dohertj2/scadalink-design
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 1 WP-2–10: Repositories, audit service, security & auth (LDAP, JWT, roles, policies, data protection)

Browse Source 
- WP-2: SecurityRepository + CentralUiRepository with audit log queries
- WP-3: AuditService with transactional guarantee (same SaveChangesAsync)
- WP-4: Optimistic concurrency tests (deployment records vs template last-write-wins)
- WP-5: Seed data (SCADA-Admins → Admin role mapping)
- WP-6: LdapAuthService (direct bind, TLS enforcement, group query)
- WP-7: JwtTokenService (HMAC-SHA256, 15-min refresh, 30-min idle timeout)
- WP-8: RoleMapper (LDAP groups → roles with site-scoped deployment)
- WP-9: Authorization policies (Admin/Design/Deployment + site scope handler)
- WP-10: Shared Data Protection keys via EF Core
141 tests pass, zero warnings.
This commit is contained in:
Joseph Doherty
2026-03-16 19:32:43 -04:00
parent 1996b21961
commit cafb7d2006
31 changed files with 3356 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

127
tests/ScadaLink.ConfigurationDatabase.Tests/AuditServiceTests.cs Normal file
View File

@@ -0,0 +1,127 @@
using System.Text.Json;
using Microsoft.EntityFrameworkCore;
using ScadaLink.Commons.Entities.Templates;
using ScadaLink.Commons.Interfaces.Services;
using ScadaLink.ConfigurationDatabase;
using ScadaLink.ConfigurationDatabase.Services;
namespace ScadaLink.ConfigurationDatabase.Tests;
public class AuditServiceTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
private readonly AuditService _auditService;
public AuditServiceTests()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
_context = new ScadaLinkDbContext(options);
_context.Database.OpenConnection();
_context.Database.EnsureCreated();
_auditService = new AuditService(_context);
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task LogAsync_CreatesAuditEntry_CommittedWithEntityChange()
{
// Simulate entity change + audit in same transaction
var template = new Template("TestTemplate");
_context.Templates.Add(template);
await _auditService.LogAsync("admin", "Create", "Template", "1", "TestTemplate",
new { Name = "TestTemplate" });
// Single SaveChangesAsync commits both
await _context.SaveChangesAsync();
var audit = await _context.AuditLogEntries.SingleAsync();
Assert.Equal("admin", audit.User);
Assert.Equal("Create", audit.Action);
Assert.Equal("Template", audit.EntityType);
Assert.NotNull(audit.AfterStateJson);
// Template also committed
Assert.Single(await _context.Templates.ToListAsync());
}
[Fact]
public async Task LogAsync_Rollback_BothChangeAndAuditRolledBack()
{
// Use a separate context to simulate rollback via not calling SaveChanges
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite(_context.Database.GetDbConnection())
.Options;
using var context2 = new ScadaLinkDbContext(options);
var auditService2 = new AuditService(context2);
var template = new Template("RollbackTemplate");
context2.Templates.Add(template);
await auditService2.LogAsync("admin", "Create", "Template", "99", "RollbackTemplate",
new { Name = "RollbackTemplate" });
// Intentionally do NOT call SaveChangesAsync — simulates rollback
// Verify nothing persisted
Assert.Empty(await _context.AuditLogEntries.Where(a => a.EntityName == "RollbackTemplate").ToListAsync());
Assert.Empty(await _context.Templates.Where(t => t.Name == "RollbackTemplate").ToListAsync());
}
[Fact]
public async Task LogAsync_SerializesAfterStateAsJson()
{
var state = new { Name = "Test", Value = 42, Nested = new { Prop = "inner" } };
await _auditService.LogAsync("admin", "Create", "Entity", "1", "Test", state);
await _context.SaveChangesAsync();
var audit = await _context.AuditLogEntries.SingleAsync();
Assert.NotNull(audit.AfterStateJson);
var deserialized = JsonSerializer.Deserialize<JsonElement>(audit.AfterStateJson!);
Assert.Equal("Test", deserialized.GetProperty("Name").GetString());
Assert.Equal(42, deserialized.GetProperty("Value").GetInt32());
}
[Fact]
public async Task LogAsync_NullAfterState_ForDeletes()
{
await _auditService.LogAsync("admin", "Delete", "Template", "1", "DeletedTemplate", null);
await _context.SaveChangesAsync();
var audit = await _context.AuditLogEntries.SingleAsync();
Assert.Null(audit.AfterStateJson);
Assert.Equal("Delete", audit.Action);
}
[Fact]
public async Task LogAsync_SetsTimestampToUtcNow()
{
var before = DateTimeOffset.UtcNow;
await _auditService.LogAsync("admin", "Create", "Template", "1", "T1", new { });
await _context.SaveChangesAsync();
var after = DateTimeOffset.UtcNow;
var audit = await _context.AuditLogEntries.SingleAsync();
// Allow 2 second tolerance for SQLite precision
Assert.True(audit.Timestamp >= before.AddSeconds(-2));
Assert.True(audit.Timestamp <= after.AddSeconds(2));
}
[Fact]
public void AuditService_IsAppendOnly_NoUpdateOrDeleteMethods()
{
// Verify IAuditService only exposes LogAsync — no update/delete
var methods = typeof(IAuditService).GetMethods();
Assert.Single(methods, m => m.Name == "LogAsync");
Assert.DoesNotContain(methods, m => m.Name.Contains("Update", StringComparison.OrdinalIgnoreCase));
Assert.DoesNotContain(methods, m => m.Name.Contains("Delete", StringComparison.OrdinalIgnoreCase));
}
}

166
tests/ScadaLink.ConfigurationDatabase.Tests/ConcurrencyTests.cs Normal file
View File

@@ -0,0 +1,166 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;
using ScadaLink.Commons.Entities.Deployment;
using ScadaLink.Commons.Entities.Instances;
using ScadaLink.Commons.Entities.Sites;
using ScadaLink.Commons.Entities.Templates;
using ScadaLink.Commons.Types.Enums;
using ScadaLink.ConfigurationDatabase;
namespace ScadaLink.ConfigurationDatabase.Tests;
/// <summary>
/// A test-specific DbContext that uses an explicit ConcurrencyToken on DeploymentRecord
/// (as opposed to SQL Server's IsRowVersion()) so that SQLite can enforce concurrency.
/// In production, the SQL Server RowVersion provides this automatically.
/// </summary>
public class ConcurrencyTestDbContext : ScadaLinkDbContext
{
public ConcurrencyTestDbContext(DbContextOptions<ScadaLinkDbContext> options) : base(options) { }
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
// Replace the SQL Server RowVersion with an explicit concurrency token for SQLite
// Remove the shadow RowVersion property and add a visible ConcurrencyStamp
modelBuilder.Entity<DeploymentRecord>(builder =>
{
// The shadow RowVersion property from the base config doesn't work in SQLite.
// Instead, use Status as a concurrency token for the test.
builder.Property(d => d.Status).IsConcurrencyToken();
});
}
}
public class ConcurrencyTests : IDisposable
{
private readonly string _dbPath;
public ConcurrencyTests()
{
_dbPath = Path.Combine(Path.GetTempPath(), $"scadalink_test_{Guid.NewGuid()}.db");
}
public void Dispose()
{
if (File.Exists(_dbPath))
File.Delete(_dbPath);
}
private ScadaLinkDbContext CreateContext()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite($"DataSource={_dbPath}")
.ConfigureWarnings(w => w.Ignore(RelationalEventId.PendingModelChangesWarning))
.Options;
return new ConcurrencyTestDbContext(options);
}
[Fact]
public async Task DeploymentRecord_OptimisticConcurrency_SecondUpdateThrows()
{
// Setup: create necessary entities
using (var setupCtx = CreateContext())
{
await setupCtx.Database.EnsureCreatedAsync();
var site = new Site("Site1", "S-001");
var template = new Template("T1");
setupCtx.Sites.Add(site);
setupCtx.Templates.Add(template);
await setupCtx.SaveChangesAsync();
var instance = new Instance("I1")
{
SiteId = site.Id,
TemplateId = template.Id,
State = InstanceState.Enabled
};
setupCtx.Instances.Add(instance);
await setupCtx.SaveChangesAsync();
var record = new DeploymentRecord("deploy-concurrent", "admin")
{
InstanceId = instance.Id,
Status = DeploymentStatus.Pending,
DeployedAt = DateTimeOffset.UtcNow
};
setupCtx.DeploymentRecords.Add(record);
await setupCtx.SaveChangesAsync();
}
// Load the same record in two separate contexts
using var ctx1 = CreateContext();
using var ctx2 = CreateContext();
var record1 = await ctx1.DeploymentRecords.SingleAsync(d => d.DeploymentId == "deploy-concurrent");
var record2 = await ctx2.DeploymentRecords.SingleAsync(d => d.DeploymentId == "deploy-concurrent");
// Both loaded Status = Pending. First context updates and saves successfully.
record1.Status = DeploymentStatus.Success;
record1.CompletedAt = DateTimeOffset.UtcNow;
await ctx1.SaveChangesAsync();
// Second context tries to update the same record from the stale "Pending" state — should throw
// because the Status concurrency token has changed from Pending to Success
record2.Status = DeploymentStatus.Failed;
await Assert.ThrowsAsync<DbUpdateConcurrencyException>(
() => ctx2.SaveChangesAsync());
}
[Fact]
public async Task Template_NoOptimisticConcurrency_LastWriteWins()
{
// Setup
using (var setupCtx = CreateContext())
{
await setupCtx.Database.EnsureCreatedAsync();
var template = new Template("ConcurrentTemplate")
{
Description = "Original"
};
setupCtx.Templates.Add(template);
await setupCtx.SaveChangesAsync();
}
// Load in two contexts
using var ctx1 = CreateContext();
using var ctx2 = CreateContext();
var template1 = await ctx1.Templates.SingleAsync(t => t.Name == "ConcurrentTemplate");
var template2 = await ctx2.Templates.SingleAsync(t => t.Name == "ConcurrentTemplate");
// First update
template1.Description = "First update";
await ctx1.SaveChangesAsync();
// Second update — should succeed (last-write-wins, no concurrency token)
template2.Description = "Second update";
await ctx2.SaveChangesAsync(); // Should NOT throw
// Verify last write won
using var verifyCtx = CreateContext();
var loaded = await verifyCtx.Templates.SingleAsync(t => t.Name == "ConcurrentTemplate");
Assert.Equal("Second update", loaded.Description);
}
[Fact]
public void DeploymentRecord_HasRowVersionConfigured()
{
// Verify the production configuration has a RowVersion shadow property
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
using var context = new ScadaLinkDbContext(options);
context.Database.OpenConnection();
context.Database.EnsureCreated();
var entityType = context.Model.FindEntityType(typeof(DeploymentRecord))!;
var rowVersion = entityType.FindProperty("RowVersion");
Assert.NotNull(rowVersion);
Assert.True(rowVersion!.IsConcurrencyToken);
}
}

63
tests/ScadaLink.ConfigurationDatabase.Tests/DataProtectionTests.cs Normal file
View File

@@ -0,0 +1,63 @@
using Microsoft.AspNetCore.DataProtection;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using ScadaLink.ConfigurationDatabase;
namespace ScadaLink.ConfigurationDatabase.Tests;
public class DataProtectionTests : IDisposable
{
private readonly string _dbPath;
public DataProtectionTests()
{
_dbPath = Path.Combine(Path.GetTempPath(), $"scadalink_dp_test_{Guid.NewGuid()}.db");
}
public void Dispose()
{
if (File.Exists(_dbPath))
File.Delete(_dbPath);
}
[Fact]
public void SharedDataProtection_ProtectAndUnprotect_AcrossContainers()
{
var connectionString = $"DataSource={_dbPath}";
// Create the database schema
var setupOptions = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite(connectionString)
.Options;
using (var setupCtx = new ScadaLinkDbContext(setupOptions))
{
setupCtx.Database.EnsureCreated();
}
// Container 1: protect some data
var services1 = new ServiceCollection();
services1.AddDbContext<ScadaLinkDbContext>(opt => opt.UseSqlite(connectionString));
services1.AddDataProtection()
.SetApplicationName("ScadaLink")
.PersistKeysToDbContext<ScadaLinkDbContext>();
using var provider1 = services1.BuildServiceProvider();
var protector1 = provider1.GetRequiredService<IDataProtectionProvider>()
.CreateProtector("test-purpose");
var protectedPayload = protector1.Protect("secret-data");
// Container 2: unprotect using the same DB (shared keys)
var services2 = new ServiceCollection();
services2.AddDbContext<ScadaLinkDbContext>(opt => opt.UseSqlite(connectionString));
services2.AddDataProtection()
.SetApplicationName("ScadaLink")
.PersistKeysToDbContext<ScadaLinkDbContext>();
using var provider2 = services2.BuildServiceProvider();
var protector2 = provider2.GetRequiredService<IDataProtectionProvider>()
.CreateProtector("test-purpose");
var unprotected = protector2.Unprotect(protectedPayload);
Assert.Equal("secret-data", unprotected);
}
}

410
tests/ScadaLink.ConfigurationDatabase.Tests/RepositoryTests.cs Normal file
View File

@@ -0,0 +1,410 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;
using ScadaLink.Commons.Entities.Audit;
using ScadaLink.Commons.Entities.Deployment;
using ScadaLink.Commons.Entities.Instances;
using ScadaLink.Commons.Entities.Security;
using ScadaLink.Commons.Entities.Sites;
using ScadaLink.Commons.Entities.Templates;
using ScadaLink.Commons.Types.Enums;
using ScadaLink.ConfigurationDatabase;
using ScadaLink.ConfigurationDatabase.Repositories;
namespace ScadaLink.ConfigurationDatabase.Tests;
public class SecurityRepositoryTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
private readonly SecurityRepository _repository;
public SecurityRepositoryTests()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
_context = new ScadaLinkDbContext(options);
_context.Database.OpenConnection();
_context.Database.EnsureCreated();
_repository = new SecurityRepository(_context);
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task AddMapping_AndGetById_ReturnsMapping()
{
var mapping = new LdapGroupMapping("CN=Admins,DC=test", "Admin");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var loaded = await _repository.GetMappingByIdAsync(mapping.Id);
Assert.NotNull(loaded);
Assert.Equal("CN=Admins,DC=test", loaded.LdapGroupName);
Assert.Equal("Admin", loaded.Role);
}
[Fact]
public async Task GetAllMappings_ReturnsAll()
{
await _repository.AddMappingAsync(new LdapGroupMapping("Group1", "Admin"));
await _repository.AddMappingAsync(new LdapGroupMapping("Group2", "Design"));
await _repository.SaveChangesAsync();
// +1 for seed data
var all = await _repository.GetAllMappingsAsync();
Assert.True(all.Count >= 2);
}
[Fact]
public async Task GetMappingsByRole_FiltersCorrectly()
{
await _repository.AddMappingAsync(new LdapGroupMapping("Designers", "Design"));
await _repository.AddMappingAsync(new LdapGroupMapping("Deployers", "Deployment"));
await _repository.SaveChangesAsync();
var designMappings = await _repository.GetMappingsByRoleAsync("Design");
Assert.Single(designMappings);
Assert.Equal("Designers", designMappings[0].LdapGroupName);
}
[Fact]
public async Task UpdateMapping_PersistsChange()
{
var mapping = new LdapGroupMapping("OldGroup", "Admin");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
mapping.Role = "Design";
await _repository.UpdateMappingAsync(mapping);
await _repository.SaveChangesAsync();
_context.ChangeTracker.Clear();
var loaded = await _repository.GetMappingByIdAsync(mapping.Id);
Assert.Equal("Design", loaded!.Role);
}
[Fact]
public async Task DeleteMapping_RemovesEntity()
{
var mapping = new LdapGroupMapping("ToDelete", "Admin");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
await _repository.DeleteMappingAsync(mapping.Id);
await _repository.SaveChangesAsync();
var loaded = await _repository.GetMappingByIdAsync(mapping.Id);
Assert.Null(loaded);
}
[Fact]
public async Task AddScopeRule_AndGetForMapping()
{
var site = new Site("Site1", "SITE-001");
_context.Sites.Add(site);
var mapping = new LdapGroupMapping("Deployers", "Deployment");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var rule = new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site.Id };
await _repository.AddScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
var rules = await _repository.GetScopeRulesForMappingAsync(mapping.Id);
Assert.Single(rules);
Assert.Equal(site.Id, rules[0].SiteId);
}
[Fact]
public async Task GetScopeRuleById_ReturnsRule()
{
var site = new Site("Site1", "SITE-001");
_context.Sites.Add(site);
var mapping = new LdapGroupMapping("Group", "Deployment");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var rule = new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site.Id };
await _repository.AddScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
var loaded = await _repository.GetScopeRuleByIdAsync(rule.Id);
Assert.NotNull(loaded);
Assert.Equal(mapping.Id, loaded.LdapGroupMappingId);
}
[Fact]
public async Task UpdateScopeRule_PersistsChange()
{
var site1 = new Site("Site1", "SITE-001");
var site2 = new Site("Site2", "SITE-002");
_context.Sites.AddRange(site1, site2);
var mapping = new LdapGroupMapping("Group", "Deployment");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var rule = new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site1.Id };
await _repository.AddScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
rule.SiteId = site2.Id;
await _repository.UpdateScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
_context.ChangeTracker.Clear();
var loaded = await _repository.GetScopeRuleByIdAsync(rule.Id);
Assert.Equal(site2.Id, loaded!.SiteId);
}
[Fact]
public async Task DeleteScopeRule_RemovesEntity()
{
var site = new Site("Site1", "SITE-001");
_context.Sites.Add(site);
var mapping = new LdapGroupMapping("Group", "Deployment");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var rule = new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site.Id };
await _repository.AddScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
await _repository.DeleteScopeRuleAsync(rule.Id);
await _repository.SaveChangesAsync();
var loaded = await _repository.GetScopeRuleByIdAsync(rule.Id);
Assert.Null(loaded);
}
}
public class CentralUiRepositoryTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
private readonly CentralUiRepository _repository;
public CentralUiRepositoryTests()
{
_context = SqliteTestHelper.CreateInMemoryContext();
_repository = new CentralUiRepository(_context);
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task GetAllSites_ReturnsOrderedByName()
{
_context.Sites.AddRange(
new Site("Zulu", "Z-001"),
new Site("Alpha", "A-001"));
await _context.SaveChangesAsync();
var sites = await _repository.GetAllSitesAsync();
Assert.Equal(2, sites.Count);
Assert.Equal("Alpha", sites[0].Name);
Assert.Equal("Zulu", sites[1].Name);
}
[Fact]
public async Task GetInstancesFiltered_BySiteId()
{
var site1 = new Site("Site1", "S-001");
var site2 = new Site("Site2", "S-002");
var template = new Template("T1");
_context.Sites.AddRange(site1, site2);
_context.Templates.Add(template);
await _context.SaveChangesAsync();
_context.Instances.AddRange(
new Instance("Inst1") { SiteId = site1.Id, TemplateId = template.Id },
new Instance("Inst2") { SiteId = site2.Id, TemplateId = template.Id });
await _context.SaveChangesAsync();
var instances = await _repository.GetInstancesFilteredAsync(siteId: site1.Id);
Assert.Single(instances);
Assert.Equal("Inst1", instances[0].UniqueName);
}
[Fact]
public async Task GetInstancesFiltered_BySearchTerm()
{
var site = new Site("Site1", "S-001");
var template = new Template("T1");
_context.Sites.Add(site);
_context.Templates.Add(template);
await _context.SaveChangesAsync();
_context.Instances.AddRange(
new Instance("PumpStation1") { SiteId = site.Id, TemplateId = template.Id },
new Instance("TankLevel1") { SiteId = site.Id, TemplateId = template.Id });
await _context.SaveChangesAsync();
var instances = await _repository.GetInstancesFilteredAsync(searchTerm: "Pump");
Assert.Single(instances);
}
[Fact]
public async Task GetRecentDeployments_ReturnsInReverseChronological()
{
var site = new Site("Site1", "S-001");
var template = new Template("T1");
_context.Sites.Add(site);
_context.Templates.Add(template);
await _context.SaveChangesAsync();
var instance = new Instance("I1") { SiteId = site.Id, TemplateId = template.Id };
_context.Instances.Add(instance);
await _context.SaveChangesAsync();
_context.DeploymentRecords.AddRange(
new DeploymentRecord("d-001", "admin") { InstanceId = instance.Id, DeployedAt = DateTimeOffset.UtcNow.AddHours(-2) },
new DeploymentRecord("d-002", "admin") { InstanceId = instance.Id, DeployedAt = DateTimeOffset.UtcNow.AddHours(-1) },
new DeploymentRecord("d-003", "admin") { InstanceId = instance.Id, DeployedAt = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var recent = await _repository.GetRecentDeploymentsAsync(2);
Assert.Equal(2, recent.Count);
Assert.Equal("d-003", recent[0].DeploymentId);
Assert.Equal("d-002", recent[1].DeploymentId);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByUser()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("user1", "Update", "Instance", "2", "I1") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(user: "admin");
Assert.Single(entries);
Assert.Equal(1, total);
Assert.Equal("admin", entries[0].User);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByEntityType()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("admin", "Create", "Instance", "2", "I1") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(entityType: "Template");
Assert.Single(entries);
Assert.Equal(1, total);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByActionType()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("admin", "Delete", "Template", "2", "T2") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(action: "Delete");
Assert.Single(entries);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByTimeRange()
{
var now = DateTimeOffset.UtcNow;
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = now.AddHours(-5) },
new AuditLogEntry("admin", "Update", "Template", "2", "T2") { Timestamp = now.AddHours(-1) });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(from: now.AddHours(-2));
Assert.Single(entries);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByEntityId()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("admin", "Create", "Template", "2", "T2") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(entityId: "1");
Assert.Single(entries);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByEntityName()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "PumpStation") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("admin", "Create", "Template", "2", "TankLevel") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(entityName: "Pump");
Assert.Single(entries);
}
[Fact]
public async Task GetAuditLogEntries_ReverseChronologicalWithPagination()
{
var now = DateTimeOffset.UtcNow;
for (int i = 0; i < 10; i++)
{
_context.AuditLogEntries.Add(new AuditLogEntry("admin", "Create", "Template", i.ToString(), $"T{i}")
{
Timestamp = now.AddMinutes(i)
});
}
await _context.SaveChangesAsync();
var (page1, total) = await _repository.GetAuditLogEntriesAsync(page: 1, pageSize: 3);
Assert.Equal(10, total);
Assert.Equal(3, page1.Count);
Assert.Equal("T9", page1[0].EntityName); // Most recent first
var (page2, _) = await _repository.GetAuditLogEntriesAsync(page: 2, pageSize: 3);
Assert.Equal(3, page2.Count);
Assert.Equal("T6", page2[0].EntityName);
}
[Fact]
public async Task GetTemplateTree_IncludesChildren()
{
var template = new Template("TestTemplate");
template.Attributes.Add(new TemplateAttribute("Attr1") { DataType = DataType.Int32 });
_context.Templates.Add(template);
await _context.SaveChangesAsync();
var tree = await _repository.GetTemplateTreeAsync();
Assert.NotEmpty(tree);
var loaded = tree.First(t => t.Name == "TestTemplate");
Assert.Single(loaded.Attributes);
}
[Fact]
public async Task GetAreaTree_ReturnsHierarchy()
{
var site = new Site("Site1", "S-001");
_context.Sites.Add(site);
await _context.SaveChangesAsync();
var parent = new Area("Building A") { SiteId = site.Id };
_context.Areas.Add(parent);
await _context.SaveChangesAsync();
var child = new Area("Floor 1") { SiteId = site.Id, ParentAreaId = parent.Id };
_context.Areas.Add(child);
await _context.SaveChangesAsync();
var areas = await _repository.GetAreaTreeBySiteIdAsync(site.Id);
Assert.Equal(2, areas.Count);
}
}

2
tests/ScadaLink.ConfigurationDatabase.Tests/ScadaLink.ConfigurationDatabase.Tests.csproj
View File

@@ -11,6 +11,8 @@
<ItemGroup>
<PackageReference Include="coverlet.collector" Version="6.0.4" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.5" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
<PackageReference Include="xunit" Version="2.9.3" />

37
tests/ScadaLink.ConfigurationDatabase.Tests/SeedDataTests.cs Normal file
View File

@@ -0,0 +1,37 @@
using Microsoft.EntityFrameworkCore;
using ScadaLink.ConfigurationDatabase;
namespace ScadaLink.ConfigurationDatabase.Tests;
public class SeedDataTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
public SeedDataTests()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
_context = new ScadaLinkDbContext(options);
_context.Database.OpenConnection();
_context.Database.EnsureCreated();
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task SeedData_AdminMappingExists()
{
var adminMapping = await _context.LdapGroupMappings
.SingleOrDefaultAsync(m => m.LdapGroupName == "SCADA-Admins");
Assert.NotNull(adminMapping);
Assert.Equal("Admin", adminMapping.Role);
Assert.Equal(1, adminMapping.Id);
}
}

75
tests/ScadaLink.ConfigurationDatabase.Tests/SqliteTestHelper.cs Normal file
View File

@@ -0,0 +1,75 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using ScadaLink.ConfigurationDatabase;
namespace ScadaLink.ConfigurationDatabase.Tests;
/// <summary>
/// Test DbContext that maps DateTimeOffset to a sortable string format for SQLite.
/// EF Core 10 SQLite provider does not support ORDER BY on DateTimeOffset columns.
/// </summary>
public class SqliteTestDbContext : ScadaLinkDbContext
{
public SqliteTestDbContext(DbContextOptions<ScadaLinkDbContext> options) : base(options)
{
}
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
// Convert DateTimeOffset to ISO 8601 string for SQLite so ORDER BY works
var converter = new ValueConverter<DateTimeOffset, string>(
v => v.UtcDateTime.ToString("o"),
v => DateTimeOffset.Parse(v));
var nullableConverter = new ValueConverter<DateTimeOffset?, string?>(
v => v.HasValue ? v.Value.UtcDateTime.ToString("o") : null,
v => v != null ? DateTimeOffset.Parse(v) : null);
foreach (var entityType in modelBuilder.Model.GetEntityTypes())
{
foreach (var property in entityType.GetProperties())
{
if (property.ClrType == typeof(DateTimeOffset))
{
property.SetValueConverter(converter);
property.SetColumnType("TEXT");
}
else if (property.ClrType == typeof(DateTimeOffset?))
{
property.SetValueConverter(nullableConverter);
property.SetColumnType("TEXT");
}
}
}
}
}
public static class SqliteTestHelper
{
public static ScadaLinkDbContext CreateInMemoryContext()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.ConfigureWarnings(w => w.Ignore(RelationalEventId.PendingModelChangesWarning))
.Options;
var context = new SqliteTestDbContext(options);
context.Database.OpenConnection();
context.Database.EnsureCreated();
return context;
}
public static ScadaLinkDbContext CreateFileContext(string dbPath)
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite($"DataSource={dbPath}")
.ConfigureWarnings(w => w.Ignore(RelationalEventId.PendingModelChangesWarning))
.Options;
var context = new SqliteTestDbContext(options);
return context;
}
}

12
tests/ScadaLink.Security.Tests/ScadaLink.Security.Tests.csproj
View File

@@ -1,4 +1,4 @@
<Project Sdk="Microsoft.NET.Sdk">
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
@@ -10,6 +10,12 @@
<ItemGroup>
<PackageReference Include="coverlet.collector" Version="6.0.4" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.Logging" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.Authorization" Version="10.0.5" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
<PackageReference Include="xunit" Version="2.9.3" />
<PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />
@@ -21,6 +27,8 @@
<ItemGroup>
<ProjectReference Include="../../src/ScadaLink.Security/ScadaLink.Security.csproj" />
<ProjectReference Include="../../src/ScadaLink.ConfigurationDatabase/ScadaLink.ConfigurationDatabase.csproj" />
<ProjectReference Include="../../src/ScadaLink.Commons/ScadaLink.Commons.csproj" />
</ItemGroup>
</Project>
</Project>

505
tests/ScadaLink.Security.Tests/UnitTest1.cs
View File

@@ -1,10 +1,507 @@
namespace ScadaLink.Security.Tests;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using ScadaLink.Commons.Entities.Security;
using ScadaLink.Commons.Entities.Sites;
using ScadaLink.ConfigurationDatabase;
using ScadaLink.ConfigurationDatabase.Repositories;
using ScadaLink.Security;
public class UnitTest1
namespace ScadaLink.Security.Tests;
#region WP-6: LdapAuthService Tests
public class LdapAuthServiceTests
{
[Fact]
public void Test1()
private static SecurityOptions CreateOptions(bool useTls = true, bool allowInsecure = false) => new()
{
LdapServer = "ldap.example.com",
LdapPort = 636,
LdapUseTls = useTls,
AllowInsecureLdap = allowInsecure,
LdapSearchBase = "dc=example,dc=com",
JwtSigningKey = "test-key-that-is-long-enough-for-hmac-sha256-minimum"
};
[Fact]
public async Task AuthenticateAsync_EmptyUsername_ReturnsFailed()
{
var service = new LdapAuthService(
Options.Create(CreateOptions()),
NullLogger<LdapAuthService>.Instance);
var result = await service.AuthenticateAsync("", "password");
Assert.False(result.Success);
Assert.Contains("Username is required", result.ErrorMessage);
}
[Fact]
public async Task AuthenticateAsync_EmptyPassword_ReturnsFailed()
{
var service = new LdapAuthService(
Options.Create(CreateOptions()),
NullLogger<LdapAuthService>.Instance);
var result = await service.AuthenticateAsync("user", "");
Assert.False(result.Success);
Assert.Contains("Password is required", result.ErrorMessage);
}
[Fact]
public async Task AuthenticateAsync_InsecureLdapNotAllowed_ReturnsFailed()
{
var service = new LdapAuthService(
Options.Create(CreateOptions(useTls: false, allowInsecure: false)),
NullLogger<LdapAuthService>.Instance);
var result = await service.AuthenticateAsync("user", "password");
Assert.False(result.Success);
Assert.Contains("Insecure LDAP", result.ErrorMessage);
}
[Fact]
public async Task AuthenticateAsync_ConnectionFailure_ReturnsFailed()
{
// Point to a non-existent server — connection should fail
var options = CreateOptions();
options.LdapServer = "nonexistent.invalid";
options.LdapPort = 9999;
var service = new LdapAuthService(
Options.Create(options),
NullLogger<LdapAuthService>.Instance);
var result = await service.AuthenticateAsync("user", "password");
Assert.False(result.Success);
}
}
#endregion
#region WP-7: JwtTokenService Tests
public class JwtTokenServiceTests
{
private static SecurityOptions CreateOptions() => new()
{
JwtSigningKey = "this-is-a-test-signing-key-for-hmac-sha256-must-be-long-enough",
JwtExpiryMinutes = 15,
IdleTimeoutMinutes = 30,
JwtRefreshThresholdMinutes = 5
};
private static JwtTokenService CreateService(SecurityOptions? options = null)
{
return new JwtTokenService(
Options.Create(options ?? CreateOptions()),
NullLogger<JwtTokenService>.Instance);
}
[Fact]
public void GenerateToken_ContainsCorrectClaims()
{
var service = CreateService();
var token = service.GenerateToken(
"John Doe", "johnd",
new[] { "Admin", "Design" },
new[] { "1", "2" });
var principal = service.ValidateToken(token);
Assert.NotNull(principal);
Assert.Equal("John Doe", principal!.FindFirst(JwtTokenService.DisplayNameClaimType)?.Value);
Assert.Equal("johnd", principal.FindFirst(JwtTokenService.UsernameClaimType)?.Value);
var roles = principal.FindAll(JwtTokenService.RoleClaimType).Select(c => c.Value).ToList();
Assert.Contains("Admin", roles);
Assert.Contains("Design", roles);
var siteIds = principal.FindAll(JwtTokenService.SiteIdClaimType).Select(c => c.Value).ToList();
Assert.Contains("1", siteIds);
Assert.Contains("2", siteIds);
Assert.NotNull(principal.FindFirst(JwtTokenService.LastActivityClaimType));
}
[Fact]
public void GenerateToken_NullSiteIds_NoSiteIdClaims()
{
var service = CreateService();
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(token);
Assert.NotNull(principal);
Assert.Empty(principal!.FindAll(JwtTokenService.SiteIdClaimType));
}
[Fact]
public void ValidateToken_InvalidToken_ReturnsNull()
{
var service = CreateService();
var result = service.ValidateToken("invalid.token.here");
Assert.Null(result);
}
[Fact]
public void ValidateToken_WrongKey_ReturnsNull()
{
var service1 = CreateService();
var token = service1.GenerateToken("User", "user", new[] { "Admin" }, null);
var service2 = CreateService(new SecurityOptions
{
JwtSigningKey = "a-completely-different-signing-key-for-hmac-sha256-validation",
JwtExpiryMinutes = 15,
IdleTimeoutMinutes = 30,
JwtRefreshThresholdMinutes = 5
});
var result = service2.ValidateToken(token);
Assert.Null(result);
}
[Fact]
public void ValidateToken_UsesHmacSha256()
{
var service = CreateService();
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
// Decode header to verify algorithm
var parts = token.Split('.');
var headerJson = System.Text.Encoding.UTF8.GetString(
Convert.FromBase64String(parts[0].PadRight((parts[0].Length + 3) & ~3, '=')));
Assert.Contains("HS256", headerJson);
}
[Fact]
public void ShouldRefresh_TokenNearExpiry_ReturnsTrue()
{
var options = CreateOptions();
options.JwtExpiryMinutes = 3; // Token expires in 3 min, threshold is 5 min
var service = CreateService(options);
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(token);
Assert.True(service.ShouldRefresh(principal!));
}
[Fact]
public void ShouldRefresh_TokenFarFromExpiry_ReturnsFalse()
{
var service = CreateService(); // 15 min expiry, 5 min threshold
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(token);
Assert.False(service.ShouldRefresh(principal!));
}
[Fact]
public void IsIdleTimedOut_RecentActivity_ReturnsFalse()
{
var service = CreateService();
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(token);
Assert.False(service.IsIdleTimedOut(principal!));
}
[Fact]
public void IsIdleTimedOut_NoLastActivityClaim_ReturnsTrue()
{
var service = CreateService();
var principal = new ClaimsPrincipal(new ClaimsIdentity(new[]
{
new Claim(JwtTokenService.DisplayNameClaimType, "User")
}));
Assert.True(service.IsIdleTimedOut(principal));
}
[Fact]
public void RefreshToken_ReturnsNewTokenWithUpdatedClaims()
{
var service = CreateService();
var originalToken = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(originalToken);
var newToken = service.RefreshToken(principal!, new[] { "Admin", "Design" }, new[] { "1" });
Assert.NotNull(newToken);
var newPrincipal = service.ValidateToken(newToken!);
var roles = newPrincipal!.FindAll(JwtTokenService.RoleClaimType).Select(c => c.Value).ToList();
Assert.Contains("Design", roles);
}
[Fact]
public void RefreshToken_MissingClaims_ReturnsNull()
{
var service = CreateService();
var principal = new ClaimsPrincipal(new ClaimsIdentity());
var result = service.RefreshToken(principal, new[] { "Admin" }, null);
Assert.Null(result);
}
}
#endregion
#region WP-8: RoleMapper Tests
public class RoleMapperTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
private readonly SecurityRepository _securityRepo;
private readonly RoleMapper _roleMapper;
public RoleMapperTests()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
_context = new ScadaLinkDbContext(options);
_context.Database.OpenConnection();
_context.Database.EnsureCreated();
_securityRepo = new SecurityRepository(_context);
_roleMapper = new RoleMapper(_securityRepo);
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task MapGroupsToRoles_MultiRoleExtraction()
{
// Add mappings (note: seed data adds SCADA-Admins -> Admin)
_context.LdapGroupMappings.Add(new LdapGroupMapping("Designers", "Design"));
_context.LdapGroupMappings.Add(new LdapGroupMapping("Deployers", "Deployment"));
await _context.SaveChangesAsync();
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "SCADA-Admins", "Designers" });
Assert.Contains("Admin", result.Roles);
Assert.Contains("Design", result.Roles);
Assert.DoesNotContain("Deployment", result.Roles);
}
[Fact]
public async Task MapGroupsToRoles_SiteScopedDeployment()
{
var site1 = new Site("Site1", "S-001");
var site2 = new Site("Site2", "S-002");
_context.Sites.AddRange(site1, site2);
_context.LdapGroupMappings.Add(new LdapGroupMapping("SiteDeployers", "Deployment"));
await _context.SaveChangesAsync();
var mapping = await _context.LdapGroupMappings.SingleAsync(m => m.LdapGroupName == "SiteDeployers");
_context.SiteScopeRules.AddRange(
new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site1.Id },
new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site2.Id });
await _context.SaveChangesAsync();
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "SiteDeployers" });
Assert.Contains("Deployment", result.Roles);
Assert.False(result.IsSystemWideDeployment);
Assert.Contains(site1.Id.ToString(), result.PermittedSiteIds);
Assert.Contains(site2.Id.ToString(), result.PermittedSiteIds);
}
[Fact]
public async Task MapGroupsToRoles_SystemWideDeployment_NoScopeRules()
{
_context.LdapGroupMappings.Add(new LdapGroupMapping("GlobalDeployers", "Deployment"));
await _context.SaveChangesAsync();
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "GlobalDeployers" });
Assert.Contains("Deployment", result.Roles);
Assert.True(result.IsSystemWideDeployment);
Assert.Empty(result.PermittedSiteIds);
}
[Fact]
public async Task MapGroupsToRoles_UnrecognizedGroups_Ignored()
{
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "NonExistentGroup", "AnotherRandom" });
Assert.Empty(result.Roles);
Assert.Empty(result.PermittedSiteIds);
Assert.False(result.IsSystemWideDeployment);
}
[Fact]
public async Task MapGroupsToRoles_NoMatchingGroups_NoRoles()
{
var result = await _roleMapper.MapGroupsToRolesAsync(Array.Empty<string>());
Assert.Empty(result.Roles);
}
[Fact]
public async Task MapGroupsToRoles_CaseInsensitiveGroupMatch()
{
// "SCADA-Admins" is seeded
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "scada-admins" });
Assert.Contains("Admin", result.Roles);
}
}
#endregion
#region WP-9: Authorization Policy Tests
public class AuthorizationPolicyTests
{
[Fact]
public async Task AdminPolicy_AdminRole_Succeeds()
{
var principal = CreatePrincipal(new[] { "Admin" });
var result = await EvaluatePolicy(AuthorizationPolicies.RequireAdmin, principal);
Assert.True(result);
}
[Fact]
public async Task AdminPolicy_DesignRole_Fails()
{
var principal = CreatePrincipal(new[] { "Design" });
var result = await EvaluatePolicy(AuthorizationPolicies.RequireAdmin, principal);
Assert.False(result);
}
[Fact]
public async Task DesignPolicy_DesignRole_Succeeds()
{
var principal = CreatePrincipal(new[] { "Design" });
var result = await EvaluatePolicy(AuthorizationPolicies.RequireDesign, principal);
Assert.True(result);
}
[Fact]
public async Task DeploymentPolicy_DeploymentRole_Succeeds()
{
var principal = CreatePrincipal(new[] { "Deployment" });
var result = await EvaluatePolicy(AuthorizationPolicies.RequireDeployment, principal);
Assert.True(result);
}
[Fact]
public async Task NoRoles_DeniedAll()
{
var principal = CreatePrincipal(Array.Empty<string>());
Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireAdmin, principal));
Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDesign, principal));
Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDeployment, principal));
}
[Fact]
public async Task SiteScope_SystemWideDeployer_Succeeds()
{
var handler = new SiteScopeAuthorizationHandler();
var claims = new List<Claim>
{
new(JwtTokenService.RoleClaimType, "Deployment")
// No SiteId claims = system-wide
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
var requirement = new SiteScopeRequirement("42");
var context = new AuthorizationHandlerContext(new[] { requirement }, principal, null);
await handler.HandleAsync(context);
Assert.True(context.HasSucceeded);
}
[Fact]
public async Task SiteScope_PermittedSite_Succeeds()
{
var handler = new SiteScopeAuthorizationHandler();
var claims = new List<Claim>
{
new(JwtTokenService.RoleClaimType, "Deployment"),
new(JwtTokenService.SiteIdClaimType, "1"),
new(JwtTokenService.SiteIdClaimType, "2")
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
var requirement = new SiteScopeRequirement("1");
var context = new AuthorizationHandlerContext(new[] { requirement }, principal, null);
await handler.HandleAsync(context);
Assert.True(context.HasSucceeded);
}
[Fact]
public async Task SiteScope_UnpermittedSite_Fails()
{
var handler = new SiteScopeAuthorizationHandler();
var claims = new List<Claim>
{
new(JwtTokenService.RoleClaimType, "Deployment"),
new(JwtTokenService.SiteIdClaimType, "1")
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
var requirement = new SiteScopeRequirement("99");
var context = new AuthorizationHandlerContext(new[] { requirement }, principal, null);
await handler.HandleAsync(context);
Assert.False(context.HasSucceeded);
}
[Fact]
public async Task SiteScope_NoDeploymentRole_Fails()
{
var handler = new SiteScopeAuthorizationHandler();
var claims = new List<Claim>
{
new(JwtTokenService.RoleClaimType, "Admin")
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
var requirement = new SiteScopeRequirement("1");
var context = new AuthorizationHandlerContext(new[] { requirement }, principal, null);
await handler.HandleAsync(context);
Assert.False(context.HasSucceeded);
}
private static ClaimsPrincipal CreatePrincipal(string[] roles, string[]? siteIds = null)
{
var claims = new List<Claim>();
foreach (var role in roles)
claims.Add(new Claim(JwtTokenService.RoleClaimType, role));
if (siteIds != null)
foreach (var siteId in siteIds)
claims.Add(new Claim(JwtTokenService.SiteIdClaimType, siteId));
return new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
}
private static async Task<bool> EvaluatePolicy(string policyName, ClaimsPrincipal principal)
{
var services = new ServiceCollection();
services.AddScadaLinkAuthorization();
services.AddLogging();
using var provider = services.BuildServiceProvider();
var authService = provider.GetRequiredService<IAuthorizationService>();
var result = await authService.AuthorizeAsync(principal, null, policyName);
return result.Succeeded;
}
}
#endregion