Joseph Doherty
c1619d95f5
Standardize the control-plane admin role VALUES on the canonical six
(ZB.MOM.WW.Auth CanonicalRole). OtOpcUa uses four:
ConfigViewer -> Viewer
ConfigEditor -> Designer
FleetAdmin -> Administrator
DriverOperator -> Operator (appsettings-only string role)
This is a rename, not a permission change: enforcement semantics are
preserved (whoever could deploy/administer/operate before still can).
- AdminRole enum members renamed (persisted as string names via
HasConversion<string>); RoleGrants.razor dropdown default updated.
- EF DATA migration CanonicalizeAdminRoles rewrites existing
LdapGroupRoleMapping.Role rows old->new (Up) and back (Down); schema /
model snapshot byte-identical (no pending model changes).
- Enforcement role STRINGS canonicalized:
* Security policies keep their NAMES ("DriverOperator"/"FleetAdmin")
but require canonical roles: RequireRole("Operator","Administrator")
and RequireRole("Administrator").
* Deployments.razor [Authorize(Roles="Administrator,Designer")].
* DevStub now grants "Administrator"; LdapOptions/doc-comment examples
canonicalized.
- Data-plane authorization (NodePermissions/NodeAcl/IPermissionEvaluator/
TriePermissionEvaluator/UserAuthorizationState) UNTOUCHED.
- New CanonicalAdminRolesTests pins canonical claim values end-to-end and
the real registered policies; existing role-string tests updated.
169 lines
6.6 KiB
C#
169 lines
6.6 KiB
C#
using Microsoft.EntityFrameworkCore;
|
|
using Shouldly;
|
|
using Xunit;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration.Services;
|
|
|
|
namespace ZB.MOM.WW.OtOpcUa.Configuration.Tests;
|
|
|
|
[Trait("Category", "Unit")]
|
|
public sealed class LdapGroupRoleMappingServiceTests : IDisposable
|
|
{
|
|
private readonly OtOpcUaConfigDbContext _db;
|
|
|
|
/// <summary>Initializes a new instance of the LdapGroupRoleMappingServiceTests class.</summary>
|
|
public LdapGroupRoleMappingServiceTests()
|
|
{
|
|
var options = new DbContextOptionsBuilder<OtOpcUaConfigDbContext>()
|
|
.UseInMemoryDatabase($"ldap-grm-{Guid.NewGuid():N}")
|
|
.Options;
|
|
_db = new OtOpcUaConfigDbContext(options);
|
|
}
|
|
|
|
/// <summary>Disposes the database context.</summary>
|
|
public void Dispose() => _db.Dispose();
|
|
|
|
private LdapGroupRoleMapping Make(string group, AdminRole role, string? clusterId = null, bool? isSystemWide = null) =>
|
|
new()
|
|
{
|
|
LdapGroup = group,
|
|
Role = role,
|
|
ClusterId = clusterId,
|
|
IsSystemWide = isSystemWide ?? (clusterId is null),
|
|
};
|
|
|
|
/// <summary>Verifies that Create sets Id and CreatedAtUtc.</summary>
|
|
[Fact]
|
|
public async Task Create_SetsId_AndCreatedAtUtc()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
var row = Make("cn=fleet,dc=x", AdminRole.Administrator);
|
|
|
|
var saved = await svc.CreateAsync(row, CancellationToken.None);
|
|
|
|
saved.Id.ShouldNotBe(Guid.Empty);
|
|
saved.CreatedAtUtc.ShouldBeGreaterThan(DateTime.UtcNow.AddMinutes(-1));
|
|
}
|
|
|
|
/// <summary>Verifies that Create rejects empty LDAP group.</summary>
|
|
[Fact]
|
|
public async Task Create_Rejects_EmptyLdapGroup()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
var row = Make("", AdminRole.Administrator);
|
|
|
|
await Should.ThrowAsync<InvalidLdapGroupRoleMappingException>(
|
|
() => svc.CreateAsync(row, CancellationToken.None));
|
|
}
|
|
|
|
/// <summary>Verifies that Create rejects system-wide mapping with ClusterId.</summary>
|
|
[Fact]
|
|
public async Task Create_Rejects_SystemWide_With_ClusterId()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
var row = Make("cn=g", AdminRole.Viewer, clusterId: "c1", isSystemWide: true);
|
|
|
|
await Should.ThrowAsync<InvalidLdapGroupRoleMappingException>(
|
|
() => svc.CreateAsync(row, CancellationToken.None));
|
|
}
|
|
|
|
/// <summary>Verifies that Create rejects non-system-wide mapping without ClusterId.</summary>
|
|
[Fact]
|
|
public async Task Create_Rejects_NonSystemWide_WithoutClusterId()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
var row = Make("cn=g", AdminRole.Viewer, clusterId: null, isSystemWide: false);
|
|
|
|
await Should.ThrowAsync<InvalidLdapGroupRoleMappingException>(
|
|
() => svc.CreateAsync(row, CancellationToken.None));
|
|
}
|
|
|
|
/// <summary>Verifies that GetByGroups returns only matching grants.</summary>
|
|
[Fact]
|
|
public async Task GetByGroups_Returns_MatchingGrants_Only()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
await svc.CreateAsync(Make("cn=fleet,dc=x", AdminRole.Administrator), CancellationToken.None);
|
|
await svc.CreateAsync(Make("cn=editor,dc=x", AdminRole.Designer), CancellationToken.None);
|
|
await svc.CreateAsync(Make("cn=viewer,dc=x", AdminRole.Viewer), CancellationToken.None);
|
|
|
|
var results = await svc.GetByGroupsAsync(
|
|
["cn=fleet,dc=x", "cn=viewer,dc=x"], CancellationToken.None);
|
|
|
|
results.Count.ShouldBe(2);
|
|
results.Select(r => r.Role).ShouldBe([AdminRole.Administrator, AdminRole.Viewer], ignoreOrder: true);
|
|
}
|
|
|
|
/// <summary>Verifies that GetByGroups returns empty when input is empty.</summary>
|
|
[Fact]
|
|
public async Task GetByGroups_Empty_Input_ReturnsEmpty()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
await svc.CreateAsync(Make("cn=fleet,dc=x", AdminRole.Administrator), CancellationToken.None);
|
|
|
|
var results = await svc.GetByGroupsAsync([], CancellationToken.None);
|
|
|
|
results.ShouldBeEmpty();
|
|
}
|
|
|
|
/// <summary>Verifies that ListAll orders results by group then cluster.</summary>
|
|
[Fact]
|
|
public async Task ListAll_Orders_ByGroupThenCluster()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
await svc.CreateAsync(Make("cn=b,dc=x", AdminRole.Administrator), CancellationToken.None);
|
|
await svc.CreateAsync(Make("cn=a,dc=x", AdminRole.Designer, clusterId: "c2", isSystemWide: false), CancellationToken.None);
|
|
await svc.CreateAsync(Make("cn=a,dc=x", AdminRole.Designer, clusterId: "c1", isSystemWide: false), CancellationToken.None);
|
|
|
|
var results = await svc.ListAllAsync(CancellationToken.None);
|
|
|
|
results[0].LdapGroup.ShouldBe("cn=a,dc=x");
|
|
results[0].ClusterId.ShouldBe("c1");
|
|
results[1].ClusterId.ShouldBe("c2");
|
|
results[2].LdapGroup.ShouldBe("cn=b,dc=x");
|
|
}
|
|
|
|
/// <summary>Verifies that Delete removes the matching row.</summary>
|
|
[Fact]
|
|
public async Task Delete_Removes_Matching_Row()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
var saved = await svc.CreateAsync(Make("cn=fleet,dc=x", AdminRole.Administrator), CancellationToken.None);
|
|
|
|
await svc.DeleteAsync(saved.Id, CancellationToken.None);
|
|
|
|
var after = await svc.ListAllAsync(CancellationToken.None);
|
|
after.ShouldBeEmpty();
|
|
}
|
|
|
|
/// <summary>Verifies that Delete with unknown Id is a no-op.</summary>
|
|
[Fact]
|
|
public async Task Delete_Unknown_Id_IsNoOp()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
|
|
await svc.DeleteAsync(Guid.NewGuid(), CancellationToken.None);
|
|
// no exception
|
|
}
|
|
|
|
/// <summary>Verifies that a system-wide row (IsSystemWide=true, ClusterId=null) appears in both ListAllAsync and GetByGroupsAsync.</summary>
|
|
[Fact]
|
|
public async Task SystemWide_Row_AppearsIn_ListAll_And_GetByGroups()
|
|
{
|
|
var svc = new LdapGroupRoleMappingService(_db);
|
|
var saved = await svc.CreateAsync(
|
|
Make("cn=sysadmins,dc=x", AdminRole.Administrator, clusterId: null, isSystemWide: true),
|
|
CancellationToken.None);
|
|
|
|
saved.IsSystemWide.ShouldBeTrue();
|
|
saved.ClusterId.ShouldBeNull();
|
|
|
|
var all = await svc.ListAllAsync(CancellationToken.None);
|
|
all.ShouldContain(r => r.Id == saved.Id);
|
|
|
|
var byGroup = await svc.GetByGroupsAsync(["cn=sysadmins,dc=x"], CancellationToken.None);
|
|
byGroup.ShouldContain(r => r.Id == saved.Id);
|
|
}
|
|
}
|