Examples with UserTokenPolicy org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy used on opensource projects

Example 1 with UserTokenPolicy

use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.

the class AnonymousProviderTest method testGetIdentityToken_EmptyPolicyId.

@Test
public void testGetIdentityToken_EmptyPolicyId() throws Exception {
    EndpointDescription endpoint = new EndpointDescription(null, null, null, null, null, new UserTokenPolicy[] { new UserTokenPolicy("", UserTokenType.Anonymous, null, null, null) }, null, null);
    AnonymousProvider p = new AnonymousProvider();
    SignedIdentityToken signedIdentityToken = p.getIdentityToken(endpoint, ByteString.NULL_VALUE);
    assertEquals(signedIdentityToken.getToken().getPolicyId(), "");
    assertTrue(signedIdentityToken.getToken() instanceof AnonymousIdentityToken);
}

Example 2 with UserTokenPolicy

use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.

the class AnonymousProviderTest method testGetIdentityToken.

@Test
public void testGetIdentityToken() throws Exception {
    EndpointDescription endpoint = new EndpointDescription(null, null, null, null, null, new UserTokenPolicy[] { new UserTokenPolicy("anonymous", UserTokenType.Anonymous, null, null, null) }, null, null);
    AnonymousProvider p = new AnonymousProvider();
    SignedIdentityToken signedIdentityToken = p.getIdentityToken(endpoint, ByteString.NULL_VALUE);
    assertEquals(signedIdentityToken.getToken().getPolicyId(), "anonymous");
    assertTrue(signedIdentityToken.getToken() instanceof AnonymousIdentityToken);
}

Example 3 with UserTokenPolicy

use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.

the class SessionManager method validateIdentityToken.

private Object validateIdentityToken(Session session, Object tokenObject, SignatureData tokenSignature) throws UaException {
    IdentityValidator identityValidator = server.getConfig().getIdentityValidator();
    UserTokenPolicy tokenPolicy = validatePolicyId(session, tokenObject);
    if (tokenObject instanceof UserIdentityToken) {
        return identityValidator.validateIdentityToken(session, (UserIdentityToken) tokenObject, tokenPolicy, tokenSignature);
    } else {
        throw new UaException(StatusCodes.Bad_IdentityTokenInvalid);
    }
}

Example 4 with UserTokenPolicy

use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.

the class SessionManager method validatePolicyId.

/**
 * Validates the policyId on a {@link UserIdentityToken} Object is a policyId that exists on the Endpoint that
 * {@code session} is connected to.
 *
 * @param session     the current {@link Session}
 * @param tokenObject the {@link UserIdentityToken} Object from the client.
 * @return the first {@link UserTokenPolicy} on the Endpoint matching the policyId.
 * @throws UaException if the token object is invalid or no matching policy is found.
 */
private UserTokenPolicy validatePolicyId(Session session, Object tokenObject) throws UaException {
    if (tokenObject instanceof UserIdentityToken) {
        UserIdentityToken token = (UserIdentityToken) tokenObject;
        String policyId = token.getPolicyId();
        List<UserTokenPolicy> userIdentityTokens = l(session.getEndpoint().getUserIdentityTokens());
        Optional<UserTokenPolicy> policy = userIdentityTokens.stream().filter(t -> Objects.equal(policyId, t.getPolicyId())).findFirst();
        return policy.orElseThrow(() -> new UaException(StatusCodes.Bad_IdentityTokenInvalid, "policy not found: " + policyId));
    } else {
        throw new UaException(StatusCodes.Bad_IdentityTokenInvalid);
    }
}

Example 5 with UserTokenPolicy

use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.

the class UsernameProvider method getIdentityToken.

@Override
public SignedIdentityToken getIdentityToken(EndpointDescription endpoint, ByteString serverNonce) throws Exception {
    List<UserTokenPolicy> userIdentityTokens = l(endpoint.getUserIdentityTokens());
    List<UserTokenPolicy> tokenPolicies = userIdentityTokens.stream().filter(t -> t.getTokenType() == UserTokenType.UserName).collect(Collectors.toList());
    if (tokenPolicies.isEmpty()) {
        throw new Exception("no UserTokenPolicy with UserTokenType.UserName found");
    }
    UserTokenPolicy tokenPolicy = policyChooser.apply(tokenPolicies);
    SecurityPolicy securityPolicy;
    String securityPolicyUri = tokenPolicy.getSecurityPolicyUri();
    try {
        if (securityPolicyUri == null || securityPolicyUri.isEmpty()) {
            securityPolicyUri = endpoint.getSecurityPolicyUri();
        }
        securityPolicy = SecurityPolicy.fromUri(securityPolicyUri);
    } catch (Throwable t) {
        throw new UaException(StatusCodes.Bad_SecurityPolicyRejected, t);
    }
    byte[] passwordBytes = password.getBytes(StandardCharsets.UTF_8);
    byte[] nonceBytes = serverNonce.bytesOrEmpty();
    ByteBuf buffer = Unpooled.buffer();
    if (securityPolicy == SecurityPolicy.None) {
        buffer.writeBytes(passwordBytes);
    } else {
        NonceUtil.validateNonce(serverNonce);
        buffer.writeIntLE(passwordBytes.length + nonceBytes.length);
        buffer.writeBytes(passwordBytes);
        buffer.writeBytes(nonceBytes);
        ByteString bs = endpoint.getServerCertificate();
        if (bs == null || bs.isNull()) {
            throw new UaException(StatusCodes.Bad_ConfigurationError, "UserTokenPolicy requires encryption but " + "server did not provide a certificate in endpoint");
        }
        List<X509Certificate> certificateChain = CertificateUtil.decodeCertificates(bs.bytes());
        X509Certificate certificate = certificateChain.get(0);
        if (SecurityPolicy.None.getUri().equals(endpoint.getSecurityPolicyUri()) || !Stack.TCP_UASC_UABINARY_TRANSPORT_URI.equals(endpoint.getTransportProfileUri())) {
            // If the SecurityPolicy is None or if this is an HTTP(S) connection the certificate used to encrypt
            // the username and password must be trusted. Otherwise, if it's a secure connection, the certificate
            // will have already been validated and verified when the secure channel or session was created.
            certificateValidator.validateCertificateChain(certificateChain, endpoint.getServer().getApplicationUri(), EndpointUtil.getHost(endpoint.getEndpointUrl()));
        }
        int plainTextBlockSize = SecureChannel.getAsymmetricPlainTextBlockSize(certificate, securityPolicy.getAsymmetricEncryptionAlgorithm());
        int cipherTextBlockSize = SecureChannel.getAsymmetricCipherTextBlockSize(certificate, securityPolicy.getAsymmetricEncryptionAlgorithm());
        int blockCount = (buffer.readableBytes() + plainTextBlockSize - 1) / plainTextBlockSize;
        Cipher cipher = getAndInitializeCipher(certificate, securityPolicy);
        ByteBuffer plainTextNioBuffer = buffer.nioBuffer();
        ByteBuffer cipherTextNioBuffer = Unpooled.buffer(cipherTextBlockSize * blockCount).nioBuffer(0, cipherTextBlockSize * blockCount);
        for (int blockNumber = 0; blockNumber < blockCount; blockNumber++) {
            int position = blockNumber * plainTextBlockSize;
            int limit = Math.min(buffer.readableBytes(), (blockNumber + 1) * plainTextBlockSize);
            ((Buffer) plainTextNioBuffer).position(position);
            ((Buffer) plainTextNioBuffer).limit(limit);
            cipher.doFinal(plainTextNioBuffer, cipherTextNioBuffer);
        }
        ((Buffer) cipherTextNioBuffer).flip();
        buffer = Unpooled.wrappedBuffer(cipherTextNioBuffer);
    }
    byte[] bs = new byte[buffer.readableBytes()];
    buffer.readBytes(bs);
    // UA Part 4, Section 7.35.3 UserNameIdentityToken:
    // encryptionAlgorithm parameter is null if the password is not encrypted.
    String securityAlgorithmUri = securityPolicy.getAsymmetricEncryptionAlgorithm().getUri();
    String encryptionAlgorithm = securityAlgorithmUri.isEmpty() ? null : securityAlgorithmUri;
    UserNameIdentityToken token = new UserNameIdentityToken(tokenPolicy.getPolicyId(), username, ByteString.of(bs), encryptionAlgorithm);
    return new SignedIdentityToken(token, new SignatureData(null, null));
}