dohertj2/lmxopcua
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(server): resolve High code-review findings (Server-002, Server-009)

Browse Source 
Server-002 — AuthorizationGate lax-mode no longer overrides explicit deny.
IsAllowed now switches on the evaluator's AuthorizationVerdict: Allow -> true,
Denied (an authored deny rule matched) -> false in BOTH strict and lax mode,
and only the indeterminate NotGranted case falls through to !_strictMode.
Previously `if (decision.IsAllowed) return true; return !_strictMode;` let lax
mode (the default) nullify authored NodeAcl deny rules for fully-resolved
sessions. The tri-state AuthorizationVerdict.Denied member is now honoured.

Server-009 — LDAP is secure-by-default. LdapOptions.AllowInsecureLdap now
defaults to false (was true) and Program.cs's config fallback reads `?? false`
(was `?? true`), so an LDAP-enabled deployment will not bind credentials over
an unencrypted socket unless an operator explicitly opts in. Program.cs also
logs a startup warning when LDAP is enabled with UseTls=false and
AllowInsecureLdap=true, flagging the clear-text server->LDAP credential hop.

Regression tests: AuthorizationGateTests covers all four verdict x mode
combinations via a fixed-verdict evaluator stub; new LdapOptionsTests asserts
the secure defaults. Both Server and Server.Tests build clean; the 15 targeted
tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Joseph Doherty
2026-05-22 06:08:50 -04:00
parent 7bb21c2aa2
commit adf794f791
6 changed files with 121 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files
src/Server/ZB.MOM.WW.OtOpcUa.Server/Program.cs
+12 -1
View File
@@ -71,13 +71,24 @@ var ldapOptions = new LdapOptions
Server = ldapSection.GetValue<string>("Server") ?? "localhost",
Port = ldapSection.GetValue<int?>("Port") ?? 3893,
UseTls = ldapSection.GetValue<bool?>("UseTls") ?? false,
AllowInsecureLdap = ldapSection.GetValue<bool?>("AllowInsecureLdap") ?? true,
AllowInsecureLdap = ldapSection.GetValue<bool?>("AllowInsecureLdap") ?? false,
SearchBase = ldapSection.GetValue<string>("SearchBase") ?? "dc=lmxopcua,dc=local",
ServiceAccountDn = ldapSection.GetValue<string>("ServiceAccountDn") ?? string.Empty,
ServiceAccountPassword = ldapSection.GetValue<string>("ServiceAccountPassword") ?? string.Empty,
GroupToRole = ldapSection.GetSection("GroupToRole").Get<Dictionary<string, string>>() ?? new(StringComparer.OrdinalIgnoreCase),
};
// Security: an LDAP bind without TLS sends usernames + plaintext passwords in clear
// text on the server→LDAP hop. AllowInsecureLdap is a dev-only escape hatch; warn
// loudly when a deployment has enabled LDAP and opted into the insecure path.
if (ldapOptions.Enabled && !ldapOptions.UseTls && ldapOptions.AllowInsecureLdap)
{
Log.Warning(
"LDAP authentication is enabled with UseTls=false and AllowInsecureLdap=true — "
+ "credentials are sent in clear text on the server→LDAP hop. Set Ldap:UseTls=true "
+ "(LDAPS) for production deployments.");
}
var opcUaOptions = new OpcUaServerOptions
{
EndpointUrl = opcUaSection.GetValue<string>("EndpointUrl") ?? "opc.tcp://0.0.0.0:4840/OtOpcUa",