feat(security): add ConfigEditor + AuthenticatedRead AdminUI policies behind AdminUiPolicies constants
This commit is contained in:
@@ -0,0 +1,22 @@
|
||||
namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
|
||||
|
||||
/// <summary>
|
||||
/// Names of the AdminUI authorization policies registered by <c>AddOtOpcUaAuth</c>.
|
||||
/// Single source of truth — pages, AuthorizeView blocks, imperative checks, and endpoint
|
||||
/// groups must reference these constants, never string literals (guarded by
|
||||
/// PageAuthorizationGuardTests). Policy → role mapping lives in ServiceCollectionExtensions.
|
||||
/// </summary>
|
||||
public static class AdminUiPolicies
|
||||
{
|
||||
/// <summary>Fleet-wide admin actions (RoleGrants page, certificate mutations). Roles: Administrator.</summary>
|
||||
public const string FleetAdmin = "FleetAdmin";
|
||||
|
||||
/// <summary>Live driver operations (reconnect/restart, alarm ack/shelve, live address browse). Roles: Operator, Administrator.</summary>
|
||||
public const string DriverOperator = "DriverOperator";
|
||||
|
||||
/// <summary>Config authoring: UNS/equipment/cluster/driver/ACL/namespace/script editors + deploy + script analysis. Roles: Administrator, Designer.</summary>
|
||||
public const string ConfigEditor = "ConfigEditor";
|
||||
|
||||
/// <summary>Read-only AdminUI access (dashboards, lists, live tails). Any authenticated user.</summary>
|
||||
public const string AuthenticatedRead = "AuthenticatedRead";
|
||||
}
|
||||
@@ -152,12 +152,24 @@ public static class ServiceCollectionExtensions
|
||||
// are the canonical control-plane roles: Operator (was DriverOperator) and
|
||||
// Administrator (was FleetAdmin). Map LDAP group → role via GroupToRole in appsettings
|
||||
// (e.g. "ot-driver-operator": "Operator").
|
||||
o.AddPolicy("DriverOperator", policy =>
|
||||
policy.RequireRole("Operator", "Administrator"));
|
||||
o.AddPolicy(AdminUiPolicies.DriverOperator, policy =>
|
||||
policy.RequireRole(DevAuthRoles.Operator, "Administrator"));
|
||||
|
||||
// FleetAdmin (policy NAME kept stable): full administrative access; gates fleet-wide pages
|
||||
// such as RoleGrants. Requires the canonical Administrator role (was FleetAdmin).
|
||||
o.AddPolicy("FleetAdmin", policy => policy.RequireRole("Administrator"));
|
||||
o.AddPolicy(AdminUiPolicies.FleetAdmin, policy => policy.RequireRole("Administrator"));
|
||||
|
||||
// ConfigEditor: may author configuration (UNS, equipment, clusters, drivers incl. live
|
||||
// ResilienceConfig, ACLs, namespaces, scripts) and trigger deploys. Same semantics the
|
||||
// Deployments/Scripts/ScriptEdit pages previously spelled as Roles="Administrator,Designer".
|
||||
o.AddPolicy(AdminUiPolicies.ConfigEditor, policy =>
|
||||
policy.RequireRole("Administrator", "Designer"));
|
||||
|
||||
// AuthenticatedRead: explicit name for "any authenticated user" so read-only pages can carry
|
||||
// a non-bare attribute and the page-authorization guard can ban bare [Authorize] outright.
|
||||
// Semantically identical to the FallbackPolicy.
|
||||
o.AddPolicy(AdminUiPolicies.AuthenticatedRead, policy =>
|
||||
policy.RequireAuthenticatedUser());
|
||||
});
|
||||
|
||||
return services;
|
||||
|
||||
Reference in New Issue
Block a user