Skip to content

Fix user token policy IDs for endpoint variants#1787

Merged
kevinherron merged 1 commit into
mainfrom
ctt/fix/user-token-policy-id-uniqueness
Jul 1, 2026
Merged

Fix user token policy IDs for endpoint variants#1787
kevinherron merged 1 commit into
mainfrom
ctt/fix/user-token-policy-id-uniqueness

Conversation

@kevinherron

Copy link
Copy Markdown
Contributor

Summary

Milo now advertises user token policies with IDs that remain unique when the same configured policy is reused across endpoint variants with different effective security policies. This addresses the Standard 2025 CTT Security User Token / Security User Name Password 2 / 015.js failure without mutating configured EndpointConfig policies or shared token constants.

  • Derives advertised user token policies from each endpoint's effective security policy so null or empty token security policy URIs are treated as the endpoint security policy.
  • Preserves existing configuration objects and public constants while emitting adjusted UserTokenPolicy copies in EndpointDescription.
  • Adds focused regression coverage for both discovery output and activation policy lookup.

Key Changes

  • Endpoint description generation: User token policies are keyed across all configured endpoints before endpoint descriptions are built. Existing policy IDs are preserved when they describe one effective token policy, and conflicting variants receive deterministic suffixes such as anonymous-Basic256Sha256.
  • Session compatibility: Because sessions use the generated EndpointDescription, the remapped policy IDs advertised by GetEndpoints are accepted by the activation policy lookup path.

Testing

  • OpcUaServerEndpointDescriptionTest covers reused anonymous token policies over None and Basic256Sha256 endpoint variants, verifies configured policies/constants remain unchanged, and checks the suffixed advertised policy ID passes SessionManager policy validation.
  • mvn -q spotless:apply
  • mvn -q -pl opc-ua-sdk/sdk-server -am test -Dtest=OpcUaServerEndpointDescriptionTest -Dsurefire.failIfNoSpecifiedTests=false
  • mvn -q clean compile

Live CTT was not run from this worker thread per the shared endpoint/project lock. The focused CTT selection was generated at /Users/kevin/Documents/CTT/milo-demo-server-105/codex-runs/user-token-policy-id-uniqueness.selection.xml for the orchestrator's serialized train rerun.

References

Derive advertised user token policies from each endpoint's effective security policy so reused configured policy IDs are disambiguated when they would otherwise describe different token policies.
@kevinherron kevinherron added this to the 1.1.5 milestone Jul 1, 2026
@kevinherron kevinherron merged commit 484ec11 into main Jul 1, 2026
6 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant