Joseph Doherty
544a6ddb77
Resolves the 35 findings from the 2026-06-01 baseline (commit 26ba1c7),
test-first for every behavioral change. +51 tests (331 -> 382 passing, 0 failed).
- Telemetry-001 (HIGH): RedactionEnricher now honours property removal, so a
redactor that drops a key actually scrubs the secret from the event.
- Auth: LDAP validator ValidateOnStart; API-key verify no longer fails on a
best-effort MarkUsed write or a corrupt scopes column (fail-closed); LDAP cert
validation hook; KeyPrefix persistence aligned; README algorithm corrected.
- Health: Akka checks return Degraded (not throw) when the cluster isn't up yet;
GrpcDependencyHealthCheck catch-all; null 'description' rendered; composite
endpoint builder; XML docs shipped.
- Audit: CompositeAuditWriter no longer re-throws OperationCanceledException;
TruncatingAuditRedactor over-redact scrubs Target + safe negative max; options
record; XML docs shipped.
- Configuration: TryAddEnumerable idempotent registration; consistent port
quoting; strict invariant port parsing; XML docs + README packaged.
- Theme: mobile toggle is now CSS-only (no Bootstrap JS); token/CSS hygiene;
XML docs on the public parameter surface.
Shared-contract/spec docs updated where the code was the source of truth
(observability service.instance.id, MapZbMetrics, redactor reach). All changes
additive/back-compatible at v0.1.0. code-reviews bookkeeping follows separately.
60 lines
3.2 KiB
C#
60 lines
3.2 KiB
C#
using System.Net.Security;
|
|
|
|
namespace ZB.MOM.WW.Auth.Abstractions.Ldap;
|
|
|
|
public enum LdapTransport { Ldaps, StartTls, None }
|
|
|
|
public sealed record LdapOptions
|
|
{
|
|
public bool Enabled { get; init; } = true;
|
|
public string Server { get; init; } = "localhost";
|
|
public int Port { get; init; } = 3893;
|
|
public LdapTransport Transport { get; init; } = LdapTransport.Ldaps;
|
|
public bool AllowInsecure { get; init; }
|
|
public string SearchBase { get; init; } = "";
|
|
public string ServiceAccountDn { get; init; } = "";
|
|
public string ServiceAccountPassword { get; init; } = "";
|
|
public string UserNameAttribute { get; init; } = "cn";
|
|
public string DisplayNameAttribute { get; init; } = "cn";
|
|
public string GroupAttribute { get; init; } = "memberOf";
|
|
public int ConnectionTimeoutMs { get; init; } = 10_000;
|
|
|
|
/// <summary>
|
|
/// Optional hook to harden (or, in dev, relax) TLS server-certificate validation for the
|
|
/// <see cref="LdapTransport.Ldaps"/> / <see cref="LdapTransport.StartTls"/> transports. When
|
|
/// <see langword="null"/> (the default) the LDAP client validates the server certificate against
|
|
/// the OS trust store — it does <em>not</em> blind-accept. Supply a callback to pin a CA, validate
|
|
/// the SAN against <see cref="Server"/>, or otherwise tighten validation. This is a code-only seam
|
|
/// (not bound from configuration) and takes precedence over <see cref="AllowInsecure"/>.
|
|
/// </summary>
|
|
public RemoteCertificateValidationCallback? ServerCertificateValidationCallback { get; init; }
|
|
}
|
|
|
|
public enum LdapAuthFailure { BadCredentials, UserNotFound, AmbiguousUser, GroupLookupFailed, ServiceAccountBindFailed, Disabled }
|
|
|
|
public sealed record LdapAuthResult(bool Succeeded, string Username, string DisplayName, IReadOnlyList<string> Groups, LdapAuthFailure? Failure)
|
|
{
|
|
public static LdapAuthResult Success(string username, string displayName, IReadOnlyList<string> groups) => new(true, username, displayName, groups, null);
|
|
public static LdapAuthResult Fail(LdapAuthFailure failure) => new(false, "", "", Array.Empty<string>(), failure);
|
|
}
|
|
|
|
public interface ILdapAuthService
|
|
{
|
|
/// <summary>
|
|
/// Authenticates <paramref name="username"/> against the directory by bind-then-search and
|
|
/// returns the outcome, including the resolved display name and group memberships on success.
|
|
/// </summary>
|
|
/// <param name="username">The login name to authenticate.</param>
|
|
/// <param name="password">The credential to bind with.</param>
|
|
/// <param name="ct">A token to request cancellation of the operation.</param>
|
|
/// <returns>The authentication result.</returns>
|
|
/// <remarks>
|
|
/// The cancellation token is observed at entry only. Implementations backed by synchronous
|
|
/// LDAP clients cannot abort an in-flight bind or search once it has been dispatched, so full
|
|
/// cooperative cancellation is not guaranteed mid-call: a request that has already reached the
|
|
/// directory will run to completion (subject to the configured connection timeout) even if the
|
|
/// token is cancelled.
|
|
/// </remarks>
|
|
Task<LdapAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct);
|
|
}
|