mirror of
https://gitee.com/iioter/iotgateway.git
synced 2024-12-02 03:38:01 +08:00
382 lines
16 KiB
C#
382 lines
16 KiB
C#
/* ========================================================================
|
|
* Copyright (c) 2005-2020 The OPC Foundation, Inc. All rights reserved.
|
|
*
|
|
* OPC Foundation MIT License 1.00
|
|
*
|
|
* Permission is hereby granted, free of charge, to any person
|
|
* obtaining a copy of this software and associated documentation
|
|
* files (the "Software"), to deal in the Software without
|
|
* restriction, including without limitation the rights to use,
|
|
* copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
* copies of the Software, and to permit persons to whom the
|
|
* Software is furnished to do so, subject to the following
|
|
* conditions:
|
|
*
|
|
* The above copyright notice and this permission notice shall be
|
|
* included in all copies or substantial portions of the Software.
|
|
* THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
|
|
* EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES
|
|
* OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
|
|
* NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT
|
|
* HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY,
|
|
* WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING
|
|
* FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR
|
|
* OTHER DEALINGS IN THE SOFTWARE.
|
|
*
|
|
* The complete license agreement can be found here:
|
|
* http://opcfoundation.org/License/MIT/1.00/
|
|
* ======================================================================*/
|
|
|
|
using System;
|
|
using System.Collections.Generic;
|
|
using System.Linq;
|
|
using System.Reflection;
|
|
using System.Security.Cryptography.X509Certificates;
|
|
using Opc.Ua;
|
|
using Opc.Ua.Server;
|
|
|
|
namespace Quickstarts.ReferenceServer
|
|
{
|
|
/// <summary>
|
|
/// Implements the Quickstart Reference Server.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// Each server instance must have one instance of a StandardServer object which is
|
|
/// responsible for reading the configuration file, creating the endpoints and dispatching
|
|
/// incoming requests to the appropriate handler.
|
|
///
|
|
/// This sub-class specifies non-configurable metadata such as Product Name and initializes
|
|
/// the EmptyNodeManager which provides access to the data exposed by the Server.
|
|
/// </remarks>
|
|
public partial class ReferenceServer : ReverseConnectServer
|
|
{
|
|
#region Overridden Methods
|
|
/// <summary>
|
|
/// Creates the node managers for the server.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// This method allows the sub-class create any additional node managers which it uses. The SDK
|
|
/// always creates a CoreNodeManager which handles the built-in nodes defined by the specification.
|
|
/// Any additional NodeManagers are expected to handle application specific nodes.
|
|
/// </remarks>
|
|
protected override MasterNodeManager CreateMasterNodeManager(IServerInternal server, ApplicationConfiguration configuration)
|
|
{
|
|
|
|
|
|
// create the custom node managers.
|
|
nodeManagers.Add(new ReferenceNodeManager(server, configuration));
|
|
|
|
if (m_nodeManagerFactory == null || m_nodeManagerFactory.Count == 0)
|
|
{
|
|
AddDefaultFactories();
|
|
}
|
|
|
|
foreach (var nodeManagerFactory in m_nodeManagerFactory)
|
|
{
|
|
nodeManagers.Add(nodeManagerFactory.Create(server, configuration));
|
|
}
|
|
|
|
// create master node manager.
|
|
return new MasterNodeManager(server, configuration, null, nodeManagers.ToArray());
|
|
}
|
|
|
|
/// <summary>
|
|
/// Loads the non-configurable properties for the application.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// These properties are exposed by the server but cannot be changed by administrators.
|
|
/// </remarks>
|
|
protected override ServerProperties LoadServerProperties()
|
|
{
|
|
ServerProperties properties = new ServerProperties();
|
|
|
|
properties.ManufacturerName = "OPC Foundation";
|
|
properties.ProductName = "Quickstart Reference Server";
|
|
properties.ProductUri = "http://opcfoundation.org/Quickstart/ReferenceServer/v1.04";
|
|
properties.SoftwareVersion = Utils.GetAssemblySoftwareVersion();
|
|
properties.BuildNumber = Utils.GetAssemblyBuildNumber();
|
|
properties.BuildDate = Utils.GetAssemblyTimestamp();
|
|
|
|
return properties;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Creates the resource manager for the server.
|
|
/// </summary>
|
|
protected override ResourceManager CreateResourceManager(IServerInternal server, ApplicationConfiguration configuration)
|
|
{
|
|
ResourceManager resourceManager = new ResourceManager(server, configuration);
|
|
|
|
System.Reflection.FieldInfo[] fields = typeof(StatusCodes).GetFields(System.Reflection.BindingFlags.Public | System.Reflection.BindingFlags.Static);
|
|
|
|
foreach (System.Reflection.FieldInfo field in fields)
|
|
{
|
|
uint? id = field.GetValue(typeof(StatusCodes)) as uint?;
|
|
|
|
if (id != null)
|
|
{
|
|
resourceManager.Add(id.Value, "en-US", field.Name);
|
|
}
|
|
}
|
|
|
|
return resourceManager;
|
|
}
|
|
|
|
/// <summary>
|
|
/// Initializes the server before it starts up.
|
|
/// </summary>
|
|
/// <remarks>
|
|
/// This method is called before any startup processing occurs. The sub-class may update the
|
|
/// configuration object or do any other application specific startup tasks.
|
|
/// </remarks>
|
|
protected override void OnServerStarting(ApplicationConfiguration configuration)
|
|
{
|
|
|
|
base.OnServerStarting(configuration);
|
|
|
|
// it is up to the application to decide how to validate user identity tokens.
|
|
// this function creates validator for X509 identity tokens.
|
|
CreateUserIdentityValidators(configuration);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Called after the server has been started.
|
|
/// </summary>
|
|
protected override void OnServerStarted(IServerInternal server)
|
|
{
|
|
base.OnServerStarted(server);
|
|
|
|
// request notifications when the user identity is changed. all valid users are accepted by default.
|
|
server.SessionManager.ImpersonateUser += new ImpersonateEventHandler(SessionManager_ImpersonateUser);
|
|
|
|
try
|
|
{
|
|
lock (ServerInternal.Status.Lock)
|
|
{
|
|
// allow a faster sampling interval for CurrentTime node.
|
|
ServerInternal.Status.Variable.CurrentTime.MinimumSamplingInterval = 250;
|
|
}
|
|
}
|
|
catch
|
|
{ }
|
|
|
|
}
|
|
#endregion
|
|
|
|
#region User Validation Functions
|
|
/// <summary>
|
|
/// Creates the objects used to validate the user identity tokens supported by the server.
|
|
/// </summary>
|
|
private void CreateUserIdentityValidators(ApplicationConfiguration configuration)
|
|
{
|
|
for (int ii = 0; ii < configuration.ServerConfiguration.UserTokenPolicies.Count; ii++)
|
|
{
|
|
UserTokenPolicy policy = configuration.ServerConfiguration.UserTokenPolicies[ii];
|
|
|
|
// create a validator for a certificate token policy.
|
|
if (policy.TokenType == UserTokenType.Certificate)
|
|
{
|
|
// check if user certificate trust lists are specified in configuration.
|
|
if (configuration.SecurityConfiguration.TrustedUserCertificates != null &&
|
|
configuration.SecurityConfiguration.UserIssuerCertificates != null)
|
|
{
|
|
CertificateValidator certificateValidator = new CertificateValidator();
|
|
certificateValidator.Update(configuration.SecurityConfiguration).Wait();
|
|
certificateValidator.Update(configuration.SecurityConfiguration.UserIssuerCertificates,
|
|
configuration.SecurityConfiguration.TrustedUserCertificates,
|
|
configuration.SecurityConfiguration.RejectedCertificateStore);
|
|
|
|
// set custom validator for user certificates.
|
|
m_userCertificateValidator = certificateValidator.GetChannelValidator();
|
|
}
|
|
}
|
|
}
|
|
}
|
|
|
|
/// <summary>
|
|
/// Called when a client tries to change its user identity.
|
|
/// </summary>
|
|
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
|
|
{
|
|
// check for a user name token.
|
|
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
|
|
|
|
if (userNameToken != null)
|
|
{
|
|
args.Identity = VerifyPassword(userNameToken);
|
|
|
|
// set AuthenticatedUser role for accepted user/password authentication
|
|
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
|
|
|
|
if (args.Identity is SystemConfigurationIdentity)
|
|
{
|
|
// set ConfigureAdmin role for user with permission to configure server
|
|
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin);
|
|
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin);
|
|
}
|
|
|
|
return;
|
|
}
|
|
|
|
// check for x509 user token.
|
|
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
|
|
|
|
if (x509Token != null)
|
|
{
|
|
VerifyUserTokenCertificate(x509Token.Certificate);
|
|
args.Identity = new UserIdentity(x509Token);
|
|
|
|
// set AuthenticatedUser role for accepted certificate authentication
|
|
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
|
|
|
|
return;
|
|
}
|
|
|
|
// check for anonymous token.
|
|
if (args.NewIdentity is AnonymousIdentityToken || args.NewIdentity == null)
|
|
{
|
|
// allow anonymous authentication and set Anonymous role for this authentication
|
|
args.Identity = new UserIdentity();
|
|
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous);
|
|
|
|
return;
|
|
}
|
|
|
|
// unsuported identity token type.
|
|
throw ServiceResultException.Create(StatusCodes.BadIdentityTokenInvalid,
|
|
"Not supported user token type: {0}.", args.NewIdentity);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Validates the password for a username token.
|
|
/// </summary>
|
|
private IUserIdentity VerifyPassword(UserNameIdentityToken userNameToken)
|
|
{
|
|
var userName = userNameToken.UserName;
|
|
var password = userNameToken.DecryptedPassword;
|
|
if (String.IsNullOrEmpty(userName))
|
|
{
|
|
// an empty username is not accepted.
|
|
throw ServiceResultException.Create(StatusCodes.BadIdentityTokenInvalid,
|
|
"Security token is not a valid username token. An empty username is not accepted.");
|
|
}
|
|
|
|
if (String.IsNullOrEmpty(password))
|
|
{
|
|
// an empty password is not accepted.
|
|
throw ServiceResultException.Create(StatusCodes.BadIdentityTokenRejected,
|
|
"Security token is not a valid username token. An empty password is not accepted.");
|
|
}
|
|
|
|
// User with permission to configure server
|
|
if (userName == "sysadmin" && password == "demo")
|
|
{
|
|
return new SystemConfigurationIdentity(new UserIdentity(userNameToken));
|
|
}
|
|
|
|
// standard users for CTT verification
|
|
if (!((userName == "user1" && password == "password") ||
|
|
(userName == "user2" && password == "password1")))
|
|
{
|
|
// construct translation object with default text.
|
|
TranslationInfo info = new TranslationInfo(
|
|
"InvalidPassword",
|
|
"en-US",
|
|
"Invalid username or password.",
|
|
userName);
|
|
|
|
// create an exception with a vendor defined sub-code.
|
|
throw new ServiceResultException(new ServiceResult(
|
|
StatusCodes.BadUserAccessDenied,
|
|
"InvalidPassword",
|
|
LoadServerProperties().ProductUri,
|
|
new LocalizedText(info)));
|
|
}
|
|
|
|
return new UserIdentity(userNameToken);
|
|
}
|
|
|
|
/// <summary>
|
|
/// Verifies that a certificate user token is trusted.
|
|
/// </summary>
|
|
private void VerifyUserTokenCertificate(X509Certificate2 certificate)
|
|
{
|
|
try
|
|
{
|
|
if (m_userCertificateValidator != null)
|
|
{
|
|
m_userCertificateValidator.Validate(certificate);
|
|
}
|
|
else
|
|
{
|
|
CertificateValidator.Validate(certificate);
|
|
}
|
|
}
|
|
catch (Exception e)
|
|
{
|
|
TranslationInfo info;
|
|
StatusCode result = StatusCodes.BadIdentityTokenRejected;
|
|
ServiceResultException se = e as ServiceResultException;
|
|
if (se != null && se.StatusCode == StatusCodes.BadCertificateUseNotAllowed)
|
|
{
|
|
info = new TranslationInfo(
|
|
"InvalidCertificate",
|
|
"en-US",
|
|
"'{0}' is an invalid user certificate.",
|
|
certificate.Subject);
|
|
|
|
result = StatusCodes.BadIdentityTokenInvalid;
|
|
}
|
|
else
|
|
{
|
|
// construct translation object with default text.
|
|
info = new TranslationInfo(
|
|
"UntrustedCertificate",
|
|
"en-US",
|
|
"'{0}' is not a trusted user certificate.",
|
|
certificate.Subject);
|
|
}
|
|
|
|
// create an exception with a vendor defined sub-code.
|
|
throw new ServiceResultException(new ServiceResult(
|
|
result,
|
|
info.Key,
|
|
LoadServerProperties().ProductUri,
|
|
new LocalizedText(info)));
|
|
}
|
|
}
|
|
|
|
private static INodeManagerFactory IsINodeManagerFactoryType(Type type)
|
|
{
|
|
var nodeManagerTypeInfo = type.GetTypeInfo();
|
|
if (nodeManagerTypeInfo.IsAbstract ||
|
|
!typeof(INodeManagerFactory).IsAssignableFrom(type))
|
|
{
|
|
return null;
|
|
}
|
|
|
|
return Activator.CreateInstance(type) as INodeManagerFactory;
|
|
}
|
|
|
|
private void AddDefaultFactories()
|
|
{
|
|
var assembly = GetType().Assembly;
|
|
var factories = assembly.GetExportedTypes().Select(type => IsINodeManagerFactoryType(type)).Where(type => type != null);
|
|
m_nodeManagerFactory = new List<INodeManagerFactory>();
|
|
foreach (var nodeManagerFactory in factories)
|
|
{
|
|
m_nodeManagerFactory.Add(nodeManagerFactory);
|
|
}
|
|
}
|
|
#endregion
|
|
|
|
#region Private Fields
|
|
private IList<INodeManagerFactory> m_nodeManagerFactory;
|
|
private ICertificateValidator m_userCertificateValidator;
|
|
#endregion
|
|
|
|
|
|
public List<INodeManager> nodeManagers = new List<INodeManager>();
|
|
}
|
|
}
|