CTT: Disable unencrypted and anonymous login by default in the CTT

examples/server_ctt.c

@@ -434,6 +434,57 @@ setInformationModel(UA_Server *server) {
 #endif
 }
 
+static void
+disableAnonymous(UA_ServerConfig *config) {
+    for(size_t i = 0; i < config->endpointsSize; i++) {
+        UA_EndpointDescription *ep = &config->endpoints[i];
+
+        for(size_t j = 0; j < ep->userIdentityTokensSize; j++) {
+            UA_UserTokenPolicy *utp = &ep->userIdentityTokens[j];
+            if(utp->tokenType != UA_USERTOKENTYPE_ANONYMOUS)
+                continue;
+
+            UA_UserTokenPolicy_clear(utp);
+            /* Move the last to this position */
+            if(j + 1 < ep->userIdentityTokensSize) {
+                ep->userIdentityTokens[j] = ep->userIdentityTokens[ep->userIdentityTokensSize-1];
+                j--;
+            }
+            ep->userIdentityTokensSize--;
+        }
+
+        /* Delete the entire array if the last UserTokenPolicy was removed */
+        if(ep->userIdentityTokensSize == 0) {
+            UA_free(ep->userIdentityTokens);
+            ep->userIdentityTokens = NULL;
+        }
+    }
+}
+
+#ifdef UA_ENABLE_ENCRYPTION
+static void
+disableUnencrypted(UA_ServerConfig *config) {
+    for(size_t i = 0; i < config->endpointsSize; i++) {
+        UA_EndpointDescription *ep = &config->endpoints[i];
+        if(ep->securityMode != UA_MESSAGESECURITYMODE_NONE)
+            continue;
+
+        UA_EndpointDescription_clear(ep);
+        /* Move the last to this position */
+        if(i + 1 < config->endpointsSize) {
+            config->endpoints[i] = config->endpoints[config->endpointsSize-1];
+            i--;
+        }
+        config->endpointsSize--;
+    }
+    /* Delete the entire array if the last Endpoint was removed */
+    if(config->endpointsSize== 0) {
+        UA_free(config->endpoints);
+        config->endpoints = NULL;
+    }
+}
+#endif
+
 UA_Boolean running = true;
 
 static void
@@ -446,10 +497,16 @@ static void
 usage(void) {
     UA_LOG_WARNING(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
                    "Usage:\n"
+#ifndef UA_ENABLE_ENCRYPTION
+                   "server_ctt [<server-certificate.der>]\n"
+#else
                    "server_ctt <server-certificate.der> <private-key.der>\n"
-                   "[--trustlist <tl1.ctl> <tl2.ctl> ... ]\n"
-                   "[--issuerlist <il1.der> <il2.der> ... ]\n"
-                   "[--revocationlist <rv1.crl> <rv2.crl> ...]\n");
+                   "\t[--trustlist <tl1.ctl> <tl2.ctl> ... ]\n"
+                   "\t[--issuerlist <il1.der> <il2.der> ... ]\n"
+                   "\t[--revocationlist <rv1.crl> <rv2.crl> ...]\n"
+                   "\t[--enableUnencrypted]\n"
+#endif
+                   "\t[--enableAnonymous]\n");
 }
 
 int main(int argc, char **argv) {
@@ -469,125 +526,151 @@ int main(int argc, char **argv) {
         return EXIT_FAILURE;
     UA_ServerConfig *config = UA_Server_getConfig(server);
 
-#ifdef UA_ENABLE_ENCRYPTION
-    if(argc < 3) {
-        usage();
-        UA_ServerConfig_setDefault(config);
-    } else {
-        /* Load certificate and private key */
-        UA_ByteString certificate = loadFile(argv[1]);
+    /* Load certificate */
+    size_t pos = 1;
+    UA_ByteString certificate = UA_BYTESTRING_NULL;
+    if((size_t)argc >= pos + 1) {
+        certificate = loadFile(argv[1]);
         if(certificate.length == 0) {
             UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                           "Unable to load file %s.", argv[1]);
+                           "Unable to load file %s.", argv[pos]);
             return EXIT_FAILURE;
         }
-        UA_ByteString privateKey = loadFile(argv[2]);
+        pos++;
+    }
+
+#ifdef UA_ENABLE_ENCRYPTION
+    /* Load the private key */
+    UA_ByteString privateKey = UA_BYTESTRING_NULL;
+    if((size_t)argc >= pos + 1) {
+        privateKey = loadFile(argv[2]);
         if(privateKey.length == 0) {
             UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                           "Unable to load file %s.", argv[2]);
+                           "Unable to load file %s.", argv[pos]);
             return EXIT_FAILURE;
         }
+        pos++;
+    }
 
-        UA_ByteString trustList[100];
-        size_t trustListSize = 0;
-        UA_ByteString issuerList[100];
-        size_t issuerListSize = 0;
-        UA_ByteString revocationList[100];
-        size_t revocationListSize = 0;
-        char filetype = ' '; /* t==trustlist, l == issuerList, r==revocationlist */
-        for(int i = 3; i < argc; i++) {
-            if(strcmp(argv[i], "--trustlist") == 0) {
-                filetype = 't';
-                continue;
-            }
+    UA_ByteString trustList[100];
+    size_t trustListSize = 0;
+    UA_ByteString issuerList[100];
+    size_t issuerListSize = 0;
+    UA_ByteString revocationList[100];
+    size_t revocationListSize = 0;
+    char filetype = ' '; /* t==trustlist, l == issuerList, r==revocationlist */
+    UA_Boolean enableUnencr = false;
+#endif
 
-            if(strcmp(argv[i], "--issuerlist") == 0) {
-                filetype = 'l';
-                continue;
-            }
+    UA_Boolean enableAnon = false;
 
-            if(strcmp(argv[i], "--revocationlist") == 0) {
-                filetype = 'r';
-                continue;
-            }
+    /* Loop over the remaining arguments */
+    for(; pos < (size_t)argc; pos++) {
 
-            if(filetype == 't') {
-                if(trustListSize >= 100) {
-                    UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                                 "Too many trust lists");
-                    return EXIT_FAILURE;
-                }
-                trustList[trustListSize] = loadFile(argv[i]);
-                if(trustList[trustListSize].data == NULL) {
-                    UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                                 "Unable to load trust list %s", argv[i]);
-                    return EXIT_FAILURE;
-                }
-                trustListSize++;
-                continue;
-            }
+        if(strcmp(argv[pos], "--enableAnonymous") == 0) {
+            enableAnon = true;
+            continue;
+        }
 
-            if(filetype == 'l') {
-                if(issuerListSize >= 100) {
-                    UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                                 "Too many trust lists");
-                    return EXIT_FAILURE;
-                }
-                issuerList[issuerListSize] = loadFile(argv[i]);
-                if(issuerList[issuerListSize].data == NULL) {
-                    UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                                 "Unable to load trust list %s", argv[i]);
-                    return EXIT_FAILURE;
-                }
-                issuerListSize++;
-                continue;
+#ifdef UA_ENABLE_ENCRYPTION
+        if(strcmp(argv[pos], "--enableUnencrypted") == 0) {
+            enableUnencr = true;
+            continue;
+        }
+
+        if(strcmp(argv[pos], "--trustlist") == 0) {
+            filetype = 't';
+            continue;
+        }
+
+        if(strcmp(argv[pos], "--issuerlist") == 0) {
+            filetype = 'l';
+            continue;
+        }
+
+        if(strcmp(argv[pos], "--revocationlist") == 0) {
+            filetype = 'r';
+            continue;
+        }
+
+        if(filetype == 't') {
+            if(trustListSize >= 100) {
+                UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                             "Too many trust lists");
+                return EXIT_FAILURE;
+            }
+            trustList[trustListSize] = loadFile(argv[pos]);
+            if(trustList[trustListSize].data == NULL) {
+                UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                             "Unable to load trust list %s", argv[pos]);
+                return EXIT_FAILURE;
             }
+            trustListSize++;
+            continue;
+        }
 
-            if(filetype == 'r') {
-                if(revocationListSize >= 100) {
-                    UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                                 "Too many revocation lists");
-                    return EXIT_FAILURE;
-                }
-                if(revocationList[revocationListSize].data == NULL) {
-                    UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                                 "Unable to load revocationlist %s", argv[i]);
-                    return EXIT_FAILURE;
-                }
-                revocationList[revocationListSize] = loadFile(argv[i]);
-                revocationListSize++;
-                continue;
+        if(filetype == 'l') {
+            if(issuerListSize >= 100) {
+                UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                             "Too many trust lists");
+                return EXIT_FAILURE;
             }
+            issuerList[issuerListSize] = loadFile(argv[pos]);
+            if(issuerList[issuerListSize].data == NULL) {
+                UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                             "Unable to load trust list %s", argv[pos]);
+                return EXIT_FAILURE;
+            }
+            issuerListSize++;
+            continue;
+        }
 
-            usage();
-            return EXIT_FAILURE;
+        if(filetype == 'r') {
+            if(revocationListSize >= 100) {
+                UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                             "Too many revocation lists");
+                return EXIT_FAILURE;
+            }
+            if(revocationList[revocationListSize].data == NULL) {
+                UA_LOG_FATAL(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
+                             "Unable to load revocationlist %s", argv[pos]);
+                return EXIT_FAILURE;
+            }
+            revocationList[revocationListSize] = loadFile(argv[pos]);
+            revocationListSize++;
+            continue;
         }
+#endif
 
-        UA_ServerConfig_setDefaultWithSecurityPolicies(config, 4840,
-                                                       &certificate, &privateKey,
-                                                       trustList, trustListSize,
-                                                       issuerList, issuerListSize,
-                                                       revocationList, revocationListSize);
-
-        UA_ByteString_clear(&certificate);
-        UA_ByteString_clear(&privateKey);
-        for(size_t i = 0; i < trustListSize; i++)
-            UA_ByteString_clear(&trustList[i]);
-        for(size_t i = 0; i < issuerListSize; i++)
-            UA_ByteString_clear(&issuerList[i]);
-        for(size_t i = 0; i < revocationListSize; i++)
-            UA_ByteString_clear(&revocationList[i]);
+        usage();
+        return EXIT_FAILURE;
     }
+
+#ifdef UA_ENABLE_ENCRYPTION
+    UA_ServerConfig_setDefaultWithSecurityPolicies(config, 4840,
+                                                   &certificate, &privateKey,
+                                                   trustList, trustListSize,
+                                                   issuerList, issuerListSize,
+                                                   revocationList, revocationListSize);
+    if(!enableUnencr)
+        disableUnencrypted(config);
 #else
-    UA_ByteString certificate = UA_BYTESTRING_NULL;
-    if(argc < 2) {
-        UA_LOG_WARNING(UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
-                       "Missing argument for the server certificate");
-    } else {
-        certificate = loadFile(argv[1]);
-    }
-    UA_ServerConfig_setDefault(config);
+    UA_ServerConfig_setMinimal(config, 4840, &certificate);
+#endif
+
+    if(!enableAnon)
+        disableAnonymous(config);
+
+    /* Clean up temp values */
     UA_ByteString_clear(&certificate);
+#ifdef UA_ENABLE_ENCRYPTION
+    UA_ByteString_clear(&privateKey);
+    for(size_t i = 0; i < trustListSize; i++)
+        UA_ByteString_clear(&trustList[i]);
+    for(size_t i = 0; i < issuerListSize; i++)
+        UA_ByteString_clear(&issuerList[i]);
+    for(size_t i = 0; i < revocationListSize; i++)
+        UA_ByteString_clear(&revocationList[i]);
 #endif
 
     /* Override with a custom access control policy */