/* ======================================================================== * Copyright (c) 2005-2020 The OPC Foundation, Inc. All rights reserved. * * OPC Foundation MIT License 1.00 * * Permission is hereby granted, free of charge, to any person * obtaining a copy of this software and associated documentation * files (the "Software"), to deal in the Software without * restriction, including without limitation the rights to use, * copy, modify, merge, publish, distribute, sublicense, and/or sell * copies of the Software, and to permit persons to whom the * Software is furnished to do so, subject to the following * conditions: * * The above copyright notice and this permission notice shall be * included in all copies or substantial portions of the Software. * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES * OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT * HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, * WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING * FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR * OTHER DEALINGS IN THE SOFTWARE. * * The complete license agreement can be found here: * http://opcfoundation.org/License/MIT/1.00/ * ======================================================================*/ using System; using System.Collections.Generic; using System.Linq; using System.Reflection; using System.Security.Cryptography.X509Certificates; using Opc.Ua; using Opc.Ua.Server; namespace Quickstarts.ReferenceServer { ///

/// Implements the Quickstart Reference Server. ///

/// /// Each server instance must have one instance of a StandardServer object which is /// responsible for reading the configuration file, creating the endpoints and dispatching /// incoming requests to the appropriate handler. /// /// This sub-class specifies non-configurable metadata such as Product Name and initializes /// the EmptyNodeManager which provides access to the data exposed by the Server. /// public partial class ReferenceServer : ReverseConnectServer { #region Overridden Methods ///

/// Creates the node managers for the server. ///

/// /// This method allows the sub-class create any additional node managers which it uses. The SDK /// always creates a CoreNodeManager which handles the built-in nodes defined by the specification. /// Any additional NodeManagers are expected to handle application specific nodes. /// protected override MasterNodeManager CreateMasterNodeManager(IServerInternal server, ApplicationConfiguration configuration) { // create the custom node managers. nodeManagers.Add(new ReferenceNodeManager(server, configuration)); if (m_nodeManagerFactory == null || m_nodeManagerFactory.Count == 0) { AddDefaultFactories(); } foreach (var nodeManagerFactory in m_nodeManagerFactory) { nodeManagers.Add(nodeManagerFactory.Create(server, configuration)); } // create master node manager. return new MasterNodeManager(server, configuration, null, nodeManagers.ToArray()); } ///

/// Loads the non-configurable properties for the application. ///

/// /// These properties are exposed by the server but cannot be changed by administrators. /// protected override ServerProperties LoadServerProperties() { ServerProperties properties = new ServerProperties(); properties.ManufacturerName = "OPC Foundation"; properties.ProductName = "Quickstart Reference Server"; properties.ProductUri = "http://opcfoundation.org/Quickstart/ReferenceServer/v1.04"; properties.SoftwareVersion = Utils.GetAssemblySoftwareVersion(); properties.BuildNumber = Utils.GetAssemblyBuildNumber(); properties.BuildDate = Utils.GetAssemblyTimestamp(); return properties; } ///

/// Creates the resource manager for the server. ///

protected override ResourceManager CreateResourceManager(IServerInternal server, ApplicationConfiguration configuration) { ResourceManager resourceManager = new ResourceManager(server, configuration); System.Reflection.FieldInfo[] fields = typeof(StatusCodes).GetFields(System.Reflection.BindingFlags.Public | System.Reflection.BindingFlags.Static); foreach (System.Reflection.FieldInfo field in fields) { uint? id = field.GetValue(typeof(StatusCodes)) as uint?; if (id != null) { resourceManager.Add(id.Value, "en-US", field.Name); } } return resourceManager; } ///

/// Initializes the server before it starts up. ///

/// /// This method is called before any startup processing occurs. The sub-class may update the /// configuration object or do any other application specific startup tasks. /// protected override void OnServerStarting(ApplicationConfiguration configuration) { base.OnServerStarting(configuration); // it is up to the application to decide how to validate user identity tokens. // this function creates validator for X509 identity tokens. CreateUserIdentityValidators(configuration); } ///

/// Called after the server has been started. ///

protected override void OnServerStarted(IServerInternal server) { base.OnServerStarted(server); // request notifications when the user identity is changed. all valid users are accepted by default. server.SessionManager.ImpersonateUser += new ImpersonateEventHandler(SessionManager_ImpersonateUser); try { lock (ServerInternal.Status.Lock) { // allow a faster sampling interval for CurrentTime node. ServerInternal.Status.Variable.CurrentTime.MinimumSamplingInterval = 250; } } catch { } } #endregion #region User Validation Functions ///

/// Creates the objects used to validate the user identity tokens supported by the server. ///

private void CreateUserIdentityValidators(ApplicationConfiguration configuration) { for (int ii = 0; ii < configuration.ServerConfiguration.UserTokenPolicies.Count; ii++) { UserTokenPolicy policy = configuration.ServerConfiguration.UserTokenPolicies[ii]; // create a validator for a certificate token policy. if (policy.TokenType == UserTokenType.Certificate) { // check if user certificate trust lists are specified in configuration. if (configuration.SecurityConfiguration.TrustedUserCertificates != null && configuration.SecurityConfiguration.UserIssuerCertificates != null) { CertificateValidator certificateValidator = new CertificateValidator(); certificateValidator.Update(configuration.SecurityConfiguration).Wait(); certificateValidator.Update(configuration.SecurityConfiguration.UserIssuerCertificates, configuration.SecurityConfiguration.TrustedUserCertificates, configuration.SecurityConfiguration.RejectedCertificateStore); // set custom validator for user certificates. m_userCertificateValidator = certificateValidator.GetChannelValidator(); } } } } ///

/// Called when a client tries to change its user identity. ///

private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a user name token. UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { args.Identity = VerifyPassword(userNameToken); // set AuthenticatedUser role for accepted user/password authentication args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); if (args.Identity is SystemConfigurationIdentity) { // set ConfigureAdmin role for user with permission to configure server args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin); } return; } // check for x509 user token. X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken; if (x509Token != null) { VerifyUserTokenCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); // set AuthenticatedUser role for accepted certificate authentication args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); return; } // check for anonymous token. if (args.NewIdentity is AnonymousIdentityToken || args.NewIdentity == null) { // allow anonymous authentication and set Anonymous role for this authentication args.Identity = new UserIdentity(); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous); return; } // unsuported identity token type. throw ServiceResultException.Create(StatusCodes.BadIdentityTokenInvalid, "Not supported user token type: {0}.", args.NewIdentity); } ///

/// Validates the password for a username token. ///

private IUserIdentity VerifyPassword(UserNameIdentityToken userNameToken) { var userName = userNameToken.UserName; var password = userNameToken.DecryptedPassword; if (String.IsNullOrEmpty(userName)) { // an empty username is not accepted. throw ServiceResultException.Create(StatusCodes.BadIdentityTokenInvalid, "Security token is not a valid username token. An empty username is not accepted."); } if (String.IsNullOrEmpty(password)) { // an empty password is not accepted. throw ServiceResultException.Create(StatusCodes.BadIdentityTokenRejected, "Security token is not a valid username token. An empty password is not accepted."); } // User with permission to configure server if (userName == "sysadmin" && password == "demo") { return new SystemConfigurationIdentity(new UserIdentity(userNameToken)); } // standard users for CTT verification if (!((userName == "user1" && password == "password") || (userName == "user2" && password == "password1"))) { // construct translation object with default text. TranslationInfo info = new TranslationInfo( "InvalidPassword", "en-US", "Invalid username or password.", userName); // create an exception with a vendor defined sub-code. throw new ServiceResultException(new ServiceResult( StatusCodes.BadUserAccessDenied, "InvalidPassword", LoadServerProperties().ProductUri, new LocalizedText(info))); } return new UserIdentity(userNameToken); } ///

/// Verifies that a certificate user token is trusted. ///

private void VerifyUserTokenCertificate(X509Certificate2 certificate) { try { if (m_userCertificateValidator != null) { m_userCertificateValidator.Validate(certificate); } else { CertificateValidator.Validate(certificate); } } catch (Exception e) { TranslationInfo info; StatusCode result = StatusCodes.BadIdentityTokenRejected; ServiceResultException se = e as ServiceResultException; if (se != null && se.StatusCode == StatusCodes.BadCertificateUseNotAllowed) { info = new TranslationInfo( "InvalidCertificate", "en-US", "'{0}' is an invalid user certificate.", certificate.Subject); result = StatusCodes.BadIdentityTokenInvalid; } else { // construct translation object with default text. info = new TranslationInfo( "UntrustedCertificate", "en-US", "'{0}' is not a trusted user certificate.", certificate.Subject); } // create an exception with a vendor defined sub-code. throw new ServiceResultException(new ServiceResult( result, info.Key, LoadServerProperties().ProductUri, new LocalizedText(info))); } } private static INodeManagerFactory IsINodeManagerFactoryType(Type type) { var nodeManagerTypeInfo = type.GetTypeInfo(); if (nodeManagerTypeInfo.IsAbstract || !typeof(INodeManagerFactory).IsAssignableFrom(type)) { return null; } return Activator.CreateInstance(type) as INodeManagerFactory; } private void AddDefaultFactories() { var assembly = GetType().Assembly; var factories = assembly.GetExportedTypes().Select(type => IsINodeManagerFactoryType(type)).Where(type => type != null); m_nodeManagerFactory = new List(); foreach (var nodeManagerFactory in factories) { m_nodeManagerFactory.Add(nodeManagerFactory); } } #endregion #region Private Fields private IList m_nodeManagerFactory; private ICertificateValidator m_userCertificateValidator; #endregion public List nodeManagers = new List(); } }