Add configurable transport security profiles and bind address

Adds Security section to appsettings.json with configurable OPC UA transport profiles (None, Basic256Sha256-Sign, Basic256Sha256-SignAndEncrypt), certificate policy settings, and a configurable BindAddress for the OPC UA endpoint. Defaults preserve backward compatibility. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 15:59:43 -04:00
parent bbd043e97b
commit 55173665b1
28 changed files with 1092 additions and 87 deletions
--- a/tools/opcuacli-dotnet/OpcUaHelper.cs
+++ b/tools/opcuacli-dotnet/OpcUaHelper.cs
@@ -10,8 +10,12 @@ public static class OpcUaHelper
    /// Creates an OPC UA client session for the specified endpoint URL.
    /// </summary>
    /// <param name="endpointUrl">The OPC UA endpoint URL to connect to.</param>
+    /// <param name="username">Optional username for authentication.</param>
+    /// <param name="password">Optional password for authentication.</param>
+    /// <param name="security">The requested transport security mode: "none", "sign", or "encrypt".</param>
    /// <returns>An active OPC UA client session.</returns>
-    public static async Task<Session> ConnectAsync(string endpointUrl, string? username = null, string? password = null)
+    public static async Task<Session> ConnectAsync(string endpointUrl, string? username = null, string? password = null,
+        string security = "none")
    {
        var config = new ApplicationConfiguration
        {
@@ -49,7 +53,28 @@ public static class OpcUaHelper
        await config.Validate(ApplicationType.Client);
        config.CertificateValidator.CertificateValidation += (_, e) => e.Accept = true;

-        var endpoint = CoreClientUtils.SelectEndpoint(config, endpointUrl, false);
+        var requestedMode = ParseSecurityMode(security);
+
+        EndpointDescription endpoint;
+        if (requestedMode == MessageSecurityMode.None)
+        {
+            endpoint = CoreClientUtils.SelectEndpoint(config, endpointUrl, false);
+        }
+        else
+        {
+            // For secure connections, ensure the client has a certificate
+            var app = new ApplicationInstance
+            {
+                ApplicationName = "OpcUaCli",
+                ApplicationType = ApplicationType.Client,
+                ApplicationConfiguration = config
+            };
+            await app.CheckApplicationInstanceCertificatesAsync(false, 2048);
+
+            // Discover endpoints and pick the one matching the requested security mode
+            endpoint = SelectSecureEndpoint(config, endpointUrl, requestedMode);
+        }
+
        var endpointConfig = EndpointConfiguration.Create(config);
        var configuredEndpoint = new ConfiguredEndpoint(null, endpoint, endpointConfig);

@@ -70,6 +95,73 @@ public static class OpcUaHelper
 #pragma warning restore CS0618
    }

+    /// <summary>
+    /// Parses the security mode string from the CLI option.
+    /// </summary>
+    private static MessageSecurityMode ParseSecurityMode(string security)
+    {
+        return (security ?? "none").Trim().ToLowerInvariant() switch
+        {
+            "none" => MessageSecurityMode.None,
+            "sign" => MessageSecurityMode.Sign,
+            "encrypt" or "signandencrypt" => MessageSecurityMode.SignAndEncrypt,
+            _ => throw new ArgumentException(
+                $"Unknown security mode '{security}'. Valid values: none, sign, encrypt")
+        };
+    }
+
+    /// <summary>
+    /// Discovers server endpoints and selects one matching the requested security mode,
+    /// preferring Basic256Sha256 when multiple matches exist.
+    /// </summary>
+    private static EndpointDescription SelectSecureEndpoint(ApplicationConfiguration config,
+        string endpointUrl, MessageSecurityMode requestedMode)
+    {
+        // Use discovery to get all endpoints
+        using var client = DiscoveryClient.Create(new Uri(endpointUrl));
+        var allEndpoints = client.GetEndpoints(null);
+
+        EndpointDescription? best = null;
+
+        foreach (var ep in allEndpoints)
+        {
+            if (ep.SecurityMode != requestedMode)
+                continue;
+
+            if (best == null)
+            {
+                best = ep;
+                continue;
+            }
+
+            // Prefer Basic256Sha256
+            if (ep.SecurityPolicyUri == SecurityPolicies.Basic256Sha256)
+                best = ep;
+        }
+
+        if (best == null)
+        {
+            var available = string.Join(", ", allEndpoints.Select(e => $"{e.SecurityMode}/{e.SecurityPolicyUri}"));
+            throw new InvalidOperationException(
+                $"No endpoint found with security mode '{requestedMode}'. Available endpoints: {available}");
+        }
+
+        // Rewrite endpoint URL to use the user-supplied hostname instead of the server's
+        // internal address (e.g., 0.0.0.0 -> localhost) to handle NAT/hostname differences
+        var serverUri = new Uri(best.EndpointUrl);
+        var requestedUri = new Uri(endpointUrl);
+        if (serverUri.Host != requestedUri.Host)
+        {
+            var builder = new UriBuilder(best.EndpointUrl)
+            {
+                Host = requestedUri.Host
+            };
+            best.EndpointUrl = builder.ToString();
+        }
+
+        return best;
+    }
+
    /// <summary>
    /// Converts a raw command-line string into the runtime type expected by the target node.
    /// </summary>