OTSSignsOrchestrator.Server/Health/Checks/OauthAppHealthCheck.cs

using OTSSignsOrchestrator.Server.Clients;
using OTSSignsOrchestrator.Server.Data.Entities;

namespace OTSSignsOrchestrator.Server.Health.Checks;

/// <summary>
/// Verifies the OAuth2 app in <see cref="OauthAppRegistry"/> can still authenticate
/// by testing a <c>client_credentials</c> flow against the Xibo CMS instance.
/// AutoRemediate=false — credential rotation requires a separate job.
/// </summary>
public sealed class OauthAppHealthCheck : IHealthCheck
{
    private readonly XiboClientFactory _clientFactory;
    private readonly IServiceProvider _services;
    private readonly ILogger<OauthAppHealthCheck> _logger;

    public string CheckName => "OauthApp";
    public bool AutoRemediate => false;

    public OauthAppHealthCheck(
        XiboClientFactory clientFactory,
        IServiceProvider services,
        ILogger<OauthAppHealthCheck> logger)
    {
        _clientFactory = clientFactory;
        _services = services;
        _logger = logger;
    }

    public async Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)
    {
        var oauthApp = instance.OauthAppRegistries.FirstOrDefault();
        if (oauthApp is null)
            return new HealthCheckResult(HealthStatus.Critical, "No OAuth app registered");

        var abbrev = instance.Customer.Abbreviation;
        var settings = _services.GetRequiredService<Core.Services.SettingsService>();
        var secret = await settings.GetAsync(Core.Services.SettingsService.InstanceOAuthSecretId(abbrev));

        if (string.IsNullOrEmpty(secret))
            return new HealthCheckResult(HealthStatus.Critical,
                "OAuth client secret not found in Bitwarden — cannot authenticate");

        try
        {
            // Attempt to create a client (which fetches a token via client_credentials)
            var client = await _clientFactory.CreateAsync(instance.XiboUrl, oauthApp.ClientId, secret);

            // If we got here, the token was obtained successfully
            return new HealthCheckResult(HealthStatus.Healthy, "OAuth2 client_credentials flow successful");
        }
        catch (Exception ex)
        {
            return new HealthCheckResult(HealthStatus.Critical,
                $"OAuth2 authentication failed: {ex.Message}",
                "Credential rotation job may be required");
        }
    }
}
feat: Implement provisioning pipelines for subscription management - Add ReactivatePipeline to handle subscription reactivation, including scaling Docker services, health verification, status updates, audit logging, and broadcasting status changes. - Introduce RotateCredentialsPipeline for OAuth2 credential rotation, managing the deletion of old apps, creation of new ones, credential storage, access verification, and audit logging. - Create StepRunner to manage job step execution, including lifecycle management and progress broadcasting via SignalR. - Implement SuspendPipeline for subscription suspension, scaling down services, updating statuses, logging audits, and broadcasting changes. - Add UpdateScreenLimitPipeline to update Xibo CMS screen limits and record snapshots. - Introduce XiboFeatureManifests for hardcoded feature ACLs per role. - Add docker-compose.dev.yml for local development with PostgreSQL setup. 2026-03-18 10:27:26 -04:00			`using OTSSignsOrchestrator.Server.Clients;`
			`using OTSSignsOrchestrator.Server.Data.Entities;`

			`namespace OTSSignsOrchestrator.Server.Health.Checks;`

			`/// <summary>`
			`/// Verifies the OAuth2 app in <see cref="OauthAppRegistry"/> can still authenticate`
			`/// by testing a <c>client_credentials</c> flow against the Xibo CMS instance.`
			`/// AutoRemediate=false — credential rotation requires a separate job.`
			`/// </summary>`
			`public sealed class OauthAppHealthCheck : IHealthCheck`
			`{`
			`private readonly XiboClientFactory _clientFactory;`
			`private readonly IServiceProvider _services;`
			`private readonly ILogger<OauthAppHealthCheck> _logger;`

			`public string CheckName => "OauthApp";`
			`public bool AutoRemediate => false;`

			`public OauthAppHealthCheck(`
			`XiboClientFactory clientFactory,`
			`IServiceProvider services,`
			`ILogger<OauthAppHealthCheck> logger)`
			`{`
			`_clientFactory = clientFactory;`
			`_services = services;`
			`_logger = logger;`
			`}`

			`public async Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)`
			`{`
			`var oauthApp = instance.OauthAppRegistries.FirstOrDefault();`
			`if (oauthApp is null)`
			`return new HealthCheckResult(HealthStatus.Critical, "No OAuth app registered");`

			`var abbrev = instance.Customer.Abbreviation;`
			`var settings = _services.GetRequiredService<Core.Services.SettingsService>();`
			`var secret = await settings.GetAsync(Core.Services.SettingsService.InstanceOAuthSecretId(abbrev));`

			`if (string.IsNullOrEmpty(secret))`
			`return new HealthCheckResult(HealthStatus.Critical,`
			`"OAuth client secret not found in Bitwarden — cannot authenticate");`

			`try`
			`{`
			`// Attempt to create a client (which fetches a token via client_credentials)`
			`var client = await _clientFactory.CreateAsync(instance.XiboUrl, oauthApp.ClientId, secret);`

			`// If we got here, the token was obtained successfully`
			`return new HealthCheckResult(HealthStatus.Healthy, "OAuth2 client_credentials flow successful");`
			`}`
			`catch (Exception ex)`
			`{`
			`return new HealthCheckResult(HealthStatus.Critical,`
			`$"OAuth2 authentication failed: {ex.Message}",`
			`"Credential rotation job may be required");`
			`}`
			`}`
			`}`