From 4a0e0ff8cca00a6e4b4557d468894682d1b91333 Mon Sep 17 00:00:00 2001
From: Thomas Vanbesien <tvanbesi@proton.me>
Date: Wed, 18 Feb 2026 22:01:05 +0100
Subject: Refactor auth and security params into aggregate types

Introduce AuthConfig tagged union (AUTH_ANONYMOUS/AUTH_USER/AUTH_CERT)
and SecurityConfig struct to replace scattered parameters. Add
parseSecurityConfig helper to consolidate duplicated security parsing
across all three programs. Simplify opReadTime by moving all auth
handling into the client config factory functions.
---
 src/server_lds.c | 65 ++++++++++++++++++++++----------------------------------
 1 file changed, 25 insertions(+), 40 deletions(-)

(limited to 'src/server_lds.c')

diff --git a/src/server_lds.c b/src/server_lds.c
index 3307073..311be4b 100644
--- a/src/server_lds.c
+++ b/src/server_lds.c
@@ -67,24 +67,6 @@ main (int argc, char *argv[])
       return EXIT_FAILURE;
     }
 
-  /* Security configuration (optional).  When certificate, privateKey, and
-     trustStore are all omitted the server runs with SecurityPolicy#None
-     only.  When any of the three is present, all three are required. */
-  const char *certPath = configGet (&cfg, "certificate");
-  const char *keyPath = configGet (&cfg, "privateKey");
-  const char *trustStore = configGet (&cfg, "trustStore");
-  UA_Boolean secure
-      = (certPath != NULL || keyPath != NULL || trustStore != NULL);
-
-  if (secure && (!certPath || !keyPath || !trustStore))
-    {
-      UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                    "Incomplete security config: certificate, privateKey, and "
-                    "trustStore must all be set, or all omitted");
-      configFree (&cfg);
-      return EXIT_FAILURE;
-    }
-
   /* The OPC UA specification requires the cleanup timeout to exceed the
      register-server interval.  open62541 enforces a floor of 10 seconds. */
   if (cleanupTimeout <= 10)
@@ -96,31 +78,27 @@ main (int argc, char *argv[])
       return EXIT_FAILURE;
     }
 
-  UA_Boolean allowAnonymous;
-  const char *username = NULL, *password = NULL;
-  if (parseAuthConfig (&cfg, "ServerLDS", &allowAnonymous, &username,
-                       &password, NULL)
-      != 0)
+  SecurityConfig sec;
+  if (parseSecurityConfig (&cfg, "ServerLDS", false, &sec) != 0)
     {
       configFree (&cfg);
       return EXIT_FAILURE;
     }
 
-  char **trustPaths = NULL;
-  size_t trustSize = 0;
-  if (secure && loadTrustStore (trustStore, &trustPaths, &trustSize) != 0)
+  AuthConfig auth;
+  if (parseAuthConfig (&cfg, "ServerLDS", &auth) != 0)
     {
+      freeTrustStore (sec.trustPaths, sec.trustSize);
       configFree (&cfg);
       return EXIT_FAILURE;
     }
 
   UA_StatusCode retval;
-  UA_Server *server
-      = createServer ((UA_UInt16)port, applicationUri, certPath, keyPath,
-                      trustPaths, trustSize, true, &retval);
+  UA_Server *server = createServer ((UA_UInt16)port, applicationUri,
+                                    sec.certPath ? &sec : NULL, true, &retval);
   if (!server)
     {
-      freeTrustStore (trustPaths, trustSize);
+      freeTrustStore (sec.trustPaths, sec.trustSize);
       configFree (&cfg);
       return EXIT_FAILURE;
     }
@@ -136,21 +114,28 @@ main (int argc, char *argv[])
   /* Configure access control.  UA_ServerConfig_setDefaultWithSecure-
      SecurityPolicies sets certificate-only auth by default, so we must
      always call UA_AccessControl_default to get the desired policy. */
-  if (allowAnonymous)
+  switch (auth.mode)
     {
+    case AUTH_ANONYMOUS:
       retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL);
-    }
-  else
-    {
-      UA_UsernamePasswordLogin logins[1];
-      logins[0].username = UA_STRING ((char *)username);
-      logins[0].password = UA_STRING ((char *)password);
-      retval = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
+      break;
+    case AUTH_USER:
+      {
+        UA_UsernamePasswordLogin logins[1];
+        logins[0].username = UA_STRING ((char *)auth.user.username);
+        logins[0].password = UA_STRING ((char *)auth.user.password);
+        retval
+            = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
+        break;
+      }
+    case AUTH_CERT:
+      retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL);
+      break;
     }
   if (retval != UA_STATUSCODE_GOOD)
     {
       UA_Server_delete (server);
-      freeTrustStore (trustPaths, trustSize);
+      freeTrustStore (sec.trustPaths, sec.trustSize);
       configFree (&cfg);
       return EXIT_FAILURE;
     }
@@ -166,7 +151,7 @@ main (int argc, char *argv[])
   retval = UA_Server_run (server, &running);
 
   UA_Server_delete (server);
-  freeTrustStore (trustPaths, trustSize);
+  freeTrustStore (sec.trustPaths, sec.trustSize);
   configFree (&cfg);
   return retval == UA_STATUSCODE_GOOD ? EXIT_SUCCESS : EXIT_FAILURE;
 }
-- 
cgit v1.2.3