dohertj2/lmxopcua
1
0
Fork 0
Code Issues Pull Requests 1 Actions Packages Projects Releases Wiki Activity

Add configurable transport security profiles and bind address

Browse Source 
Adds Security section to appsettings.json with configurable OPC UA
transport profiles (None, Basic256Sha256-Sign, Basic256Sha256-SignAndEncrypt),
certificate policy settings, and a configurable BindAddress for the
OPC UA endpoint. Defaults preserve backward compatibility.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Joseph Doherty
2026-03-27 15:59:43 -04:00
parent bbd043e97b
commit 55173665b1
28 changed files with 1092 additions and 87 deletions
Download Patch File Download Diff File Expand all files Collapse all files

5
tools/opcuacli-dotnet/Commands/AlarmsCommand.cs
View File

@@ -21,6 +21,9 @@ public class AlarmsCommand : ICommand
[CommandOption("password", 'P', Description = "Password for authentication")]
public string? Password { get; init; }
[CommandOption("security", 'S', Description = "Transport security: none, sign, encrypt (default: none)")]
public string Security { get; init; } = "none";
/// <summary>
/// Gets the node to subscribe to for event notifications, typically a source object or the server node.
/// </summary>
@@ -45,7 +48,7 @@ public class AlarmsCommand : ICommand
/// <param name="console">The CLI console used for cancellation and alarm-event output.</param>
public async ValueTask ExecuteAsync(IConsole console)
{
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password, Security);
var nodeId = string.IsNullOrEmpty(NodeId)
? ObjectIds.Server

5
tools/opcuacli-dotnet/Commands/BrowseCommand.cs
View File

@@ -21,6 +21,9 @@ public class BrowseCommand : ICommand
[CommandOption("password", 'P', Description = "Password for authentication")]
public string? Password { get; init; }
[CommandOption("security", 'S', Description = "Transport security: none, sign, encrypt (default: none)")]
public string Security { get; init; } = "none";
/// <summary>
/// Gets the optional node identifier to browse from; defaults to the OPC UA Objects folder.
/// </summary>
@@ -45,7 +48,7 @@ public class BrowseCommand : ICommand
/// <param name="console">The console used to emit browse output.</param>
public async ValueTask ExecuteAsync(IConsole console)
{
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password, Security);
var startNode = string.IsNullOrEmpty(NodeId)
? ObjectIds.ObjectsFolder

5
tools/opcuacli-dotnet/Commands/ConnectCommand.cs
View File

@@ -19,13 +19,16 @@ public class ConnectCommand : ICommand
[CommandOption("password", 'P', Description = "Password for authentication")]
public string? Password { get; init; }
[CommandOption("security", 'S', Description = "Transport security: none, sign, encrypt (default: none)")]
public string Security { get; init; } = "none";
/// <summary>
/// Connects to the OPC UA endpoint and prints the resolved server metadata.
/// </summary>
/// <param name="console">The console used to report connection results.</param>
public async ValueTask ExecuteAsync(IConsole console)
{
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password, Security);
await console.Output.WriteLineAsync($"Connected to: {session.Endpoint.EndpointUrl}");
await console.Output.WriteLineAsync($"Server: {session.Endpoint.Server!.ApplicationName}");
await console.Output.WriteLineAsync($"Security Mode: {session.Endpoint.SecurityMode}");

5
tools/opcuacli-dotnet/Commands/HistoryReadCommand.cs
View File

@@ -21,6 +21,9 @@ public class HistoryReadCommand : ICommand
[CommandOption("password", 'P', Description = "Password for authentication")]
public string? Password { get; init; }
[CommandOption("security", 'S', Description = "Transport security: none, sign, encrypt (default: none)")]
public string Security { get; init; } = "none";
/// <summary>
/// Gets the node identifier for the historized variable to query.
/// </summary>
@@ -63,7 +66,7 @@ public class HistoryReadCommand : ICommand
/// <param name="console">The CLI console used for output, errors, and cancellation handling.</param>
public async ValueTask ExecuteAsync(IConsole console)
{
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password, Security);
var nodeId = new NodeId(NodeId);
var start = string.IsNullOrEmpty(StartTime) ? DateTime.UtcNow.AddHours(-24) : DateTime.Parse(StartTime).ToUniversalTime();

5
tools/opcuacli-dotnet/Commands/ReadCommand.cs
View File

@@ -21,6 +21,9 @@ public class ReadCommand : ICommand
[CommandOption("password", 'P', Description = "Password for authentication")]
public string? Password { get; init; }
[CommandOption("security", 'S', Description = "Transport security: none, sign, encrypt (default: none)")]
public string Security { get; init; } = "none";
/// <summary>
/// Gets the node identifier whose value should be read.
/// </summary>
@@ -33,7 +36,7 @@ public class ReadCommand : ICommand
/// <param name="console">The console used to report the read result.</param>
public async ValueTask ExecuteAsync(IConsole console)
{
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password, Security);
var node = new NodeId(NodeId);
var value = await session.ReadValueAsync(node);

5
tools/opcuacli-dotnet/Commands/SubscribeCommand.cs
View File

@@ -21,6 +21,9 @@ public class SubscribeCommand : ICommand
[CommandOption("password", 'P', Description = "Password for authentication")]
public string? Password { get; init; }
[CommandOption("security", 'S', Description = "Transport security: none, sign, encrypt (default: none)")]
public string Security { get; init; } = "none";
/// <summary>
/// Gets the node identifier to monitor for value changes.
/// </summary>
@@ -39,7 +42,7 @@ public class SubscribeCommand : ICommand
/// <param name="console">The console used to display subscription updates.</param>
public async ValueTask ExecuteAsync(IConsole console)
{
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password, Security);
var subscription = new Subscription(session.DefaultSubscription)
{

5
tools/opcuacli-dotnet/Commands/WriteCommand.cs
View File

@@ -21,6 +21,9 @@ public class WriteCommand : ICommand
[CommandOption("password", 'P', Description = "Password for authentication")]
public string? Password { get; init; }
[CommandOption("security", 'S', Description = "Transport security: none, sign, encrypt (default: none)")]
public string Security { get; init; } = "none";
/// <summary>
/// Gets the node identifier that should receive the write.
/// </summary>
@@ -39,7 +42,7 @@ public class WriteCommand : ICommand
/// <param name="console">The console used to report the write result.</param>
public async ValueTask ExecuteAsync(IConsole console)
{
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password);
using var session = await OpcUaHelper.ConnectAsync(Url, Username, Password, Security);
var node = new NodeId(NodeId);
var current = await session.ReadValueAsync(node);

96
tools/opcuacli-dotnet/OpcUaHelper.cs
View File

@@ -10,8 +10,12 @@ public static class OpcUaHelper
/// Creates an OPC UA client session for the specified endpoint URL.
/// </summary>
/// <param name="endpointUrl">The OPC UA endpoint URL to connect to.</param>
/// <param name="username">Optional username for authentication.</param>
/// <param name="password">Optional password for authentication.</param>
/// <param name="security">The requested transport security mode: "none", "sign", or "encrypt".</param>
/// <returns>An active OPC UA client session.</returns>
public static async Task<Session> ConnectAsync(string endpointUrl, string? username = null, string? password = null)
public static async Task<Session> ConnectAsync(string endpointUrl, string? username = null, string? password = null,
string security = "none")
{
var config = new ApplicationConfiguration
{
@@ -49,7 +53,28 @@ public static class OpcUaHelper
await config.Validate(ApplicationType.Client);
config.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;
var endpoint = CoreClientUtils.SelectEndpoint(config, endpointUrl, false);
var requestedMode = ParseSecurityMode(security);
EndpointDescription endpoint;
if (requestedMode == MessageSecurityMode.None)
{
endpoint = CoreClientUtils.SelectEndpoint(config, endpointUrl, false);
}
else
{
// For secure connections, ensure the client has a certificate
var app = new ApplicationInstance
{
ApplicationName = "OpcUaCli",
ApplicationType = ApplicationType.Client,
ApplicationConfiguration = config
};
await app.CheckApplicationInstanceCertificatesAsync(false, 2048);
// Discover endpoints and pick the one matching the requested security mode
endpoint = SelectSecureEndpoint(config, endpointUrl, requestedMode);
}
var endpointConfig = EndpointConfiguration.Create(config);
var configuredEndpoint = new ConfiguredEndpoint(null, endpoint, endpointConfig);
@@ -70,6 +95,73 @@ public static class OpcUaHelper
#pragma warning restore CS0618
}
/// <summary>
/// Parses the security mode string from the CLI option.
/// </summary>
private static MessageSecurityMode ParseSecurityMode(string security)
{
return (security ?? "none").Trim().ToLowerInvariant() switch
{
"none" => MessageSecurityMode.None,
"sign" => MessageSecurityMode.Sign,
"encrypt" or "signandencrypt" => MessageSecurityMode.SignAndEncrypt,
_ => throw new ArgumentException(
$"Unknown security mode '{security}'. Valid values: none, sign, encrypt")
};
}
/// <summary>
/// Discovers server endpoints and selects one matching the requested security mode,
/// preferring Basic256Sha256 when multiple matches exist.
/// </summary>
private static EndpointDescription SelectSecureEndpoint(ApplicationConfiguration config,
string endpointUrl, MessageSecurityMode requestedMode)
{
// Use discovery to get all endpoints
using var client = DiscoveryClient.Create(new Uri(endpointUrl));
var allEndpoints = client.GetEndpoints(null);
EndpointDescription? best = null;
foreach (var ep in allEndpoints)
{
if (ep.SecurityMode != requestedMode)
continue;
if (best == null)
{
best = ep;
continue;
}
// Prefer Basic256Sha256
if (ep.SecurityPolicyUri == SecurityPolicies.Basic256Sha256)
best = ep;
}
if (best == null)
{
var available = string.Join(", ", allEndpoints.Select(e => $"{e.SecurityMode}/{e.SecurityPolicyUri}"));
throw new InvalidOperationException(
$"No endpoint found with security mode '{requestedMode}'. Available endpoints: {available}");
}
// Rewrite endpoint URL to use the user-supplied hostname instead of the server's
// internal address (e.g., 0.0.0.0 -> localhost) to handle NAT/hostname differences
var serverUri = new Uri(best.EndpointUrl);
var requestedUri = new Uri(endpointUrl);
if (serverUri.Host != requestedUri.Host)
{
var builder = new UriBuilder(best.EndpointUrl)
{
Host = requestedUri.Host
};
best.EndpointUrl = builder.ToString();
}
return best;
}
/// <summary>
/// Converts a raw command-line string into the runtime type expected by the target node.
/// </summary>