fix(data-connection): resolve DataConnectionLayer-006..012 — quality-counter reconciliation, per-tag batch reads, configurable failover threshold, dedup retry, stale-callback guard, secure cert default

2026-05-16 21:11:24 -04:00
parent 0c82ffcbe6
commit c9b236e507
8 changed files with 515 additions and 34 deletions
@@ -14,7 +14,10 @@ public record OpcUaConnectionOptions(
    int SamplingIntervalMs = 1000,
    int QueueSize = 10,
    string SecurityMode = "None",
-    bool AutoAcceptUntrustedCerts = true,
+    // DataConnectionLayer-012: secure-by-default — untrusted server certificates are
+    // rejected unless an operator explicitly opts in per connection. Accepting any
+    // certificate defeats the Sign / SignAndEncrypt modes against a man-in-the-middle.
+    bool AutoAcceptUntrustedCerts = false,
    bool DiscardOldest = true,
    byte SubscriptionPriority = 0,
    string SubscriptionDisplayName = "ScadaLink",
@@ -186,10 +186,26 @@ public class OpcUaDataConnection : IDataConnection

    public async Task<IReadOnlyDictionary<string, ReadResult>> ReadBatchAsync(IEnumerable<string> tagPaths, CancellationToken cancellationToken = default)
    {
+        // DataConnectionLayer-007: a single failing tag must not abort the whole batch.
+        // ReadAsync re-throws non-cancellation exceptions; catch them per tag and record
+        // a failed ReadResult so the caller receives a complete result map for every
+        // requested tag (the ReadResult shape already carries per-tag Success/error).
        var results = new Dictionary<string, ReadResult>();
        foreach (var tagPath in tagPaths)
        {
-            results[tagPath] = await ReadAsync(tagPath, cancellationToken);
+            try
+            {
+                results[tagPath] = await ReadAsync(tagPath, cancellationToken);
+            }
+            catch (OperationCanceledException)
+            {
+                // Cancellation aborts the whole batch — propagate it.
+                throw;
+            }
+            catch (Exception ex)
+            {
+                results[tagPath] = new ReadResult(false, null, ex.Message);
+            }
        }
        return results;
    }
@@ -1,5 +1,7 @@
 using System.Collections.Concurrent;
 using System.Security.Cryptography.X509Certificates;
+using Microsoft.Extensions.Logging;
+using Microsoft.Extensions.Logging.Abstractions;
 using Opc.Ua;
 using Opc.Ua.Client;
 using Opc.Ua.Configuration;
@@ -25,10 +27,12 @@ public class RealOpcUaClient : IOpcUaClient
    private volatile bool _connectionLostFired;
    private OpcUaConnectionOptions _options = new();
    private readonly OpcUaGlobalOptions _globalOptions;
+    private readonly ILogger<RealOpcUaClient> _logger;

-    public RealOpcUaClient(OpcUaGlobalOptions? globalOptions = null)
+    public RealOpcUaClient(OpcUaGlobalOptions? globalOptions = null, ILogger<RealOpcUaClient>? logger = null)
    {
        _globalOptions = globalOptions ?? new OpcUaGlobalOptions();
+        _logger = logger ?? NullLogger<RealOpcUaClient>.Instance;
    }

    public bool IsConnected => _session?.Connected ?? false;
@@ -65,7 +69,16 @@ public class RealOpcUaClient : IOpcUaClient

        await appConfig.ValidateAsync(ApplicationType.Client);
        if (opts.AutoAcceptUntrustedCerts)
+        {
+            // DataConnectionLayer-012: this accepts ANY server certificate, defeating
+            // certificate trust enforcement. Surface a prominent warning so an operator
+            // who has opted in is aware of the man-in-the-middle exposure on the link.
+            _logger.LogWarning(
+                "OPC UA connection to {Endpoint} has AutoAcceptUntrustedCerts enabled — every " +
+                "server certificate is accepted unconditionally. This defeats Sign / " +
+                "SignAndEncrypt protection against a man-in-the-middle.", endpointUrl);
            appConfig.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
+        }

        // Discover endpoints from the server, pick the preferred security mode
        EndpointDescription? endpoint;