namespace ZB.MOM.WW.OtOpcUa.Server.Security;
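/// <summary>
/// Validates a (username, password) pair and returns the resolved OPC UA roles for the user.
/// The Server's <c>SessionManager_ImpersonateUser</c> hook delegates here so unit tests can
/// swap in a fake authenticator without a live LDAP.
/// </summary>
/// <remarks>
/// Security contract for implementers and callers:
/// <list type="bullet">
/// <item><description>
/// <c>password</c> arrives as a plaintext string. Implementations should not log it,
/// persist it, or copy it into <see cref="UserAuthResult.Error"/>.
/// </description></item>
/// <item><description>
/// Callers should treat any result whose <see cref="UserAuthResult.Success"/> is
/// <see langword="false"/> as unauthenticated and ignore <see cref="UserAuthResult.Roles"/>.
/// </description></item>
/// </list>
/// </remarks>
public interface IUserAuthenticator
{
    /// <summary>Checks the supplied credentials and resolves the user's roles.</summary>
    /// <param name="username">User name taken from the client's UserName identity token.</param>
    /// <param name="password">Plaintext password taken from the same token.</param>
    /// <param name="ct">Token that lets the caller abandon the check.</param>
    /// <returns>The authentication outcome, including the resolved roles.</returns>
    Task<UserAuthResult> AuthenticateAsync(string username, string password, CancellationToken ct = default);
}

/// <summary>Outcome of a single <see cref="IUserAuthenticator.AuthenticateAsync"/> call.</summary>
/// <param name="Success">Whether the credentials were accepted.</param>
/// <param name="DisplayName">Display name of the user, when one is available.</param>
/// <param name="Roles">Resolved OPC UA roles; the deny-all authenticator returns an empty list.</param>
/// <param name="Error">
/// Reason for a rejection. Whether this text is forwarded to the remote client is decided by the
/// caller, so it should not reveal whether the user name exists or which check failed.
/// </param>
// NOTE(review): the element type of Roles is taken to be string (role names); confirm against consumers.
public sealed record UserAuthResult(bool Success, string? DisplayName, IReadOnlyList<string> Roles, string? Error);

/// <summary>
/// Always-reject authenticator used when no security config is provided. Lets the server
/// start (with only an anonymous endpoint) without throwing on UserName token attempts.
/// </summary>
/// <remarks>
/// Fails closed: every call yields <c>Success = false</c> with no display name and no roles,
/// and the credentials are never inspected.
/// </remarks>
public sealed class DenyAllUserAuthenticator : IUserAuthenticator
{
    /// <summary>Rejects the attempt without looking at any argument.</summary>
    /// <returns>An already-completed task carrying the fixed rejection result.</returns>
    public Task<UserAuthResult> AuthenticateAsync(string _, string __, CancellationToken ___)
        => Task.FromResult(new UserAuthResult(false, null, [], "UserName token not supported"));
}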