[Server] Fix generation of UserTokenPolicyIDs

[raserle]

Proposed changes

Change generation of UserTokenPolicyId's
Add IEquatable to UserTokenPolicy.cs

Related Issues

• Fixes Incorrect UserTokenPolicyId generation on servers listening on multiple IP addresses #3522

Types of changes

• Bugfix (non-breaking change which fixes an issue)
• Enhancement (non-breaking change which adds functionality)
• Test enhancement (non-breaking change to increase test coverage)
• Breaking change (fix or feature that would cause existing functionality to not work as expected, requires version increase of Nuget packages)
• Documentation Update (if none of the other choices apply)

Checklist

Put an x in the boxes that apply. You can also fill these out after creating the PR. If you're unsure about any of them, don't hesitate to ask. We're here to help! This is simply a reminder of what we are going to look for before merging your code.

• I have read the CONTRIBUTING doc.
• I have signed the CLA.
• I ran tests locally with my changes, all passed.
• I fixed all failing tests in the CI pipelines.
• I fixed all introduced issues with CodeQL and LGTM.
• I have added tests that prove my fix is effective or that my feature works and increased code coverage.
• I have added necessary documentation (if appropriate).
• Any dependent changes have been merged and published in downstream modules.

[CLAassistant]

Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you all sign our Contributor License Agreement before we can accept your contribution.
1 out of 2 committers have signed the CLA.

✅ romanett
❌ raserle
_{You have signed the CLA already but the status is still pending? Let us recheck it.}

[codecov]

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 59.98%. Comparing base (d25caff) to head (9ab4404).
⚠️ Report is 111 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master    #3525      +/-   ##
==========================================
+ Coverage   51.86%   59.98%   +8.11%     
==========================================
  Files         370      378       +8     
  Lines       78618    78978     +360     
  Branches    13650    13812     +162     
==========================================
+ Hits        40779    47376    +6597     
+ Misses      33705    27180    -6525     
- Partials     4134     4422     +288     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[Copilot]

Pull request overview

This pull request addresses issue #3522, which involves incorrect UserTokenPolicyId generation when an OPC UA server listens on multiple IP addresses. The fix changes the ID generation strategy from using a simple global counter to using semantic equality-based deduplication of UserTokenPolicy objects.

Changes:

• Adds IEquatable<UserTokenPolicy> implementation to enable semantic equality comparison based on TokenType, SecurityPolicyUri, IssuedTokenType, and IssuerEndpointUrl (intentionally excluding PolicyId)
• Modifies ServerBase.GetUserTokenPolicies to maintain a server-wide collection of unique policies and reuse existing PolicyIds for semantically equivalent policies
• Ensures PolicyIds remain consistent regardless of the order in which endpoints are processed

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 7 comments.

File	Description
Stack/Opc.Ua.Core/Stack/Types/UserTokenPolicy.cs	Implements IEquatable with Equals, GetHashCode, and operator overloads to enable semantic equality comparison
Stack/Opc.Ua.Core/Stack/Server/ServerBase.cs	Adds UserTokenPolicys collection for deduplicating policies and modifies GetUserTokenPolicies to assign consistent PolicyIds based on semantic equality

[Copilot]

The new Equals, GetHashCode, and operator overloads added to UserTokenPolicy lack test coverage. Given that this implementation is critical for the bug fix (ensuring correct PolicyId generation), tests should be added to verify:

1. Equality comparison works correctly for policies with the same semantic properties (TokenType, SecurityPolicyUri, IssuedTokenType, IssuerEndpointUrl) but different PolicyIds
2. Hash codes are consistent for equal objects
3. Operator overloads (== and !=) work as expected
4. Edge cases like null values for optional string properties

[marcschier]

@copilot open a new pull request to apply changes based on this feedback

[Copilot]

The modified logic in GetUserTokenPolicies that uses the UserTokenPolicys collection to deduplicate policies based on semantic equality should have test coverage. Tests should verify:

1. That policies with the same semantic properties receive the same PolicyId
2. That PolicyIds are stable across multiple calls to GetUserTokenPolicies with different endpoint descriptions
3. That the SecurityPolicyUri modifications (lines 906, 911) are handled correctly
4. That the fix resolves the original issue where servers with multiple IP addresses had inconsistent PolicyIds

[marcschier]

@copilot open a new pull request to apply changes based on this feedback

[Copilot]

The UserTokenPolicys collection uses IList<UserTokenPolicy> which is not thread-safe. While GetUserTokenPolicies is likely only called during server initialization, there's no explicit documentation or synchronization to prevent concurrent calls. The code uses FirstOrDefault (read), Count (read), and Add (write) operations on lines 915, 920-921 which could result in race conditions if called concurrently.

Consider either:

1. Documenting that this method should only be called during initialization, or
2. Adding proper synchronization (e.g., using a concurrent collection or locking) if concurrent access is possible.

[Copilot]

Class 'UserTokenPolicy' implements 'ICloneable'.

[romanett]

@raserle Thank you very much for your fix, with this proper Ids are generated and the ctt can properly run tests requiring user auth. Also GetEndpoints returns the same Ids for same UserTokenPolicies

[raserle]

The changes have already been approved by another reviewer, but it seems that the license agreement is still not being recognized.
I’m not sure if any additional action is required from my side, or if this will resolve automatically.
Could you please let me know how to proceed?

[romanett]

@raserle you need to register the Email configured in your local git as commit Email in your GitHub Account. Then the license cla will work

[romanett]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).

[raserle]

I can only approve and accept the CLA using my GitHub account raserle, which is associated with the verified email address.
I confirm that I am the author of the changes in this pull request and that I agree to the license terms.

[romanett]

@raserle some Tests in the Opc.Ua.Core.Stack.Server area are now failing (e.g. TranslateEndpointDescriptionsTest), can you check it out?

[romanett]

@raserle I provided a fix, so we can get this into the next update

[romanett]

/azp run

[azure-pipelines]

Azure Pipelines successfully started running 1 pipeline(s).