dohertj2/lmxopcua
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Consolidate LDAP roles into OPC UA session roles with granular write permissions

Browse Source 
Map LDAP groups to custom OPC UA role NodeIds on RoleBasedIdentity.GrantedRoleIds
during authentication, replacing the username-to-role side cache. Split ReadWrite
into WriteOperate/WriteTune/WriteConfigure so write access is gated per Galaxy
security classification. AnonymousCanWrite now behaves consistently regardless
of LDAP state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Joseph Doherty
2026-03-29 01:50:16 -04:00
parent 50b9603465
commit 50b85d41bd
21 changed files with 549 additions and 94 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
tests/ZB.MOM.WW.LmxOpcUa.Tests/Authentication/UserAuthenticationTests.cs
View File

@@ -27,7 +27,9 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Authentication
config.Ldap.Port.ShouldBe(3893);
config.Ldap.BaseDN.ShouldBe("dc=lmxopcua,dc=local");
config.Ldap.ReadOnlyGroup.ShouldBe("ReadOnly");
config.Ldap.ReadWriteGroup.ShouldBe("ReadWrite");
config.Ldap.WriteOperateGroup.ShouldBe("WriteOperate");
config.Ldap.WriteTuneGroup.ShouldBe("WriteTune");
config.Ldap.WriteConfigureGroup.ShouldBe("WriteConfigure");
config.Ldap.AlarmAckGroup.ShouldBe("AlarmAck");
config.Ldap.TimeoutSeconds.ShouldBe(5);
}
@@ -101,7 +103,7 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Authentication
provider.ValidateCredentials("readonly", "readonly123").ShouldBeTrue();
var roles = provider.GetUserRoles("readonly");
roles.ShouldContain("ReadOnly");
roles.ShouldNotContain("ReadWrite");
roles.ShouldNotContain("WriteOperate");
roles.ShouldNotContain("AlarmAck");
}
catch (System.Exception)
@@ -111,16 +113,16 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Authentication
}
[Fact]
public void LdapAuthenticationProvider_ReadWriteUser_HasReadWriteRole()
public void LdapAuthenticationProvider_WriteOperateUser_HasWriteOperateRole()
{
var ldapConfig = CreateGlAuthConfig();
var provider = new LdapAuthenticationProvider(ldapConfig);
try
{
provider.ValidateCredentials("readwrite", "readwrite123").ShouldBeTrue();
var roles = provider.GetUserRoles("readwrite");
roles.ShouldContain("ReadWrite");
provider.ValidateCredentials("writeop", "writeop123").ShouldBeTrue();
var roles = provider.GetUserRoles("writeop");
roles.ShouldContain("WriteOperate");
roles.ShouldNotContain("AlarmAck");
}
catch (System.Exception)
@@ -140,7 +142,7 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Authentication
provider.ValidateCredentials("alarmack", "alarmack123").ShouldBeTrue();
var roles = provider.GetUserRoles("alarmack");
roles.ShouldContain("AlarmAck");
roles.ShouldNotContain("ReadWrite");
roles.ShouldNotContain("WriteOperate");
}
catch (System.Exception)
{
@@ -159,7 +161,9 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Authentication
provider.ValidateCredentials("admin", "admin123").ShouldBeTrue();
var roles = provider.GetUserRoles("admin");
roles.ShouldContain("ReadOnly");
roles.ShouldContain("ReadWrite");
roles.ShouldContain("WriteOperate");
roles.ShouldContain("WriteTune");
roles.ShouldContain("WriteConfigure");
roles.ShouldContain("AlarmAck");
}
catch (System.Exception)
@@ -223,7 +227,9 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Authentication
ServiceAccountPassword = "serviceaccount123",
TimeoutSeconds = 5,
ReadOnlyGroup = "ReadOnly",
ReadWriteGroup = "ReadWrite",
WriteOperateGroup = "WriteOperate",
WriteTuneGroup = "WriteTune",
WriteConfigureGroup = "WriteConfigure",
AlarmAckGroup = "AlarmAck"
};
}

36
tests/ZB.MOM.WW.LmxOpcUa.Tests/Helpers/FakeAuthenticationProvider.cs Normal file
View File

@@ -0,0 +1,36 @@
using System;
using System.Collections.Generic;
using ZB.MOM.WW.LmxOpcUa.Host.Domain;
namespace ZB.MOM.WW.LmxOpcUa.Tests.Helpers
{
/// <summary>
/// Deterministic authentication provider for integration tests.
/// Validates credentials against hardcoded username/password pairs
/// and returns configured role sets per user.
/// </summary>
internal class FakeAuthenticationProvider : IUserAuthenticationProvider, IRoleProvider
{
private readonly Dictionary<string, string> _credentials =
new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
private readonly Dictionary<string, IReadOnlyList<string>> _roles =
new Dictionary<string, IReadOnlyList<string>>(StringComparer.OrdinalIgnoreCase);
public FakeAuthenticationProvider AddUser(string username, string password, params string[] roles)
{
_credentials[username] = password;
_roles[username] = roles;
return this;
}
public bool ValidateCredentials(string username, string password)
{
return _credentials.TryGetValue(username, out var expected) && expected == password;
}
public IReadOnlyList<string> GetUserRoles(string username)
{
return _roles.TryGetValue(username, out var roles) ? roles : new[] { AppRoles.ReadOnly };
}
}
}

9
tests/ZB.MOM.WW.LmxOpcUa.Tests/Helpers/OpcUaServerFixture.cs
View File

@@ -3,6 +3,7 @@ using System.Threading.Tasks;
using Xunit;
using ZB.MOM.WW.LmxOpcUa.Host;
using ZB.MOM.WW.LmxOpcUa.Host.Configuration;
using ZB.MOM.WW.LmxOpcUa.Host.Domain;
namespace ZB.MOM.WW.LmxOpcUa.Tests.Helpers
{
@@ -120,7 +121,9 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Helpers
SecurityProfileConfiguration? security = null,
RedundancyConfiguration? redundancy = null,
string? applicationUri = null,
string? serverName = null)
string? serverName = null,
AuthenticationConfiguration? authConfig = null,
IUserAuthenticationProvider? authProvider = null)
{
var client = mxClient ?? new FakeMxAccessClient();
var r = repo ?? new FakeGalaxyRepository
@@ -142,6 +145,10 @@ namespace ZB.MOM.WW.LmxOpcUa.Tests.Helpers
builder.WithApplicationUri(applicationUri);
if (serverName != null)
builder.WithGalaxyName(serverName);
if (authConfig != null)
builder.WithAuthentication(authConfig);
if (authProvider != null)
builder.WithAuthProvider(authProvider);
return new OpcUaServerFixture(builder, repo: r, mxClient: client);
}

188
tests/ZB.MOM.WW.LmxOpcUa.Tests/Integration/PermissionEnforcementTests.cs Normal file
View File

@@ -0,0 +1,188 @@
using System.Threading.Tasks;
using Opc.Ua;
using Shouldly;
using Xunit;
using ZB.MOM.WW.LmxOpcUa.Host.Configuration;
using ZB.MOM.WW.LmxOpcUa.Host.Domain;
using ZB.MOM.WW.LmxOpcUa.Tests.Helpers;
namespace ZB.MOM.WW.LmxOpcUa.Tests.Integration
{
public class PermissionEnforcementTests
{
private static FakeAuthenticationProvider CreateTestAuthProvider()
{
return new FakeAuthenticationProvider()
.AddUser("readonly", "readonly123", AppRoles.ReadOnly)
.AddUser("writeop", "writeop123", AppRoles.WriteOperate)
.AddUser("writetune", "writetune123", AppRoles.WriteTune)
.AddUser("writeconfig", "writeconfig123", AppRoles.WriteConfigure)
.AddUser("alarmack", "alarmack123", AppRoles.AlarmAck)
.AddUser("admin", "admin123", AppRoles.ReadOnly, AppRoles.WriteOperate, AppRoles.WriteTune, AppRoles.WriteConfigure, AppRoles.AlarmAck);
}
private static AuthenticationConfiguration CreateAuthConfig(bool anonymousCanWrite = false)
{
return new AuthenticationConfiguration
{
AllowAnonymous = true,
AnonymousCanWrite = anonymousCanWrite
};
}
[Fact]
public async Task AnonymousRead_Allowed()
{
var mxClient = new FakeMxAccessClient();
mxClient.TagValues["TestMachine_001.MachineID"] = Vtq.Good("hello");
var fixture = OpcUaServerFixture.WithFakeMxAccessClient(
mxClient: mxClient,
authConfig: CreateAuthConfig(),
authProvider: CreateTestAuthProvider());
await fixture.InitializeAsync();
try
{
using var client = new OpcUaTestClient();
await client.ConnectAsync(fixture.EndpointUrl);
var result = client.Read(client.MakeNodeId("TestMachine_001.MachineID"));
result.StatusCode.ShouldNotBe(StatusCodes.BadUserAccessDenied);
}
finally { await fixture.DisposeAsync(); }
}
[Fact]
public async Task AnonymousWrite_Denied_WhenAnonymousCanWriteFalse()
{
var fixture = OpcUaServerFixture.WithFakeMxAccessClient(
authConfig: CreateAuthConfig(anonymousCanWrite: false),
authProvider: CreateTestAuthProvider());
await fixture.InitializeAsync();
try
{
using var client = new OpcUaTestClient();
await client.ConnectAsync(fixture.EndpointUrl);
var status = client.Write(client.MakeNodeId("TestMachine_001.MachineID"), "test");
status.Code.ShouldBe(StatusCodes.BadUserAccessDenied);
}
finally { await fixture.DisposeAsync(); }
}
[Fact]
public async Task AnonymousWrite_Allowed_WhenAnonymousCanWriteTrue()
{
var mxClient = new FakeMxAccessClient();
mxClient.TagValues["TestMachine_001.MachineID"] = Vtq.Good("initial");
var fixture = OpcUaServerFixture.WithFakeMxAccessClient(
mxClient: mxClient,
authConfig: CreateAuthConfig(anonymousCanWrite: true),
authProvider: CreateTestAuthProvider());
await fixture.InitializeAsync();
try
{
using var client = new OpcUaTestClient();
await client.ConnectAsync(fixture.EndpointUrl);
var status = client.Write(client.MakeNodeId("TestMachine_001.MachineID"), "test");
status.Code.ShouldNotBe(StatusCodes.BadUserAccessDenied);
}
finally { await fixture.DisposeAsync(); }
}
[Fact]
public async Task ReadOnlyUser_Write_Denied()
{
var fixture = OpcUaServerFixture.WithFakeMxAccessClient(
authConfig: CreateAuthConfig(),
authProvider: CreateTestAuthProvider());
await fixture.InitializeAsync();
try
{
using var client = new OpcUaTestClient();
await client.ConnectAsync(fixture.EndpointUrl, username: "readonly", password: "readonly123");
var status = client.Write(client.MakeNodeId("TestMachine_001.MachineID"), "test");
status.Code.ShouldBe(StatusCodes.BadUserAccessDenied);
}
finally { await fixture.DisposeAsync(); }
}
[Fact]
public async Task WriteOperateUser_Write_Allowed()
{
var mxClient = new FakeMxAccessClient();
mxClient.TagValues["TestMachine_001.MachineID"] = Vtq.Good("initial");
var fixture = OpcUaServerFixture.WithFakeMxAccessClient(
mxClient: mxClient,
authConfig: CreateAuthConfig(),
authProvider: CreateTestAuthProvider());
await fixture.InitializeAsync();
try
{
using var client = new OpcUaTestClient();
await client.ConnectAsync(fixture.EndpointUrl, username: "writeop", password: "writeop123");
var status = client.Write(client.MakeNodeId("TestMachine_001.MachineID"), "test");
status.Code.ShouldNotBe(StatusCodes.BadUserAccessDenied);
}
finally { await fixture.DisposeAsync(); }
}
[Fact]
public async Task AlarmAckOnlyUser_Write_Denied()
{
var fixture = OpcUaServerFixture.WithFakeMxAccessClient(
authConfig: CreateAuthConfig(),
authProvider: CreateTestAuthProvider());
await fixture.InitializeAsync();
try
{
using var client = new OpcUaTestClient();
await client.ConnectAsync(fixture.EndpointUrl, username: "alarmack", password: "alarmack123");
var status = client.Write(client.MakeNodeId("TestMachine_001.MachineID"), "test");
status.Code.ShouldBe(StatusCodes.BadUserAccessDenied);
}
finally { await fixture.DisposeAsync(); }
}
[Fact]
public async Task AdminUser_Write_Allowed()
{
var mxClient = new FakeMxAccessClient();
mxClient.TagValues["TestMachine_001.MachineID"] = Vtq.Good("initial");
var fixture = OpcUaServerFixture.WithFakeMxAccessClient(
mxClient: mxClient,
authConfig: CreateAuthConfig(),
authProvider: CreateTestAuthProvider());
await fixture.InitializeAsync();
try
{
using var client = new OpcUaTestClient();
await client.ConnectAsync(fixture.EndpointUrl, username: "admin", password: "admin123");
var status = client.Write(client.MakeNodeId("TestMachine_001.MachineID"), "test");
status.Code.ShouldNotBe(StatusCodes.BadUserAccessDenied);
}
finally { await fixture.DisposeAsync(); }
}
[Fact]
public async Task InvalidPassword_ConnectionRejected()
{
var fixture = OpcUaServerFixture.WithFakeMxAccessClient(
authConfig: CreateAuthConfig(),
authProvider: CreateTestAuthProvider());
await fixture.InitializeAsync();
try
{
using var client = new OpcUaTestClient();
await Should.ThrowAsync<ServiceResultException>(async () =>
await client.ConnectAsync(fixture.EndpointUrl, username: "readonly", password: "wrongpassword"));
}
finally { await fixture.DisposeAsync(); }
}
}
}