feat(opcua,host): F13c LDAP-bound UserName validator

Adds IOpcUaUserAuthenticator seam in OpcUaServer.Security with a deny-all NullOpcUaUserAuthenticator default. OpcUaApplicationHost subscribes to SessionManager.ImpersonateUser after _application.Start so UserName tokens flow through the authenticator and either attach a UserIdentity to the session (Allow) or set IdentityValidationError = BadIdentityTokenRejected (Deny / authenticator exception). Anonymous + X509 tokens fall through to SDK defaults. LdapOpcUaUserAuthenticator (Host project) bridges to the same ILdapAuthService that AddOtOpcUaAuth uses for Admin cookies / JWT, so a single LDAP source-of-truth governs both Admin control plane and OPC UA data plane. Program.cs registers LdapOptions + LdapAuthService + IOpcUaUserAuthenticator on driver-role hosts; admin-only nodes are unchanged. OtOpcUaServerHostedService threads the resolved authenticator into OpcUaApplicationHost so the seam respects Host DI. 10 new tests: 6 in OpcUaServer.Tests cover the pure HandleImpersonation static method (success / denial / anonymous fallthrough / authenticator- throw / null-username / Null authenticator); 4 in Host.IntegrationTests cover the LdapOpcUaUserAuthenticator adapter (LDAP allow → Allow with roles, LDAP deny → Deny, exception → backend-error denial, display-name fallback). OpcUaServer suite is 40 / 40 green. Closes #104. Unblocks Task 60 (dual-endpoint + ServiceLevel tests) once #81 residual lands.
2026-05-26 10:21:37 -04:00
parent 8b08566f41
commit 21eac21409
7 changed files with 399 additions and 2 deletions
@@ -3,6 +3,7 @@ using Microsoft.Extensions.Hosting;
 using Microsoft.Extensions.Logging;
 using ZB.MOM.WW.OtOpcUa.Commons.OpcUa;
 using ZB.MOM.WW.OtOpcUa.OpcUaServer;
+using ZB.MOM.WW.OtOpcUa.OpcUaServer.Security;

 namespace ZB.MOM.WW.OtOpcUa.Host.OpcUa;

@@ -21,6 +22,7 @@ public sealed class OtOpcUaServerHostedService : IHostedService, IAsyncDisposabl
 {
    private readonly IConfiguration _configuration;
    private readonly DeferredAddressSpaceSink _deferredSink;
+    private readonly IOpcUaUserAuthenticator _userAuthenticator;
    private readonly ILoggerFactory _loggerFactory;
    private readonly ILogger<OtOpcUaServerHostedService> _logger;

@@ -30,10 +32,12 @@ public sealed class OtOpcUaServerHostedService : IHostedService, IAsyncDisposabl
    public OtOpcUaServerHostedService(
        IConfiguration configuration,
        DeferredAddressSpaceSink deferredSink,
+        IOpcUaUserAuthenticator userAuthenticator,
        ILoggerFactory loggerFactory)
    {
        _configuration = configuration;
        _deferredSink = deferredSink;
+        _userAuthenticator = userAuthenticator;
        _loggerFactory = loggerFactory;
        _logger = loggerFactory.CreateLogger<OtOpcUaServerHostedService>();
    }
@@ -44,7 +48,10 @@ public sealed class OtOpcUaServerHostedService : IHostedService, IAsyncDisposabl
        _configuration.GetSection("OpcUa").Bind(options);

        _server = new OtOpcUaSdkServer();
-        _appHost = new OpcUaApplicationHost(options, _loggerFactory.CreateLogger<OpcUaApplicationHost>());
+        _appHost = new OpcUaApplicationHost(
+            options,
+            _loggerFactory.CreateLogger<OpcUaApplicationHost>(),
+            _userAuthenticator);

        try
        {