plan(phase1): record Task 1.2 review findings + LdapOptionsValidator 0.1.1 question
This commit is contained in:
Joseph Doherty
@@ -84,6 +84,32 @@ Cookie `ZB.MOM.WW.ScadaBridge.Auth`; JWT-in-cookie via `JwtTokenService`.
|
||||
5. **MxGateway ApiKeys cutover is the donor path — lowest risk** (delete locals, re-point to library; keep
|
||||
`ConstraintEnforcer`/gRPC/scopes on top). Confirms the GAPS sequencing (gateway first).
|
||||
|
||||
## Task 1.2 (LDAP cutover) — implemented + reviewed (2026-06-02)
|
||||
|
||||
Commits: OtOpcUa `257caa7`, MxGateway `c3b466e`, ScadaBridge `ac34dac`. All targeted tests green.
|
||||
Security review verdict: **sound, no credential-leak regression** in any repo (insecure-transport
|
||||
guards fire correctly; DevStubMode cannot leak to prod; claim shapes preserved). All three returned
|
||||
CHANGES-REQUESTED for fixable issues:
|
||||
|
||||
- **OtOpcUa** (no Critical): (I1) insecure-transport guard is login-time only — add startup
|
||||
validation gated on `Enabled` for defense-in-depth, verify prod overlays still boot; (I2) integration
|
||||
stub pre-populates `Roles` so the Groups→mapper path isn't actually exercised — fix the stub; (I3)
|
||||
document/test the zero-role fail-closed fallback.
|
||||
- **MxGateway** (2 Critical): (C1) library strips group DNs to short RDN names before the
|
||||
`LdapGroupClaimType` claim → verify prior behaviour, document, drop the now-dead full-DN branch in the
|
||||
mapper, add a claim-value assertion; (C2) gateway's local `LdapOptions` is now a shadow copy (validated
|
||||
but unused at runtime) → fold to the shared type or document the drift. (I1) shared `LdapOptionsValidator`
|
||||
has **no `Enabled=false` guard** → validates even when LDAP is disabled (real for MxGateway, which can
|
||||
disable dashboard LDAP).
|
||||
- **ScadaBridge** (2 Critical): (C1) `ConfigSecretsTests` still checks the OLD flat key → passes
|
||||
vacuously, no longer guards secret-in-config — repoint to nested key; (C2) `production-checklist.md`
|
||||
still lists deleted flat keys → update; (I) unsafe `(RoleMappingResult)Scope!` cast → null-guard.
|
||||
|
||||
**Cross-cutting decision — shared library `LdapOptionsValidator` `Enabled` guard:** the validator runs
|
||||
regardless of `Enabled`, requiring Server/SearchBase/ServiceAccountDn even when LDAP is off. Correct fix =
|
||||
add an `if (!Enabled) return Success` guard to the shared validator and republish `0.1.1`, re-pinning all
|
||||
consumers. (Alternative: each consumer always supplies those fields. The library fix is the principled one.)
|
||||
|
||||
## Resolved decisions (2026-06-02)
|
||||
|
||||
- **Decision A — ScadaBridge inbound API keys depth → (a) FULL ADOPT.** Re-architect inbound-API auth to the
|
||||
|
||||
Reference in New Issue
Block a user