Consolidate LDAP roles into OPC UA session roles with granular write permissions

Map LDAP groups to custom OPC UA role NodeIds on RoleBasedIdentity.GrantedRoleIds
during authentication, replacing the username-to-role side cache. Split ReadWrite
into WriteOperate/WriteTune/WriteConfigure so write access is gated per Galaxy
security classification. AnonymousCanWrite now behaves consistently regardless
of LDAP state.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

tests/ZB.MOM.WW.LmxOpcUa.Tests/Helpers/FakeAuthenticationProvider.cs

@@ -0,0 +1,36 @@
+using System;
+using System.Collections.Generic;
+using ZB.MOM.WW.LmxOpcUa.Host.Domain;
+
+namespace ZB.MOM.WW.LmxOpcUa.Tests.Helpers
+{
+    /// <summary>
+    /// Deterministic authentication provider for integration tests.
+    /// Validates credentials against hardcoded username/password pairs
+    /// and returns configured role sets per user.
+    /// </summary>
+    internal class FakeAuthenticationProvider : IUserAuthenticationProvider, IRoleProvider
+    {
+        private readonly Dictionary<string, string> _credentials =
+            new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase);
+        private readonly Dictionary<string, IReadOnlyList<string>> _roles =
+            new Dictionary<string, IReadOnlyList<string>>(StringComparer.OrdinalIgnoreCase);
+
+        public FakeAuthenticationProvider AddUser(string username, string password, params string[] roles)
+        {
+            _credentials[username] = password;
+            _roles[username] = roles;
+            return this;
+        }
+
+        public bool ValidateCredentials(string username, string password)
+        {
+            return _credentials.TryGetValue(username, out var expected) && expected == password;
+        }
+
+        public IReadOnlyList<string> GetUserRoles(string username)
+        {
+            return _roles.TryGetValue(username, out var roles) ? roles : new[] { AppRoles.ReadOnly };
+        }
+    }
+}