Galaxy IPC unblock — live dev-box E2E path

Three root-cause fixes to get an elevated dev-box shell past session open through to real MXAccess reads: 1. PipeAcl — drop BUILTIN\Administrators deny ACE. UAC's filtered token carries the Admins SID as deny-only, so the deny fired even from non-elevated admin-account shells. The per-connection SID check in PipeServer.VerifyCaller remains the real authorization boundary. 2. PipeServer — swap the Hello-read / VerifyCaller order. ImpersonateNamedPipeClient returns ERROR_CANNOT_IMPERSONATE until at least one frame has been read from the pipe; reading Hello first satisfies that rule. Previously the ACL deny-first path masked this race — removing the deny ACE exposed it. 3. GalaxyIpcClient — add a background reader + single pending-response slot. A RuntimeStatusChange event between OpenSessionRequest and OpenSessionResponse used to satisfy the caller's single ReadFrameAsync and fail CallAsync with "Expected OpenSessionResponse, got RuntimeStatusChange". The reader now routes response kinds (and ErrorResponse) to the pending TCS and everything else to a handler the driver registers in InitializeAsync. The Proxy was already set up to raise managed events from RaiseDataChange / RaiseAlarmEvent / OnHostConnectivityUpdate — those helpers had no caller until now. 4. RedundancyPublisherHostedService — swallow BadServerHalted while polling host.Server.CurrentInstance. StandardServer throws that code during startup rather than returning null, so the first poll attempt crashed the BackgroundService (and the host) before OnServerStarted ran. This race was latent behind the Galaxy init failure above. Updates docs that described the Admins deny ACE + mandatory non-elevated shells, and drops the admin-skip guards from every Galaxy integration + E2E fixture that had them (IpcHandshakeIntegrationTests, EndToEndIpcTests, ParityFixture, LiveStackFixture, HostSubprocessParityTests). Adds GalaxyIpcClientRoutingTests covering the router's request/response match, ErrorResponse, event-between-call, idle event, and peer-close paths. Verified live on the dev box against the p7-smoke cluster (gen 6): driver registered=1 failedInit=0, Phase 7 bridge subscribed, OPC UA server up on 4840, MXAccess read round-trip returns real data with Status=0x00000000. Task #112 — partial: Galaxy live stack is functional end-to-end. The supplied test-galaxy.ps1 script still fails because the UNS walker encodes TagConfig JSON as the tag's NodeId instead of the seeded TagId (pre-existing; separate issue from this commit). Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-24 16:30:16 -04:00
parent fb6dd3478d
commit d11dd0520b
17 changed files with 443 additions and 130 deletions
--- a/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/LiveStack/LiveStackFixture.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Driver.Galaxy.Proxy.Tests/LiveStack/LiveStackFixture.cs
@@ -1,8 +1,3 @@
-using System.Runtime.InteropServices;
-using System.Runtime.Versioning;
-using System.Security.Principal;
-using System.Threading;
-using System.Threading.Tasks;
 using Xunit;
 using ZB.MOM.WW.OtOpcUa.Driver.Galaxy.TestSupport;

@@ -43,25 +38,6 @@ public sealed class LiveStackFixture : IAsyncLifetime

    public async ValueTask InitializeAsync()
    {
-        // 0. Elevated-shell short-circuit. The OtOpcUaGalaxyHost pipe ACL allows the configured
-        //    SID but explicitly DENIES Administrators (decision #76 — production hardening).
-        //    A test process running with a high-integrity token (any elevated shell) carries the
-        //    Admins group in its security context, so the deny rule trumps the user's allow and
-        //    the pipe connect returns UnauthorizedAccessException — technically correct but
-        //    the operationally confusing failure mode that ate most of the PR 37 install
-        //    debugging session. Surfacing it explicitly here saves the next operator the same
-        //    five-step diagnosis. ParityFixture has the same skip with the same rationale.
-        if (IsElevatedAdministratorOnWindows())
-        {
-            SkipReason =
-                "Test host is running with elevated (Administrators) privileges, but the " +
-                "OtOpcUaGalaxyHost named-pipe ACL explicitly denies Administrators per the IPC " +
-                "security design (decision #76 / PipeAcl.cs). Re-run from a NORMAL (non-admin) " +
-                "PowerShell window — even when your user is already in the pipe's allow list, " +
-                "the elevated token's Admins group membership trumps the allow rule.";
-            return;
-        }
-
        // 1. AVEVA + OtOpcUa service state — actionable diagnostic if anything is missing.
        using var cts = new CancellationTokenSource(TimeSpan.FromSeconds(10));
        PrerequisiteReport = await AvevaPrerequisites.CheckAllAsync(
@@ -134,27 +110,6 @@ public sealed class LiveStackFixture : IAsyncLifetime
        if (SkipReason is not null) Assert.Skip(SkipReason);
    }

-    private static bool IsElevatedAdministratorOnWindows()
-    {
-        if (!RuntimeInformation.IsOSPlatform(OSPlatform.Windows)) return false;
-        return CheckWindowsAdminToken();
-    }
-
-    [SupportedOSPlatform("windows")]
-    private static bool CheckWindowsAdminToken()
-    {
-        try
-        {
-            using var identity = WindowsIdentity.GetCurrent();
-            return new WindowsPrincipal(identity).IsInRole(WindowsBuiltInRole.Administrator);
-        }
-        catch
-        {
-            // Probe shouldn't crash the test; if we can't determine elevation, optimistically
-            // continue and let the actual pipe connect surface its own error.
-            return false;
-        }
-    }
 }

 [CollectionDefinition(Name)]