dohertj2/lmxopcua
1
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
c1619d95f509026eb05538249d05ed04ac657761
lmxopcua/tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/RoleMapperTests.cs
T
Joseph Doherty c1619d95f5 feat(auth)!: OtOpcUa canonical control-plane roles + config-DB migration (Task 1.7) 
Standardize the control-plane admin role VALUES on the canonical six
(ZB.MOM.WW.Auth CanonicalRole). OtOpcUa uses four:
  ConfigViewer   -> Viewer
  ConfigEditor   -> Designer
  FleetAdmin     -> Administrator
  DriverOperator -> Operator   (appsettings-only string role)

This is a rename, not a permission change: enforcement semantics are
preserved (whoever could deploy/administer/operate before still can).

- AdminRole enum members renamed (persisted as string names via
  HasConversion<string>); RoleGrants.razor dropdown default updated.
- EF DATA migration CanonicalizeAdminRoles rewrites existing
  LdapGroupRoleMapping.Role rows old->new (Up) and back (Down); schema /
  model snapshot byte-identical (no pending model changes).
- Enforcement role STRINGS canonicalized:
  * Security policies keep their NAMES ("DriverOperator"/"FleetAdmin")
    but require canonical roles: RequireRole("Operator","Administrator")
    and RequireRole("Administrator").
  * Deployments.razor [Authorize(Roles="Administrator,Designer")].
  * DevStub now grants "Administrator"; LdapOptions/doc-comment examples
    canonicalized.
- Data-plane authorization (NodePermissions/NodeAcl/IPermissionEvaluator/
  TriePermissionEvaluator/UserAuthorizationState) UNTOUCHED.
- New CanonicalAdminRolesTests pins canonical claim values end-to-end and
  the real registered policies; existing role-string tests updated.
2026-06-02 07:30:00 -04:00

83 lines
2.5 KiB
C#
Raw Blame History

using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
using ZB.MOM.WW.OtOpcUa.Security.Ldap;
namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
public sealed class RoleMapperTests
{
/// <summary>
/// Verifies that empty mapping returns no roles.
/// </summary>
[Fact]
public void Empty_mapping_returns_empty()
{
RoleMapper.Map(new[] { "Admins" }, new Dictionary<string, string>())
.ShouldBeEmpty();
}
/// <summary>
/// Verifies that RoleMapper maps a group to its corresponding role.
/// </summary>
[Fact]
public void Maps_group_to_role()
{
RoleMapper.Map(
new[] { "AdminGroup" },
new Dictionary<string, string> { ["AdminGroup"] = "Administrator" })
.ShouldBe(new[] { "Administrator" });
}
/// <summary>
/// Verifies that group matching is case-insensitive.
/// </summary>
[Fact]
public void Case_insensitive_group_match()
{
RoleMapper.Map(
new[] { "admingroup" },
new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
{
["AdminGroup"] = "Administrator",
})
.ShouldBe(new[] { "Administrator" });
}
/// <summary>
/// Verifies that multiple groups are deduplicated to unique roles.
/// </summary>
[Fact]
public void Multiple_groups_dedup_roles()
{
var roles = RoleMapper.Map(
new[] { "AdminGroup", "AlsoAdmin" },
new Dictionary<string, string>
{
["AdminGroup"] = "Administrator",
["AlsoAdmin"] = "Administrator",
});
roles.ShouldBe(new[] { "Administrator" });
}
[Fact]
public void Merge_unions_baseline_and_systemwide_db_roles()
{
var rows = new[]
{
new LdapGroupRoleMapping { LdapGroup = "g1", Role = AdminRole.Administrator, IsSystemWide = true },
new LdapGroupRoleMapping { LdapGroup = "g2", Role = AdminRole.Designer, IsSystemWide = false, ClusterId = "SITE-A" },
};
var result = RoleMapper.Merge(["Viewer"], rows);
result.ShouldContain("Viewer");
result.ShouldContain("Administrator");
result.ShouldNotContain("Designer"); // cluster-scoped row ignored (global-only)
}
[Fact]
public void Merge_with_no_db_rows_returns_baseline()
=> RoleMapper.Merge(["Administrator"], []).ShouldBe(["Administrator"]);
}
Reference in New Issue View Git Blame Copy Permalink