dohertj2/scadalink-design
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 1 WP-2–10: Repositories, audit service, security & auth (LDAP, JWT, roles, policies, data protection)

Browse Source 
- WP-2: SecurityRepository + CentralUiRepository with audit log queries
- WP-3: AuditService with transactional guarantee (same SaveChangesAsync)
- WP-4: Optimistic concurrency tests (deployment records vs template last-write-wins)
- WP-5: Seed data (SCADA-Admins → Admin role mapping)
- WP-6: LdapAuthService (direct bind, TLS enforcement, group query)
- WP-7: JwtTokenService (HMAC-SHA256, 15-min refresh, 30-min idle timeout)
- WP-8: RoleMapper (LDAP groups → roles with site-scoped deployment)
- WP-9: Authorization policies (Admin/Design/Deployment + site scope handler)
- WP-10: Shared Data Protection keys via EF Core
141 tests pass, zero warnings.
This commit is contained in:
Joseph Doherty
2026-03-16 19:32:43 -04:00
parent 1996b21961
commit cafb7d2006
31 changed files with 3356 additions and 8 deletions
Download Patch File Download Diff File Expand all files Collapse all files

3
src/ScadaLink.Commons/Entities/Security/LdapGroupMapping.cs
View File

@@ -6,6 +6,9 @@ public class LdapGroupMapping
public string LdapGroupName { get; set; }
public string Role { get; set; }
// Parameterless constructor for EF Core seed data
private LdapGroupMapping() { LdapGroupName = null!; Role = null!; }
public LdapGroupMapping(string ldapGroupName, string role)
{
LdapGroupName = ldapGroupName ?? throw new ArgumentNullException(nameof(ldapGroupName));

14
src/ScadaLink.Commons/Interfaces/Repositories/ICentralUiRepository.cs
View File

@@ -1,3 +1,4 @@
using ScadaLink.Commons.Entities.Audit;
using ScadaLink.Commons.Entities.Deployment;
using ScadaLink.Commons.Entities.Instances;
using ScadaLink.Commons.Entities.Sites;
@@ -15,5 +16,18 @@ public interface ICentralUiRepository
Task<IReadOnlyList<DeploymentRecord>> GetRecentDeploymentsAsync(int count, CancellationToken cancellationToken = default);
Task<IReadOnlyList<Area>> GetAreaTreeBySiteIdAsync(int siteId, CancellationToken cancellationToken = default);
// Audit log queries
Task<(IReadOnlyList<AuditLogEntry> Entries, int TotalCount)> GetAuditLogEntriesAsync(
string? user = null,
string? entityType = null,
string? action = null,
DateTimeOffset? from = null,
DateTimeOffset? to = null,
string? entityId = null,
string? entityName = null,
int page = 1,
int pageSize = 50,
CancellationToken cancellationToken = default);
Task<int> SaveChangesAsync(CancellationToken cancellationToken = default);
}

3
src/ScadaLink.ConfigurationDatabase/Configurations/SecurityConfiguration.cs
View File

@@ -20,6 +20,9 @@ public class LdapGroupMappingConfiguration : IEntityTypeConfiguration<LdapGroupM
.HasMaxLength(100);
builder.HasIndex(m => m.LdapGroupName).IsUnique();
// Seed default admin mapping
builder.HasData(new LdapGroupMapping("SCADA-Admins", "Admin") { Id = 1 });
}
}

1152
src/ScadaLink.ConfigurationDatabase/Migrations/20260316231942_SeedData.Designer.cs generated Normal file
View File

File diff suppressed because it is too large Load Diff

28
src/ScadaLink.ConfigurationDatabase/Migrations/20260316231942_SeedData.cs Normal file
View File

@@ -0,0 +1,28 @@
using Microsoft.EntityFrameworkCore.Migrations;
#nullable disable
namespace ScadaLink.ConfigurationDatabase.Migrations
{
/// <inheritdoc />
public partial class SeedData : Migration
{
/// <inheritdoc />
protected override void Up(MigrationBuilder migrationBuilder)
{
migrationBuilder.InsertData(
table: "LdapGroupMappings",
columns: new[] { "Id", "LdapGroupName", "Role" },
values: new object[] { 1, "SCADA-Admins", "Admin" });
}
/// <inheritdoc />
protected override void Down(MigrationBuilder migrationBuilder)
{
migrationBuilder.DeleteData(
table: "LdapGroupMappings",
keyColumn: "Id",
keyValue: 1);
}
}
}

8
src/ScadaLink.ConfigurationDatabase/Migrations/ScadaLinkDbContextModelSnapshot.cs
View File

@@ -631,6 +631,14 @@ namespace ScadaLink.ConfigurationDatabase.Migrations
.IsUnique();
b.ToTable("LdapGroupMappings");
b.HasData(
new
{
Id = 1,
LdapGroupName = "SCADA-Admins",
Role = "Admin"
});
});
modelBuilder.Entity("ScadaLink.Commons.Entities.Security.SiteScopeRule", b =>

147
src/ScadaLink.ConfigurationDatabase/Repositories/CentralUiRepository.cs Normal file
View File

@@ -0,0 +1,147 @@
using Microsoft.EntityFrameworkCore;
using ScadaLink.Commons.Entities.Audit;
using ScadaLink.Commons.Entities.Deployment;
using ScadaLink.Commons.Entities.Instances;
using ScadaLink.Commons.Entities.Sites;
using ScadaLink.Commons.Entities.Templates;
using ScadaLink.Commons.Interfaces.Repositories;
namespace ScadaLink.ConfigurationDatabase.Repositories;
public class CentralUiRepository : ICentralUiRepository
{
private readonly ScadaLinkDbContext _context;
public CentralUiRepository(ScadaLinkDbContext context)
{
_context = context ?? throw new ArgumentNullException(nameof(context));
}
public async Task<IReadOnlyList<Site>> GetAllSitesAsync(CancellationToken cancellationToken = default)
{
return await _context.Sites
.AsNoTracking()
.OrderBy(s => s.Name)
.ToListAsync(cancellationToken);
}
public async Task<IReadOnlyList<DataConnection>> GetDataConnectionsBySiteIdAsync(int siteId, CancellationToken cancellationToken = default)
{
return await _context.SiteDataConnectionAssignments
.AsNoTracking()
.Where(a => a.SiteId == siteId)
.Join(_context.DataConnections, a => a.DataConnectionId, d => d.Id, (_, d) => d)
.ToListAsync(cancellationToken);
}
public async Task<IReadOnlyList<SiteDataConnectionAssignment>> GetAllSiteDataConnectionAssignmentsAsync(CancellationToken cancellationToken = default)
{
return await _context.SiteDataConnectionAssignments
.AsNoTracking()
.ToListAsync(cancellationToken);
}
public async Task<IReadOnlyList<Template>> GetTemplateTreeAsync(CancellationToken cancellationToken = default)
{
return await _context.Templates
.AsNoTracking()
.Include(t => t.Attributes)
.Include(t => t.Alarms)
.Include(t => t.Scripts)
.Include(t => t.Compositions)
.OrderBy(t => t.Name)
.ToListAsync(cancellationToken);
}
public async Task<IReadOnlyList<Instance>> GetInstancesFilteredAsync(
int? siteId = null,
int? templateId = null,
string? searchTerm = null,
CancellationToken cancellationToken = default)
{
var query = _context.Instances.AsNoTracking().AsQueryable();
if (siteId.HasValue)
query = query.Where(i => i.SiteId == siteId.Value);
if (templateId.HasValue)
query = query.Where(i => i.TemplateId == templateId.Value);
if (!string.IsNullOrWhiteSpace(searchTerm))
query = query.Where(i => i.UniqueName.Contains(searchTerm));
return await query
.OrderBy(i => i.UniqueName)
.ToListAsync(cancellationToken);
}
public async Task<IReadOnlyList<DeploymentRecord>> GetRecentDeploymentsAsync(int count, CancellationToken cancellationToken = default)
{
return await _context.DeploymentRecords
.AsNoTracking()
.OrderByDescending(d => d.DeployedAt)
.Take(count)
.ToListAsync(cancellationToken);
}
public async Task<IReadOnlyList<Area>> GetAreaTreeBySiteIdAsync(int siteId, CancellationToken cancellationToken = default)
{
return await _context.Areas
.AsNoTracking()
.Where(a => a.SiteId == siteId)
.Include(a => a.Children)
.OrderBy(a => a.Name)
.ToListAsync(cancellationToken);
}
public async Task<(IReadOnlyList<AuditLogEntry> Entries, int TotalCount)> GetAuditLogEntriesAsync(
string? user = null,
string? entityType = null,
string? action = null,
DateTimeOffset? from = null,
DateTimeOffset? to = null,
string? entityId = null,
string? entityName = null,
int page = 1,
int pageSize = 50,
CancellationToken cancellationToken = default)
{
var query = _context.AuditLogEntries.AsNoTracking().AsQueryable();
if (!string.IsNullOrWhiteSpace(user))
query = query.Where(a => a.User == user);
if (!string.IsNullOrWhiteSpace(entityType))
query = query.Where(a => a.EntityType == entityType);
if (!string.IsNullOrWhiteSpace(action))
query = query.Where(a => a.Action == action);
if (from.HasValue)
query = query.Where(a => a.Timestamp >= from.Value);
if (to.HasValue)
query = query.Where(a => a.Timestamp <= to.Value);
if (!string.IsNullOrWhiteSpace(entityId))
query = query.Where(a => a.EntityId == entityId);
if (!string.IsNullOrWhiteSpace(entityName))
query = query.Where(a => a.EntityName.Contains(entityName));
var totalCount = await query.CountAsync(cancellationToken);
var entries = await query
.OrderByDescending(a => a.Timestamp)
.Skip((page - 1) * pageSize)
.Take(pageSize)
.ToListAsync(cancellationToken);
return (entries, totalCount);
}
public async Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
{
return await _context.SaveChangesAsync(cancellationToken);
}
}

93
src/ScadaLink.ConfigurationDatabase/Repositories/SecurityRepository.cs Normal file
View File

@@ -0,0 +1,93 @@
using Microsoft.EntityFrameworkCore;
using ScadaLink.Commons.Entities.Security;
using ScadaLink.Commons.Interfaces.Repositories;
namespace ScadaLink.ConfigurationDatabase.Repositories;
public class SecurityRepository : ISecurityRepository
{
private readonly ScadaLinkDbContext _context;
public SecurityRepository(ScadaLinkDbContext context)
{
_context = context ?? throw new ArgumentNullException(nameof(context));
}
// LdapGroupMapping
public async Task<LdapGroupMapping?> GetMappingByIdAsync(int id, CancellationToken cancellationToken = default)
{
return await _context.LdapGroupMappings.FindAsync(new object[] { id }, cancellationToken);
}
public async Task<IReadOnlyList<LdapGroupMapping>> GetAllMappingsAsync(CancellationToken cancellationToken = default)
{
return await _context.LdapGroupMappings.ToListAsync(cancellationToken);
}
public async Task<IReadOnlyList<LdapGroupMapping>> GetMappingsByRoleAsync(string role, CancellationToken cancellationToken = default)
{
return await _context.LdapGroupMappings
.Where(m => m.Role == role)
.ToListAsync(cancellationToken);
}
public async Task AddMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
{
await _context.LdapGroupMappings.AddAsync(mapping, cancellationToken);
}
public Task UpdateMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
{
_context.LdapGroupMappings.Update(mapping);
return Task.CompletedTask;
}
public async Task DeleteMappingAsync(int id, CancellationToken cancellationToken = default)
{
var mapping = await _context.LdapGroupMappings.FindAsync(new object[] { id }, cancellationToken);
if (mapping != null)
{
_context.LdapGroupMappings.Remove(mapping);
}
}
// SiteScopeRule
public async Task<SiteScopeRule?> GetScopeRuleByIdAsync(int id, CancellationToken cancellationToken = default)
{
return await _context.SiteScopeRules.FindAsync(new object[] { id }, cancellationToken);
}
public async Task<IReadOnlyList<SiteScopeRule>> GetScopeRulesForMappingAsync(int ldapGroupMappingId, CancellationToken cancellationToken = default)
{
return await _context.SiteScopeRules
.Where(r => r.LdapGroupMappingId == ldapGroupMappingId)
.ToListAsync(cancellationToken);
}
public async Task AddScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
{
await _context.SiteScopeRules.AddAsync(rule, cancellationToken);
}
public Task UpdateScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
{
_context.SiteScopeRules.Update(rule);
return Task.CompletedTask;
}
public async Task DeleteScopeRuleAsync(int id, CancellationToken cancellationToken = default)
{
var rule = await _context.SiteScopeRules.FindAsync(new object[] { id }, cancellationToken);
if (rule != null)
{
_context.SiteScopeRules.Remove(rule);
}
}
public async Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
{
return await _context.SaveChangesAsync(cancellationToken);
}
}

1
src/ScadaLink.ConfigurationDatabase/ScadaLink.ConfigurationDatabase.csproj
View File

@@ -17,6 +17,7 @@
<PackageReference Include="Microsoft.Extensions.Configuration.Json" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="10.0.5" />
</ItemGroup>
<ItemGroup>

6
src/ScadaLink.ConfigurationDatabase/ScadaLinkDbContext.cs
View File

@@ -1,3 +1,4 @@
using Microsoft.AspNetCore.DataProtection.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore;
using ScadaLink.Commons.Entities.Audit;
using ScadaLink.Commons.Entities.Deployment;
@@ -12,7 +13,7 @@ using ScadaLink.Commons.Entities.Templates;
namespace ScadaLink.ConfigurationDatabase;
public class ScadaLinkDbContext : DbContext
public class ScadaLinkDbContext : DbContext, IDataProtectionKeyContext
{
public ScadaLinkDbContext(DbContextOptions<ScadaLinkDbContext> options) : base(options)
{
@@ -64,6 +65,9 @@ public class ScadaLinkDbContext : DbContext
// Audit
public DbSet<AuditLogEntry> AuditLogEntries => Set<AuditLogEntry>();
// Data Protection Keys (for shared ASP.NET Data Protection across nodes)
public DbSet<DataProtectionKey> DataProtectionKeys => Set<DataProtectionKey>();
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
modelBuilder.ApplyConfigurationsFromAssembly(typeof(ScadaLinkDbContext).Assembly);

12
src/ScadaLink.ConfigurationDatabase/ServiceCollectionExtensions.cs
View File

@@ -1,5 +1,10 @@
using Microsoft.AspNetCore.DataProtection;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using ScadaLink.Commons.Interfaces.Repositories;
using ScadaLink.Commons.Interfaces.Services;
using ScadaLink.ConfigurationDatabase.Repositories;
using ScadaLink.ConfigurationDatabase.Services;
namespace ScadaLink.ConfigurationDatabase;
@@ -13,6 +18,13 @@ public static class ServiceCollectionExtensions
services.AddDbContext<ScadaLinkDbContext>(options =>
options.UseSqlServer(connectionString));
services.AddScoped<ISecurityRepository, SecurityRepository>();
services.AddScoped<ICentralUiRepository, CentralUiRepository>();
services.AddScoped<IAuditService, AuditService>();
services.AddDataProtection()
.PersistKeysToDbContext<ScadaLinkDbContext>();
return services;
}

37
src/ScadaLink.ConfigurationDatabase/Services/AuditService.cs Normal file
View File

@@ -0,0 +1,37 @@
using System.Text.Json;
using ScadaLink.Commons.Entities.Audit;
using ScadaLink.Commons.Interfaces.Services;
namespace ScadaLink.ConfigurationDatabase.Services;
public class AuditService : IAuditService
{
private readonly ScadaLinkDbContext _context;
public AuditService(ScadaLinkDbContext context)
{
_context = context ?? throw new ArgumentNullException(nameof(context));
}
public async Task LogAsync(
string user,
string action,
string entityType,
string entityId,
string entityName,
object? afterState,
CancellationToken cancellationToken = default)
{
var entry = new AuditLogEntry(user, action, entityType, entityId, entityName)
{
Timestamp = DateTimeOffset.UtcNow,
AfterStateJson = afterState != null
? JsonSerializer.Serialize(afterState)
: null
};
// Add to change tracker only — caller is responsible for calling SaveChangesAsync
// to ensure atomicity with the entity change.
await _context.AuditLogEntries.AddAsync(entry, cancellationToken);
}
}

30
src/ScadaLink.Security/AuthorizationPolicies.cs Normal file
View File

@@ -0,0 +1,30 @@
using Microsoft.AspNetCore.Authorization;
using Microsoft.Extensions.DependencyInjection;
namespace ScadaLink.Security;
public static class AuthorizationPolicies
{
public const string RequireAdmin = "RequireAdmin";
public const string RequireDesign = "RequireDesign";
public const string RequireDeployment = "RequireDeployment";
public static IServiceCollection AddScadaLinkAuthorization(this IServiceCollection services)
{
services.AddAuthorization(options =>
{
options.AddPolicy(RequireAdmin, policy =>
policy.RequireClaim(JwtTokenService.RoleClaimType, "Admin"));
options.AddPolicy(RequireDesign, policy =>
policy.RequireClaim(JwtTokenService.RoleClaimType, "Design"));
options.AddPolicy(RequireDeployment, policy =>
policy.RequireClaim(JwtTokenService.RoleClaimType, "Deployment"));
});
services.AddSingleton<IAuthorizationHandler, SiteScopeAuthorizationHandler>();
return services;
}
}

124
src/ScadaLink.Security/JwtTokenService.cs Normal file
View File

@@ -0,0 +1,124 @@
using System.IdentityModel.Tokens.Jwt;
using System.Security.Claims;
using System.Text;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Microsoft.IdentityModel.Tokens;
namespace ScadaLink.Security;
public class JwtTokenService
{
private readonly SecurityOptions _options;
private readonly ILogger<JwtTokenService> _logger;
public const string DisplayNameClaimType = "DisplayName";
public const string UsernameClaimType = "Username";
public const string RoleClaimType = "Role";
public const string SiteIdClaimType = "SiteId";
public const string LastActivityClaimType = "LastActivity";
public JwtTokenService(IOptions<SecurityOptions> options, ILogger<JwtTokenService> logger)
{
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public string GenerateToken(
string displayName,
string username,
IReadOnlyList<string> roles,
IReadOnlyList<string>? permittedSiteIds)
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.JwtSigningKey));
var credentials = new SigningCredentials(key, SecurityAlgorithms.HmacSha256);
var claims = new List<Claim>
{
new(DisplayNameClaimType, displayName),
new(UsernameClaimType, username),
new(LastActivityClaimType, DateTimeOffset.UtcNow.ToString("o"))
};
foreach (var role in roles)
{
claims.Add(new Claim(RoleClaimType, role));
}
if (permittedSiteIds != null)
{
foreach (var siteId in permittedSiteIds)
{
claims.Add(new Claim(SiteIdClaimType, siteId));
}
}
var token = new JwtSecurityToken(
claims: claims,
expires: DateTime.UtcNow.AddMinutes(_options.JwtExpiryMinutes),
signingCredentials: credentials);
return new JwtSecurityTokenHandler().WriteToken(token);
}
public ClaimsPrincipal? ValidateToken(string token)
{
var key = new SymmetricSecurityKey(Encoding.UTF8.GetBytes(_options.JwtSigningKey));
var validationParameters = new TokenValidationParameters
{
ValidateIssuer = false,
ValidateAudience = false,
ValidateLifetime = true,
ValidateIssuerSigningKey = true,
IssuerSigningKey = key,
ClockSkew = TimeSpan.Zero
};
try
{
var handler = new JwtSecurityTokenHandler();
var principal = handler.ValidateToken(token, validationParameters, out _);
return principal;
}
catch (Exception ex) when (ex is SecurityTokenException or ArgumentException)
{
_logger.LogDebug(ex, "Token validation failed");
return null;
}
}
public bool ShouldRefresh(ClaimsPrincipal principal)
{
var expClaim = principal.FindFirst("exp");
if (expClaim == null || !long.TryParse(expClaim.Value, out var expUnix))
return false;
var expiry = DateTimeOffset.FromUnixTimeSeconds(expUnix);
var remaining = expiry - DateTimeOffset.UtcNow;
return remaining.TotalMinutes < _options.JwtRefreshThresholdMinutes;
}
public bool IsIdleTimedOut(ClaimsPrincipal principal)
{
var lastActivityClaim = principal.FindFirst(LastActivityClaimType);
if (lastActivityClaim == null || !DateTimeOffset.TryParse(lastActivityClaim.Value, out var lastActivity))
return true;
return (DateTimeOffset.UtcNow - lastActivity).TotalMinutes > _options.IdleTimeoutMinutes;
}
public string? RefreshToken(ClaimsPrincipal currentPrincipal, IReadOnlyList<string> currentRoles, IReadOnlyList<string>? permittedSiteIds)
{
var displayName = currentPrincipal.FindFirst(DisplayNameClaimType)?.Value;
var username = currentPrincipal.FindFirst(UsernameClaimType)?.Value;
if (displayName == null || username == null)
{
_logger.LogWarning("Cannot refresh token: missing DisplayName or Username claims");
return null;
}
return GenerateToken(displayName, username, currentRoles, permittedSiteIds);
}
}

8
src/ScadaLink.Security/LdapAuthResult.cs Normal file
View File

@@ -0,0 +1,8 @@
namespace ScadaLink.Security;
public record LdapAuthResult(
bool Success,
string? DisplayName,
string? Username,
IReadOnlyList<string>? Groups,
string? ErrorMessage);

148
src/ScadaLink.Security/LdapAuthService.cs Normal file
View File

@@ -0,0 +1,148 @@
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using Novell.Directory.Ldap;
namespace ScadaLink.Security;
public class LdapAuthService
{
private readonly SecurityOptions _options;
private readonly ILogger<LdapAuthService> _logger;
public LdapAuthService(IOptions<SecurityOptions> options, ILogger<LdapAuthService> logger)
{
_options = options?.Value ?? throw new ArgumentNullException(nameof(options));
_logger = logger ?? throw new ArgumentNullException(nameof(logger));
}
public async Task<LdapAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default)
{
if (string.IsNullOrWhiteSpace(username))
return new LdapAuthResult(false, null, null, null, "Username is required.");
if (string.IsNullOrWhiteSpace(password))
return new LdapAuthResult(false, null, null, null, "Password is required.");
// Enforce TLS unless explicitly allowed for dev/test
if (!_options.LdapUseTls && !_options.AllowInsecureLdap)
{
return new LdapAuthResult(false, null, null, null,
"Insecure LDAP connections are not allowed. Enable TLS or set AllowInsecureLdap for dev/test.");
}
try
{
using var connection = new LdapConnection();
if (_options.LdapUseTls)
{
connection.SecureSocketLayer = true;
}
await Task.Run(() => connection.Connect(_options.LdapServer, _options.LdapPort), ct);
if (_options.LdapUseTls && !connection.SecureSocketLayer)
{
await Task.Run(() => connection.StartTls(), ct);
}
// Direct bind with user credentials
var bindDn = BuildBindDn(username);
await Task.Run(() => connection.Bind(bindDn, password), ct);
// Query for user attributes and group memberships
var displayName = username;
var groups = new List<string>();
try
{
var searchFilter = $"(uid={EscapeLdapFilter(username)})";
var searchResults = await Task.Run(() =>
connection.Search(
_options.LdapSearchBase,
LdapConnection.ScopeSub,
searchFilter,
new[] { _options.LdapDisplayNameAttribute, _options.LdapGroupAttribute },
false), ct);
while (searchResults.HasMore())
{
try
{
var entry = searchResults.Next();
var dnAttr = entry.GetAttribute(_options.LdapDisplayNameAttribute);
if (dnAttr != null)
displayName = dnAttr.StringValue;
var groupAttr = entry.GetAttribute(_options.LdapGroupAttribute);
if (groupAttr != null)
{
foreach (var groupDn in groupAttr.StringValueArray)
{
groups.Add(ExtractCn(groupDn));
}
}
}
catch (LdapException)
{
// No more results
break;
}
}
}
catch (LdapException ex)
{
_logger.LogWarning(ex, "Failed to query LDAP attributes for user {Username}; authentication succeeded but group lookup failed", username);
// Auth succeeded even if attribute lookup failed
}
connection.Disconnect();
return new LdapAuthResult(true, displayName, username, groups, null);
}
catch (LdapException ex)
{
_logger.LogWarning(ex, "LDAP authentication failed for user {Username}", username);
return new LdapAuthResult(false, null, username, null, "Invalid username or password.");
}
catch (Exception ex) when (ex is not OperationCanceledException)
{
_logger.LogError(ex, "Unexpected error during LDAP authentication for user {Username}", username);
return new LdapAuthResult(false, null, username, null, "An unexpected error occurred during authentication.");
}
}
private string BuildBindDn(string username)
{
// If username already looks like a DN, use it as-is
if (username.Contains('='))
return username;
// Build DN from username and search base
return string.IsNullOrWhiteSpace(_options.LdapSearchBase)
? $"cn={username}"
: $"cn={username},{_options.LdapSearchBase}";
}
private static string EscapeLdapFilter(string input)
{
return input
.Replace("\\", "\\5c")
.Replace("*", "\\2a")
.Replace("(", "\\28")
.Replace(")", "\\29")
.Replace("\0", "\\00");
}
private static string ExtractCn(string dn)
{
// Extract CN from a DN like "cn=GroupName,dc=example,dc=com"
if (dn.StartsWith("cn=", StringComparison.OrdinalIgnoreCase) ||
dn.StartsWith("CN=", StringComparison.OrdinalIgnoreCase))
{
var commaIndex = dn.IndexOf(',');
return commaIndex > 3 ? dn[3..commaIndex] : dn[3..];
}
return dn;
}
}

58
src/ScadaLink.Security/RoleMapper.cs Normal file
View File

@@ -0,0 +1,58 @@
using ScadaLink.Commons.Interfaces.Repositories;
namespace ScadaLink.Security;
public class RoleMapper
{
private readonly ISecurityRepository _securityRepository;
public RoleMapper(ISecurityRepository securityRepository)
{
_securityRepository = securityRepository ?? throw new ArgumentNullException(nameof(securityRepository));
}
public async Task<RoleMappingResult> MapGroupsToRolesAsync(
IReadOnlyList<string> ldapGroups,
CancellationToken ct = default)
{
var allMappings = await _securityRepository.GetAllMappingsAsync(ct);
var matchedRoles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
var permittedSiteIds = new HashSet<string>();
var hasDeploymentRole = false;
var hasDeploymentWithScopeRules = false;
foreach (var mapping in allMappings)
{
// Match LDAP group names (case-insensitive)
if (!ldapGroups.Any(g => g.Equals(mapping.LdapGroupName, StringComparison.OrdinalIgnoreCase)))
continue;
matchedRoles.Add(mapping.Role);
if (mapping.Role.Equals("Deployment", StringComparison.OrdinalIgnoreCase))
{
hasDeploymentRole = true;
// Check for site scope rules
var scopeRules = await _securityRepository.GetScopeRulesForMappingAsync(mapping.Id, ct);
if (scopeRules.Count > 0)
{
hasDeploymentWithScopeRules = true;
foreach (var rule in scopeRules)
{
permittedSiteIds.Add(rule.SiteId.ToString());
}
}
}
}
// System-wide deployment: user has Deployment role but no site scope rules restrict them
var isSystemWide = hasDeploymentRole && !hasDeploymentWithScopeRules;
return new RoleMappingResult(
matchedRoles.ToList(),
permittedSiteIds.ToList(),
isSystemWide);
}
}

6
src/ScadaLink.Security/RoleMappingResult.cs Normal file
View File

@@ -0,0 +1,6 @@
namespace ScadaLink.Security;
public record RoleMappingResult(
IReadOnlyList<string> Roles,
IReadOnlyList<string> PermittedSiteIds,
bool IsSystemWideDeployment);

4
src/ScadaLink.Security/ScadaLink.Security.csproj
View File

@@ -10,6 +10,10 @@
<ItemGroup>
<PackageReference Include="Microsoft.Extensions.DependencyInjection.Abstractions" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.Authorization" Version="10.0.5" />
<PackageReference Include="System.IdentityModel.Tokens.Jwt" Version="8.11.0" />
<PackageReference Include="Novell.Directory.Ldap.NETStandard" Version="3.6.0" />
</ItemGroup>
<ItemGroup>

27
src/ScadaLink.Security/SecurityOptions.cs
View File

@@ -5,7 +5,34 @@ public class SecurityOptions
public string LdapServer { get; set; } = string.Empty;
public int LdapPort { get; set; } = 389;
public bool LdapUseTls { get; set; } = true;
/// <summary>
/// Allow insecure (non-TLS) LDAP connections. ONLY for dev/test with GLAuth.
/// Must be false in production.
/// </summary>
public bool AllowInsecureLdap { get; set; } = false;
/// <summary>
/// Base DN for LDAP searches (e.g., "dc=example,dc=com").
/// </summary>
public string LdapSearchBase { get; set; } = string.Empty;
/// <summary>
/// LDAP attribute that contains the user's display name.
/// </summary>
public string LdapDisplayNameAttribute { get; set; } = "cn";
/// <summary>
/// LDAP attribute that contains group membership.
/// </summary>
public string LdapGroupAttribute { get; set; } = "memberOf";
public string JwtSigningKey { get; set; } = string.Empty;
public int JwtExpiryMinutes { get; set; } = 15;
public int IdleTimeoutMinutes { get; set; } = 30;
/// <summary>
/// Minutes before token expiry to trigger refresh.
/// </summary>
public int JwtRefreshThresholdMinutes { get; set; } = 5;
}

6
src/ScadaLink.Security/ServiceCollectionExtensions.cs
View File

@@ -6,7 +6,11 @@ public static class ServiceCollectionExtensions
{
public static IServiceCollection AddSecurity(this IServiceCollection services)
{
// Phase 0: skeleton only
services.AddScoped<LdapAuthService>();
services.AddScoped<JwtTokenService>();
services.AddScoped<RoleMapper>();
services.AddScadaLinkAuthorization();
return services;
}

52
src/ScadaLink.Security/SiteScopeAuthorizationHandler.cs Normal file
View File

@@ -0,0 +1,52 @@
using Microsoft.AspNetCore.Authorization;
namespace ScadaLink.Security;
/// <summary>
/// Authorization requirement for site-scoped deployment operations.
/// </summary>
public class SiteScopeRequirement : IAuthorizationRequirement
{
public string TargetSiteId { get; }
public SiteScopeRequirement(string targetSiteId)
{
TargetSiteId = targetSiteId ?? throw new ArgumentNullException(nameof(targetSiteId));
}
}
/// <summary>
/// Checks that a user with the Deployment role is permitted to operate on the target site.
/// Users with Deployment role and no SiteId claims are system-wide deployers.
/// Users with SiteId claims are only permitted on those specific sites.
/// </summary>
public class SiteScopeAuthorizationHandler : AuthorizationHandler<SiteScopeRequirement>
{
protected override Task HandleRequirementAsync(
AuthorizationHandlerContext context,
SiteScopeRequirement requirement)
{
// Must have Deployment role
var hasDeploymentRole = context.User.HasClaim(JwtTokenService.RoleClaimType, "Deployment");
if (!hasDeploymentRole)
{
return Task.CompletedTask; // Fail — no Deployment role
}
var siteIdClaims = context.User.FindAll(JwtTokenService.SiteIdClaimType).ToList();
if (siteIdClaims.Count == 0)
{
// No site scope restrictions — system-wide deployer
context.Succeed(requirement);
}
else if (siteIdClaims.Any(c => c.Value == requirement.TargetSiteId))
{
// User is permitted on this specific site
context.Succeed(requirement);
}
// Otherwise, silently fail (not authorized for this site)
return Task.CompletedTask;
}
}

127
tests/ScadaLink.ConfigurationDatabase.Tests/AuditServiceTests.cs Normal file
View File

@@ -0,0 +1,127 @@
using System.Text.Json;
using Microsoft.EntityFrameworkCore;
using ScadaLink.Commons.Entities.Templates;
using ScadaLink.Commons.Interfaces.Services;
using ScadaLink.ConfigurationDatabase;
using ScadaLink.ConfigurationDatabase.Services;
namespace ScadaLink.ConfigurationDatabase.Tests;
public class AuditServiceTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
private readonly AuditService _auditService;
public AuditServiceTests()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
_context = new ScadaLinkDbContext(options);
_context.Database.OpenConnection();
_context.Database.EnsureCreated();
_auditService = new AuditService(_context);
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task LogAsync_CreatesAuditEntry_CommittedWithEntityChange()
{
// Simulate entity change + audit in same transaction
var template = new Template("TestTemplate");
_context.Templates.Add(template);
await _auditService.LogAsync("admin", "Create", "Template", "1", "TestTemplate",
new { Name = "TestTemplate" });
// Single SaveChangesAsync commits both
await _context.SaveChangesAsync();
var audit = await _context.AuditLogEntries.SingleAsync();
Assert.Equal("admin", audit.User);
Assert.Equal("Create", audit.Action);
Assert.Equal("Template", audit.EntityType);
Assert.NotNull(audit.AfterStateJson);
// Template also committed
Assert.Single(await _context.Templates.ToListAsync());
}
[Fact]
public async Task LogAsync_Rollback_BothChangeAndAuditRolledBack()
{
// Use a separate context to simulate rollback via not calling SaveChanges
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite(_context.Database.GetDbConnection())
.Options;
using var context2 = new ScadaLinkDbContext(options);
var auditService2 = new AuditService(context2);
var template = new Template("RollbackTemplate");
context2.Templates.Add(template);
await auditService2.LogAsync("admin", "Create", "Template", "99", "RollbackTemplate",
new { Name = "RollbackTemplate" });
// Intentionally do NOT call SaveChangesAsync — simulates rollback
// Verify nothing persisted
Assert.Empty(await _context.AuditLogEntries.Where(a => a.EntityName == "RollbackTemplate").ToListAsync());
Assert.Empty(await _context.Templates.Where(t => t.Name == "RollbackTemplate").ToListAsync());
}
[Fact]
public async Task LogAsync_SerializesAfterStateAsJson()
{
var state = new { Name = "Test", Value = 42, Nested = new { Prop = "inner" } };
await _auditService.LogAsync("admin", "Create", "Entity", "1", "Test", state);
await _context.SaveChangesAsync();
var audit = await _context.AuditLogEntries.SingleAsync();
Assert.NotNull(audit.AfterStateJson);
var deserialized = JsonSerializer.Deserialize<JsonElement>(audit.AfterStateJson!);
Assert.Equal("Test", deserialized.GetProperty("Name").GetString());
Assert.Equal(42, deserialized.GetProperty("Value").GetInt32());
}
[Fact]
public async Task LogAsync_NullAfterState_ForDeletes()
{
await _auditService.LogAsync("admin", "Delete", "Template", "1", "DeletedTemplate", null);
await _context.SaveChangesAsync();
var audit = await _context.AuditLogEntries.SingleAsync();
Assert.Null(audit.AfterStateJson);
Assert.Equal("Delete", audit.Action);
}
[Fact]
public async Task LogAsync_SetsTimestampToUtcNow()
{
var before = DateTimeOffset.UtcNow;
await _auditService.LogAsync("admin", "Create", "Template", "1", "T1", new { });
await _context.SaveChangesAsync();
var after = DateTimeOffset.UtcNow;
var audit = await _context.AuditLogEntries.SingleAsync();
// Allow 2 second tolerance for SQLite precision
Assert.True(audit.Timestamp >= before.AddSeconds(-2));
Assert.True(audit.Timestamp <= after.AddSeconds(2));
}
[Fact]
public void AuditService_IsAppendOnly_NoUpdateOrDeleteMethods()
{
// Verify IAuditService only exposes LogAsync — no update/delete
var methods = typeof(IAuditService).GetMethods();
Assert.Single(methods, m => m.Name == "LogAsync");
Assert.DoesNotContain(methods, m => m.Name.Contains("Update", StringComparison.OrdinalIgnoreCase));
Assert.DoesNotContain(methods, m => m.Name.Contains("Delete", StringComparison.OrdinalIgnoreCase));
}
}

166
tests/ScadaLink.ConfigurationDatabase.Tests/ConcurrencyTests.cs Normal file
View File

@@ -0,0 +1,166 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;
using ScadaLink.Commons.Entities.Deployment;
using ScadaLink.Commons.Entities.Instances;
using ScadaLink.Commons.Entities.Sites;
using ScadaLink.Commons.Entities.Templates;
using ScadaLink.Commons.Types.Enums;
using ScadaLink.ConfigurationDatabase;
namespace ScadaLink.ConfigurationDatabase.Tests;
/// <summary>
/// A test-specific DbContext that uses an explicit ConcurrencyToken on DeploymentRecord
/// (as opposed to SQL Server's IsRowVersion()) so that SQLite can enforce concurrency.
/// In production, the SQL Server RowVersion provides this automatically.
/// </summary>
public class ConcurrencyTestDbContext : ScadaLinkDbContext
{
public ConcurrencyTestDbContext(DbContextOptions<ScadaLinkDbContext> options) : base(options) { }
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
// Replace the SQL Server RowVersion with an explicit concurrency token for SQLite
// Remove the shadow RowVersion property and add a visible ConcurrencyStamp
modelBuilder.Entity<DeploymentRecord>(builder =>
{
// The shadow RowVersion property from the base config doesn't work in SQLite.
// Instead, use Status as a concurrency token for the test.
builder.Property(d => d.Status).IsConcurrencyToken();
});
}
}
public class ConcurrencyTests : IDisposable
{
private readonly string _dbPath;
public ConcurrencyTests()
{
_dbPath = Path.Combine(Path.GetTempPath(), $"scadalink_test_{Guid.NewGuid()}.db");
}
public void Dispose()
{
if (File.Exists(_dbPath))
File.Delete(_dbPath);
}
private ScadaLinkDbContext CreateContext()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite($"DataSource={_dbPath}")
.ConfigureWarnings(w => w.Ignore(RelationalEventId.PendingModelChangesWarning))
.Options;
return new ConcurrencyTestDbContext(options);
}
[Fact]
public async Task DeploymentRecord_OptimisticConcurrency_SecondUpdateThrows()
{
// Setup: create necessary entities
using (var setupCtx = CreateContext())
{
await setupCtx.Database.EnsureCreatedAsync();
var site = new Site("Site1", "S-001");
var template = new Template("T1");
setupCtx.Sites.Add(site);
setupCtx.Templates.Add(template);
await setupCtx.SaveChangesAsync();
var instance = new Instance("I1")
{
SiteId = site.Id,
TemplateId = template.Id,
State = InstanceState.Enabled
};
setupCtx.Instances.Add(instance);
await setupCtx.SaveChangesAsync();
var record = new DeploymentRecord("deploy-concurrent", "admin")
{
InstanceId = instance.Id,
Status = DeploymentStatus.Pending,
DeployedAt = DateTimeOffset.UtcNow
};
setupCtx.DeploymentRecords.Add(record);
await setupCtx.SaveChangesAsync();
}
// Load the same record in two separate contexts
using var ctx1 = CreateContext();
using var ctx2 = CreateContext();
var record1 = await ctx1.DeploymentRecords.SingleAsync(d => d.DeploymentId == "deploy-concurrent");
var record2 = await ctx2.DeploymentRecords.SingleAsync(d => d.DeploymentId == "deploy-concurrent");
// Both loaded Status = Pending. First context updates and saves successfully.
record1.Status = DeploymentStatus.Success;
record1.CompletedAt = DateTimeOffset.UtcNow;
await ctx1.SaveChangesAsync();
// Second context tries to update the same record from the stale "Pending" state — should throw
// because the Status concurrency token has changed from Pending to Success
record2.Status = DeploymentStatus.Failed;
await Assert.ThrowsAsync<DbUpdateConcurrencyException>(
() => ctx2.SaveChangesAsync());
}
[Fact]
public async Task Template_NoOptimisticConcurrency_LastWriteWins()
{
// Setup
using (var setupCtx = CreateContext())
{
await setupCtx.Database.EnsureCreatedAsync();
var template = new Template("ConcurrentTemplate")
{
Description = "Original"
};
setupCtx.Templates.Add(template);
await setupCtx.SaveChangesAsync();
}
// Load in two contexts
using var ctx1 = CreateContext();
using var ctx2 = CreateContext();
var template1 = await ctx1.Templates.SingleAsync(t => t.Name == "ConcurrentTemplate");
var template2 = await ctx2.Templates.SingleAsync(t => t.Name == "ConcurrentTemplate");
// First update
template1.Description = "First update";
await ctx1.SaveChangesAsync();
// Second update — should succeed (last-write-wins, no concurrency token)
template2.Description = "Second update";
await ctx2.SaveChangesAsync(); // Should NOT throw
// Verify last write won
using var verifyCtx = CreateContext();
var loaded = await verifyCtx.Templates.SingleAsync(t => t.Name == "ConcurrentTemplate");
Assert.Equal("Second update", loaded.Description);
}
[Fact]
public void DeploymentRecord_HasRowVersionConfigured()
{
// Verify the production configuration has a RowVersion shadow property
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
using var context = new ScadaLinkDbContext(options);
context.Database.OpenConnection();
context.Database.EnsureCreated();
var entityType = context.Model.FindEntityType(typeof(DeploymentRecord))!;
var rowVersion = entityType.FindProperty("RowVersion");
Assert.NotNull(rowVersion);
Assert.True(rowVersion!.IsConcurrencyToken);
}
}

63
tests/ScadaLink.ConfigurationDatabase.Tests/DataProtectionTests.cs Normal file
View File

@@ -0,0 +1,63 @@
using Microsoft.AspNetCore.DataProtection;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using ScadaLink.ConfigurationDatabase;
namespace ScadaLink.ConfigurationDatabase.Tests;
public class DataProtectionTests : IDisposable
{
private readonly string _dbPath;
public DataProtectionTests()
{
_dbPath = Path.Combine(Path.GetTempPath(), $"scadalink_dp_test_{Guid.NewGuid()}.db");
}
public void Dispose()
{
if (File.Exists(_dbPath))
File.Delete(_dbPath);
}
[Fact]
public void SharedDataProtection_ProtectAndUnprotect_AcrossContainers()
{
var connectionString = $"DataSource={_dbPath}";
// Create the database schema
var setupOptions = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite(connectionString)
.Options;
using (var setupCtx = new ScadaLinkDbContext(setupOptions))
{
setupCtx.Database.EnsureCreated();
}
// Container 1: protect some data
var services1 = new ServiceCollection();
services1.AddDbContext<ScadaLinkDbContext>(opt => opt.UseSqlite(connectionString));
services1.AddDataProtection()
.SetApplicationName("ScadaLink")
.PersistKeysToDbContext<ScadaLinkDbContext>();
using var provider1 = services1.BuildServiceProvider();
var protector1 = provider1.GetRequiredService<IDataProtectionProvider>()
.CreateProtector("test-purpose");
var protectedPayload = protector1.Protect("secret-data");
// Container 2: unprotect using the same DB (shared keys)
var services2 = new ServiceCollection();
services2.AddDbContext<ScadaLinkDbContext>(opt => opt.UseSqlite(connectionString));
services2.AddDataProtection()
.SetApplicationName("ScadaLink")
.PersistKeysToDbContext<ScadaLinkDbContext>();
using var provider2 = services2.BuildServiceProvider();
var protector2 = provider2.GetRequiredService<IDataProtectionProvider>()
.CreateProtector("test-purpose");
var unprotected = protector2.Unprotect(protectedPayload);
Assert.Equal("secret-data", unprotected);
}
}

410
tests/ScadaLink.ConfigurationDatabase.Tests/RepositoryTests.cs Normal file
View File

@@ -0,0 +1,410 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;
using ScadaLink.Commons.Entities.Audit;
using ScadaLink.Commons.Entities.Deployment;
using ScadaLink.Commons.Entities.Instances;
using ScadaLink.Commons.Entities.Security;
using ScadaLink.Commons.Entities.Sites;
using ScadaLink.Commons.Entities.Templates;
using ScadaLink.Commons.Types.Enums;
using ScadaLink.ConfigurationDatabase;
using ScadaLink.ConfigurationDatabase.Repositories;
namespace ScadaLink.ConfigurationDatabase.Tests;
public class SecurityRepositoryTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
private readonly SecurityRepository _repository;
public SecurityRepositoryTests()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
_context = new ScadaLinkDbContext(options);
_context.Database.OpenConnection();
_context.Database.EnsureCreated();
_repository = new SecurityRepository(_context);
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task AddMapping_AndGetById_ReturnsMapping()
{
var mapping = new LdapGroupMapping("CN=Admins,DC=test", "Admin");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var loaded = await _repository.GetMappingByIdAsync(mapping.Id);
Assert.NotNull(loaded);
Assert.Equal("CN=Admins,DC=test", loaded.LdapGroupName);
Assert.Equal("Admin", loaded.Role);
}
[Fact]
public async Task GetAllMappings_ReturnsAll()
{
await _repository.AddMappingAsync(new LdapGroupMapping("Group1", "Admin"));
await _repository.AddMappingAsync(new LdapGroupMapping("Group2", "Design"));
await _repository.SaveChangesAsync();
// +1 for seed data
var all = await _repository.GetAllMappingsAsync();
Assert.True(all.Count >= 2);
}
[Fact]
public async Task GetMappingsByRole_FiltersCorrectly()
{
await _repository.AddMappingAsync(new LdapGroupMapping("Designers", "Design"));
await _repository.AddMappingAsync(new LdapGroupMapping("Deployers", "Deployment"));
await _repository.SaveChangesAsync();
var designMappings = await _repository.GetMappingsByRoleAsync("Design");
Assert.Single(designMappings);
Assert.Equal("Designers", designMappings[0].LdapGroupName);
}
[Fact]
public async Task UpdateMapping_PersistsChange()
{
var mapping = new LdapGroupMapping("OldGroup", "Admin");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
mapping.Role = "Design";
await _repository.UpdateMappingAsync(mapping);
await _repository.SaveChangesAsync();
_context.ChangeTracker.Clear();
var loaded = await _repository.GetMappingByIdAsync(mapping.Id);
Assert.Equal("Design", loaded!.Role);
}
[Fact]
public async Task DeleteMapping_RemovesEntity()
{
var mapping = new LdapGroupMapping("ToDelete", "Admin");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
await _repository.DeleteMappingAsync(mapping.Id);
await _repository.SaveChangesAsync();
var loaded = await _repository.GetMappingByIdAsync(mapping.Id);
Assert.Null(loaded);
}
[Fact]
public async Task AddScopeRule_AndGetForMapping()
{
var site = new Site("Site1", "SITE-001");
_context.Sites.Add(site);
var mapping = new LdapGroupMapping("Deployers", "Deployment");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var rule = new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site.Id };
await _repository.AddScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
var rules = await _repository.GetScopeRulesForMappingAsync(mapping.Id);
Assert.Single(rules);
Assert.Equal(site.Id, rules[0].SiteId);
}
[Fact]
public async Task GetScopeRuleById_ReturnsRule()
{
var site = new Site("Site1", "SITE-001");
_context.Sites.Add(site);
var mapping = new LdapGroupMapping("Group", "Deployment");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var rule = new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site.Id };
await _repository.AddScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
var loaded = await _repository.GetScopeRuleByIdAsync(rule.Id);
Assert.NotNull(loaded);
Assert.Equal(mapping.Id, loaded.LdapGroupMappingId);
}
[Fact]
public async Task UpdateScopeRule_PersistsChange()
{
var site1 = new Site("Site1", "SITE-001");
var site2 = new Site("Site2", "SITE-002");
_context.Sites.AddRange(site1, site2);
var mapping = new LdapGroupMapping("Group", "Deployment");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var rule = new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site1.Id };
await _repository.AddScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
rule.SiteId = site2.Id;
await _repository.UpdateScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
_context.ChangeTracker.Clear();
var loaded = await _repository.GetScopeRuleByIdAsync(rule.Id);
Assert.Equal(site2.Id, loaded!.SiteId);
}
[Fact]
public async Task DeleteScopeRule_RemovesEntity()
{
var site = new Site("Site1", "SITE-001");
_context.Sites.Add(site);
var mapping = new LdapGroupMapping("Group", "Deployment");
await _repository.AddMappingAsync(mapping);
await _repository.SaveChangesAsync();
var rule = new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site.Id };
await _repository.AddScopeRuleAsync(rule);
await _repository.SaveChangesAsync();
await _repository.DeleteScopeRuleAsync(rule.Id);
await _repository.SaveChangesAsync();
var loaded = await _repository.GetScopeRuleByIdAsync(rule.Id);
Assert.Null(loaded);
}
}
public class CentralUiRepositoryTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
private readonly CentralUiRepository _repository;
public CentralUiRepositoryTests()
{
_context = SqliteTestHelper.CreateInMemoryContext();
_repository = new CentralUiRepository(_context);
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task GetAllSites_ReturnsOrderedByName()
{
_context.Sites.AddRange(
new Site("Zulu", "Z-001"),
new Site("Alpha", "A-001"));
await _context.SaveChangesAsync();
var sites = await _repository.GetAllSitesAsync();
Assert.Equal(2, sites.Count);
Assert.Equal("Alpha", sites[0].Name);
Assert.Equal("Zulu", sites[1].Name);
}
[Fact]
public async Task GetInstancesFiltered_BySiteId()
{
var site1 = new Site("Site1", "S-001");
var site2 = new Site("Site2", "S-002");
var template = new Template("T1");
_context.Sites.AddRange(site1, site2);
_context.Templates.Add(template);
await _context.SaveChangesAsync();
_context.Instances.AddRange(
new Instance("Inst1") { SiteId = site1.Id, TemplateId = template.Id },
new Instance("Inst2") { SiteId = site2.Id, TemplateId = template.Id });
await _context.SaveChangesAsync();
var instances = await _repository.GetInstancesFilteredAsync(siteId: site1.Id);
Assert.Single(instances);
Assert.Equal("Inst1", instances[0].UniqueName);
}
[Fact]
public async Task GetInstancesFiltered_BySearchTerm()
{
var site = new Site("Site1", "S-001");
var template = new Template("T1");
_context.Sites.Add(site);
_context.Templates.Add(template);
await _context.SaveChangesAsync();
_context.Instances.AddRange(
new Instance("PumpStation1") { SiteId = site.Id, TemplateId = template.Id },
new Instance("TankLevel1") { SiteId = site.Id, TemplateId = template.Id });
await _context.SaveChangesAsync();
var instances = await _repository.GetInstancesFilteredAsync(searchTerm: "Pump");
Assert.Single(instances);
}
[Fact]
public async Task GetRecentDeployments_ReturnsInReverseChronological()
{
var site = new Site("Site1", "S-001");
var template = new Template("T1");
_context.Sites.Add(site);
_context.Templates.Add(template);
await _context.SaveChangesAsync();
var instance = new Instance("I1") { SiteId = site.Id, TemplateId = template.Id };
_context.Instances.Add(instance);
await _context.SaveChangesAsync();
_context.DeploymentRecords.AddRange(
new DeploymentRecord("d-001", "admin") { InstanceId = instance.Id, DeployedAt = DateTimeOffset.UtcNow.AddHours(-2) },
new DeploymentRecord("d-002", "admin") { InstanceId = instance.Id, DeployedAt = DateTimeOffset.UtcNow.AddHours(-1) },
new DeploymentRecord("d-003", "admin") { InstanceId = instance.Id, DeployedAt = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var recent = await _repository.GetRecentDeploymentsAsync(2);
Assert.Equal(2, recent.Count);
Assert.Equal("d-003", recent[0].DeploymentId);
Assert.Equal("d-002", recent[1].DeploymentId);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByUser()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("user1", "Update", "Instance", "2", "I1") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(user: "admin");
Assert.Single(entries);
Assert.Equal(1, total);
Assert.Equal("admin", entries[0].User);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByEntityType()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("admin", "Create", "Instance", "2", "I1") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(entityType: "Template");
Assert.Single(entries);
Assert.Equal(1, total);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByActionType()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("admin", "Delete", "Template", "2", "T2") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(action: "Delete");
Assert.Single(entries);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByTimeRange()
{
var now = DateTimeOffset.UtcNow;
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = now.AddHours(-5) },
new AuditLogEntry("admin", "Update", "Template", "2", "T2") { Timestamp = now.AddHours(-1) });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(from: now.AddHours(-2));
Assert.Single(entries);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByEntityId()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "T1") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("admin", "Create", "Template", "2", "T2") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(entityId: "1");
Assert.Single(entries);
}
[Fact]
public async Task GetAuditLogEntries_FiltersByEntityName()
{
_context.AuditLogEntries.AddRange(
new AuditLogEntry("admin", "Create", "Template", "1", "PumpStation") { Timestamp = DateTimeOffset.UtcNow },
new AuditLogEntry("admin", "Create", "Template", "2", "TankLevel") { Timestamp = DateTimeOffset.UtcNow });
await _context.SaveChangesAsync();
var (entries, total) = await _repository.GetAuditLogEntriesAsync(entityName: "Pump");
Assert.Single(entries);
}
[Fact]
public async Task GetAuditLogEntries_ReverseChronologicalWithPagination()
{
var now = DateTimeOffset.UtcNow;
for (int i = 0; i < 10; i++)
{
_context.AuditLogEntries.Add(new AuditLogEntry("admin", "Create", "Template", i.ToString(), $"T{i}")
{
Timestamp = now.AddMinutes(i)
});
}
await _context.SaveChangesAsync();
var (page1, total) = await _repository.GetAuditLogEntriesAsync(page: 1, pageSize: 3);
Assert.Equal(10, total);
Assert.Equal(3, page1.Count);
Assert.Equal("T9", page1[0].EntityName); // Most recent first
var (page2, _) = await _repository.GetAuditLogEntriesAsync(page: 2, pageSize: 3);
Assert.Equal(3, page2.Count);
Assert.Equal("T6", page2[0].EntityName);
}
[Fact]
public async Task GetTemplateTree_IncludesChildren()
{
var template = new Template("TestTemplate");
template.Attributes.Add(new TemplateAttribute("Attr1") { DataType = DataType.Int32 });
_context.Templates.Add(template);
await _context.SaveChangesAsync();
var tree = await _repository.GetTemplateTreeAsync();
Assert.NotEmpty(tree);
var loaded = tree.First(t => t.Name == "TestTemplate");
Assert.Single(loaded.Attributes);
}
[Fact]
public async Task GetAreaTree_ReturnsHierarchy()
{
var site = new Site("Site1", "S-001");
_context.Sites.Add(site);
await _context.SaveChangesAsync();
var parent = new Area("Building A") { SiteId = site.Id };
_context.Areas.Add(parent);
await _context.SaveChangesAsync();
var child = new Area("Floor 1") { SiteId = site.Id, ParentAreaId = parent.Id };
_context.Areas.Add(child);
await _context.SaveChangesAsync();
var areas = await _repository.GetAreaTreeBySiteIdAsync(site.Id);
Assert.Equal(2, areas.Count);
}
}

2
tests/ScadaLink.ConfigurationDatabase.Tests/ScadaLink.ConfigurationDatabase.Tests.csproj
View File

@@ -11,6 +11,8 @@
<ItemGroup>
<PackageReference Include="coverlet.collector" Version="6.0.4" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.DataProtection" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.DataProtection.EntityFrameworkCore" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.5" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
<PackageReference Include="xunit" Version="2.9.3" />

37
tests/ScadaLink.ConfigurationDatabase.Tests/SeedDataTests.cs Normal file
View File

@@ -0,0 +1,37 @@
using Microsoft.EntityFrameworkCore;
using ScadaLink.ConfigurationDatabase;
namespace ScadaLink.ConfigurationDatabase.Tests;
public class SeedDataTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
public SeedDataTests()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
_context = new ScadaLinkDbContext(options);
_context.Database.OpenConnection();
_context.Database.EnsureCreated();
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task SeedData_AdminMappingExists()
{
var adminMapping = await _context.LdapGroupMappings
.SingleOrDefaultAsync(m => m.LdapGroupName == "SCADA-Admins");
Assert.NotNull(adminMapping);
Assert.Equal("Admin", adminMapping.Role);
Assert.Equal(1, adminMapping.Id);
}
}

75
tests/ScadaLink.ConfigurationDatabase.Tests/SqliteTestHelper.cs Normal file
View File

@@ -0,0 +1,75 @@
using Microsoft.EntityFrameworkCore;
using Microsoft.EntityFrameworkCore.Diagnostics;
using Microsoft.EntityFrameworkCore.Storage.ValueConversion;
using ScadaLink.ConfigurationDatabase;
namespace ScadaLink.ConfigurationDatabase.Tests;
/// <summary>
/// Test DbContext that maps DateTimeOffset to a sortable string format for SQLite.
/// EF Core 10 SQLite provider does not support ORDER BY on DateTimeOffset columns.
/// </summary>
public class SqliteTestDbContext : ScadaLinkDbContext
{
public SqliteTestDbContext(DbContextOptions<ScadaLinkDbContext> options) : base(options)
{
}
protected override void OnModelCreating(ModelBuilder modelBuilder)
{
base.OnModelCreating(modelBuilder);
// Convert DateTimeOffset to ISO 8601 string for SQLite so ORDER BY works
var converter = new ValueConverter<DateTimeOffset, string>(
v => v.UtcDateTime.ToString("o"),
v => DateTimeOffset.Parse(v));
var nullableConverter = new ValueConverter<DateTimeOffset?, string?>(
v => v.HasValue ? v.Value.UtcDateTime.ToString("o") : null,
v => v != null ? DateTimeOffset.Parse(v) : null);
foreach (var entityType in modelBuilder.Model.GetEntityTypes())
{
foreach (var property in entityType.GetProperties())
{
if (property.ClrType == typeof(DateTimeOffset))
{
property.SetValueConverter(converter);
property.SetColumnType("TEXT");
}
else if (property.ClrType == typeof(DateTimeOffset?))
{
property.SetValueConverter(nullableConverter);
property.SetColumnType("TEXT");
}
}
}
}
}
public static class SqliteTestHelper
{
public static ScadaLinkDbContext CreateInMemoryContext()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.ConfigureWarnings(w => w.Ignore(RelationalEventId.PendingModelChangesWarning))
.Options;
var context = new SqliteTestDbContext(options);
context.Database.OpenConnection();
context.Database.EnsureCreated();
return context;
}
public static ScadaLinkDbContext CreateFileContext(string dbPath)
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite($"DataSource={dbPath}")
.ConfigureWarnings(w => w.Ignore(RelationalEventId.PendingModelChangesWarning))
.Options;
var context = new SqliteTestDbContext(options);
return context;
}
}

10
tests/ScadaLink.Security.Tests/ScadaLink.Security.Tests.csproj
View File

@@ -1,4 +1,4 @@
<Project Sdk="Microsoft.NET.Sdk">
<Project Sdk="Microsoft.NET.Sdk">
<PropertyGroup>
<TargetFramework>net10.0</TargetFramework>
@@ -10,6 +10,12 @@
<ItemGroup>
<PackageReference Include="coverlet.collector" Version="6.0.4" />
<PackageReference Include="Microsoft.EntityFrameworkCore.Sqlite" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.DependencyInjection" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.Logging" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.Logging.Abstractions" Version="10.0.5" />
<PackageReference Include="Microsoft.Extensions.Options" Version="10.0.5" />
<PackageReference Include="Microsoft.AspNetCore.Authorization" Version="10.0.5" />
<PackageReference Include="Microsoft.NET.Test.Sdk" Version="17.14.1" />
<PackageReference Include="xunit" Version="2.9.3" />
<PackageReference Include="xunit.runner.visualstudio" Version="3.1.4" />
@@ -21,6 +27,8 @@
<ItemGroup>
<ProjectReference Include="../../src/ScadaLink.Security/ScadaLink.Security.csproj" />
<ProjectReference Include="../../src/ScadaLink.ConfigurationDatabase/ScadaLink.ConfigurationDatabase.csproj" />
<ProjectReference Include="../../src/ScadaLink.Commons/ScadaLink.Commons.csproj" />
</ItemGroup>
</Project>

505
tests/ScadaLink.Security.Tests/UnitTest1.cs
View File

@@ -1,10 +1,507 @@
namespace ScadaLink.Security.Tests;
using System.Security.Claims;
using Microsoft.AspNetCore.Authorization;
using Microsoft.EntityFrameworkCore;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using ScadaLink.Commons.Entities.Security;
using ScadaLink.Commons.Entities.Sites;
using ScadaLink.ConfigurationDatabase;
using ScadaLink.ConfigurationDatabase.Repositories;
using ScadaLink.Security;
public class UnitTest1
namespace ScadaLink.Security.Tests;
#region WP-6: LdapAuthService Tests
public class LdapAuthServiceTests
{
[Fact]
public void Test1()
private static SecurityOptions CreateOptions(bool useTls = true, bool allowInsecure = false) => new()
{
LdapServer = "ldap.example.com",
LdapPort = 636,
LdapUseTls = useTls,
AllowInsecureLdap = allowInsecure,
LdapSearchBase = "dc=example,dc=com",
JwtSigningKey = "test-key-that-is-long-enough-for-hmac-sha256-minimum"
};
[Fact]
public async Task AuthenticateAsync_EmptyUsername_ReturnsFailed()
{
var service = new LdapAuthService(
Options.Create(CreateOptions()),
NullLogger<LdapAuthService>.Instance);
var result = await service.AuthenticateAsync("", "password");
Assert.False(result.Success);
Assert.Contains("Username is required", result.ErrorMessage);
}
[Fact]
public async Task AuthenticateAsync_EmptyPassword_ReturnsFailed()
{
var service = new LdapAuthService(
Options.Create(CreateOptions()),
NullLogger<LdapAuthService>.Instance);
var result = await service.AuthenticateAsync("user", "");
Assert.False(result.Success);
Assert.Contains("Password is required", result.ErrorMessage);
}
[Fact]
public async Task AuthenticateAsync_InsecureLdapNotAllowed_ReturnsFailed()
{
var service = new LdapAuthService(
Options.Create(CreateOptions(useTls: false, allowInsecure: false)),
NullLogger<LdapAuthService>.Instance);
var result = await service.AuthenticateAsync("user", "password");
Assert.False(result.Success);
Assert.Contains("Insecure LDAP", result.ErrorMessage);
}
[Fact]
public async Task AuthenticateAsync_ConnectionFailure_ReturnsFailed()
{
// Point to a non-existent server — connection should fail
var options = CreateOptions();
options.LdapServer = "nonexistent.invalid";
options.LdapPort = 9999;
var service = new LdapAuthService(
Options.Create(options),
NullLogger<LdapAuthService>.Instance);
var result = await service.AuthenticateAsync("user", "password");
Assert.False(result.Success);
}
}
#endregion
#region WP-7: JwtTokenService Tests
public class JwtTokenServiceTests
{
private static SecurityOptions CreateOptions() => new()
{
JwtSigningKey = "this-is-a-test-signing-key-for-hmac-sha256-must-be-long-enough",
JwtExpiryMinutes = 15,
IdleTimeoutMinutes = 30,
JwtRefreshThresholdMinutes = 5
};
private static JwtTokenService CreateService(SecurityOptions? options = null)
{
return new JwtTokenService(
Options.Create(options ?? CreateOptions()),
NullLogger<JwtTokenService>.Instance);
}
[Fact]
public void GenerateToken_ContainsCorrectClaims()
{
var service = CreateService();
var token = service.GenerateToken(
"John Doe", "johnd",
new[] { "Admin", "Design" },
new[] { "1", "2" });
var principal = service.ValidateToken(token);
Assert.NotNull(principal);
Assert.Equal("John Doe", principal!.FindFirst(JwtTokenService.DisplayNameClaimType)?.Value);
Assert.Equal("johnd", principal.FindFirst(JwtTokenService.UsernameClaimType)?.Value);
var roles = principal.FindAll(JwtTokenService.RoleClaimType).Select(c => c.Value).ToList();
Assert.Contains("Admin", roles);
Assert.Contains("Design", roles);
var siteIds = principal.FindAll(JwtTokenService.SiteIdClaimType).Select(c => c.Value).ToList();
Assert.Contains("1", siteIds);
Assert.Contains("2", siteIds);
Assert.NotNull(principal.FindFirst(JwtTokenService.LastActivityClaimType));
}
[Fact]
public void GenerateToken_NullSiteIds_NoSiteIdClaims()
{
var service = CreateService();
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(token);
Assert.NotNull(principal);
Assert.Empty(principal!.FindAll(JwtTokenService.SiteIdClaimType));
}
[Fact]
public void ValidateToken_InvalidToken_ReturnsNull()
{
var service = CreateService();
var result = service.ValidateToken("invalid.token.here");
Assert.Null(result);
}
[Fact]
public void ValidateToken_WrongKey_ReturnsNull()
{
var service1 = CreateService();
var token = service1.GenerateToken("User", "user", new[] { "Admin" }, null);
var service2 = CreateService(new SecurityOptions
{
JwtSigningKey = "a-completely-different-signing-key-for-hmac-sha256-validation",
JwtExpiryMinutes = 15,
IdleTimeoutMinutes = 30,
JwtRefreshThresholdMinutes = 5
});
var result = service2.ValidateToken(token);
Assert.Null(result);
}
[Fact]
public void ValidateToken_UsesHmacSha256()
{
var service = CreateService();
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
// Decode header to verify algorithm
var parts = token.Split('.');
var headerJson = System.Text.Encoding.UTF8.GetString(
Convert.FromBase64String(parts[0].PadRight((parts[0].Length + 3) & ~3, '=')));
Assert.Contains("HS256", headerJson);
}
[Fact]
public void ShouldRefresh_TokenNearExpiry_ReturnsTrue()
{
var options = CreateOptions();
options.JwtExpiryMinutes = 3; // Token expires in 3 min, threshold is 5 min
var service = CreateService(options);
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(token);
Assert.True(service.ShouldRefresh(principal!));
}
[Fact]
public void ShouldRefresh_TokenFarFromExpiry_ReturnsFalse()
{
var service = CreateService(); // 15 min expiry, 5 min threshold
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(token);
Assert.False(service.ShouldRefresh(principal!));
}
[Fact]
public void IsIdleTimedOut_RecentActivity_ReturnsFalse()
{
var service = CreateService();
var token = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(token);
Assert.False(service.IsIdleTimedOut(principal!));
}
[Fact]
public void IsIdleTimedOut_NoLastActivityClaim_ReturnsTrue()
{
var service = CreateService();
var principal = new ClaimsPrincipal(new ClaimsIdentity(new[]
{
new Claim(JwtTokenService.DisplayNameClaimType, "User")
}));
Assert.True(service.IsIdleTimedOut(principal));
}
[Fact]
public void RefreshToken_ReturnsNewTokenWithUpdatedClaims()
{
var service = CreateService();
var originalToken = service.GenerateToken("User", "user", new[] { "Admin" }, null);
var principal = service.ValidateToken(originalToken);
var newToken = service.RefreshToken(principal!, new[] { "Admin", "Design" }, new[] { "1" });
Assert.NotNull(newToken);
var newPrincipal = service.ValidateToken(newToken!);
var roles = newPrincipal!.FindAll(JwtTokenService.RoleClaimType).Select(c => c.Value).ToList();
Assert.Contains("Design", roles);
}
[Fact]
public void RefreshToken_MissingClaims_ReturnsNull()
{
var service = CreateService();
var principal = new ClaimsPrincipal(new ClaimsIdentity());
var result = service.RefreshToken(principal, new[] { "Admin" }, null);
Assert.Null(result);
}
}
#endregion
#region WP-8: RoleMapper Tests
public class RoleMapperTests : IDisposable
{
private readonly ScadaLinkDbContext _context;
private readonly SecurityRepository _securityRepo;
private readonly RoleMapper _roleMapper;
public RoleMapperTests()
{
var options = new DbContextOptionsBuilder<ScadaLinkDbContext>()
.UseSqlite("DataSource=:memory:")
.Options;
_context = new ScadaLinkDbContext(options);
_context.Database.OpenConnection();
_context.Database.EnsureCreated();
_securityRepo = new SecurityRepository(_context);
_roleMapper = new RoleMapper(_securityRepo);
}
public void Dispose()
{
_context.Database.CloseConnection();
_context.Dispose();
}
[Fact]
public async Task MapGroupsToRoles_MultiRoleExtraction()
{
// Add mappings (note: seed data adds SCADA-Admins -> Admin)
_context.LdapGroupMappings.Add(new LdapGroupMapping("Designers", "Design"));
_context.LdapGroupMappings.Add(new LdapGroupMapping("Deployers", "Deployment"));
await _context.SaveChangesAsync();
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "SCADA-Admins", "Designers" });
Assert.Contains("Admin", result.Roles);
Assert.Contains("Design", result.Roles);
Assert.DoesNotContain("Deployment", result.Roles);
}
[Fact]
public async Task MapGroupsToRoles_SiteScopedDeployment()
{
var site1 = new Site("Site1", "S-001");
var site2 = new Site("Site2", "S-002");
_context.Sites.AddRange(site1, site2);
_context.LdapGroupMappings.Add(new LdapGroupMapping("SiteDeployers", "Deployment"));
await _context.SaveChangesAsync();
var mapping = await _context.LdapGroupMappings.SingleAsync(m => m.LdapGroupName == "SiteDeployers");
_context.SiteScopeRules.AddRange(
new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site1.Id },
new SiteScopeRule { LdapGroupMappingId = mapping.Id, SiteId = site2.Id });
await _context.SaveChangesAsync();
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "SiteDeployers" });
Assert.Contains("Deployment", result.Roles);
Assert.False(result.IsSystemWideDeployment);
Assert.Contains(site1.Id.ToString(), result.PermittedSiteIds);
Assert.Contains(site2.Id.ToString(), result.PermittedSiteIds);
}
[Fact]
public async Task MapGroupsToRoles_SystemWideDeployment_NoScopeRules()
{
_context.LdapGroupMappings.Add(new LdapGroupMapping("GlobalDeployers", "Deployment"));
await _context.SaveChangesAsync();
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "GlobalDeployers" });
Assert.Contains("Deployment", result.Roles);
Assert.True(result.IsSystemWideDeployment);
Assert.Empty(result.PermittedSiteIds);
}
[Fact]
public async Task MapGroupsToRoles_UnrecognizedGroups_Ignored()
{
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "NonExistentGroup", "AnotherRandom" });
Assert.Empty(result.Roles);
Assert.Empty(result.PermittedSiteIds);
Assert.False(result.IsSystemWideDeployment);
}
[Fact]
public async Task MapGroupsToRoles_NoMatchingGroups_NoRoles()
{
var result = await _roleMapper.MapGroupsToRolesAsync(Array.Empty<string>());
Assert.Empty(result.Roles);
}
[Fact]
public async Task MapGroupsToRoles_CaseInsensitiveGroupMatch()
{
// "SCADA-Admins" is seeded
var result = await _roleMapper.MapGroupsToRolesAsync(new[] { "scada-admins" });
Assert.Contains("Admin", result.Roles);
}
}
#endregion
#region WP-9: Authorization Policy Tests
public class AuthorizationPolicyTests
{
[Fact]
public async Task AdminPolicy_AdminRole_Succeeds()
{
var principal = CreatePrincipal(new[] { "Admin" });
var result = await EvaluatePolicy(AuthorizationPolicies.RequireAdmin, principal);
Assert.True(result);
}
[Fact]
public async Task AdminPolicy_DesignRole_Fails()
{
var principal = CreatePrincipal(new[] { "Design" });
var result = await EvaluatePolicy(AuthorizationPolicies.RequireAdmin, principal);
Assert.False(result);
}
[Fact]
public async Task DesignPolicy_DesignRole_Succeeds()
{
var principal = CreatePrincipal(new[] { "Design" });
var result = await EvaluatePolicy(AuthorizationPolicies.RequireDesign, principal);
Assert.True(result);
}
[Fact]
public async Task DeploymentPolicy_DeploymentRole_Succeeds()
{
var principal = CreatePrincipal(new[] { "Deployment" });
var result = await EvaluatePolicy(AuthorizationPolicies.RequireDeployment, principal);
Assert.True(result);
}
[Fact]
public async Task NoRoles_DeniedAll()
{
var principal = CreatePrincipal(Array.Empty<string>());
Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireAdmin, principal));
Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDesign, principal));
Assert.False(await EvaluatePolicy(AuthorizationPolicies.RequireDeployment, principal));
}
[Fact]
public async Task SiteScope_SystemWideDeployer_Succeeds()
{
var handler = new SiteScopeAuthorizationHandler();
var claims = new List<Claim>
{
new(JwtTokenService.RoleClaimType, "Deployment")
// No SiteId claims = system-wide
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
var requirement = new SiteScopeRequirement("42");
var context = new AuthorizationHandlerContext(new[] { requirement }, principal, null);
await handler.HandleAsync(context);
Assert.True(context.HasSucceeded);
}
[Fact]
public async Task SiteScope_PermittedSite_Succeeds()
{
var handler = new SiteScopeAuthorizationHandler();
var claims = new List<Claim>
{
new(JwtTokenService.RoleClaimType, "Deployment"),
new(JwtTokenService.SiteIdClaimType, "1"),
new(JwtTokenService.SiteIdClaimType, "2")
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
var requirement = new SiteScopeRequirement("1");
var context = new AuthorizationHandlerContext(new[] { requirement }, principal, null);
await handler.HandleAsync(context);
Assert.True(context.HasSucceeded);
}
[Fact]
public async Task SiteScope_UnpermittedSite_Fails()
{
var handler = new SiteScopeAuthorizationHandler();
var claims = new List<Claim>
{
new(JwtTokenService.RoleClaimType, "Deployment"),
new(JwtTokenService.SiteIdClaimType, "1")
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
var requirement = new SiteScopeRequirement("99");
var context = new AuthorizationHandlerContext(new[] { requirement }, principal, null);
await handler.HandleAsync(context);
Assert.False(context.HasSucceeded);
}
[Fact]
public async Task SiteScope_NoDeploymentRole_Fails()
{
var handler = new SiteScopeAuthorizationHandler();
var claims = new List<Claim>
{
new(JwtTokenService.RoleClaimType, "Admin")
};
var principal = new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
var requirement = new SiteScopeRequirement("1");
var context = new AuthorizationHandlerContext(new[] { requirement }, principal, null);
await handler.HandleAsync(context);
Assert.False(context.HasSucceeded);
}
private static ClaimsPrincipal CreatePrincipal(string[] roles, string[]? siteIds = null)
{
var claims = new List<Claim>();
foreach (var role in roles)
claims.Add(new Claim(JwtTokenService.RoleClaimType, role));
if (siteIds != null)
foreach (var siteId in siteIds)
claims.Add(new Claim(JwtTokenService.SiteIdClaimType, siteId));
return new ClaimsPrincipal(new ClaimsIdentity(claims, "test"));
}
private static async Task<bool> EvaluatePolicy(string policyName, ClaimsPrincipal principal)
{
var services = new ServiceCollection();
services.AddScadaLinkAuthorization();
services.AddLogging();
using var provider = services.BuildServiceProvider();
var authService = provider.GetRequiredService<IAuthorizationService>();
var result = await authService.AuthorizeAsync(principal, null, policyName);
return result.Succeeded;
}
}
#endregion