Add authentication and role-based write access control

Implements configurable user authentication (anonymous + username/password) with pluggable credential provider (IUserAuthenticationProvider). Anonymous writes can be disabled via AnonymousCanWrite setting while reads remain open. Adds -U/-P flags to all CLI commands for authenticated sessions. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-27 02:14:37 -04:00
parent b27d355763
commit bbd043e97b
24 changed files with 499 additions and 34 deletions
--- a/tests/ZB.MOM.WW.LmxOpcUa.Tests/Authentication/UserAuthenticationTests.cs
+++ b/tests/ZB.MOM.WW.LmxOpcUa.Tests/Authentication/UserAuthenticationTests.cs
@@ -0,0 +1,74 @@
+using System.Collections.Generic;
+using Shouldly;
+using Xunit;
+using ZB.MOM.WW.LmxOpcUa.Host.Configuration;
+using ZB.MOM.WW.LmxOpcUa.Host.Domain;
+
+namespace ZB.MOM.WW.LmxOpcUa.Tests.Authentication
+{
+    public class UserAuthenticationTests
+    {
+        [Fact]
+        public void ValidCredentials_ReturnsTrue()
+        {
+            var provider = new ConfigUserAuthenticationProvider(new List<UserCredential>
+            {
+                new UserCredential { Username = "operator", Password = "op123" }
+            });
+
+            provider.ValidateCredentials("operator", "op123").ShouldBeTrue();
+        }
+
+        [Fact]
+        public void WrongPassword_ReturnsFalse()
+        {
+            var provider = new ConfigUserAuthenticationProvider(new List<UserCredential>
+            {
+                new UserCredential { Username = "operator", Password = "op123" }
+            });
+
+            provider.ValidateCredentials("operator", "wrong").ShouldBeFalse();
+        }
+
+        [Fact]
+        public void UnknownUsername_ReturnsFalse()
+        {
+            var provider = new ConfigUserAuthenticationProvider(new List<UserCredential>
+            {
+                new UserCredential { Username = "operator", Password = "op123" }
+            });
+
+            provider.ValidateCredentials("unknown", "op123").ShouldBeFalse();
+        }
+
+        [Fact]
+        public void Username_IsCaseInsensitive()
+        {
+            var provider = new ConfigUserAuthenticationProvider(new List<UserCredential>
+            {
+                new UserCredential { Username = "Operator", Password = "op123" }
+            });
+
+            provider.ValidateCredentials("operator", "op123").ShouldBeTrue();
+            provider.ValidateCredentials("OPERATOR", "op123").ShouldBeTrue();
+        }
+
+        [Fact]
+        public void EmptyUserList_RejectsAll()
+        {
+            var provider = new ConfigUserAuthenticationProvider(new List<UserCredential>());
+
+            provider.ValidateCredentials("anyone", "anything").ShouldBeFalse();
+        }
+
+        [Fact]
+        public void AuthenticationConfiguration_Defaults()
+        {
+            var config = new AuthenticationConfiguration();
+
+            config.AllowAnonymous.ShouldBeTrue();
+            config.AnonymousCanWrite.ShouldBeTrue();
+            config.Users.ShouldBeEmpty();
+        }
+    }
+}