feat: Implement provisioning pipelines for subscription management

- Add ReactivatePipeline to handle subscription reactivation, including scaling Docker services, health verification, status updates, audit logging, and broadcasting status changes. - Introduce RotateCredentialsPipeline for OAuth2 credential rotation, managing the deletion of old apps, creation of new ones, credential storage, access verification, and audit logging. - Create StepRunner to manage job step execution, including lifecycle management and progress broadcasting via SignalR. - Implement SuspendPipeline for subscription suspension, scaling down services, updating statuses, logging audits, and broadcasting changes. - Add UpdateScreenLimitPipeline to update Xibo CMS screen limits and record snapshots. - Introduce XiboFeatureManifests for hardcoded feature ACLs per role. - Add docker-compose.dev.yml for local development with PostgreSQL setup.
2026-03-18 10:27:26 -04:00
parent c2e03de8bb
commit c6d46098dd
77 changed files with 9412 additions and 29 deletions
--- a/OTSSignsOrchestrator.Server/Health/Checks/GroupStructureHealthCheck.cs
+++ b/OTSSignsOrchestrator.Server/Health/Checks/GroupStructureHealthCheck.cs
@@ -0,0 +1,124 @@
+using OTSSignsOrchestrator.Server.Clients;
+using OTSSignsOrchestrator.Server.Data;
+using OTSSignsOrchestrator.Server.Data.Entities;
+
+namespace OTSSignsOrchestrator.Server.Health.Checks;
+
+/// <summary>
+/// Verifies all 4 expected Xibo groups exist for the instance:
+/// <c>{abbrev}-viewer</c>, <c>{abbrev}-editor</c>, <c>{abbrev}-admin</c>, <c>ots-it-{abbrev}</c>.
+/// Uses <see cref="XiboApiClientExtensions.GetAllPagesAsync{T}"/> to avoid pagination truncation.
+/// </summary>
+public sealed class GroupStructureHealthCheck : IHealthCheck
+{
+    private readonly XiboClientFactory _clientFactory;
+    private readonly IServiceProvider _services;
+    private readonly ILogger<GroupStructureHealthCheck> _logger;
+
+    public string CheckName => "GroupStructure";
+    public bool AutoRemediate => true;
+
+    public GroupStructureHealthCheck(
+        XiboClientFactory clientFactory,
+        IServiceProvider services,
+        ILogger<GroupStructureHealthCheck> logger)
+    {
+        _clientFactory = clientFactory;
+        _services = services;
+        _logger = logger;
+    }
+
+    public async Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)
+    {
+        var (client, abbrev) = await ResolveAsync(instance);
+        if (client is null)
+            return new HealthCheckResult(HealthStatus.Critical, "No OAuth app — cannot verify groups");
+
+        var expected = ExpectedGroups(abbrev);
+        var groups = await client.GetAllPagesAsync(
+            (start, length) => client.GetGroupsAsync(start, length));
+
+        var existing = groups
+            .Select(g => g.TryGetValue("group", out var n) ? n?.ToString() : null)
+            .Where(n => n is not null)
+            .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+        var missing = expected.Where(e => !existing.Contains(e)).ToList();
+
+        if (missing.Count == 0)
+            return new HealthCheckResult(HealthStatus.Healthy, "All 4 expected groups present");
+
+        return new HealthCheckResult(
+            HealthStatus.Critical,
+            $"Missing groups: {string.Join(", ", missing)}",
+            $"Expected: {string.Join(", ", expected)}");
+    }
+
+    public async Task<bool> RemediateAsync(Instance instance, CancellationToken ct)
+    {
+        var (client, abbrev) = await ResolveAsync(instance);
+        if (client is null) return false;
+
+        await using var scope = _services.CreateAsyncScope();
+        var db = scope.ServiceProvider.GetRequiredService<OrchestratorDbContext>();
+
+        var expected = ExpectedGroups(abbrev);
+        var groups = await client.GetAllPagesAsync(
+            (start, length) => client.GetGroupsAsync(start, length));
+
+        var existing = groups
+            .Select(g => g.TryGetValue("group", out var n) ? n?.ToString() : null)
+            .Where(n => n is not null)
+            .ToHashSet(StringComparer.OrdinalIgnoreCase);
+
+        var allFixed = true;
+        foreach (var name in expected.Where(e => !existing.Contains(e)))
+        {
+            var resp = await client.CreateGroupAsync(new CreateGroupRequest(name, $"Auto-created by health check for {abbrev}"));
+            if (resp.IsSuccessStatusCode)
+            {
+                db.AuditLogs.Add(new AuditLog
+                {
+                    Id = Guid.NewGuid(),
+                    InstanceId = instance.Id,
+                    Actor = "HealthCheckEngine:GroupStructure",
+                    Action = "CreateGroup",
+                    Target = name,
+                    Outcome = "Success",
+                    Detail = $"Recreated missing group {name}",
+                    OccurredAt = DateTime.UtcNow,
+                });
+            }
+            else
+            {
+                _logger.LogError("Failed to create group {Group}: {Err}", name, resp.Error?.Content);
+                allFixed = false;
+            }
+        }
+
+        await db.SaveChangesAsync(ct);
+        return allFixed;
+    }
+
+    private static string[] ExpectedGroups(string abbrev) =>
+    [
+        $"{abbrev}-viewer",
+        $"{abbrev}-editor",
+        $"{abbrev}-admin",
+        $"ots-it-{abbrev}",
+    ];
+
+    private async Task<(IXiboApiClient? Client, string Abbrev)> ResolveAsync(Instance instance)
+    {
+        var abbrev = instance.Customer.Abbreviation;
+        var oauthApp = instance.OauthAppRegistries.FirstOrDefault();
+        if (oauthApp is null) return (null, abbrev);
+
+        var settings = _services.GetRequiredService<Core.Services.SettingsService>();
+        var secret = await settings.GetAsync(Core.Services.SettingsService.InstanceOAuthSecretId(abbrev));
+        if (string.IsNullOrEmpty(secret)) return (null, abbrev);
+
+        var client = await _clientFactory.CreateAsync(instance.XiboUrl, oauthApp.ClientId, secret);
+        return (client, abbrev);
+    }
+}