dohertj2/lmxopcua
1
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
653487547687f08742f4408b0a28b9d700209ea3
lmxopcua/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/OtOpcUaGroupRoleMapperTests.cs
T
Joseph Doherty 6534875476 feat(auth): add IGroupRoleMapper<string> seam (Task 1.1)
2026-06-02 00:29:45 -04:00

119 lines
4.6 KiB
C#
Raw Blame History

using Microsoft.Extensions.Options;
using Shouldly;
using Xunit;
using ZB.MOM.WW.Auth.Abstractions.Roles;
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
using ZB.MOM.WW.OtOpcUa.Configuration.Services;
using ZB.MOM.WW.OtOpcUa.Security.Ldap;
namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
/// <summary>
/// Proves <see cref="OtOpcUaGroupRoleMapper"/> is a behaviour-preserving wrapper over the
/// existing <see cref="RoleMapper.Map"/> + <see cref="RoleMapper.Merge"/> logic: config
/// baseline + system-wide DB grants, cluster-scoped DB rows ignored, unmapped groups dropped,
/// and <c>Scope</c> always null.
/// </summary>
public sealed class OtOpcUaGroupRoleMapperTests
{
private static OtOpcUaGroupRoleMapper Build(
IDictionary<string, string> groupToRole,
params LdapGroupRoleMapping[] dbRows)
{
var options = Microsoft.Extensions.Options.Options.Create(new LdapOptions
{
GroupToRole = new Dictionary<string, string>(groupToRole, StringComparer.OrdinalIgnoreCase),
});
return new OtOpcUaGroupRoleMapper(options, new FakeMappingService(dbRows));
}
[Fact]
public async Task Maps_config_group_and_drops_unmapped_group()
{
var mapper = Build(new Dictionary<string, string> { ["AdminGroup"] = "FleetAdmin" });
var result = await mapper.MapAsync(["AdminGroup", "UnmappedGroup"], CancellationToken.None);
result.Roles.ShouldBe(["FleetAdmin"]);
result.Scope.ShouldBeNull();
}
[Fact]
public async Task System_wide_db_row_adds_role_on_top_of_config_baseline()
{
var mapper = Build(
new Dictionary<string, string> { ["viewers"] = "ConfigViewer" },
new LdapGroupRoleMapping { LdapGroup = "admins", Role = AdminRole.FleetAdmin, IsSystemWide = true });
var result = await mapper.MapAsync(["viewers", "admins"], CancellationToken.None);
result.Roles.ShouldContain("ConfigViewer");
result.Roles.ShouldContain("FleetAdmin");
result.Scope.ShouldBeNull();
}
[Fact]
public async Task Cluster_scoped_db_row_is_ignored()
{
var mapper = Build(
new Dictionary<string, string>(),
new LdapGroupRoleMapping
{
LdapGroup = "site-a-editors",
Role = AdminRole.ConfigEditor,
IsSystemWide = false,
ClusterId = "SITE-A",
});
var result = await mapper.MapAsync(["site-a-editors"], CancellationToken.None);
result.Roles.ShouldNotContain("ConfigEditor");
result.Roles.ShouldBeEmpty();
}
[Fact]
public async Task Reproduces_RoleMapper_Map_plus_Merge_for_representative_inputs()
{
var groupToRole = new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
["viewers"] = "ConfigViewer",
["editors"] = "ConfigEditor",
};
var dbRows = new[]
{
new LdapGroupRoleMapping { LdapGroup = "admins", Role = AdminRole.FleetAdmin, IsSystemWide = true },
new LdapGroupRoleMapping { LdapGroup = "site-a", Role = AdminRole.ConfigEditor, IsSystemWide = false, ClusterId = "SITE-A" },
};
var groups = new[] { "viewers", "editors", "admins", "site-a", "noise" };
var mapper = Build(groupToRole, dbRows);
// Oracle: exactly what the legacy login path computes today.
var baseline = RoleMapper.Map(groups, groupToRole);
var expected = RoleMapper.Merge(baseline, dbRows);
var result = await mapper.MapAsync(groups, CancellationToken.None);
result.Roles.OrderBy(r => r).ShouldBe(expected.OrderBy(r => r));
result.Scope.ShouldBeNull();
}
/// <summary>In-memory stand-in for the EF-backed DB service; returns the configured rows verbatim.</summary>
private sealed class FakeMappingService(IReadOnlyList<LdapGroupRoleMapping> rows) : ILdapGroupRoleMappingService
{
public Task<IReadOnlyList<LdapGroupRoleMapping>> GetByGroupsAsync(
IEnumerable<string> ldapGroups, CancellationToken cancellationToken)
=> Task.FromResult(rows);
public Task<IReadOnlyList<LdapGroupRoleMapping>> ListAllAsync(CancellationToken cancellationToken)
=> Task.FromResult(rows);
public Task<LdapGroupRoleMapping> CreateAsync(LdapGroupRoleMapping row, CancellationToken cancellationToken)
=> throw new NotSupportedException();
public Task DeleteAsync(Guid id, CancellationToken cancellationToken)
=> throw new NotSupportedException();
}
}
Reference in New Issue View Git Blame Copy Permalink