dohertj2/lmxopcua
1
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

feat(historian-sidecar): TcpFrameServer (TCP + optional TLS)

Browse Source
This commit is contained in:
Joseph Doherty
2026-06-12 11:16:28 -04:00
parent 35ac0b8c4e
commit 3528702185
2 changed files with 406 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
tests/Drivers/ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Tests/Ipc/TcpRoundTripTests.cs
+235
View File
@@ -0,0 +1,235 @@
using System;
using System.IO;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Authentication;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading;
using System.Threading.Tasks;
using MessagePack;
using Serilog;
using Serilog.Core;
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Ipc;
namespace ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Tests.Ipc;
/// <summary>
/// Round-trip tests for <see cref="TcpFrameServer"/> added with the TCP transport. Each
/// scenario binds the server on <c>127.0.0.1:0</c>, connects a real <see cref="TcpClient"/>,
/// performs the Hello handshake, and exercises a request/reply over the wire framing — both
/// plaintext and over TLS. These target net48 and run on Windows in CI; on the macOS dev box
/// they only compile.
/// </summary>
public sealed class TcpRoundTripTests
{
private static readonly ILogger Quiet = Logger.None;
// Generous timeout so the deterministic tests don't hang CI if the server misbehaves.
private static readonly TimeSpan Timeout = TimeSpan.FromSeconds(10);
/// <summary>
/// Fake handler that echoes a fixed <see cref="ReadRawReply"/> when it sees a
/// <see cref="MessageKind.ReadRawRequest"/>, mirroring the client correlation id.
/// </summary>
private sealed class EchoHandler : IFrameHandler
{
public Task HandleAsync(MessageKind kind, byte[] body, FrameWriter writer, CancellationToken ct)
{
if (kind != MessageKind.ReadRawRequest)
return Task.CompletedTask;
var request = MessagePackSerializer.Deserialize<ReadRawRequest>(body);
var reply = new ReadRawReply
{
CorrelationId = request.CorrelationId,
Success = true,
Samples = new[]
{
new HistorianSampleDto
{
ValueBytes = MessagePackSerializer.Serialize(42.0),
Quality = 192,
TimestampUtcTicks = new DateTime(2026, 6, 12, 0, 0, 0, DateTimeKind.Utc).Ticks,
},
},
};
return writer.WriteAsync(MessageKind.ReadRawReply, reply, ct);
}
}
/// <summary>Generates an in-memory self-signed RSA cert with a serverAuth EKU and a private key.</summary>
private static X509Certificate2 MakeSelfSignedCert()
{
using var rsa = RSA.Create(2048);
var req = new CertificateRequest("CN=otopcua-historian-sidecar-test", rsa, HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
req.CertificateExtensions.Add(
new X509EnhancedKeyUsageExtension(
new OidCollection { new Oid("1.3.6.1.5.5.7.3.1") /* serverAuth */ }, critical: false));
using var ephemeral = req.CreateSelfSigned(DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddYears(1));
// Round-trip through a PFX so the returned cert carries an exportable private key on net48.
var pfx = ephemeral.Export(X509ContentType.Pfx, "pw");
return new X509Certificate2(pfx, "pw", X509KeyStorageFlags.Exportable);
}
/// <summary>Performs the Hello handshake on the given stream and returns the deserialized ack.</summary>
private static async Task<HelloAck> HelloAsync(Stream stream, string secret, CancellationToken ct)
{
using var writer = new FrameWriter(stream, leaveOpen: true);
using var reader = new FrameReader(stream, leaveOpen: true);
await writer.WriteAsync(MessageKind.Hello,
new Hello { ProtocolMajor = Hello.CurrentMajor, PeerName = "test-client", SharedSecret = secret }, ct);
var ackFrame = await reader.ReadFrameAsync(ct);
ackFrame.ShouldNotBeNull();
ackFrame!.Value.Kind.ShouldBe(MessageKind.HelloAck);
return MessagePackSerializer.Deserialize<HelloAck>(ackFrame.Value.Body);
}
/// <summary>Wraps a connected client socket stream in an SslStream that pins the server cert thumbprint.</summary>
private static async Task<SslStream> ClientTlsAsync(NetworkStream inner, string expectedThumbprint, CancellationToken ct)
{
var ssl = new SslStream(inner, leaveInnerStreamOpen: false,
userCertificateValidationCallback: (_, cert, _, _) =>
cert is not null &&
string.Equals(
new X509Certificate2(cert).Thumbprint,
expectedThumbprint,
StringComparison.OrdinalIgnoreCase));
await ssl.AuthenticateAsClientAsync("otopcua-historian-sidecar-test", clientCertificates: null,
enabledSslProtocols: SslProtocols.Tls12, checkCertificateRevocation: false);
return ssl;
}
/// <summary>Plaintext: Hello (good secret) is accepted and a ReadRaw request is echoed back.</summary>
[Fact]
public async Task Plaintext_RoundTrip_HelloAcceptedAndRequestEchoed()
{
using var cts = new CancellationTokenSource(Timeout);
using var server = new TcpFrameServer(IPAddress.Loopback, 0, "shh", tlsCert: null, Quiet);
var serverTask = server.RunOneConnectionAsync(new EchoHandler(), cts.Token);
using var client = new TcpClient();
await client.ConnectAsync(IPAddress.Loopback, server.BoundPort);
var stream = client.GetStream();
var ack = await HelloAsync(stream, "shh", cts.Token);
ack.Accepted.ShouldBeTrue();
using var writer = new FrameWriter(stream, leaveOpen: true);
using var reader = new FrameReader(stream, leaveOpen: true);
await writer.WriteAsync(MessageKind.ReadRawRequest,
new ReadRawRequest { TagName = "Tank.Level", MaxValues = 10, CorrelationId = "corr-1" }, cts.Token);
var replyFrame = await reader.ReadFrameAsync(cts.Token);
replyFrame.ShouldNotBeNull();
replyFrame!.Value.Kind.ShouldBe(MessageKind.ReadRawReply);
var reply = MessagePackSerializer.Deserialize<ReadRawReply>(replyFrame.Value.Body);
reply.Success.ShouldBeTrue();
reply.CorrelationId.ShouldBe("corr-1");
reply.Samples.Length.ShouldBe(1);
MessagePackSerializer.Deserialize<double>(reply.Samples[0].ValueBytes!).ShouldBe(42.0);
client.Close();
await serverTask;
}
/// <summary>TLS: a self-signed server cert; the client pins its thumbprint; same exchange succeeds.</summary>
[Fact]
public async Task Tls_RoundTrip_HelloAcceptedAndRequestEchoed()
{
using var cts = new CancellationTokenSource(Timeout);
using var cert = MakeSelfSignedCert();
using var server = new TcpFrameServer(IPAddress.Loopback, 0, "shh", tlsCert: cert, Quiet);
var serverTask = server.RunOneConnectionAsync(new EchoHandler(), cts.Token);
using var client = new TcpClient();
await client.ConnectAsync(IPAddress.Loopback, server.BoundPort);
using var ssl = await ClientTlsAsync(client.GetStream(), cert.Thumbprint, cts.Token);
var ack = await HelloAsync(ssl, "shh", cts.Token);
ack.Accepted.ShouldBeTrue();
using var writer = new FrameWriter(ssl, leaveOpen: true);
using var reader = new FrameReader(ssl, leaveOpen: true);
await writer.WriteAsync(MessageKind.ReadRawRequest,
new ReadRawRequest { TagName = "Tank.Level", MaxValues = 10, CorrelationId = "tls-1" }, cts.Token);
var replyFrame = await reader.ReadFrameAsync(cts.Token);
replyFrame.ShouldNotBeNull();
replyFrame!.Value.Kind.ShouldBe(MessageKind.ReadRawReply);
var reply = MessagePackSerializer.Deserialize<ReadRawReply>(replyFrame.Value.Body);
reply.Success.ShouldBeTrue();
reply.CorrelationId.ShouldBe("tls-1");
client.Close();
await serverTask;
}
/// <summary>Bad secret: Hello is rejected with Accepted=false and the shared-secret-mismatch reason.</summary>
[Fact]
public async Task BadSecret_HelloRejected()
{
using var cts = new CancellationTokenSource(Timeout);
using var server = new TcpFrameServer(IPAddress.Loopback, 0, "right-secret", tlsCert: null, Quiet);
var serverTask = server.RunOneConnectionAsync(new EchoHandler(), cts.Token);
using var client = new TcpClient();
await client.ConnectAsync(IPAddress.Loopback, server.BoundPort);
var ack = await HelloAsync(client.GetStream(), "wrong-secret", cts.Token);
ack.Accepted.ShouldBeFalse();
ack.RejectReason.ShouldBe("shared-secret-mismatch");
client.Close();
await serverTask;
}
/// <summary>
/// Single-active serial accept: while client A is connected (Hello done), client B's
/// Hello does not complete until A disconnects. The server only accepts one connection
/// per <see cref="TcpFrameServer.RunOneConnectionAsync"/>, so B's handshake is served by
/// the second loop iteration that runs only after A's connection ends.
/// </summary>
[Fact]
public async Task SingleActive_SecondClientHelloCompletesOnlyAfterFirstCloses()
{
using var cts = new CancellationTokenSource(Timeout);
using var server = new TcpFrameServer(IPAddress.Loopback, 0, "shh", tlsCert: null, Quiet);
// Run the server loop: it accepts one connection at a time, serially.
var serverLoop = server.RunAsync(new EchoHandler(), cts.Token);
// Client A connects and completes its Hello — it now owns the single active slot.
using var clientA = new TcpClient();
await clientA.ConnectAsync(IPAddress.Loopback, server.BoundPort);
var ackA = await HelloAsync(clientA.GetStream(), "shh", cts.Token);
ackA.Accepted.ShouldBeTrue();
// Client B connects. The TCP connect may complete (OS backlog) but the server is still
// busy with A, so B's Hello round-trip must NOT complete yet.
using var clientB = new TcpClient();
await clientB.ConnectAsync(IPAddress.Loopback, server.BoundPort);
var bHelloTask = HelloAsync(clientB.GetStream(), "shh", cts.Token);
// Give B a chance to (wrongly) complete — it must remain pending while A is connected.
var earlyWinner = await Task.WhenAny(bHelloTask, Task.Delay(TimeSpan.FromMilliseconds(500), cts.Token));
earlyWinner.ShouldNotBe(bHelloTask, "client B's Hello completed while client A was still connected");
// Now disconnect A. The server's next loop iteration accepts B and serves its Hello.
clientA.Close();
var ackB = await bHelloTask;
ackB.Accepted.ShouldBeTrue();
// Tear down: cancel the loop and let it unwind.
cts.Cancel();
try { await serverLoop; } catch (OperationCanceledException) { /* expected */ }
}
}