feat(security): add Operator + Verifier roles + policies + LDAP mapping options (T14a)

tests/ZB.MOM.WW.ScadaBridge.Security.Tests/RolesAllTests.cs

@@ -9,7 +9,7 @@ public class RolesAllTests
     public void All_ContainsEveryDeclaredRole()
     {
         Assert.Equal(
-            new[] { Roles.Administrator, Roles.Designer, Roles.Deployer, Roles.Viewer },
+            new[] { Roles.Administrator, Roles.Designer, Roles.Deployer, Roles.Viewer, Roles.Operator, Roles.Verifier },
             Roles.All);
     }
 }

tests/ZB.MOM.WW.ScadaBridge.Security.Tests/RolesTests.cs

@@ -0,0 +1,47 @@
+using ZB.MOM.WW.ScadaBridge.Security;
+using Xunit;
+
+namespace ZB.MOM.WW.ScadaBridge.Security.Tests;
+
+/// <summary>
+/// Pins the role-name string literals and the contents of <see cref="Roles.All"/>.
+/// Added for M7-A3 (T14a): the two-person Secured Writes feature introduces the
+/// <c>Operator</c> (initiates) and <c>Verifier</c> (approves) global roles.
+/// </summary>
+public class RolesTests
+{
+    [Fact]
+    public void OperatorConst_HasCanonicalValue()
+    {
+        Assert.Equal("Operator", Roles.Operator);
+    }
+
+    [Fact]
+    public void VerifierConst_HasCanonicalValue()
+    {
+        Assert.Equal("Verifier", Roles.Verifier);
+    }
+
+    [Fact]
+    public void All_StillContainsOriginalFourRoles()
+    {
+        Assert.Contains(Roles.Administrator, Roles.All);
+        Assert.Contains(Roles.Designer, Roles.All);
+        Assert.Contains(Roles.Deployer, Roles.All);
+        Assert.Contains(Roles.Viewer, Roles.All);
+    }
+
+    [Fact]
+    public void All_ContainsOperatorAndVerifier()
+    {
+        Assert.Contains("Operator", Roles.All);
+        Assert.Contains("Verifier", Roles.All);
+    }
+
+    [Fact]
+    public void AuthorizationPolicies_DeclareOperatorAndVerifierPolicyNames()
+    {
+        Assert.Equal("RequireOperator", AuthorizationPolicies.RequireOperator);
+        Assert.Equal("RequireVerifier", AuthorizationPolicies.RequireVerifier);
+    }
+}