a2b8b69281
- NavMenu: move Import Bundle out of the nested RequireDesign/RequireAdmin double-gate into the top-level Admin section so an Admin-only user sees it without needing the Design role; Export Bundle stays in the Design section. - TransportImport: inject IAuditService + ScadaLinkDbContext; emit a BundleImportUnlockFailed audit row (best-effort, swallowed on failure) on every wrong-passphrase attempt in SubmitPassphraseAsync, with attempt number and error reason in afterState. - docker central-node-a/b appsettings: add ScadaLink:Transport section with SourceEnvironment = "docker-cluster" so the importer picks up a non-null environment name in the audit trail. - CentralUI.Tests: register IAuditService mock + SQLite in-memory ScadaLinkDbContext in TransportImportPageTests to satisfy the two new injects.
324 lines
15 KiB
Plaintext
324 lines
15 KiB
Plaintext
@using System.Linq
|
|
@using ScadaLink.Security
|
|
@using Microsoft.AspNetCore.Components.Routing
|
|
@using Microsoft.JSInterop
|
|
@implements IDisposable
|
|
@inject NavigationManager Navigation
|
|
@inject IJSRuntime JS
|
|
|
|
<nav class="sidebar d-flex flex-column">
|
|
<div class="brand"><span class="mark">▮</span> ScadaBridge</div>
|
|
|
|
<div style="overflow-y:auto; flex:1 1 auto; min-height:0;">
|
|
<ul class="nav flex-column">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/" Match="NavLinkMatch.All">Dashboard</NavLink>
|
|
</li>
|
|
|
|
<AuthorizeView>
|
|
<Authorized>
|
|
@* Admin section — Admin role only *@
|
|
<AuthorizeView Policy="@AuthorizationPolicies.RequireAdmin">
|
|
<Authorized Context="adminContext">
|
|
<NavSection Title="Admin"
|
|
Expanded="@_expanded.Contains("admin")"
|
|
OnToggle="@(() => ToggleAsync("admin"))">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/admin/ldap-mappings">LDAP Mappings</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/admin/sites">Sites</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/admin/api-keys">API Keys</NavLink>
|
|
</li>
|
|
@* Import Bundle requires Admin only — Design role is not sufficient.
|
|
Export Bundle lives in the Design section (RequireDesign). *@
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/design/transport/import">Import Bundle</NavLink>
|
|
</li>
|
|
</NavSection>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
|
|
@* Design section — Design role *@
|
|
<AuthorizeView Policy="@AuthorizationPolicies.RequireDesign">
|
|
<Authorized Context="designContext">
|
|
<NavSection Title="Design"
|
|
Expanded="@_expanded.Contains("design")"
|
|
OnToggle="@(() => ToggleAsync("design"))">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/design/templates">Templates</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/design/shared-scripts">Shared Scripts</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/design/connections">Connections</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/design/external-systems">External Systems</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/design/transport/export">Export Bundle</NavLink>
|
|
</li>
|
|
</NavSection>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
|
|
@* Deployment section — Deployment role *@
|
|
<AuthorizeView Policy="@AuthorizationPolicies.RequireDeployment">
|
|
<Authorized Context="deploymentContext">
|
|
<NavSection Title="Deployment"
|
|
Expanded="@_expanded.Contains("deployment")"
|
|
OnToggle="@(() => ToggleAsync("deployment"))">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/deployment/topology">Topology</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/deployment/deployments">Deployments</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/deployment/debug-view">Debug View</NavLink>
|
|
</li>
|
|
</NavSection>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
|
|
@* Notifications — mixed-role section; each item gated by its own policy.
|
|
The section is ungated: every authenticated user holds at least one of
|
|
Admin/Design/Deployment, so it always has a visible child. *@
|
|
<NavSection Title="Notifications"
|
|
Expanded="@_expanded.Contains("notifications")"
|
|
OnToggle="@(() => ToggleAsync("notifications"))">
|
|
<AuthorizeView Policy="@AuthorizationPolicies.RequireAdmin">
|
|
<Authorized Context="notifAdminContext">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/notifications/smtp">SMTP Configuration</NavLink>
|
|
</li>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
<AuthorizeView Policy="@AuthorizationPolicies.RequireDesign">
|
|
<Authorized Context="notifDesignContext">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/notifications/lists">Notification Lists</NavLink>
|
|
</li>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
<AuthorizeView Policy="@AuthorizationPolicies.RequireDeployment">
|
|
<Authorized Context="notifDeploymentContext">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/notifications/report">Notification Report</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/notifications/kpis">Notification KPIs</NavLink>
|
|
</li>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
</NavSection>
|
|
|
|
@* Site Calls — Site Call Audit (#22). Deployment-role only,
|
|
matching the Notification Report page's gate; the whole
|
|
section sits inside the policy block so a non-Deployment
|
|
user does not see the heading. *@
|
|
<AuthorizeView Policy="@AuthorizationPolicies.RequireDeployment">
|
|
<Authorized Context="siteCallsContext">
|
|
<NavSection Title="Site Calls"
|
|
Expanded="@_expanded.Contains("sitecalls")"
|
|
OnToggle="@(() => ToggleAsync("sitecalls"))">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/site-calls/report">Site Calls</NavLink>
|
|
</li>
|
|
</NavSection>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
|
|
@* Monitoring — Health Dashboard is all-roles; Event Logs and
|
|
Parked Messages are Deployment-role only (Component-CentralUI).
|
|
The section is ungated because Health Dashboard is always
|
|
a visible child. *@
|
|
<NavSection Title="Monitoring"
|
|
Expanded="@_expanded.Contains("monitoring")"
|
|
OnToggle="@(() => ToggleAsync("monitoring"))">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/monitoring/health">Health Dashboard</NavLink>
|
|
</li>
|
|
<AuthorizeView Policy="@AuthorizationPolicies.RequireDeployment">
|
|
<Authorized Context="monitoringContext">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/monitoring/event-logs">Event Logs</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/monitoring/parked-messages">Parked Messages</NavLink>
|
|
</li>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
</NavSection>
|
|
|
|
@* Audit — gated on the OperationalAudit policy (#23 M7-T15
|
|
/ Bundle G). Hosts the Audit Log page (#23 M7) and the
|
|
Configuration Audit Log (IAuditService config-change
|
|
viewer). The whole section sits inside the policy block:
|
|
a non-audit user does not even see the heading.
|
|
OperationalAudit is satisfied by the Admin, Audit, and
|
|
AuditReadOnly roles. *@
|
|
<AuthorizeView Policy="@AuthorizationPolicies.OperationalAudit">
|
|
<Authorized Context="auditContext">
|
|
<NavSection Title="Audit"
|
|
Expanded="@_expanded.Contains("audit")"
|
|
OnToggle="@(() => ToggleAsync("audit"))">
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/audit/log">Audit Log</NavLink>
|
|
</li>
|
|
<li class="nav-item">
|
|
<NavLink class="nav-link" href="/audit/configuration">Configuration Audit Log</NavLink>
|
|
</li>
|
|
</NavSection>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
</ul>
|
|
</div>
|
|
|
|
<AuthorizeView>
|
|
<Authorized>
|
|
<div class="border-top px-3 py-2">
|
|
<div class="d-flex justify-content-between align-items-center">
|
|
@* CentralUI-024: claim type resolved via JwtTokenService. *@
|
|
<span class="text-body-secondary small">@context.User.GetDisplayName()</span>
|
|
<form method="post" action="/auth/logout" data-enhance="false">
|
|
@* CentralUI-017: logout is a state-changing POST and is
|
|
CSRF-protected — the antiforgery token is required. *@
|
|
<AntiforgeryToken />
|
|
<button type="submit" class="btn btn-outline-secondary btn-sm py-0 px-2">Sign Out</button>
|
|
</form>
|
|
</div>
|
|
</div>
|
|
</Authorized>
|
|
</AuthorizeView>
|
|
</nav>
|
|
|
|
@code {
|
|
// Expanded-section state persists in the "scadabridge_nav" cookie, written
|
|
// by navState.set / read by navState.get (wwwroot/js/nav-state.js) — a
|
|
// comma-separated list of section ids.
|
|
|
|
// Every collapsible section id. Also the allow-list for parsing the cookie.
|
|
private static readonly string[] SectionIds =
|
|
{ "admin", "design", "deployment", "notifications", "sitecalls", "monitoring", "audit" };
|
|
|
|
// The currently-expanded sections. Populated from the cookie on first
|
|
// render; mutated by ToggleAsync and by navigating into a section.
|
|
private readonly HashSet<string> _expanded = new(StringComparer.Ordinal);
|
|
|
|
protected override void OnInitialized()
|
|
{
|
|
Navigation.LocationChanged += OnLocationChanged;
|
|
}
|
|
|
|
protected override async Task OnAfterRenderAsync(bool firstRender)
|
|
{
|
|
if (!firstRender)
|
|
{
|
|
return;
|
|
}
|
|
|
|
// Hydrate from the cookie. Until this completes the sidebar paints
|
|
// collapsed (the "collapsed by default" state) — matching how TreeView
|
|
// hydrates its expand state in OnAfterRenderAsync(firstRender).
|
|
string saved;
|
|
try
|
|
{
|
|
saved = await JS.InvokeAsync<string>("navState.get") ?? string.Empty;
|
|
}
|
|
catch (JSDisconnectedException)
|
|
{
|
|
return;
|
|
}
|
|
|
|
foreach (var id in saved.Split(
|
|
',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries))
|
|
{
|
|
if (Array.IndexOf(SectionIds, id) >= 0)
|
|
{
|
|
_expanded.Add(id);
|
|
}
|
|
}
|
|
|
|
// The section of the page we loaded on is always expanded.
|
|
if (EnsureCurrentSectionExpanded())
|
|
{
|
|
await PersistAsync();
|
|
}
|
|
|
|
StateHasChanged();
|
|
}
|
|
|
|
private void OnLocationChanged(object? sender, LocationChangedEventArgs e)
|
|
{
|
|
// Navigating into a collapsed section expands it (and remembers it).
|
|
if (EnsureCurrentSectionExpanded())
|
|
{
|
|
_ = PersistAsync();
|
|
_ = InvokeAsync(StateHasChanged);
|
|
}
|
|
}
|
|
|
|
private async Task ToggleAsync(string id)
|
|
{
|
|
if (!_expanded.Remove(id))
|
|
{
|
|
_expanded.Add(id);
|
|
}
|
|
|
|
await PersistAsync();
|
|
}
|
|
|
|
// Adds the current page's section to _expanded; returns true if it changed.
|
|
private bool EnsureCurrentSectionExpanded()
|
|
{
|
|
var section = CurrentSection();
|
|
return section is not null && _expanded.Add(section);
|
|
}
|
|
|
|
// Maps the current URL's first path segment to a section id, or null for
|
|
// sectionless pages (Dashboard, Login).
|
|
private string? CurrentSection()
|
|
{
|
|
var relative = Navigation.ToBaseRelativePath(Navigation.Uri);
|
|
var firstSegment = relative.Split('?', '#')[0]
|
|
.Split('/', StringSplitOptions.RemoveEmptyEntries)
|
|
.FirstOrDefault();
|
|
|
|
return firstSegment switch
|
|
{
|
|
"admin" => "admin",
|
|
"design" => "design",
|
|
"deployment" => "deployment",
|
|
"notifications" => "notifications",
|
|
"site-calls" => "sitecalls",
|
|
"monitoring" => "monitoring",
|
|
"audit" => "audit",
|
|
_ => null,
|
|
};
|
|
}
|
|
|
|
private async Task PersistAsync()
|
|
{
|
|
try
|
|
{
|
|
await JS.InvokeVoidAsync("navState.set", string.Join(',', _expanded));
|
|
}
|
|
catch (JSDisconnectedException)
|
|
{
|
|
// The circuit is gone — nothing to persist to.
|
|
}
|
|
}
|
|
|
|
public void Dispose()
|
|
{
|
|
Navigation.LocationChanged -= OnLocationChanged;
|
|
}
|
|
}
|