Joseph Doherty
171 lines
8.2 KiB
C#
171 lines
8.2 KiB
C#
using ZB.MOM.WW.Auth.Abstractions.Roles;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Security;
|
|
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories;
|
|
using ZB.MOM.WW.ScadaBridge.Security;
|
|
|
|
namespace ZB.MOM.WW.ScadaBridge.Security.Tests;
|
|
|
|
#region Task 1.1: ScadaBridgeGroupRoleMapper (IGroupRoleMapper<string> seam)
|
|
|
|
public class ScadaBridgeGroupRoleMapperTests
|
|
{
|
|
// A minimal in-memory ISecurityRepository so the seam test needs no database.
|
|
// Only the two reads RoleMapper.MapGroupsToRolesAsync uses are implemented;
|
|
// the rest throw to make any accidental dependency on them obvious.
|
|
private sealed class FakeSecurityRepository : ISecurityRepository
|
|
{
|
|
private readonly IReadOnlyList<LdapGroupMapping> _mappings;
|
|
private readonly IReadOnlyDictionary<int, IReadOnlyList<SiteScopeRule>> _scopeRules;
|
|
|
|
public FakeSecurityRepository(
|
|
IReadOnlyList<LdapGroupMapping> mappings,
|
|
IReadOnlyDictionary<int, IReadOnlyList<SiteScopeRule>> scopeRules)
|
|
{
|
|
_mappings = mappings;
|
|
_scopeRules = scopeRules;
|
|
}
|
|
|
|
public Task<IReadOnlyList<LdapGroupMapping>> GetAllMappingsAsync(CancellationToken cancellationToken = default)
|
|
=> Task.FromResult(_mappings);
|
|
|
|
public Task<IReadOnlyList<SiteScopeRule>> GetScopeRulesForMappingAsync(int ldapGroupMappingId, CancellationToken cancellationToken = default)
|
|
=> Task.FromResult(_scopeRules.TryGetValue(ldapGroupMappingId, out var rules)
|
|
? rules
|
|
: (IReadOnlyList<SiteScopeRule>)Array.Empty<SiteScopeRule>());
|
|
|
|
public Task<LdapGroupMapping?> GetMappingByIdAsync(int id, CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
public Task<IReadOnlyList<LdapGroupMapping>> GetMappingsByRoleAsync(string role, CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
public Task AddMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
public Task UpdateMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
public Task DeleteMappingAsync(int id, CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
public Task<SiteScopeRule?> GetScopeRuleByIdAsync(int id, CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
public Task AddScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
public Task UpdateScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
public Task DeleteScopeRuleAsync(int id, CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
public Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
|
|
=> throw new NotSupportedException();
|
|
}
|
|
|
|
private static LdapGroupMapping Mapping(int id, string group, string role)
|
|
{
|
|
var m = new LdapGroupMapping(group, role);
|
|
m.Id = id;
|
|
return m;
|
|
}
|
|
|
|
[Fact]
|
|
public async Task MapAsync_ReturnsSameRolesAsRoleMapper_AndCarriesResultInScope_SiteScoped()
|
|
{
|
|
// Two matched mappings: an Admin group and a site-scoped Deployment group.
|
|
var mappings = new List<LdapGroupMapping>
|
|
{
|
|
Mapping(1, "SCADA-Admins", Roles.Admin),
|
|
Mapping(2, "SiteDeployers", Roles.Deployment),
|
|
};
|
|
var scopeRules = new Dictionary<int, IReadOnlyList<SiteScopeRule>>
|
|
{
|
|
[2] = new[]
|
|
{
|
|
new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 11 },
|
|
new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 22 },
|
|
},
|
|
};
|
|
var repo = new FakeSecurityRepository(mappings, scopeRules);
|
|
var roleMapper = new RoleMapper(repo);
|
|
var sut = new ScadaBridgeGroupRoleMapper(roleMapper);
|
|
|
|
var groups = new[] { "SCADA-Admins", "SiteDeployers" };
|
|
|
|
// The wrapped RoleMapper result is the oracle the seam must preserve.
|
|
var expected = await roleMapper.MapGroupsToRolesAsync(groups, CancellationToken.None);
|
|
var mapping = await sut.MapAsync(groups, CancellationToken.None);
|
|
|
|
// Roles: same set as RoleMapper.
|
|
Assert.Equal(expected.Roles.OrderBy(r => r), mapping.Roles.OrderBy(r => r));
|
|
Assert.Contains(Roles.Admin, mapping.Roles);
|
|
Assert.Contains(Roles.Deployment, mapping.Roles);
|
|
|
|
// Scope: carries the full RoleMappingResult (no site-scope info lost).
|
|
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
|
|
Assert.False(scope.IsSystemWideDeployment);
|
|
Assert.Contains("11", scope.PermittedSiteIds);
|
|
Assert.Contains("22", scope.PermittedSiteIds);
|
|
Assert.Equal(expected.PermittedSiteIds.OrderBy(s => s), scope.PermittedSiteIds.OrderBy(s => s));
|
|
Assert.Equal(expected.IsSystemWideDeployment, scope.IsSystemWideDeployment);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task MapAsync_PreservesSystemWideDeploymentFlagInScope()
|
|
{
|
|
// Unscoped Deployment mapping -> system-wide, empty PermittedSiteIds.
|
|
var mappings = new List<LdapGroupMapping>
|
|
{
|
|
Mapping(1, "GlobalDeployers", Roles.Deployment),
|
|
};
|
|
var repo = new FakeSecurityRepository(mappings, new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
|
|
var roleMapper = new RoleMapper(repo);
|
|
var sut = new ScadaBridgeGroupRoleMapper(roleMapper);
|
|
|
|
var mapping = await sut.MapAsync(new[] { "GlobalDeployers" }, CancellationToken.None);
|
|
|
|
Assert.Contains(Roles.Deployment, mapping.Roles);
|
|
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
|
|
Assert.True(scope.IsSystemWideDeployment);
|
|
Assert.Empty(scope.PermittedSiteIds);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task MapAsync_EmptyGroups_ReturnsNoRoles_AndNonNullScope()
|
|
{
|
|
// Reviewer-requested empty-groups case (Task 1.2): a user that resolves to NO
|
|
// groups must map to NO roles and a non-null, not-system-wide Scope with no
|
|
// permitted sites — so the login endpoint can build a roleless principal (which
|
|
// every authorization policy then denies) without NRE-ing on Scope. This is the
|
|
// post-cutover home for the donor's "no mapped groups" outcome, now that the
|
|
// shared LDAP service fail-closes a zero-GROUP LDAP result before it ever reaches
|
|
// the mapper.
|
|
var repo = new FakeSecurityRepository(
|
|
new List<LdapGroupMapping> { Mapping(1, "SCADA-Admins", Roles.Admin) },
|
|
new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
|
|
var sut = new ScadaBridgeGroupRoleMapper(new RoleMapper(repo));
|
|
|
|
var mapping = await sut.MapAsync(Array.Empty<string>(), CancellationToken.None);
|
|
|
|
Assert.Empty(mapping.Roles);
|
|
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
|
|
Assert.Empty(scope.Roles);
|
|
Assert.False(scope.IsSystemWideDeployment);
|
|
Assert.Empty(scope.PermittedSiteIds);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task MapAsync_GroupsMatchNoMapping_ReturnsNoRoles()
|
|
{
|
|
// A user WITH groups that match no configured LDAP-group→role mapping likewise
|
|
// yields zero roles (not an error) — the mapper is the authoritative empty-roles
|
|
// boundary now that the LDAP service no longer admits zero-group successes.
|
|
var repo = new FakeSecurityRepository(
|
|
new List<LdapGroupMapping> { Mapping(1, "SCADA-Admins", Roles.Admin) },
|
|
new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
|
|
var sut = new ScadaBridgeGroupRoleMapper(new RoleMapper(repo));
|
|
|
|
var mapping = await sut.MapAsync(new[] { "some-unmapped-group" }, CancellationToken.None);
|
|
|
|
Assert.Empty(mapping.Roles);
|
|
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
|
|
Assert.Empty(scope.PermittedSiteIds);
|
|
Assert.False(scope.IsSystemWideDeployment);
|
|
}
|
|
}
|
|
|
|
#endregion
|