adf794f791
Server-002 — AuthorizationGate lax-mode no longer overrides explicit deny. IsAllowed now switches on the evaluator's AuthorizationVerdict: Allow -> true, Denied (an authored deny rule matched) -> false in BOTH strict and lax mode, and only the indeterminate NotGranted case falls through to !_strictMode. Previously `if (decision.IsAllowed) return true; return !_strictMode;` let lax mode (the default) nullify authored NodeAcl deny rules for fully-resolved sessions. The tri-state AuthorizationVerdict.Denied member is now honoured. Server-009 — LDAP is secure-by-default. LdapOptions.AllowInsecureLdap now defaults to false (was true) and Program.cs's config fallback reads `?? false` (was `?? true`), so an LDAP-enabled deployment will not bind credentials over an unencrypted socket unless an operator explicitly opts in. Program.cs also logs a startup warning when LDAP is enabled with UseTls=false and AllowInsecureLdap=true, flagging the clear-text server->LDAP credential hop. Regression tests: AuthorizationGateTests covers all four verdict x mode combinations via a fixed-verdict evaluator stub; new LdapOptionsTests asserts the secure defaults. Both Server and Server.Tests build clean; the 15 targeted tests pass. Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
185 lines
6.1 KiB
C#
185 lines
6.1 KiB
C#
using Opc.Ua;
|
|
using Shouldly;
|
|
using Xunit;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
|
|
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
|
|
using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
|
|
using ZB.MOM.WW.OtOpcUa.Core.Authorization;
|
|
using ZB.MOM.WW.OtOpcUa.Server.Security;
|
|
|
|
namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
|
|
|
|
[Trait("Category", "Unit")]
|
|
public sealed class AuthorizationGateTests
|
|
{
|
|
private static NodeScope Scope(string cluster = "c1", string? tag = "tag1") => new()
|
|
{
|
|
ClusterId = cluster,
|
|
NamespaceId = "ns",
|
|
UnsAreaId = "area",
|
|
UnsLineId = "line",
|
|
EquipmentId = "eq",
|
|
TagId = tag,
|
|
Kind = NodeHierarchyKind.Equipment,
|
|
};
|
|
|
|
private static NodeAcl Row(string group, NodePermissions flags) => new()
|
|
{
|
|
NodeAclRowId = Guid.NewGuid(),
|
|
NodeAclId = Guid.NewGuid().ToString(),
|
|
GenerationId = 1,
|
|
ClusterId = "c1",
|
|
LdapGroup = group,
|
|
ScopeKind = NodeAclScopeKind.Cluster,
|
|
ScopeId = null,
|
|
PermissionFlags = flags,
|
|
};
|
|
|
|
private static AuthorizationGate MakeGate(bool strict, NodeAcl[] rows)
|
|
{
|
|
var cache = new PermissionTrieCache();
|
|
cache.Install(PermissionTrieBuilder.Build("c1", 1, rows));
|
|
var evaluator = new TriePermissionEvaluator(cache);
|
|
return new AuthorizationGate(evaluator, strictMode: strict);
|
|
}
|
|
|
|
private sealed class FakeIdentity : UserIdentity, ILdapGroupsBearer
|
|
{
|
|
public FakeIdentity(string name, IReadOnlyList<string> groups)
|
|
{
|
|
DisplayName = name;
|
|
LdapGroups = groups;
|
|
}
|
|
public new string DisplayName { get; }
|
|
public IReadOnlyList<string> LdapGroups { get; }
|
|
}
|
|
|
|
[Fact]
|
|
public void NullIdentity_StrictMode_Denies()
|
|
{
|
|
var gate = MakeGate(strict: true, rows: []);
|
|
gate.IsAllowed(null, OpcUaOperation.Read, Scope()).ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void NullIdentity_LaxMode_Allows()
|
|
{
|
|
var gate = MakeGate(strict: false, rows: []);
|
|
gate.IsAllowed(null, OpcUaOperation.Read, Scope()).ShouldBeTrue();
|
|
}
|
|
|
|
[Fact]
|
|
public void IdentityWithoutLdapGroups_StrictMode_Denies()
|
|
{
|
|
var gate = MakeGate(strict: true, rows: []);
|
|
var identity = new UserIdentity(); // anonymous, no LDAP groups
|
|
|
|
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void IdentityWithoutLdapGroups_LaxMode_Allows()
|
|
{
|
|
var gate = MakeGate(strict: false, rows: []);
|
|
var identity = new UserIdentity();
|
|
|
|
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeTrue();
|
|
}
|
|
|
|
[Fact]
|
|
public void LdapGroupWithGrant_Allows()
|
|
{
|
|
var gate = MakeGate(strict: true, rows: [Row("cn=ops", NodePermissions.Read)]);
|
|
var identity = new FakeIdentity("ops-user", ["cn=ops"]);
|
|
|
|
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeTrue();
|
|
}
|
|
|
|
[Fact]
|
|
public void LdapGroupWithoutGrant_StrictMode_Denies()
|
|
{
|
|
var gate = MakeGate(strict: true, rows: [Row("cn=ops", NodePermissions.Read)]);
|
|
var identity = new FakeIdentity("other-user", ["cn=other"]);
|
|
|
|
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void WrongOperation_Denied()
|
|
{
|
|
var gate = MakeGate(strict: true, rows: [Row("cn=ops", NodePermissions.Read)]);
|
|
var identity = new FakeIdentity("ops-user", ["cn=ops"]);
|
|
|
|
gate.IsAllowed(identity, OpcUaOperation.WriteOperate, Scope()).ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void BuildSessionState_IncludesLdapGroups()
|
|
{
|
|
var gate = MakeGate(strict: true, rows: []);
|
|
var identity = new FakeIdentity("u", ["cn=a", "cn=b"]);
|
|
|
|
var state = gate.BuildSessionState(identity, "c1");
|
|
|
|
state.ShouldNotBeNull();
|
|
state!.LdapGroups.Count.ShouldBe(2);
|
|
state.ClusterId.ShouldBe("c1");
|
|
}
|
|
|
|
[Fact]
|
|
public void BuildSessionState_ReturnsNull_ForIdentityWithoutLdapGroups()
|
|
{
|
|
var gate = MakeGate(strict: true, rows: []);
|
|
|
|
gate.BuildSessionState(new UserIdentity(), "c1").ShouldBeNull();
|
|
}
|
|
|
|
/// <summary>Evaluator stub that always returns a fixed verdict — lets the gate's
|
|
/// verdict handling be exercised independent of the trie evaluator (which only ever
|
|
/// produces Allow / NotGranted).</summary>
|
|
private sealed class FixedVerdictEvaluator(AuthorizationVerdict verdict) : IPermissionEvaluator
|
|
{
|
|
public AuthorizationDecision Authorize(UserAuthorizationState session, OpcUaOperation operation, NodeScope scope)
|
|
=> new(verdict, []);
|
|
}
|
|
|
|
// Server-002 regression: an explicit Denied verdict must be honoured in BOTH modes —
|
|
// the lax-mode fallback covers only the indeterminate (NotGranted) case.
|
|
|
|
[Fact]
|
|
public void ExplicitDeny_LaxMode_Denies()
|
|
{
|
|
var gate = new AuthorizationGate(new FixedVerdictEvaluator(AuthorizationVerdict.Denied), strictMode: false);
|
|
var identity = new FakeIdentity("ops-user", ["cn=ops"]);
|
|
|
|
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void ExplicitDeny_StrictMode_Denies()
|
|
{
|
|
var gate = new AuthorizationGate(new FixedVerdictEvaluator(AuthorizationVerdict.Denied), strictMode: true);
|
|
var identity = new FakeIdentity("ops-user", ["cn=ops"]);
|
|
|
|
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
|
|
}
|
|
|
|
[Fact]
|
|
public void NotGranted_LaxMode_Allows()
|
|
{
|
|
var gate = new AuthorizationGate(new FixedVerdictEvaluator(AuthorizationVerdict.NotGranted), strictMode: false);
|
|
var identity = new FakeIdentity("ops-user", ["cn=ops"]);
|
|
|
|
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeTrue();
|
|
}
|
|
|
|
[Fact]
|
|
public void NotGranted_StrictMode_Denies()
|
|
{
|
|
var gate = new AuthorizationGate(new FixedVerdictEvaluator(AuthorizationVerdict.NotGranted), strictMode: true);
|
|
var identity = new FakeIdentity("ops-user", ["cn=ops"]);
|
|
|
|
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
|
|
}
|
|
}
|