feat(admin): consume LDAP role grants at sign-in, incl. cluster scoping

The role-grants page authored LdapGroupRoleMapping rows but nothing consumed them — sign-in only read the static appsettings GroupToRole dictionary. Wire the DB-backed grants into the auth path. - AdminRoleGrantResolver merges the static bootstrap dictionary (always fleet-wide, lock-out-proof) with DB grants; system-wide rows fold into fleet roles, cluster-scoped rows become (cluster, role) grants. - Login emits a ClaimTypes.Role claim per fleet role and a cluster_role claim per cluster-scoped grant; lock-out check spans both scopes. - ClusterRoleClaims + ClaimsPrincipal extensions resolve the effective role for a cluster (highest of fleet-wide and cluster-scoped). - ClusterAuthorizeView gates cluster pages: ClusterDetail (view + ConfigEditor draft actions), DraftEditor (ConfigEditor / FleetAdmin publish), DiffViewer (ConfigViewer), ImportEquipment (ConfigEditor). - RoleGrants page is now FleetAdmin-only; Account surfaces fleet-wide and cluster-scoped grants separately. Control-plane only — decision #150 holds, NodeAcl is untouched. Tests: AdminRoleGrantResolverTests + ClusterRoleClaimsTests (22). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-18 03:08:39 -04:00
parent 1e04796953
commit 8adb83afee
14 changed files with 567 additions and 10 deletions
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/AdminRoleGrantResolver.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Security/AdminRoleGrantResolver.cs
@@ -0,0 +1,48 @@
+using Microsoft.Extensions.Options;
+using ZB.MOM.WW.OtOpcUa.Configuration.Services;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Security;
+
+/// <summary>
+///     Default <see cref="IAdminRoleGrantResolver"/>. Merges the static <c>appsettings.json</c>
+///     bootstrap dictionary with the DB-backed <c>LdapGroupRoleMapping</c> rows. See
+///     <see cref="AdminRoleGrants"/> for the scope split and the decision-#150 control-plane note.
+/// </summary>
+public sealed class AdminRoleGrantResolver(
+    ILdapGroupRoleMappingService mappingService,
+    IOptions<LdapOptions> ldapOptions) : IAdminRoleGrantResolver
+{
+    private readonly LdapOptions _ldap = ldapOptions.Value;
+
+    public async Task<AdminRoleGrants> ResolveAsync(
+        IReadOnlyList<string> ldapGroups, CancellationToken cancellationToken)
+    {
+        ArgumentNullException.ThrowIfNull(ldapGroups);
+        if (ldapGroups.Count == 0) return AdminRoleGrants.Empty;
+
+        // Static bootstrap dictionary — always fleet-wide, lock-out-proof fallback.
+        var fleet = new HashSet<string>(
+            RoleMapper.Map(ldapGroups, _ldap.GroupToRole), StringComparer.OrdinalIgnoreCase);
+
+        // DB-backed grants stack additively. A system-wide row folds into the fleet set;
+        // a cluster-scoped row becomes a (cluster, role) grant, deduped on that pair.
+        var mappings = await mappingService.GetByGroupsAsync(ldapGroups, cancellationToken)
+            .ConfigureAwait(false);
+        var cluster = new Dictionary<(string, string), ClusterRoleGrant>();
+        foreach (var m in mappings)
+        {
+            var roleName = m.Role.ToString();
+            if (m.IsSystemWide || string.IsNullOrEmpty(m.ClusterId))
+            {
+                fleet.Add(roleName);
+            }
+            else
+            {
+                var key = (m.ClusterId, roleName);
+                cluster[key] = new ClusterRoleGrant(m.ClusterId, roleName);
+            }
+        }
+
+        return new AdminRoleGrants([.. fleet], [.. cluster.Values]);
+    }
+}