feat(auth): cut ScadaBridge over to ZB.MOM.WW.Auth.Ldap; nest+rename Ldap config; roles+sitescope via IGroupRoleMapper (Task 1.2/1.4)

Joseph Doherty
2026-06-02 01:04:34 -04:00
parent 9230afa25f
commit ac34dac479
31 changed files with 647 additions and 1132 deletions
@@ -1,5 +1,6 @@
using Microsoft.Extensions.Logging.Abstractions;
using Microsoft.Extensions.Options;
using ZB.MOM.WW.Auth.Abstractions.Ldap;
using ZB.MOM.WW.ScadaBridge.Security;
namespace ZB.MOM.WW.ScadaBridge.IntegrationTests;
@@ -23,18 +24,19 @@ public class SecurityHardeningTests
}
[Fact]
public void SecurityOptions_LdapUseTls_DefaultsToTrue()
public void LdapOptions_Transport_DefaultsToLdaps()
{
// Production requires LDAPS. The default must be true.
var options = new SecurityOptions();
Assert.True(options.LdapUseTls);
// Production requires encrypted transport. The shared LdapOptions defaults to
// LDAPS (secure-by-default), preserving the donor's LdapUseTls=true default.
var options = new LdapOptions();
Assert.Equal(LdapTransport.Ldaps, options.Transport);
}
[Fact]
public void SecurityOptions_AllowInsecureLdap_DefaultsToFalse()
public void LdapOptions_AllowInsecure_DefaultsToFalse()
{
var options = new SecurityOptions();
Assert.False(options.AllowInsecureLdap);
var options = new LdapOptions();
Assert.False(options.AllowInsecure);
}
[Fact]
@@ -172,10 +174,21 @@ public class SecurityHardeningTests
[Fact]
public void StartupValidator_RejectsInsecureLdapInProduction()
{
// The SecurityOptions.AllowInsecureLdap defaults to false.
// Only when explicitly set to true (for dev/test) is insecure LDAP allowed.
var prodOptions = new SecurityOptions { LdapUseTls = true, AllowInsecureLdap = false };
Assert.True(prodOptions.LdapUseTls);
Assert.False(prodOptions.AllowInsecureLdap);
// The shared LdapOptionsValidator (registered with ValidateOnStart by AddZbLdapAuth)
// rejects plaintext transport (Transport=None) unless AllowInsecure is explicitly set,
// preserving the donor's production LDAPS-enforcement guarantee.
var insecure = new LdapOptions
{
Server = "ldap.example.com",
SearchBase = "dc=example,dc=com",
ServiceAccountDn = "cn=admin,dc=example,dc=com",
Transport = LdapTransport.None,
AllowInsecure = false,
};
var result = new ZB.MOM.WW.Auth.Ldap.LdapOptionsValidator().Validate(name: null, insecure);
Assert.True(result.Failed);
Assert.Contains(nameof(LdapOptions.AllowInsecure), result.FailureMessage);
}
}
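Review bot: The comment at the top of StartupValidator_RejectsInsecureLdapInProduction says LdapOptionsValidator is registered with ValidateOnStart by AddZbLdapAuth, but the test constructs the validator directly, so it pins the rule and not the wiring; if that registration were ever dropped, startup would accept Transport=None and this test would still pass. A companion test that builds a ServiceCollection, calls AddZbLdapAuth with configuration setting Transport to None, and asserts that resolving `IOptions<LdapOptions>.Value` (or starting the host) throws OptionsValidationException would cover the startup guarantee the name promises; otherwise the test should be renamed to what it actually checks, e.g. `LdapOptionsValidator_RejectsPlaintextTransport_WhenAllowInsecureIsFalse`, since neither startup nor an environment is involved. The escape hatch is also unasserted: a second LdapOptions identical to `insecure` except `AllowInsecure = true`, with `Assert.True(validator.Validate(name: null, permitted).Succeeded)`, would document that the rejection is keyed on that flag and not on Transport alone. As a point of style, the inline `new ZB.MOM.WW.Auth.Ldap.LdapOptionsValidator()` would read better with a `using ZB.MOM.WW.Auth.Ldap;` alongside the Abstractions.Ldap using added in the first hunk.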