feat(auth): cut ScadaBridge over to ZB.MOM.WW.Auth.Ldap; nest+rename Ldap config; roles+sitescope via IGroupRoleMapper (Task 1.2/1.4)

2026-06-02 01:04:34 -04:00
parent 9230afa25f
commit ac34dac479
31 changed files with 647 additions and 1132 deletions
@@ -21,6 +21,7 @@ using ZB.MOM.WW.ScadaBridge.Host.Health;
 using ZB.MOM.WW.ScadaBridge.InboundAPI;
 using ZB.MOM.WW.ScadaBridge.ManagementService;
 using ZB.MOM.WW.ScadaBridge.NotificationService;
+using ZB.MOM.WW.Auth.Abstractions.Ldap;
 using ZB.MOM.WW.ScadaBridge.Security;
 using ZB.MOM.WW.ScadaBridge.SiteEventLogging;
 using ZB.MOM.WW.ScadaBridge.Communication.Grpc;
@@ -102,11 +103,15 @@ public class CentralCompositionRootTests : IDisposable
                        ["ScadaBridge:Cluster:SeedNodes:1"] = "akka.tcp://scadabridge@localhost:2552",
                        ["ScadaBridge:Database:SkipMigrations"] = "true",
                        ["ScadaBridge:Security:JwtSigningKey"] = "test-signing-key-must-be-at-least-32-chars-long!",
-                        ["ScadaBridge:Security:LdapServer"] = "localhost",
-                        ["ScadaBridge:Security:LdapPort"] = "3893",
-                        ["ScadaBridge:Security:LdapUseTls"] = "false",
-                        ["ScadaBridge:Security:AllowInsecureLdap"] = "true",
-                        ["ScadaBridge:Security:LdapSearchBase"] = "dc=scadabridge,dc=local",
+                        // Task 1.4: LDAP settings nest under Security:Ldap (shared LdapOptions).
+                        // ServiceAccountDn is now required by the library's LdapOptionsValidator
+                        // (ValidateOnStart), so it must be present for the host to start.
+                        ["ScadaBridge:Security:Ldap:Server"] = "localhost",
+                        ["ScadaBridge:Security:Ldap:Port"] = "3893",
+                        ["ScadaBridge:Security:Ldap:Transport"] = "None",
+                        ["ScadaBridge:Security:Ldap:AllowInsecure"] = "true",
+                        ["ScadaBridge:Security:Ldap:SearchBase"] = "dc=scadabridge,dc=local",
+                        ["ScadaBridge:Security:Ldap:ServiceAccountDn"] = "cn=admin,dc=scadabridge,dc=local",
                        // ConfigurationDatabase-012: inbound-API keys are hashed
                        // with a server-side HMAC pepper; ApiKeyHasher fails fast
                        // if it is missing or weak, so resolving ApiKeyValidator
@@ -167,6 +172,9 @@ public class CentralCompositionRootTests : IDisposable
        new object[] { typeof(OperationLockManager) },
        new object[] { typeof(OAuth2TokenService) },
        new object[] { typeof(InboundScriptExecutor) },
+        // Security: the shared ZB.MOM.WW.Auth.Ldap service is registered as a stateless
+        // singleton by AddZbLdapAuth (Task 1.2), replacing the old scoped LdapAuthService.
+        new object[] { typeof(ILdapAuthService) },
    };

    // --- Scoped services ---
@@ -193,8 +201,7 @@ public class CentralCompositionRootTests : IDisposable
        new object[] { typeof(IFlatteningPipeline) },
        new object[] { typeof(DeploymentService) },
        new object[] { typeof(ArtifactDeploymentService) },
-        // Security
-        new object[] { typeof(LdapAuthService) },
+        // Security (ILdapAuthService is now a singleton — see CentralSingletonServices)
        new object[] { typeof(JwtTokenService) },
        new object[] { typeof(RoleMapper) },
        // InboundAPI