feat(security): LdapAuthResult.IsSystemFailure distinguishes directory outage from credential deny (03/S2)

This commit is contained in:
Joseph Doherty
2026-07-13 11:39:35 -04:00
parent 09faa05f06
commit 0d5cb89d48
4 changed files with 70 additions and 3 deletions
@@ -7,4 +7,15 @@ public sealed record LdapAuthResult(
string? Username,
IReadOnlyList<string> Groups,
IReadOnlyList<string> Roles,
string? Error);
string? Error)
{
/// <summary>
/// <c>true</c> when this failure is a SYSTEM-side directory fault (the directory is unreachable or
/// the service account is misconfigured) rather than a user-credential deny. Feeds the OPC UA
/// data-plane authenticator's outage circuit (03/S2): a run of consecutive system-side failures
/// opens the circuit and fails fast, whereas user-side denies never trip it. Always <c>false</c>
/// on success and on user-side denies; set only on the delegated real path for the library's
/// directory-unreachable bucket.
/// </summary>
public bool IsSystemFailure { get; init; }
}
@@ -113,7 +113,13 @@ public sealed class OtOpcUaLdapAuthService : ILdapAuthService
if (result.Succeeded)
return new(true, result.DisplayName, result.Username, result.Groups, [], null);
return new(false, null, username, [], [], FailureToError(result.Failure));
// ServiceAccountBindFailed is the library's directory-unreachable / service-account-misconfigured
// bucket (its enum has no dedicated DirectoryUnavailable) — flag it as system-side so the OPC UA
// authenticator's outage circuit can distinguish an outage from a user-credential deny (03/S2).
return new(false, null, username, [], [], FailureToError(result.Failure))
{
IsSystemFailure = result.Failure is LdapAuthFailure.ServiceAccountBindFailed,
};
}
/// <summary>Folds a structured library failure code into the app's user-facing error text.</summary>