e4dae01bac
ScriptContext abstract base defines the API user scripts see as ctx — GetTag(string) returns DataValueSnapshot so scripts branch on quality naturally, SetVirtualTag(string, object?) is the only write path virtual tags have (OPC UA client writes to virtual nodes rejected separately in DriverNodeManager per ADR-002), Now + Logger + Deadband static helper round out the surface. Concrete subclasses in Streams B + C plug in actual tag backends + per-script Serilog loggers.
ScriptSandbox.Build(contextType) produces the ScriptOptions for every compile — explicit allow-list of six assemblies (System.Private.CoreLib / System.Linq / Core.Abstractions / Core.Scripting / Serilog / the context type's own assembly), with a matching import list so scripts don't need using clauses. Allow-list is plan-level — expanding it is not a casual change.
DependencyExtractor uses CSharpSyntaxWalker to find every ctx.GetTag("literal") and ctx.SetVirtualTag("literal", ...) call, rejects every non-literal path (variable, concatenation, interpolation, method-returned). Rejections carry the exact TextSpan so the Admin UI can point at the offending token. Reads + writes are returned as two separate sets so the virtual-tag engine (Stream B) knows both the subscription targets and the write targets.
Sandbox enforcement turned out needing a second-pass semantic analyzer because .NET 10's type forwarding makes assembly-level restriction leaky — System.Net.Http.HttpClient resolves even with WithReferences limited to six assemblies. ForbiddenTypeAnalyzer runs after Roslyn's Compile() against the SemanticModel, walks every ObjectCreationExpression / InvocationExpression / MemberAccessExpression / IdentifierName, resolves to the containing type's namespace, and rejects any prefix-match against the deny-list (System.IO, System.Net, System.Diagnostics, System.Reflection, System.Threading.Thread, System.Runtime.InteropServices, Microsoft.Win32). Rejections throw ScriptSandboxViolationException with the aggregated list + source spans so the Admin UI surfaces every violation in one round-trip instead of whack-a-mole. System.Environment explicitly stays allowed (read-only process state, doesn't persist or leak outside) and that compromise is pinned by a dedicated test.
ScriptGlobals<TContext> wraps the context as a named field so scripts see ctx instead of the bare globalsType-member-access convention Roslyn defaults to — keeps script ergonomics (ctx.GetTag) consistent with the AST walker's parse shape and the Admin UI's hand-written type stub (coming in Stream F). Generic on TContext so Stream C's alarm-predicate context with an Alarm property inherits cleanly.
ScriptEvaluator<TContext, TResult>.Compile is the three-step gate: (1) Roslyn compile — throws CompilationErrorException on syntax/type errors with Location-carrying diagnostics; (2) ForbiddenTypeAnalyzer semantic pass — catches type-forwarding sandbox escapes; (3) delegate creation. Runtime exceptions from user code propagate unwrapped — the virtual-tag engine in Stream B catches + maps per-tag to BadInternalError quality per Phase 7 decision #11.
29 unit tests covering every surface: DependencyExtractorTests has 14 theories — single/multiple/deduplicated reads, separate write tracking, rejection of variable/concatenated/interpolated/method-returned/empty/whitespace paths, ignoring non-ctx methods named GetTag, empty-source no-op, source span carried in rejections, multiple bad paths reported in one pass, nested literal extraction. ScriptSandboxTests has 15 — happy-path compile + run, SetVirtualTag round-trip, rejection of File.IO + HttpClient + Process.Start + Reflection.Assembly.Load via ScriptSandboxViolationException, Environment.GetEnvironmentVariable explicitly allowed (pinned compromise), script-exception propagation, ctx.Now reachable, Deadband static reachable, LINQ Where/Sum reachable, DataValueSnapshot usable in scripts including quality branches, compile error carries source location.
Next two PRs within Stream A: A.2 adds the compile cache (source-hash keyed) + per-evaluation timeout wrapper; A.3 wires the dedicated scripts-*.log Serilog rolling sink with structured-property filtering + the companion-warning enricher to the main log.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
183 lines
6.6 KiB
C#
183 lines
6.6 KiB
C#
using Microsoft.CodeAnalysis.Scripting;
|
|
using Shouldly;
|
|
using Xunit;
|
|
using ZB.MOM.WW.OtOpcUa.Core.Scripting;
|
|
|
|
namespace ZB.MOM.WW.OtOpcUa.Core.Scripting.Tests;
|
|
|
|
/// <summary>
|
|
/// Compiles scripts against the Phase 7 sandbox + asserts every forbidden API
|
|
/// (HttpClient / File / Process / reflection) fails at compile, not at evaluation.
|
|
/// Locks decision #6 — scripts can't escape to the broader .NET surface.
|
|
/// </summary>
|
|
[Trait("Category", "Unit")]
|
|
public sealed class ScriptSandboxTests
|
|
{
|
|
[Fact]
|
|
public void Happy_path_script_compiles_and_returns()
|
|
{
|
|
// Baseline — ctx + Math + basic types must work.
|
|
var evaluator = ScriptEvaluator<FakeScriptContext, double>.Compile(
|
|
"""
|
|
var v = (double)ctx.GetTag("X").Value;
|
|
return Math.Abs(v) * 2.0;
|
|
""");
|
|
evaluator.ShouldNotBeNull();
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Happy_path_script_runs_and_reads_seeded_tag()
|
|
{
|
|
var evaluator = ScriptEvaluator<FakeScriptContext, double>.Compile(
|
|
"""return (double)ctx.GetTag("In").Value * 2.0;""");
|
|
|
|
var ctx = new FakeScriptContext().Seed("In", 21.0);
|
|
var result = await evaluator.RunAsync(ctx, TestContext.Current.CancellationToken);
|
|
result.ShouldBe(42.0);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task SetVirtualTag_records_the_write()
|
|
{
|
|
var evaluator = ScriptEvaluator<FakeScriptContext, int>.Compile(
|
|
"""
|
|
ctx.SetVirtualTag("Out", 42);
|
|
return 0;
|
|
""");
|
|
var ctx = new FakeScriptContext();
|
|
await evaluator.RunAsync(ctx, TestContext.Current.CancellationToken);
|
|
ctx.Writes.Count.ShouldBe(1);
|
|
ctx.Writes[0].Path.ShouldBe("Out");
|
|
ctx.Writes[0].Value.ShouldBe(42);
|
|
}
|
|
|
|
[Fact]
|
|
public void Rejects_File_IO_at_compile()
|
|
{
|
|
Should.Throw<ScriptSandboxViolationException>(() =>
|
|
ScriptEvaluator<FakeScriptContext, string>.Compile(
|
|
"""return System.IO.File.ReadAllText("c:/secrets.txt");"""));
|
|
}
|
|
|
|
[Fact]
|
|
public void Rejects_HttpClient_at_compile()
|
|
{
|
|
Should.Throw<ScriptSandboxViolationException>(() =>
|
|
ScriptEvaluator<FakeScriptContext, int>.Compile(
|
|
"""
|
|
var c = new System.Net.Http.HttpClient();
|
|
return 0;
|
|
"""));
|
|
}
|
|
|
|
[Fact]
|
|
public void Rejects_Process_Start_at_compile()
|
|
{
|
|
Should.Throw<ScriptSandboxViolationException>(() =>
|
|
ScriptEvaluator<FakeScriptContext, int>.Compile(
|
|
"""
|
|
System.Diagnostics.Process.Start("cmd.exe");
|
|
return 0;
|
|
"""));
|
|
}
|
|
|
|
[Fact]
|
|
public void Rejects_Reflection_Assembly_Load_at_compile()
|
|
{
|
|
Should.Throw<ScriptSandboxViolationException>(() =>
|
|
ScriptEvaluator<FakeScriptContext, int>.Compile(
|
|
"""
|
|
System.Reflection.Assembly.Load("System.Core");
|
|
return 0;
|
|
"""));
|
|
}
|
|
|
|
[Fact]
|
|
public void Rejects_Environment_GetEnvironmentVariable_at_compile()
|
|
{
|
|
// Environment lives in System.Private.CoreLib (allow-listed for primitives) —
|
|
// BUT calling .GetEnvironmentVariable exposes process state we don't want in
|
|
// scripts. In an allow-list sandbox this passes because mscorlib is allowed;
|
|
// relying on ScriptSandbox alone isn't enough for the Environment class. We
|
|
// document here that the CURRENT sandbox allows Environment — acceptable because
|
|
// Environment doesn't leak outside the process boundary, doesn't side-effect
|
|
// persistent state, and Phase 7 plan decision #6 targets File/Net/Process/
|
|
// reflection specifically.
|
|
//
|
|
// This test LOCKS that compromise: operators should not be surprised if a
|
|
// script reads an env var. If we later decide to tighten, this test flips.
|
|
var evaluator = ScriptEvaluator<FakeScriptContext, string?>.Compile(
|
|
"""return System.Environment.GetEnvironmentVariable("PATH");""");
|
|
evaluator.ShouldNotBeNull();
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Script_exception_propagates_unwrapped()
|
|
{
|
|
var evaluator = ScriptEvaluator<FakeScriptContext, int>.Compile(
|
|
"""throw new InvalidOperationException("boom");""");
|
|
await Should.ThrowAsync<InvalidOperationException>(async () =>
|
|
await evaluator.RunAsync(new FakeScriptContext(), TestContext.Current.CancellationToken));
|
|
}
|
|
|
|
[Fact]
|
|
public void Ctx_Now_is_available_without_DateTime_UtcNow_reaching_wall_clock()
|
|
{
|
|
// Scripts that need a timestamp go through ctx.Now so tests can pin it.
|
|
var evaluator = ScriptEvaluator<FakeScriptContext, DateTime>.Compile("""return ctx.Now;""");
|
|
evaluator.ShouldNotBeNull();
|
|
}
|
|
|
|
[Fact]
|
|
public void Deadband_helper_is_reachable_from_scripts()
|
|
{
|
|
var evaluator = ScriptEvaluator<FakeScriptContext, bool>.Compile(
|
|
"""return ScriptContext.Deadband(10.5, 10.0, 0.3);""");
|
|
evaluator.ShouldNotBeNull();
|
|
}
|
|
|
|
[Fact]
|
|
public async Task Linq_Enumerable_is_available_from_scripts()
|
|
{
|
|
// LINQ is in the allow-list because SCADA math frequently wants Sum / Average
|
|
// / Where. Confirm it works.
|
|
var evaluator = ScriptEvaluator<FakeScriptContext, int>.Compile(
|
|
"""
|
|
var nums = new[] { 1, 2, 3, 4, 5 };
|
|
return nums.Where(n => n > 2).Sum();
|
|
""");
|
|
var result = await evaluator.RunAsync(new FakeScriptContext(), TestContext.Current.CancellationToken);
|
|
result.ShouldBe(12);
|
|
}
|
|
|
|
[Fact]
|
|
public async Task DataValueSnapshot_is_usable_in_scripts()
|
|
{
|
|
// ctx.GetTag returns DataValueSnapshot so scripts branch on quality.
|
|
var evaluator = ScriptEvaluator<FakeScriptContext, bool>.Compile(
|
|
"""
|
|
var v = ctx.GetTag("T");
|
|
return v.StatusCode == 0;
|
|
""");
|
|
var ctx = new FakeScriptContext().Seed("T", 5.0);
|
|
var result = await evaluator.RunAsync(ctx, TestContext.Current.CancellationToken);
|
|
result.ShouldBeTrue();
|
|
}
|
|
|
|
[Fact]
|
|
public void Compile_error_gives_location_in_diagnostics()
|
|
{
|
|
// Compile errors must carry the source span so the Admin UI can point at them.
|
|
try
|
|
{
|
|
ScriptEvaluator<FakeScriptContext, int>.Compile("""return fooBarBaz + 1;""");
|
|
Assert.Fail("expected CompilationErrorException");
|
|
}
|
|
catch (CompilationErrorException ex)
|
|
{
|
|
ex.Diagnostics.ShouldNotBeEmpty();
|
|
ex.Diagnostics[0].Location.ShouldNotBeNull();
|
|
}
|
|
}
|
|
}
|