fix(auth): move AddZbLdapAuth to Host composition root so component-lib AddSecurity() drops IConfiguration param (satisfy OptionsTests arch rule; fix pre-existing ac34dac red); behaviour-preserving
This commit is contained in:
Joseph Doherty
@@ -1,4 +1,5 @@
|
||||
using ZB.MOM.WW.Auth.ApiKeys.DependencyInjection;
|
||||
using ZB.MOM.WW.Auth.AspNetCore;
|
||||
using ZB.MOM.WW.Health;
|
||||
using ZB.MOM.WW.Health.Akka;
|
||||
using ZB.MOM.WW.Health.EntityFrameworkCore;
|
||||
@@ -104,7 +105,16 @@ try
|
||||
builder.Services.AddSiteCallAudit();
|
||||
builder.Services.AddTemplateEngine();
|
||||
builder.Services.AddDeploymentManager();
|
||||
builder.Services.AddSecurity(builder.Configuration);
|
||||
// Host is the composition root and owns config-coupled wiring: register the
|
||||
// shared LDAP auth (binds LdapOptions + IValidateOptions<LdapOptions> with
|
||||
// ValidateOnStart + ILdapAuthService singleton) here, then AddSecurity() for the
|
||||
// config-free remainder. AddSecurity is a component library and takes no
|
||||
// IConfiguration (Options pattern only). Behaviour-preserving: identical
|
||||
// registrations to the previous AddSecurity(builder.Configuration) call.
|
||||
builder.Services.AddZbLdapAuth(
|
||||
builder.Configuration,
|
||||
ZB.MOM.WW.ScadaBridge.Security.ServiceCollectionExtensions.LdapSectionPath);
|
||||
builder.Services.AddSecurity();
|
||||
builder.Services.AddCentralUI();
|
||||
builder.Services.AddInboundAPI();
|
||||
|
||||
|
||||
@@ -1,5 +1,4 @@
|
||||
using Microsoft.AspNetCore.Authentication.Cookies;
|
||||
using Microsoft.Extensions.Configuration;
|
||||
using Microsoft.Extensions.DependencyInjection;
|
||||
using Microsoft.Extensions.Logging;
|
||||
using Microsoft.Extensions.Options;
|
||||
@@ -15,29 +14,37 @@ public static class ServiceCollectionExtensions
|
||||
/// under the existing <c>ScadaBridge:Security</c> section as a <c>Ldap</c> sub-section
|
||||
/// (Task 1.4 config rename) so the non-LDAP <see cref="SecurityOptions"/> fields stay
|
||||
/// where they are while the LDAP connection settings bind to the shared library.
|
||||
/// The Host composition root references this constant to register the shared LDAP
|
||||
/// auth (<c>AddZbLdapAuth</c>) before calling <see cref="AddSecurity"/>.
|
||||
/// </summary>
|
||||
public const string LdapSectionPath = "ScadaBridge:Security:Ldap";
|
||||
|
||||
/// <summary>
|
||||
/// Registers LDAP authentication (shared <c>ZB.MOM.WW.Auth.Ldap</c>), JWT token service,
|
||||
/// role mapper, cookie authentication, and authorization policies.
|
||||
/// Registers the JWT token service, role mapper, cookie authentication, and
|
||||
/// authorization policies. This is a component library and therefore takes no
|
||||
/// <c>IConfiguration</c> (Options pattern only).
|
||||
/// </summary>
|
||||
/// <remarks>
|
||||
/// LDAP authentication (shared <c>ZB.MOM.WW.Auth.Ldap</c> via <c>AddZbLdapAuth</c>) is
|
||||
/// registered by the Host composition root — which calls <c>AddZbLdapAuth</c> with the
|
||||
/// nested <see cref="LdapSectionPath"/> <em>before</em> this method — because that
|
||||
/// registration is config-coupled (it binds <c>LdapOptions</c> from
|
||||
/// <c>IConfiguration</c>) and component libraries must not accept <c>IConfiguration</c>.
|
||||
/// </remarks>
|
||||
/// <param name="services">The service collection to register into.</param>
|
||||
/// <param name="configuration">
|
||||
/// Application configuration, read for the nested <see cref="LdapSectionPath"/> LDAP
|
||||
/// options bound + validated by <c>AddZbLdapAuth</c>.
|
||||
/// </param>
|
||||
public static IServiceCollection AddSecurity(this IServiceCollection services, IConfiguration configuration)
|
||||
public static IServiceCollection AddSecurity(this IServiceCollection services)
|
||||
{
|
||||
// Task 1.2 cutover: replace ScadaBridge's bespoke LdapAuthService with the shared
|
||||
// ZB.MOM.WW.Auth.Ldap implementation (ScadaBridge was the donor for its hardened
|
||||
// bind-then-search / escaping / fail-closed semantics, so this is a behaviour-
|
||||
// equivalent re-point). AddZbLdapAuth binds LdapOptions from the nested Ldap
|
||||
// sub-section, registers IValidateOptions<LdapOptions> with ValidateOnStart (so a
|
||||
// misconfigured directory fails fast at boot — superseding the old
|
||||
// SecurityOptionsValidator LDAP checks), and registers ILdapAuthService as a
|
||||
// stateless singleton.
|
||||
services.AddZbLdapAuth(configuration, LdapSectionPath);
|
||||
// Task 1.2 cutover: ScadaBridge's bespoke LdapAuthService was replaced by the
|
||||
// shared ZB.MOM.WW.Auth.Ldap implementation (ScadaBridge was the donor for its
|
||||
// hardened bind-then-search / escaping / fail-closed semantics, so this was a
|
||||
// behaviour-equivalent re-point). That registration — AddZbLdapAuth, which binds
|
||||
// LdapOptions from the nested Ldap sub-section, registers IValidateOptions<LdapOptions>
|
||||
// with ValidateOnStart (so a misconfigured directory fails fast at boot —
|
||||
// superseding the old SecurityOptionsValidator LDAP checks), and registers
|
||||
// ILdapAuthService as a stateless singleton — now lives at the Host composition
|
||||
// root (which calls AddZbLdapAuth(configuration, LdapSectionPath) immediately
|
||||
// before AddSecurity()), because it is config-coupled and this is a component
|
||||
// library.
|
||||
|
||||
services.AddScoped<JwtTokenService>();
|
||||
services.AddScoped<RoleMapper>();
|
||||
|
||||
Reference in New Issue
Block a user