Galaxy IPC unblock — live dev-box E2E path

Three root-cause fixes to get an elevated dev-box shell past session open through to real MXAccess reads: 1. PipeAcl — drop BUILTIN\Administrators deny ACE. UAC's filtered token carries the Admins SID as deny-only, so the deny fired even from non-elevated admin-account shells. The per-connection SID check in PipeServer.VerifyCaller remains the real authorization boundary. 2. PipeServer — swap the Hello-read / VerifyCaller order. ImpersonateNamedPipeClient returns ERROR_CANNOT_IMPERSONATE until at least one frame has been read from the pipe; reading Hello first satisfies that rule. Previously the ACL deny-first path masked this race — removing the deny ACE exposed it. 3. GalaxyIpcClient — add a background reader + single pending-response slot. A RuntimeStatusChange event between OpenSessionRequest and OpenSessionResponse used to satisfy the caller's single ReadFrameAsync and fail CallAsync with "Expected OpenSessionResponse, got RuntimeStatusChange". The reader now routes response kinds (and ErrorResponse) to the pending TCS and everything else to a handler the driver registers in InitializeAsync. The Proxy was already set up to raise managed events from RaiseDataChange / RaiseAlarmEvent / OnHostConnectivityUpdate — those helpers had no caller until now. 4. RedundancyPublisherHostedService — swallow BadServerHalted while polling host.Server.CurrentInstance. StandardServer throws that code during startup rather than returning null, so the first poll attempt crashed the BackgroundService (and the host) before OnServerStarted ran. This race was latent behind the Galaxy init failure above. Updates docs that described the Admins deny ACE + mandatory non-elevated shells, and drops the admin-skip guards from every Galaxy integration + E2E fixture that had them (IpcHandshakeIntegrationTests, EndToEndIpcTests, ParityFixture, LiveStackFixture, HostSubprocessParityTests). Adds GalaxyIpcClientRoutingTests covering the router's request/response match, ErrorResponse, event-between-call, idle event, and peer-close paths. Verified live on the dev box against the p7-smoke cluster (gen 6): driver registered=1 failedInit=0, Phase 7 bridge subscribed, OPC UA server up on 4840, MXAccess read round-trip returns real data with Status=0x00000000. Task #112 — partial: Galaxy live stack is functional end-to-end. The supplied test-galaxy.ps1 script still fails because the UNS walker encodes TagConfig JSON as the tag's NodeId instead of the seeded TagId (pre-existing; separate issue from this commit). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 16:30:16 -04:00
parent fb6dd3478d
commit d11dd0520b
17 changed files with 443 additions and 130 deletions
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/EndToEndIpcTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/EndToEndIpcTests.cs
@@ -28,12 +28,6 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
    [Trait("Category", "Integration")]
    public sealed class EndToEndIpcTests
    {
-        private static bool IsAdministrator()
-        {
-            using var identity = WindowsIdentity.GetCurrent();
-            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
-        }
-
        private sealed class TestStack : IDisposable
        {
            public PipeServer Server = null!;
@@ -102,7 +96,6 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
        [Fact]
        public async Task OpenSession_succeeds_with_an_assigned_session_id()
        {
-            if (IsAdministrator()) return;
            using var s = await StartAsync();

            var resp = await RoundTripAsync<OpenSessionRequest, OpenSessionResponse>(
@@ -117,7 +110,6 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
        [Fact]
        public async Task Discover_against_stub_returns_an_error_response()
        {
-            if (IsAdministrator()) return;
            using var s = await StartAsync();

            var resp = await RoundTripAsync<DiscoverHierarchyRequest, DiscoverHierarchyResponse>(
@@ -132,7 +124,6 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
        [Fact]
        public async Task WriteValues_returns_per_tag_BadInternalError_status()
        {
-            if (IsAdministrator()) return;
            using var s = await StartAsync();

            var resp = await RoundTripAsync<WriteValuesRequest, WriteValuesResponse>(
@@ -151,7 +142,6 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
        [Fact]
        public async Task Subscribe_returns_a_subscription_id()
        {
-            if (IsAdministrator()) return;
            using var s = await StartAsync();

            var sub = await RoundTripAsync<SubscribeRequest, SubscribeResponse>(
@@ -166,7 +156,6 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
        [Fact]
        public async Task Recycle_returns_the_grace_window_from_the_backend()
        {
-            if (IsAdministrator()) return;
            using var s = await StartAsync();

            var resp = await RoundTripAsync<RecycleHostRequest, RecycleStatusResponse>(
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/IpcHandshakeIntegrationTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests/IpcHandshakeIntegrationTests.cs
@@ -22,17 +22,10 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
    ///     net48 x86 alongside the Host (the Proxy's <c>GalaxyIpcClient</c> is net10 only and
    ///     cannot be loaded into this process). Functionally equivalent to going through
    ///     <c>GalaxyIpcClient</c> — proves the wire protocol + ACL + shared-secret enforcement.
-    ///     Skipped on Administrator shells per the same PipeAcl-denies-Administrators guard.
    /// </summary>
    [Trait("Category", "Integration")]
    public sealed class IpcHandshakeIntegrationTests
    {
-        private static bool IsAdministrator()
-        {
-            using var identity = WindowsIdentity.GetCurrent();
-            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
-        }
-
        private static async Task<(NamedPipeClientStream Stream, FrameReader Reader, FrameWriter Writer)>
            ConnectAndHelloAsync(string pipeName, string secret, CancellationToken ct)
        {
@@ -56,8 +49,6 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
        [Fact]
        public async Task Handshake_with_correct_secret_succeeds_and_heartbeat_round_trips()
        {
-            if (IsAdministrator()) return;
-
            using var identity = WindowsIdentity.GetCurrent();
            var sid = identity.User!;
            var pipe = $"OtOpcUaGalaxyTest-{Guid.NewGuid():N}";
@@ -91,8 +82,6 @@ namespace ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Host.Tests
        [Fact]
        public async Task Handshake_with_wrong_secret_is_rejected()
        {
-            if (IsAdministrator()) return;
-
            using var identity = WindowsIdentity.GetCurrent();
            var sid = identity.User!;
            var pipe = $"OtOpcUaGalaxyTest-{Guid.NewGuid():N}";