Joseph Doherty
a5c0c82661
v2-ci / build (push) Failing after 35s
v2-ci / unit-tests (tests/Core/ZB.MOM.WW.OtOpcUa.Cluster.Tests) (push) Has been skipped
v2-ci / unit-tests (tests/Server/ZB.MOM.WW.OtOpcUa.ControlPlane.Tests) (push) Has been skipped
v2-ci / unit-tests (tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests) (push) Has been skipped
v2-ci / unit-tests (tests/Server/ZB.MOM.WW.OtOpcUa.Runtime.Tests) (push) Has been skipped
v2-ci / unit-tests (tests/Server/ZB.MOM.WW.OtOpcUa.Security.Tests) (push) Has been skipped
v2-ci / integration (tests/Server/ZB.MOM.WW.OtOpcUa.Host.IntegrationTests) (push) Has been skipped
v2-ci / integration (tests/Server/ZB.MOM.WW.OtOpcUa.OpcUaServer.IntegrationTests) (push) Has been skipped
- A.1 (false-rejection safety): restrict the structural fail-fast's confident-mismatch check to the CLOSED set of built-in types ResolveBuiltInDataType emits (numeric families + Boolean/ String/DateTime/ByteString). Any other expected type (Enumeration, Guid, …) now defers to the SDK, so a coercible write (Int32→Enumeration) is never false-rejected. + A7/A8 regression tests. - C.1: guard BuildWriteFailureAuditEvent (under Lock) in try/catch like ReportAuditEvent, so a SetChildValue surprise is swallowed+logged, never thrown out of the fire-and-forget continuation.
204 lines
9.8 KiB
C#
204 lines
9.8 KiB
C#
using Opc.Ua;
|
|
using Shouldly;
|
|
using Xunit;
|
|
using ZB.MOM.WW.OtOpcUa.Commons.OpcUa;
|
|
using ZB.MOM.WW.OtOpcUa.OpcUaServer.Security;
|
|
|
|
namespace ZB.MOM.WW.OtOpcUa.OpcUaServer.Tests;
|
|
|
|
/// <summary>
|
|
/// Task 11 + write-outcome self-correction — the inbound operator-write authz/availability gate and the
|
|
/// compare-and-revert decision. The OnWriteValue handler on a writable equipment-tag node extracts the
|
|
/// caller's <see cref="RoleCarryingUserIdentity"/>, gates on the
|
|
/// <see cref="OpcUaDataPlaneRoles.WriteOperate"/> role (deny otherwise) AND on the gateway being wired
|
|
/// (BadNotWritable otherwise), then returns <c>Good</c> (optimistic write) and dispatches the write
|
|
/// fire-and-forget through the <see cref="OtOpcUaNodeManager.NodeWriteGateway"/>. When the async device
|
|
/// outcome comes back FAILED, the node self-corrects back to its real pre-write value — but only while the
|
|
/// node still holds the optimistic value (so a fresh poll isn't clobbered).
|
|
///
|
|
/// Both decisions are extracted as pure statics so they're unit-testable without booting an SDK server:
|
|
/// <see cref="OtOpcUaNodeManager.EvaluateEquipmentWriteGate"/> (role + availability) and
|
|
/// <see cref="OtOpcUaNodeManager.ShouldRevert"/> (compare-and-revert).
|
|
/// </summary>
|
|
public sealed class EquipmentWriteGateTests
|
|
{
|
|
/// <summary>(a) A null identity (anonymous / no role-carrying identity on the context) is denied with
|
|
/// <c>BadUserAccessDenied</c> — the gate fails closed.</summary>
|
|
[Fact]
|
|
public void Null_identity_is_denied()
|
|
{
|
|
var result = OtOpcUaNodeManager.EvaluateEquipmentWriteGate(
|
|
identity: null,
|
|
gatewayWired: true);
|
|
|
|
result.ShouldNotBeNull();
|
|
result!.StatusCode.Code.ShouldBe(StatusCodes.BadUserAccessDenied);
|
|
}
|
|
|
|
/// <summary>(b) An identity WITHOUT the <c>WriteOperate</c> role is denied with
|
|
/// <c>BadUserAccessDenied</c>.</summary>
|
|
[Fact]
|
|
public void Identity_without_WriteOperate_is_denied()
|
|
{
|
|
var identity = IdentityWith("ReadOnly", OpcUaDataPlaneRoles.AlarmAck); // no WriteOperate
|
|
var result = OtOpcUaNodeManager.EvaluateEquipmentWriteGate(
|
|
identity,
|
|
gatewayWired: true);
|
|
|
|
result.ShouldNotBeNull();
|
|
result!.StatusCode.Code.ShouldBe(StatusCodes.BadUserAccessDenied);
|
|
}
|
|
|
|
/// <summary>(c) An identity WITH the <c>WriteOperate</c> role and a wired gateway passes the gate
|
|
/// (returns <c>null</c> — proceed). The role match is case-insensitive (the role set + gate both use
|
|
/// <c>OrdinalIgnoreCase</c>).</summary>
|
|
[Fact]
|
|
public void Identity_with_WriteOperate_and_gateway_passes()
|
|
{
|
|
var identity = IdentityWith("readonly", "writeoperate"); // lower-cased: case-insensitive match
|
|
var result = OtOpcUaNodeManager.EvaluateEquipmentWriteGate(
|
|
identity,
|
|
gatewayWired: true);
|
|
|
|
result.ShouldBeNull();
|
|
}
|
|
|
|
/// <summary>(d) An identity WITH the <c>WriteOperate</c> role but no gateway wired maps to
|
|
/// <c>BadNotWritable</c> ("writes unavailable") — the gate passes but there is nowhere to route.</summary>
|
|
[Fact]
|
|
public void Identity_with_WriteOperate_and_no_gateway_maps_to_bad_not_writable()
|
|
{
|
|
var identity = IdentityWith(OpcUaDataPlaneRoles.WriteOperate);
|
|
var result = OtOpcUaNodeManager.EvaluateEquipmentWriteGate(
|
|
identity,
|
|
gatewayWired: false);
|
|
|
|
result.ShouldNotBeNull();
|
|
result!.StatusCode.Code.ShouldBe(StatusCodes.BadNotWritable);
|
|
result.LocalizedText.Text.ShouldContain("writes unavailable");
|
|
}
|
|
|
|
/// <summary>
|
|
/// <see cref="OtOpcUaNodeManager.ShouldRevert"/> decision table. Revert ONLY on a failed outcome AND
|
|
/// only while the node still holds the optimistic value (a fresh poll that moved the node on must not
|
|
/// be clobbered). The first <c>bool</c> is the outcome's Success flag.
|
|
/// </summary>
|
|
[Theory]
|
|
[InlineData(true, "v", "v", false)] // success → never revert (even though still-optimistic)
|
|
[InlineData(false, "v", "v", true)] // fail + node still holds optimistic → revert
|
|
[InlineData(false, "w", "v", false)] // fail + a poll moved the node on → no revert
|
|
[InlineData(true, "w", "v", false)] // success + moved on → no revert
|
|
public void ShouldRevert_decision_table(bool success, object currentNodeValue, object optimisticValue, bool expected)
|
|
{
|
|
var outcome = new NodeWriteOutcome(success, success ? null : "device rejected");
|
|
|
|
OtOpcUaNodeManager.ShouldRevert(outcome, currentNodeValue, optimisticValue).ShouldBe(expected);
|
|
}
|
|
|
|
/// <summary>Null-value edges: a failed write whose node still holds the optimistic <c>null</c> reverts;
|
|
/// a failed write whose node moved off <c>null</c> does not.</summary>
|
|
[Fact]
|
|
public void ShouldRevert_null_value_edges()
|
|
{
|
|
var fail = new NodeWriteOutcome(false, "device rejected");
|
|
|
|
OtOpcUaNodeManager.ShouldRevert(fail, currentNodeValue: null, optimisticValue: null).ShouldBeTrue();
|
|
OtOpcUaNodeManager.ShouldRevert(fail, currentNodeValue: null, optimisticValue: "v").ShouldBeFalse();
|
|
}
|
|
|
|
// ───────────────────────────── Item A — EvaluateEquipmentWriteStructure ─────────────────────────────
|
|
|
|
/// <summary>(A1) A <c>null</c> value write to a value variable is rejected synchronously with
|
|
/// <c>BadTypeMismatch</c> (the minimum sensible structural check — a value node always holds a typed
|
|
/// payload, so a null write is never valid and fails fast inline rather than optimistic-then-revert).</summary>
|
|
[Fact]
|
|
public void Structure_null_value_is_rejected_with_type_mismatch()
|
|
{
|
|
var node = ValueNode(DataTypeIds.Int32);
|
|
var result = OtOpcUaNodeManager.EvaluateEquipmentWriteStructure(value: null, node);
|
|
|
|
result.ShouldNotBeNull();
|
|
result!.StatusCode.Code.ShouldBe(StatusCodes.BadTypeMismatch);
|
|
}
|
|
|
|
/// <summary>(A2) A type-matching value (Int32 payload into an Int32 node) proceeds (returns <c>null</c>).</summary>
|
|
[Fact]
|
|
public void Structure_matching_type_proceeds()
|
|
{
|
|
var node = ValueNode(DataTypeIds.Int32);
|
|
OtOpcUaNodeManager.EvaluateEquipmentWriteStructure(value: 42, node).ShouldBeNull();
|
|
}
|
|
|
|
/// <summary>(A3) Numeric-to-numeric is treated as compatible (the SDK widens/narrows numerics) — a
|
|
/// Double payload into an Int32 node proceeds rather than being rejected here.</summary>
|
|
[Fact]
|
|
public void Structure_numeric_to_numeric_proceeds()
|
|
{
|
|
var node = ValueNode(DataTypeIds.Int32);
|
|
OtOpcUaNodeManager.EvaluateEquipmentWriteStructure(value: 3.5d, node).ShouldBeNull();
|
|
}
|
|
|
|
/// <summary>(A4) A confident cross-family mismatch (a String payload into a Boolean node) is rejected
|
|
/// with <c>BadTypeMismatch</c> via the cheap built-in-type compatibility check.</summary>
|
|
[Fact]
|
|
public void Structure_cross_family_mismatch_is_rejected()
|
|
{
|
|
var node = ValueNode(DataTypeIds.Boolean);
|
|
var result = OtOpcUaNodeManager.EvaluateEquipmentWriteStructure(value: "not-a-bool", node);
|
|
|
|
result.ShouldNotBeNull();
|
|
result!.StatusCode.Code.ShouldBe(StatusCodes.BadTypeMismatch);
|
|
}
|
|
|
|
/// <summary>(A5) Confidence-gated defer: a node whose DataType is the abstract <c>BaseDataType</c>
|
|
/// wildcard (unresolved built-in type) proceeds for ANY non-null payload — the SDK's own coercion stays
|
|
/// authoritative. A "fallback" equipment tag (unknown DataType string) materialises as exactly this.</summary>
|
|
[Fact]
|
|
public void Structure_unresolved_datatype_defers_to_sdk()
|
|
{
|
|
var node = ValueNode(DataTypeIds.BaseDataType);
|
|
OtOpcUaNodeManager.EvaluateEquipmentWriteStructure(value: "anything", node).ShouldBeNull();
|
|
}
|
|
|
|
/// <summary>(A6) A non-variable node (defensive) is never rejected on type — only the null-payload check
|
|
/// applies. A non-null write to a plain <see cref="NodeState"/> proceeds.</summary>
|
|
[Fact]
|
|
public void Structure_non_variable_node_defers()
|
|
{
|
|
var folder = new FolderState(null) { NodeId = new NodeId("f", 2), BrowseName = new QualifiedName("f", 2) };
|
|
OtOpcUaNodeManager.EvaluateEquipmentWriteStructure(value: 1, folder).ShouldBeNull();
|
|
}
|
|
|
|
/// <summary>(A7) Closed-set safety boundary: an Enumeration-typed node with an Int32 payload DEFERS
|
|
/// (returns null) rather than false-rejecting — an enum write normally carries an Int32 the SDK coerces.
|
|
/// Before the closed-set gate this returned <c>BadTypeMismatch</c> — a false rejection of a valid write.</summary>
|
|
[Fact]
|
|
public void Structure_enumeration_datatype_defers_to_sdk()
|
|
{
|
|
var node = ValueNode(DataTypeIds.Enumeration);
|
|
OtOpcUaNodeManager.EvaluateEquipmentWriteStructure(value: 2, node).ShouldBeNull();
|
|
}
|
|
|
|
/// <summary>(A8) Closed-set safety boundary: any expected built-in type outside the materialiser's emitted
|
|
/// set (here Guid) DEFERS — only the numeric families + Boolean/String/DateTime/ByteString are ever rejected,
|
|
/// so the fail-fast can never reject a write the SDK would coerce.</summary>
|
|
[Fact]
|
|
public void Structure_noncheckable_expected_type_defers()
|
|
{
|
|
var node = ValueNode(DataTypeIds.Guid);
|
|
OtOpcUaNodeManager.EvaluateEquipmentWriteStructure(value: "any", node).ShouldBeNull();
|
|
}
|
|
|
|
private static BaseDataVariableState ValueNode(NodeId dataType) => new(null)
|
|
{
|
|
NodeId = new NodeId("eq/x", 2),
|
|
BrowseName = new QualifiedName("x", 2),
|
|
DisplayName = "x",
|
|
DataType = dataType,
|
|
ValueRank = ValueRanks.Scalar,
|
|
};
|
|
|
|
private static RoleCarryingUserIdentity IdentityWith(params string[] roles) =>
|
|
new(new UserNameIdentityToken { UserName = "op" }, roles);
|
|
}
|