dohertj2/ScadaBridge
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

refactor(siteruntime): M3.3 ValidateTrustModel delegates to shared ScriptAnalysis + compile-surface parity test

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-16 19:37:50 -04:00
parent 14bd25196a
commit 64d6ac7288
6 changed files with 195 additions and 185 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/ZB.MOM.WW.ScadaBridge.SiteRuntime.Tests/Scripts/CompileSurfaceParityTests.cs
+105
View File
@@ -0,0 +1,105 @@
using System.Reflection;
using ZB.MOM.WW.ScadaBridge.ScriptAnalysis;
using ZB.MOM.WW.ScadaBridge.SiteRuntime.Scripts;
namespace ZB.MOM.WW.ScadaBridge.SiteRuntime.Tests.Scripts;
/// <summary>
/// M3.3: compile-surface parity guard. The shared
/// <see cref="ScriptCompileSurface"/> / <see cref="TriggerCompileSurface"/> are
/// compile-only stubs the design-time deploy gate binds candidate scripts
/// against; they must mirror the real SiteRuntime <see cref="ScriptGlobals"/> /
/// <see cref="TriggerExpressionGlobals"/> bind surfaces. If a member a script can
/// reference on the real globals is missing from the compile surface, a script
/// that uses it would pass the design-time gate but fail at the site — so the
/// compile surface's public top-level member NAMES must be a SUPERSET of the
/// real globals' names. This test fails loudly (listing the missing names) when
/// the surface drifts behind the runtime globals.
///
/// <para>
/// Top-level member-name parity is sufficient: the design-time compile against
/// the surface catches deeper signature mismatches itself; this guard only
/// ensures every entry point a script can name on the real globals exists on the
/// stub.
/// </para>
/// </summary>
public class CompileSurfaceParityTests
{
[Fact]
public void ScriptCompileSurface_MemberNames_AreSupersetOf_ScriptGlobals()
{
AssertSurfaceCoversGlobals(
surface: typeof(ScriptCompileSurface),
globals: typeof(ScriptGlobals));
}
[Fact]
public void TriggerCompileSurface_MemberNames_AreSupersetOf_TriggerExpressionGlobals()
{
AssertSurfaceCoversGlobals(
surface: typeof(TriggerCompileSurface),
globals: typeof(TriggerExpressionGlobals));
}
/// <summary>
/// Asserts that the public instance property + method member names of
/// <paramref name="surface"/> are a superset of those of
/// <paramref name="globals"/>. Inherited <see cref="object"/> members
/// (ToString/GetHashCode/Equals/GetType) are excluded. Fails with the exact
/// list of missing names when the surface does not cover the globals.
/// </summary>
private static void AssertSurfaceCoversGlobals(Type surface, Type globals)
{
var surfaceNames = PublicInstanceMemberNames(surface);
var globalsNames = PublicInstanceMemberNames(globals);
var missing = globalsNames
.Where(name => !surfaceNames.Contains(name))
.OrderBy(name => name, StringComparer.Ordinal)
.ToList();
Assert.True(
missing.Count == 0,
$"Compile surface '{surface.Name}' is missing {missing.Count} member name(s) "
+ $"present on '{globals.Name}': {string.Join(", ", missing)}. "
+ "The compile-only surface must mirror the runtime globals — add the "
+ "missing member(s) to the ScriptAnalysis surface type.");
}
/// <summary>
/// Public instance property + method member names declared on or inherited by
/// <paramref name="type"/>, excluding the inherited <see cref="object"/>
/// members (ToString, GetHashCode, Equals, GetType) so only script-reachable
/// API names remain. Property/method names are compared (no signatures).
/// </summary>
private static HashSet<string> PublicInstanceMemberNames(Type type)
{
const BindingFlags flags = BindingFlags.Public | BindingFlags.Instance;
var objectMembers = new HashSet<string>(StringComparer.Ordinal)
{
nameof(ToString),
nameof(GetHashCode),
nameof(Equals),
nameof(GetType),
};
var names = new HashSet<string>(StringComparer.Ordinal);
foreach (var property in type.GetProperties(flags))
names.Add(property.Name);
foreach (var method in type.GetMethods(flags))
{
// Skip compiler-generated property accessors (get_X / set_X) — the
// property itself is already counted by name above.
if (method.IsSpecialName)
continue;
if (objectMembers.Contains(method.Name))
continue;
names.Add(method.Name);
}
return names;
}
}
tests/ZB.MOM.WW.ScadaBridge.SiteRuntime.Tests/Scripts/ScriptCompilationServiceTests.cs
+67
View File
@@ -5,6 +5,16 @@ namespace ZB.MOM.WW.ScadaBridge.SiteRuntime.Tests.Scripts;
/// <summary>
/// WP-19: Script Trust Model tests — validates forbidden API detection and compilation.
///
/// As of the M3.3 consolidation, <c>ScriptCompilationService.ValidateTrustModel</c>
/// delegates its forbidden-API verdict to the shared authoritative
/// <c>ScriptAnalysis.ScriptTrustValidator</c>, which is stricter than SiteRuntime's
/// original deny-list: ALL of <c>System.Net</c> is forbidden (not just Sockets/Http),
/// plus reflection gateways, <c>dynamic</c>, <c>Activator</c>,
/// <c>System.Runtime.InteropServices</c> and <c>Microsoft.Win32</c>. Only
/// <c>System.Diagnostics.Process</c> is blocked under System.Diagnostics —
/// <c>Stopwatch</c> stays allowed. The real execution-path compile against
/// <c>ScriptGlobals</c> / <c>TriggerExpressionGlobals</c> is unchanged.
/// </summary>
public class ScriptCompilationServiceTests
{
@@ -108,4 +118,61 @@ public class ScriptCompilationServiceTests
Assert.False(result.IsSuccess);
Assert.NotEmpty(result.Errors);
}
// ── M3.3: stricter shared-validator behavior ──
[Fact]
public void ValidateTrustModel_SystemNetDns_Forbidden()
{
// The shared validator forbids ALL of System.Net — not just Sockets/Http.
// System.Net.Dns was allowed under the old SiteRuntime list; now blocked.
var violations = _service.ValidateTrustModel(
"System.Net.Dns.GetHostName()");
Assert.NotEmpty(violations);
Assert.Contains(violations, v => v.Contains("System.Net"));
}
[Fact]
public void ValidateTrustModel_ReflectionGatewayViaPermittedType_Forbidden()
{
// typeof(x).Assembly.GetType(...) never spells a forbidden namespace, but
// the shared validator rejects the reflection-gateway members regardless of
// receiver — this was NOT caught by the old SiteRuntime list.
var violations = _service.ValidateTrustModel(
"typeof(string).Assembly.GetType(\"System.IO.File\")");
Assert.NotEmpty(violations);
}
[Fact]
public void ValidateTrustModel_Dynamic_Forbidden()
{
var violations = _service.ValidateTrustModel("dynamic d = 1; return d;");
Assert.NotEmpty(violations);
}
[Fact]
public void ValidateTrustModel_Activator_Forbidden()
{
var violations = _service.ValidateTrustModel(
"Activator.CreateInstance(typeof(string))");
Assert.NotEmpty(violations);
}
[Fact]
public void ValidateTrustModel_InteropServices_Forbidden()
{
var violations = _service.ValidateTrustModel(
"System.Runtime.InteropServices.Marshal.SizeOf<int>()");
Assert.NotEmpty(violations);
}
[Fact]
public void ValidateTrustModel_Stopwatch_Allowed()
{
// Only System.Diagnostics.Process is blocked under System.Diagnostics —
// Stopwatch stays allowed.
var violations = _service.ValidateTrustModel(
"var sw = System.Diagnostics.Stopwatch.StartNew(); return sw.ElapsedMilliseconds;");
Assert.Empty(violations);
}
}
tests/ZB.MOM.WW.ScadaBridge.SiteRuntime.Tests/Scripts/TrustModelSemanticTests.cs
+6
View File
@@ -8,6 +8,12 @@ namespace ZB.MOM.WW.ScadaBridge.SiteRuntime.Tests.Scripts;
/// The previous implementation was a raw substring scan of the source text — it both
/// missed forbidden APIs (no literal namespace string) and raised false positives on
/// the namespace string appearing in comments, string literals or unrelated identifiers.
///
/// As of M3.3, <c>ValidateTrustModel</c> delegates to the shared authoritative
/// <c>ScriptAnalysis.ScriptTrustValidator</c>, which retains this same Roslyn
/// semantic-symbol analysis (plus reflection-gateway hardening), so these bypass /
/// false-positive / allowed-exception regressions continue to hold through the
/// delegating service.
/// </summary>
public class TrustModelSemanticTests
{