More x509 / userpass work on server side. More stringent user token /…

… policy checks.
miaokong0724 · May 4, 2019 · 41b3a0e · 41b3a0e
1 parent 79f1324
commit 41b3a0e
Show file tree

Hide file tree

Showing 9 changed files with 201 additions and 87 deletions.
diff --git a/samples/demo-server/users/sample-x509.der b/samples/demo-server/users/sample-x509.der
diff --git a/samples/server.conf b/samples/server.conf
@@ -11,9 +11,12 @@ tcp_config:
   host: 127.0.0.1
   port: 4855
 user_tokens:
-  sample_user:
+  sample_password_user:
     user: sample
     pass: sample1
+  sample_x509_user:
+    user: sample_x509
+    x509: "./users/sample-x509.der"
   unused_user:
     user: unused
     pass: unused1
@@ -28,7 +31,8 @@ endpoints:
     password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
-      - sample_user
+      - sample_password_user
+      - sample_x509_user
   basic128rsa15_sign_encrypt:
     path: /
     security_policy: Basic128Rsa15
@@ -37,7 +41,8 @@ endpoints:
     password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
-      - sample_user
+      - sample_password_user
+      - sample_x509_user
   basic256_sign:
     path: /
     security_policy: Basic256
@@ -46,7 +51,8 @@ endpoints:
     password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
-      - sample_user
+      - sample_password_user
+      - sample_x509_user
   basic256_sign_encrypt:
     path: /
     security_policy: Basic256
@@ -55,7 +61,8 @@ endpoints:
     password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
-      - sample_user
+      - sample_password_user
+      - sample_x509_user
   basic256sha256_sign:
     path: /
     security_policy: Basic256Sha256
@@ -64,7 +71,8 @@ endpoints:
     password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
-      - sample_user
+      - sample_password_user
+      - sample_x509_user
   basic256sha256_sign_encrypt:
     path: /
     security_policy: Basic256Sha256
@@ -73,7 +81,8 @@ endpoints:
     password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
-      - sample_user
+      - sample_password_user
+      - sample_x509_user
   no_access:
     path: /noaccess
     security_policy: None
@@ -89,7 +98,8 @@ endpoints:
     password_security_policy: ~
     user_token_ids:
       - ANONYMOUS
-      - sample_user
+      - sample_password_user
+      - sample_x509_user
 max_subscriptions: 100
 max_array_length: 1000
 max_string_length: 65536

diff --git a/samples/simple-client/identity/sample-x509.der b/samples/simple-client/identity/sample-x509.der
diff --git a/samples/simple-client/identity/sample-x509.pem b/samples/simple-client/identity/sample-x509.pem
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCwS49oftNWSMyN
+kmCgxTT0SilJrFKYuK77X/lGrzEdtz8HM/05nQR0McKSGLDFki59fUPzthn/btfm
+XrAP/wEaOkdmZxmA4J8Wzf7W9wTn2cNW0Piruis9tgNSvplxA5dX6ZxEWbGkB5eo
++aMwRK5ON5aJo2BtVibBBaszgL9IrK4hecU9+f4SQmEjw7s5ETCPaYYb0t1vN+2f
+n2IiKK4qcheGeGOpzk3gXUKSi6MKPoB+/VvwZGfxCmM+w8K5luF3RY+M0JzIHXdB
+9tHjKpdSuphnMp6ZU3YMUmTpaKj4no0BTzeCRalr993cEEkuln4cTA6mh/lNbkPm
+rtn3aX2DAgMBAAECggEAJylBu/agP4SAW9puOIhWEQYAUetDlcVAqXpSR09XW8B+
+8bysvYWRnbYIAKgXbGvig+G1nIeREtqufu/9sC/3MLpNbgPs+GHtNQWhXGMW5eHL
+sJdPBeafAGBUMKdCMoaXseGk4tIB0ewV1mVNyMUY6ysR95UhMGh4x1vZAeHRm/TR
+Yp/yIn0b2r8um5jgDjo+oghqvnvmArykXrdiMdoZED/waKM9s+zoJ4XkMs/Fe4Qn
+drMILsmS6hAZGfe246G3Ud4xvqsPy57sAYgDM8LxBEfS53AmtMQsdyud4V5zdtZr
+M1maShdu2RlQxoeH+Vu2fdxoOfxFJ2L2r8aQ9b85IQKBgQDfGMPL0WjLFm6XlVEK
+hwjKkQ0S7F4B3JmoaMYJaqAazxjW/qh/b4xqZ4yzkQsFvTrByrGvbkXXdowj74fL
+XYcrOLw0LPZJmzWsRsBIj1tbWXsvKcFbE8CRuUAk2Wei3gdlXceq8vm6cpowxt0B
+MKRYrmds4q+mputqiSumggvmmQKBgQDKS8GIIoxf9968h6tayq50VoNVfIB9e5IV
+CwgtMLkX+bw1Oxz6OSgJlppC9OmFON5ppiYP3aKYtu6YCpqXvqqeFwyv8TrkhQcr
+uZ8MO5w5fYGLXhi0OXN/tzKof8RycF8O/SmwBCKXtXNOwq/X4/8FXK3oBvCj5f2F
+A/LRDFiCewKBgFADoM2sCIq2O+nv6sX80mFcjrTXw4ulZBLrqQNdk5ip6D3LzgEO
+r+zFwMfyYGKpkLZKjVnfEfuKEA8fbLO6kq0kxxNrgNW7bg+gvHwJtnlX6X9r2WZh
++jIJoADXXH0kZsCrVt5wELMXQUf3OvKfUIJh4sRBtT/vJAXstpQclkoZAoGBAIA5
+9qlY5Mur7RZplJcPI/eAIu1b5oIjgpwuCvfCC4ED/mVrW9nLwvIY8R0B6sdUHb6v
+3y5tWTQduCzNg+ItrC5bA+K+MItLOxlfJk51tnfGcwepFFWgmPJaaBTgL+AuFEMG
++5ajeF3bWQSSaS2aSjrW3TDWvU/WZ5UZxJ73iV7jAoGAEjdbhqbHRiLzHlc1NPsm
+wTikjvEOmE3GXgVQKv/r47vrpXmGPBBsBa08r0T00/cgRj5so2qqTe336k9Wi9vP
+GQbG9lQqSXp8YH7HCpXd+PjU0NrJxdu2cdT8NLn5cMuXu7vtMZ1kyotKiHGBqYPe
+O3INidX0+nHfInitSSBmCrQ=
+-----END PRIVATE KEY-----
diff --git a/samples/simple-server/users/sample-x509.der b/samples/simple-server/users/sample-x509.der
diff --git a/server/src/builder.rs b/server/src/builder.rs
@@ -42,19 +42,25 @@ impl ServerBuilder {
         warn!("Sample configuration is for testing purposes only. Use a proper configuration in your production environment");
 
         let path = DEFAULT_ENDPOINT_PATH;
-        let sample_user_id = "sample_user";
-        let user_token_ids = vec![ANONYMOUS_USER_TOKEN_ID.to_string(), sample_user_id.to_string()];
+
+        let user_token_ids = ["sample_password_user", "sample_x509_user", ANONYMOUS_USER_TOKEN_ID]
+            .iter().map(|u| u.to_string()).collect::<Vec<String>>();
 
         ServerBuilder::new()
             .application_name("OPC UA Sample Server")
             .application_uri("urn:OPC UA Sample Server")
             .create_sample_keypair(true)
             .discovery_server_url(Some(constants::DEFAULT_DISCOVERY_SERVER_URL.to_string()))
-            .user_token("sample_user", ServerUserToken {
+            .user_token("sample_password_user", ServerUserToken {
                 user: "sample".to_string(),
                 pass: Some("sample1".to_string()),
                 x509: None,
             })
+            .user_token("sample_x509_user", ServerUserToken {
+                user: "sample_x509".to_string(),
+                pass: None,
+                x509: Some("./users/sample-x509.der".to_string()),
+            })
             .user_token("unused_user", ServerUserToken {
                 user: "unused".to_string(),
                 pass: Some("unused1".to_string()),

diff --git a/server/src/config.rs b/server/src/config.rs
@@ -31,9 +31,9 @@ pub struct ServerUserToken {
     /// Password
     #[serde(skip_serializing_if = "Option::is_none")]
     pub pass: Option<String>,
-    // X509 file path
+    // X509 file path (as a string)
     #[serde(skip_serializing_if = "Option::is_none")]
-    pub x509: Option<PathBuf>,
+    pub x509: Option<String>,
 }
 
 impl ServerUserToken {
@@ -58,12 +58,9 @@ impl ServerUserToken {
         if self.pass.is_some() && self.x509.is_some() {
             error!("User token {} has a password and a path to an x509 cert", id);
             valid = false;
-        }
-        if let Some(ref path) = self.x509 {
-            if !path.exists() || !path.is_file() {
-                error!("User token {} x509 cert does not exist", id);
-                valid = false;
-            }
+        } else if self.pass.is_none() && self.x509.is_none() {
+            error!("User token {} is neither a password or an x509 cert", id);
+            valid = false;
         }
         valid
     }
@@ -213,11 +210,57 @@ impl ServerEndpoint {
         format!("{}{}", base_endpoint, self.path)
     }
 
+    pub fn password_security_policy(&self) -> SecurityPolicy {
+        if let Some(ref security_policy) = self.password_security_policy {
+            if let Ok(security_policy) = SecurityPolicy::from_str(security_policy) {
+                if security_policy != SecurityPolicy::Unknown {
+                    security_policy
+                } else {
+                    SecurityPolicy::None
+                }
+            } else {
+                SecurityPolicy::None
+            }
+        } else {
+            SecurityPolicy::None
+        }
+    }
+
     /// Test if the endpoint supports anonymous users
     pub fn supports_anonymous(&self) -> bool {
         self.supports_user_token_id(ANONYMOUS_USER_TOKEN_ID)
     }
 
+    /// Tests if this endpoint supports user pass tokens. It does this by looking to see
+    /// if any of the users allowed to access this endpoint are user pass users.
+    pub fn supports_user_pass(&self, server_tokens: &BTreeMap<String, ServerUserToken>) -> bool {
+        for user_token_id in &self.user_token_ids {
+            if user_token_id != ANONYMOUS_USER_TOKEN_ID {
+                if let Some(user_token) = server_tokens.get(user_token_id) {
+                    if user_token.is_user_pass() {
+                        return true;
+                    }
+                }
+            }
+        }
+        false
+    }
+
+    /// Tests if this endpoint supports x509 tokens.  It does this by looking to see
+    //    /// if any of the users allowed to access this endpoint are x509 users.
+    pub fn supports_x509(&self, server_tokens: &BTreeMap<String, ServerUserToken>) -> bool {
+        for user_token_id in &self.user_token_ids {
+            if user_token_id != ANONYMOUS_USER_TOKEN_ID {
+                if let Some(user_token) = server_tokens.get(user_token_id) {
+                    if user_token.is_x509() {
+                        return true;
+                    }
+                }
+            }
+        }
+        false
+    }
+
     pub fn supports_user_token_id(&self, id: &str) -> bool {
         self.user_token_ids.contains(id)
     }