>
+public class SiteScopeRequirement : IAuthorizationRequirement
+{
+    public string TargetSiteId { get; }
+
+    public SiteScopeRequirement(string targetSiteId)
+    {
+        TargetSiteId = targetSiteId ?? throw new ArgumentNullException(nameof(targetSiteId));
+    }
+}
+
+/// <summary>
+/// Checks that a user with the Deployment role is permitted to operate on the target site.
+/// Users with Deployment role and no SiteId claims are system-wide deployers.
+/// Users with SiteId claims are only permitted on those specific sites.
+/// </summary>
+public class SiteScopeAuthorizationHandler : AuthorizationHandler<SiteScopeRequirement>
+{
+    protected override Task HandleRequirementAsync(
+        AuthorizationHandlerContext context,
+        SiteScopeRequirement requirement)
+    {
+        // Must have Deployment role
+        var hasDeploymentRole = context.User.HasClaim(JwtTokenService.RoleClaimType, "Deployment");
+        if (!hasDeploymentRole)
+        {
+            return Task.CompletedTask; // Fail — no Deployment role
+        }
+
+        var siteIdClaims = context.User.FindAll(JwtTokenService.SiteIdClaimType).ToList();
+
+        if (siteIdClaims.Count == 0)
+        {
+            // No site scope restrictions — system-wide deployer
+            context.Succeed(requirement);
+        }
+        else if (siteIdClaims.Any(c => c.Value == requirement.TargetSiteId))
+        {
+            // User is permitted on this specific site
+            context.Succeed(requirement);
+        }
+
+        // Otherwise, silently fail (not authorized for this site)
+        return Task.CompletedTask;
+    }
+}