| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 22:45:06 +0100 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-18 22:45:06 +0100 |
| commit | 74f18c6264618187386a5dc8b1152faa8727bf53 (patch) | |
| tree | f3e233f6d79f6f0b8a9758aefb91ff3731793dee | |
| parent | 5f5e172cd2392952162398c85b07e6f6b7e69398 (diff) | |
Extract configureAccessControl() into common
The access-control switch block was duplicated in server_lds.c and
server_register.c. Move it to a shared helper in common.c with a
Doxygen block that consolidates the rationale from both call sites.
| -rw-r--r-- | src/common.c | 25 | ||||
| -rw-r--r-- | src/common.h | 17 | ||||
| -rw-r--r-- | src/server_lds.c | 23 | ||||
| -rw-r--r-- | src/server_register.c | 26 |
4 files changed, 44 insertions, 47 deletions
diff --git a/src/common.c b/src/common.c
index cf364bb..9401392 100644
--- a/src/common.c
+++ b/src/common.c
@@ -6,6 +6,7 @@
 #include "common.h"
 #include <open62541/client_config_default.h>
+#include <open62541/plugin/accesscontrol_default.h>
 #include <open62541/plugin/log_stdout.h>
 #include <open62541/server_config_default.h>
@@ -305,6 +306,30 @@ resolveSecurityPolicyUri (const char *shortName)
 }
 /* ========================================================================
+ * Access Control
+ * ======================================================================== */
+
+UA_StatusCode
+configureAccessControl (UA_ServerConfig *config, const AuthConfig *auth)
+{
+ switch (auth->mode)
+ {
+ case AUTH_ANONYMOUS:
+ return UA_AccessControl_default (config, true, NULL, 0, NULL);
+ case AUTH_USER:
+ {
+ UA_UsernamePasswordLogin logins[1];
+ logins[0].username = UA_STRING ((char *)auth->user.username);
+ logins[0].password = UA_STRING ((char *)auth->user.password);
+ return UA_AccessControl_default (config, false, NULL, 1, logins);
+ }
+ case AUTH_CERT:
+ return UA_AccessControl_default (config, false, NULL, 0, NULL);
+ }
+ return UA_STATUSCODE_BADINTERNALERROR;
+}
+
+/* ========================================================================
 * Output Formatting
 * ======================================================================== */
diff --git a/src/common.h b/src/common.h
index b8643d7..63fa683 100644
--- a/src/common.h
+++ b/src/common.h
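Review bot: In the `AUTH_USER` case of `configureAccessControl`, `auth->user.username` and `auth->user.password` are registered as the single accepted login with no check that they are set. `UA_STRING` turns a NULL pointer into an empty string, so an unset password would, as far as this hunk shows, become a login with an empty password rather than a configuration error. AuthConfig's definition and its parser are not in the diff, so this may already be validated upstream; if it is not, a guard such as `if (!auth->user.password || auth->user.password[0] == '\0') return UA_STATUSCODE_BADINVALIDARGUMENT;` before building `logins` fails closed. The NULL third argument also leaves the user-token security policy to the library default, so it is worth confirming that password tokens are not accepted over an unencrypted channel.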
@@ -247,6 +247,23 @@ UA_StatusCode createSecureClientConfig (UA_ClientConfig *cc,
 const SecurityConfig *sec,
 const AuthConfig *auth);
+/**
+ * @brief Configures server access control from an AuthConfig.
+ *
+ * UA_ServerConfig_setDefaultWithSecureSecurityPolicies installs
+ * certificate-only authentication by default. This function
+ * overrides that with the desired policy: anonymous, username/password,
+ * or X509 certificate. For AUTH_CERT the sessionPKI verifier set by
+ * createServer is preserved, so UA_AccessControl_default automatically
+ * advertises the X509 certificate token policy.
+ *
+ * @param config Server configuration to modify.
+ * @param auth Authentication configuration.
+ * @return UA_STATUSCODE_GOOD on success, error code otherwise.
+ */
+UA_StatusCode configureAccessControl (UA_ServerConfig *config,
+ const AuthConfig *auth);
+
 /* ========================================================================
 * Output Formatting
 * ======================================================================== */
diff --git a/src/server_lds.c b/src/server_lds.c
index 311be4b..8d34acc 100644
--- a/src/server_lds.c
+++ b/src/server_lds.c
@@ -13,7 +13,6 @@
 #include "common.h"
 #include "config.h"
-#include <open62541/plugin/accesscontrol_default.h>
 #include <open62541/plugin/log_stdout.h>
 #include <open62541/server.h>
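Review bot: The Doxygen block for `configureAccessControl` does not state the security consequence of each mode or the preconditions on `auth`. I would add that `AUTH_ANONYMOUS` replaces the certificate-only default with unauthenticated sessions, and that `auth` must be non-NULL because the implementation in common.c dereferences it unconditionally. The return line could then read `@return UA_STATUSCODE_GOOD on success, UA_STATUSCODE_BADINTERNALERROR for an unrecognised auth->mode, otherwise the status from UA_AccessControl_default.`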
@@ -111,27 +110,7 @@ main (int argc, char *argv[])
 Downgrade to a warning so third-party servers can still register. */
 serverConfig->verifyRequestTimestamp = UA_RULEHANDLING_WARN;
- /* Configure access control. UA_ServerConfig_setDefaultWithSecure-
- SecurityPolicies sets certificate-only auth by default, so we must
- always call UA_AccessControl_default to get the desired policy. */
- switch (auth.mode)
- {
- case AUTH_ANONYMOUS:
- retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL);
- break;
- case AUTH_USER:
- {
- UA_UsernamePasswordLogin logins[1];
- logins[0].username = UA_STRING ((char *)auth.user.username);
- logins[0].password = UA_STRING ((char *)auth.user.password);
- retval
- = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
- break;
- }
- case AUTH_CERT:
- retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL);
- break;
- }
+ retval = configureAccessControl (serverConfig, &auth);
 if (retval != UA_STATUSCODE_GOOD)
 {
 UA_Server_delete (server);
diff --git a/src/server_register.c b/src/server_register.c
index 8a64d08..1514c92 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -13,7 +13,6 @@
 #include <open62541/client.h>
 #include <open62541/client_config_default.h>
-#include <open62541/plugin/accesscontrol_default.h>
 #include <open62541/plugin/log_stdout.h>
 #include <open62541/server.h>
@@ -158,30 +157,7 @@ main (int argc, char **argv)
 UA_ServerConfig *serverConfig = UA_Server_getConfig (server);
 serverConfig->logging->context = (void *)(uintptr_t)logLevel;
- /* Configure access control. UA_ServerConfig_setDefaultWithSecure-
- SecurityPolicies sets certificate-only auth by default, so we must
- always call UA_AccessControl_default to get the desired policy. */
- switch (serverAuth.mode)
- {
- case AUTH_ANONYMOUS:
- retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL);
- break;
- case AUTH_USER:
- {
- UA_UsernamePasswordLogin logins[1];
- logins[0].username = UA_STRING ((char *)serverAuth.user.username);
- logins[0].password = UA_STRING ((char *)serverAuth.user.password);
- retval
- = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
- break;
- }
- case AUTH_CERT:
- /* cert auth — sessionPKI.verifyCertificate is set by createServer
- via setDefaultWithSecureSecurityPolicies, so UA_AccessControl_default
- will automatically advertise the X509 certificate token policy. */
- retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL);
- break;
- }
+ retval = configureAccessControl (serverConfig, &serverAuth);
 if (retval != UA_STATUSCODE_GOOD)
 goto cleanup; |
