ua_accesscontrol_default.c 5.2 KB

  1. /* This work is licensed under a Creative Commons CCZero 1.0 Universal License.
  2. * See http://creativecommons.org/publicdomain/zero/1.0/ for more information.
  3. *
  4. * Copyright 2016-2017 (c) Julius Pfrommer, Fraunhofer IOSB
  5. * Copyright 2017 (c) Stefan Profanter, fortiss GmbH
  6. */
  7. #include "ua_accesscontrol_default.h"
  8. /* Example access control management. Anonymous and username / password login.
  9. * The access rights are maximally permissive. */
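  /* Policy identifiers that a client must present in its identity token. */
  #define ANONYMOUS_POLICY "open62541-anonymous-policy"
  #define USERNAME_POLICY "open62541-username-policy"

  // TODO: There should be one definition of these strings in the endpoint.
  // Put the endpoint definition in the access control struct?

  /* Build a UA_String initializer {length, data} from a string literal.
   * sizeof includes the terminating NUL, hence the -1. Only valid for
   * literals/arrays: on a pointer, sizeof would yield the pointer size. */
  #define UA_STRING_STATIC(s) {sizeof(s) - 1, (UA_Byte *)(s)}

  const UA_String anonymous_policy = UA_STRING_STATIC(ANONYMOUS_POLICY);
  const UA_String username_policy = UA_STRING_STATIC(USERNAME_POLICY);

  /* One accepted username / password pair. */
  typedef struct {
      UA_String username;
      UA_String password;
  } UA_UsernamePasswordLogin;

  /* Example login table. The credentials are compiled into the binary as
   * plaintext, so they are readable by anyone with access to the source or
   * the executable and cannot be rotated without a rebuild. A deployment
   * needs to replace this table with its own credential store. */
  UA_UsernamePasswordLogin usernamePasswords[] = {
      { UA_STRING_STATIC("user1"), UA_STRING_STATIC("password") },
      { UA_STRING_STATIC("user2"), UA_STRING_STATIC("password1") }
  };

  /* Derived from the table itself so that the login loop can never run past
   * the array (or skip entries) when the table is edited. */
  const size_t usernamePasswordsSize =
      sizeof(usernamePasswords) / sizeof(usernamePasswords[0]);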
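  /* Compare two strings without returning at the first differing byte, so the
   * time taken does not reveal how long a prefix of a guessed credential was
   * correct. Best effort only: the loop count still depends on the shorter of
   * the two lengths. The result is the same as a length + byte-wise equality
   * check. */
  static UA_Boolean
  loginFieldEquals_noEarlyExit(const UA_String *given, const UA_String *expected) {
      size_t diff = given->length ^ expected->length;
      size_t n = (given->length < expected->length) ? given->length : expected->length;
      for(size_t i = 0; i < n; i++)
          diff |= (size_t)(given->data[i] ^ expected->data[i]);
      return diff == 0;
  }

  /* Decide whether a session may be activated with the given identity token.
   *
   * Accepts an anonymous token (policyId empty or equal to ANONYMOUS_POLICY)
   * and a username token (policyId equal to USERNAME_POLICY) whose
   * username / password pair appears in usernamePasswords.
   *
   * @param sessionId          Not used by this implementation.
   * @param userIdentityToken  Identity token as received from the client.
   * @param sessionContext     Set to NULL on success; left untouched on failure.
   * @return UA_STATUSCODE_GOOD on success,
   *         UA_STATUSCODE_BADUSERACCESSDENIED if no login entry matches,
   *         UA_STATUSCODE_BADIDENTITYTOKENINVALID for every other rejection.
   *
   * Security notes:
   *  - Anonymous logins are always accepted and receive the same (full) rights
   *    as authenticated users from the other callbacks in this file.
   *  - Tokens that name an encryptionAlgorithm are rejected, so the password is
   *    only ever accepted unencrypted inside the token. Its confidentiality in
   *    transit then depends on the SecureChannel, which this function cannot
   *    see -- NOTE(review): confirm the caller restricts this policy to
   *    encrypted channels.
   *  - No attempt limiting or logging of failed logins happens here. */
  UA_StatusCode
  activateSession_default(const UA_NodeId *sessionId,
                          const UA_ExtensionObject *userIdentityToken,
                          void **sessionContext) {
      (void)sessionId;

      /* Could the token be decoded? */
      if(userIdentityToken->encoding < UA_EXTENSIONOBJECT_DECODED)
          return UA_STATUSCODE_BADIDENTITYTOKENINVALID;

      /* Anonymous login */
      if(userIdentityToken->content.decoded.type ==
         &UA_TYPES[UA_TYPES_ANONYMOUSIDENTITYTOKEN]) {
          const UA_AnonymousIdentityToken *token =
              (UA_AnonymousIdentityToken*)userIdentityToken->content.decoded.data;

          /* Compatibility notice: Siemens OPC Scout v10 provides an empty
           * policyId. This is not compliant. For compatibility, assume that empty
           * policyId == ANONYMOUS_POLICY */
          if(token->policyId.data &&
             !UA_String_equal(&token->policyId, &anonymous_policy))
              return UA_STATUSCODE_BADIDENTITYTOKENINVALID;

          /* No userdata atm */
          *sessionContext = NULL;
          return UA_STATUSCODE_GOOD;
      }

      /* Username and password */
      if(userIdentityToken->content.decoded.type ==
         &UA_TYPES[UA_TYPES_USERNAMEIDENTITYTOKEN]) {
          const UA_UserNameIdentityToken *token =
              (UA_UserNameIdentityToken*)userIdentityToken->content.decoded.data;

          /* The policyId is public, so an ordinary comparison is fine here */
          if(!UA_String_equal(&token->policyId, &username_policy))
              return UA_STATUSCODE_BADIDENTITYTOKENINVALID;

          /* TODO: Support encrypted username/password over unencrypted SecureChannels */
          if(token->encryptionAlgorithm.length > 0)
              return UA_STATUSCODE_BADIDENTITYTOKENINVALID;

          /* Empty username and password */
          if(token->userName.length == 0 && token->password.length == 0)
              return UA_STATUSCODE_BADIDENTITYTOKENINVALID;

          /* Try to match username/pw. Every entry is checked and both fields
           * are always compared, so the response time does not depend on
           * which entry (if any) matched or on whether only the username was
           * right. */
          UA_Boolean match = false;
          for(size_t i = 0; i < usernamePasswordsSize; i++) {
              UA_Boolean userOk =
                  loginFieldEquals_noEarlyExit(&token->userName,
                                               &usernamePasswords[i].username);
              UA_Boolean pwOk =
                  loginFieldEquals_noEarlyExit(&token->password,
                                               &usernamePasswords[i].password);
              match = (UA_Boolean)(match | (userOk & pwOk));
          }
          if(!match)
              return UA_STATUSCODE_BADUSERACCESSDENIED;

          /* No userdata atm */
          *sessionContext = NULL;
          return UA_STATUSCODE_GOOD;
      }

      /* Unsupported token type */
      return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
  }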
  /* Session teardown hook. activateSession_default always stores NULL as the
   * session context, so nothing has to be released here. */
  void
  closeSession_default(const UA_NodeId *sessionId, void *sessionContext) {
      (void)sessionId;
      (void)sessionContext;
  }
  /* Rights mask for a session on a node. Every argument is ignored and a mask
   * with all 32 bits set is returned, i.e. no right is withheld from any
   * session (anonymous ones included) on any node. */
  UA_UInt32
  getUserRightsMask_default(const UA_NodeId *sessionId, void *sessionContext,
                            const UA_NodeId *nodeId, void *nodeContext) {
      (void)sessionId;
      (void)sessionContext;
      (void)nodeId;
      (void)nodeContext;

      const UA_UInt32 everyRight = 0xFFFFFFFF;
      return everyRight;
  }
  /* Access level for a session on a node. Every argument is ignored and a byte
   * with all 8 bits set is returned, so no access-level bit is ever cleared
   * for any session or node. */
  UA_Byte
  getUserAccessLevel_default(const UA_NodeId *sessionId, void *sessionContext,
                             const UA_NodeId *nodeId, void *nodeContext) {
      (void)sessionId;
      (void)sessionContext;
      (void)nodeId;
      (void)nodeContext;

      const UA_Byte everyLevel = 0xFF;
      return everyLevel;
  }
  /* May the session execute the method? Always answers true; neither the
   * session nor the method is inspected. */
  UA_Boolean
  getUserExecutable_default(const UA_NodeId *sessionId, void *sessionContext,
                            const UA_NodeId *methodId, void *methodContext) {
      (void)sessionId;
      (void)sessionContext;
      (void)methodId;
      (void)methodContext;

      const UA_Boolean permitted = true;
      return permitted;
  }
  /* May the session execute the method on the given object? Always answers
   * true; session, method and object are all ignored. */
  UA_Boolean
  getUserExecutableOnObject_default(const UA_NodeId *sessionId, void *sessionContext,
                                    const UA_NodeId *methodId, void *methodContext,
                                    const UA_NodeId *objectId, void *objectContext) {
      (void)sessionId;
      (void)sessionContext;
      (void)methodId;
      (void)methodContext;
      (void)objectId;
      (void)objectContext;

      const UA_Boolean permitted = true;
      return permitted;
  }
  /* May the session add the described node? Always answers true; the request
   * item and the session are not examined, so any session (anonymous ones
   * included) can add nodes. */
  UA_Boolean
  allowAddNode_default(const UA_NodeId *sessionId, void *sessionContext,
                       const UA_AddNodesItem *item) {
      (void)sessionId;
      (void)sessionContext;
      (void)item;

      const UA_Boolean permitted = true;
      return permitted;
  }
  /* May the session add the described reference? Always answers true; the
   * request item and the session are not examined. */
  UA_Boolean
  allowAddReference_default(const UA_NodeId *sessionId, void *sessionContext,
                            const UA_AddReferencesItem *item) {
      (void)sessionId;
      (void)sessionContext;
      (void)item;

      const UA_Boolean permitted = true;
      return permitted;
  }
  /* May the session delete the described node? Always answers true; the
   * request item and the session are not examined, so any session (anonymous
   * ones included) can delete nodes. */
  UA_Boolean
  allowDeleteNode_default(const UA_NodeId *sessionId, void *sessionContext,
                          const UA_DeleteNodesItem *item) {
      (void)sessionId;
      (void)sessionContext;
      (void)item;

      const UA_Boolean permitted = true;
      return permitted;
  }
  /* May the session delete the described reference? Always answers true; the
   * request item and the session are not examined. */
  UA_Boolean
  allowDeleteReference_default(const UA_NodeId *sessionId, void *sessionContext,
                               const UA_DeleteReferencesItem *item) {
      (void)sessionId;
      (void)sessionContext;
      (void)item;

      const UA_Boolean permitted = true;
      return permitted;
  }