Phase 6.2 Stream C — CreateMonitoredItems per-item gating

Closes task #121 (partial — creation-time gate; decision #153 per-item revocation stamp is a follow-up). Before this commit a session could subscribe to any node via CreateMonitoredItems, even nodes where Read was denied — the subscription would surface BadUserAccessDenied on each data-change read, but the client saw a successful CreateMonitoredItems response and held the subscription open, wasting resources and leaking the address-space shape through the item metadata. New override on DriverNodeManager.CreateMonitoredItems: - Pre-iterates itemsToCreate, gates each through AuthorizationGate with OpcUaOperation.CreateMonitoredItems at the target node's scope. - For denied slots: sets errors[i] = new ServiceResult( StatusCodes.BadUserAccessDenied). The OPC Foundation base stack honours pre-populated non-success errors and skips item creation for those slots — the subscription never holds a handle to a denied node. - Preserves prior errors (e.g. BadNodeIdUnknown) — first diagnosis wins. - Non-string-identifier references (stack-synthesized numeric ids) bypass the gate. Extracted the pure filter logic into GateMonitoredItemCreateRequests(items, errors, identity, gate, scopeResolver) — static internal, unit-testable without the OPC UA server stack. Tests — 6 new in MonitoredItemGatingTests.cs (gate-null no-op, denied-gets-BadUserAccessDenied, allowed-passes, mixed-batch-denies- per-item, pre-populated-error-preserved, numeric-id-bypass). Server.Tests 263 → 269. Known follow-ups: - Per-item (AuthGenerationId, MembershipVersion) stamp (decision #153) for detecting revocation mid-subscription — needs subscription-layer plumbing. - TransferSubscriptions not yet wired (same pattern, smaller scope). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 15:17:40 -04:00
parent e8b8541554
commit 6a6b0f56f2
3 changed files with 217 additions and 1 deletions
--- a/src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs
+++ b/src/ZB.MOM.WW.OtOpcUa.Server/OpcUa/DriverNodeManager.cs
@@ -312,6 +312,76 @@ public sealed class DriverNodeManager : CustomNodeManager2, IAddressSpaceBuilder
        FilterBrowseReferences(references, context.UserIdentity, _authzGate, _scopeResolver);
    }

+    /// <summary>
+    ///     Phase 6.2 Stream C — Subscribe/MonitoredItems gating. Pre-populates
+    ///     <paramref name="errors"/> slots with <see cref="StatusCodes.BadUserAccessDenied"/>
+    ///     for any monitored-item request whose target node the session can't
+    ///     <see cref="OpcUaOperation.CreateMonitoredItems"/> on, then delegates to the base
+    ///     implementation. The OPC Foundation stack honours pre-populated non-success error
+    ///     slots and skips creation for those items.
+    /// </summary>
+    /// <remarks>
+    ///     <para>
+    ///         Decision #153 per-item ACL stamping (so a revoked grant on a running
+    ///         subscription surfaces <c>BadUserAccessDenied</c> on the next publish cycle
+    ///         rather than continuing to stream data) is a follow-up — it needs the
+    ///         subscription layer to plumb <c>(AuthGenerationId, MembershipVersion)</c>
+    ///         through per monitored item + re-evaluate on every publish. The current
+    ///         filter catches creation-time denials, which is the common case.
+    ///     </para>
+    /// </remarks>
+    public override void CreateMonitoredItems(
+        OperationContext context,
+        uint subscriptionId,
+        double publishingInterval,
+        TimestampsToReturn timestampsToReturn,
+        IList<MonitoredItemCreateRequest> itemsToCreate,
+        IList<ServiceResult> errors,
+        IList<MonitoringFilterResult> filterResults,
+        IList<IMonitoredItem> monitoredItems,
+        ref long globalIdCounter)
+    {
+        GateMonitoredItemCreateRequests(
+            itemsToCreate, errors, context.UserIdentity, _authzGate, _scopeResolver);
+
+        base.CreateMonitoredItems(
+            context, subscriptionId, publishingInterval, timestampsToReturn,
+            itemsToCreate, errors, filterResults, monitoredItems, ref globalIdCounter);
+    }
+
+    /// <summary>
+    ///     Pure-function gate for a batch of <see cref="MonitoredItemCreateRequest"/>.
+    ///     Sets <paramref name="errors"/>[i] to <see cref="StatusCodes.BadUserAccessDenied"/>
+    ///     for every slot whose target node's scope the session isn't allowed to
+    ///     <see cref="OpcUaOperation.CreateMonitoredItems"/> on. No-op when
+    ///     <paramref name="gate"/> or <paramref name="scopeResolver"/> is null (matches the
+    ///     pre-Phase-6.2 no-authz dispatch). Extracted for unit-testability without the
+    ///     full OPC UA server stack.
+    /// </summary>
+    internal static void GateMonitoredItemCreateRequests(
+        IList<MonitoredItemCreateRequest> itemsToCreate,
+        IList<ServiceResult> errors,
+        IUserIdentity? userIdentity,
+        AuthorizationGate? gate,
+        NodeScopeResolver? scopeResolver)
+    {
+        if (gate is null || scopeResolver is null) return;
+        if (itemsToCreate.Count == 0) return;
+
+        for (var i = 0; i < itemsToCreate.Count; i++)
+        {
+            // Only slots the caller has't already flagged — preserve earlier per-item
+            // errors (e.g. BadNodeIdUnknown the stack might have filled in).
+            if (errors[i] is not null && ServiceResult.IsBad(errors[i])) continue;
+
+            if (itemsToCreate[i].ItemToMonitor.NodeId.Identifier is not string fullRef) continue;
+
+            var scope = scopeResolver.Resolve(fullRef);
+            if (!gate.IsAllowed(userIdentity, OpcUaOperation.CreateMonitoredItems, scope))
+                errors[i] = new ServiceResult(StatusCodes.BadUserAccessDenied);
+        }
+    }
+
    /// <summary>
    ///     Pure-function filter over a <see cref="ReferenceDescription"/> list. Extracted so
    ///     the Browse-gate policy is unit-testable without standing up the OPC UA server