Joseph Doherty
153 lines
6.0 KiB
Plaintext
153 lines
6.0 KiB
Plaintext
@page "/role-grants"
|
|
@attribute [Microsoft.AspNetCore.Authorization.Authorize(Policy = "FleetAdmin")]
|
|
@rendermode RenderMode.InteractiveServer
|
|
@using Microsoft.Extensions.Options
|
|
@using ZB.MOM.WW.OtOpcUa.Configuration.Entities
|
|
@using ZB.MOM.WW.OtOpcUa.Configuration.Enums
|
|
@using ZB.MOM.WW.OtOpcUa.Configuration.Services
|
|
@using ZB.MOM.WW.OtOpcUa.Security.Ldap
|
|
@inject IOptionsSnapshot<LdapOptions> Ldap
|
|
@inject ILdapGroupRoleMappingService RoleMappings
|
|
|
|
<div class="d-flex justify-content-between align-items-center mb-3">
|
|
<h4 class="mb-0">Role grants</h4>
|
|
</div>
|
|
|
|
@if (_options is not null)
|
|
{
|
|
<section class="card-grid rise" style="animation-delay:.02s">
|
|
<div class="metric-card">
|
|
<div class="panel-head">LDAP binding</div>
|
|
<div class="kv"><span class="k">Enabled</span><span class="v">@(_options.Enabled ? "yes" : "no")</span></div>
|
|
<div class="kv"><span class="k">Server</span><span class="v mono">@_options.Server:@_options.Port</span></div>
|
|
<div class="kv"><span class="k">UseTls</span><span class="v">@_options.UseTls</span></div>
|
|
<div class="kv"><span class="k">SearchBase</span><span class="v mono small">@_options.SearchBase</span></div>
|
|
@if (!_options.UseTls && _options.AllowInsecureLdap)
|
|
{
|
|
<div class="kv"><span class="k">Warning</span><span class="v"><span class="chip chip-alert">Plaintext credentials over LDAP — dev mode only</span></span></div>
|
|
}
|
|
</div>
|
|
</section>
|
|
}
|
|
|
|
<section class="panel rise mt-3" style="animation-delay:.08s">
|
|
<div class="panel-head">Group → role (database)</div>
|
|
<div style="padding:1rem">
|
|
<div class="d-flex gap-2 align-items-center flex-wrap">
|
|
<input class="form-control form-control-sm mono" style="max-width:32rem"
|
|
@bind="_newGroup" placeholder="cn=fleet-admin,ou=groups,..." />
|
|
<select class="form-select form-select-sm" style="max-width:14rem" @bind="_newRole">
|
|
@foreach (var role in Enum.GetValues<AdminRole>())
|
|
{
|
|
<option value="@role">@role</option>
|
|
}
|
|
</select>
|
|
<button class="btn btn-sm btn-primary" @onclick="AddAsync" disabled="@_busy">Add</button>
|
|
</div>
|
|
@if (_error is not null)
|
|
{
|
|
<div class="text-danger small mt-2">@_error</div>
|
|
}
|
|
</div>
|
|
<div class="table-wrap">
|
|
<table class="data-table">
|
|
<thead><tr><th>LDAP group</th><th>Role</th><th></th></tr></thead>
|
|
<tbody>
|
|
@if (_rows.Count == 0)
|
|
{
|
|
<tr><td colspan="3" class="text-muted">No database role grants. Authentication falls back to the appsettings map below.</td></tr>
|
|
}
|
|
else
|
|
{
|
|
@foreach (var r in _rows)
|
|
{
|
|
<tr>
|
|
<td><span class="mono">@r.LdapGroup</span></td>
|
|
<td><span class="chip chip-idle">@r.Role</span></td>
|
|
<td><button class="btn btn-sm btn-link text-danger" @onclick="() => DeleteAsync(r.Id)" disabled="@_busy">Delete</button></td>
|
|
</tr>
|
|
}
|
|
}
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
</section>
|
|
|
|
@if (_options is not null)
|
|
{
|
|
<section class="panel rise mt-3" style="animation-delay:.14s">
|
|
<div class="panel-head">Fallback (appsettings) (@(_options.GroupToRole?.Count ?? 0))</div>
|
|
<div style="padding:1rem 1rem 0" class="text-muted small">
|
|
These <span class="mono">Authentication:Ldap:GroupToRole</span> entries apply when a group has no database row above.
|
|
</div>
|
|
@if (_options.GroupToRole is null || _options.GroupToRole.Count == 0)
|
|
{
|
|
<div style="padding:1rem" class="text-muted">No appsettings fallback mapping configured.</div>
|
|
}
|
|
else
|
|
{
|
|
<div class="table-wrap">
|
|
<table class="data-table">
|
|
<thead><tr><th>LDAP group</th><th>Resolved role</th></tr></thead>
|
|
<tbody>
|
|
@foreach (var kvp in _options.GroupToRole.OrderBy(k => k.Key, StringComparer.OrdinalIgnoreCase))
|
|
{
|
|
<tr>
|
|
<td><span class="mono">@kvp.Key</span></td>
|
|
<td><span class="chip chip-idle">@kvp.Value</span></td>
|
|
</tr>
|
|
}
|
|
</tbody>
|
|
</table>
|
|
</div>
|
|
}
|
|
</section>
|
|
}
|
|
|
|
@code {
|
|
private LdapOptions? _options;
|
|
private IReadOnlyList<LdapGroupRoleMapping> _rows = [];
|
|
private string _newGroup = "";
|
|
private AdminRole _newRole = AdminRole.ConfigViewer;
|
|
private string? _error;
|
|
private bool _busy;
|
|
|
|
protected override async Task OnInitializedAsync()
|
|
{
|
|
_options = Ldap.Value;
|
|
await ReloadAsync();
|
|
}
|
|
|
|
private async Task ReloadAsync()
|
|
=> _rows = (await RoleMappings.ListAllAsync(default)).Where(r => r.IsSystemWide).ToList();
|
|
|
|
private async Task AddAsync()
|
|
{
|
|
_error = null;
|
|
if (string.IsNullOrWhiteSpace(_newGroup)) { _error = "LDAP group is required."; return; }
|
|
_busy = true;
|
|
StateHasChanged();
|
|
try
|
|
{
|
|
await RoleMappings.CreateAsync(new LdapGroupRoleMapping
|
|
{
|
|
LdapGroup = _newGroup.Trim(), Role = _newRole, IsSystemWide = true, ClusterId = null,
|
|
}, default);
|
|
_newGroup = "";
|
|
_newRole = AdminRole.ConfigViewer;
|
|
await ReloadAsync();
|
|
}
|
|
catch (Exception ex) { _error = ex.Message; }
|
|
finally { _busy = false; }
|
|
}
|
|
|
|
private async Task DeleteAsync(Guid id)
|
|
{
|
|
_error = null; _busy = true;
|
|
StateHasChanged();
|
|
try { await RoleMappings.DeleteAsync(id, default); await ReloadAsync(); }
|
|
catch (Exception ex) { _error = ex.Message; }
|
|
finally { _busy = false; }
|
|
}
|
|
}
|