Skip to content

Restrict session security diagnostics access#1803

Merged
kevinherron merged 1 commit into
mainfrom
codex/restrict-session-security-diagnostics
Jul 16, 2026
Merged

Restrict session security diagnostics access#1803
kevinherron merged 1 commit into
mainfrom
codex/restrict-session-security-diagnostics

Conversation

@kevinherron

@kevinherron kevinherron commented Jul 13, 2026

Copy link
Copy Markdown
Contributor

Summary

  • enforce the standard RolePermissions for cross-session security diagnostics and diagnostics EnabledFlag writes in the default RESTRICTED mode
  • propagate RolePermissions, UserRolePermissions, and protected-channel AccessRestrictions to runtime-created security-diagnostics nodes
  • add an explicit LEGACY access mode for servers that need the previous diagnostics authorization behavior without configuring a RoleMapper
  • keep ordinary SessionDiagnostics behavior and DefaultAccessController unchanged

Behavior

In RESTRICTED mode, session-specific UserAccessLevel and UserRolePermissions are derived from the standard node metadata. SecurityAdmin or an explicitly configured equivalent role can read session security diagnostics; ConfigureAdmin, SecurityAdmin, or an explicitly configured equivalent role can write the diagnostics enabled flag. Without a RoleMapper, sensitive Value reads fail closed and the enabled flag remains read-only.

LEGACY mode preserves the previous authorization behavior without requiring role mapping. Signing and encryption restrictions continue to be propagated to runtime-created security-diagnostics nodes in both modes.

Role-based Browse behavior continues to follow the generic access controller's existing RoleMapper semantics; this change adds no diagnostics-specific controller behavior.

Regression coverage

Focused tests cover:

  • restricted access for unmapped and non-admin sessions
  • SecurityAdmin, ConfigureAdmin, and explicitly authorized equivalent roles
  • legacy access without a RoleMapper
  • access-mode config defaults and copy behavior
  • metadata propagation to dynamic array elements and per-session security subtrees
  • separation from ordinary session diagnostics
  • signing and encryption restrictions

Verification

  • mise exec -- mvn -q spotless:apply
  • mise exec -- mvn -q -pl opc-ua-sdk/sdk-server -am test -Dtest=SessionSecurityDiagnosticsAccessModeTest,UtilTest,SessionsDiagnosticsSummaryObjectTest,SessionSecurityDiagnosticsVariableArrayTest -Dsurefire.failIfNoSpecifiedTests=false
  • mise exec -- mvn -q clean compile

@kevinherron
kevinherron force-pushed the codex/restrict-session-security-diagnostics branch from e9f2b9e to 88f7b8b Compare July 16, 2026 02:31
Enforce standard role permissions for security diagnostics and the
diagnostics enabled flag, and propagate role and channel restrictions
to dynamically created security nodes. Keep ordinary session
diagnostics and generic access control unchanged.

Provide an explicit legacy access mode so upgrading servers can
preserve the previous authorization behavior without configuring a
RoleMapper.
@kevinherron
kevinherron force-pushed the codex/restrict-session-security-diagnostics branch from ecf63b0 to 6bc1aaa Compare July 16, 2026 02:46
@kevinherron
kevinherron marked this pull request as ready for review July 16, 2026 11:43
@kevinherron kevinherron added this to the 1.1.5 milestone Jul 16, 2026
@kevinherron
kevinherron merged commit a5dae1b into main Jul 16, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant