chore: organize solution into module folders (Core/Server/Drivers/Client/Tooling)

Group all 69 projects into category subfolders under src/ and tests/ so the Rider Solution Explorer mirrors the module structure. Folders: Core, Server, Drivers (with a nested Driver CLIs subfolder), Client, Tooling. - Move every project folder on disk with git mv (history preserved as renames). - Recompute relative paths in 57 .csproj files: cross-category ProjectReferences, the lib/ HintPath+None refs in Driver.Historian.Wonderware, and the external mxaccessgw refs in Driver.Galaxy and its test project. - Rebuild ZB.MOM.WW.OtOpcUa.slnx with nested solution folders. - Re-prefix project paths in functional scripts (e2e, compliance, smoke SQL, integration, install). Build green (0 errors); unit tests pass. Docs left for a separate pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 01:55:28 -04:00
parent 69f02fed7f
commit a25593a9c6
1044 changed files with 365 additions and 343 deletions
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Services/PermissionProbeService.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Admin/Services/PermissionProbeService.cs
@@ -0,0 +1,63 @@
+using Microsoft.EntityFrameworkCore;
+using ZB.MOM.WW.OtOpcUa.Configuration;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Core.Authorization;
+
+namespace ZB.MOM.WW.OtOpcUa.Admin.Services;
+
+/// <summary>
+///     Runs an ad-hoc permission probe against a draft or published generation's NodeAcl rows —
+///     "if LDAP group X asks for permission Y on node Z, would the trie grant it, and which
+///     rows contributed?" Powers the AclsTab "Probe this permission" form per the #196 sub-slice.
+/// </summary>
+/// <remarks>
+///     Thin wrapper over <see cref="PermissionTrieBuilder"/> + <see cref="PermissionTrie.CollectMatches"/> —
+///     the same code path the Server's dispatch layer uses at request time, so a probe result
+///     is guaranteed to match what the live server would decide. The probe is read-only + has
+///     no side effects; failing probes do NOT generate audit log rows.
+/// </remarks>
+public sealed class PermissionProbeService(OtOpcUaConfigDbContext db)
+{
+    /// <summary>
+    ///     Evaluate <paramref name="required"/> against the NodeAcl rows of
+    ///     <paramref name="generationId"/> for a request by <paramref name="ldapGroup"/> at
+    ///     <paramref name="scope"/>. Returns whether the permission would be granted + the list
+    ///     of matching grants so the UI can show *why*.
+    /// </summary>
+    public async Task<PermissionProbeResult> ProbeAsync(
+        long generationId,
+        string ldapGroup,
+        NodeScope scope,
+        NodePermissions required,
+        CancellationToken ct)
+    {
+        ArgumentException.ThrowIfNullOrWhiteSpace(ldapGroup);
+        ArgumentNullException.ThrowIfNull(scope);
+
+        var rows = await db.NodeAcls.AsNoTracking()
+            .Where(a => a.GenerationId == generationId && a.ClusterId == scope.ClusterId)
+            .ToListAsync(ct).ConfigureAwait(false);
+
+        var trie = PermissionTrieBuilder.Build(scope.ClusterId, generationId, rows);
+        var matches = trie.CollectMatches(scope, [ldapGroup]);
+
+        var effective = NodePermissions.None;
+        foreach (var m in matches)
+            effective |= m.PermissionFlags;
+
+        var granted = (effective & required) == required;
+        return new PermissionProbeResult(
+            Granted: granted,
+            Required: required,
+            Effective: effective,
+            Matches: matches);
+    }
+}
+
+/// <summary>Outcome of a <see cref="PermissionProbeService.ProbeAsync"/> call.</summary>
+public sealed record PermissionProbeResult(
+    bool Granted,
+    NodePermissions Required,
+    NodePermissions Effective,
+    IReadOnlyList<MatchedGrant> Matches);