feat(audit): security events en Auth + authorization handlers (UDT-010 B9)

Instruments auth pipeline with ISecurityEventLogger per #REQ-AUTH-SEC: LoginCommandHandler: - login success → action=login result=success actorUserId=user.Id - login failure disaggregated internally (client still sees 401 unified): user_not_found / user_inactive / invalid_password — attempts captured with attemptedUsername + FailureReason LogoutCommandHandler: - action=logout result=success actorUserId=cmd.UsuarioId RefreshCommandHandler: - refresh.issue success on successful rotation - refresh.reuse_detected failure when revoked token is presented (chain revoke already happens; we add the security event with metadata.familyId) - refresh.issue failure for: token_expired / sub_mismatch / user_not_found / user_inactive PermissionAuthorizationHandler: - permission.denied failure on require-permission rejection, with metadata { permissionRequired, endpoint, method }. ActorUserId from JWT sub. DI: ISecurityEventLogger was already registered by B6 (AddInfrastructure). Test updates: 4 test classes now inject ISecurityEventLogger mock: - LoginCommandHandlerTests, LogoutCommandHandlerTests, RefreshCommandHandlerTests - PermissionAuthorizationHandlerTests (Api.Tests) Suite: 378/378 Application.Tests + 141/141 Api.Tests = 519/519 passing. Refs: sdd/udt-010-auditoria-trazabilidad/{spec#REQ-SEC-2/3/4/5 #REQ-AUTH-SEC, design, tasks#B9}
2026-04-16 13:59:27 -03:00
parent a3f01bc6c9
commit b619c05762
8 changed files with 89 additions and 10 deletions
--- a/src/api/SIGCM2.Api/Authorization/PermissionAuthorizationHandler.cs
+++ b/src/api/SIGCM2.Api/Authorization/PermissionAuthorizationHandler.cs
@@ -2,6 +2,7 @@ using System.IdentityModel.Tokens.Jwt;
 using Microsoft.AspNetCore.Authorization;
 using Microsoft.AspNetCore.Http;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;

 namespace SIGCM2.Api.Authorization;
@@ -12,21 +13,25 @@ namespace SIGCM2.Api.Authorization;
 /// and IUsuarioRepository, resolves effective permissions via PermisoResolver,
 /// and succeeds if at least one required permission matches (OR semantics).
 /// No caching — always authoritative from DB (UDT-006 D1, UDT-009 D3).
+/// UDT-010: emits SecurityEvent 'permission.denied' on rejection.
 /// </summary>
 public sealed class PermissionAuthorizationHandler
    : AuthorizationHandler<RequirePermissionAttribute>
 {
    private readonly IRolPermisoRepository _rolPermisoRepo;
    private readonly IUsuarioRepository _usuarioRepo;
+    private readonly ISecurityEventLogger _security;
    private readonly ILogger<PermissionAuthorizationHandler> _logger;

    public PermissionAuthorizationHandler(
        IRolPermisoRepository rolPermisoRepo,
        IUsuarioRepository usuarioRepo,
+        ISecurityEventLogger security,
        ILogger<PermissionAuthorizationHandler> logger)
    {
        _rolPermisoRepo = rolPermisoRepo;
        _usuarioRepo = usuarioRepo;
+        _security = security;
        _logger = logger;
    }

@@ -83,8 +88,17 @@ public sealed class PermissionAuthorizationHandler
        }

        // 8. Stash required permission for ForbiddenProblemDetailsHandler
+        var requiredPermission = requirement.PermissionCodes[0];
        if (context.Resource is HttpContext httpContext)
-            httpContext.Items["RequiredPermission"] = requirement.PermissionCodes[0];
+            httpContext.Items["RequiredPermission"] = requiredPermission;
+
+        // 9. Emit SecurityEvent for the denial
+        var endpoint = (context.Resource as HttpContext)?.Request?.Path.Value;
+        var method = (context.Resource as HttpContext)?.Request?.Method;
+        await _security.LogAsync("permission.denied", "failure",
+            actorUserId: userId,
+            failureReason: $"missing_permission:{requiredPermission}",
+            metadata: new { permissionRequired = requiredPermission, endpoint, method });

        context.Fail(new AuthorizationFailureReason(this,
            $"missing_permission:{string.Join('|', requirement.PermissionCodes)}"));
--- a/src/api/SIGCM2.Application/Auth/Login/LoginCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Auth/Login/LoginCommandHandler.cs
@@ -2,6 +2,7 @@ using Microsoft.Extensions.Logging;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Common;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
@@ -19,6 +20,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
    private readonly IClientContext _clientContext;
    private readonly AuthOptions _authOptions;
    private readonly IRolPermisoRepository _rolPermisoRepository;
+    private readonly ISecurityEventLogger _security;
    private readonly ILogger<LoginCommandHandler> _logger;

    public LoginCommandHandler(
@@ -30,6 +32,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
        IClientContext clientContext,
        AuthOptions authOptions,
        IRolPermisoRepository rolPermisoRepository,
+        ISecurityEventLogger security,
        ILogger<LoginCommandHandler> logger)
    {
        _repository = repository;
@@ -40,6 +43,7 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
        _clientContext = clientContext;
        _authOptions = authOptions;
        _rolPermisoRepository = rolPermisoRepository;
+        _security = security;
        _logger = logger;
    }

@@ -47,12 +51,30 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
    {
        var usuario = await _repository.GetByUsernameAsync(command.Username);

-        // Deliberately vague — never reveal which check failed
-        if (usuario is null || !usuario.Activo)
+        // Deliberately vague to the client — never reveal which check failed.
+        // Internally, SecurityEvent captures the precise FailureReason for ops.
+        if (usuario is null)
+        {
+            await _security.LogAsync("login", "failure",
+                actorUserId: null, attemptedUsername: command.Username,
+                failureReason: "user_not_found");
            throw new InvalidCredentialsException();
+        }
+        if (!usuario.Activo)
+        {
+            await _security.LogAsync("login", "failure",
+                actorUserId: usuario.Id, attemptedUsername: command.Username,
+                failureReason: "user_inactive");
+            throw new InvalidCredentialsException();
+        }

        if (!_hasher.Verify(command.Password, usuario.PasswordHash))
+        {
+            await _security.LogAsync("login", "failure",
+                actorUserId: usuario.Id, attemptedUsername: command.Username,
+                failureReason: "invalid_password");
            throw new InvalidCredentialsException();
+        }

        var accessToken = _jwtService.GenerateAccessToken(usuario);

@@ -83,6 +105,8 @@ public sealed class LoginCommandHandler : ICommandHandler<LoginCommand, LoginRes
        var effective = PermisoResolver.Resolve(rolPermisos, overrides);
        var permisos = effective.OrderBy(p => p, StringComparer.Ordinal).ToArray();

+        await _security.LogAsync("login", "success", actorUserId: usuario.Id);
+
        return new LoginResponseDto(
            AccessToken: accessToken,
            RefreshToken: rawRefresh,      // raw to client — never stored
--- a/src/api/SIGCM2.Application/Auth/Logout/LogoutCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Auth/Logout/LogoutCommandHandler.cs
@@ -1,15 +1,18 @@
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;

 namespace SIGCM2.Application.Auth.Logout;

 public sealed class LogoutCommandHandler : ICommandHandler<LogoutCommand, LogoutResponseDto>
 {
    private readonly IRefreshTokenRepository _refreshRepo;
+    private readonly ISecurityEventLogger _security;

-    public LogoutCommandHandler(IRefreshTokenRepository refreshRepo)
+    public LogoutCommandHandler(IRefreshTokenRepository refreshRepo, ISecurityEventLogger security)
    {
        _refreshRepo = refreshRepo;
+        _security = security;
    }

    public async Task<LogoutResponseDto> Handle(LogoutCommand command)
@@ -17,6 +20,7 @@ public sealed class LogoutCommandHandler : ICommandHandler<LogoutCommand, Logout
        // Revoke all active tokens for the user across all families.
        // Idempotent: 0 rows affected is not an error.
        await _refreshRepo.RevokeAllActiveForUserAsync(command.UsuarioId, DateTime.UtcNow);
+        await _security.LogAsync("logout", "success", actorUserId: command.UsuarioId);
        return new LogoutResponseDto(true, "Sesión cerrada correctamente");
    }
 }
--- a/src/api/SIGCM2.Application/Auth/Refresh/RefreshCommandHandler.cs
+++ b/src/api/SIGCM2.Application/Auth/Refresh/RefreshCommandHandler.cs
@@ -1,6 +1,7 @@
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Domain.Entities;
 using SIGCM2.Domain.Exceptions;
 using SIGCM2.Domain.Security;
@@ -15,6 +16,7 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
    private readonly IRefreshTokenGenerator _refreshGenerator;
    private readonly IClientContext _clientCtx;
    private readonly AuthOptions _authOptions;
+    private readonly ISecurityEventLogger _security;

    public RefreshCommandHandler(
        IRefreshTokenRepository refreshRepo,
@@ -22,7 +24,8 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
        IJwtService jwt,
        IRefreshTokenGenerator refreshGenerator,
        IClientContext clientCtx,
-        AuthOptions authOptions)
+        AuthOptions authOptions,
+        ISecurityEventLogger security)
    {
        _refreshRepo = refreshRepo;
        _usuarioRepo = usuarioRepo;
@@ -30,6 +33,7 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
        _refreshGenerator = refreshGenerator;
        _clientCtx = clientCtx;
        _authOptions = authOptions;
+        _security = security;
    }

    public async Task<RefreshResponseDto> Handle(RefreshCommand command)
@@ -62,23 +66,44 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr
        if (stored.IsRevoked)
        {
            await _refreshRepo.RevokeFamilyAsync(stored.FamilyId, now);
+            await _security.LogAsync("refresh.reuse_detected", "failure",
+                actorUserId: stored.UsuarioId,
+                failureReason: "token_reused",
+                metadata: new { familyId = stored.FamilyId });
            throw new TokenReuseDetectedException();
        }

        // 5. Absolute expiration check
        if (stored.IsExpired(now))
+        {
+            await _security.LogAsync("refresh.issue", "failure",
+                actorUserId: stored.UsuarioId, failureReason: "token_expired");
            throw new InvalidRefreshTokenException();
+        }

        // 6. UsuarioId must match access token's sub claim
        if (stored.UsuarioId != accessUserId)
+        {
+            await _security.LogAsync("refresh.issue", "failure",
+                actorUserId: stored.UsuarioId, failureReason: "sub_mismatch");
            throw new InvalidRefreshTokenException();
+        }

        // 7. Load current user (so access token has up-to-date claims)
-        var usuario = await _usuarioRepo.GetByIdAsync(stored.UsuarioId)
-                      ?? throw new InvalidRefreshTokenException();
+        var usuario = await _usuarioRepo.GetByIdAsync(stored.UsuarioId);
+        if (usuario is null)
+        {
+            await _security.LogAsync("refresh.issue", "failure",
+                actorUserId: stored.UsuarioId, failureReason: "user_not_found");
+            throw new InvalidRefreshTokenException();
+        }

        if (!usuario.Activo)
+        {
+            await _security.LogAsync("refresh.issue", "failure",
+                actorUserId: usuario.Id, failureReason: "user_inactive");
            throw new InvalidRefreshTokenException();
+        }

        // 8. Rotate: create new token, persist, then revoke old
        var newRaw = _refreshGenerator.Generate();
@@ -90,6 +115,9 @@ public sealed class RefreshCommandHandler : ICommandHandler<RefreshCommand, Refr

        // 9. Issue new access token
        var newAccess = _jwt.GenerateAccessToken(usuario);
+
+        await _security.LogAsync("refresh.issue", "success", actorUserId: usuario.Id);
+
        return new RefreshResponseDto(newAccess, newRaw, _authOptions.AccessTokenMinutes * 60);
    }
 }
--- a/tests/SIGCM2.Api.Tests/Authorization/PermissionAuthorizationHandlerTests.cs
+++ b/tests/SIGCM2.Api.Tests/Authorization/PermissionAuthorizationHandlerTests.cs
@@ -6,6 +6,7 @@ using Microsoft.Extensions.Logging.Abstractions;
 using NSubstitute;
 using SIGCM2.Api.Authorization;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Domain.Entities;

 namespace SIGCM2.Api.Tests.Authorization;
@@ -18,6 +19,7 @@ public sealed class PermissionAuthorizationHandlerTests
 {
    private readonly IRolPermisoRepository _rolPermisoRepo = Substitute.For<IRolPermisoRepository>();
    private readonly IUsuarioRepository _usuarioRepo = Substitute.For<IUsuarioRepository>();
+    private readonly ISecurityEventLogger _security = Substitute.For<ISecurityEventLogger>();
    private readonly PermissionAuthorizationHandler _handler;

    public PermissionAuthorizationHandlerTests()
@@ -29,6 +31,7 @@ public sealed class PermissionAuthorizationHandlerTests
        _handler = new PermissionAuthorizationHandler(
            _rolPermisoRepo,
            _usuarioRepo,
+            _security,
            NullLogger<PermissionAuthorizationHandler>.Instance);
    }

--- a/tests/SIGCM2.Application.Tests/Auth/Login/LoginCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Auth/Login/LoginCommandHandlerTests.cs
@@ -3,6 +3,7 @@ using NSubstitute;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Auth;
 using SIGCM2.Application.Auth.Login;
 using SIGCM2.Domain.Entities;
@@ -20,6 +21,7 @@ public class LoginCommandHandlerTests
    private readonly IRefreshTokenGenerator _refreshGenerator = Substitute.For<IRefreshTokenGenerator>();
    private readonly IClientContext _clientCtx = Substitute.For<IClientContext>();
    private readonly IRolPermisoRepository _rolPermisoRepo = Substitute.For<IRolPermisoRepository>();
+    private readonly ISecurityEventLogger _security = Substitute.For<ISecurityEventLogger>();
    private readonly ILogger<LoginCommandHandler> _logger = Substitute.For<ILogger<LoginCommandHandler>>();
    private readonly AuthOptions _authOptions = new() { AccessTokenMinutes = 60, RefreshTokenDays = 7 };
    private readonly LoginCommandHandler _handler;
@@ -42,7 +44,7 @@ public class LoginCommandHandlerTests
        _handler = new LoginCommandHandler(
            _repository, _hasher, _jwtService,
            _refreshRepo, _refreshGenerator, _clientCtx, _authOptions,
-            _rolPermisoRepo, _logger);
+            _rolPermisoRepo, _security, _logger);
    }

    // Scenario: valid credentials → returns token response with usuario populated
--- a/tests/SIGCM2.Application.Tests/Auth/Logout/LogoutCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Auth/Logout/LogoutCommandHandlerTests.cs
@@ -1,5 +1,6 @@
 using NSubstitute;
 using SIGCM2.Application.Abstractions.Persistence;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Auth.Logout;

 namespace SIGCM2.Application.Tests.Auth.Logout;
@@ -7,11 +8,12 @@ namespace SIGCM2.Application.Tests.Auth.Logout;
 public class LogoutCommandHandlerTests
 {
    private readonly IRefreshTokenRepository _refreshRepo = Substitute.For<IRefreshTokenRepository>();
+    private readonly ISecurityEventLogger _security = Substitute.For<ISecurityEventLogger>();
    private readonly LogoutCommandHandler _handler;

    public LogoutCommandHandlerTests()
    {
-        _handler = new LogoutCommandHandler(_refreshRepo);
+        _handler = new LogoutCommandHandler(_refreshRepo, _security);
    }

    [Fact]
--- a/tests/SIGCM2.Application.Tests/Auth/Refresh/RefreshCommandHandlerTests.cs
+++ b/tests/SIGCM2.Application.Tests/Auth/Refresh/RefreshCommandHandlerTests.cs
@@ -4,6 +4,7 @@ using NSubstitute.ExceptionExtensions;
 using SIGCM2.Application.Abstractions;
 using SIGCM2.Application.Abstractions.Persistence;
 using SIGCM2.Application.Abstractions.Security;
+using SIGCM2.Application.Audit;
 using SIGCM2.Application.Auth;
 using SIGCM2.Application.Auth.Refresh;
 using SIGCM2.Domain.Entities;
@@ -19,6 +20,7 @@ public class RefreshCommandHandlerTests
    private readonly IJwtService _jwtService = Substitute.For<IJwtService>();
    private readonly IRefreshTokenGenerator _generator = Substitute.For<IRefreshTokenGenerator>();
    private readonly IClientContext _clientCtx = Substitute.For<IClientContext>();
+    private readonly ISecurityEventLogger _security = Substitute.For<ISecurityEventLogger>();
    private readonly AuthOptions _authOptions = new() { AccessTokenMinutes = 60, RefreshTokenDays = 7 };
    private readonly RefreshCommandHandler _handler;

@@ -34,7 +36,7 @@ public class RefreshCommandHandlerTests
        _generator.Generate().Returns("new_raw_token_value_xyz");

        _handler = new RefreshCommandHandler(
-            _refreshRepo, _usuarioRepo, _jwtService, _generator, _clientCtx, _authOptions);
+            _refreshRepo, _usuarioRepo, _jwtService, _generator, _clientCtx, _authOptions, _security);
    }

    // Helper: build an active stored RefreshToken with a matching principal