dohertj2/lmxopcua
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Phase 3 PR 70 -- Apply SecurityPolicy + expand to standard OPC UA policies #69

Merged
dohertj2 merged 1 commits from phase-3-pr70-opcua-client-security-policy into v2 2026-04-19 01:46:15 -04:00
Conversation 0 Commits 1 Files Changed 4 +156 -11
dohertj2 commented 2026-04-19 01:46:09 -04:00
Owner
Copy Link

Summary

SecurityPolicy was previously a string that got ignored — the driver only passed useSecurity=bool to endpoint selection, so an operator asking for Basic256Sha256 on a server that also advertised Basic128Rsa15 could silently end up on the weaker cipher.

  • New OpcUaSecurityPolicy enum: None, Basic128Rsa15 (deprecated), Basic256 (deprecated), Basic256Sha256 (recommended baseline), Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss.
  • MapSecurityPolicy → SDK SecurityPolicies.* URIs.
  • SelectMatchingEndpointAsync replaces CoreClientUtils.SelectEndpointAsync: opens a DiscoveryClient, enumerates endpoints, filters by policy AND mode client-side. Fail-loud on no match — throws with the full list of what the server advertised.

Validation

  • 23/23 OpcUaClient.Tests pass (5 new policy tests)
  • dotnet build: 0 errors

Test plan

  • Every enum value has a URI mapping
  • URIs cross-checked against SDK SecurityPolicies.* constants
  • URI contains enum name for grep-back from logs
## Summary `SecurityPolicy` was previously a string that got ignored — the driver only passed `useSecurity=bool` to endpoint selection, so an operator asking for `Basic256Sha256` on a server that also advertised `Basic128Rsa15` could silently end up on the weaker cipher. - New `OpcUaSecurityPolicy` enum: `None`, `Basic128Rsa15` (deprecated), `Basic256` (deprecated), `Basic256Sha256` (recommended baseline), `Aes128_Sha256_RsaOaep`, `Aes256_Sha256_RsaPss`. - `MapSecurityPolicy` → SDK `SecurityPolicies.*` URIs. - `SelectMatchingEndpointAsync` replaces `CoreClientUtils.SelectEndpointAsync`: opens a `DiscoveryClient`, enumerates endpoints, filters by policy AND mode client-side. Fail-loud on no match — throws with the full list of what the server advertised. ## Validation - 23/23 OpcUaClient.Tests pass (5 new policy tests) - `dotnet build`: 0 errors ## Test plan - [x] Every enum value has a URI mapping - [x] URIs cross-checked against SDK `SecurityPolicies.*` constants - [x] URI contains enum name for grep-back from logs
dohertj2 added 1 commit 2026-04-19 01:46:11 -04:00
Phase 3 PR 70 -- Apply SecurityPolicy explicitly + expand to standard OPC UA policy list. Before this PR SecurityPolicy was a string field that got ignored -- the driver only passed useSecurity=SecurityMode!=None to SelectEndpointAsync, so an operator asking for Basic256Sha256 on a server that also advertised Basic128Rsa15 could silently end up on the weaker cipher (the SDK's SelectEndpoint returns whichever matching endpoint the server listed first). PR 70 makes policy matching explicit. SecurityPolicy is now an OpcUaSecurityPolicy enum covering the six standard policies documented in OPC UA 1.04: None, Basic128Rsa15 (deprecated, brownfield interop only), Basic256 (deprecated), Basic256Sha256 (recommended baseline), Aes128_Sha256_RsaOaep, Aes256_Sha256_RsaPss. Each maps through MapSecurityPolicy to the SecurityPolicies URI constant the SDK uses for endpoint matching. New SelectMatchingEndpointAsync replaces CoreClientUtils.SelectEndpointAsync. Flow: opens a DiscoveryClient via the non-obsolete DiscoveryClient.CreateAsync(ApplicationConfiguration, Uri, DiagnosticsMasks, ct) path, calls GetEndpointsAsync to enumerate every endpoint the server advertises, filters client-side by policy URI AND mode. When no endpoint matches, throws InvalidOperationException with the full list of what the server DID advertise formatted as 'Policy/Mode' pairs so the operator sees exactly what to fix in their config without a Wireshark trace. Fail-loud behaviour intentional -- a silent fall-through to weaker crypto is worse than a clear config error. MapSecurityPolicy is internal-visible to tests via InternalsVisibleTo from PR 66. Unit tests (OpcUaClientSecurityPolicyTests, 5 facts): MapSecurityPolicy_returns_known_non_empty_uri_for_every_enum_value theory covers all 6 policies; URI contains the enum name for non-None so operators can grep logs back to the config value; MapSecurityPolicy_None_matches_SDK_None_URI, MapSecurityPolicy_Basic256Sha256_matches_SDK_URI, MapSecurityPolicy_Aes256_Sha256_RsaPss_matches_SDK_URI all cross-check against the SDK's SecurityPolicies.* constants to catch a future enum-vs-URI drift; Every_enum_value_has_a_mapping walks Enum.GetValues to ensure adding a new case doesn't silently fall through the switch. Scaffold test updated to assert SecurityPolicy default = None (was previously unchecked). 23/23 OpcUaClient.Tests pass (13 prior + 5 scaffold + 5 new policy). dotnet build clean. Note on DiscoveryClient: the synchronous DiscoveryClient.Create(...) overloads are all [Obsolete] in SDK 1.5.378; must use DiscoveryClient.CreateAsync. GetEndpointsAsync(null, ct) returns EndpointDescriptionCollection directly (not a wrapper). a65215684c
dohertj2 merged commit a5299a2fee into v2 2026-04-19 01:46:15 -04:00
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
dohertj2
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: dohertj2/lmxopcua#69
Delete Branch "phase-3-pr70-opcua-client-security-policy"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?