Joseph Doherty
b104760b3a
Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
Admin -> Administrator
Design -> Designer
Deployment -> Deployer
Audit -> Administrator (COLLAPSE; accepted privilege escalation)
AuditReadOnly-> Viewer (COLLAPSE; keeps audit-read, no export)
SoD: OperationalAuditRoles = { Administrator, Viewer },
AuditExportRoles = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).
Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
operator-added rows. Down is lossy on the collapse (documented in-file).
No pending model changes.
Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.
CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.
84 lines
3.5 KiB
C#
84 lines
3.5 KiB
C#
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories;
|
|
|
|
namespace ZB.MOM.WW.ScadaBridge.Security;
|
|
|
|
public class RoleMapper
|
|
{
|
|
private readonly ISecurityRepository _securityRepository;
|
|
|
|
/// <summary>Initializes the mapper with the security repository.</summary>
|
|
/// <param name="securityRepository">Repository used to retrieve LDAP group-to-role mappings and scope rules.</param>
|
|
public RoleMapper(ISecurityRepository securityRepository)
|
|
{
|
|
_securityRepository = securityRepository ?? throw new ArgumentNullException(nameof(securityRepository));
|
|
}
|
|
|
|
// virtual: a test seam so HTTP-pipeline tests (e.g. the #23 M8 audit
|
|
// endpoints) can substitute the LDAP-group→role resolution.
|
|
/// <summary>Maps a list of LDAP group names to ScadaBridge roles and computes site-scope permissions.</summary>
|
|
/// <param name="ldapGroups">LDAP group names from the authenticated user's directory entry.</param>
|
|
/// <param name="ct">Cancellation token.</param>
|
|
/// <returns>A <see cref="RoleMappingResult"/> containing matched roles, permitted site IDs, and the system-wide flag.</returns>
|
|
public virtual async Task<RoleMappingResult> MapGroupsToRolesAsync(
|
|
IReadOnlyList<string> ldapGroups,
|
|
CancellationToken ct = default)
|
|
{
|
|
var allMappings = await _securityRepository.GetAllMappingsAsync(ct);
|
|
|
|
var matchedRoles = new HashSet<string>(StringComparer.OrdinalIgnoreCase);
|
|
var permittedSiteIds = new HashSet<string>();
|
|
var hasDeploymentRole = false;
|
|
var hasScopedDeploymentMapping = false;
|
|
var hasUnscopedDeploymentMapping = false;
|
|
|
|
foreach (var mapping in allMappings)
|
|
{
|
|
// Match LDAP group names (case-insensitive)
|
|
if (!ldapGroups.Any(g => g.Equals(mapping.LdapGroupName, StringComparison.OrdinalIgnoreCase)))
|
|
continue;
|
|
|
|
matchedRoles.Add(mapping.Role);
|
|
|
|
if (mapping.Role.Equals(Roles.Deployer, StringComparison.OrdinalIgnoreCase))
|
|
{
|
|
hasDeploymentRole = true;
|
|
|
|
var scopeRules = await _securityRepository.GetScopeRulesForMappingAsync(mapping.Id, ct);
|
|
if (scopeRules.Count > 0)
|
|
{
|
|
hasScopedDeploymentMapping = true;
|
|
foreach (var rule in scopeRules)
|
|
{
|
|
permittedSiteIds.Add(rule.SiteId.ToString());
|
|
}
|
|
}
|
|
else
|
|
{
|
|
hasUnscopedDeploymentMapping = true;
|
|
}
|
|
}
|
|
}
|
|
|
|
// Union semantics (Security-016): a Deployment user is system-wide iff
|
|
// *any* matched Deployment mapping has no scope rules. A user in both
|
|
// SCADA-Deploy-All (unscoped) and SCADA-Deploy-SiteA (scoped to Site A)
|
|
// gets the broader grant, not the narrower one — matching the design's
|
|
// "roles are independent — there is no implied hierarchy" rule.
|
|
var isSystemWide = hasUnscopedDeploymentMapping
|
|
|| (hasDeploymentRole && !hasScopedDeploymentMapping);
|
|
|
|
// When system-wide, drop any accumulated scope ids — the empty
|
|
// permitted set is the system-wide signal downstream consumers
|
|
// (SiteScopeService, ManagementActor) already use.
|
|
if (isSystemWide)
|
|
{
|
|
permittedSiteIds.Clear();
|
|
}
|
|
|
|
return new RoleMappingResult(
|
|
matchedRoles.ToList(),
|
|
permittedSiteIds.ToList(),
|
|
isSystemWide);
|
|
}
|
|
}
|