using ZB.MOM.WW.Auth.Abstractions.Roles; using ZB.MOM.WW.ScadaBridge.Commons.Entities.Security; using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories; using ZB.MOM.WW.ScadaBridge.Security; namespace ZB.MOM.WW.ScadaBridge.Security.Tests; #region Task 1.1: ScadaBridgeGroupRoleMapper (IGroupRoleMapper seam) public class ScadaBridgeGroupRoleMapperTests { // A minimal in-memory ISecurityRepository so the seam test needs no database. // Only the two reads RoleMapper.MapGroupsToRolesAsync uses are implemented; // the rest throw to make any accidental dependency on them obvious. private sealed class FakeSecurityRepository : ISecurityRepository { private readonly IReadOnlyList _mappings; private readonly IReadOnlyDictionary> _scopeRules; public FakeSecurityRepository( IReadOnlyList mappings, IReadOnlyDictionary> scopeRules) { _mappings = mappings; _scopeRules = scopeRules; } public Task> GetAllMappingsAsync(CancellationToken cancellationToken = default) => Task.FromResult(_mappings); public Task> GetScopeRulesForMappingAsync(int ldapGroupMappingId, CancellationToken cancellationToken = default) => Task.FromResult(_scopeRules.TryGetValue(ldapGroupMappingId, out var rules) ? rules : (IReadOnlyList)Array.Empty()); public Task GetMappingByIdAsync(int id, CancellationToken cancellationToken = default) => throw new NotSupportedException(); public Task> GetMappingsByRoleAsync(string role, CancellationToken cancellationToken = default) => throw new NotSupportedException(); public Task AddMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default) => throw new NotSupportedException(); public Task UpdateMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default) => throw new NotSupportedException(); public Task DeleteMappingAsync(int id, CancellationToken cancellationToken = default) => throw new NotSupportedException(); public Task GetScopeRuleByIdAsync(int id, CancellationToken cancellationToken = default) => throw new NotSupportedException(); public Task AddScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default) => throw new NotSupportedException(); public Task UpdateScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default) => throw new NotSupportedException(); public Task DeleteScopeRuleAsync(int id, CancellationToken cancellationToken = default) => throw new NotSupportedException(); public Task SaveChangesAsync(CancellationToken cancellationToken = default) => throw new NotSupportedException(); } private static LdapGroupMapping Mapping(int id, string group, string role) { var m = new LdapGroupMapping(group, role); m.Id = id; return m; } [Fact] public async Task MapAsync_ReturnsSameRolesAsRoleMapper_AndCarriesResultInScope_SiteScoped() { // Two matched mappings: an Admin group and a site-scoped Deployment group. var mappings = new List { Mapping(1, "SCADA-Admins", Roles.Administrator), Mapping(2, "SiteDeployers", Roles.Deployer), }; var scopeRules = new Dictionary> { [2] = new[] { new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 11 }, new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 22 }, }, }; var repo = new FakeSecurityRepository(mappings, scopeRules); var roleMapper = new RoleMapper(repo); var sut = new ScadaBridgeGroupRoleMapper(roleMapper); var groups = new[] { "SCADA-Admins", "SiteDeployers" }; // The wrapped RoleMapper result is the oracle the seam must preserve. var expected = await roleMapper.MapGroupsToRolesAsync(groups, CancellationToken.None); var mapping = await sut.MapAsync(groups, CancellationToken.None); // Roles: same set as RoleMapper. Assert.Equal(expected.Roles.OrderBy(r => r), mapping.Roles.OrderBy(r => r)); Assert.Contains(Roles.Administrator, mapping.Roles); Assert.Contains(Roles.Deployer, mapping.Roles); // Scope: carries the full RoleMappingResult (no site-scope info lost). var scope = Assert.IsType(mapping.Scope); Assert.False(scope.IsSystemWideDeployment); Assert.Contains("11", scope.PermittedSiteIds); Assert.Contains("22", scope.PermittedSiteIds); Assert.Equal(expected.PermittedSiteIds.OrderBy(s => s), scope.PermittedSiteIds.OrderBy(s => s)); Assert.Equal(expected.IsSystemWideDeployment, scope.IsSystemWideDeployment); } [Fact] public async Task MapAsync_PreservesSystemWideDeploymentFlagInScope() { // Unscoped Deployment mapping -> system-wide, empty PermittedSiteIds. var mappings = new List { Mapping(1, "GlobalDeployers", Roles.Deployer), }; var repo = new FakeSecurityRepository(mappings, new Dictionary>()); var roleMapper = new RoleMapper(repo); var sut = new ScadaBridgeGroupRoleMapper(roleMapper); var mapping = await sut.MapAsync(new[] { "GlobalDeployers" }, CancellationToken.None); Assert.Contains(Roles.Deployer, mapping.Roles); var scope = Assert.IsType(mapping.Scope); Assert.True(scope.IsSystemWideDeployment); Assert.Empty(scope.PermittedSiteIds); } [Fact] public async Task MapAsync_EmptyGroups_ReturnsNoRoles_AndNonNullScope() { // Reviewer-requested empty-groups case (Task 1.2): a user that resolves to NO // groups must map to NO roles and a non-null, not-system-wide Scope with no // permitted sites — so the login endpoint can build a roleless principal (which // every authorization policy then denies) without NRE-ing on Scope. This is the // post-cutover home for the donor's "no mapped groups" outcome, now that the // shared LDAP service fail-closes a zero-GROUP LDAP result before it ever reaches // the mapper. var repo = new FakeSecurityRepository( new List { Mapping(1, "SCADA-Admins", Roles.Administrator) }, new Dictionary>()); var sut = new ScadaBridgeGroupRoleMapper(new RoleMapper(repo)); var mapping = await sut.MapAsync(Array.Empty(), CancellationToken.None); Assert.Empty(mapping.Roles); var scope = Assert.IsType(mapping.Scope); Assert.Empty(scope.Roles); Assert.False(scope.IsSystemWideDeployment); Assert.Empty(scope.PermittedSiteIds); } [Fact] public async Task MapAsync_GroupsMatchNoMapping_ReturnsNoRoles() { // A user WITH groups that match no configured LDAP-group→role mapping likewise // yields zero roles (not an error) — the mapper is the authoritative empty-roles // boundary now that the LDAP service no longer admits zero-group successes. var repo = new FakeSecurityRepository( new List { Mapping(1, "SCADA-Admins", Roles.Administrator) }, new Dictionary>()); var sut = new ScadaBridgeGroupRoleMapper(new RoleMapper(repo)); var mapping = await sut.MapAsync(new[] { "some-unmapped-group" }, CancellationToken.None); Assert.Empty(mapping.Roles); var scope = Assert.IsType(mapping.Scope); Assert.Empty(scope.PermittedSiteIds); Assert.False(scope.IsSystemWideDeployment); } } #endregion