consolidation of some of the modules, localization fixes, product advisories work, qa work

2026-03-05 03:54:22 +02:00
parent 7bafcc3eef
commit 8e1cb9448d
3878 changed files with 72600 additions and 46861 deletions
--- a/src/Router/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs
+++ b/src/Router/StellaOps.Gateway.WebService/Authorization/AuthorizationMiddleware.cs
@@ -69,9 +69,27 @@ public sealed class AuthorizationMiddleware
        foreach (var required in effectiveClaims)
        {
            var userClaims = context.User.Claims;
-            var hasClaim = required.Value == null
-                ? userClaims.Any(c => c.Type == required.Type)
-                : userClaims.Any(c => c.Type == required.Type && c.Value == required.Value);
+            bool hasClaim;
+
+            if (required.Value == null)
+            {
+                hasClaim = userClaims.Any(c => c.Type == required.Type);
+            }
+            else if (string.Equals(required.Type, "scope", StringComparison.OrdinalIgnoreCase) ||
+                     string.Equals(required.Type, "scp", StringComparison.OrdinalIgnoreCase))
+            {
+                // Scope claims may be space-separated (RFC 6749 §3.3) or individual claims.
+                // Check both: exact match on individual claims, and contains-within-space-separated.
+                hasClaim = userClaims.Any(c =>
+                    c.Type == required.Type &&
+                    (c.Value == required.Value ||
+                     c.Value.Split(' ', StringSplitOptions.RemoveEmptyEntries)
+                            .Any(s => string.Equals(s, required.Value, StringComparison.Ordinal))));
+            }
+            else
+            {
+                hasClaim = userClaims.Any(c => c.Type == required.Type && c.Value == required.Value);
+            }

            if (!hasClaim)
            {
--- a/src/Router/StellaOps.Gateway.WebService/Dockerfile
+++ b/src/Router/StellaOps.Gateway.WebService/Dockerfile
@@ -6,7 +6,7 @@ EXPOSE 8443
 FROM mcr.microsoft.com/dotnet/sdk:10.0-preview AS build
 WORKDIR /src
 COPY . .
-RUN dotnet publish src/Gateway/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj -c Release -o /app/publish
+RUN dotnet publish src/Router/StellaOps.Gateway.WebService/StellaOps.Gateway.WebService.csproj -c Release -o /app/publish

 FROM base AS final
 WORKDIR /app
--- a/src/Router/StellaOps.Gateway.WebService/Middleware/IdentityHeaderPolicyMiddleware.cs
+++ b/src/Router/StellaOps.Gateway.WebService/Middleware/IdentityHeaderPolicyMiddleware.cs
@@ -651,7 +651,9 @@ public sealed class IdentityHeaderPolicyOptions
    [
        "/connect",
        "/console",
-        "/api/admin"
+        "/authority",
+        "/doctor",
+        "/api"
    ];

    /// <summary>
--- a/src/Router/StellaOps.Gateway.WebService/TASKS.md
+++ b/src/Router/StellaOps.Gateway.WebService/TASKS.md
@@ -10,3 +10,4 @@ Source of truth: `docs-archived/implplan/2025-12-29-csproj-audit/SPRINT_20251229
 | AUDIT-0347-A | TODO | Pending approval (non-test project; revalidated 2026-01-07). |
 | REMED-06 | DONE | SOLID review notes captured for SPRINT_20260130_002. |
 | RGH-01 | DONE | 2026-02-22: Added SPA fallback handling for browser deep links on microservice route matches; API prefixes remain backend-dispatched. |
+| RGH-02 | DONE | 2026-03-04: Expanded approved auth passthrough prefixes (`/authority`, `/doctor`, `/api`) to unblock authenticated gateway routes used by Audit Log UI E2E. |