feat(auth): add IGroupRoleMapper<string> seam (Task 1.1)

2026-06-02 00:29:45 -04:00
parent d2d7730830
commit 6534875476
4 changed files with 160 additions and 0 deletions
@@ -0,0 +1,34 @@
+using Microsoft.Extensions.Options;
+using ZB.MOM.WW.Auth.Abstractions.Roles;
+using ZB.MOM.WW.OtOpcUa.Configuration.Services;
+
+namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
+
+/// <summary>
+///     OtOpcUa's <see cref="IGroupRoleMapper{TRole}"/> implementation (roles are plain strings,
+///     so <c>TRole = string</c>). A thin, behaviour-preserving adapter over the existing
+///     <see cref="RoleMapper"/>: it computes the appsettings baseline via
+///     <see cref="RoleMapper.Map"/>, then unions in system-wide DB grants via
+///     <see cref="RoleMapper.Merge"/>. The OtOpcUa authz model is global (no per-cluster scope at
+///     login), so <see cref="GroupRoleMapping{TRole}.Scope"/> is always <c>null</c>.
+/// </summary>
+/// <remarks>
+///     This is the shared-library seam introduced ahead of rewiring the login flow; it does not
+///     duplicate mapping logic and does not change behaviour. See <c>scadaproj/components/auth</c>.
+/// </remarks>
+public sealed class OtOpcUaGroupRoleMapper(
+    IOptions<LdapOptions> ldapOptions,
+    ILdapGroupRoleMappingService dbMappings) : IGroupRoleMapper<string>
+{
+    /// <inheritdoc />
+    public async Task<GroupRoleMapping<string>> MapAsync(IReadOnlyList<string> groups, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(groups);
+
+        var baseline = RoleMapper.Map(groups, ldapOptions.Value.GroupToRole);
+        var dbRows = await dbMappings.GetByGroupsAsync(groups, ct).ConfigureAwait(false);
+        var merged = RoleMapper.Merge(baseline, dbRows);
+
+        return new GroupRoleMapping<string>(merged, Scope: null);
+    }
+}
@@ -7,6 +7,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using ZB.MOM.WW.Auth.Abstractions.Roles;
 using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Security.Jwt;
 using ZB.MOM.WW.OtOpcUa.Security.Ldap;
@@ -41,6 +42,12 @@ public static class ServiceCollectionExtensions
        // driver path) ends up with exactly one descriptor regardless of registration order.
        services.TryAddSingleton<ILdapAuthService, LdapAuthService>();

+        // Shared ZB.MOM.WW.Auth group→role mapper seam (Task 1.1, additive). Wraps the existing
+        // RoleMapper.Map + RoleMapper.Merge logic; the login flow is rewired to consume it in a
+        // later task. Scoped to match ILdapGroupRoleMappingService (DbContext-backed, registered
+        // Scoped) — a singleton here would capture the scoped DB service.
+        services.TryAddScoped<IGroupRoleMapper<string>, OtOpcUaGroupRoleMapper>();
+
        services.AddDataProtection()
            .PersistKeysToDbContext<OtOpcUaConfigDbContext>()
            .SetApplicationName("OtOpcUa");
@@ -13,6 +13,7 @@
        <PackageReference Include="Microsoft.IdentityModel.Tokens"/>
        <PackageReference Include="System.IdentityModel.Tokens.Jwt"/>
        <PackageReference Include="Novell.Directory.Ldap.NETStandard"/>
+        <PackageReference Include="ZB.MOM.WW.Auth.Abstractions"/>
    </ItemGroup>

    <ItemGroup>
@@ -0,0 +1,118 @@
+using Microsoft.Extensions.Options;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.Auth.Abstractions.Roles;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Configuration.Services;
+using ZB.MOM.WW.OtOpcUa.Security.Ldap;
+
+namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
+
+/// <summary>
+///     Proves <see cref="OtOpcUaGroupRoleMapper"/> is a behaviour-preserving wrapper over the
+///     existing <see cref="RoleMapper.Map"/> + <see cref="RoleMapper.Merge"/> logic: config
+///     baseline + system-wide DB grants, cluster-scoped DB rows ignored, unmapped groups dropped,
+///     and <c>Scope</c> always null.
+/// </summary>
+public sealed class OtOpcUaGroupRoleMapperTests
+{
+    private static OtOpcUaGroupRoleMapper Build(
+        IDictionary<string, string> groupToRole,
+        params LdapGroupRoleMapping[] dbRows)
+    {
+        var options = Microsoft.Extensions.Options.Options.Create(new LdapOptions
+        {
+            GroupToRole = new Dictionary<string, string>(groupToRole, StringComparer.OrdinalIgnoreCase),
+        });
+        return new OtOpcUaGroupRoleMapper(options, new FakeMappingService(dbRows));
+    }
+
+    [Fact]
+    public async Task Maps_config_group_and_drops_unmapped_group()
+    {
+        var mapper = Build(new Dictionary<string, string> { ["AdminGroup"] = "FleetAdmin" });
+
+        var result = await mapper.MapAsync(["AdminGroup", "UnmappedGroup"], CancellationToken.None);
+
+        result.Roles.ShouldBe(["FleetAdmin"]);
+        result.Scope.ShouldBeNull();
+    }
+
+    [Fact]
+    public async Task System_wide_db_row_adds_role_on_top_of_config_baseline()
+    {
+        var mapper = Build(
+            new Dictionary<string, string> { ["viewers"] = "ConfigViewer" },
+            new LdapGroupRoleMapping { LdapGroup = "admins", Role = AdminRole.FleetAdmin, IsSystemWide = true });
+
+        var result = await mapper.MapAsync(["viewers", "admins"], CancellationToken.None);
+
+        result.Roles.ShouldContain("ConfigViewer");
+        result.Roles.ShouldContain("FleetAdmin");
+        result.Scope.ShouldBeNull();
+    }
+
+    [Fact]
+    public async Task Cluster_scoped_db_row_is_ignored()
+    {
+        var mapper = Build(
+            new Dictionary<string, string>(),
+            new LdapGroupRoleMapping
+            {
+                LdapGroup = "site-a-editors",
+                Role = AdminRole.ConfigEditor,
+                IsSystemWide = false,
+                ClusterId = "SITE-A",
+            });
+
+        var result = await mapper.MapAsync(["site-a-editors"], CancellationToken.None);
+
+        result.Roles.ShouldNotContain("ConfigEditor");
+        result.Roles.ShouldBeEmpty();
+    }
+
+    [Fact]
+    public async Task Reproduces_RoleMapper_Map_plus_Merge_for_representative_inputs()
+    {
+        var groupToRole = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
+        {
+            ["viewers"] = "ConfigViewer",
+            ["editors"] = "ConfigEditor",
+        };
+        var dbRows = new[]
+        {
+            new LdapGroupRoleMapping { LdapGroup = "admins", Role = AdminRole.FleetAdmin, IsSystemWide = true },
+            new LdapGroupRoleMapping { LdapGroup = "site-a", Role = AdminRole.ConfigEditor, IsSystemWide = false, ClusterId = "SITE-A" },
+        };
+        var groups = new[] { "viewers", "editors", "admins", "site-a", "noise" };
+
+        var mapper = Build(groupToRole, dbRows);
+
+        // Oracle: exactly what the legacy login path computes today.
+        var baseline = RoleMapper.Map(groups, groupToRole);
+        var expected = RoleMapper.Merge(baseline, dbRows);
+
+        var result = await mapper.MapAsync(groups, CancellationToken.None);
+
+        result.Roles.OrderBy(r => r).ShouldBe(expected.OrderBy(r => r));
+        result.Scope.ShouldBeNull();
+    }
+
+    /// <summary>In-memory stand-in for the EF-backed DB service; returns the configured rows verbatim.</summary>
+    private sealed class FakeMappingService(IReadOnlyList<LdapGroupRoleMapping> rows) : ILdapGroupRoleMappingService
+    {
+        public Task<IReadOnlyList<LdapGroupRoleMapping>> GetByGroupsAsync(
+            IEnumerable<string> ldapGroups, CancellationToken cancellationToken)
+            => Task.FromResult(rows);
+
+        public Task<IReadOnlyList<LdapGroupRoleMapping>> ListAllAsync(CancellationToken cancellationToken)
+            => Task.FromResult(rows);
+
+        public Task<LdapGroupRoleMapping> CreateAsync(LdapGroupRoleMapping row, CancellationToken cancellationToken)
+            => throw new NotSupportedException();
+
+        public Task DeleteAsync(Guid id, CancellationToken cancellationToken)
+            => throw new NotSupportedException();
+    }
+}