feat(security): add AuthDisableLoginOptions + DevAuthRoles for dev login bypass
@@ -0,0 +1,18 @@
|
|||||||
|
namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Dev/test flag: when <see cref="DisableLogin"/> is true the AdminUI bypasses the login
|
||||||
|
/// form entirely and auto-authenticates every request as <see cref="User"/> with all roles.
|
||||||
|
/// Default OFF. Never enable in production.
|
||||||
|
/// </summary>
|
||||||
|
public sealed class AuthDisableLoginOptions
|
||||||
|
{
|
||||||
|
/// <summary>Configuration section name (<c>Security:Auth</c>).</summary>
|
||||||
|
public const string SectionName = "Security:Auth";
|
||||||
|
|
||||||
|
/// <summary>When true, disable login and auto-authenticate every request. Default false.</summary>
|
||||||
|
public bool DisableLogin { get; set; }
|
||||||
|
|
||||||
|
/// <summary>The username the auto-login principal is minted with. Default "multi-role-test".</summary>
|
||||||
|
public string User { get; set; } = "multi-role-test";
|
||||||
|
}
|
||||||
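Review bot: The "Never enable in production" rule on `AuthDisableLoginOptions` exists only as a doc comment; nothing in this class stops `DisableLogin` from being bound to true by any configuration source under `Security:Auth`, including an environment variable or a leftover appsettings override. The code that binds and consumes these options is not visible in this commit, so if it does not already do so it should fail startup outside Development, e.g. `if (options.DisableLogin && !env.IsDevelopment()) throw new InvalidOperationException("Security:Auth:DisableLogin is only allowed in Development");`, and log a warning whenever the bypass is active. `User` also accepts an empty or whitespace value, which would presumably leave the auto-login principal without a usable name in audit records; validating it alongside the flag would close that gap.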
@@ -0,0 +1,18 @@
|
|||||||
|
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
|
||||||
|
|
||||||
|
namespace ZB.MOM.WW.OtOpcUa.Security.Auth;
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// The full canonical role set granted to the auto-login dev principal: every
|
||||||
|
/// <see cref="AdminRole"/> plus the appsettings-only control-plane role "Operator"
|
||||||
|
/// (required by the DriverOperator policy). Centralised so adding an AdminRole
|
||||||
|
/// automatically widens the grant.
|
||||||
|
/// </summary>
|
||||||
|
public static class DevAuthRoles
|
||||||
|
{
|
||||||
|
/// <summary>Operator role string — not an <see cref="AdminRole"/> enum member; used by the DriverOperator policy.</summary>
|
||||||
|
public const string Operator = "Operator";
|
||||||
|
|
||||||
|
/// <summary>All roles granted to the auto-login principal.</summary>
|
||||||
|
public static readonly string[] All = [.. Enum.GetNames<AdminRole>(), Operator];
|
||||||
|
}
|
||||||
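Review bot: `All` is declared `public static readonly string[]`, so the reference is fixed but the elements are not: any code in the process can assign to `DevAuthRoles.All[i]` and change the role set seen by every later caller. Exposing it as a read-only collection avoids that, e.g. `public static IReadOnlyList<string> All { get; } = [.. Enum.GetNames<AdminRole>(), Operator];` (the accompanying test's `.Length` would become `.Count`). The summary's "adding an AdminRole automatically widens the grant" also deserves a sentence of caution in the doc comment, since every future role, however privileged, is granted to the bypass principal without a separate review.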
@@ -0,0 +1,19 @@
|
|||||||
|
using Shouldly;
|
||||||
|
using Xunit;
|
||||||
|
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
|
||||||
|
using ZB.MOM.WW.OtOpcUa.Security.Auth;
|
||||||
|
|
||||||
|
namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
|
||||||
|
|
||||||
|
public class DevAuthRolesTests
|
||||||
|
{
|
||||||
|
[Fact]
|
||||||
|
public void All_covers_every_AdminRole_plus_Operator()
|
||||||
|
{
|
||||||
|
foreach (var name in Enum.GetNames<AdminRole>())
|
||||||
|
DevAuthRoles.All.ShouldContain(name);
|
||||||
|
DevAuthRoles.All.ShouldContain("Operator");
|
||||||
|
DevAuthRoles.All.Length.ShouldBe(Enum.GetNames<AdminRole>().Length + 1);
|
||||||
|
DevAuthRoles.All.Distinct().Count().ShouldBe(DevAuthRoles.All.Length);
|
||||||
|
}
|
||||||
|
}
|
||||||
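Review bot: The tests added here pin `DevAuthRoles.All`, but nothing pins the security-relevant defaults of `AuthDisableLoginOptions`, so a later change that makes `DisableLogin` default to true would still pass CI. A second fact asserting `new AuthDisableLoginOptions().DisableLogin.ShouldBeFalse();` and `new AuthDisableLoginOptions().User.ShouldBe("multi-role-test");` would cover it. As a style point, the `foreach` in `All_covers_every_AdminRole_plus_Operator` has a brace-less body; adding braces keeps a later second statement from silently falling outside the loop.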