feat(auth): add IGroupRoleMapper<string> seam (Task 1.1)

2026-06-02 00:29:45 -04:00
parent d2d7730830
commit 6534875476
4 changed files with 160 additions and 0 deletions
@@ -0,0 +1,34 @@
+using Microsoft.Extensions.Options;
+using ZB.MOM.WW.Auth.Abstractions.Roles;
+using ZB.MOM.WW.OtOpcUa.Configuration.Services;
+
+namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
+
+/// <summary>
+///     OtOpcUa's <see cref="IGroupRoleMapper{TRole}"/> implementation (roles are plain strings,
+///     so <c>TRole = string</c>). A thin, behaviour-preserving adapter over the existing
+///     <see cref="RoleMapper"/>: it computes the appsettings baseline via
+///     <see cref="RoleMapper.Map"/>, then unions in system-wide DB grants via
+///     <see cref="RoleMapper.Merge"/>. The OtOpcUa authz model is global (no per-cluster scope at
+///     login), so <see cref="GroupRoleMapping{TRole}.Scope"/> is always <c>null</c>.
+/// </summary>
+/// <remarks>
+///     This is the shared-library seam introduced ahead of rewiring the login flow; it does not
+///     duplicate mapping logic and does not change behaviour. See <c>scadaproj/components/auth</c>.
+/// </remarks>
+public sealed class OtOpcUaGroupRoleMapper(
+    IOptions<LdapOptions> ldapOptions,
+    ILdapGroupRoleMappingService dbMappings) : IGroupRoleMapper<string>
+{
+    /// <inheritdoc />
+    public async Task<GroupRoleMapping<string>> MapAsync(IReadOnlyList<string> groups, CancellationToken ct)
+    {
+        ArgumentNullException.ThrowIfNull(groups);
+
+        var baseline = RoleMapper.Map(groups, ldapOptions.Value.GroupToRole);
+        var dbRows = await dbMappings.GetByGroupsAsync(groups, ct).ConfigureAwait(false);
+        var merged = RoleMapper.Merge(baseline, dbRows);
+
+        return new GroupRoleMapping<string>(merged, Scope: null);
+    }
+}
@@ -7,6 +7,7 @@ using Microsoft.Extensions.DependencyInjection;
 using Microsoft.Extensions.DependencyInjection.Extensions;
 using Microsoft.Extensions.Logging;
 using Microsoft.Extensions.Options;
+using ZB.MOM.WW.Auth.Abstractions.Roles;
 using ZB.MOM.WW.OtOpcUa.Configuration;
 using ZB.MOM.WW.OtOpcUa.Security.Jwt;
 using ZB.MOM.WW.OtOpcUa.Security.Ldap;
@@ -41,6 +42,12 @@ public static class ServiceCollectionExtensions
        // driver path) ends up with exactly one descriptor regardless of registration order.
        services.TryAddSingleton<ILdapAuthService, LdapAuthService>();

+        // Shared ZB.MOM.WW.Auth group→role mapper seam (Task 1.1, additive). Wraps the existing
+        // RoleMapper.Map + RoleMapper.Merge logic; the login flow is rewired to consume it in a
+        // later task. Scoped to match ILdapGroupRoleMappingService (DbContext-backed, registered
+        // Scoped) — a singleton here would capture the scoped DB service.
+        services.TryAddScoped<IGroupRoleMapper<string>, OtOpcUaGroupRoleMapper>();
+
        services.AddDataProtection()
            .PersistKeysToDbContext<OtOpcUaConfigDbContext>()
            .SetApplicationName("OtOpcUa");
@@ -13,6 +13,7 @@
        <PackageReference Include="Microsoft.IdentityModel.Tokens"/>
        <PackageReference Include="System.IdentityModel.Tokens.Jwt"/>
        <PackageReference Include="Novell.Directory.Ldap.NETStandard"/>
+        <PackageReference Include="ZB.MOM.WW.Auth.Abstractions"/>
    </ItemGroup>

    <ItemGroup>