GDS: implement ApplicationSelfAdmin privilege in GlobalDiscoverySampleServer

[romanett]

Proposed changes

Many OPC UA Pull Clients rely on the GDS implementing the ApplicationSelfAdmin privilege, to pull the trust list after sucessfully receiving a gds signed certificate. This pull request implements this authorization mehtod.
This authorization is described here in the OPC Spec:
https://reference.opcfoundation.org/GDS/v105/docs/7.6

Related Issues

• Fixes / Implements GDS pull model method authorization UA-.NETStandard-Samples#231
  (GDS pull model method authorization)

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• Enhancement (non-breaking change which adds functionality)
• Test enhancement (non-breaking change to increase test coverage)
• Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
• Documentation Update (if none of the other choices apply)

Checklist

• I have read the CONTRIBUTING doc.
• I have signed the CLA.
• I ran tests locally with my changes, all passed.
• I fixed all failing tests in the CI pipelines.
• I fixed all introduced issues with CodeQL and LGTM.
• I have added tests that prove my fix is effective or that my feature works and increased code coverage.
• I have added necessary documentation (if appropriate).
• Any dependent changes have been merged and published in downstream modules.

Further comments

[codecov]

Codecov Report

Attention: Patch coverage is 86.66667% with 20 lines in your changes are missing coverage. Please review.

Project coverage is 53.92%. Comparing base (f91644e) to head (065b392).
Report is 3 commits behind head on master.

Files	Patch %	Lines
...mon/RoleBasedUserManagement/AuthorizationHelper.cs	79.06%	4 Missing and 5 partials ⚠️
...a.Gds.Server.Common/GlobalDiscoverySampleServer.cs	86.04%	4 Missing and 2 partials ⚠️
...pc.Ua.Gds.Server.Common/ApplicationsNodeManager.cs	88.00%	2 Missing and 1 partial ⚠️
...s.Server.Common/RoleBasedUserManagement/GdsRole.cs	83.33%	2 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #2338      +/-   ##
==========================================
- Coverage   54.08%   53.92%   -0.17%     
==========================================
  Files         334      335       +1     
  Lines       64430    64509      +79     
  Branches    13241    13265      +24     
==========================================
- Hits        34850    34787      -63     
- Misses      25840    25955     +115     
- Partials     3740     3767      +27     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[ThomasNehring]

The functionality of this pull request was in parts successfully tested with the UAExpert as a client and the NetCoreGlobalDiscoveryServer from the Samples as a GDS (with the changes of the PR applied to the GDS server library). After registering the UAExpert to the NetCoreGlobalDicoveryServer by manually adding the UAExperts certificate to the trust and applications folder, the UAExpert could issue a certificate signing request and finish it on behalf of itself. Alse the GetTrustList method could be called.

[romanett]

Pleased to hear that. For a fully automatic workflow the changes from this pull request are needed as well:
#2333

You need to call the Method AddOwnCertificateToTrustedStoreAsync() with the GDS CA as parameter, so that the GDS trusts the CA signed Certificate of the UAExpert.

Then the UAExpert can receive the TrustList as well using the GDS Pull registration.

[mregen]

Hi @romanett, I started playing with your implementation and I would really like to see a positive/negative tests where a non registered or registered application try to walk through the permitted steps like self renew etc. and pass / fail. Its a security feature so we need to ensure all pieces positive/negative cases are covered.

[mregen]

@romaett , is there a conflict with #2444?
Should we wait before merging this one?

[romanett]

@mregen you can merge #2444

I still have some issues, after exchanging the cert the Server refuses the Connection.

[mregen]

Hi @romanett, please fix the merge conflict. With the coming 1.5 nodeset --> #2423 there are also some new GDS methods available.

[mregen]

@mregen ready for review. Tests will pass as soon as #2478 is merged.

To manually test set breakpoint at ClientTest Line 995 ConnectGds(false,true). On this breakpoint copy everything from Appdata/local/opc/gds/ca/trusted to Appdata/local/opc/gds/issuers.

Then all tests will pass inlc reading out trust list

Hi @romanett, can I take another look?

[romanett]

@mregen yes, well known roles are implemented now

[mregen]

[mregen]

looks like I broke some tests, but the problem may have been hidden before due to some async code which was not awaited.

[romanett]

looks like I broke some tests, but the problem may have been hidden before due to some async code which was not awaited.

fails because GDS CA is not trusted by the Client, this error was hidden before.

We don´t need the validation here because it is test code, i changed the code to directly apply the certificate:

Or should I add the CA to the Issuer store?

02/26/2024 17:20:31.158 Checking application instance certificate.
02/26/2024 17:20:31.172 Imported the PFX private key for [6DA110E17C62FF415A7DCDCE326ACD4F026270BF].
02/26/2024 17:20:31.174 Check certificate: [CN=Global Discovery Client, DC=unserlaptop, O=OPC Foundation] [6DA110E17C62FF415A7DCDCE326ACD4F026270BF]
02/26/2024 17:20:31.175 Check application instance certificate. [CN=Global Discovery Client, DC=unserlaptop, O=OPC Foundation] [6DA110E17C62FF415A7DCDCE326ACD4F026270BF]
02/26/2024 17:20:31.183 Certificate validation failed with suppressible errors but was rejected. Reason=BadCertificateChainIncomplete. [CN=Global Discovery Client, DC=unserlaptop, O=OPC Foundation] [6DA110E17C62FF415A7DCDCE326ACD4F026270BF]
02/26/2024 17:20:31.184 -- BadCertificateUntrusted 'Certificate is not trusted.'
02/26/2024 17:20:31.184 -- BadCertificateUntrusted 'Certificate Issuer is not trusted.'
02/26/2024 17:20:31.188 Error validating certificate. Exception: Certificate chain validation incomplete.. Use certificate anyway?
02/26/2024 17:20:31.215 Subscription - ConditionRefresh Thread 00000013 Exited Normally.
02/26/2024 17:20:31.215 Subscription - Publish Thread 00000012 Exited Normally.