dohertj2/lmxopcua
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c4824bea12d69af9e98ae363e9058116c9d13b08
lmxopcua/tests/ZB.MOM.WW.OtOpcUa.Server.Tests/AuthorizationGateTests.cs
Joseph Doherty 8efb99b6be Phase 6.2 Stream C (foundation) — AuthorizationGate + ILdapGroupsBearer 
Lands the integration seam between the Server project's OPC UA stack and the
Core.Authorization evaluator. Actual DriverNodeManager dispatch-path wiring
(Read/Write/HistoryRead/Browse/Call/Subscribe/Alarm surfaces) lands in the
follow-up PR on this branch — covered by Task #143 below.

Server.Security additions:
- ILdapGroupsBearer — marker interface a custom IUserIdentity implements to
  expose its resolved LDAP group DNs. Parallel to the existing IRoleBearer
  (admin roles) — control/data-plane separation per decision #150.
- AuthorizationGate — stateless bridge between Opc.Ua.IUserIdentity and
  IPermissionEvaluator. IsAllowed(identity, operation, scope) materializes a
  UserAuthorizationState from the identity's LDAP groups, delegates to the
  evaluator, and returns a single bool the dispatch paths use to decide
  whether to surface BadUserAccessDenied.
- StrictMode knob controls fail-open-during-transition vs fail-closed:
  - strict=false (default during rollout) — null identity, identity without
    ILdapGroupsBearer, or NotGranted outcome all return true so older
    deployments without ACL data keep working.
  - strict=true (production target) — any of the above returns false.
  The appsetting `Authorization:StrictMode = true` flips deployments over
  once their ACL data is populated.

Tests (9 new in Server.Tests/AuthorizationGateTests):
- Null identity — strict denies, lax allows.
- Identity without LDAP groups — strict denies, lax allows.
- LDAP group with matching grant allows.
- LDAP group without grant — strict denies.
- Wrong operation denied (Read-only grant, WriteOperate requested).
- BuildSessionState returns materialized state with LDAP groups + null when
  identity doesn't carry them.

Full solution dotnet test: 1087 passing (Phase 6.1 = 1042, Phase 6.2 A = +9,
B = +27, C foundation = +9 = 1087). Pre-existing Client.CLI Subscribe flake
unchanged.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-04-19 09:33:51 -04:00

137 lines
4.1 KiB
C#
Raw Blame History

using Opc.Ua;
using Shouldly;
using Xunit;
using ZB.MOM.WW.OtOpcUa.Configuration.Entities;
using ZB.MOM.WW.OtOpcUa.Configuration.Enums;
using ZB.MOM.WW.OtOpcUa.Core.Abstractions;
using ZB.MOM.WW.OtOpcUa.Core.Authorization;
using ZB.MOM.WW.OtOpcUa.Server.Security;
namespace ZB.MOM.WW.OtOpcUa.Server.Tests;
[Trait("Category", "Unit")]
public sealed class AuthorizationGateTests
{
private static NodeScope Scope(string cluster = "c1", string? tag = "tag1") => new()
{
ClusterId = cluster,
NamespaceId = "ns",
UnsAreaId = "area",
UnsLineId = "line",
EquipmentId = "eq",
TagId = tag,
Kind = NodeHierarchyKind.Equipment,
};
private static NodeAcl Row(string group, NodePermissions flags) => new()
{
NodeAclRowId = Guid.NewGuid(),
NodeAclId = Guid.NewGuid().ToString(),
GenerationId = 1,
ClusterId = "c1",
LdapGroup = group,
ScopeKind = NodeAclScopeKind.Cluster,
ScopeId = null,
PermissionFlags = flags,
};
private static AuthorizationGate MakeGate(bool strict, NodeAcl[] rows)
{
var cache = new PermissionTrieCache();
cache.Install(PermissionTrieBuilder.Build("c1", 1, rows));
var evaluator = new TriePermissionEvaluator(cache);
return new AuthorizationGate(evaluator, strictMode: strict);
}
private sealed class FakeIdentity : UserIdentity, ILdapGroupsBearer
{
public FakeIdentity(string name, IReadOnlyList<string> groups)
{
DisplayName = name;
LdapGroups = groups;
}
public new string DisplayName { get; }
public IReadOnlyList<string> LdapGroups { get; }
}
[Fact]
public void NullIdentity_StrictMode_Denies()
{
var gate = MakeGate(strict: true, rows: []);
gate.IsAllowed(null, OpcUaOperation.Read, Scope()).ShouldBeFalse();
}
[Fact]
public void NullIdentity_LaxMode_Allows()
{
var gate = MakeGate(strict: false, rows: []);
gate.IsAllowed(null, OpcUaOperation.Read, Scope()).ShouldBeTrue();
}
[Fact]
public void IdentityWithoutLdapGroups_StrictMode_Denies()
{
var gate = MakeGate(strict: true, rows: []);
var identity = new UserIdentity(); // anonymous, no LDAP groups
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
}
[Fact]
public void IdentityWithoutLdapGroups_LaxMode_Allows()
{
var gate = MakeGate(strict: false, rows: []);
var identity = new UserIdentity();
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeTrue();
}
[Fact]
public void LdapGroupWithGrant_Allows()
{
var gate = MakeGate(strict: true, rows: [Row("cn=ops", NodePermissions.Read)]);
var identity = new FakeIdentity("ops-user", ["cn=ops"]);
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeTrue();
}
[Fact]
public void LdapGroupWithoutGrant_StrictMode_Denies()
{
var gate = MakeGate(strict: true, rows: [Row("cn=ops", NodePermissions.Read)]);
var identity = new FakeIdentity("other-user", ["cn=other"]);
gate.IsAllowed(identity, OpcUaOperation.Read, Scope()).ShouldBeFalse();
}
[Fact]
public void WrongOperation_Denied()
{
var gate = MakeGate(strict: true, rows: [Row("cn=ops", NodePermissions.Read)]);
var identity = new FakeIdentity("ops-user", ["cn=ops"]);
gate.IsAllowed(identity, OpcUaOperation.WriteOperate, Scope()).ShouldBeFalse();
}
[Fact]
public void BuildSessionState_IncludesLdapGroups()
{
var gate = MakeGate(strict: true, rows: []);
var identity = new FakeIdentity("u", ["cn=a", "cn=b"]);
var state = gate.BuildSessionState(identity, "c1");
state.ShouldNotBeNull();
state!.LdapGroups.Count.ShouldBe(2);
state.ClusterId.ShouldBe("c1");
}
[Fact]
public void BuildSessionState_ReturnsNull_ForIdentityWithoutLdapGroups()
{
var gate = MakeGate(strict: true, rows: []);
gate.BuildSessionState(new UserIdentity(), "c1").ShouldBeNull();
}
}
Reference in New Issue View Git Blame Copy Permalink