dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(auth): add IGroupRoleMapper<string> seam (Task 1.1)

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-02 00:30:42 -04:00
parent aaad38958e
commit 9230afa25f
4 changed files with 177 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/ZB.MOM.WW.ScadaBridge.Security/ScadaBridgeGroupRoleMapper.cs
+40
View File
@@ -0,0 +1,40 @@
using ZB.MOM.WW.Auth.Abstractions.Roles;
namespace ZB.MOM.WW.ScadaBridge.Security;
/// <summary>
/// Adapts ScadaBridge's DB-backed <see cref="RoleMapper"/> to the shared
/// <see cref="IGroupRoleMapper{TRole}"/> seam from <c>ZB.MOM.WW.Auth.Abstractions</c>.
/// </summary>
/// <remarks>
/// Task 1.1 of the Auth-library adoption: this is an <b>additive</b> wrapper. It does not
/// re-implement the LDAP-group → role resolution or the site-scope union semantics — it
/// delegates wholesale to <see cref="RoleMapper.MapGroupsToRolesAsync"/> and re-shapes the
/// result onto the shared contract. <typeparamref name="TRole"/> is <see cref="string"/>
/// because ScadaBridge roles travel as plain strings in claims. The full
/// <see cref="RoleMappingResult"/> — including <see cref="RoleMappingResult.PermittedSiteIds"/>
/// and <see cref="RoleMappingResult.IsSystemWideDeployment"/> — is carried verbatim in the
/// mapping's opaque <see cref="GroupRoleMapping{TRole}.Scope"/> so no site-scope information
/// is lost across the seam. The existing login flow is rewired to consume this in a later task.
/// </remarks>
public sealed class ScadaBridgeGroupRoleMapper : IGroupRoleMapper<string>
{
private readonly RoleMapper _roleMapper;
/// <summary>Initializes the mapper with the wrapped <see cref="RoleMapper"/>.</summary>
/// <param name="roleMapper">The DB-backed role mapper whose union semantics are reused.</param>
public ScadaBridgeGroupRoleMapper(RoleMapper roleMapper)
{
_roleMapper = roleMapper ?? throw new ArgumentNullException(nameof(roleMapper));
}
/// <inheritdoc />
public async Task<GroupRoleMapping<string>> MapAsync(IReadOnlyList<string> groups, CancellationToken ct)
{
var result = await _roleMapper.MapGroupsToRolesAsync(groups, ct);
// Carry the full RoleMappingResult as the opaque Scope so the site-scope
// payload (PermittedSiteIds + IsSystemWideDeployment) survives the seam.
return new GroupRoleMapping<string>(result.Roles, Scope: result);
}
}
src/ZB.MOM.WW.ScadaBridge.Security/ServiceCollectionExtensions.cs
+9
View File
@@ -3,6 +3,7 @@ using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.DependencyInjection.Extensions;
using Microsoft.Extensions.Logging;
using Microsoft.Extensions.Options;
using ZB.MOM.WW.Auth.Abstractions.Roles;
namespace ZB.MOM.WW.ScadaBridge.Security;
@@ -18,6 +19,14 @@ public static class ServiceCollectionExtensions
services.AddScoped<JwtTokenService>();
services.AddScoped<RoleMapper>();
// Auth-adoption Task 1.1: register the shared IGroupRoleMapper<string>
// seam additively, wrapping RoleMapper to reuse its DB-backed mapping +
// site-scope union semantics. Scoped to match RoleMapper's lifetime (it
// depends on the Scoped ISecurityRepository). The existing RoleMapper
// registration and its call sites are left untouched — login is rewired
// to consume this seam in a later task.
services.AddScoped<IGroupRoleMapper<string>, ScadaBridgeGroupRoleMapper>();
// Security-020: register the IValidateOptions<SecurityOptions> so a
// missing/empty LdapServer or LdapSearchBase fails fast at startup
// with a clear, key-naming message rather than a generic LDAP error
src/ZB.MOM.WW.ScadaBridge.Security/ZB.MOM.WW.ScadaBridge.Security.csproj
+1
View File
@@ -14,6 +14,7 @@
<PackageReference Include="Microsoft.AspNetCore.Authorization" />
<PackageReference Include="System.IdentityModel.Tokens.Jwt" />
<PackageReference Include="Novell.Directory.Ldap.NETStandard" />
<PackageReference Include="ZB.MOM.WW.Auth.Abstractions" />
<PackageReference Include="ZB.MOM.WW.Configuration" />
</ItemGroup>
tests/ZB.MOM.WW.ScadaBridge.Security.Tests/ScadaBridgeGroupRoleMapperTests.cs
+127
View File
@@ -0,0 +1,127 @@
using ZB.MOM.WW.Auth.Abstractions.Roles;
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Security;
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories;
using ZB.MOM.WW.ScadaBridge.Security;
namespace ZB.MOM.WW.ScadaBridge.Security.Tests;
#region Task 1.1: ScadaBridgeGroupRoleMapper (IGroupRoleMapper<string> seam)
public class ScadaBridgeGroupRoleMapperTests
{
// A minimal in-memory ISecurityRepository so the seam test needs no database.
// Only the two reads RoleMapper.MapGroupsToRolesAsync uses are implemented;
// the rest throw to make any accidental dependency on them obvious.
private sealed class FakeSecurityRepository : ISecurityRepository
{
private readonly IReadOnlyList<LdapGroupMapping> _mappings;
private readonly IReadOnlyDictionary<int, IReadOnlyList<SiteScopeRule>> _scopeRules;
public FakeSecurityRepository(
IReadOnlyList<LdapGroupMapping> mappings,
IReadOnlyDictionary<int, IReadOnlyList<SiteScopeRule>> scopeRules)
{
_mappings = mappings;
_scopeRules = scopeRules;
}
public Task<IReadOnlyList<LdapGroupMapping>> GetAllMappingsAsync(CancellationToken cancellationToken = default)
=> Task.FromResult(_mappings);
public Task<IReadOnlyList<SiteScopeRule>> GetScopeRulesForMappingAsync(int ldapGroupMappingId, CancellationToken cancellationToken = default)
=> Task.FromResult(_scopeRules.TryGetValue(ldapGroupMappingId, out var rules)
? rules
: (IReadOnlyList<SiteScopeRule>)Array.Empty<SiteScopeRule>());
public Task<LdapGroupMapping?> GetMappingByIdAsync(int id, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task<IReadOnlyList<LdapGroupMapping>> GetMappingsByRoleAsync(string role, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task AddMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task UpdateMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task DeleteMappingAsync(int id, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task<SiteScopeRule?> GetScopeRuleByIdAsync(int id, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task AddScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task UpdateScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task DeleteScopeRuleAsync(int id, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
}
private static LdapGroupMapping Mapping(int id, string group, string role)
{
var m = new LdapGroupMapping(group, role);
m.Id = id;
return m;
}
[Fact]
public async Task MapAsync_ReturnsSameRolesAsRoleMapper_AndCarriesResultInScope_SiteScoped()
{
// Two matched mappings: an Admin group and a site-scoped Deployment group.
var mappings = new List<LdapGroupMapping>
{
Mapping(1, "SCADA-Admins", Roles.Admin),
Mapping(2, "SiteDeployers", Roles.Deployment),
};
var scopeRules = new Dictionary<int, IReadOnlyList<SiteScopeRule>>
{
[2] = new[]
{
new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 11 },
new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 22 },
},
};
var repo = new FakeSecurityRepository(mappings, scopeRules);
var roleMapper = new RoleMapper(repo);
var sut = new ScadaBridgeGroupRoleMapper(roleMapper);
var groups = new[] { "SCADA-Admins", "SiteDeployers" };
// The wrapped RoleMapper result is the oracle the seam must preserve.
var expected = await roleMapper.MapGroupsToRolesAsync(groups, CancellationToken.None);
var mapping = await sut.MapAsync(groups, CancellationToken.None);
// Roles: same set as RoleMapper.
Assert.Equal(expected.Roles.OrderBy(r => r), mapping.Roles.OrderBy(r => r));
Assert.Contains(Roles.Admin, mapping.Roles);
Assert.Contains(Roles.Deployment, mapping.Roles);
// Scope: carries the full RoleMappingResult (no site-scope info lost).
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
Assert.False(scope.IsSystemWideDeployment);
Assert.Contains("11", scope.PermittedSiteIds);
Assert.Contains("22", scope.PermittedSiteIds);
Assert.Equal(expected.PermittedSiteIds.OrderBy(s => s), scope.PermittedSiteIds.OrderBy(s => s));
Assert.Equal(expected.IsSystemWideDeployment, scope.IsSystemWideDeployment);
}
[Fact]
public async Task MapAsync_PreservesSystemWideDeploymentFlagInScope()
{
// Unscoped Deployment mapping -> system-wide, empty PermittedSiteIds.
var mappings = new List<LdapGroupMapping>
{
Mapping(1, "GlobalDeployers", Roles.Deployment),
};
var repo = new FakeSecurityRepository(mappings, new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
var roleMapper = new RoleMapper(repo);
var sut = new ScadaBridgeGroupRoleMapper(roleMapper);
var mapping = await sut.MapAsync(new[] { "GlobalDeployers" }, CancellationToken.None);
Assert.Contains(Roles.Deployment, mapping.Roles);
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
Assert.True(scope.IsSystemWideDeployment);
Assert.Empty(scope.PermittedSiteIds);
}
}
#endregion