Example 1 with UserIdentityToken
use of org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken in project milo by eclipse.
the class SessionFsmFactory method activateSession.
@SuppressWarnings("Duplicates")
private static CompletableFuture<OpcUaSession> activateSession(FsmContext<State, Event> ctx, OpcUaClient client, CreateSessionResponse csr) {
UaStackClient stackClient = client.getStackClient();
try {
EndpointDescription endpoint = client.getConfig().getEndpoint();
ByteString csrNonce = csr.getServerNonce();
SignedIdentityToken signedIdentityToken = client.getConfig().getIdentityProvider().getIdentityToken(endpoint, csrNonce);
UserIdentityToken userIdentityToken = signedIdentityToken.getToken();
SignatureData userTokenSignature = signedIdentityToken.getSignature();
ActivateSessionRequest request = new ActivateSessionRequest(client.newRequestHeader(csr.getAuthenticationToken()), buildClientSignature(client.getConfig(), csrNonce), new SignedSoftwareCertificate[0], new String[0], ExtensionObject.encode(client.getStaticSerializationContext(), userIdentityToken), userTokenSignature);
LOGGER.debug("[{}] Sending ActivateSessionRequest...", ctx.getInstanceId());
return stackClient.sendRequest(request).thenApply(ActivateSessionResponse.class::cast).thenCompose(asr -> {
ByteString asrNonce = asr.getServerNonce();
// TODO check for repeated nonce?
OpcUaSession session = new OpcUaSession(csr.getAuthenticationToken(), csr.getSessionId(), client.getConfig().getSessionName().get(), csr.getRevisedSessionTimeout(), csr.getMaxRequestMessageSize(), csr.getServerCertificate(), csr.getServerSoftwareCertificates());
session.setServerNonce(asrNonce);
return completedFuture(session);
});
} catch (Exception ex) {
return failedFuture(ex);
}
}
Also used :
SignatureData(org.eclipse.milo.opcua.stack.core.types.structured.SignatureData)
OpcUaSession(org.eclipse.milo.opcua.sdk.client.OpcUaSession)
ActivateSessionRequest(org.eclipse.milo.opcua.stack.core.types.structured.ActivateSessionRequest)
UaStackClient(org.eclipse.milo.opcua.stack.client.UaStackClient)
ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)
SignedIdentityToken(org.eclipse.milo.opcua.sdk.client.api.identity.SignedIdentityToken)
EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription)
UserIdentityToken(org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken)
CertificateEncodingException(java.security.cert.CertificateEncodingException)
UaException(org.eclipse.milo.opcua.stack.core.UaException)
Example 2 with UserIdentityToken
use of org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken in project milo by eclipse.
the class SessionManager method activateSession.
private ActivateSessionResponse activateSession(ServiceRequest serviceRequest) throws UaException {
ActivateSessionRequest request = (ActivateSessionRequest) serviceRequest.getRequest();
long secureChannelId = serviceRequest.getSecureChannelId();
NodeId authToken = request.getRequestHeader().getAuthenticationToken();
List<SignedSoftwareCertificate> clientSoftwareCertificates = l(request.getClientSoftwareCertificates());
Session session = createdSessions.get(authToken);
if (session == null) {
session = activeSessions.get(authToken);
if (session == null) {
throw new UaException(StatusCodes.Bad_SessionIdInvalid);
} else {
verifyClientSignature(session, request);
SecurityConfiguration securityConfiguration = session.getSecurityConfiguration();
if (session.getSecureChannelId() == secureChannelId) {
/*
* Identity change
*/
UserIdentityToken identityToken = decodeIdentityToken(request.getUserIdentityToken(), session.getEndpoint().getUserIdentityTokens());
Object identityObject = validateIdentityToken(session, identityToken, request.getUserTokenSignature());
StatusCode[] results = new StatusCode[clientSoftwareCertificates.size()];
Arrays.fill(results, StatusCode.GOOD);
ByteString serverNonce = NonceUtil.generateNonce(32);
session.setClientAddress(serviceRequest.getClientAddress());
session.setIdentityObject(identityObject, identityToken);
session.setLastNonce(serverNonce);
session.setLocaleIds(request.getLocaleIds());
return new ActivateSessionResponse(serviceRequest.createResponseHeader(), serverNonce, results, new DiagnosticInfo[0]);
} else {
/*
* Associate session with new secure channel if client certificate and identity token match.
*/
ByteString clientCertificateBytes = serviceRequest.getClientCertificateBytes();
UserIdentityToken identityToken = decodeIdentityToken(request.getUserIdentityToken(), session.getEndpoint().getUserIdentityTokens());
Object identityObject = validateIdentityToken(session, identityToken, request.getUserTokenSignature());
boolean sameIdentity = Objects.equal(identityObject, session.getIdentityObject());
boolean sameCertificate = Objects.equal(clientCertificateBytes, securityConfiguration.getClientCertificateBytes());
if (sameIdentity && sameCertificate) {
SecurityConfiguration newSecurityConfiguration = createSecurityConfiguration(serviceRequest.getEndpoint(), clientCertificateBytes);
session.setEndpoint(serviceRequest.getEndpoint());
session.setSecureChannelId(secureChannelId);
session.setSecurityConfiguration(newSecurityConfiguration);
logger.debug("Session id={} is now associated with secureChannelId={}", session.getSessionId(), secureChannelId);
StatusCode[] results = new StatusCode[clientSoftwareCertificates.size()];
Arrays.fill(results, StatusCode.GOOD);
ByteString serverNonce = NonceUtil.generateNonce(32);
session.setClientAddress(serviceRequest.getClientAddress());
session.setLastNonce(serverNonce);
session.setLocaleIds(request.getLocaleIds());
return new ActivateSessionResponse(serviceRequest.createResponseHeader(), serverNonce, results, new DiagnosticInfo[0]);
} else {
throw new UaException(StatusCodes.Bad_SecurityChecksFailed);
}
}
}
} else {
if (secureChannelId != session.getSecureChannelId()) {
throw new UaException(StatusCodes.Bad_SecurityChecksFailed);
}
verifyClientSignature(session, request);
UserIdentityToken identityToken = decodeIdentityToken(request.getUserIdentityToken(), session.getEndpoint().getUserIdentityTokens());
Object identityObject = validateIdentityToken(session, identityToken, request.getUserTokenSignature());
createdSessions.remove(authToken);
activeSessions.put(authToken, session);
StatusCode[] results = new StatusCode[clientSoftwareCertificates.size()];
Arrays.fill(results, StatusCode.GOOD);
ByteString serverNonce = NonceUtil.generateNonce(32);
session.setClientAddress(serviceRequest.getClientAddress());
session.setIdentityObject(identityObject, identityToken);
session.setLocaleIds(request.getLocaleIds());
session.setLastNonce(serverNonce);
return new ActivateSessionResponse(serviceRequest.createResponseHeader(), serverNonce, results, new DiagnosticInfo[0]);
}
}
Also used :
ActivateSessionRequest(org.eclipse.milo.opcua.stack.core.types.structured.ActivateSessionRequest)
UaException(org.eclipse.milo.opcua.stack.core.UaException)
ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)
StatusCode(org.eclipse.milo.opcua.stack.core.types.builtin.StatusCode)
NodeId(org.eclipse.milo.opcua.stack.core.types.builtin.NodeId)
SignedSoftwareCertificate(org.eclipse.milo.opcua.stack.core.types.structured.SignedSoftwareCertificate)
ExtensionObject(org.eclipse.milo.opcua.stack.core.types.builtin.ExtensionObject)
UserIdentityToken(org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken)
ActivateSessionResponse(org.eclipse.milo.opcua.stack.core.types.structured.ActivateSessionResponse)
Example 3 with UserIdentityToken
use of org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken in project milo by eclipse.
the class SessionManager method validateIdentityToken.
private Object validateIdentityToken(Session session, Object tokenObject, SignatureData tokenSignature) throws UaException {
IdentityValidator identityValidator = server.getConfig().getIdentityValidator();
UserTokenPolicy tokenPolicy = validatePolicyId(session, tokenObject);
if (tokenObject instanceof UserIdentityToken) {
return identityValidator.validateIdentityToken(session, (UserIdentityToken) tokenObject, tokenPolicy, tokenSignature);
} else {
throw new UaException(StatusCodes.Bad_IdentityTokenInvalid);
}
}
Also used :
IdentityValidator(org.eclipse.milo.opcua.sdk.server.identity.IdentityValidator)
UaException(org.eclipse.milo.opcua.stack.core.UaException)
UserIdentityToken(org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken)
UserTokenPolicy(org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy)
Example 4 with UserIdentityToken
use of org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken in project milo by eclipse.
the class SessionManager method validatePolicyId.
/**
* Validates the policyId on a {@link UserIdentityToken} Object is a policyId that exists on the Endpoint that
* {@code session} is connected to.
*
* @param session the current {@link Session}
* @param tokenObject the {@link UserIdentityToken} Object from the client.
* @return the first {@link UserTokenPolicy} on the Endpoint matching the policyId.
* @throws UaException if the token object is invalid or no matching policy is found.
*/
private UserTokenPolicy validatePolicyId(Session session, Object tokenObject) throws UaException {
if (tokenObject instanceof UserIdentityToken) {
UserIdentityToken token = (UserIdentityToken) tokenObject;
String policyId = token.getPolicyId();
List<UserTokenPolicy> userIdentityTokens = l(session.getEndpoint().getUserIdentityTokens());
Optional<UserTokenPolicy> policy = userIdentityTokens.stream().filter(t -> Objects.equal(policyId, t.getPolicyId())).findFirst();
return policy.orElseThrow(() -> new UaException(StatusCodes.Bad_IdentityTokenInvalid, "policy not found: " + policyId));
} else {
throw new UaException(StatusCodes.Bad_IdentityTokenInvalid);
}
}
Also used :
X509Certificate(java.security.cert.X509Certificate)
KeyPair(java.security.KeyPair)
SignedSoftwareCertificate(org.eclipse.milo.opcua.stack.core.types.structured.SignedSoftwareCertificate)
MonitoredItemServiceSet(org.eclipse.milo.opcua.stack.server.services.MonitoredItemServiceSet)
DigestUtil.sha1(org.eclipse.milo.opcua.stack.core.util.DigestUtil.sha1)
Arrays(java.util.Arrays)
ApplicationType(org.eclipse.milo.opcua.stack.core.types.enumerated.ApplicationType)
ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)
LoggerFactory(org.slf4j.LoggerFactory)
ExtensionObject(org.eclipse.milo.opcua.stack.core.types.builtin.ExtensionObject)
ByteBuffer(java.nio.ByteBuffer)
UserIdentityToken(org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken)
AttributeServiceSet(org.eclipse.milo.opcua.stack.server.services.AttributeServiceSet)
SecurityAlgorithm(org.eclipse.milo.opcua.stack.core.security.SecurityAlgorithm)
Unsigned.uint(org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned.uint)
Duration(java.time.Duration)
Map(java.util.Map)
NodeManagementServiceSet(org.eclipse.milo.opcua.stack.server.services.NodeManagementServiceSet)
Objects(com.google.common.base.Objects)
ServiceAttributes(org.eclipse.milo.opcua.sdk.server.services.ServiceAttributes)
CertificateUtil(org.eclipse.milo.opcua.stack.core.util.CertificateUtil)
RoundingMode(java.math.RoundingMode)
CreateSessionRequest(org.eclipse.milo.opcua.stack.core.types.structured.CreateSessionRequest)
ActivateSessionRequest(org.eclipse.milo.opcua.stack.core.types.structured.ActivateSessionRequest)
ServerDiagnosticsSummary(org.eclipse.milo.opcua.sdk.server.diagnostics.ServerDiagnosticsSummary)
NodeId(org.eclipse.milo.opcua.stack.core.types.builtin.NodeId)
UUID(java.util.UUID)
Bytes(com.google.common.primitives.Bytes)
DiagnosticInfo(org.eclipse.milo.opcua.stack.core.types.builtin.DiagnosticInfo)
ActivateSessionResponse(org.eclipse.milo.opcua.stack.core.types.structured.ActivateSessionResponse)
Nullable(org.jetbrains.annotations.Nullable)
List(java.util.List)
StatusCode(org.eclipse.milo.opcua.stack.core.types.builtin.StatusCode)
CloseSessionResponse(org.eclipse.milo.opcua.stack.core.types.structured.CloseSessionResponse)
Optional(java.util.Optional)
NotNull(org.jetbrains.annotations.NotNull)
EndpointUtil(org.eclipse.milo.opcua.stack.core.util.EndpointUtil)
SubscriptionServiceSet(org.eclipse.milo.opcua.stack.server.services.SubscriptionServiceSet)
CopyOnWriteArrayList(java.util.concurrent.CopyOnWriteArrayList)
CloseSessionRequest(org.eclipse.milo.opcua.stack.core.types.structured.CloseSessionRequest)
ViewServiceSet(org.eclipse.milo.opcua.stack.server.services.ViewServiceSet)
UserTokenPolicy(org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy)
UaRuntimeException(org.eclipse.milo.opcua.stack.core.UaRuntimeException)
Strings.nullToEmpty(com.google.common.base.Strings.nullToEmpty)
IdentityValidator(org.eclipse.milo.opcua.sdk.server.identity.IdentityValidator)
CreateSessionResponse(org.eclipse.milo.opcua.stack.core.types.structured.CreateSessionResponse)
ArrayList(java.util.ArrayList)
Lists(com.google.common.collect.Lists)
ServiceRequest(org.eclipse.milo.opcua.stack.server.services.ServiceRequest)
EndpointDescription(org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription)
ServerCertificateValidator(org.eclipse.milo.opcua.stack.server.security.ServerCertificateValidator)
MethodServiceSet(org.eclipse.milo.opcua.stack.server.services.MethodServiceSet)
ConversionUtil.l(org.eclipse.milo.opcua.stack.core.util.ConversionUtil.l)
MessageSecurityMode(org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode)
SignatureData(org.eclipse.milo.opcua.stack.core.types.structured.SignatureData)
AttributeHistoryServiceSet(org.eclipse.milo.opcua.stack.server.services.AttributeHistoryServiceSet)
SecurityPolicy(org.eclipse.milo.opcua.stack.core.security.SecurityPolicy)
QueryServiceSet(org.eclipse.milo.opcua.stack.server.services.QueryServiceSet)
DoubleMath(com.google.common.math.DoubleMath)
StatusCodes(org.eclipse.milo.opcua.stack.core.StatusCodes)
SignatureUtil(org.eclipse.milo.opcua.stack.core.util.SignatureUtil)
Lists.newCopyOnWriteArrayList(com.google.common.collect.Lists.newCopyOnWriteArrayList)
Logger(org.slf4j.Logger)
UInteger(org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.UInteger)
AnonymousIdentityToken(org.eclipse.milo.opcua.stack.core.types.structured.AnonymousIdentityToken)
UserTokenType(org.eclipse.milo.opcua.stack.core.types.enumerated.UserTokenType)
SessionServiceSet(org.eclipse.milo.opcua.stack.server.services.SessionServiceSet)
Maps(com.google.common.collect.Maps)
NonceUtil(org.eclipse.milo.opcua.stack.core.util.NonceUtil)
ApplicationDescription(org.eclipse.milo.opcua.stack.core.types.structured.ApplicationDescription)
UaException(org.eclipse.milo.opcua.stack.core.UaException)
UaException(org.eclipse.milo.opcua.stack.core.UaException)
UserIdentityToken(org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken)
ByteString(org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)
UserTokenPolicy(org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy)
Aggregations
UaException (org.eclipse.milo.opcua.stack.core.UaException)4
UserIdentityToken (org.eclipse.milo.opcua.stack.core.types.structured.UserIdentityToken)4
ByteString (org.eclipse.milo.opcua.stack.core.types.builtin.ByteString)3
ActivateSessionRequest (org.eclipse.milo.opcua.stack.core.types.structured.ActivateSessionRequest)3
IdentityValidator (org.eclipse.milo.opcua.sdk.server.identity.IdentityValidator)2
ExtensionObject (org.eclipse.milo.opcua.stack.core.types.builtin.ExtensionObject)2
NodeId (org.eclipse.milo.opcua.stack.core.types.builtin.NodeId)2
StatusCode (org.eclipse.milo.opcua.stack.core.types.builtin.StatusCode)2
ActivateSessionResponse (org.eclipse.milo.opcua.stack.core.types.structured.ActivateSessionResponse)2
EndpointDescription (org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription)2
SignatureData (org.eclipse.milo.opcua.stack.core.types.structured.SignatureData)2
SignedSoftwareCertificate (org.eclipse.milo.opcua.stack.core.types.structured.SignedSoftwareCertificate)2
UserTokenPolicy (org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy)2
Objects (com.google.common.base.Objects)1
Strings.nullToEmpty (com.google.common.base.Strings.nullToEmpty)1
Lists (com.google.common.collect.Lists)1
Lists.newCopyOnWriteArrayList (com.google.common.collect.Lists.newCopyOnWriteArrayList)1
Maps (com.google.common.collect.Maps)1
DoubleMath (com.google.common.math.DoubleMath)1
Bytes (com.google.common.primitives.Bytes)1
