fix(server): resolve High code-review findings (Server-002, Server-009)

Server-002 — AuthorizationGate lax-mode no longer overrides explicit deny. IsAllowed now switches on the evaluator's AuthorizationVerdict: Allow -> true, Denied (an authored deny rule matched) -> false in BOTH strict and lax mode, and only the indeterminate NotGranted case falls through to !_strictMode. Previously `if (decision.IsAllowed) return true; return !_strictMode;` let lax mode (the default) nullify authored NodeAcl deny rules for fully-resolved sessions. The tri-state AuthorizationVerdict.Denied member is now honoured. Server-009 — LDAP is secure-by-default. LdapOptions.AllowInsecureLdap now defaults to false (was true) and Program.cs's config fallback reads `?? false` (was `?? true`), so an LDAP-enabled deployment will not bind credentials over an unencrypted socket unless an operator explicitly opts in. Program.cs also logs a startup warning when LDAP is enabled with UseTls=false and AllowInsecureLdap=true, flagging the clear-text server->LDAP credential hop. Regression tests: AuthorizationGateTests covers all four verdict x mode combinations via a fixed-verdict evaluator stub; new LdapOptionsTests asserts the secure defaults. Both Server and Server.Tests build clean; the 15 targeted tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-05-22 06:08:50 -04:00
parent 7bb21c2aa2
commit adf794f791
6 changed files with 121 additions and 10 deletions
--- a/tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/AuthorizationGateTests.cs
+++ b/tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/AuthorizationGateTests.cs
@@ -133,4 +133,52 @@ public sealed class AuthorizationGateTests

        gate.BuildSessionState(new UserIdentity(), "c1").ShouldBeNull();
    }
+
+    /// <summary>Evaluator stub that always returns a fixed verdict — lets the gate's
+    /// verdict handling be exercised independent of the trie evaluator (which only ever
+    /// produces Allow / NotGranted).</summary>
+    private sealed class FixedVerdictEvaluator(AuthorizationVerdict verdict) : IPermissionEvaluator
+    {
+        public AuthorizationDecision Authorize(UserAuthorizationState session, OpcUaOperation operation, NodeScope scope)
+            => new(verdict, []);
+    }
+
+    // Server-002 regression: an explicit Denied verdict must be honoured in BOTH modes —
+    // the lax-mode fallback covers only the indeterminate (NotGranted) case.
+
+    [Fact]
+    public void ExplicitDeny_LaxMode_Denies()
+    {
+        var gate = new AuthorizationGate(new FixedVerdictEvaluator(AuthorizationVerdict.Denied), strictMode: false);
+        var identity = new FakeIdentity("ops-user", ["cn=ops"]);
+
+        gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void ExplicitDeny_StrictMode_Denies()
+    {
+        var gate = new AuthorizationGate(new FixedVerdictEvaluator(AuthorizationVerdict.Denied), strictMode: true);
+        var identity = new FakeIdentity("ops-user", ["cn=ops"]);
+
+        gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
+    }
+
+    [Fact]
+    public void NotGranted_LaxMode_Allows()
+    {
+        var gate = new AuthorizationGate(new FixedVerdictEvaluator(AuthorizationVerdict.NotGranted), strictMode: false);
+        var identity = new FakeIdentity("ops-user", ["cn=ops"]);
+
+        gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeTrue();
+    }
+
+    [Fact]
+    public void NotGranted_StrictMode_Denies()
+    {
+        var gate = new AuthorizationGate(new FixedVerdictEvaluator(AuthorizationVerdict.NotGranted), strictMode: true);
+        var identity = new FakeIdentity("ops-user", ["cn=ops"]);
+
+        gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
+    }
 }
--- a/tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/LdapOptionsTests.cs
+++ b/tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/LdapOptionsTests.cs
@@ -0,0 +1,31 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class LdapOptionsTests
+{
+    // Server-009 regression: the out-of-the-box posture must be secure. AllowInsecureLdap
+    // is a dev-only escape hatch — a deployment that enables LDAP without explicitly
+    // opting in must not bind credentials over an unencrypted socket.
+
+    [Fact]
+    public void AllowInsecureLdap_DefaultsToFalse()
+    {
+        new LdapOptions().AllowInsecureLdap.ShouldBeFalse();
+    }
+
+    [Fact]
+    public void UseTls_DefaultsToFalse_SoInsecureBindRequiresExplicitOptIn()
+    {
+        // UseTls=false on its own is fine — without AllowInsecureLdap the bind path
+        // refuses to send plaintext credentials. The two flags together are the only
+        // way to reach the insecure path, and both must be set deliberately.
+        var options = new LdapOptions();
+
+        options.UseTls.ShouldBeFalse();
+        options.AllowInsecureLdap.ShouldBeFalse();
+    }
+}