feat: Implement provisioning pipelines for subscription management

- Add ReactivatePipeline to handle subscription reactivation, including scaling Docker services, health verification, status updates, audit logging, and broadcasting status changes. - Introduce RotateCredentialsPipeline for OAuth2 credential rotation, managing the deletion of old apps, creation of new ones, credential storage, access verification, and audit logging. - Create StepRunner to manage job step execution, including lifecycle management and progress broadcasting via SignalR. - Implement SuspendPipeline for subscription suspension, scaling down services, updating statuses, logging audits, and broadcasting changes. - Add UpdateScreenLimitPipeline to update Xibo CMS screen limits and record snapshots. - Introduce XiboFeatureManifests for hardcoded feature ACLs per role. - Add docker-compose.dev.yml for local development with PostgreSQL setup.
2026-03-18 10:27:26 -04:00
parent c2e03de8bb
commit c6d46098dd
77 changed files with 9412 additions and 29 deletions
--- a/OTSSignsOrchestrator.Server/Health/Checks/OauthAppAgeHealthCheck.cs
+++ b/OTSSignsOrchestrator.Server/Health/Checks/OauthAppAgeHealthCheck.cs
@@ -0,0 +1,50 @@
+using OTSSignsOrchestrator.Server.Data.Entities;
+
+namespace OTSSignsOrchestrator.Server.Health.Checks;
+
+/// <summary>
+/// Checks the age of the OAuth2 application credentials from <see cref="OauthAppRegistry.CreatedAt"/>.
+/// Alerts Warning at 180 days, Critical at 365 days. AutoRemediate=false — suggests
+/// a "rotate-oauth2" job instead.
+/// </summary>
+public sealed class OauthAppAgeHealthCheck : IHealthCheck
+{
+    /// <summary>Days at which severity escalates to Warning.</summary>
+    internal const int WarningThresholdDays = 180;
+
+    /// <summary>Days at which severity escalates to Critical.</summary>
+    internal const int CriticalThresholdDays = 365;
+
+    public string CheckName => "OauthAppAge";
+    public bool AutoRemediate => false;
+
+    public Task<HealthCheckResult> RunAsync(Instance instance, CancellationToken ct)
+    {
+        var oauthApp = instance.OauthAppRegistries
+            .OrderByDescending(o => o.CreatedAt)
+            .FirstOrDefault();
+
+        if (oauthApp is null)
+            return Task.FromResult(new HealthCheckResult(HealthStatus.Degraded,
+                "No OAuth app registered"));
+
+        var ageDays = (DateTime.UtcNow - oauthApp.CreatedAt).TotalDays;
+
+        if (ageDays >= CriticalThresholdDays)
+        {
+            return Task.FromResult(new HealthCheckResult(HealthStatus.Critical,
+                $"OAuth2 credentials are {(int)ageDays} days old (critical threshold: {CriticalThresholdDays}d)",
+                "Create a 'rotate-credentials' job to rotate the OAuth2 application"));
+        }
+
+        if (ageDays >= WarningThresholdDays)
+        {
+            return Task.FromResult(new HealthCheckResult(HealthStatus.Degraded,
+                $"OAuth2 credentials are {(int)ageDays} days old (warning threshold: {WarningThresholdDays}d)",
+                "Schedule credential rotation before they reach 365 days"));
+        }
+
+        return Task.FromResult(new HealthCheckResult(HealthStatus.Healthy,
+            $"OAuth2 credentials are {(int)ageDays} days old"));
+    }
+}