dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
b104760b3af2c36b4d01848c16083c830d533575
ScadaBridge/tests/ZB.MOM.WW.ScadaBridge.Security.Tests/ScadaBridgeGroupRoleMapperTests.cs
T
Joseph Doherty b104760b3a feat(auth)!: ScadaBridge canonical roles + SoD collapse (Audit→Administrator, AuditReadOnly→Viewer) + config-DB migration (Task 1.7) 
Standardize role string VALUES on the canonical vocabulary
(Administrator/Designer/Deployer/Viewer; Operator/Engineer unused here):
  Admin        -> Administrator
  Design       -> Designer
  Deployment   -> Deployer
  Audit        -> Administrator   (COLLAPSE; accepted privilege escalation)
  AuditReadOnly-> Viewer          (COLLAPSE; keeps audit-read, no export)

SoD: OperationalAuditRoles = { Administrator, Viewer },
     AuditExportRoles      = { Administrator }
so Viewer reads the audit log + nav but cannot bulk-export, while
Administrator does both + holds the full admin surface (the documented,
accepted auditor/admin SoD collapse).

Atomic move across every enforcement site:
- Roles constants; AuthorizationPolicies (RequireClaim values + SoD arrays +
  honest XML-doc); RoleMapper Deployer check.
- ManagementActor.GetRequiredRole switch + the hard-coded site-scope
  admin-bypass (now Roles.Administrator at all 6 sites). Site-scoping logic
  is otherwise unchanged.
- DebugStreamHub Administrator/Deployer gates (Deployer kept case-sensitive).
- CentralUI BrowseService/BindingTester Designer guards; LdapMappingForm
  dropdown now offers canonical values (incl. Viewer).
- Config-DB seed (LdapGroupMappings Id 1-4) + EF migration CanonicalizeRoles:
  Id-keyed UpdateData for seed rows + idempotent raw catch-all UPDATEs for
  operator-added rows. Down is lossy on the collapse (documented in-file).
  No pending model changes.

Tests reworked to the collapsed model across Security/CentralUI/
ManagementService/ConfigurationDatabase/Integration suites, incl. explicit
Viewer-reads-not-exports and former-Audit-now-Administrator-escalation cases.

CHANGELOG: BREAKING security note documenting the canonicalization + SoD
collapse.
2026-06-02 08:00:47 -04:00

171 lines
8.2 KiB
C#
Raw Blame History

using ZB.MOM.WW.Auth.Abstractions.Roles;
using ZB.MOM.WW.ScadaBridge.Commons.Entities.Security;
using ZB.MOM.WW.ScadaBridge.Commons.Interfaces.Repositories;
using ZB.MOM.WW.ScadaBridge.Security;
namespace ZB.MOM.WW.ScadaBridge.Security.Tests;
#region Task 1.1: ScadaBridgeGroupRoleMapper (IGroupRoleMapper<string> seam)
public class ScadaBridgeGroupRoleMapperTests
{
// A minimal in-memory ISecurityRepository so the seam test needs no database.
// Only the two reads RoleMapper.MapGroupsToRolesAsync uses are implemented;
// the rest throw to make any accidental dependency on them obvious.
private sealed class FakeSecurityRepository : ISecurityRepository
{
private readonly IReadOnlyList<LdapGroupMapping> _mappings;
private readonly IReadOnlyDictionary<int, IReadOnlyList<SiteScopeRule>> _scopeRules;
public FakeSecurityRepository(
IReadOnlyList<LdapGroupMapping> mappings,
IReadOnlyDictionary<int, IReadOnlyList<SiteScopeRule>> scopeRules)
{
_mappings = mappings;
_scopeRules = scopeRules;
}
public Task<IReadOnlyList<LdapGroupMapping>> GetAllMappingsAsync(CancellationToken cancellationToken = default)
=> Task.FromResult(_mappings);
public Task<IReadOnlyList<SiteScopeRule>> GetScopeRulesForMappingAsync(int ldapGroupMappingId, CancellationToken cancellationToken = default)
=> Task.FromResult(_scopeRules.TryGetValue(ldapGroupMappingId, out var rules)
? rules
: (IReadOnlyList<SiteScopeRule>)Array.Empty<SiteScopeRule>());
public Task<LdapGroupMapping?> GetMappingByIdAsync(int id, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task<IReadOnlyList<LdapGroupMapping>> GetMappingsByRoleAsync(string role, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task AddMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task UpdateMappingAsync(LdapGroupMapping mapping, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task DeleteMappingAsync(int id, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task<SiteScopeRule?> GetScopeRuleByIdAsync(int id, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task AddScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task UpdateScopeRuleAsync(SiteScopeRule rule, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task DeleteScopeRuleAsync(int id, CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
public Task<int> SaveChangesAsync(CancellationToken cancellationToken = default)
=> throw new NotSupportedException();
}
private static LdapGroupMapping Mapping(int id, string group, string role)
{
var m = new LdapGroupMapping(group, role);
m.Id = id;
return m;
}
[Fact]
public async Task MapAsync_ReturnsSameRolesAsRoleMapper_AndCarriesResultInScope_SiteScoped()
{
// Two matched mappings: an Admin group and a site-scoped Deployment group.
var mappings = new List<LdapGroupMapping>
{
Mapping(1, "SCADA-Admins", Roles.Administrator),
Mapping(2, "SiteDeployers", Roles.Deployer),
};
var scopeRules = new Dictionary<int, IReadOnlyList<SiteScopeRule>>
{
[2] = new[]
{
new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 11 },
new SiteScopeRule { LdapGroupMappingId = 2, SiteId = 22 },
},
};
var repo = new FakeSecurityRepository(mappings, scopeRules);
var roleMapper = new RoleMapper(repo);
var sut = new ScadaBridgeGroupRoleMapper(roleMapper);
var groups = new[] { "SCADA-Admins", "SiteDeployers" };
// The wrapped RoleMapper result is the oracle the seam must preserve.
var expected = await roleMapper.MapGroupsToRolesAsync(groups, CancellationToken.None);
var mapping = await sut.MapAsync(groups, CancellationToken.None);
// Roles: same set as RoleMapper.
Assert.Equal(expected.Roles.OrderBy(r => r), mapping.Roles.OrderBy(r => r));
Assert.Contains(Roles.Administrator, mapping.Roles);
Assert.Contains(Roles.Deployer, mapping.Roles);
// Scope: carries the full RoleMappingResult (no site-scope info lost).
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
Assert.False(scope.IsSystemWideDeployment);
Assert.Contains("11", scope.PermittedSiteIds);
Assert.Contains("22", scope.PermittedSiteIds);
Assert.Equal(expected.PermittedSiteIds.OrderBy(s => s), scope.PermittedSiteIds.OrderBy(s => s));
Assert.Equal(expected.IsSystemWideDeployment, scope.IsSystemWideDeployment);
}
[Fact]
public async Task MapAsync_PreservesSystemWideDeploymentFlagInScope()
{
// Unscoped Deployment mapping -> system-wide, empty PermittedSiteIds.
var mappings = new List<LdapGroupMapping>
{
Mapping(1, "GlobalDeployers", Roles.Deployer),
};
var repo = new FakeSecurityRepository(mappings, new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
var roleMapper = new RoleMapper(repo);
var sut = new ScadaBridgeGroupRoleMapper(roleMapper);
var mapping = await sut.MapAsync(new[] { "GlobalDeployers" }, CancellationToken.None);
Assert.Contains(Roles.Deployer, mapping.Roles);
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
Assert.True(scope.IsSystemWideDeployment);
Assert.Empty(scope.PermittedSiteIds);
}
[Fact]
public async Task MapAsync_EmptyGroups_ReturnsNoRoles_AndNonNullScope()
{
// Reviewer-requested empty-groups case (Task 1.2): a user that resolves to NO
// groups must map to NO roles and a non-null, not-system-wide Scope with no
// permitted sites — so the login endpoint can build a roleless principal (which
// every authorization policy then denies) without NRE-ing on Scope. This is the
// post-cutover home for the donor's "no mapped groups" outcome, now that the
// shared LDAP service fail-closes a zero-GROUP LDAP result before it ever reaches
// the mapper.
var repo = new FakeSecurityRepository(
new List<LdapGroupMapping> { Mapping(1, "SCADA-Admins", Roles.Administrator) },
new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
var sut = new ScadaBridgeGroupRoleMapper(new RoleMapper(repo));
var mapping = await sut.MapAsync(Array.Empty<string>(), CancellationToken.None);
Assert.Empty(mapping.Roles);
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
Assert.Empty(scope.Roles);
Assert.False(scope.IsSystemWideDeployment);
Assert.Empty(scope.PermittedSiteIds);
}
[Fact]
public async Task MapAsync_GroupsMatchNoMapping_ReturnsNoRoles()
{
// A user WITH groups that match no configured LDAP-group→role mapping likewise
// yields zero roles (not an error) — the mapper is the authoritative empty-roles
// boundary now that the LDAP service no longer admits zero-group successes.
var repo = new FakeSecurityRepository(
new List<LdapGroupMapping> { Mapping(1, "SCADA-Admins", Roles.Administrator) },
new Dictionary<int, IReadOnlyList<SiteScopeRule>>());
var sut = new ScadaBridgeGroupRoleMapper(new RoleMapper(repo));
var mapping = await sut.MapAsync(new[] { "some-unmapped-group" }, CancellationToken.None);
Assert.Empty(mapping.Roles);
var scope = Assert.IsType<RoleMappingResult>(mapping.Scope);
Assert.Empty(scope.PermittedSiteIds);
Assert.False(scope.IsSystemWideDeployment);
}
}
#endregion
Reference in New Issue View Git Blame Copy Permalink