feat(auth)!: OtOpcUa canonical control-plane roles + config-DB migration (Task 1.7)

Standardize the control-plane admin role VALUES on the canonical six
(ZB.MOM.WW.Auth CanonicalRole). OtOpcUa uses four:
  ConfigViewer   -> Viewer
  ConfigEditor   -> Designer
  FleetAdmin     -> Administrator
  DriverOperator -> Operator   (appsettings-only string role)

This is a rename, not a permission change: enforcement semantics are
preserved (whoever could deploy/administer/operate before still can).

- AdminRole enum members renamed (persisted as string names via
  HasConversion<string>); RoleGrants.razor dropdown default updated.
- EF DATA migration CanonicalizeAdminRoles rewrites existing
  LdapGroupRoleMapping.Role rows old->new (Up) and back (Down); schema /
  model snapshot byte-identical (no pending model changes).
- Enforcement role STRINGS canonicalized:
  * Security policies keep their NAMES ("DriverOperator"/"FleetAdmin")
    but require canonical roles: RequireRole("Operator","Administrator")
    and RequireRole("Administrator").
  * Deployments.razor [Authorize(Roles="Administrator,Designer")].
  * DevStub now grants "Administrator"; LdapOptions/doc-comment examples
    canonicalized.
- Data-plane authorization (NodePermissions/NodeAcl/IPermissionEvaluator/
  TriePermissionEvaluator/UserAuthorizationState) UNTOUCHED.
- New CanonicalAdminRolesTests pins canonical claim values end-to-end and
  the real registered policies; existing role-string tests updated.
Joseph Doherty
2026-06-02 07:30:00 -04:00
parent 8ba289f975
commit c1619d95f5
16 changed files with 2063 additions and 97 deletions
@@ -26,8 +26,8 @@ public sealed class RoleMapperTests
{
RoleMapper.Map(
new[] { "AdminGroup" },
new Dictionary<string, string> { ["AdminGroup"] = "FleetAdmin" })
.ShouldBe(new[] { "FleetAdmin" });
new Dictionary<string, string> { ["AdminGroup"] = "Administrator" })
.ShouldBe(new[] { "Administrator" });
}
/// <summary>
@@ -40,9 +40,9 @@ public sealed class RoleMapperTests
new[] { "admingroup" },
new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
["AdminGroup"] = "FleetAdmin",
["AdminGroup"] = "Administrator",
})
.ShouldBe(new[] { "FleetAdmin" });
.ShouldBe(new[] { "Administrator" });
}
/// <summary>
@@ -55,11 +55,11 @@ public sealed class RoleMapperTests
new[] { "AdminGroup", "AlsoAdmin" },
new Dictionary<string, string>
{
["AdminGroup"] = "FleetAdmin",
["AlsoAdmin"] = "FleetAdmin",
["AdminGroup"] = "Administrator",
["AlsoAdmin"] = "Administrator",
});
roles.ShouldBe(new[] { "FleetAdmin" });
roles.ShouldBe(new[] { "Administrator" });
}
[Fact]
@@ -67,16 +67,16 @@ public sealed class RoleMapperTests
{
var rows = new[]
{
new LdapGroupRoleMapping { LdapGroup = "g1", Role = AdminRole.FleetAdmin, IsSystemWide = true },
new LdapGroupRoleMapping { LdapGroup = "g2", Role = AdminRole.ConfigEditor, IsSystemWide = false, ClusterId = "SITE-A" },
new LdapGroupRoleMapping { LdapGroup = "g1", Role = AdminRole.Administrator, IsSystemWide = true },
new LdapGroupRoleMapping { LdapGroup = "g2", Role = AdminRole.Designer, IsSystemWide = false, ClusterId = "SITE-A" },
};
var result = RoleMapper.Merge(["ConfigViewer"], rows);
result.ShouldContain("ConfigViewer");
result.ShouldContain("FleetAdmin");
result.ShouldNotContain("ConfigEditor"); // cluster-scoped row ignored (global-only)
var result = RoleMapper.Merge(["Viewer"], rows);
result.ShouldContain("Viewer");
result.ShouldContain("Administrator");
result.ShouldNotContain("Designer"); // cluster-scoped row ignored (global-only)
}
[Fact]
public void Merge_with_no_db_rows_returns_baseline()
=> RoleMapper.Merge(["FleetAdmin"], []).ShouldBe(["FleetAdmin"]);
=> RoleMapper.Merge(["Administrator"], []).ShouldBe(["Administrator"]);
}