OPC UA + gateway hardening (security, reconnect replay, multi-alarm, secure profile)#485
Draft
mfaferek93 wants to merge 5 commits into
…klist Add gateway_params.secure.yaml turning on the existing JWT auth, TLS, restricted CORS and rate limiting for appliance / plant-network deployments, plus design/hardening.rst (checklist + credential/cert provisioning). The appliance image ships the preset; the demo params now point to it.
Extend OpcuaClientConfig + connect() with SecurityPolicy, MessageSecurityMode, a client application-instance certificate, a server trust store with reject-untrusted, and user identity (anonymous / username-password / X.509). Compile in the OpenSSL encryption backend. Anonymous + None stay the default.
Replay already-active conditions on (re)subscribe with a configurable strategy (ConditionRefresh, read-based fallback that browses sources and reconciles the fault set, auto, off) so servers rejecting ConditionRefresh still recover their alarms. Route one source's events to distinct faults by condition identity (ConditionName / SourceNode / EventType) and enrich descriptions with the event Message plus configured associated values (SD_n). Allow event-alarm-only maps.
Fail closed when auth/TLS is enabled but its config is invalid (throw instead of serving unauthenticated/plaintext). Warn loudly when OPC-UA credentials would cross an unencrypted channel. Stop the read-based replay from false-clearing active faults on a failed/disconnected scan, and keep conditions whose ActiveState read fails transiently. Refs #477 #478 #479 #480
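The fail-closed and fail-loud behaviour these commits describe, as an added example that is not the plugin's or gateway's own code: `OpcuaSecurityConfig`, the `parse*` helpers, `validationError` and `applyOrThrow` are hypothetical names standing in for the project's parsing, and the accepted setting strings and path fields are assumptions.

```cpp
#include <optional>
#include <stdexcept>
#include <string>

// Hypothetical model of the settings named in the PR (not the plugin's real
// types); Anonymous + None remain the default profile.
enum class SecurityMode { None, Sign, SignAndEncrypt };
enum class UserAuth { Anonymous, UsernamePassword, Certificate };
struct OpcuaSecurityConfig {
    SecurityMode mode = SecurityMode::None;
    UserAuth auth = UserAuth::Anonymous;
    std::string client_cert, client_key, trust_dir;  // assumed path fields
    std::string username, password;
};
// Strict parsing: an unknown string yields nullopt rather than the insecure
// default, so a typo in the YAML cannot silently downgrade the connection.
std::optional<SecurityMode> parseSecurityMode(const std::string& s) {
    if (s == "None") return SecurityMode::None;
    if (s == "Sign") return SecurityMode::Sign;
    if (s == "SignAndEncrypt") return SecurityMode::SignAndEncrypt;
    return std::nullopt;
}
std::optional<UserAuth> parseUserAuth(const std::string& s) {
    if (s == "anonymous") return UserAuth::Anonymous;
    if (s == "username") return UserAuth::UsernamePassword;
    if (s == "certificate") return UserAuth::Certificate;
    return std::nullopt;
}
// Empty when the profile can be honored, otherwise why startup must refuse.
std::string validationError(const OpcuaSecurityConfig& c) {
    if (c.mode != SecurityMode::None &&
        (c.client_cert.empty() || c.client_key.empty() || c.trust_dir.empty()))
        return "secure mode needs client cert, key and server trust store";
    if (c.auth == UserAuth::UsernamePassword && (c.username.empty() || c.password.empty()))
        return "username-password auth selected but credentials missing";
    return "";
}
// Accepted, but logged loudly: a credential on a merely signed or unsecured channel is readable on the wire.
bool credentialsCrossUnencryptedChannel(const OpcuaSecurityConfig& c) {
    return c.auth != UserAuth::Anonymous && c.mode != SecurityMode::SignAndEncrypt;
}
// Fail closed: any parse or validation problem throws instead of connecting with a weaker profile.
void applyOrThrow(OpcuaSecurityConfig& cfg, const std::string& mode, const std::string& auth) {
    auto m = parseSecurityMode(mode);
    auto a = parseUserAuth(auth);
    if (!m) throw std::invalid_argument("unknown security_mode: " + mode);
    if (!a) throw std::invalid_argument("unknown user_auth: " + auth);
    cfg.mode = *m; cfg.auth = *a;
    if (std::string err = validationError(cfg); !err.empty()) throw std::runtime_error(err);
}
```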
Pull request overview
This PR hardens both the southbound OPC UA plugin and the northbound gateway by adding OPC UA SecureChannel/user-auth configuration, improving alarm handling across reconnects (including read-based replay), supporting multi-alarm routing per condition identity, and shipping an opt-in “secure field profile” for gateway deployments that fails closed on invalid auth/TLS config.
Changes:
- Add OPC UA client security configuration (SecurityPolicy/MessageSecurityMode, certs/trust store, user identity) plus logging of the effective security profile.
- Implement active-condition replay on (re)subscribe with a configurable strategy and read-based fallback, including reconciliation logic to avoid false clears on scan failures.
- Add a secure gateway parameter preset + hardening documentation, and make gateway startup fail closed when TLS/auth is enabled but misconfigured.
Reviewed changes
Copilot reviewed 19 out of 19 changed files in this pull request and generated 6 comments.
| File | Description |
|---|---|
| src/ros2_medkit_plugins/ros2_medkit_opcua/test/test_opcua_plugin.cpp | Adds unit tests for replay-strategy parsing and reconcile false-clear guard. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/test/test_opcua_client.cpp | Adds unit tests for disconnected read-replay behavior and security parsing helpers. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/test/test_node_map.cpp | Adds unit tests for multi-alarm mapping resolution and associated-values parsing. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/src/opcua_poller.cpp | Adds per-source event select specs, multi-alarm routing, and reconnect replay (ConditionRefresh + read fallback) with reconcile logic. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/src/opcua_plugin.cpp | Parses new security + replay settings; logs effective security profile; uses resolved severity override from deliveries. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/src/opcua_client.cpp | Implements security config application (certs/trust, user identity) and read-based condition scanning. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/src/node_map.cpp | Makes nodes: optional, adds multi-alarm mappings + associated values, expands collision checks and lookup behavior. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/README.md | Documents multi-alarm mappings, associated values, security config, and replay strategies. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/include/ros2_medkit_opcua/opcua_poller.hpp | Declares replay strategy, reconcile helpers, and expanded delivery/runtime metadata. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/include/ros2_medkit_opcua/opcua_plugin.hpp | Declares security-profile logging helper. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/include/ros2_medkit_opcua/opcua_client.hpp | Adds security enums/config fields and read-based condition snapshot API. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/include/ros2_medkit_opcua/node_map.hpp | Adds mapping/associated-value config types and alarm resolution API. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/docker/gateway_params.yaml | Clarifies demo config is insecure and points to secure profile for deployments. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/docker/Dockerfile.gateway | Ships the gateway secure params profile into the container image. |
| src/ros2_medkit_plugins/ros2_medkit_opcua/CMakeLists.txt | Forces open62541 encryption backend (OpenSSL) to support secured OPC UA profiles. |
| src/ros2_medkit_gateway/test/test_gateway_node.cpp | Adds tests asserting fail-closed behavior for invalid auth/TLS when enabled. |
| src/ros2_medkit_gateway/src/gateway_node.cpp | Changes TLS/auth builder failures to fatal + throw (fail closed) instead of silently disabling. |
| src/ros2_medkit_gateway/design/hardening.rst | Adds gateway hardening guide describing the secure field profile and deployment checklist. |
| src/ros2_medkit_gateway/config/gateway_params.secure.yaml | Adds hardened parameter preset enabling auth/TLS/restricted CORS/rate limiting/locking. |
Fail loud on unrecognized OPC-UA security_policy/security_mode/user_auth instead of silently defaulting to an insecure profile. Keep read-replay observed-but-unmapped conditions in the seen set so reconcile does not clear them, and reject a non-sequence nodes: section in the node map. Drop unused locals in EXPECT_THROW, fix the hardening table syntax and bulk_data.max_upload_size name, and add hardening to the design toctree. Refs #477 #478 #479 #480
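The reconcile guards described in this commit and in the earlier false-clear fix, as an added example that is not the plugin's code: `ConditionRead`, `ScanResult`, `reconcile` and the condition identities A to E are hypothetical, and for simplicity the fault set is keyed by the same condition identity string the scan reports.

```cpp
#include <set>
#include <string>
#include <vector>

// Hypothetical model of one ActiveState read from the read-based replay scan.
struct ConditionRead {
    std::string condition_id;  // identity (ConditionName / SourceNode) as a string
    bool read_ok;              // false: transient read failure, value unknown
    bool active;               // only meaningful when read_ok
};
struct ScanResult {
    bool connected;            // false: scan failed or the session dropped mid-scan
    std::vector<ConditionRead> conditions;
};
struct ReconcileOutcome {
    std::set<std::string> raise;  // mapped conditions active now but not yet faults
    std::set<std::string> clear;  // faults no longer present in the seen set
};
// Reconcile the active fault set against a scan. Three guards prevent false clears:
// a disconnected/failed scan changes nothing; a condition whose ActiveState read
// failed stays in the seen set; an active condition with no alarm mapping also
// stays in the seen set (it is simply not raised).
ReconcileOutcome reconcile(const std::set<std::string>& active_faults,
                           const ScanResult& scan,
                           const std::set<std::string>& mapped) {
    ReconcileOutcome out;
    if (!scan.connected) return out;
    std::set<std::string> seen;
    for (const auto& c : scan.conditions) {
        if (!c.read_ok || c.active) seen.insert(c.condition_id);
        if (c.read_ok && c.active && mapped.count(c.condition_id) &&
            !active_faults.count(c.condition_id))
            out.raise.insert(c.condition_id);
    }
    for (const auto& f : active_faults)
        if (!seen.count(f)) out.clear.insert(f);
    return out;
}
// Constructed sample: faults A, B, C, D active before the scan; D has no mapping.
ReconcileOutcome sampleHealthyScan() {
    ScanResult scan{true, {{"A", true, true},    // still active: unchanged
                           {"B", false, false},  // read failed: kept
                           {"C", true, false},   // confirmed inactive: cleared
                           {"D", true, true},    // active but unmapped: kept, not cleared
                           {"E", true, true}}};  // newly active and mapped: raised
    return reconcile({"A", "B", "C", "D"}, scan, {"A", "B", "C", "E"});
}
ReconcileOutcome sampleDroppedScan() {
    return reconcile({"A", "B", "C", "D"}, ScanResult{false, {}}, {"A", "B", "C", "E"});
}
```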
bd919de to 4c49f68
Closes #477 #478 #479 #480
Tested: 196 unit tests pass. Real-PLC acceptance for the security/replay/alarm paths is pending hardware validation.