Phase 6.2 Stream C follow-up — wire AuthorizationGate into DriverNodeManager Read / Write / HistoryRead dispatch

Closes the Phase 6.2 security gap the v2 release-readiness dashboard flagged: the evaluator + trie + gate shipped as code in PRs #84-88 but no dispatch path called them. This PR threads the gate end-to-end from OpcUaApplicationHost → OtOpcUaServer → DriverNodeManager and calls it on every Read / Write / 4 HistoryRead paths. Server.Security additions: - NodeScopeResolver — maps driver fullRef → Core.Authorization NodeScope. Phase 1 shape: populates ClusterId + TagId; leaves NamespaceId / UnsArea / UnsLine / Equipment null. The cluster-level ACL cascade covers this configuration (decision #129 additive grants). Finer-grained scope resolution (joining against the live Configuration DB for UnsArea / UnsLine path) lands as Stream C.12 follow-up. - WriteAuthzPolicy.ToOpcUaOperation — maps SecurityClassification → the OpcUaOperation the gate evaluator consults (Operate/SecuredWrite → WriteOperate; Tune → WriteTune; Configure/VerifiedWrite → WriteConfigure). DriverNodeManager wiring: - Ctor gains optional AuthorizationGate + NodeScopeResolver; both null means the pre-Phase-6.2 dispatch runs unchanged (backwards-compat for every integration test that constructs DriverNodeManager directly). - OnReadValue: ahead of the invoker call, builds NodeScope + calls gate.IsAllowed(identity, Read, scope). Denied reads return BadUserAccessDenied without hitting the driver. - OnWriteValue: preserves the existing WriteAuthzPolicy check (classification vs session roles) + adds an additive gate check using WriteAuthzPolicy.ToOpcUaOperation(classification) to pick the right WriteOperate/Tune/Configure surface. Lax mode falls through for identities without LDAP groups. - Four HistoryRead paths (Raw / Processed / AtTime / Events): gate check runs per-node before the invoker. Events path tolerates fullRef=null (event-history queries can target a notifier / driver-root; those are cluster-wide reads that need a different scope shape — deferred). - New WriteAccessDenied helper surfaces BadUserAccessDenied in the OpcHistoryReadResult slot + errors list, matching the shape of the existing WriteUnsupported / WriteInternalError helpers. OtOpcUaServer + OpcUaApplicationHost: gate + resolver thread through as optional constructor parameters (same pattern as DriverResiliencePipelineBuilder in Phase 6.1). Null defaults keep the existing 3 OpcUaApplicationHost integration tests constructing without them unchanged. Tests (5 new in NodeScopeResolverTests): - Resolve populates ClusterId + TagId + Equipment Kind. - Resolve leaves finer path null per Phase 1 shape (doc'd as follow-up). - Empty fullReference throws. - Empty clusterId throws at ctor. - Resolver is stateless across calls. The existing 9 AuthorizationGate tests (shipped in PR #86) continue to cover the gate's allow/deny semantics under strict + lax mode. Full solution dotnet test: 1164 passing (was 1159, +5). Pre-existing Client.CLI Subscribe flake unchanged. Existing OpcUaApplicationHost + HealthEndpointsHost + driver integration tests continue to pass because the gate defaults to null → no enforcement, and the lax-mode fallback returns true for identities without LDAP groups (the anonymous test path). Production deployments flip the gate on by constructing it via OpcUaApplicationHost's new authzGate parameter + setting `Authorization:StrictMode = true` once ACL data is populated. Flipping the switch post-seed turns the evaluator + trie from scaffolded code into actual enforcement. This closes release blocker #1 listed in docs/v2/v2-release-readiness.md. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 11:02:17 -04:00
parent cc069509cd
commit f8d5b0fdbb
6 changed files with 239 additions and 5 deletions
--- a/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/NodeScopeResolverTests.cs
+++ b/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/NodeScopeResolverTests.cs
@@ -0,0 +1,64 @@
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.OtOpcUa.Core.Authorization;
+using ZB.MOM.WW.OtOpcUa.Server.Security;
+
+namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
+
+[Trait("Category", "Unit")]
+public sealed class NodeScopeResolverTests
+{
+    [Fact]
+    public void Resolve_PopulatesClusterAndTag()
+    {
+        var resolver = new NodeScopeResolver("c-warsaw");
+
+        var scope = resolver.Resolve("TestMachine_001/Oven/SetPoint");
+
+        scope.ClusterId.ShouldBe("c-warsaw");
+        scope.TagId.ShouldBe("TestMachine_001/Oven/SetPoint");
+        scope.Kind.ShouldBe(NodeHierarchyKind.Equipment);
+    }
+
+    [Fact]
+    public void Resolve_Leaves_UnsPath_Null_For_Phase1()
+    {
+        var resolver = new NodeScopeResolver("c-1");
+
+        var scope = resolver.Resolve("tag-1");
+
+        // Phase 1 flat scope — finer resolution tracked as Stream C.12 follow-up.
+        scope.NamespaceId.ShouldBeNull();
+        scope.UnsAreaId.ShouldBeNull();
+        scope.UnsLineId.ShouldBeNull();
+        scope.EquipmentId.ShouldBeNull();
+    }
+
+    [Fact]
+    public void Resolve_Throws_OnEmptyFullReference()
+    {
+        var resolver = new NodeScopeResolver("c-1");
+
+        Should.Throw<ArgumentException>(() => resolver.Resolve(""));
+        Should.Throw<ArgumentException>(() => resolver.Resolve("   "));
+    }
+
+    [Fact]
+    public void Ctor_Throws_OnEmptyClusterId()
+    {
+        Should.Throw<ArgumentException>(() => new NodeScopeResolver(""));
+    }
+
+    [Fact]
+    public void Resolver_IsStateless_AcrossCalls()
+    {
+        var resolver = new NodeScopeResolver("c");
+        var s1 = resolver.Resolve("tag-a");
+        var s2 = resolver.Resolve("tag-b");
+
+        s1.TagId.ShouldBe("tag-a");
+        s2.TagId.ShouldBe("tag-b");
+        s1.ClusterId.ShouldBe("c");
+        s2.ClusterId.ShouldBe("c");
+    }
+}