async-opcua-server 0.18.0

OPC UA server API
Documentation 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389

//! The [AuthManager] trait, and tooling related to this.

use async_trait::async_trait;

use opcua_crypto::{SecurityPolicy, Thumbprint};
use opcua_types::{
    ByteString, Error, MessageSecurityMode, NodeId, StatusCode, UAString, UserTokenPolicy,
    UserTokenType,
};
use tracing::{debug, error};

use crate::identity_token::{
    POLICY_ID_ANONYMOUS, POLICY_ID_ISSUED_TOKEN_NONE, POLICY_ID_ISSUED_TOKEN_RSA_15,
    POLICY_ID_ISSUED_TOKEN_RSA_OAEP, POLICY_ID_ISSUED_TOKEN_RSA_OAEP_SHA256,
    POLICY_ID_USER_PASS_NONE, POLICY_ID_USER_PASS_RSA_15, POLICY_ID_USER_PASS_RSA_OAEP,
    POLICY_ID_USER_PASS_RSA_OAEP_SHA256, POLICY_ID_X509,
};

use super::{
    address_space::AccessLevel, config::ANONYMOUS_USER_TOKEN_ID, ServerEndpoint, ServerUserToken,
};
use std::{collections::BTreeMap, fmt::Debug};

/// Debug-safe wrapper around a password.
#[derive(Clone, PartialEq, Eq)]
pub struct Password(String);

impl Debug for Password {
    fn fmt(&self, f: &mut std::fmt::Formatter<'_>) -> std::fmt::Result {
        f.debug_tuple("Password").field(&"****").finish()
    }
}

impl Password {
    /// Create a new debug-safe password.
    pub fn new(password: String) -> Self {
        Self(password)
    }

    /// get the inner value. Note: you should make sure not to log this!
    pub fn get(&self) -> &str {
        &self.0
    }
}

/// A unique identifier for a _user_. Distinct from a client/session, a user can
/// have multiple sessions at the same time, and is typically the value we use to
/// control access.
#[derive(Debug, Clone, PartialEq, Eq)]
pub struct UserToken(pub String);

/// Key used to identify a user.
/// Goes beyond just the identity token, since some services require
/// information about the application URI and security mode as well.
#[derive(Debug, Clone)]
pub struct UserSecurityKey {
    /// Raw user token.
    pub token: UserToken,
    /// Connection security mode.
    pub security_mode: MessageSecurityMode,
    /// Client application URI.
    pub application_uri: String,
}

impl UserToken {
    /// `true` if this is an anonymous user token.
    pub fn is_anonymous(&self) -> bool {
        self.0 == ANONYMOUS_USER_TOKEN_ID
    }
}

/// Permissions for the core and diagnostics node managers.
#[derive(Default, Debug, Clone)]
pub struct CoreServerPermissions {
    /// Whether the user can read the server diagnostics.
    pub read_diagnostics: bool,
}

#[allow(unused)]
#[async_trait]
/// The AuthManager trait is used to let servers control access to the server.
/// It serves two main purposes:
///
/// - It validates user credentials and returns a user token. Two clients with the
///   same user token are considered the _same_ user, and have some ability to interfere
///   with each other.
/// - It uses user tokens to check access levels.
///
/// Note that the only async methods are the ones validating access tokens. This means
/// that these methods should load and store any information you need to check user
/// access level down the line.
///
/// This is currently the only way to restrict access to core resources. For resources in
/// your own custom node managers you are free to use whatever access regime you want.
pub trait AuthManager: Send + Sync + 'static {
    /// Validate whether an anonymous user is allowed to access the given endpoint.
    /// This does not return a user token, all anonymous users share the same special token.
    async fn authenticate_anonymous_token(&self, endpoint: &ServerEndpoint) -> Result<(), Error> {
        Err(Error::new(
            StatusCode::BadIdentityTokenRejected,
            "Anonymous identity token unsupported",
        ))
    }

    /// Validate the given username and password for `endpoint`.
    /// This should return a user token associated with the user, for example the username itself.
    async fn authenticate_username_identity_token(
        &self,
        endpoint: &ServerEndpoint,
        username: &str,
        password: &Password,
    ) -> Result<UserToken, Error> {
        Err(Error::new(
            StatusCode::BadIdentityTokenRejected,
            "Username identity token unsupported",
        ))
    }

    /// Validate the signing thumbprint for `endpoint`.
    /// This should return a user token associated with the user.
    async fn authenticate_x509_identity_token(
        &self,
        endpoint: &ServerEndpoint,
        signing_thumbprint: &Thumbprint,
    ) -> Result<UserToken, Error> {
        Err(Error::new(
            StatusCode::BadIdentityTokenRejected,
            "X509 identity token unsupported",
        ))
    }

    /// Validate the given issued identity token for `endpoint`.
    /// This should return a user token associated with the user.
    async fn authenticate_issued_identity_token(
        &self,
        endpoint: &ServerEndpoint,
        token: &ByteString,
    ) -> Result<UserToken, Error> {
        Err(Error::new(
            StatusCode::BadIdentityTokenRejected,
            "Issued identity token unsupported",
        ))
    }

    /// Return the effective user access level for the given node ID
    fn effective_user_access_level(
        &self,
        token: &UserToken,
        user_access_level: AccessLevel,
        node_id: &NodeId,
    ) -> AccessLevel {
        user_access_level
    }

    /// Return whether a method is actually user executable, overriding whatever is returned by the
    /// node manager.
    fn is_user_executable(&self, token: &UserToken, method_id: &NodeId) -> bool {
        true
    }

    /// Return the valid user token policies for the given endpoint.
    /// Only valid tokens will be passed to the authenticator.
    fn user_token_policies(&self, endpoint: &ServerEndpoint) -> Vec<UserTokenPolicy>;

    /// Return whether the endpoint supports anonymous authentication.
    fn supports_anonymous(&self, endpoint: &ServerEndpoint) -> bool {
        self.user_token_policies(endpoint)
            .iter()
            .any(|e| e.token_type == UserTokenType::Anonymous)
    }

    /// Return whether the endpoint supports username/password authentication.
    fn supports_user_pass(&self, endpoint: &ServerEndpoint) -> bool {
        self.user_token_policies(endpoint)
            .iter()
            .any(|e| e.token_type == UserTokenType::UserName)
    }

    /// Return whether the endpoint supports x509-certificate authentication.
    fn supports_x509(&self, endpoint: &ServerEndpoint) -> bool {
        self.user_token_policies(endpoint)
            .iter()
            .any(|e| e.token_type == UserTokenType::Certificate)
    }

    /// Returns whether the endpoint supports issued-token authentication.
    fn supports_issued_token(&self, endpoint: &ServerEndpoint) -> bool {
        self.user_token_policies(endpoint)
            .iter()
            .any(|e| e.token_type == UserTokenType::IssuedToken)
    }

    /// Return the permissions for the core server for the given user.
    fn core_permissions(&self, token: &UserToken) -> CoreServerPermissions {
        CoreServerPermissions::default()
    }
}

/// A simple authenticator that keeps a map of valid users in memory.
/// In production applications you will almost always want to create your own
/// custom authenticator.
pub struct DefaultAuthenticator {
    users: BTreeMap<String, ServerUserToken>,
}

impl DefaultAuthenticator {
    /// Create a new default authenticator with the given set of users.
    pub fn new(users: BTreeMap<String, ServerUserToken>) -> Self {
        Self { users }
    }
}

#[async_trait]
impl AuthManager for DefaultAuthenticator {
    async fn authenticate_anonymous_token(&self, endpoint: &ServerEndpoint) -> Result<(), Error> {
        if !endpoint.user_token_ids.contains(ANONYMOUS_USER_TOKEN_ID) {
            return Err(Error::new(
                StatusCode::BadIdentityTokenRejected,
                format!(
                    "Endpoint \"{}\" does not support anonymous authentication",
                    endpoint.path
                ),
            ));
        }
        Ok(())
    }

    async fn authenticate_username_identity_token(
        &self,
        endpoint: &ServerEndpoint,
        username: &str,
        password: &Password,
    ) -> Result<UserToken, Error> {
        let token_password = password.get();
        for user_token_id in &endpoint.user_token_ids {
            if let Some(server_user_token) = self.users.get(user_token_id) {
                if server_user_token.is_user_pass() && server_user_token.user == username {
                    // test for empty password
                    let valid = if let Some(server_password) = server_user_token.pass.as_ref() {
                        server_password.as_bytes() == token_password.as_bytes()
                    } else {
                        token_password.is_empty()
                    };

                    if !valid {
                        error!(
                            "Cannot authenticate \"{}\", password is invalid",
                            server_user_token.user
                        );
                        return Err(Error::new(
                            StatusCode::BadIdentityTokenRejected,
                            format!("Cannot authenticate user \"{username}\""),
                        ));
                    } else {
                        return Ok(UserToken(user_token_id.clone()));
                    }
                }
            }
        }
        error!(
            "Cannot authenticate \"{}\", user not found for endpoint",
            username
        );
        Err(Error::new(
            StatusCode::BadIdentityTokenRejected,
            format!("Cannot authenticate \"{username}\""),
        ))
    }

    async fn authenticate_x509_identity_token(
        &self,
        endpoint: &ServerEndpoint,
        signing_thumbprint: &Thumbprint,
    ) -> Result<UserToken, Error> {
        // Check the endpoint to see if this token is supported
        for user_token_id in &endpoint.user_token_ids {
            if let Some(server_user_token) = self.users.get(user_token_id) {
                if let Some(ref user_thumbprint) = server_user_token.thumbprint {
                    // The signing cert matches a user's identity, so it is valid
                    if user_thumbprint == signing_thumbprint {
                        return Ok(UserToken(user_token_id.clone()));
                    }
                }
            }
        }
        Err(Error::new(
            StatusCode::BadIdentityTokenRejected,
            "Authentication failed",
        ))
    }

    fn user_token_policies(&self, endpoint: &ServerEndpoint) -> Vec<UserTokenPolicy> {
        let mut user_identity_tokens = Vec::with_capacity(3);

        // Anonymous policy
        if endpoint.user_token_ids.contains(ANONYMOUS_USER_TOKEN_ID) {
            user_identity_tokens.push(UserTokenPolicy {
                policy_id: UAString::from(POLICY_ID_ANONYMOUS),
                token_type: UserTokenType::Anonymous,
                issued_token_type: UAString::null(),
                issuer_endpoint_url: UAString::null(),
                security_policy_uri: UAString::null(),
            });
        }
        // User pass policy
        if endpoint.user_token_ids.iter().any(|id| {
            id != ANONYMOUS_USER_TOKEN_ID
                && self.users.get(id).is_some_and(|token| token.is_user_pass())
        }) {
            // The endpoint may set a password security policy
            user_identity_tokens.push(UserTokenPolicy {
                policy_id: user_pass_security_policy_id(endpoint),
                token_type: UserTokenType::UserName,
                issued_token_type: UAString::null(),
                issuer_endpoint_url: UAString::null(),
                security_policy_uri: user_pass_security_policy_uri(endpoint),
            });
        }
        // X509 policy
        if endpoint.user_token_ids.iter().any(|id| {
            id != ANONYMOUS_USER_TOKEN_ID && self.users.get(id).is_some_and(|token| token.is_x509())
        }) {
            user_identity_tokens.push(UserTokenPolicy {
                policy_id: UAString::from(POLICY_ID_X509),
                token_type: UserTokenType::Certificate,
                issued_token_type: UAString::null(),
                issuer_endpoint_url: UAString::null(),
                security_policy_uri: UAString::from(SecurityPolicy::Basic128Rsa15.to_uri()),
            });
        }

        if user_identity_tokens.is_empty() {
            debug!(
                "user_identity_tokens() returned zero endpoints for endpoint {} / {} {}",
                endpoint.path, endpoint.security_policy, endpoint.security_mode
            );
        }

        user_identity_tokens
    }

    fn core_permissions(&self, token: &UserToken) -> CoreServerPermissions {
        self.users
            .get(token.0.as_str())
            .map(|r| CoreServerPermissions {
                read_diagnostics: r.read_diagnostics,
            })
            .unwrap_or_default()
    }
}

/// Get the username and password policy ID for the given endpoint.
pub fn user_pass_security_policy_id(endpoint: &ServerEndpoint) -> UAString {
    match endpoint.password_security_policy() {
        SecurityPolicy::None => POLICY_ID_USER_PASS_NONE,
        SecurityPolicy::Basic128Rsa15 => POLICY_ID_USER_PASS_RSA_15,
        SecurityPolicy::Basic256
        | SecurityPolicy::Basic256Sha256
        | SecurityPolicy::Aes128Sha256RsaOaep => POLICY_ID_USER_PASS_RSA_OAEP,
        SecurityPolicy::Aes256Sha256RsaPss => POLICY_ID_USER_PASS_RSA_OAEP_SHA256,
        _ => {
            panic!("Invalid security policy for username and password")
        }
    }
    .into()
}

/// Get the issued token policy ID for the given endpoint.
pub fn issued_token_security_policy(endpoint: &ServerEndpoint) -> UAString {
    match endpoint.password_security_policy() {
        SecurityPolicy::None => POLICY_ID_ISSUED_TOKEN_NONE,
        SecurityPolicy::Basic128Rsa15 => POLICY_ID_ISSUED_TOKEN_RSA_15,
        SecurityPolicy::Basic256
        | SecurityPolicy::Basic256Sha256
        | SecurityPolicy::Aes128Sha256RsaOaep => POLICY_ID_ISSUED_TOKEN_RSA_OAEP,
        SecurityPolicy::Aes256Sha256RsaPss => POLICY_ID_ISSUED_TOKEN_RSA_OAEP_SHA256,
        _ => {
            panic!("Invalid security policy for username and password")
        }
    }
    .into()
}

/// Get the username and password policy URI for the given endpioint.
pub fn user_pass_security_policy_uri(_endpoint: &ServerEndpoint) -> UAString {
    // TODO we could force the security policy uri for passwords to be something other than the default
    //  here to ensure they're secure even when the endpoint's security policy is None.
    UAString::null()
}