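using ZB.MOM.WW.Auth.Abstractions.Roles;

namespace ZB.MOM.WW.ScadaBridge.Security;

/// <summary>
/// Adapts ScadaBridge's DB-backed <see cref="RoleMapper"/> to the shared
/// <c>IGroupRoleMapper</c> seam from ZB.MOM.WW.Auth.Abstractions.
/// </summary>
/// <remarks>
/// <para>
/// Task 1.1 of the Auth-library adoption: this is an additive wrapper. It does not
/// re-implement the LDAP-group → role resolution or the site-scope union semantics — it
/// delegates wholesale to <see cref="RoleMapper.MapGroupsToRolesAsync"/> and re-shapes the
/// result onto the shared contract. The role type is <c>string</c> because ScadaBridge
/// roles travel as plain strings in claims.
/// </para>
/// <para>
/// The full <see cref="RoleMappingResult"/> — including <c>PermittedSiteIds</c> and
/// <c>IsSystemWideDeployment</c> — is carried verbatim in the mapping's opaque
/// <c>Scope</c> so no site-scope information is lost across the seam. The existing login
/// flow is rewired to consume this in a later task.
/// </para>
/// <para>
/// NOTE(review): because <c>Scope</c> is opaque to the shared contract, a consumer that
/// reads only the role list sees no site restriction at all. Code that authorizes
/// site-specific operations should unwrap <c>Scope</c> as <see cref="RoleMappingResult"/>
/// and enforce it, and should deny when the scope is missing or of an unexpected type.
/// Confirm this when the login flow is rewired.
/// </para>
/// </remarks>
// NOTE(review): the generic type arguments (<string>) on the interface, the parameter and
// the return type were lost in this page's rendering and are restored here from the remarks
// ("roles travel as plain strings in claims"); confirm against the shared abstraction.
public sealed class ScadaBridgeGroupRoleMapper : IGroupRoleMapper<string>
{
    private readonly RoleMapper _roleMapper;

    /// <summary>Initializes the mapper with the wrapped <see cref="RoleMapper"/>.</summary>
    /// <param name="roleMapper">The DB-backed role mapper whose union semantics are reused.</param>
    /// <exception cref="ArgumentNullException"><paramref name="roleMapper"/> is <c>null</c>.</exception>
    public ScadaBridgeGroupRoleMapper(RoleMapper roleMapper)
    {
        _roleMapper = roleMapper ?? throw new ArgumentNullException(nameof(roleMapper));
    }

    /// <summary>
    /// Maps a list of LDAP/AD group names to ScadaBridge roles using the wrapped
    /// <see cref="RoleMapper"/> and returns the resulting role mapping with site-scope
    /// information carried in the opaque <c>Scope</c> field.
    /// </summary>
    /// <param name="groups">The AD/LDAP group names to resolve into roles.</param>
    /// <param name="ct">Cancellation token, passed through to the wrapped mapper.</param>
    /// <returns>
    /// A task that resolves to the group-to-role mapping; its <c>Scope</c> holds the
    /// complete <see cref="RoleMappingResult"/>, including the permitted site identifiers.
    /// </returns>
    /// <exception cref="ArgumentNullException">
    /// <paramref name="groups"/> is <c>null</c>; the returned task faults with this exception.
    /// </exception>
    public async Task<GroupRoleMapping<string>> MapAsync(IReadOnlyList<string> groups, CancellationToken ct)
    {
        // Reject a missing group list at the seam, mirroring the constructor's guard,
        // rather than letting the wrapped mapper decide what "no list" means for roles.
        if (groups is null)
        {
            throw new ArgumentNullException(nameof(groups));
        }

        var result = await _roleMapper.MapGroupsToRolesAsync(groups, ct);

        // Carry the full RoleMappingResult as the opaque Scope so the site-scope
        // payload (PermittedSiteIds + IsSystemWideDeployment) survives the seam.
        return new GroupRoleMapping<string>(result.Roles, Scope: result);
    }
}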