OTSSignsOrchestrator.Server/Health/Checks/AdminIntegrityHealthCheck.cs

using Microsoft.EntityFrameworkCore;
using OTSSignsOrchestrator.Server.Clients;
using OTSSignsOrchestrator.Server.Data;
using OTSSignsOrchestrator.Server.Data.Entities;

namespace OTSSignsOrchestrator.Server.Health.Checks;

/// <summary>
/// Verifies that both <c>ots-admin-{abbrev}</c> and <c>ots-svc-{abbrev}</c> exist
/// with <c>userTypeId == 1</c> (SuperAdmin). MUST use <see cref="XiboApiClientExtensions.GetAllPagesAsync{T}"/>
/// because Xibo paginates at 10 items by default.
///
/// <c>saml-usertypeid</c> is JIT-only and does NOT maintain SuperAdmin on existing users —
/// this check IS the ongoing enforcement mechanism.
/// </summary>
public sealed class AdminIntegrityHealthCheck : IHealthCheck
{
    private readonly XiboClientFactory _clientFactory;
    private readonly IServiceProvider _services;
    private readonly ILogger<AdminIntegrityHealthCheck> _logger;

    public string CheckName => "AdminIntegrity";
    public bool AutoRemediate => true;

    public AdminIntegrityHealthCheck(
        XiboClientFactory clientFactory,
        IServiceProvider services,
        ILogger<AdminIntegrityHealthCheck> logger)
    {
        _clientFactory = clientFactory;
        _services = services;
        _logger = logger;
    }

    public async Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)
    {
        var (client, abbrev) = await ResolveAsync(instance);
        if (client is null)
            return new HealthCheckResult(HealthStatus.Critical, "No OAuth app — cannot verify admin accounts");

        var users = await client.GetAllPagesAsync(
            (start, length) => client.GetUsersAsync(start, length));

        var adminName = $"ots-admin-{abbrev}";
        var svcName = $"ots-svc-{abbrev}";
        var problems = new List<string>();

        foreach (var expected in new[] { adminName, svcName })
        {
            var user = users.FirstOrDefault(u =>
                u.TryGetValue("userName", out var n) &&
                string.Equals(n?.ToString(), expected, StringComparison.OrdinalIgnoreCase));

            if (user is null)
            {
                problems.Add($"{expected} is MISSING");
                continue;
            }

            if (user.TryGetValue("userTypeId", out var typeObj) &&
                typeObj?.ToString() != "1")
            {
                problems.Add($"{expected} has userTypeId={typeObj} (expected 1)");
            }
        }

        if (problems.Count == 0)
            return new HealthCheckResult(HealthStatus.Healthy, "Admin accounts intact");

        return new HealthCheckResult(
            HealthStatus.Critical,
            $"Admin integrity issues: {string.Join("; ", problems)}",
            string.Join("\n", problems));
    }

    public async Task<bool> RemediateAsync(Instance instance, CancellationToken ct)
    {
        var (client, abbrev) = await ResolveAsync(instance);
        if (client is null) return false;

        await using var scope = _services.CreateAsyncScope();
        var db = scope.ServiceProvider.GetRequiredService<OrchestratorDbContext>();

        var users = await client.GetAllPagesAsync(
            (start, length) => client.GetUsersAsync(start, length));

        var adminName = $"ots-admin-{abbrev}";
        var svcName = $"ots-svc-{abbrev}";
        var allFixed = true;

        foreach (var expected in new[] { adminName, svcName })
        {
            var user = users.FirstOrDefault(u =>
                u.TryGetValue("userName", out var n) &&
                string.Equals(n?.ToString(), expected, StringComparison.OrdinalIgnoreCase));

            if (user is null)
            {
                // Recreate missing account
                var email = $"{expected}@otssigns.internal";
                var password = GenerateRandomPassword(32);
                var createResp = await client.CreateUserAsync(new CreateUserRequest(
                    expected, email, password, UserTypeId: 1, HomePageId: 1));

                if (!createResp.IsSuccessStatusCode)
                {
                    _logger.LogError("Failed to recreate {User}: {Err}", expected, createResp.Error?.Content);
                    allFixed = false;
                    continue;
                }

                // Audit
                db.AuditLogs.Add(new AuditLog
                {
                    Id = Guid.NewGuid(),
                    InstanceId = instance.Id,
                    Actor = "HealthCheckEngine:AdminIntegrity",
                    Action = "RecreateUser",
                    Target = expected,
                    Outcome = "Success",
                    Detail = "User was missing — recreated as SuperAdmin",
                    OccurredAt = DateTime.UtcNow,
                });
            }
            else
            {
                // Fix userTypeId if wrong
                if (user.TryGetValue("userTypeId", out var typeObj) && typeObj?.ToString() != "1")
                {
                    var userId = int.Parse(user["userId"]?.ToString() ?? "0");
                    if (userId == 0) { allFixed = false; continue; }

                    var updateResp = await client.UpdateUserAsync(userId, new UpdateUserRequest(
                        UserName: null, Email: null, Password: null, UserTypeId: 1,
                        HomePageId: null, Retired: null));

                    if (!updateResp.IsSuccessStatusCode)
                    {
                        _logger.LogError("Failed to fix userTypeId for {User}: {Err}",
                            expected, updateResp.Error?.Content);
                        allFixed = false;
                        continue;
                    }

                    db.AuditLogs.Add(new AuditLog
                    {
                        Id = Guid.NewGuid(),
                        InstanceId = instance.Id,
                        Actor = "HealthCheckEngine:AdminIntegrity",
                        Action = "FixUserType",
                        Target = expected,
                        Outcome = "Success",
                        Detail = $"Changed userTypeId from {typeObj} to 1 (SuperAdmin)",
                        OccurredAt = DateTime.UtcNow,
                    });
                }
            }
        }

        await db.SaveChangesAsync(ct);
        return allFixed;
    }

    private async Task<(IXiboApiClient? Client, string Abbrev)> ResolveAsync(Instance instance)
    {
        var abbrev = instance.Customer.Abbreviation;
        var oauthApp = instance.OauthAppRegistries.FirstOrDefault();
        if (oauthApp is null) return (null, abbrev);

        var settings = _services.GetRequiredService<Core.Services.SettingsService>();
        var secret = await settings.GetAsync(Core.Services.SettingsService.InstanceOAuthSecretId(abbrev));
        if (string.IsNullOrEmpty(secret)) return (null, abbrev);

        var client = await _clientFactory.CreateAsync(instance.XiboUrl, oauthApp.ClientId, secret);
        return (client, abbrev);
    }

    private static string GenerateRandomPassword(int length)
    {
        const string chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*";
        return System.Security.Cryptography.RandomNumberGenerator.GetString(chars, length);
    }
}
feat: Implement provisioning pipelines for subscription management - Add ReactivatePipeline to handle subscription reactivation, including scaling Docker services, health verification, status updates, audit logging, and broadcasting status changes. - Introduce RotateCredentialsPipeline for OAuth2 credential rotation, managing the deletion of old apps, creation of new ones, credential storage, access verification, and audit logging. - Create StepRunner to manage job step execution, including lifecycle management and progress broadcasting via SignalR. - Implement SuspendPipeline for subscription suspension, scaling down services, updating statuses, logging audits, and broadcasting changes. - Add UpdateScreenLimitPipeline to update Xibo CMS screen limits and record snapshots. - Introduce XiboFeatureManifests for hardcoded feature ACLs per role. - Add docker-compose.dev.yml for local development with PostgreSQL setup. 2026-03-18 10:27:26 -04:00			`using Microsoft.EntityFrameworkCore;`
			`using OTSSignsOrchestrator.Server.Clients;`
			`using OTSSignsOrchestrator.Server.Data;`
			`using OTSSignsOrchestrator.Server.Data.Entities;`

			`namespace OTSSignsOrchestrator.Server.Health.Checks;`

			`/// <summary>`
			`/// Verifies that both <c>ots-admin-{abbrev}</c> and <c>ots-svc-{abbrev}</c> exist`
			`/// with <c>userTypeId == 1</c> (SuperAdmin). MUST use <see cref="XiboApiClientExtensions.GetAllPagesAsync{T}"/>`
			`/// because Xibo paginates at 10 items by default.`
			`///`
			`/// <c>saml-usertypeid</c> is JIT-only and does NOT maintain SuperAdmin on existing users —`
			`/// this check IS the ongoing enforcement mechanism.`
			`/// </summary>`
			`public sealed class AdminIntegrityHealthCheck : IHealthCheck`
			`{`
			`private readonly XiboClientFactory _clientFactory;`
			`private readonly IServiceProvider _services;`
			`private readonly ILogger<AdminIntegrityHealthCheck> _logger;`

			`public string CheckName => "AdminIntegrity";`
			`public bool AutoRemediate => true;`

			`public AdminIntegrityHealthCheck(`
			`XiboClientFactory clientFactory,`
			`IServiceProvider services,`
			`ILogger<AdminIntegrityHealthCheck> logger)`
			`{`
			`_clientFactory = clientFactory;`
			`_services = services;`
			`_logger = logger;`
			`}`

			`public async Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)`
			`{`
			`var (client, abbrev) = await ResolveAsync(instance);`
			`if (client is null)`
			`return new HealthCheckResult(HealthStatus.Critical, "No OAuth app — cannot verify admin accounts");`

			`var users = await client.GetAllPagesAsync(`
			`(start, length) => client.GetUsersAsync(start, length));`

			`var adminName = $"ots-admin-{abbrev}";`
			`var svcName = $"ots-svc-{abbrev}";`
			`var problems = new List<string>();`

			`foreach (var expected in new[] { adminName, svcName })`
			`{`
			`var user = users.FirstOrDefault(u =>`
			`u.TryGetValue("userName", out var n) &&`
			`string.Equals(n?.ToString(), expected, StringComparison.OrdinalIgnoreCase));`

			`if (user is null)`
			`{`
			`problems.Add($"{expected} is MISSING");`
			`continue;`
			`}`

			`if (user.TryGetValue("userTypeId", out var typeObj) &&`
			`typeObj?.ToString() != "1")`
			`{`
			`problems.Add($"{expected} has userTypeId={typeObj} (expected 1)");`
			`}`
			`}`

			`if (problems.Count == 0)`
			`return new HealthCheckResult(HealthStatus.Healthy, "Admin accounts intact");`

			`return new HealthCheckResult(`
			`HealthStatus.Critical,`
			`$"Admin integrity issues: {string.Join("; ", problems)}",`
			`string.Join("\n", problems));`
			`}`

			`public async Task<bool> RemediateAsync(Instance instance, CancellationToken ct)`
			`{`
			`var (client, abbrev) = await ResolveAsync(instance);`
			`if (client is null) return false;`

			`await using var scope = _services.CreateAsyncScope();`
			`var db = scope.ServiceProvider.GetRequiredService<OrchestratorDbContext>();`

			`var users = await client.GetAllPagesAsync(`
			`(start, length) => client.GetUsersAsync(start, length));`

			`var adminName = $"ots-admin-{abbrev}";`
			`var svcName = $"ots-svc-{abbrev}";`
			`var allFixed = true;`

			`foreach (var expected in new[] { adminName, svcName })`
			`{`
			`var user = users.FirstOrDefault(u =>`
			`u.TryGetValue("userName", out var n) &&`
			`string.Equals(n?.ToString(), expected, StringComparison.OrdinalIgnoreCase));`

			`if (user is null)`
			`{`
			`// Recreate missing account`
			`var email = $"{expected}@otssigns.internal";`
			`var password = GenerateRandomPassword(32);`
			`var createResp = await client.CreateUserAsync(new CreateUserRequest(`
			`expected, email, password, UserTypeId: 1, HomePageId: 1));`

			`if (!createResp.IsSuccessStatusCode)`
			`{`
			`_logger.LogError("Failed to recreate {User}: {Err}", expected, createResp.Error?.Content);`
			`allFixed = false;`
			`continue;`
			`}`

			`// Audit`
			`db.AuditLogs.Add(new AuditLog`
			`{`
			`Id = Guid.NewGuid(),`
			`InstanceId = instance.Id,`
			`Actor = "HealthCheckEngine:AdminIntegrity",`
			`Action = "RecreateUser",`
			`Target = expected,`
			`Outcome = "Success",`
			`Detail = "User was missing — recreated as SuperAdmin",`
			`OccurredAt = DateTime.UtcNow,`
			`});`
			`}`
			`else`
			`{`
			`// Fix userTypeId if wrong`
			`if (user.TryGetValue("userTypeId", out var typeObj) && typeObj?.ToString() != "1")`
			`{`
			`var userId = int.Parse(user["userId"]?.ToString() ?? "0");`
			`if (userId == 0) { allFixed = false; continue; }`

			`var updateResp = await client.UpdateUserAsync(userId, new UpdateUserRequest(`
			`UserName: null, Email: null, Password: null, UserTypeId: 1,`
			`HomePageId: null, Retired: null));`

			`if (!updateResp.IsSuccessStatusCode)`
			`{`
			`_logger.LogError("Failed to fix userTypeId for {User}: {Err}",`
			`expected, updateResp.Error?.Content);`
			`allFixed = false;`
			`continue;`
			`}`

			`db.AuditLogs.Add(new AuditLog`
			`{`
			`Id = Guid.NewGuid(),`
			`InstanceId = instance.Id,`
			`Actor = "HealthCheckEngine:AdminIntegrity",`
			`Action = "FixUserType",`
			`Target = expected,`
			`Outcome = "Success",`
			`Detail = $"Changed userTypeId from {typeObj} to 1 (SuperAdmin)",`
			`OccurredAt = DateTime.UtcNow,`
			`});`
			`}`
			`}`
			`}`

			`await db.SaveChangesAsync(ct);`
			`return allFixed;`
			`}`

			`private async Task<(IXiboApiClient? Client, string Abbrev)> ResolveAsync(Instance instance)`
			`{`
			`var abbrev = instance.Customer.Abbreviation;`
			`var oauthApp = instance.OauthAppRegistries.FirstOrDefault();`
			`if (oauthApp is null) return (null, abbrev);`

			`var settings = _services.GetRequiredService<Core.Services.SettingsService>();`
			`var secret = await settings.GetAsync(Core.Services.SettingsService.InstanceOAuthSecretId(abbrev));`
			`if (string.IsNullOrEmpty(secret)) return (null, abbrev);`

			`var client = await _clientFactory.CreateAsync(instance.XiboUrl, oauthApp.ClientId, secret);`
			`return (client, abbrev);`
			`}`

			`private static string GenerateRandomPassword(int length)`
			`{`
			`const string chars = "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*";`
			`return System.Security.Cryptography.RandomNumberGenerator.GetString(chars, length);`
			`}`
			`}`