dohertj2/lmxopcua
1
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(adminui): editable DB-backed LDAP role map (global, FleetAdmin-gated)

Browse Source
This commit is contained in:
Joseph Doherty
2026-05-29 09:55:07 -04:00
parent 1fd093d95d
commit a58151e99e
1 changed files with 95 additions and 26 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Server/ZB.MOM.WW.OtOpcUa.AdminUI/Components/Pages/RoleGrants.razor
+95 -26
View File
@@ -1,33 +1,21 @@
@page "/role-grants"
@* Per Q4 of the AdminUI rebuild plan, v2 replaced v1's per-cluster RoleGrants table with a
fleet-wide LDAP-group → role map. This page surfaces the mapping read-only; the source of
truth is Authentication:Ldap:GroupToRole in appsettings (editable on the host filesystem, not
from the UI yet). *@
@attribute [Microsoft.AspNetCore.Authorization.Authorize]
@attribute [Microsoft.AspNetCore.Authorization.Authorize(Policy = "FleetAdmin")]
@rendermode RenderMode.InteractiveServer
@using Microsoft.Extensions.Options
@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
@using ZB.MOM.WW.OtOpcUa.Configuration.Services
@using ZB.MOM.WW.OtOpcUa.Security.Ldap
@inject IOptionsSnapshot<LdapOptions> Ldap
@inject ILdapGroupRoleMappingService RoleMappings
<div class="d-flex justify-content-between align-items-center mb-3">
<h4 class="mb-0">Role grants</h4>
</div>
<section class="panel notice rise" style="animation-delay:.02s">
LDAP group membership determines fleet roles. Edit the mapping in
<span class="mono">appsettings.json</span> under <span class="mono">Authentication:Ldap:GroupToRole</span>
and restart the admin node (or sign out + back in for cached claims to refresh). UI-driven
editing of the mapping is deferred — it implies a config-reload mechanism that doesn't exist
yet.
</section>
@if (_options is null)
@if (_options is not null)
{
<p>Loading…</p>
}
else
{
<section class="card-grid rise mt-3" style="animation-delay:.08s">
<section class="card-grid rise" style="animation-delay:.02s">
<div class="metric-card">
<div class="panel-head">LDAP binding</div>
<div class="kv"><span class="k">Enabled</span><span class="v">@(_options.Enabled ? "yes" : "no")</span></div>
@@ -40,16 +28,61 @@ else
}
</div>
</section>
}
<section class="panel rise mt-3" style="animation-delay:.08s">
<div class="panel-head">Group → role (database)</div>
<div style="padding:1rem">
<div class="d-flex gap-2 align-items-center flex-wrap">
<input class="form-control form-control-sm mono" style="max-width:32rem"
@bind="_newGroup" placeholder="cn=fleet-admin,ou=groups,..." />
<select class="form-select form-select-sm" style="max-width:14rem" @bind="_newRole">
@foreach (var role in Enum.GetValues<AdminRole>())
{
<option value="@role">@role</option>
}
</select>
<button class="btn btn-sm btn-primary" @onclick="AddAsync" disabled="@_busy">Add</button>
</div>
@if (_error is not null)
{
<div class="text-danger small mt-2">@_error</div>
}
</div>
<div class="table-wrap">
<table class="data-table">
<thead><tr><th>LDAP group</th><th>Role</th><th></th></tr></thead>
<tbody>
@if (_rows.Count == 0)
{
<tr><td colspan="3" class="text-muted">No database role grants. Authentication falls back to the appsettings map below.</td></tr>
}
else
{
@foreach (var r in _rows)
{
<tr>
<td><span class="mono">@r.LdapGroup</span></td>
<td><span class="chip chip-idle">@r.Role</span></td>
<td><button class="btn btn-sm btn-link text-danger" @onclick="() => DeleteAsync(r.Id)" disabled="@_busy">Delete</button></td>
</tr>
}
}
</tbody>
</table>
</div>
</section>
@if (_options is not null)
{
<section class="panel rise mt-3" style="animation-delay:.14s">
<div class="panel-head">Group → role mapping (@(_options.GroupToRole?.Count ?? 0))</div>
<div class="panel-head">Fallback (appsettings) (@(_options.GroupToRole?.Count ?? 0))</div>
<div style="padding:1rem 1rem 0" class="text-muted small">
These <span class="mono">Authentication:Ldap:GroupToRole</span> entries apply when a group has no database row above.
</div>
@if (_options.GroupToRole is null || _options.GroupToRole.Count == 0)
{
<div style="padding:1rem" class="text-muted">
No mapping configured. Every authenticated user lands with zero roles —
the fallback authorization policy will refuse every request. Add a
<span class="mono">GroupToRole</span> entry before deploying.
</div>
<div style="padding:1rem" class="text-muted">No appsettings fallback mapping configured.</div>
}
else
{
@@ -73,9 +106,45 @@ else
@code {
private LdapOptions? _options;
private IReadOnlyList<LdapGroupRoleMapping> _rows = [];
private string _newGroup = "";
private AdminRole _newRole = AdminRole.ConfigViewer;
private string? _error;
private bool _busy;
protected override void OnInitialized()
protected override async Task OnInitializedAsync()
{
_options = Ldap.Value;
await ReloadAsync();
}
private async Task ReloadAsync()
=> _rows = (await RoleMappings.ListAllAsync(default)).Where(r => r.IsSystemWide).ToList();
private async Task AddAsync()
{
_error = null;
if (string.IsNullOrWhiteSpace(_newGroup)) { _error = "LDAP group is required."; return; }
_busy = true;
try
{
await RoleMappings.CreateAsync(new LdapGroupRoleMapping
{
LdapGroup = _newGroup.Trim(), Role = _newRole, IsSystemWide = true, ClusterId = null,
}, default);
_newGroup = "";
_newRole = AdminRole.ConfigViewer;
await ReloadAsync();
}
catch (Exception ex) { _error = ex.Message; }
finally { _busy = false; }
}
private async Task DeleteAsync(Guid id)
{
_error = null; _busy = true;
try { await RoleMappings.DeleteAsync(id, default); await ReloadAsync(); }
catch (Exception ex) { _error = ex.Message; }
finally { _busy = false; }
}
}