Phase 1 WP-2–10: Repositories, audit service, security & auth (LDAP, JWT, roles, policies, data protection)

- WP-2: SecurityRepository + CentralUiRepository with audit log queries - WP-3: AuditService with transactional guarantee (same SaveChangesAsync) - WP-4: Optimistic concurrency tests (deployment records vs template last-write-wins) - WP-5: Seed data (SCADA-Admins → Admin role mapping) - WP-6: LdapAuthService (direct bind, TLS enforcement, group query) - WP-7: JwtTokenService (HMAC-SHA256, 15-min refresh, 30-min idle timeout) - WP-8: RoleMapper (LDAP groups → roles with site-scoped deployment) - WP-9: Authorization policies (Admin/Design/Deployment + site scope handler) - WP-10: Shared Data Protection keys via EF Core 141 tests pass, zero warnings.
2026-03-16 19:32:43 -04:00
parent 1996b21961
commit cafb7d2006
31 changed files with 3356 additions and 8 deletions
--- a/tests/ScadaLink.ConfigurationDatabase.Tests/DataProtectionTests.cs
+++ b/tests/ScadaLink.ConfigurationDatabase.Tests/DataProtectionTests.cs
@@ -0,0 +1,63 @@
+using Microsoft.AspNetCore.DataProtection;
+using Microsoft.EntityFrameworkCore;
+using Microsoft.Extensions.DependencyInjection;
+using ScadaLink.ConfigurationDatabase;
+
+namespace ScadaLink.ConfigurationDatabase.Tests;
+
+public class DataProtectionTests : IDisposable
+{
+    private readonly string _dbPath;
+
+    public DataProtectionTests()
+    {
+        _dbPath = Path.Combine(Path.GetTempPath(), $"scadalink_dp_test_{Guid.NewGuid()}.db");
+    }
+
+    public void Dispose()
+    {
+        if (File.Exists(_dbPath))
+            File.Delete(_dbPath);
+    }
+
+    [Fact]
+    public void SharedDataProtection_ProtectAndUnprotect_AcrossContainers()
+    {
+        var connectionString = $"DataSource={_dbPath}";
+
+        // Create the database schema
+        var setupOptions = new DbContextOptionsBuilder<ScadaLinkDbContext>()
+            .UseSqlite(connectionString)
+            .Options;
+        using (var setupCtx = new ScadaLinkDbContext(setupOptions))
+        {
+            setupCtx.Database.EnsureCreated();
+        }
+
+        // Container 1: protect some data
+        var services1 = new ServiceCollection();
+        services1.AddDbContext<ScadaLinkDbContext>(opt => opt.UseSqlite(connectionString));
+        services1.AddDataProtection()
+            .SetApplicationName("ScadaLink")
+            .PersistKeysToDbContext<ScadaLinkDbContext>();
+
+        using var provider1 = services1.BuildServiceProvider();
+        var protector1 = provider1.GetRequiredService<IDataProtectionProvider>()
+            .CreateProtector("test-purpose");
+        var protectedPayload = protector1.Protect("secret-data");
+
+        // Container 2: unprotect using the same DB (shared keys)
+        var services2 = new ServiceCollection();
+        services2.AddDbContext<ScadaLinkDbContext>(opt => opt.UseSqlite(connectionString));
+        services2.AddDataProtection()
+            .SetApplicationName("ScadaLink")
+            .PersistKeysToDbContext<ScadaLinkDbContext>();
+
+        using var provider2 = services2.BuildServiceProvider();
+        var protector2 = provider2.GetRequiredService<IDataProtectionProvider>()
+            .CreateProtector("test-purpose");
+        var unprotected = protector2.Unprotect(protectedPayload);
+
+        Assert.Equal("secret-data", unprotected);
+    }
+}