dohertj2/lmxopcua
1
0
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

fix(server): resolve High code-review findings (Server-002, Server-009)

Browse Source 
Server-002 — AuthorizationGate lax-mode no longer overrides explicit deny.
IsAllowed now switches on the evaluator's AuthorizationVerdict: Allow -> true,
Denied (an authored deny rule matched) -> false in BOTH strict and lax mode,
and only the indeterminate NotGranted case falls through to !_strictMode.
Previously `if (decision.IsAllowed) return true; return !_strictMode;` let lax
mode (the default) nullify authored NodeAcl deny rules for fully-resolved
sessions. The tri-state AuthorizationVerdict.Denied member is now honoured.

Server-009 — LDAP is secure-by-default. LdapOptions.AllowInsecureLdap now
defaults to false (was true) and Program.cs's config fallback reads `?? false`
(was `?? true`), so an LDAP-enabled deployment will not bind credentials over
an unencrypted socket unless an operator explicitly opts in. Program.cs also
logs a startup warning when LDAP is enabled with UseTls=false and
AllowInsecureLdap=true, flagging the clear-text server->LDAP credential hop.

Regression tests: AuthorizationGateTests covers all four verdict x mode
combinations via a fixed-verdict evaluator stub; new LdapOptionsTests asserts
the secure defaults. Both Server and Server.Tests build clean; the 15 targeted
tests pass.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Joseph Doherty
2026-05-22 06:08:50 -04:00
parent 7bb21c2aa2
commit adf794f791
6 changed files with 121 additions and 10 deletions
Download Patch File Download Diff File Expand all files Collapse all files

31
tests/Server/ZB.MOM.WW.OtOpcUa.Server.Tests/LdapOptionsTests.cs Normal file
View File

@@ -0,0 +1,31 @@
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Server.Security;
namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
[Trait("Category", "Unit")]
public sealed class LdapOptionsTests
{
// Server-009 regression: the out-of-the-box posture must be secure. AllowInsecureLdap
// is a dev-only escape hatch — a deployment that enables LDAP without explicitly
// opting in must not bind credentials over an unencrypted socket.
[Fact]
public void AllowInsecureLdap_DefaultsToFalse()
{
new LdapOptions().AllowInsecureLdap.ShouldBeFalse();
}
[Fact]
public void UseTls_DefaultsToFalse_SoInsecureBindRequiresExplicitOptIn()
{
// UseTls=false on its own is fine — without AllowInsecureLdap the bind path
// refuses to send plaintext credentials. The two flags together are the only
// way to reach the insecure path, and both must be set deliberately.
var options = new LdapOptions();
options.UseTls.ShouldBeFalse();
options.AllowInsecureLdap.ShouldBeFalse();
}
}