feat(security): RoleMapper.Merge — additive DB-backed role grants
This commit is contained in:
Joseph Doherty
@@ -1,3 +1,5 @@
|
|||||||
|
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
|
||||||
|
|
||||||
namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
|
namespace ZB.MOM.WW.OtOpcUa.Security.Ldap;
|
||||||
|
|
||||||
/// <summary>
|
/// <summary>
|
||||||
@@ -24,4 +26,21 @@ public static class RoleMapper
|
|||||||
}
|
}
|
||||||
return [.. roles];
|
return [.. roles];
|
||||||
}
|
}
|
||||||
|
|
||||||
|
/// <summary>
|
||||||
|
/// Merge the appsettings-derived baseline roles with system-wide DB grants. DB rows are
|
||||||
|
/// additive; cluster-scoped rows (IsSystemWide == false) are ignored under the global model.
|
||||||
|
/// </summary>
|
||||||
|
/// <param name="baselineRoles">Roles already resolved from appsettings (or the dev stub).</param>
|
||||||
|
/// <param name="dbRows">LdapGroupRoleMapping rows for the user's groups (from GetByGroupsAsync).</param>
|
||||||
|
public static IReadOnlyList<string> Merge(
|
||||||
|
IReadOnlyCollection<string> baselineRoles,
|
||||||
|
IReadOnlyCollection<LdapGroupRoleMapping> dbRows)
|
||||||
|
{
|
||||||
|
var roles = new HashSet<string>(baselineRoles, StringComparer.OrdinalIgnoreCase);
|
||||||
|
foreach (var row in dbRows)
|
||||||
|
if (row.IsSystemWide)
|
||||||
|
roles.Add(row.Role.ToString());
|
||||||
|
return [.. roles];
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|||||||
@@ -1,5 +1,7 @@
|
|||||||
using Shouldly;
|
using Shouldly;
|
||||||
using Xunit;
|
using Xunit;
|
||||||
|
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
|
||||||
|
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
|
||||||
using ZB.MOM.WW.OtOpcUa.Security.Ldap;
|
using ZB.MOM.WW.OtOpcUa.Security.Ldap;
|
||||||
|
|
||||||
namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
|
namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
|
||||||
@@ -59,4 +61,22 @@ public sealed class RoleMapperTests
|
|||||||
|
|
||||||
roles.ShouldBe(new[] { "FleetAdmin" });
|
roles.ShouldBe(new[] { "FleetAdmin" });
|
||||||
}
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public void Merge_unions_baseline_and_systemwide_db_roles()
|
||||||
|
{
|
||||||
|
var rows = new[]
|
||||||
|
{
|
||||||
|
new LdapGroupRoleMapping { LdapGroup = "g1", Role = AdminRole.FleetAdmin, IsSystemWide = true },
|
||||||
|
new LdapGroupRoleMapping { LdapGroup = "g2", Role = AdminRole.ConfigEditor, IsSystemWide = false, ClusterId = "SITE-A" },
|
||||||
|
};
|
||||||
|
var result = RoleMapper.Merge(["ConfigViewer"], rows);
|
||||||
|
result.ShouldContain("ConfigViewer");
|
||||||
|
result.ShouldContain("FleetAdmin");
|
||||||
|
result.ShouldNotContain("ConfigEditor"); // cluster-scoped row ignored (global-only)
|
||||||
|
}
|
||||||
|
|
||||||
|
[Fact]
|
||||||
|
public void Merge_with_no_db_rows_returns_baseline()
|
||||||
|
=> RoleMapper.Merge(["FleetAdmin"], []).ShouldBe(["FleetAdmin"]);
|
||||||
}
|
}
|
||||||
|
|||||||
Reference in New Issue
Block a user