chore: organize solution into module folders (Core/Server/Drivers/Client/Tooling)

Group all 69 projects into category subfolders under src/ and tests/ so the Rider Solution Explorer mirrors the module structure. Folders: Core, Server, Drivers (with a nested Driver CLIs subfolder), Client, Tooling. - Move every project folder on disk with git mv (history preserved as renames). - Recompute relative paths in 57 .csproj files: cross-category ProjectReferences, the lib/ HintPath+None refs in Driver.Historian.Wonderware, and the external mxaccessgw refs in Driver.Galaxy and its test project. - Rebuild ZB.MOM.WW.OtOpcUa.slnx with nested solution folders. - Re-prefix project paths in functional scripts (e2e, compliance, smoke SQL, integration, install). Build green (0 errors); unit tests pass. Docs left for a separate pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-17 01:55:28 -04:00
parent 69f02fed7f
commit a25593a9c6
1044 changed files with 365 additions and 343 deletions
--- a/tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/MonitoredItemGatingTests.cs
+++ b/tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/MonitoredItemGatingTests.cs
@@ -0,0 +1,146 @@
+using Opc.Ua;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
+using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
+using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
+using ZB.MOM.WW.OtOpcUa.Core.Authorization;
+using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+/// <summary>
+///     Unit tests for <see cref="DriverNodeManager.GateMonitoredItemCreateRequests"/> —
+///     Phase 6.2 Stream C per-item subscription gating. Pre-populates the errors array
+///     with <see cref="StatusCodes.BadUserAccessDenied"/> for denied items; base stack
+///     honours the pre-set error and skips the item.
+/// </summary>
+[Trait("Category", "Unit")]
+public sealed class MonitoredItemGatingTests
+{
+    [Fact]
+    public void Gate_null_leaves_errors_untouched()
+    {
+        var items = new List<MonitoredItemCreateRequest> { NewRequest("c1/area/line/eq/tag1") };
+        var errors = new List<ServiceResult> { (ServiceResult)null! };
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, new UserIdentity(), gate: null, scopeResolver: null);
+
+        errors[0].ShouldBeNull();
+    }
+
+    [Fact]
+    public void Denied_item_gets_BadUserAccessDenied()
+    {
+        var items = new List<MonitoredItemCreateRequest> { NewRequest("c1/area/line/eq/tag1") };
+        var errors = new List<ServiceResult> { (ServiceResult)null! };
+        var gate = MakeGate(strict: true, rows: []); // no grants → deny
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice"), gate, new NodeScopeResolver("c1"));
+
+        ServiceResult.IsBad(errors[0]).ShouldBeTrue();
+        errors[0].StatusCode.ShouldBe((StatusCode)StatusCodes.BadUserAccessDenied);
+    }
+
+    [Fact]
+    public void Allowed_item_is_not_touched()
+    {
+        var items = new List<MonitoredItemCreateRequest> { NewRequest("c1/area/line/eq/tag1") };
+        var errors = new List<ServiceResult> { (ServiceResult)null! };
+        var gate = MakeGate(strict: true, rows: [Row("grp-ops", NodePermissions.Subscribe)]);
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice", "grp-ops"), gate, new NodeScopeResolver("c1"));
+
+        errors[0].ShouldBeNull();
+    }
+
+    [Fact]
+    public void Mixed_batch_denies_per_item()
+    {
+        var items = new List<MonitoredItemCreateRequest>
+        {
+            NewRequest("c1/area/line/eq/tagA"),
+            NewRequest("c1/area/line/eq/tagB"),
+        };
+        var errors = new List<ServiceResult> { (ServiceResult)null!, (ServiceResult)null! };
+        // Grant Browse not CreateMonitoredItems → still denied for this op
+        var gate = MakeGate(strict: true, rows: [Row("grp-ops", NodePermissions.Browse)]);
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice", "grp-ops"), gate, new NodeScopeResolver("c1"));
+
+        ServiceResult.IsBad(errors[0]).ShouldBeTrue();
+        ServiceResult.IsBad(errors[1]).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void Pre_populated_error_is_preserved()
+    {
+        // Base stack may have already flagged an item (e.g. BadNodeIdUnknown). The gate
+        // must not overwrite that with a generic BadUserAccessDenied — the first diagnosis
+        // wins.
+        var items = new List<MonitoredItemCreateRequest> { NewRequest("c1/area/line/eq/tag1") };
+        var errors = new List<ServiceResult> { new(StatusCodes.BadNodeIdUnknown) };
+        var gate = MakeGate(strict: true, rows: []);
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice"), gate, new NodeScopeResolver("c1"));
+
+        errors[0].StatusCode.ShouldBe((StatusCode)StatusCodes.BadNodeIdUnknown);
+    }
+
+    [Fact]
+    public void Non_string_identifier_bypasses_the_gate()
+    {
+        // Numeric-id references (standard-type nodes) aren't keyed into the authz trie.
+        var items = new List<MonitoredItemCreateRequest>
+        {
+            new() { ItemToMonitor = new ReadValueId { NodeId = new NodeId(62u) } },
+        };
+        var errors = new List<ServiceResult> { (ServiceResult)null! };
+        var gate = MakeGate(strict: true, rows: []);
+
+        DriverNodeManager.GateMonitoredItemCreateRequests(items, errors, NewIdentity("alice"), gate, new NodeScopeResolver("c1"));
+
+        errors[0].ShouldBeNull("numeric-id references bypass the gate");
+    }
+
+    // ---- helpers -----------------------------------------------------------
+
+    private static MonitoredItemCreateRequest NewRequest(string fullRef) => new()
+    {
+        ItemToMonitor = new ReadValueId { NodeId = new NodeId(fullRef, 2) },
+    };
+
+    private static NodeAcl Row(string group, NodePermissions flags) => new()
+    {
+        NodeAclRowId = Guid.NewGuid(),
+        NodeAclId = Guid.NewGuid().ToString(),
+        GenerationId = 1,
+        ClusterId = "c1",
+        LdapGroup = group,
+        ScopeKind = NodeAclScopeKind.Cluster,
+        ScopeId = null,
+        PermissionFlags = flags,
+    };
+
+    private static AuthorizationGate MakeGate(bool strict, NodeAcl[] rows)
+    {
+        var cache = new PermissionTrieCache();
+        cache.Install(PermissionTrieBuilder.Build("c1", 1, rows));
+        var evaluator = new TriePermissionEvaluator(cache);
+        return new AuthorizationGate(evaluator, strictMode: strict);
+    }
+
+    private static IUserIdentity NewIdentity(string name, params string[] groups) => new FakeIdentity(name, groups);
+
+    private sealed class FakeIdentity : UserIdentity, ILdapGroupsBearer
+    {
+        public FakeIdentity(string name, IReadOnlyList<string> groups)
+        {
+            DisplayName = name;
+            LdapGroups = groups;
+        }
+        public new string DisplayName { get; }
+        public IReadOnlyList<string> LdapGroups { get; }
+    }
+}