dohertj2/lmxopcua
1
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(auth): cut OtOpcUa over to ZB.MOM.WW.Auth.Ldap; preserve DevStubMode; route roles via IGroupRoleMapper (Task 1.2/1.4)

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-02 00:55:10 -04:00
parent 6534875476
commit 257caa7bd1
14 changed files with 495 additions and 274 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/LdapOpcUaUserAuthenticatorTests.cs
+72 -11
View File
@@ -1,24 +1,32 @@
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Logging.Abstractions;
using Shouldly;
using Xunit;
using ZB.MOM.WW.Auth.Abstractions.Roles;
using ZB.MOM.WW.OtOpcUa.Host.OpcUa;
using ZB.MOM.WW.OtOpcUa.Security.Ldap;
namespace ZB.MOM.WW.OtOpcUa.Host.IntegrationTests;
/// <summary>
/// F13c — verifies <see cref="LdapOpcUaUserAuthenticator"/> faithfully translates
/// <see cref="ILdapAuthService"/> outcomes into <c>OpcUaUserAuthResult</c> and turns LDAP
/// backend exceptions into a denial rather than letting them escape into the SDK.
/// Verifies <see cref="LdapOpcUaUserAuthenticator"/> translates app <see cref="ILdapAuthService"/>
/// outcomes into <c>OpcUaUserAuthResult</c>, resolves roles from the directory's <em>groups</em>
/// through the shared <see cref="IGroupRoleMapper{TRole}"/> seam (Task 1.2), unions any pre-resolved
/// roles (the DevStub FleetAdmin grant) in, and turns LDAP backend exceptions into a denial rather
/// than letting them escape into the SDK.
/// </summary>
public sealed class LdapOpcUaUserAuthenticatorTests
{
/// <summary>Verifies that successful LDAP authentication returns Allow result with user roles.</summary>
/// <summary>On success the data-plane authenticator resolves roles via the mapper from the
/// returned Groups — not from the auth result's Roles field — and grants identity.</summary>
[Fact]
public async Task Authenticate_LDAP_success_returns_Allow_with_roles()
public async Task Authenticate_LDAP_success_resolves_roles_via_mapper_from_groups()
{
var ldap = new FakeLdap(new LdapAuthResult(true, "Alice", "alice", new[] { "configeditor" }, new[] { "ConfigEditor" }, null));
var sut = new LdapOpcUaUserAuthenticator(ldap, NullLogger<LdapOpcUaUserAuthenticator>.Instance);
// Library-style result: groups present, Roles empty (the real path). The mapper maps the
// group "configeditor" -> "ConfigEditor".
var ldap = new FakeLdap(new LdapAuthResult(true, "Alice", "alice", new[] { "configeditor" }, Array.Empty<string>(), null));
var mapper = new FakeMapper(g => g.Select(x => x == "configeditor" ? "ConfigEditor" : x).ToArray());
var sut = new LdapOpcUaUserAuthenticator(ldap, ScopeFactoryWith(mapper), NullLogger<LdapOpcUaUserAuthenticator>.Instance);
var result = await sut.AuthenticateUserNameAsync("alice", "secret", CancellationToken.None);
@@ -27,12 +35,45 @@ public sealed class LdapOpcUaUserAuthenticatorTests
result.Roles.ShouldBe(new[] { "ConfigEditor" });
}
/// <summary>The DevStub pre-resolved roles (FleetAdmin) survive the move to the mapper: they are
/// unioned with the mapper output so the dev grant still reaches the OPC UA session.</summary>
[Fact]
public async Task Authenticate_devstub_preresolved_roles_are_unioned_with_mapper()
{
// DevStub-shaped result: group "dev", pre-resolved role "FleetAdmin". Mapper maps "dev" to
// nothing, so the union is exactly {FleetAdmin}.
var ldap = new FakeLdap(new LdapAuthResult(true, "dev", "dev", new[] { "dev" }, new[] { "FleetAdmin" }, null));
var mapper = new FakeMapper(_ => Array.Empty<string>());
var sut = new LdapOpcUaUserAuthenticator(ldap, ScopeFactoryWith(mapper), NullLogger<LdapOpcUaUserAuthenticator>.Instance);
var result = await sut.AuthenticateUserNameAsync("dev", "anything", CancellationToken.None);
result.Success.ShouldBeTrue();
result.Roles.ShouldBe(new[] { "FleetAdmin" });
}
/// <summary>A mapper fault (e.g. DB outage) must not deny an authenticated session — it falls
/// back to the pre-resolved roles, matching the login endpoint's behaviour.</summary>
[Fact]
public async Task Authenticate_mapper_fault_falls_back_to_preresolved_roles()
{
var ldap = new FakeLdap(new LdapAuthResult(true, "dev", "dev", new[] { "dev" }, new[] { "FleetAdmin" }, null));
var mapper = new FakeMapper(_ => throw new InvalidOperationException("DB down"));
var sut = new LdapOpcUaUserAuthenticator(ldap, ScopeFactoryWith(mapper), NullLogger<LdapOpcUaUserAuthenticator>.Instance);
var result = await sut.AuthenticateUserNameAsync("dev", "anything", CancellationToken.None);
result.Success.ShouldBeTrue();
result.Roles.ShouldBe(new[] { "FleetAdmin" });
}
/// <summary>Verifies that LDAP authentication failure returns Deny result with error text.</summary>
[Fact]
public async Task Authenticate_LDAP_failure_returns_Deny_with_error_text()
{
var ldap = new FakeLdap(new LdapAuthResult(false, null, "mallory", Array.Empty<string>(), Array.Empty<string>(), "Invalid username or password"));
var sut = new LdapOpcUaUserAuthenticator(ldap, NullLogger<LdapOpcUaUserAuthenticator>.Instance);
var mapper = new FakeMapper(g => g.ToArray());
var sut = new LdapOpcUaUserAuthenticator(ldap, ScopeFactoryWith(mapper), NullLogger<LdapOpcUaUserAuthenticator>.Instance);
var result = await sut.AuthenticateUserNameAsync("mallory", "wrong", CancellationToken.None);
@@ -45,7 +86,8 @@ public sealed class LdapOpcUaUserAuthenticatorTests
public async Task Authenticate_LDAP_exception_returns_backend_error_denial()
{
var ldap = new FakeLdap(_ => throw new InvalidOperationException("LDAP unreachable"));
var sut = new LdapOpcUaUserAuthenticator(ldap, NullLogger<LdapOpcUaUserAuthenticator>.Instance);
var mapper = new FakeMapper(g => g.ToArray());
var sut = new LdapOpcUaUserAuthenticator(ldap, ScopeFactoryWith(mapper), NullLogger<LdapOpcUaUserAuthenticator>.Instance);
var result = await sut.AuthenticateUserNameAsync("anyone", "x", CancellationToken.None);
@@ -58,8 +100,9 @@ public sealed class LdapOpcUaUserAuthenticatorTests
[Fact]
public async Task Authenticate_falls_back_to_username_when_LDAP_omits_display_name()
{
var ldap = new FakeLdap(new LdapAuthResult(true, null, "alice", Array.Empty<string>(), new[] { "ReadOnly" }, null));
var sut = new LdapOpcUaUserAuthenticator(ldap, NullLogger<LdapOpcUaUserAuthenticator>.Instance);
var ldap = new FakeLdap(new LdapAuthResult(true, null, "alice", new[] { "ReadOnly" }, Array.Empty<string>(), null));
var mapper = new FakeMapper(g => g.ToArray());
var sut = new LdapOpcUaUserAuthenticator(ldap, ScopeFactoryWith(mapper), NullLogger<LdapOpcUaUserAuthenticator>.Instance);
var result = await sut.AuthenticateUserNameAsync("alice", "x", CancellationToken.None);
@@ -67,6 +110,14 @@ public sealed class LdapOpcUaUserAuthenticatorTests
result.DisplayName.ShouldBe("alice");
}
/// <summary>Builds an IServiceScopeFactory whose scopes resolve the supplied mapper.</summary>
private static IServiceScopeFactory ScopeFactoryWith(IGroupRoleMapper<string> mapper)
{
var services = new ServiceCollection();
services.AddScoped(_ => mapper);
return services.BuildServiceProvider().GetRequiredService<IServiceScopeFactory>();
}
/// <summary>Test fake implementation of LDAP authentication service.</summary>
private sealed class FakeLdap : ILdapAuthService
{
@@ -87,4 +138,14 @@ public sealed class LdapOpcUaUserAuthenticatorTests
public Task<LdapAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default)
=> Task.FromResult(_handler(username));
}
/// <summary>Test fake group→role mapper driven by a delegate over the supplied groups.</summary>
private sealed class FakeMapper(Func<IReadOnlyList<string>, IReadOnlyList<string>> map) : IGroupRoleMapper<string>
{
/// <summary>Maps groups to roles via the configured delegate; Scope is always null.</summary>
/// <param name="groups">The LDAP groups to map.</param>
/// <param name="ct">The cancellation token.</param>
public Task<GroupRoleMapping<string>> MapAsync(IReadOnlyList<string> groups, CancellationToken ct)
=> Task.FromResult(new GroupRoleMapping<string>(map(groups), Scope: null));
}
}
tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests/TwoNodeClusterHarness.cs
+10 -8
View File
@@ -178,14 +178,16 @@ public sealed class TwoNodeClusterHarness : IAsyncDisposable
if (harness.Mode.UseRealLdap)
{
configOverrides["Authentication:Ldap:Enabled"] = "true";
configOverrides["Authentication:Ldap:Server"] = "localhost";
configOverrides["Authentication:Ldap:Port"] = "3894";
configOverrides["Authentication:Ldap:UseTls"] = "false";
configOverrides["Authentication:Ldap:AllowInsecureLdap"] = "true";
configOverrides["Authentication:Ldap:SearchBase"] = "dc=lmxopcua,dc=local";
configOverrides["Authentication:Ldap:ServiceAccountDn"] = "cn=admin,dc=lmxopcua,dc=local";
configOverrides["Authentication:Ldap:ServiceAccountPassword"] = "ldapadmin";
// Bound section is Security:Ldap (see LdapOptions.SectionName); Transport replaces the
// old UseTls bool and AllowInsecure replaces AllowInsecureLdap (Task 1.4).
configOverrides["Security:Ldap:Enabled"] = "true";
configOverrides["Security:Ldap:Server"] = "localhost";
configOverrides["Security:Ldap:Port"] = "3894";
configOverrides["Security:Ldap:Transport"] = "None";
configOverrides["Security:Ldap:AllowInsecure"] = "true";
configOverrides["Security:Ldap:SearchBase"] = "dc=lmxopcua,dc=local";
configOverrides["Security:Ldap:ServiceAccountDn"] = "cn=admin,dc=lmxopcua,dc=local";
configOverrides["Security:Ldap:ServiceAccountPassword"] = "ldapadmin";
}
builder.Configuration.AddInMemoryCollection(configOverrides);
tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/LdapHelperTests.cs
-46
View File
@@ -1,46 +0,0 @@
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Security.Ldap;
namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
public sealed class LdapHelperTests
{
/// <summary>Verifies that LDAP filter special characters are properly escaped.</summary>
/// <param name="input">The input string.</param>
/// <param name="expected">The expected escaped output.</param>
[Theory]
[InlineData("joe", "joe")]
[InlineData("jo*e", "jo\\2ae")]
[InlineData("jo(e", "jo\\28e")]
[InlineData("jo)e", "jo\\29e")]
[InlineData("jo\\e", "jo\\5ce")]
public void EscapeLdapFilter_escapes_special_chars(string input, string expected)
{
LdapAuthService.EscapeLdapFilter(input).ShouldBe(expected);
}
/// <summary>Verifies that the first organizational unit segment is correctly extracted from a DN.</summary>
/// <param name="dn">The distinguished name.</param>
/// <param name="expected">The expected organizational unit value.</param>
[Theory]
[InlineData("cn=joe,ou=Admins,dc=lmxopcua,dc=local", "Admins")]
[InlineData("cn=alice,dc=lmxopcua,dc=local", null)]
[InlineData("ou=Admins,dc=lmxopcua,dc=local", "Admins")]
public void ExtractOuSegment_returns_first_ou(string dn, string? expected)
{
LdapAuthService.ExtractOuSegment(dn).ShouldBe(expected);
}
/// <summary>Verifies that the first RDN value is correctly extracted from various DN formats.</summary>
/// <param name="dn">The distinguished name.</param>
/// <param name="expected">The expected RDN value.</param>
[Theory]
[InlineData("cn=Admins,dc=lmxopcua,dc=local", "Admins")]
[InlineData("cn=Admins", "Admins")]
[InlineData("Admins", "Admins")]
public void ExtractFirstRdnValue_handles_full_and_short_dns(string dn, string expected)
{
LdapAuthService.ExtractFirstRdnValue(dn).ShouldBe(expected);
}
}
tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests/OtOpcUaLdapAuthServiceTests.cs
+135
View File
@@ -0,0 +1,135 @@
using Microsoft.Extensions.Logging.Abstractions;
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Security.Ldap;
using LdapTransport = ZB.MOM.WW.Auth.Abstractions.Ldap.LdapTransport;
using LdapAuthFailure = ZB.MOM.WW.Auth.Abstractions.Ldap.LdapAuthFailure;
using LibILdapAuthService = ZB.MOM.WW.Auth.Abstractions.Ldap.ILdapAuthService;
using LibLdapAuthResult = ZB.MOM.WW.Auth.Abstractions.Ldap.LdapAuthResult;
namespace ZB.MOM.WW.OtOpcUa.Security.Tests;
/// <summary>
/// Task 1.2 — proves <see cref="OtOpcUaLdapAuthService"/> (the app's ILdapAuthService wrapper over
/// the shared <c>ZB.MOM.WW.Auth.Ldap</c> service) preserves the two app-only concerns the library
/// does not model: the <c>Enabled</c> master switch and the <c>DevStubMode</c> bypass. Both must
/// short-circuit WITHOUT delegating to the library. On the real path it adapts the library result
/// (groups, never roles) onto the app result shape with roles left for the downstream mapper.
/// </summary>
public sealed class OtOpcUaLdapAuthServiceTests
{
private static OtOpcUaLdapAuthService Build(LdapOptions options, RecordingLibService inner) =>
new(options, inner, NullLogger<OtOpcUaLdapAuthService>.Instance);
/// <summary>DevStubMode on → stub FleetAdmin success WITHOUT hitting the library.</summary>
[Fact]
public async Task DevStubMode_grants_FleetAdmin_without_calling_the_library()
{
var inner = new RecordingLibService(LibLdapAuthResult.Fail(LdapAuthFailure.BadCredentials));
var sut = Build(new LdapOptions { Enabled = true, DevStubMode = true }, inner);
var result = await sut.AuthenticateAsync("anyone", "anything", CancellationToken.None);
result.Success.ShouldBeTrue();
result.Username.ShouldBe("anyone");
result.Groups.ShouldBe(new[] { "dev" });
result.Roles.ShouldBe(new[] { "FleetAdmin" });
inner.Called.ShouldBeFalse("DevStubMode must never reach the real directory client");
}
/// <summary>Enabled=false → denial, no library call (master switch wins over DevStubMode).</summary>
[Fact]
public async Task Disabled_denies_without_calling_the_library_even_with_devstub()
{
var inner = new RecordingLibService(LibLdapAuthResult.Success("x", "x", new[] { "g" }));
var sut = Build(new LdapOptions { Enabled = false, DevStubMode = true }, inner);
var result = await sut.AuthenticateAsync("user", "pw", CancellationToken.None);
result.Success.ShouldBeFalse();
result.Error.ShouldBe("LDAP authentication is disabled.");
inner.Called.ShouldBeFalse("a disabled provider must never touch the network");
}
/// <summary>Real path: a library success surfaces its Groups; Roles are left empty for the
/// downstream mapper (the library returns groups, not roles).</summary>
[Fact]
public async Task Real_path_success_surfaces_groups_and_leaves_roles_for_the_mapper()
{
var inner = new RecordingLibService(
LibLdapAuthResult.Success("alice", "Alice User", new[] { "ReadOnly", "Engineers" }));
var sut = Build(
new LdapOptions { Enabled = true, DevStubMode = false, Transport = LdapTransport.Ldaps },
inner);
var result = await sut.AuthenticateAsync("alice", "secret", CancellationToken.None);
inner.Called.ShouldBeTrue();
result.Success.ShouldBeTrue();
result.Username.ShouldBe("alice");
result.DisplayName.ShouldBe("Alice User");
result.Groups.ShouldBe(new[] { "ReadOnly", "Engineers" });
result.Roles.ShouldBeEmpty();
}
/// <summary>Real path: a library failure folds into a fail-closed error string.</summary>
[Fact]
public async Task Real_path_failure_folds_into_error()
{
var inner = new RecordingLibService(LibLdapAuthResult.Fail(LdapAuthFailure.BadCredentials));
var sut = Build(
new LdapOptions { Enabled = true, DevStubMode = false, Transport = LdapTransport.Ldaps },
inner);
var result = await sut.AuthenticateAsync("alice", "wrong", CancellationToken.None);
inner.Called.ShouldBeTrue();
result.Success.ShouldBeFalse();
result.Error.ShouldBe("Invalid username or password");
}
/// <summary>Insecure transport without AllowInsecure fails closed at the auth boundary WITHOUT
/// reaching the library — preserving the bespoke service's login-time guard after UseTls→Transport.</summary>
[Fact]
public async Task Insecure_transport_without_AllowInsecure_fails_closed_without_calling_library()
{
var inner = new RecordingLibService(LibLdapAuthResult.Success("x", "x", new[] { "g" }));
var sut = Build(
new LdapOptions { Enabled = true, DevStubMode = false, Transport = LdapTransport.None, AllowInsecure = false },
inner);
var result = await sut.AuthenticateAsync("alice", "secret", CancellationToken.None);
result.Success.ShouldBeFalse();
result.Error.ShouldNotBeNull();
result.Error!.ShouldContain("Insecure LDAP is disabled");
inner.Called.ShouldBeFalse();
}
/// <summary>Empty username/password are rejected up front without a library call.</summary>
[Theory]
[InlineData("", "pw")]
[InlineData("user", "")]
public async Task Empty_credentials_are_rejected_without_calling_library(string user, string pw)
{
var inner = new RecordingLibService(LibLdapAuthResult.Success("x", "x", new[] { "g" }));
var sut = Build(new LdapOptions { Enabled = true, Transport = LdapTransport.Ldaps }, inner);
var result = await sut.AuthenticateAsync(user, pw, CancellationToken.None);
result.Success.ShouldBeFalse();
inner.Called.ShouldBeFalse();
}
/// <summary>Records whether the library service was invoked and returns a canned result.</summary>
private sealed class RecordingLibService(LibLdapAuthResult result) : LibILdapAuthService
{
public bool Called { get; private set; }
public Task<LibLdapAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct)
{
Called = true;
return Task.FromResult(result);
}
}
}