Joseph Doherty
adf794f791
Server-002 — AuthorizationGate lax-mode no longer overrides explicit deny. IsAllowed now switches on the evaluator's AuthorizationVerdict: Allow -> true, Denied (an authored deny rule matched) -> false in BOTH strict and lax mode, and only the indeterminate NotGranted case falls through to !_strictMode. Previously `if (decision.IsAllowed) return true; return !_strictMode;` let lax mode (the default) nullify authored NodeAcl deny rules for fully-resolved sessions. The tri-state AuthorizationVerdict.Denied member is now honoured. Server-009 — LDAP is secure-by-default. LdapOptions.AllowInsecureLdap now defaults to false (was true) and Program.cs's config fallback reads `?? false` (was `?? true`), so an LDAP-enabled deployment will not bind credentials over an unencrypted socket unless an operator explicitly opts in. Program.cs also logs a startup warning when LDAP is enabled with UseTls=false and AllowInsecureLdap=true, flagging the clear-text server->LDAP credential hop. Regression tests: AuthorizationGateTests covers all four verdict x mode combinations via a fixed-verdict evaluator stub; new LdapOptionsTests asserts the secure defaults. Both Server and Server.Tests build clean; the 15 targeted tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
264 lines
14 KiB
C#
264 lines
14 KiB
C#
using Microsoft.EntityFrameworkCore;
|
|
using Microsoft.Extensions.Configuration;
|
|
using Microsoft.Extensions.DependencyInjection;
|
|
using Microsoft.Extensions.Hosting;
|
|
using Microsoft.Extensions.Logging;
|
|
using Serilog;
|
|
using Serilog.Formatting.Compact;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration.LocalCache;
|
|
using ZB.MOM.WW.OtOpcUa.Core.Hosting;
|
|
using ZB.MOM.WW.OtOpcUa.Core.AlarmHistorian;
|
|
using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
|
|
using ZB.MOM.WW.OtOpcUa.Driver.Historian.Wonderware.Client;
|
|
using ZB.MOM.WW.OtOpcUa.Driver.AbCip;
|
|
using ZB.MOM.WW.OtOpcUa.Driver.AbLegacy;
|
|
using ZB.MOM.WW.OtOpcUa.Driver.FOCAS;
|
|
using ZB.MOM.WW.OtOpcUa.Driver.Modbus;
|
|
using ZB.MOM.WW.OtOpcUa.Driver.S7;
|
|
using ZB.MOM.WW.OtOpcUa.Driver.TwinCAT;
|
|
using ZB.MOM.WW.OtOpcUa.Server;
|
|
using ZB.MOM.WW.OtOpcUa.Server.Alarms;
|
|
using ZB.MOM.WW.OtOpcUa.Server.History;
|
|
using ZB.MOM.WW.OtOpcUa.Server.Hosting;
|
|
using ZB.MOM.WW.OtOpcUa.Server.OpcUa;
|
|
using ZB.MOM.WW.OtOpcUa.Server.Phase7;
|
|
using ZB.MOM.WW.OtOpcUa.Server.Redundancy;
|
|
using ZB.MOM.WW.OtOpcUa.Server.Security;
|
|
|
|
var builder = Host.CreateApplicationBuilder(args);
|
|
|
|
// Per Phase 6.1 Stream C.3: SIEMs (Splunk, Datadog) ingest the JSON file without a
|
|
// regex parser. Plain-text rolling file stays on by default for human readability;
|
|
// JSON file is opt-in via appsetting `Serilog:WriteJson = true`.
|
|
var writeJson = builder.Configuration.GetValue<bool>("Serilog:WriteJson");
|
|
var loggerBuilder = new LoggerConfiguration()
|
|
.ReadFrom.Configuration(builder.Configuration)
|
|
.Enrich.FromLogContext()
|
|
.WriteTo.Console()
|
|
.WriteTo.File("logs/otopcua-.log", rollingInterval: RollingInterval.Day);
|
|
|
|
if (writeJson)
|
|
{
|
|
loggerBuilder = loggerBuilder.WriteTo.File(
|
|
new CompactJsonFormatter(),
|
|
"logs/otopcua-.json.log",
|
|
rollingInterval: RollingInterval.Day);
|
|
}
|
|
|
|
Log.Logger = loggerBuilder.CreateLogger();
|
|
|
|
builder.Services.AddSerilog();
|
|
builder.Services.AddWindowsService(o => o.ServiceName = "OtOpcUa");
|
|
|
|
var nodeSection = builder.Configuration.GetSection(NodeOptions.SectionName);
|
|
var options = new NodeOptions
|
|
{
|
|
NodeId = nodeSection.GetValue<string>("NodeId")
|
|
?? throw new InvalidOperationException("Node:NodeId not configured"),
|
|
ClusterId = nodeSection.GetValue<string>("ClusterId")
|
|
?? throw new InvalidOperationException("Node:ClusterId not configured"),
|
|
ConfigDbConnectionString = nodeSection.GetValue<string>("ConfigDbConnectionString")
|
|
?? throw new InvalidOperationException("Node:ConfigDbConnectionString not configured"),
|
|
LocalCachePath = nodeSection.GetValue<string>("LocalCachePath") ?? "config_cache.db",
|
|
};
|
|
|
|
var opcUaSection = builder.Configuration.GetSection(OpcUaServerOptions.SectionName);
|
|
var ldapSection = opcUaSection.GetSection("Ldap");
|
|
var ldapOptions = new LdapOptions
|
|
{
|
|
Enabled = ldapSection.GetValue<bool?>("Enabled") ?? false,
|
|
Server = ldapSection.GetValue<string>("Server") ?? "localhost",
|
|
Port = ldapSection.GetValue<int?>("Port") ?? 3893,
|
|
UseTls = ldapSection.GetValue<bool?>("UseTls") ?? false,
|
|
AllowInsecureLdap = ldapSection.GetValue<bool?>("AllowInsecureLdap") ?? false,
|
|
SearchBase = ldapSection.GetValue<string>("SearchBase") ?? "dc=lmxopcua,dc=local",
|
|
ServiceAccountDn = ldapSection.GetValue<string>("ServiceAccountDn") ?? string.Empty,
|
|
ServiceAccountPassword = ldapSection.GetValue<string>("ServiceAccountPassword") ?? string.Empty,
|
|
GroupToRole = ldapSection.GetSection("GroupToRole").Get<Dictionary<string, string>>() ?? new(StringComparer.OrdinalIgnoreCase),
|
|
};
|
|
|
|
// Security: an LDAP bind without TLS sends usernames + plaintext passwords in clear
|
|
// text on the server→LDAP hop. AllowInsecureLdap is a dev-only escape hatch; warn
|
|
// loudly when a deployment has enabled LDAP and opted into the insecure path.
|
|
if (ldapOptions.Enabled && !ldapOptions.UseTls && ldapOptions.AllowInsecureLdap)
|
|
{
|
|
Log.Warning(
|
|
"LDAP authentication is enabled with UseTls=false and AllowInsecureLdap=true — "
|
|
+ "credentials are sent in clear text on the server→LDAP hop. Set Ldap:UseTls=true "
|
|
+ "(LDAPS) for production deployments.");
|
|
}
|
|
|
|
var opcUaOptions = new OpcUaServerOptions
|
|
{
|
|
EndpointUrl = opcUaSection.GetValue<string>("EndpointUrl") ?? "opc.tcp://0.0.0.0:4840/OtOpcUa",
|
|
ApplicationName = opcUaSection.GetValue<string>("ApplicationName") ?? "OtOpcUa Server",
|
|
ApplicationUri = opcUaSection.GetValue<string>("ApplicationUri") ?? "urn:OtOpcUa:Server",
|
|
PkiStoreRoot = opcUaSection.GetValue<string>("PkiStoreRoot")
|
|
?? Path.Combine(Environment.GetFolderPath(Environment.SpecialFolder.CommonApplicationData), "OtOpcUa", "pki"),
|
|
AutoAcceptUntrustedClientCertificates = opcUaSection.GetValue<bool?>("AutoAcceptUntrustedClientCertificates") ?? true,
|
|
SecurityProfile = Enum.TryParse<OpcUaSecurityProfile>(opcUaSection.GetValue<string>("SecurityProfile"), true, out var p)
|
|
? p : OpcUaSecurityProfile.None,
|
|
Ldap = ldapOptions,
|
|
AnonymousRoles = opcUaSection.GetSection("AnonymousRoles").Get<string[]>() ?? [],
|
|
};
|
|
|
|
builder.Services.AddSingleton(options);
|
|
builder.Services.AddSingleton(opcUaOptions);
|
|
builder.Services.AddSingleton(ldapOptions);
|
|
builder.Services.AddSingleton<IUserAuthenticator>(sp => ldapOptions.Enabled
|
|
? new LdapUserAuthenticator(ldapOptions, sp.GetRequiredService<ILogger<LdapUserAuthenticator>>())
|
|
: new DenyAllUserAuthenticator());
|
|
builder.Services.AddSingleton<ILocalConfigCache>(_ => new LiteDbConfigCache(options.LocalCachePath));
|
|
builder.Services.AddSingleton<DriverHost>();
|
|
builder.Services.AddSingleton<NodeBootstrap>();
|
|
|
|
// Task #248 — driver-instance bootstrap pipeline. DriverFactoryRegistry is the
|
|
// type-name → factory map; each driver project's static Register call pre-loads
|
|
// its factory so the bootstrapper can materialise DriverInstance rows from the
|
|
// central DB into live IDriver instances.
|
|
builder.Services.AddSingleton<DriverFactoryRegistry>(_ =>
|
|
{
|
|
var registry = new DriverFactoryRegistry();
|
|
// Galaxy access flows through the in-process GalaxyDriver (DriverType =
|
|
// "GalaxyMxGateway") talking gRPC to the mxaccessgw worker. The legacy
|
|
// out-of-process GalaxyProxyDriver retired in PR 7.2 once the parity matrix
|
|
// (docs/v2/Galaxy.ParityMatrix.md) verified equivalence.
|
|
ZB.MOM.WW.OtOpcUa.Driver.Galaxy.GalaxyDriverFactoryExtensions.Register(registry);
|
|
FocasDriverFactoryExtensions.Register(registry);
|
|
ModbusDriverFactoryExtensions.Register(registry);
|
|
AbCipDriverFactoryExtensions.Register(registry);
|
|
AbLegacyDriverFactoryExtensions.Register(registry);
|
|
S7DriverFactoryExtensions.Register(registry);
|
|
TwinCATDriverFactoryExtensions.Register(registry);
|
|
return registry;
|
|
});
|
|
builder.Services.AddSingleton<DriverInstanceBootstrapper>();
|
|
|
|
// Phase 6.1 Stream B.4 (task #137) — ScheduledRecycleHostedService. Empty scheduler
|
|
// list by default; DriverInstanceBootstrapper calls AddScheduler for any Tier C driver
|
|
// whose ResilienceConfig carries a RecycleIntervalSeconds AND has an IDriverSupervisor
|
|
// registered in DI. Registered as singleton so DriverInstanceBootstrapper can inject
|
|
// the same instance that the BackgroundService loop drives.
|
|
builder.Services.AddSingleton<ScheduledRecycleHostedService>();
|
|
builder.Services.AddHostedService(sp => sp.GetRequiredService<ScheduledRecycleHostedService>());
|
|
|
|
// ADR-001 Option A wiring — the registry is the handoff between OpcUaServerService's
|
|
// bootstrap-time population pass + OpcUaApplicationHost's StartAsync walker invocation.
|
|
// DriverEquipmentContentRegistry.Get is the equipmentContentLookup delegate that PR #155
|
|
// added to OpcUaApplicationHost's ctor seam.
|
|
builder.Services.AddSingleton<DriverEquipmentContentRegistry>();
|
|
builder.Services.AddScoped<EquipmentNamespaceContentLoader>();
|
|
// Phase 6.2 Stream C wiring — constructs AuthorizationGate + NodeScopeResolver from the
|
|
// published generation's NodeAcl rows + per-driver EquipmentNamespaceContent. Gated by
|
|
// NodeOptions.Authorization.Enabled (default false) so existing deployments don't flip
|
|
// to ACL enforcement accidentally on upgrade.
|
|
builder.Services.AddSingleton<AuthorizationBootstrap>();
|
|
|
|
// PR 1+2.W — server-level history routing + alarm-condition state machine. Singletons
|
|
// shared across every DriverNodeManager. The alarm service runs the Active /
|
|
// Acknowledged / Inactive state machine for any driver that declares alarms via
|
|
// AlarmConditionInfo's sub-attribute refs.
|
|
builder.Services.AddSingleton<IHistoryRouter, HistoryRouter>();
|
|
builder.Services.AddSingleton<AlarmConditionService>();
|
|
|
|
// PR 3.W — Wonderware historian sidecar wiring. Reads Historian:Wonderware:* from
|
|
// configuration; when Enabled=true, registers the .NET 10 client as both an
|
|
// IHistorianDataSource (via IHistoryRouter under the configured driver instance
|
|
// prefix; defaults to "galaxy") and an IAlarmHistorianWriter (consumed by the
|
|
// SqliteStoreAndForwardSink drain worker once task #248 wires it). Disabled
|
|
// deployments fall back to DriverNodeManager's legacy IHistoryProvider adapter
|
|
// for the read path and NullAlarmHistorianSink for the write path — keeping the
|
|
// sidecar fully optional until the legacy paths retire in PR 7.2.
|
|
var wonderwareSection = builder.Configuration.GetSection("Historian:Wonderware");
|
|
var wonderwareEnabled = wonderwareSection.GetValue("Enabled", false);
|
|
if (wonderwareEnabled)
|
|
{
|
|
var wonderwarePrefix = wonderwareSection.GetValue("DriverInstancePrefix", "galaxy")
|
|
?? throw new InvalidOperationException("Historian:Wonderware:DriverInstancePrefix must be a string when configured.");
|
|
var wonderwareOptions = new WonderwareHistorianClientOptions(
|
|
PipeName: wonderwareSection.GetValue<string>("PipeName")
|
|
?? throw new InvalidOperationException("Historian:Wonderware:PipeName must be set when Enabled=true."),
|
|
SharedSecret: wonderwareSection.GetValue<string>("SharedSecret")
|
|
?? throw new InvalidOperationException("Historian:Wonderware:SharedSecret must be set when Enabled=true."),
|
|
PeerName: wonderwareSection.GetValue("PeerName", $"OtOpcUa-{options.NodeId}") ?? "OtOpcUa",
|
|
ConnectTimeout: TimeSpan.FromSeconds(wonderwareSection.GetValue("ConnectTimeoutSeconds", 10)),
|
|
CallTimeout: TimeSpan.FromSeconds(wonderwareSection.GetValue("CallTimeoutSeconds", 30)));
|
|
builder.Services.AddSingleton(wonderwareOptions);
|
|
builder.Services.AddSingleton<WonderwareHistorianClient>();
|
|
builder.Services.AddSingleton<IAlarmHistorianWriter>(sp => sp.GetRequiredService<WonderwareHistorianClient>());
|
|
builder.Services.AddHostedService(sp => new WonderwareHistorianBootstrap(
|
|
sp.GetRequiredService<IHistoryRouter>(),
|
|
sp.GetRequiredService<WonderwareHistorianClient>(),
|
|
wonderwarePrefix,
|
|
sp.GetRequiredService<ILogger<WonderwareHistorianBootstrap>>()));
|
|
}
|
|
|
|
builder.Services.AddSingleton<OpcUaApplicationHost>(sp =>
|
|
{
|
|
var registry = sp.GetRequiredService<DriverEquipmentContentRegistry>();
|
|
return new OpcUaApplicationHost(
|
|
sp.GetRequiredService<OpcUaServerOptions>(),
|
|
sp.GetRequiredService<DriverHost>(),
|
|
sp.GetRequiredService<IUserAuthenticator>(),
|
|
sp.GetRequiredService<ILoggerFactory>(),
|
|
sp.GetRequiredService<ILogger<OpcUaApplicationHost>>(),
|
|
equipmentContentLookup: registry.Get,
|
|
historyRouter: sp.GetRequiredService<IHistoryRouter>(),
|
|
alarmConditionService: sp.GetRequiredService<AlarmConditionService>());
|
|
});
|
|
builder.Services.AddHostedService<OpcUaServerService>();
|
|
|
|
// Central-config DB access for the host-status publisher (LMX follow-up #7). Scoped context
|
|
// so per-heartbeat change-tracking stays isolated; publisher opens one scope per tick.
|
|
builder.Services.AddDbContext<OtOpcUaConfigDbContext>(opt =>
|
|
opt.UseSqlServer(options.ConfigDbConnectionString));
|
|
// Additional pooled factory so Phase 6.3 RedundancyCoordinator (singleton) can create its
|
|
// own scoped DbContext for topology loading without fighting the scoped HostStatusPublisher.
|
|
builder.Services.AddDbContextFactory<OtOpcUaConfigDbContext>(opt =>
|
|
opt.UseSqlServer(options.ConfigDbConnectionString));
|
|
builder.Services.AddHostedService<HostStatusPublisher>();
|
|
|
|
// Phase 6.3 Stream C (task #147) — ServiceLevel + ServerUriArray + RedundancySupport node
|
|
// wiring. Coordinator holds topology; publisher computes ServiceLevel byte + ServerUriArray;
|
|
// hosted service ticks publisher + pushes values onto the Server object via the node writer.
|
|
builder.Services.AddSingleton(sp => new RedundancyCoordinator(
|
|
sp.GetRequiredService<IDbContextFactory<OtOpcUaConfigDbContext>>(),
|
|
sp.GetRequiredService<ILogger<RedundancyCoordinator>>(),
|
|
options.NodeId, options.ClusterId));
|
|
builder.Services.AddSingleton<ApplyLeaseRegistry>();
|
|
builder.Services.AddSingleton<RecoveryStateManager>();
|
|
builder.Services.AddSingleton<PeerReachabilityTracker>();
|
|
builder.Services.AddSingleton(sp => new RedundancyStatePublisher(
|
|
sp.GetRequiredService<RedundancyCoordinator>(),
|
|
sp.GetRequiredService<ApplyLeaseRegistry>(),
|
|
sp.GetRequiredService<RecoveryStateManager>(),
|
|
sp.GetRequiredService<PeerReachabilityTracker>()));
|
|
builder.Services.AddHostedService<RedundancyPublisherHostedService>();
|
|
|
|
// Phase 6.3 Stream B — two-layer peer-probe loops populating PeerReachabilityTracker.
|
|
// Without these the publisher sees PeerReachability.Unknown for every peer and degrades
|
|
// to the Isolated-Primary band (230) even when the peer is up. Safe default but not the
|
|
// full non-transparent-redundancy UX.
|
|
builder.Services.AddSingleton<PeerProbeOptions>();
|
|
builder.Services.AddHttpClient(PeerHttpProbeLoop.HttpClientName);
|
|
builder.Services.AddHostedService<PeerHttpProbeLoop>();
|
|
builder.Services.AddHostedService<PeerUaProbeLoop>();
|
|
|
|
// Phase 6.3 A.2 + 6.1 Stream D — periodic generation refresh. Detects peer-published
|
|
// generations, opens an ApplyLeaseRegistry lease during the refresh window (so the
|
|
// publisher surfaces PrimaryMidApply=200 instead of sitting at PrimaryHealthy=255
|
|
// through the apply), and calls coordinator.RefreshAsync to pick up topology changes.
|
|
builder.Services.AddHostedService<GenerationRefreshHostedService>();
|
|
|
|
// Phase 7 follow-up #246 — historian sink + engine composer. NullAlarmHistorianSink
|
|
// is the default until the Galaxy.Host SqliteStoreAndForwardSink writer adapter
|
|
// lands (task #248). The composer reads Script/VirtualTag/ScriptedAlarm rows on
|
|
// generation bootstrap, builds the engines, and starts the driver-bridge feed.
|
|
builder.Services.AddSingleton<IAlarmHistorianSink>(NullAlarmHistorianSink.Instance);
|
|
builder.Services.AddSingleton(Log.Logger); // Serilog root for ScriptLoggerFactory
|
|
builder.Services.AddSingleton<Phase7Composer>();
|
|
|
|
var host = builder.Build();
|
|
await host.RunAsync();
|