ua_accesscontrol_default.c 9.7 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253
  1. /* This work is licensed under a Creative Commons CCZero 1.0 Universal License.
  2. * See http://creativecommons.org/publicdomain/zero/1.0/ for more information.
  3. *
  4. * Copyright 2016-2017 (c) Fraunhofer IOSB (Author: Julius Pfrommer)
  5. * Copyright 2017 (c) Stefan Profanter, fortiss GmbH
  6. */
  7. #include "ua_accesscontrol_default.h"
  8. /* Example access control management. Anonymous and username / password login.
  9. * The access rights are maximally permissive. */
  10. typedef struct {
  11. UA_Boolean allowAnonymous;
  12. size_t usernamePasswordLoginSize;
  13. UA_UsernamePasswordLogin *usernamePasswordLogin;
  14. } AccessControlContext;
  15. #define ANONYMOUS_POLICY "open62541-anonymous-policy"
  16. #define USERNAME_POLICY "open62541-username-policy"
  17. const UA_String anonymous_policy = UA_STRING_STATIC(ANONYMOUS_POLICY);
  18. const UA_String username_policy = UA_STRING_STATIC(USERNAME_POLICY);
  19. /************************/
  20. /* Access Control Logic */
  21. /************************/
  22. static UA_StatusCode
  23. activateSession_default(UA_Server *server, UA_AccessControl *ac,
  24. const UA_NodeId *sessionId,
  25. const UA_ExtensionObject *userIdentityToken,
  26. void **sessionContext) {
  27. AccessControlContext *context = (AccessControlContext*)ac->context;
  28. /* The empty token is interpreted as anonymous */
  29. if(userIdentityToken->encoding == UA_EXTENSIONOBJECT_ENCODED_NOBODY) {
  30. if(!context->allowAnonymous)
  31. return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
  32. /* No userdata atm */
  33. *sessionContext = NULL;
  34. return UA_STATUSCODE_GOOD;
  35. }
  36. /* Could the token be decoded? */
  37. if(userIdentityToken->encoding < UA_EXTENSIONOBJECT_DECODED)
  38. return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
  39. /* Anonymous login */
  40. if(userIdentityToken->content.decoded.type == &UA_TYPES[UA_TYPES_ANONYMOUSIDENTITYTOKEN]) {
  41. if(!context->allowAnonymous)
  42. return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
  43. const UA_AnonymousIdentityToken *token = (UA_AnonymousIdentityToken*)
  44. userIdentityToken->content.decoded.data;
  45. /* Compatibility notice: Siemens OPC Scout v10 provides an empty
  46. * policyId. This is not compliant. For compatibility, assume that empty
  47. * policyId == ANONYMOUS_POLICY */
  48. if(token->policyId.data && !UA_String_equal(&token->policyId, &anonymous_policy))
  49. return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
  50. /* No userdata atm */
  51. *sessionContext = NULL;
  52. return UA_STATUSCODE_GOOD;
  53. }
  54. /* Username and password */
  55. if(userIdentityToken->content.decoded.type == &UA_TYPES[UA_TYPES_USERNAMEIDENTITYTOKEN]) {
  56. const UA_UserNameIdentityToken *userToken =
  57. (UA_UserNameIdentityToken*)userIdentityToken->content.decoded.data;
  58. if(!UA_String_equal(&userToken->policyId, &username_policy))
  59. return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
  60. /* TODO: Support encrypted username/password over unencrypted SecureChannels */
  61. if(userToken->encryptionAlgorithm.length > 0)
  62. return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
  63. /* Empty username and password */
  64. if(userToken->userName.length == 0 && userToken->password.length == 0)
  65. return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
  66. /* Try to match username/pw */
  67. UA_Boolean match = false;
  68. for(size_t i = 0; i < context->usernamePasswordLoginSize; i++) {
  69. if(UA_String_equal(&userToken->userName, &context->usernamePasswordLogin[i].username) &&
  70. UA_String_equal(&userToken->password, &context->usernamePasswordLogin[i].password)) {
  71. match = true;
  72. break;
  73. }
  74. }
  75. if(!match)
  76. return UA_STATUSCODE_BADUSERACCESSDENIED;
  77. /* No userdata atm */
  78. *sessionContext = NULL;
  79. return UA_STATUSCODE_GOOD;
  80. }
  81. /* Unsupported token type */
  82. return UA_STATUSCODE_BADIDENTITYTOKENINVALID;
  83. }
  84. static void
  85. closeSession_default(UA_Server *server, UA_AccessControl *ac,
  86. const UA_NodeId *sessionId, void *sessionContext) {
  87. /* no context to clean up */
  88. }
  89. static UA_UInt32
  90. getUserRightsMask_default(UA_Server *server, UA_AccessControl *ac,
  91. const UA_NodeId *sessionId, void *sessionContext,
  92. const UA_NodeId *nodeId, void *nodeContext) {
  93. return 0xFFFFFFFF;
  94. }
  95. static UA_Byte
  96. getUserAccessLevel_default(UA_Server *server, UA_AccessControl *ac,
  97. const UA_NodeId *sessionId, void *sessionContext,
  98. const UA_NodeId *nodeId, void *nodeContext) {
  99. return 0xFF;
  100. }
  101. static UA_Boolean
  102. getUserExecutable_default(UA_Server *server, UA_AccessControl *ac,
  103. const UA_NodeId *sessionId, void *sessionContext,
  104. const UA_NodeId *methodId, void *methodContext) {
  105. return true;
  106. }
  107. static UA_Boolean
  108. getUserExecutableOnObject_default(UA_Server *server, UA_AccessControl *ac,
  109. const UA_NodeId *sessionId, void *sessionContext,
  110. const UA_NodeId *methodId, void *methodContext,
  111. const UA_NodeId *objectId, void *objectContext) {
  112. return true;
  113. }
  114. static UA_Boolean
  115. allowAddNode_default(UA_Server *server, UA_AccessControl *ac,
  116. const UA_NodeId *sessionId, void *sessionContext,
  117. const UA_AddNodesItem *item) {
  118. return true;
  119. }
  120. static UA_Boolean
  121. allowAddReference_default(UA_Server *server, UA_AccessControl *ac,
  122. const UA_NodeId *sessionId, void *sessionContext,
  123. const UA_AddReferencesItem *item) {
  124. return true;
  125. }
  126. static UA_Boolean
  127. allowDeleteNode_default(UA_Server *server, UA_AccessControl *ac,
  128. const UA_NodeId *sessionId, void *sessionContext,
  129. const UA_DeleteNodesItem *item) {
  130. return true;
  131. }
  132. static UA_Boolean
  133. allowDeleteReference_default(UA_Server *server, UA_AccessControl *ac,
  134. const UA_NodeId *sessionId, void *sessionContext,
  135. const UA_DeleteReferencesItem *item) {
  136. return true;
  137. }
  138. /***************************************/
  139. /* Create Delete Access Control Plugin */
  140. /***************************************/
  141. static void deleteMembers_default(UA_AccessControl *ac) {
  142. UA_Array_delete((void*)(uintptr_t)ac->userTokenPolicies,
  143. ac->userTokenPoliciesSize,
  144. &UA_TYPES[UA_TYPES_USERTOKENPOLICY]);
  145. AccessControlContext *context = (AccessControlContext*)ac->context;
  146. for(size_t i = 0; i < context->usernamePasswordLoginSize; i++) {
  147. UA_String_deleteMembers(&context->usernamePasswordLogin[i].username);
  148. UA_String_deleteMembers(&context->usernamePasswordLogin[i].password);
  149. }
  150. if(context->usernamePasswordLoginSize > 0)
  151. UA_free(context->usernamePasswordLogin);
  152. UA_free(ac->context);
  153. }
  154. UA_AccessControl
  155. UA_AccessControl_default(UA_Boolean allowAnonymous, size_t usernamePasswordLoginSize,
  156. const UA_UsernamePasswordLogin *usernamePasswordLogin) {
  157. AccessControlContext *context = (AccessControlContext*)
  158. UA_malloc(sizeof(AccessControlContext));
  159. memset(context, 0, sizeof(AccessControlContext));
  160. UA_AccessControl ac;
  161. memset(&ac, 0, sizeof(ac));
  162. ac.context = context;
  163. ac.deleteMembers = deleteMembers_default;
  164. ac.activateSession = activateSession_default;
  165. ac.closeSession = closeSession_default;
  166. ac.getUserRightsMask = getUserRightsMask_default;
  167. ac.getUserAccessLevel = getUserAccessLevel_default;
  168. ac.getUserExecutable = getUserExecutable_default;
  169. ac.getUserExecutableOnObject = getUserExecutableOnObject_default;
  170. ac.allowAddNode = allowAddNode_default;
  171. ac.allowAddReference = allowAddReference_default;
  172. ac.allowDeleteNode = allowDeleteNode_default;
  173. ac.allowDeleteReference = allowDeleteReference_default;
  174. /* Allow anonymous? */
  175. context->allowAnonymous = allowAnonymous;
  176. /* Copy username/password to the access control plugin */
  177. if(usernamePasswordLoginSize > 0) {
  178. context->usernamePasswordLogin = (UA_UsernamePasswordLogin*)
  179. UA_malloc(usernamePasswordLoginSize * sizeof(UA_UsernamePasswordLogin));
  180. if(!context->usernamePasswordLogin)
  181. return ac;
  182. context->usernamePasswordLoginSize = usernamePasswordLoginSize;
  183. for(size_t i = 0; i < usernamePasswordLoginSize; i++) {
  184. UA_String_copy(&usernamePasswordLogin[i].username, &context->usernamePasswordLogin[i].username);
  185. UA_String_copy(&usernamePasswordLogin[i].password, &context->usernamePasswordLogin[i].password);
  186. }
  187. }
  188. /* Set the allowed policies */
  189. size_t policies = 0;
  190. if(allowAnonymous)
  191. policies++;
  192. if(usernamePasswordLoginSize > 0)
  193. policies++;
  194. ac.userTokenPoliciesSize = 0;
  195. ac.userTokenPolicies = (UA_UserTokenPolicy *)
  196. UA_Array_new(policies, &UA_TYPES[UA_TYPES_USERTOKENPOLICY]);
  197. if(!ac.userTokenPolicies)
  198. return ac;
  199. ac.userTokenPoliciesSize = policies;
  200. policies = 0;
  201. if(allowAnonymous) {
  202. ac.userTokenPolicies[policies].tokenType = UA_USERTOKENTYPE_ANONYMOUS;
  203. ac.userTokenPolicies[policies].policyId = UA_STRING_ALLOC(ANONYMOUS_POLICY);
  204. policies++;
  205. }
  206. if(usernamePasswordLoginSize > 0) {
  207. ac.userTokenPolicies[policies].tokenType = UA_USERTOKENTYPE_USERNAME;
  208. ac.userTokenPolicies[policies].policyId = UA_STRING_ALLOC(USERNAME_POLICY);
  209. /* No encryption of username/password supported at the moment */
  210. ac.userTokenPolicies[policies].securityPolicyUri =
  211. UA_STRING_ALLOC("http://opcfoundation.org/UA/SecurityPolicy#None");
  212. }
  213. return ac;
  214. }