fix(server): resolve High code-review findings (Server-002, Server-009)

Server-002 — AuthorizationGate lax-mode no longer overrides explicit deny. IsAllowed now switches on the evaluator's AuthorizationVerdict: Allow -> true, Denied (an authored deny rule matched) -> false in BOTH strict and lax mode, and only the indeterminate NotGranted case falls through to !_strictMode. Previously `if (decision.IsAllowed) return true; return !_strictMode;` let lax mode (the default) nullify authored NodeAcl deny rules for fully-resolved sessions. The tri-state AuthorizationVerdict.Denied member is now honoured. Server-009 — LDAP is secure-by-default. LdapOptions.AllowInsecureLdap now defaults to false (was true) and Program.cs's config fallback reads `?? false` (was `?? true`), so an LDAP-enabled deployment will not bind credentials over an unencrypted socket unless an operator explicitly opts in. Program.cs also logs a startup warning when LDAP is enabled with UseTls=false and AllowInsecureLdap=true, flagging the clear-text server->LDAP credential hop. Regression tests: AuthorizationGateTests covers all four verdict x mode combinations via a fixed-verdict evaluator stub; new LdapOptionsTests asserts the secure defaults. Both Server and Server.Tests build clean; the 15 targeted tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 06:08:50 -04:00
parent 7bb21c2aa2
commit adf794f791
6 changed files with 121 additions and 10 deletions
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Server/Program.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Server/Program.cs
@@ -71,13 +71,24 @@ var ldapOptions = new LdapOptions
    Server = ldapSection.GetValue<string>("Server") ?? "localhost",
    Port = ldapSection.GetValue<int?>("Port") ?? 3893,
    UseTls = ldapSection.GetValue<bool?>("UseTls") ?? false,
-    AllowInsecureLdap = ldapSection.GetValue<bool?>("AllowInsecureLdap") ?? true,
+    AllowInsecureLdap = ldapSection.GetValue<bool?>("AllowInsecureLdap") ?? false,
    SearchBase = ldapSection.GetValue<string>("SearchBase") ?? "dc=lmxopcua,dc=local",
    ServiceAccountDn = ldapSection.GetValue<string>("ServiceAccountDn") ?? string.Empty,
    ServiceAccountPassword = ldapSection.GetValue<string>("ServiceAccountPassword") ?? string.Empty,
    GroupToRole = ldapSection.GetSection("GroupToRole").Get<Dictionary<string, string>>() ?? new(StringComparer.OrdinalIgnoreCase),
 };

+// Security: an LDAP bind without TLS sends usernames + plaintext passwords in clear
+// text on the server→LDAP hop. AllowInsecureLdap is a dev-only escape hatch; warn
+// loudly when a deployment has enabled LDAP and opted into the insecure path.
+if (ldapOptions.Enabled && !ldapOptions.UseTls && ldapOptions.AllowInsecureLdap)
+{
+    Log.Warning(
+        "LDAP authentication is enabled with UseTls=false and AllowInsecureLdap=true — "
+        + "credentials are sent in clear text on the server→LDAP hop. Set Ldap:UseTls=true "
+        + "(LDAPS) for production deployments.");
+}
+
 var opcUaOptions = new OpcUaServerOptions
 {
    EndpointUrl = opcUaSection.GetValue<string>("EndpointUrl") ?? "opc.tcp://0.0.0.0:4840/OtOpcUa",
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Server/Security/AuthorizationGate.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Server/Security/AuthorizationGate.cs
@@ -22,6 +22,12 @@ namespace ZB.MOM.WW.OtOpcUa.Server.Security;
 ///     <c>StrictMode = false</c>, missing cluster tries OR sessions without resolved
 ///     LDAP groups get <c>true</c> so existing deployments keep working while ACLs are
 ///     populated. Flip to strict via <c>Authorization:StrictMode = true</c> in production.</para>
+///
+///     <para>The lax-mode fallback only covers the <i>indeterminate</i> case
+///     (<see cref="AuthorizationVerdict.NotGranted"/> — no grant matched). An explicit
+///     <see cref="AuthorizationVerdict.Denied"/> verdict from an authored deny rule is a
+///     definite decision and is honoured in both strict and lax mode — lax mode never
+///     overrides a deny.</para>
 /// </remarks>
 public sealed class AuthorizationGate
 {
@@ -58,9 +64,20 @@ public sealed class AuthorizationGate
        }

        var decision = _evaluator.Authorize(session, operation, scope);
-        if (decision.IsAllowed) return true;
+        return decision.Verdict switch
+        {
+            // At least one grant matched — allow regardless of mode.
+            AuthorizationVerdict.Allow => true,

-        return !_strictMode;
+            // An authored deny rule matched. This is a definite verdict, not a gap in
+            // the ACLs, so the lax-mode fallback must NOT override it — an explicit
+            // deny denies in both strict and lax mode.
+            AuthorizationVerdict.Denied => false,
+
+            // No grant matched (indeterminate). Strict mode denies; lax mode lets the
+            // dispatch proceed so deployments keep working while ACLs are populated.
+            _ => !_strictMode,
+        };
    }

    /// <summary>
--- a/src/Server/ZB.MOM.WW.OtOpcUa.Server/Security/LdapOptions.cs
+++ b/src/Server/ZB.MOM.WW.OtOpcUa.Server/Security/LdapOptions.cs
@@ -40,8 +40,12 @@ public sealed class LdapOptions
    public int Port { get; init; } = 3893;
    public bool UseTls { get; init; } = false;

-    /// <summary>Dev-only escape hatch — must be false in production.</summary>
-    public bool AllowInsecureLdap { get; init; } = true;
+    /// <summary>
+    ///     Dev-only escape hatch that permits an unencrypted LDAP bind (plaintext credentials on
+    ///     the server→LDAP hop) when <see cref="UseTls"/> is <c>false</c>. Defaults to <c>false</c> —
+    ///     production deployments are secure-by-default and must opt in explicitly to run insecure.
+    /// </summary>
+    public bool AllowInsecureLdap { get; init; } = false;

    public string SearchBase { get; init; } = "dc=lmxopcua,dc=local";
    public string ServiceAccountDn { get; init; } = string.Empty;