dohertj2/lmxopcua
1
0
Fork 0
Code Issues 2 Pull Requests 1 Actions Packages Projects Releases Wiki Activity
Files
chore/fixdocs-xml-doc-comments
lmxopcua/tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests/OpcUaApplicationHostImpersonationTests.cs
T
Joseph Doherty bd6c0b4d3d docs: complete XML doc comments via fixdocs (2757 to 131 findings) 
Add missing <returns>/<param>/<summary>/<typeparam> tags and clean up
misused inheritdoc across 481 files so the documented API surface is
complete. Documentation-only (zero code lines changed). The 131 remaining
findings are inheritdoc-style warnings deliberately left to preserve
hand-written implementation rationale (plan-decision notes, race-condition
explanations).
2026-06-03 12:34:34 -04:00

139 lines
6.9 KiB
C#
Raw Permalink Blame History

using Microsoft.Extensions.Logging.Abstractions;
using Opc.Ua;
using Opc.Ua.Server;
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.OpcUaServer.Security;
namespace ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests;
/// <summary>
/// F13c — verifies the impersonation handler routes UserName tokens through
/// <see cref="IOpcUaUserAuthenticator"/> and translates its result into the SDK's
/// <see cref="ImpersonateEventArgs"/> shape (granted identity vs. rejection status).
/// </summary>
public sealed class OpcUaApplicationHostImpersonationTests
{
private static readonly UserTokenPolicy UserNamePolicy = new(UserTokenType.UserName) { PolicyId = "username_basic256sha256" };
private static readonly UserTokenPolicy AnonPolicy = new(UserTokenType.Anonymous) { PolicyId = "anonymous" };
/// <summary>Verifies successful UserName token impersonation sets identity and clears validation error.</summary>
[Fact]
public void HandleImpersonation_username_success_sets_identity_and_no_validation_error()
{
var token = new UserNameIdentityToken { UserName = "alice", DecryptedPassword = "secret" };
var args = new ImpersonateEventArgs(token, UserNamePolicy, new EndpointDescription());
var authenticator = new RecordingAuthenticator(
OpcUaUserAuthResult.Allow("Alice", new[] { "ReadOnly", "WriteOperate" }));
OpcUaApplicationHost.HandleImpersonation(authenticator, args, NullLogger<object>.Instance);
args.Identity.ShouldNotBeNull();
args.IdentityValidationError.ShouldBeNull();
authenticator.LastUsername.ShouldBe("alice");
authenticator.LastPassword.ShouldBe("secret");
}
/// <summary>Verifies failed UserName token impersonation sets validation error and clears identity.</summary>
[Fact]
public void HandleImpersonation_username_denial_sets_validation_error_and_no_identity()
{
var token = new UserNameIdentityToken { UserName = "mallory", DecryptedPassword = "wrong" };
var args = new ImpersonateEventArgs(token, UserNamePolicy, new EndpointDescription());
var authenticator = new RecordingAuthenticator(OpcUaUserAuthResult.Deny("Invalid credentials"));
OpcUaApplicationHost.HandleImpersonation(authenticator, args, NullLogger<object>.Instance);
args.Identity.ShouldBeNull();
args.IdentityValidationError.Code.ShouldBe(StatusCodes.BadIdentityTokenRejected);
args.IdentityValidationError.LocalizedText.Text.ShouldContain("Invalid credentials");
}
/// <summary>Verifies anonymous identity tokens are passed through to the SDK default handler.</summary>
[Fact]
public void HandleImpersonation_anonymous_token_falls_through_to_sdk_default()
{
var args = new ImpersonateEventArgs(new AnonymousIdentityToken(), AnonPolicy, new EndpointDescription());
var authenticator = new RecordingAuthenticator(OpcUaUserAuthResult.Allow("x", Array.Empty<string>()));
OpcUaApplicationHost.HandleImpersonation(authenticator, args, NullLogger<object>.Instance);
// Handler leaves anonymous tokens untouched — no identity, no validation error.
args.Identity.ShouldBeNull();
args.IdentityValidationError.ShouldBeNull();
authenticator.LastUsername.ShouldBeNull("anonymous tokens must not hit the authenticator");
}
/// <summary>Verifies authenticator exceptions result in rejection with validation error.</summary>
[Fact]
public void HandleImpersonation_authenticator_throwing_results_in_rejection()
{
var token = new UserNameIdentityToken { UserName = "bob", DecryptedPassword = "x" };
var args = new ImpersonateEventArgs(token, UserNamePolicy, new EndpointDescription());
var authenticator = new ThrowingAuthenticator(new InvalidOperationException("LDAP unreachable"));
OpcUaApplicationHost.HandleImpersonation(authenticator, args, NullLogger<object>.Instance);
args.Identity.ShouldBeNull();
args.IdentityValidationError.Code.ShouldBe(StatusCodes.BadIdentityTokenRejected);
}
/// <summary>Verifies null username is normalized to empty string before authenticator call.</summary>
[Fact]
public void HandleImpersonation_null_username_treated_as_empty_string()
{
var token = new UserNameIdentityToken { UserName = null, DecryptedPassword = "abc" };
var args = new ImpersonateEventArgs(token, UserNamePolicy, new EndpointDescription());
var authenticator = new RecordingAuthenticator(OpcUaUserAuthResult.Deny("no user"));
OpcUaApplicationHost.HandleImpersonation(authenticator, args, NullLogger<object>.Instance);
authenticator.LastUsername.ShouldBe(string.Empty);
}
/// <summary>Verifies NullOpcUaUserAuthenticator always returns denial result.</summary>
/// <returns>A task that represents the asynchronous operation.</returns>
[Fact]
public async Task NullOpcUaUserAuthenticator_always_denies()
{
var result = await NullOpcUaUserAuthenticator.Instance
.AuthenticateUserNameAsync("anyone", "anything", CancellationToken.None);
result.Success.ShouldBeFalse();
result.Error.ShouldNotBeNull();
result.Roles.ShouldBeEmpty();
}
private sealed class RecordingAuthenticator(OpcUaUserAuthResult outcome) : IOpcUaUserAuthenticator
{
/// <summary>Gets the username passed to the last authentication call.</summary>
public string? LastUsername { get; private set; }
/// <summary>Gets the password passed to the last authentication call.</summary>
public string? LastPassword { get; private set; }
/// <summary>Authenticates a username and password, recording them for inspection by tests.</summary>
/// <param name="username">The username to authenticate.</param>
/// <param name="password">The password to authenticate.</param>
/// <param name="ct">The cancellation token.</param>
/// <returns>The predefined authentication result.</returns>
public Task<OpcUaUserAuthResult> AuthenticateUserNameAsync(string username, string password, CancellationToken ct)
{
LastUsername = username;
LastPassword = password;
return Task.FromResult(outcome);
}
}
/// <summary>Test authenticator that throws an exception during authentication.</summary>
private sealed class ThrowingAuthenticator(Exception ex) : IOpcUaUserAuthenticator
{
/// <summary>Authenticates by throwing the configured exception.</summary>
/// <param name="username">The username to authenticate.</param>
/// <param name="password">The password to authenticate.</param>
/// <param name="ct">The cancellation token.</param>
/// <returns>Never returns; always throws the configured exception.</returns>
public Task<OpcUaUserAuthResult> AuthenticateUserNameAsync(string username, string password, CancellationToken ct)
=> Task.FromException<OpcUaUserAuthResult>(ex);
}
}
Reference in New Issue View Git Blame Copy Permalink