test(security): cookie+JWT roundtrip, role mapper, LDAP escape/RDN helpers

2026-05-26 04:35:51 -04:00
parent e38f22e3c2
commit 38ea0c5086
5 changed files with 193 additions and 0 deletions
--- a/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/RoleMapperTests.cs
+++ b/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/RoleMapperTests.cs
@@ -0,0 +1,50 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Security.Ldap;
+
+namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
+
+public sealed class RoleMapperTests
+{
+    [Fact]
+    public void Empty_mapping_returns_empty()
+    {
+        RoleMapper.Map(new[] { "Admins" }, new Dictionary<string, string>())
+            .ShouldBeEmpty();
+    }
+
+    [Fact]
+    public void Maps_group_to_role()
+    {
+        RoleMapper.Map(
+            new[] { "AdminGroup" },
+            new Dictionary<string, string> { ["AdminGroup"] = "FleetAdmin" })
+            .ShouldBe(new[] { "FleetAdmin" });
+    }
+
+    [Fact]
+    public void Case_insensitive_group_match()
+    {
+        RoleMapper.Map(
+            new[] { "admingroup" },
+            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+            {
+                ["AdminGroup"] = "FleetAdmin",
+            })
+            .ShouldBe(new[] { "FleetAdmin" });
+    }
+
+    [Fact]
+    public void Multiple_groups_dedup_roles()
+    {
+        var roles = RoleMapper.Map(
+            new[] { "AdminGroup", "AlsoAdmin" },
+            new Dictionary<string, string>
+            {
+                ["AdminGroup"] = "FleetAdmin",
+                ["AlsoAdmin"] = "FleetAdmin",
+            });
+
+        roles.ShouldBe(new[] { "FleetAdmin" });
+    }
+}