dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

refactor: rename ScadaLink → ZB.MOM.WW.ScadaBridge (code + projects + namespaces)

Browse Source 
Solution + 23 src projects + 26 test projects renamed; folders, csproj,
namespaces, and ScadaLinkDbContext/ScadaBridgeDbContext class updated.
ActorSystem "scadalink" → "scadabridge", Akka seed-node URLs migrated.
SQL roles/logins, LDAP domains, CLI command name, and CLI config dir
(~/.scadalink → ~/.scadabridge) also renamed.

Build green; 5 Host.Tests fail awaiting SQL login rename in next commit.
Pre-existing StaleTagMonitor timing flakes unchanged.

Rename script committed at tools/rename-to-scadabridge.sh.
This commit is contained in:
Joseph Doherty
2026-05-28 09:37:45 -04:00
parent 6d87ee3c3b
commit 7b0b9c7365
1531 changed files with 11180 additions and 11054 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/ZB.MOM.WW.ScadaBridge.Security/RoleMapper.cs
+83
View File
@@ -0,0 +1,83 @@
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories;
namespace ZB.MOM.WW.ScadaBridge.Security;
public class RoleMapper
{
private readonly ISecurityRepository _securityRepository;
/// <summary>Initializes the mapper with the security repository.</summary>
/// <param name="securityRepository">Repository used to retrieve LDAP group-to-role mappings and scope rules.</param>
public RoleMapper(ISecurityRepository securityRepository)
{
_securityRepository = securityRepository ?? throw new ArgumentNullException(nameof(securityRepository));
}
// virtual: a test seam so HTTP-pipeline tests (e.g. the #23 M8 audit
// endpoints) can substitute the LDAP-group→role resolution.
/// <summary>Maps a list of LDAP group names to ScadaBridge roles and computes site-scope permissions.</summary>
/// <param name="ldapGroups">LDAP group names from the authenticated user's directory entry.</param>
/// <param name="ct">Cancellation token.</param>
/// <returns>A <see cref="RoleMappingResult"/> containing matched roles, permitted site IDs, and the system-wide flag.</returns>
public virtual async Task<RoleMappingResult> MapGroupsToRolesAsync(
IReadOnlyList<string> ldapGroups,
CancellationToken ct = default)
{
var allMappings = await _securityRepository.GetAllMappingsAsync(ct);
var matchedRoles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
var permittedSiteIds = new HashSet<string>();
var hasDeploymentRole = false;
var hasScopedDeploymentMapping = false;
var hasUnscopedDeploymentMapping = false;
foreach (var mapping in allMappings)
{
// Match LDAP group names (case-insensitive)
if (!ldapGroups.Any(g => g.Equals(mapping.LdapGroupName, StringComparison.OrdinalIgnoreCase)))
continue;
matchedRoles.Add(mapping.Role);
if (mapping.Role.Equals(Roles.Deployment, StringComparison.OrdinalIgnoreCase))
{
hasDeploymentRole = true;
var scopeRules = await _securityRepository.GetScopeRulesForMappingAsync(mapping.Id, ct);
if (scopeRules.Count > 0)
{
hasScopedDeploymentMapping = true;
foreach (var rule in scopeRules)
{
permittedSiteIds.Add(rule.SiteId.ToString());
}
}
else
{
hasUnscopedDeploymentMapping = true;
}
}
}
// Union semantics (Security-016): a Deployment user is system-wide iff
// *any* matched Deployment mapping has no scope rules. A user in both
// SCADA-Deploy-All (unscoped) and SCADA-Deploy-SiteA (scoped to Site A)
// gets the broader grant, not the narrower one — matching the design's
// "roles are independent — there is no implied hierarchy" rule.
var isSystemWide = hasUnscopedDeploymentMapping
|| (hasDeploymentRole && !hasScopedDeploymentMapping);
// When system-wide, drop any accumulated scope ids — the empty
// permitted set is the system-wide signal downstream consumers
// (SiteScopeService, ManagementActor) already use.
if (isSystemWide)
{
permittedSiteIds.Clear();
}
return new RoleMappingResult(
matchedRoles.ToList(),
permittedSiteIds.ToList(),
isSystemWide);
}
}