Make LDS security config optional, add nosec_anon test

ServerLDS and ServerRegister can now run without encryption when
certificate, privateKey, and trustStore are all omitted from the
server config file.  When any of the three is present, all three are
still required.  The unsecured server uses UA_ServerConfig_setMinimal
with SecurityPolicy#None only.

Add nosec_anon integration test covering the LDS unsecured path.

Update readme: use symlinks instead of copies for trust stores, note
that ServerLDS and ServerRegister support running without certs.

1 files changed, 59 insertions, 29 deletions

diff --git a/src/server_register.c b/src/server_register.c
index 6e1eb6d..cea7124 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -73,22 +73,36 @@ main (int argc, char **argv)
   int port = configRequireInt (&serverCfg, "port", "ServerRegister");
   const char *applicationUri
       = configRequire (&serverCfg, "applicationUri", "ServerRegister");
-  const char *serverCertPath
-      = configRequire (&serverCfg, "certificate", "ServerRegister");
-  const char *serverKeyPath
-      = configRequire (&serverCfg, "privateKey", "ServerRegister");
   int registerInterval
       = configRequireInt (&serverCfg, "registerInterval", "ServerRegister");
   const char *serverAuthMode
       = configRequire (&serverCfg, "authMode", "ServerRegister");
 
-  if (!applicationUri || !serverCertPath || !serverKeyPath || !serverAuthMode
-      || port < 0 || registerInterval < 0)
+  if (!applicationUri || !serverAuthMode || port < 0 || registerInterval < 0)
     {
       configFree (&serverCfg);
       return EXIT_FAILURE;
     }
 
+  /* Security configuration (optional).  When certificate, privateKey, and
+     trustStore are all omitted the server runs with SecurityPolicy#None
+     only.  When any of the three is present, all three are required. */
+  const char *serverCertPath = configGet (&serverCfg, "certificate");
+  const char *serverKeyPath = configGet (&serverCfg, "privateKey");
+  const char *serverTrustStore = configGet (&serverCfg, "trustStore");
+  UA_Boolean serverSecure = (serverCertPath != NULL || serverKeyPath != NULL
+                             || serverTrustStore != NULL);
+
+  if (serverSecure && (!serverCertPath || !serverKeyPath || !serverTrustStore))
+    {
+      UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                    "Incomplete server security config: certificate, "
+                    "privateKey, and trustStore must all be set, or all "
+                    "omitted");
+      configFree (&serverCfg);
+      return EXIT_FAILURE;
+    }
+
   /* Parse server-side auth mode (what clients connecting to this server
      need).  "anonymous" allows unauthenticated sessions; "user" requires
      a username/password pair. */
@@ -122,18 +136,11 @@ main (int argc, char **argv)
       return EXIT_FAILURE;
     }
 
-  const char *serverTrustStore
-      = configRequire (&serverCfg, "trustStore", "ServerRegister");
-  if (!serverTrustStore)
-    {
-      configFree (&serverCfg);
-      return EXIT_FAILURE;
-    }
-
   char **serverTrustPaths = NULL;
   size_t serverTrustSize = 0;
-  if (loadTrustStore (serverTrustStore, &serverTrustPaths, &serverTrustSize)
-      != 0)
+  if (serverSecure
+      && loadTrustStore (serverTrustStore, &serverTrustPaths, &serverTrustSize)
+             != 0)
     {
       configFree (&serverCfg);
       return EXIT_FAILURE;
@@ -251,25 +258,48 @@ main (int argc, char **argv)
   /* ── Create and configure server ────────────────────────────── */
 
   UA_StatusCode retval;
-  UA_Server *server = createSecureServer (
-      (UA_UInt16)port, applicationUri, serverCertPath, serverKeyPath,
-      serverTrustPaths, serverTrustSize, &retval);
-  if (!server)
+  UA_Server *server;
+
+  if (serverSecure)
     {
-      freeTrustStore (clientTrustPaths, clientTrustSize);
-      freeTrustStore (serverTrustPaths, serverTrustSize);
-      configFree (&clientCfg);
-      configFree (&serverCfg);
-      return EXIT_FAILURE;
+      server = createSecureServer ((UA_UInt16)port, applicationUri,
+                                   serverCertPath, serverKeyPath,
+                                   serverTrustPaths, serverTrustSize, &retval);
+      if (!server)
+        {
+          freeTrustStore (clientTrustPaths, clientTrustSize);
+          freeTrustStore (serverTrustPaths, serverTrustSize);
+          configFree (&clientCfg);
+          configFree (&serverCfg);
+          return EXIT_FAILURE;
+        }
+    }
+  else
+    {
+      server = UA_Server_new ();
+      UA_ServerConfig *config = UA_Server_getConfig (server);
+      retval = UA_ServerConfig_setMinimal (config, (UA_UInt16)port, NULL);
+      if (retval != UA_STATUSCODE_GOOD)
+        {
+          UA_Server_delete (server);
+          freeTrustStore (clientTrustPaths, clientTrustSize);
+          freeTrustStore (serverTrustPaths, serverTrustSize);
+          configFree (&clientCfg);
+          configFree (&serverCfg);
+          return EXIT_FAILURE;
+        }
+      UA_String_clear (&config->applicationDescription.applicationUri);
+      config->applicationDescription.applicationUri
+          = UA_String_fromChars (applicationUri);
     }
 
   UA_ServerConfig *serverConfig = UA_Server_getConfig (server);
   serverConfig->logging->context = (void *)(uintptr_t)logLevel;
 
-  /* Configure access control after server creation because
-     UA_ServerConfig_setDefaultWithSecurityPolicies (called by
-     createSecureServer) resets the access control plugin.  The credential
-     list is deep-copied by UA_AccessControl_default. */
+  /* Configure access control after server creation because both
+     UA_ServerConfig_setDefaultWithSecurityPolicies and
+     UA_ServerConfig_setMinimal reset the access control plugin.  The
+     credential list is deep-copied by UA_AccessControl_default. */
   if (!serverAllowAnonymous)
     {
       UA_UsernamePasswordLogin logins[1];