Fix user token policy IDs for endpoint variants#1787
Merged
Conversation
Derive advertised user token policies from each endpoint's effective security policy so reused configured policy IDs are disambiguated when they would otherwise describe different token policies.
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Milo now advertises user token policies with IDs that remain unique when the same configured policy is reused across endpoint variants with different effective security policies. This addresses the Standard 2025 CTT
Security User Token / Security User Name Password 2 / 015.jsfailure without mutating configuredEndpointConfigpolicies or shared token constants.UserTokenPolicycopies inEndpointDescription.Key Changes
anonymous-Basic256Sha256.EndpointDescription, the remapped policy IDs advertised byGetEndpointsare accepted by the activation policy lookup path.Testing
OpcUaServerEndpointDescriptionTestcovers reused anonymous token policies overNoneandBasic256Sha256endpoint variants, verifies configured policies/constants remain unchanged, and checks the suffixed advertised policy ID passesSessionManagerpolicy validation.mvn -q spotless:applymvn -q -pl opc-ua-sdk/sdk-server -am test -Dtest=OpcUaServerEndpointDescriptionTest -Dsurefire.failIfNoSpecifiedTests=falsemvn -q clean compileLive CTT was not run from this worker thread per the shared endpoint/project lock. The focused CTT selection was generated at
/Users/kevin/Documents/CTT/milo-demo-server-105/codex-runs/user-token-policy-id-uniqueness.selection.xmlfor the orchestrator's serialized train rerun.References
UserTokenPolicy: https://reference.opcfoundation.org/specs/OPC-10000-4/7.41