Add configurable transport security profiles and bind address

Adds Security section to appsettings.json with configurable OPC UA transport profiles (None, Basic256Sha256-Sign, Basic256Sha256-SignAndEncrypt), certificate policy settings, and a configurable BindAddress for the OPC UA endpoint. Defaults preserve backward compatibility. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 15:59:43 -04:00
parent bbd043e97b
commit 55173665b1
28 changed files with 1092 additions and 87 deletions
--- a/tests/ZB.MOM.WW.LmxOpcUa.Tests/Security/SecurityProfileResolverTests.cs
+++ b/tests/ZB.MOM.WW.LmxOpcUa.Tests/Security/SecurityProfileResolverTests.cs
@@ -0,0 +1,137 @@
+using System.Collections.Generic;
+using System.Linq;
+using Opc.Ua;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.LmxOpcUa.Host.OpcUa;
+
+namespace ZB.MOM.WW.LmxOpcUa.Tests.Security
+{
+    public class SecurityProfileResolverTests
+    {
+        [Fact]
+        public void Resolve_DefaultNone_ReturnsSingleNonePolicy()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string> { "None" });
+
+            result.Count.ShouldBe(1);
+            result[0].SecurityMode.ShouldBe(MessageSecurityMode.None);
+            result[0].SecurityPolicyUri.ShouldBe(SecurityPolicies.None);
+        }
+
+        [Fact]
+        public void Resolve_SignProfile_ReturnsBasic256Sha256Sign()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string> { "Basic256Sha256-Sign" });
+
+            result.Count.ShouldBe(1);
+            result[0].SecurityMode.ShouldBe(MessageSecurityMode.Sign);
+            result[0].SecurityPolicyUri.ShouldBe(SecurityPolicies.Basic256Sha256);
+        }
+
+        [Fact]
+        public void Resolve_SignAndEncryptProfile_ReturnsBasic256Sha256SignAndEncrypt()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string> { "Basic256Sha256-SignAndEncrypt" });
+
+            result.Count.ShouldBe(1);
+            result[0].SecurityMode.ShouldBe(MessageSecurityMode.SignAndEncrypt);
+            result[0].SecurityPolicyUri.ShouldBe(SecurityPolicies.Basic256Sha256);
+        }
+
+        [Fact]
+        public void Resolve_MultipleProfiles_ReturnsExpectedPolicies()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string>
+            {
+                "None", "Basic256Sha256-Sign", "Basic256Sha256-SignAndEncrypt"
+            });
+
+            result.Count.ShouldBe(3);
+            result.ShouldContain(p => p.SecurityMode == MessageSecurityMode.None);
+            result.ShouldContain(p => p.SecurityMode == MessageSecurityMode.Sign);
+            result.ShouldContain(p => p.SecurityMode == MessageSecurityMode.SignAndEncrypt);
+        }
+
+        [Fact]
+        public void Resolve_DuplicateProfiles_Deduplicated()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string>
+            {
+                "None", "None", "Basic256Sha256-Sign", "Basic256Sha256-Sign"
+            });
+
+            result.Count.ShouldBe(2);
+        }
+
+        [Fact]
+        public void Resolve_UnknownProfile_SkippedWithWarning()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string>
+            {
+                "None", "SomeUnknownProfile"
+            });
+
+            result.Count.ShouldBe(1);
+            result[0].SecurityMode.ShouldBe(MessageSecurityMode.None);
+        }
+
+        [Fact]
+        public void Resolve_EmptyList_FallsBackToNone()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string>());
+
+            result.Count.ShouldBe(1);
+            result[0].SecurityMode.ShouldBe(MessageSecurityMode.None);
+            result[0].SecurityPolicyUri.ShouldBe(SecurityPolicies.None);
+        }
+
+        [Fact]
+        public void Resolve_NullList_FallsBackToNone()
+        {
+            var result = SecurityProfileResolver.Resolve(null!);
+
+            result.Count.ShouldBe(1);
+            result[0].SecurityMode.ShouldBe(MessageSecurityMode.None);
+        }
+
+        [Fact]
+        public void Resolve_AllUnknownProfiles_FallsBackToNone()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string> { "Bogus", "AlsoBogus" });
+
+            result.Count.ShouldBe(1);
+            result[0].SecurityMode.ShouldBe(MessageSecurityMode.None);
+        }
+
+        [Fact]
+        public void Resolve_CaseInsensitive()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string> { "none", "BASIC256SHA256-SIGN" });
+
+            result.Count.ShouldBe(2);
+            result.ShouldContain(p => p.SecurityMode == MessageSecurityMode.None);
+            result.ShouldContain(p => p.SecurityMode == MessageSecurityMode.Sign);
+        }
+
+        [Fact]
+        public void Resolve_WhitespaceEntries_Skipped()
+        {
+            var result = SecurityProfileResolver.Resolve(new List<string> { "", "  ", "None" });
+
+            result.Count.ShouldBe(1);
+            result[0].SecurityMode.ShouldBe(MessageSecurityMode.None);
+        }
+
+        [Fact]
+        public void ValidProfileNames_ContainsExpectedEntries()
+        {
+            var names = SecurityProfileResolver.ValidProfileNames;
+
+            names.ShouldContain("None");
+            names.ShouldContain("Basic256Sha256-Sign");
+            names.ShouldContain("Basic256Sha256-SignAndEncrypt");
+            names.Count.ShouldBe(3);
+        }
+    }
+}