using ZB.MOM.WW.Auth.Abstractions.Roles;
namespace ZB.MOM.WW.ScadaBridge.Security;
/// <summary>
/// Adapts ScadaBridge's DB-backed <see cref="RoleMapper"/> to the shared
/// <c>IGroupRoleMapper</c> seam from ZB.MOM.WW.Auth.Abstractions.
/// </summary>
/// <remarks>
/// Task 1.1 of the Auth-library adoption: this is an additive wrapper. It does not
/// re-implement the LDAP-group → role resolution or the site-scope union semantics — it
/// delegates wholesale to <c>RoleMapper.MapGroupsToRolesAsync</c> and re-shapes the
/// result onto the shared contract. The role type is <c>string</c>
/// because ScadaBridge roles travel as plain strings in claims. The full
/// <c>RoleMappingResult</c> — including <c>PermittedSiteIds</c>
/// and <c>IsSystemWideDeployment</c> — is carried verbatim in the
/// mapping's opaque <c>Scope</c> so no site-scope information
/// is lost across the seam. The existing login flow is rewired to consume this in a later task.
/// </remarks>
public sealed class ScadaBridgeGroupRoleMapper : IGroupRoleMapper
{
    // The wrapped DB-backed mapper; every group → role decision is made by it, not here.
    private readonly RoleMapper _roleMapper;

    /// <summary>Creates the adapter around an existing <see cref="RoleMapper"/>.</summary>
    /// <param name="roleMapper">The DB-backed role mapper this adapter delegates to.</param>
    /// <exception cref="ArgumentNullException"><paramref name="roleMapper"/> is <c>null</c>.</exception>
    public ScadaBridgeGroupRoleMapper(RoleMapper roleMapper)
    {
        // Refuse to construct without a mapper so a misconfigured container fails at
        // start-up rather than on the first authorization request.
        if (roleMapper is null)
        {
            throw new ArgumentNullException(nameof(roleMapper));
        }

        _roleMapper = roleMapper;
    }

    /// <summary>
    /// Resolves the supplied directory groups to roles by calling
    /// <c>RoleMapper.MapGroupsToRolesAsync</c> and wraps the outcome in a
    /// <c>GroupRoleMapping</c>.
    /// </summary>
    /// <param name="groups">Group names forwarded unchanged to the wrapped mapper.</param>
    /// <param name="ct">Cancellation token forwarded unchanged to the wrapped mapper.</param>
    /// <returns>
    /// A mapping whose roles are the wrapped result's <c>Roles</c> and whose <c>Scope</c>
    /// is the wrapped result object itself.
    /// </returns>
    /// <remarks>
    /// NOTE(review): the generic type arguments on this signature (and on the implemented
    /// interface) appear to have been lost from this listing — confirm against the original file.
    /// NOTE(review): <paramref name="groups"/> is not null-checked here; whether a null list is
    /// rejected depends on <c>RoleMapper.MapGroupsToRolesAsync</c> — confirm.
    /// </remarks>
    public async Task> MapAsync(IReadOnlyList groups, CancellationToken ct)
    {
        var mapped = await _roleMapper.MapGroupsToRolesAsync(groups, ct);

        // The whole RoleMappingResult rides along as the opaque Scope, so the site-scope
        // payload (PermittedSiteIds + IsSystemWideDeployment) reaches the consumer intact.
        // NOTE(review): because Scope is opaque, consumers presumably have to recover the
        // concrete type themselves; an unexpected or missing Scope should be treated as
        // "no site access" rather than system-wide — verify in the consuming login flow.
        return new GroupRoleMapping(mapped.Roles, Scope: mapped);
    }
}