feat(auth): add IGroupRoleMapper<string> seam (Task 1.1)

2026-06-02 00:30:42 -04:00
parent aaad38958e
commit 9230afa25f
4 changed files with 177 additions and 0 deletions
@@ -0,0 +1,40 @@
+using ZB.MOM.WW.Auth.Abstractions.Roles;
+
+namespace ZB.MOM.WW.ScadaBridge.Security;
+
+/// <summary>
+/// Adapts ScadaBridge's DB-backed <see cref="RoleMapper"/> to the shared
+/// <see cref="IGroupRoleMapper{TRole}"/> seam from <c>ZB.MOM.WW.Auth.Abstractions</c>.
+/// </summary>
+/// <remarks>
+/// Task 1.1 of the Auth-library adoption: this is an <b>additive</b> wrapper. It does not
+/// re-implement the LDAP-group → role resolution or the site-scope union semantics — it
+/// delegates wholesale to <see cref="RoleMapper.MapGroupsToRolesAsync"/> and re-shapes the
+/// result onto the shared contract. <typeparamref name="TRole"/> is <see cref="string"/>
+/// because ScadaBridge roles travel as plain strings in claims. The full
+/// <see cref="RoleMappingResult"/> — including <see cref="RoleMappingResult.PermittedSiteIds"/>
+/// and <see cref="RoleMappingResult.IsSystemWideDeployment"/> — is carried verbatim in the
+/// mapping's opaque <see cref="GroupRoleMapping{TRole}.Scope"/> so no site-scope information
+/// is lost across the seam. The existing login flow is rewired to consume this in a later task.
+/// </remarks>
+public sealed class ScadaBridgeGroupRoleMapper : IGroupRoleMapper<string>
+{
+    private readonly RoleMapper _roleMapper;
+
+    /// <summary>Initializes the mapper with the wrapped <see cref="RoleMapper"/>.</summary>
+    /// <param name="roleMapper">The DB-backed role mapper whose union semantics are reused.</param>
+    public ScadaBridgeGroupRoleMapper(RoleMapper roleMapper)
+    {
+        _roleMapper = roleMapper ?? throw new ArgumentNullException(nameof(roleMapper));
+    }
+
+    /// <inheritdoc />
+    public async Task<GroupRoleMapping<string>> MapAsync(IReadOnlyList<string> groups, CancellationToken ct)
+    {
+        var result = await _roleMapper.MapGroupsToRolesAsync(groups, ct);
+
+        // Carry the full RoleMappingResult as the opaque Scope so the site-scope
+        // payload (PermittedSiteIds + IsSystemWideDeployment) survives the seam.
+        return new GroupRoleMapping<string>(result.Roles, Scope: result);
+    }
+}
@@ -3,6 +3,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using ZB.MOM.WW.Auth.Abstractions.Roles;

 namespace ZB.MOM.WW.ScadaBridge.Security;

@@ -18,6 +19,14 @@ public static class ServiceCollectionExtensions
        services.AddScoped<JwtTokenService>();
        services.AddScoped<RoleMapper>();

+        // Auth-adoption Task 1.1: register the shared IGroupRoleMapper<string>
+        // seam additively, wrapping RoleMapper to reuse its DB-backed mapping +
+        // site-scope union semantics. Scoped to match RoleMapper's lifetime (it
+        // depends on the Scoped ISecurityRepository). The existing RoleMapper
+        // registration and its call sites are left untouched — login is rewired
+        // to consume this seam in a later task.
+        services.AddScoped<IGroupRoleMapper<string>, ScadaBridgeGroupRoleMapper>();
+
        // Security-020: register the IValidateOptions<SecurityOptions> so a
        // missing/empty LdapServer or LdapSearchBase fails fast at startup
        // with a clear, key-naming message rather than a generic LDAP error
@@ -14,6 +14,7 @@
    <PackageReference Include="Microsoft.AspNetCore.Authorization" />
    <PackageReference Include="System.IdentityModel.Tokens.Jwt" />
    <PackageReference Include="Novell.Directory.Ldap.NETStandard" />
+    <PackageReference Include="ZB.MOM.WW.Auth.Abstractions" />
    <PackageReference Include="ZB.MOM.WW.Configuration" />
  </ItemGroup>