dohertj2/scadalink-design
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 1 WP-2–10: Repositories, audit service, security & auth (LDAP, JWT, roles, policies, data protection)

Browse Source 
- WP-2: SecurityRepository + CentralUiRepository with audit log queries
- WP-3: AuditService with transactional guarantee (same SaveChangesAsync)
- WP-4: Optimistic concurrency tests (deployment records vs template last-write-wins)
- WP-5: Seed data (SCADA-Admins → Admin role mapping)
- WP-6: LdapAuthService (direct bind, TLS enforcement, group query)
- WP-7: JwtTokenService (HMAC-SHA256, 15-min refresh, 30-min idle timeout)
- WP-8: RoleMapper (LDAP groups → roles with site-scoped deployment)
- WP-9: Authorization policies (Admin/Design/Deployment + site scope handler)
- WP-10: Shared Data Protection keys via EF Core
141 tests pass, zero warnings.
This commit is contained in:
Joseph Doherty
2026-03-16 19:32:43 -04:00
parent 1996b21961
commit cafb7d2006
31 changed files with 3356 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

30
src/ScadaLink.Security/AuthorizationPolicies.cs Normal file
View File

@@ -0,0 +1,30 @@
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
namespace ScadaLink.Security;
public static class AuthorizationPolicies
{
public const string RequireAdmin = "RequireAdmin";
public const string RequireDesign = "RequireDesign";
public const string RequireDeployment = "RequireDeployment";
public static IServiceCollection AddScadaLinkAuthorization(this IServiceCollection services)
{
services.AddAuthorization(options =>
{
options.AddPolicy(RequireAdmin, policy =>
policy.RequireClaim(JwtTokenService.RoleClaimType, "Admin"));
options.AddPolicy(RequireDesign, policy =>
policy.RequireClaim(JwtTokenService.RoleClaimType, "Design"));
options.AddPolicy(RequireDeployment, policy =>
policy.RequireClaim(JwtTokenService.RoleClaimType, "Deployment"));
});
services.AddSingleton<IAuthorizationHandler, SiteScopeAuthorizationHandler>();
return services;
}
}

124
src/ScadaLink.Security/JwtTokenService.cs Normal file
View File

@@ -0,0 +1,124 @@
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
namespace ScadaLink.Security;
public class JwtTokenService
{
private readonly SecurityOptions _options;
private readonly ILogger<JwtTokenService> _logger;
public const string DisplayNameClaimType = "DisplayName";
public const string UsernameClaimType = "Username";
public const string RoleClaimType = "Role";
public const string SiteIdClaimType = "SiteId";
public const string LastActivityClaimType = "LastActivity";
public JwtTokenService(IOptions<SecurityOptions> options, ILogger<JwtTokenService> logger)
{
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public string GenerateToken(
string displayName,
string username,
IReadOnlyList<string> roles,
IReadOnlyList<string>? permittedSiteIds)
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.JwtSigningKey));
var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var claims = new List<Claim>
{
new(DisplayNameClaimType, displayName),
new(UsernameClaimType, username),
new(LastActivityClaimType, DateTimeOffset.UtcNow.ToString("o"))
};
foreach (var role in roles)
{
claims.Add(new Claim(RoleClaimType, role));
}
if (permittedSiteIds != null)
{
foreach (var siteId in permittedSiteIds)
{
claims.Add(new Claim(SiteIdClaimType, siteId));
}
}
var token = new JwtSecurityToken(
claims: claims,
expires: DateTime.UtcNow.AddMinutes(_options.JwtExpiryMinutes),
signingCredentials: credentials);
return new JwtSecurityTokenHandler().WriteToken(token);
}
public ClaimsPrincipal? ValidateToken(string token)
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.JwtSigningKey));
var validationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = key,
ClockSkew = TimeSpan.Zero
};
try
{
var handler = new JwtSecurityTokenHandler();
var principal = handler.ValidateToken(token, validationParameters, out _);
return principal;
}
catch (Exception ex) when (ex is SecurityTokenException or ArgumentException)
{
_logger.LogDebug(ex, "Token validation failed");
return null;
}
}
public bool ShouldRefresh(ClaimsPrincipal principal)
{
var expClaim = principal.FindFirst("exp");
if (expClaim == null || !long.TryParse(expClaim.Value, out var expUnix))
return false;
var expiry = DateTimeOffset.FromUnixTimeSeconds(expUnix);
var remaining = expiry - DateTimeOffset.UtcNow;
return remaining.TotalMinutes < _options.JwtRefreshThresholdMinutes;
}
public bool IsIdleTimedOut(ClaimsPrincipal principal)
{
var lastActivityClaim = principal.FindFirst(LastActivityClaimType);
if (lastActivityClaim == null || !DateTimeOffset.TryParse(lastActivityClaim.Value, out var lastActivity))
return true;
return (DateTimeOffset.UtcNow - lastActivity).TotalMinutes > _options.IdleTimeoutMinutes;
}
public string? RefreshToken(ClaimsPrincipal currentPrincipal, IReadOnlyList<string> currentRoles, IReadOnlyList<string>? permittedSiteIds)
{
var displayName = currentPrincipal.FindFirst(DisplayNameClaimType)?.Value;
var username = currentPrincipal.FindFirst(UsernameClaimType)?.Value;
if (displayName == null || username == null)
{
_logger.LogWarning("Cannot refresh token: missing DisplayName or Username claims");
return null;
}
return GenerateToken(displayName, username, currentRoles, permittedSiteIds);
}
}

8
src/ScadaLink.Security/LdapAuthResult.cs Normal file
View File

@@ -0,0 +1,8 @@
namespace ScadaLink.Security;
public record LdapAuthResult(
bool Success,
string? DisplayName,
string? Username,
IReadOnlyList<string>? Groups,
string? ErrorMessage);

148
src/ScadaLink.Security/LdapAuthService.cs Normal file
View File

@@ -0,0 +1,148 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Novell.Directory.Ldap;
namespace ScadaLink.Security;
public class LdapAuthService
{
private readonly SecurityOptions _options;
private readonly ILogger<LdapAuthService> _logger;
public LdapAuthService(IOptions<SecurityOptions> options, ILogger<LdapAuthService> logger)
{
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<LdapAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default)
{
if (string.IsNullOrWhiteSpace(username))
return new LdapAuthResult(false, null, null, null, "Username is required.");
if (string.IsNullOrWhiteSpace(password))
return new LdapAuthResult(false, null, null, null, "Password is required.");
// Enforce TLS unless explicitly allowed for dev/test
if (!_options.LdapUseTls && !_options.AllowInsecureLdap)
{
return new LdapAuthResult(false, null, null, null,
"Insecure LDAP connections are not allowed. Enable TLS or set AllowInsecureLdap for dev/test.");
}
try
{
using var connection = new LdapConnection();
if (_options.LdapUseTls)
{
connection.SecureSocketLayer = true;
}
await Task.Run(() => connection.Connect(_options.LdapServer, _options.LdapPort), ct);
if (_options.LdapUseTls && !connection.SecureSocketLayer)
{
await Task.Run(() => connection.StartTls(), ct);
}
// Direct bind with user credentials
var bindDn = BuildBindDn(username);
await Task.Run(() => connection.Bind(bindDn, password), ct);
// Query for user attributes and group memberships
var displayName = username;
var groups = new List<string>();
try
{
var searchFilter = $"(uid={EscapeLdapFilter(username)})";
var searchResults = await Task.Run(() =>
connection.Search(
_options.LdapSearchBase,
LdapConnection.ScopeSub,
searchFilter,
new[] { _options.LdapDisplayNameAttribute, _options.LdapGroupAttribute },
false), ct);
while (searchResults.HasMore())
{
try
{
var entry = searchResults.Next();
var dnAttr = entry.GetAttribute(_options.LdapDisplayNameAttribute);
if (dnAttr != null)
displayName = dnAttr.StringValue;
var groupAttr = entry.GetAttribute(_options.LdapGroupAttribute);
if (groupAttr != null)
{
foreach (var groupDn in groupAttr.StringValueArray)
{
groups.Add(ExtractCn(groupDn));
}
}
}
catch (LdapException)
{
// No more results
break;
}
}
}
catch (LdapException ex)
{
_logger.LogWarning(ex, "Failed to query LDAP attributes for user {Username}; authentication succeeded but group lookup failed", username);
// Auth succeeded even if attribute lookup failed
}
connection.Disconnect();
return new LdapAuthResult(true, displayName, username, groups, null);
}
catch (LdapException ex)
{
_logger.LogWarning(ex, "LDAP authentication failed for user {Username}", username);
return new LdapAuthResult(false, null, username, null, "Invalid username or password.");
}
catch (Exception ex) when (ex is not OperationCanceledException)
{
_logger.LogError(ex, "Unexpected error during LDAP authentication for user {Username}", username);
return new LdapAuthResult(false, null, username, null, "An unexpected error occurred during authentication.");
}
}
private string BuildBindDn(string username)
{
// If username already looks like a DN, use it as-is
if (username.Contains('='))
return username;
// Build DN from username and search base
return string.IsNullOrWhiteSpace(_options.LdapSearchBase)
? $"cn={username}"
: $"cn={username},{_options.LdapSearchBase}";
}
private static string EscapeLdapFilter(string input)
{
return input
.Replace("\\", "\\5c")
.Replace("*", "\\2a")
.Replace("(", "\\28")
.Replace(")", "\\29")
.Replace("\0", "\\00");
}
private static string ExtractCn(string dn)
{
// Extract CN from a DN like "cn=GroupName,dc=example,dc=com"
if (dn.StartsWith("cn=", StringComparison.OrdinalIgnoreCase) ||
dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
{
var commaIndex = dn.IndexOf(',');
return commaIndex > 3 ? dn[3..commaIndex] : dn[3..];
}
return dn;
}
}

58
src/ScadaLink.Security/RoleMapper.cs Normal file
View File

@@ -0,0 +1,58 @@
using ScadaLink.Commons.Interfaces.Repositories;
namespace ScadaLink.Security;
public class RoleMapper
{
private readonly ISecurityRepository _securityRepository;
public RoleMapper(ISecurityRepository securityRepository)
{
_securityRepository = securityRepository ?? throw new ArgumentNullException(nameof(securityRepository));
}
public async Task<RoleMappingResult> MapGroupsToRolesAsync(
IReadOnlyList<string> ldapGroups,
CancellationToken ct = default)
{
var allMappings = await _securityRepository.GetAllMappingsAsync(ct);
var matchedRoles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
var permittedSiteIds = new HashSet<string>();
var hasDeploymentRole = false;
var hasDeploymentWithScopeRules = false;
foreach (var mapping in allMappings)
{
// Match LDAP group names (case-insensitive)
if (!ldapGroups.Any(g => g.Equals(mapping.LdapGroupName, StringComparison.OrdinalIgnoreCase)))
continue;
matchedRoles.Add(mapping.Role);
if (mapping.Role.Equals("Deployment", StringComparison.OrdinalIgnoreCase))
{
hasDeploymentRole = true;
// Check for site scope rules
var scopeRules = await _securityRepository.GetScopeRulesForMappingAsync(mapping.Id, ct);
if (scopeRules.Count > 0)
{
hasDeploymentWithScopeRules = true;
foreach (var rule in scopeRules)
{
permittedSiteIds.Add(rule.SiteId.ToString());
}
}
}
}
// System-wide deployment: user has Deployment role but no site scope rules restrict them
var isSystemWide = hasDeploymentRole && !hasDeploymentWithScopeRules;
return new RoleMappingResult(
matchedRoles.ToList(),
permittedSiteIds.ToList(),
isSystemWide);
}
}

6
src/ScadaLink.Security/RoleMappingResult.cs Normal file
View File

@@ -0,0 +1,6 @@
namespace ScadaLink.Security;
public record RoleMappingResult(
IReadOnlyList<string> Roles,
IReadOnlyList<string> PermittedSiteIds,
bool IsSystemWideDeployment);

4
src/ScadaLink.Security/ScadaLink.Security.csproj
View File

@@ -10,6 +10,10 @@
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.Authorization" Version="10.0.5" />
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.11.0" />
<PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0" />
</ItemGroup>
<ItemGroup>

27
src/ScadaLink.Security/SecurityOptions.cs
View File

@@ -5,7 +5,34 @@ public class SecurityOptions
public string LdapServer { get; set; } = string.Empty;
public int LdapPort { get; set; } = 389;
public bool LdapUseTls { get; set; } = true;
/// <summary>
/// Allow insecure (non-TLS) LDAP connections. ONLY for dev/test with GLAuth.
/// Must be false in production.
/// </summary>
public bool AllowInsecureLdap { get; set; } = false;
/// <summary>
/// Base DN for LDAP searches (e.g., "dc=example,dc=com").
/// </summary>
public string LdapSearchBase { get; set; } = string.Empty;
/// <summary>
/// LDAP attribute that contains the user's display name.
/// </summary>
public string LdapDisplayNameAttribute { get; set; } = "cn";
/// <summary>
/// LDAP attribute that contains group membership.
/// </summary>
public string LdapGroupAttribute { get; set; } = "memberOf";
public string JwtSigningKey { get; set; } = string.Empty;
public int JwtExpiryMinutes { get; set; } = 15;
public int IdleTimeoutMinutes { get; set; } = 30;
/// <summary>
/// Minutes before token expiry to trigger refresh.
/// </summary>
public int JwtRefreshThresholdMinutes { get; set; } = 5;
}

6
src/ScadaLink.Security/ServiceCollectionExtensions.cs
View File

@@ -6,7 +6,11 @@ public static class ServiceCollectionExtensions
{
public static IServiceCollection AddSecurity(this IServiceCollection services)
{
// Phase 0: skeleton only
services.AddScoped<LdapAuthService>();
services.AddScoped<JwtTokenService>();
services.AddScoped<RoleMapper>();
services.AddScadaLinkAuthorization();
return services;
}

52
src/ScadaLink.Security/SiteScopeAuthorizationHandler.cs Normal file
View File

@@ -0,0 +1,52 @@
using Microsoft.AspNetCore.Authorization;
namespace ScadaLink.Security;
/// <summary>
/// Authorization requirement for site-scoped deployment operations.
/// </summary>
public class SiteScopeRequirement : IAuthorizationRequirement
{
public string TargetSiteId { get; }
public SiteScopeRequirement(string targetSiteId)
{
TargetSiteId = targetSiteId ?? throw new ArgumentNullException(nameof(targetSiteId));
}
}
/// <summary>
/// Checks that a user with the Deployment role is permitted to operate on the target site.
/// Users with Deployment role and no SiteId claims are system-wide deployers.
/// Users with SiteId claims are only permitted on those specific sites.
/// </summary>
public class SiteScopeAuthorizationHandler : AuthorizationHandler<SiteScopeRequirement>
{
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
SiteScopeRequirement requirement)
{
// Must have Deployment role
var hasDeploymentRole = context.User.HasClaim(JwtTokenService.RoleClaimType, "Deployment");
if (!hasDeploymentRole)
{
return Task.CompletedTask; // Fail — no Deployment role
}
var siteIdClaims = context.User.FindAll(JwtTokenService.SiteIdClaimType).ToList();
if (siteIdClaims.Count == 0)
{
// No site scope restrictions — system-wide deployer
context.Succeed(requirement);
}
else if (siteIdClaims.Any(c => c.Value == requirement.TargetSiteId))
{
// User is permitted on this specific site
context.Succeed(requirement);
}
// Otherwise, silently fail (not authorized for this site)
return Task.CompletedTask;
}
}