Map LDAP groups to custom OPC UA role NodeIds on RoleBasedIdentity.GrantedRoleIds during authentication, replacing the username-to-role side cache. Split ReadWrite into WriteOperate/WriteTune/WriteConfigure so write access is gated per Galaxy security classification. AnonymousCanWrite now behaves consistently regardless of LDAP state. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
using System;
using System.Collections.Generic;
using ZB.MOM.WW.LmxOpcUa.Host.Domain;
namespace ZB.MOM.WW.LmxOpcUa.Tests.Helpers
{
/// <summary>
/// Deterministic authentication provider for integration tests.
/// Validates credentials against hardcoded username/password pairs
/// and returns configured role sets per user.
/// </summary>
/// <remarks>
/// Usernames are matched case-insensitively (ordinal); passwords are compared
/// exactly and case-sensitively. Credentials live in memory as plain strings,
/// which is acceptable only because this type exists for tests.
/// </remarks>
internal class FakeAuthenticationProvider : IUserAuthenticationProvider, IRoleProvider
{
    // Username -> expected password. Case-insensitive on the username only.
    private readonly Dictionary<string, string> _credentials =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);

    // Username -> roles registered through AddUser. Same case-insensitive key rule.
    private readonly Dictionary<string, IReadOnlyList<string>> _roles =
        new Dictionary<string, IReadOnlyList<string>>(StringComparer.OrdinalIgnoreCase);

    /// <summary>
    /// Registers (or overwrites) a user together with the roles to report for it.
    /// </summary>
    /// <param name="username">Login name; later lookups ignore case.</param>
    /// <param name="password">Password that <see cref="ValidateCredentials"/> will accept.</param>
    /// <param name="roles">Roles returned by <see cref="GetUserRoles"/>; may be empty.</param>
    /// <returns>This instance, so registrations can be chained.</returns>
    public FakeAuthenticationProvider AddUser(string username, string password, params string[] roles)
    {
        _credentials[username] = password;
        _roles[username] = roles;
        return this;
    }

    /// <summary>
    /// Returns <c>true</c> only when <paramref name="username"/> was registered
    /// and <paramref name="password"/> exactly equals the stored one.
    /// </summary>
    public bool ValidateCredentials(string username, string password)
    {
        if (!_credentials.TryGetValue(username, out var storedPassword))
        {
            return false;
        }

        // Exact (ordinal) comparison, the same semantics as == on strings.
        return string.Equals(storedPassword, password, StringComparison.Ordinal);
    }

    /// <summary>
    /// Returns the roles registered for <paramref name="username"/>, or a single
    /// <see cref="AppRoles.ReadOnly"/> entry when the user is unknown.
    /// </summary>
    public IReadOnlyList<string> GetUserRoles(string username)
    {
        if (_roles.TryGetValue(username, out var configuredRoles))
        {
            return configuredRoles;
        }

        // Unknown users fall back to read-only rather than to no roles at all.
        return new[] { AppRoles.ReadOnly };
    }
}
}