using System.Text;
using Microsoft.AspNetCore.SignalR;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging;
using ScadaLink.Commons.Interfaces.Repositories;
using ScadaLink.Commons.Messages.DebugView;
using ScadaLink.Commons.Messages.Streaming;
using ScadaLink.Communication;
using ScadaLink.Security;
namespace ScadaLink.ManagementService;
///
/// SignalR hub for real-time debug stream subscriptions.
/// External consumers (CLI) connect via WebSocket, authenticate with Basic Auth,
/// and receive streaming attribute value and alarm state changes.
///
public class DebugStreamHub : Hub
{
private const string SessionIdKey = "DebugStreamSessionId";
private const string RolesKey = "DebugStreamRoles";
private const string PermittedSiteIdsKey = "DebugStreamPermittedSiteIds";
///
/// Pure site-scope authorization check for a debug-stream subscription.
/// Returns true when the caller may subscribe to a debug stream for an instance
/// belonging to .
/// Admin role, or an empty (system-wide
/// Deployment), grants access to any site; otherwise the instance's site must be
/// in the permitted set.
///
public static bool IsInstanceAccessAllowed(
IReadOnlyCollection roles,
IReadOnlyCollection permittedSiteIds,
int instanceSiteId)
{
if (roles.Contains("Admin", StringComparer.OrdinalIgnoreCase)) return true;
if (permittedSiteIds.Count == 0) return true; // system-wide deployment
return permittedSiteIds.Contains(instanceSiteId.ToString());
}
private readonly DebugStreamService _debugStreamService;
private readonly IHubContext _hubContext;
private readonly ILogger _logger;
public DebugStreamHub(
DebugStreamService debugStreamService,
IHubContext hubContext,
ILogger logger)
{
_debugStreamService = debugStreamService;
_hubContext = hubContext;
_logger = logger;
}
///
/// Authenticates the connection using Basic Auth from the HTTP negotiate request.
/// Validates credentials via LDAP and checks for the Deployment role.
///
public override async Task OnConnectedAsync()
{
var httpContext = Context.GetHttpContext();
if (httpContext == null)
{
_logger.LogWarning("DebugStreamHub connection rejected: no HTTP context");
Context.Abort();
return;
}
// Extract Basic Auth credentials
var authHeader = httpContext.Request.Headers.Authorization.ToString();
if (string.IsNullOrEmpty(authHeader) || !authHeader.StartsWith("Basic ", StringComparison.OrdinalIgnoreCase))
{
_logger.LogWarning("DebugStreamHub connection rejected: missing Basic Auth header");
Context.Abort();
return;
}
string username, password;
try
{
var decoded = Encoding.UTF8.GetString(Convert.FromBase64String(authHeader["Basic ".Length..]));
var colon = decoded.IndexOf(':');
if (colon < 0) throw new FormatException();
username = decoded[..colon];
password = decoded[(colon + 1)..];
}
catch
{
_logger.LogWarning("DebugStreamHub connection rejected: malformed Basic Auth");
Context.Abort();
return;
}
// LDAP authentication
var ldapAuth = httpContext.RequestServices.GetRequiredService();
var authResult = await ldapAuth.AuthenticateAsync(username, password);
if (!authResult.Success)
{
_logger.LogWarning("DebugStreamHub connection rejected: LDAP auth failed for {Username}", username);
Context.Abort();
return;
}
// Role check — Deployment role required
var roleMapper = httpContext.RequestServices.GetRequiredService();
var mappingResult = await roleMapper.MapGroupsToRolesAsync(
authResult.Groups ?? (IReadOnlyList)Array.Empty());
if (!mappingResult.Roles.Contains("Deployment"))
{
_logger.LogWarning("DebugStreamHub connection rejected: {Username} lacks Deployment role", username);
Context.Abort();
return;
}
// Persist the resolved identity on the connection so per-instance site-scope
// enforcement can be applied to SubscribeInstance calls.
Context.Items[RolesKey] = mappingResult.Roles.ToArray();
Context.Items[PermittedSiteIdsKey] = mappingResult.PermittedSiteIds.ToArray();
_logger.LogInformation("DebugStreamHub connection established for {Username}", username);
await base.OnConnectedAsync();
}
///
/// Subscribes to a debug stream for the specified instance.
/// Sends the initial snapshot immediately, then streams incremental changes.
///
public async Task SubscribeInstance(int instanceId)
{
// Stop any existing subscription for this connection
await UnsubscribeInstance();
var connectionId = Context.ConnectionId;
// Per-instance site-scope enforcement: a site-scoped Deployment user must not
// be able to stream an instance belonging to a site outside their scope.
var httpContext = Context.GetHttpContext();
if (httpContext == null)
{
_logger.LogWarning("DebugStreamHub: {ConnectionId} subscribe rejected — no HTTP context", connectionId);
await Clients.Caller.SendAsync("OnStreamTerminated", "Authorization context unavailable.");
return;
}
var roles = Context.Items.TryGetValue(RolesKey, out var rolesObj) && rolesObj is string[] r
? r : Array.Empty();
var permittedSiteIds = Context.Items.TryGetValue(PermittedSiteIdsKey, out var sitesObj) && sitesObj is string[] s
? s : Array.Empty();
var instanceRepo = httpContext.RequestServices.GetRequiredService();
var instance = await instanceRepo.GetInstanceByIdAsync(instanceId);
if (instance == null)
{
_logger.LogWarning("DebugStreamHub: {ConnectionId} subscribe rejected — instance {InstanceId} not found",
connectionId, instanceId);
await Clients.Caller.SendAsync("OnStreamTerminated", $"Instance {instanceId} not found.");
return;
}
if (!IsInstanceAccessAllowed(roles, permittedSiteIds, instance.SiteId))
{
_logger.LogWarning(
"DebugStreamHub: {ConnectionId} subscribe to instance {InstanceId} denied — site {SiteId} outside permitted scope",
connectionId, instanceId, instance.SiteId);
await Clients.Caller.SendAsync("OnStreamTerminated",
$"Access denied: instance {instanceId} belongs to a site outside your Deployment scope.");
return;
}
try
{
// Use IHubContext for callbacks — the hub instance is transient (disposed after method returns),
// but IHubContext is a singleton that remains valid for the lifetime of the connection.
var hubClients = _hubContext.Clients;
var session = await _debugStreamService.StartStreamAsync(
instanceId,
onEvent: evt =>
{
// Fire-and-forget — if the client disconnects, SendAsync will fail silently
_ = evt switch
{
AttributeValueChanged changed =>
hubClients.Client(connectionId).SendAsync("OnAttributeChanged", changed),
AlarmStateChanged changed =>
hubClients.Client(connectionId).SendAsync("OnAlarmChanged", changed),
DebugViewSnapshot snapshot =>
hubClients.Client(connectionId).SendAsync("OnSnapshot", snapshot),
_ => Task.CompletedTask
};
},
onTerminated: () =>
{
_ = hubClients.Client(connectionId).SendAsync("OnStreamTerminated", "Site disconnected");
});
Context.Items[SessionIdKey] = session.SessionId;
// Send the initial snapshot
await Clients.Caller.SendAsync("OnSnapshot", session.InitialSnapshot);
_logger.LogInformation("DebugStreamHub: {ConnectionId} subscribed to instance {InstanceId}",
connectionId, instanceId);
}
catch (Exception ex)
{
_logger.LogError(ex, "DebugStreamHub: Failed to subscribe {ConnectionId} to instance {InstanceId}",
connectionId, instanceId);
await Clients.Caller.SendAsync("OnStreamTerminated", ex.Message);
}
}
///
/// Unsubscribes from the current debug stream.
///
public Task UnsubscribeInstance()
{
if (Context.Items.TryGetValue(SessionIdKey, out var sessionIdObj) && sessionIdObj is string sessionId)
{
_debugStreamService.StopStream(sessionId);
Context.Items.Remove(SessionIdKey);
_logger.LogInformation("DebugStreamHub: {ConnectionId} unsubscribed", Context.ConnectionId);
}
return Task.CompletedTask;
}
public override async Task OnDisconnectedAsync(Exception? exception)
{
await UnsubscribeInstance();
await base.OnDisconnectedAsync(exception);
}
}