use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.
the class AnonymousProviderTest method testGetIdentityToken_EmptyPolicyId.
/**
 * An anonymous policy whose policyId is the empty string must still be selected, and the empty id
 * must be echoed back verbatim in the resulting {@link AnonymousIdentityToken}.
 */
@Test
public void testGetIdentityToken_EmptyPolicyId() throws Exception {
    UserTokenPolicy emptyIdPolicy = new UserTokenPolicy("", UserTokenType.Anonymous, null, null, null);
    EndpointDescription endpoint = new EndpointDescription(
        null, null, null, null, null,
        new UserTokenPolicy[]{emptyIdPolicy},
        null, null
    );

    AnonymousProvider provider = new AnonymousProvider();
    SignedIdentityToken signed = provider.getIdentityToken(endpoint, ByteString.NULL_VALUE);

    // The provider must not substitute a default for the empty policyId.
    assertEquals(signed.getToken().getPolicyId(), "");
    assertTrue(signed.getToken() instanceof AnonymousIdentityToken);
}
use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.
the class AnonymousProviderTest method testGetIdentityToken.
/**
 * The provider picks the endpoint's anonymous policy and copies its policyId ("anonymous") into an
 * {@link AnonymousIdentityToken}.
 */
@Test
public void testGetIdentityToken() throws Exception {
    UserTokenPolicy anonymousPolicy = new UserTokenPolicy("anonymous", UserTokenType.Anonymous, null, null, null);
    EndpointDescription endpoint = new EndpointDescription(
        null, null, null, null, null,
        new UserTokenPolicy[]{anonymousPolicy},
        null, null
    );

    AnonymousProvider provider = new AnonymousProvider();
    SignedIdentityToken signed = provider.getIdentityToken(endpoint, ByteString.NULL_VALUE);

    assertEquals(signed.getToken().getPolicyId(), "anonymous");
    assertTrue(signed.getToken() instanceof AnonymousIdentityToken);
}
use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.
the class SessionManager method validateIdentityToken.
/**
 * Resolves the {@link UserTokenPolicy} referenced by {@code tokenObject} and hands the token,
 * the policy and the client's signature to the server's configured {@link IdentityValidator}.
 *
 * @param session        the {@link Session} the activation request belongs to
 * @param tokenObject    the decoded identity token sent by the client
 * @param tokenSignature the client's {@link SignatureData} over the token
 * @return whatever the configured {@link IdentityValidator} returns for the token
 * @throws UaException {@code Bad_IdentityTokenInvalid} if the object is not a
 *                     {@link UserIdentityToken} or its policyId does not exist on the endpoint
 */
private Object validateIdentityToken(Session session, Object tokenObject, SignatureData tokenSignature) throws UaException {
    IdentityValidator identityValidator = server.getConfig().getIdentityValidator();

    // Policy lookup happens first: a token naming an unknown policyId is rejected before any
    // credential material reaches the validator.
    UserTokenPolicy tokenPolicy = validatePolicyId(session, tokenObject);

    if (!(tokenObject instanceof UserIdentityToken)) {
        // validatePolicyId already rejects non-UserIdentityToken objects, so this guard only
        // documents the precondition for the cast below.
        throw new UaException(StatusCodes.Bad_IdentityTokenInvalid);
    }
    UserIdentityToken token = (UserIdentityToken) tokenObject;

    return identityValidator.validateIdentityToken(session, token, tokenPolicy, tokenSignature);
}
use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.
the class SessionManager method validatePolicyId.
/**
 * Checks that the policyId carried by a {@link UserIdentityToken} names a {@link UserTokenPolicy}
 * that is actually offered on the Endpoint {@code session} is connected to, and returns that policy.
 * <p>
 * Comparison uses {@code Objects.equal}, so a token with a {@code null} policyId would match an
 * endpoint policy whose policyId is also {@code null}.
 *
 * @param session     the current {@link Session}
 * @param tokenObject the {@link UserIdentityToken} Object received from the client
 * @return the first {@link UserTokenPolicy} on the Endpoint whose policyId equals the token's
 * @throws UaException {@code Bad_IdentityTokenInvalid} if {@code tokenObject} is not a
 *                     {@link UserIdentityToken}, or if no endpoint policy carries its policyId
 */
private UserTokenPolicy validatePolicyId(Session session, Object tokenObject) throws UaException {
    if (!(tokenObject instanceof UserIdentityToken)) {
        throw new UaException(StatusCodes.Bad_IdentityTokenInvalid);
    }

    String policyId = ((UserIdentityToken) tokenObject).getPolicyId();

    // First match wins, in the order the endpoint advertises its policies.
    for (UserTokenPolicy candidate : l(session.getEndpoint().getUserIdentityTokens())) {
        if (Objects.equal(policyId, candidate.getPolicyId())) {
            return candidate;
        }
    }

    throw new UaException(StatusCodes.Bad_IdentityTokenInvalid, "policy not found: " + policyId);
}
use of org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy in project milo by eclipse.
the class UsernameProvider method getIdentityToken.
/**
 * Builds a {@link UserNameIdentityToken} for {@code endpoint}.
 * <p>
 * The first step selects, via {@code policyChooser}, one of the endpoint's policies with
 * {@link UserTokenType#UserName}. The password is then either copied into the token as-is
 * (when the resolved {@link SecurityPolicy} is {@code None}) or encrypted block-by-block with
 * the endpoint's server certificate after the server nonce has been appended, as required by
 * OPC UA Part 4 for legacy-encrypted password tokens.
 *
 * @param endpoint    the endpoint the session is being activated against; supplies the token
 *                    policies, the fallback security policy URI and the server certificate
 * @param serverNonce the nonce issued by the server; validated only on the encrypting path
 * @return the token paired with an empty {@link SignatureData} (user tokens are not signed here)
 * @throws Exception   if the endpoint offers no {@code UserName} policy
 * @throws UaException {@code Bad_SecurityPolicyRejected} if the security policy URI cannot be
 *                     resolved, {@code Bad_ConfigurationError} if encryption is required but the
 *                     endpoint carries no server certificate
 */
@Override
public SignedIdentityToken getIdentityToken(EndpointDescription endpoint, ByteString serverNonce) throws Exception {
List<UserTokenPolicy> userIdentityTokens = l(endpoint.getUserIdentityTokens());
List<UserTokenPolicy> tokenPolicies = userIdentityTokens.stream().filter(t -> t.getTokenType() == UserTokenType.UserName).collect(Collectors.toList());
if (tokenPolicies.isEmpty()) {
throw new Exception("no UserTokenPolicy with UserTokenType.UserName found");
}
// policyChooser decides which UserName policy to use when the endpoint offers several.
UserTokenPolicy tokenPolicy = policyChooser.apply(tokenPolicies);
SecurityPolicy securityPolicy;
String securityPolicyUri = tokenPolicy.getSecurityPolicyUri();
try {
// A policy without its own security policy URI inherits the endpoint's.
if (securityPolicyUri == null || securityPolicyUri.isEmpty()) {
securityPolicyUri = endpoint.getSecurityPolicyUri();
}
securityPolicy = SecurityPolicy.fromUri(securityPolicyUri);
} catch (Throwable t) {
// NOTE(review): catches Throwable, so programming errors are also reported as
// Bad_SecurityPolicyRejected (cause is preserved).
throw new UaException(StatusCodes.Bad_SecurityPolicyRejected, t);
}
byte[] passwordBytes = password.getBytes(StandardCharsets.UTF_8);
byte[] nonceBytes = serverNonce.bytesOrEmpty();
ByteBuf buffer = Unpooled.buffer();
if (securityPolicy == SecurityPolicy.None) {
// With SecurityPolicy.None the password goes into the token unencrypted; nothing in this
// method protects it, so confidentiality rests entirely on the channel carrying the token.
buffer.writeBytes(passwordBytes);
} else {
// Encrypting path: the nonce must be a valid one before it is bound into the ciphertext.
NonceUtil.validateNonce(serverNonce);
// Plaintext layout: little-endian int32 length, then password bytes, then nonce bytes.
buffer.writeIntLE(passwordBytes.length + nonceBytes.length);
buffer.writeBytes(passwordBytes);
buffer.writeBytes(nonceBytes);
ByteString bs = endpoint.getServerCertificate();
if (bs == null || bs.isNull()) {
throw new UaException(StatusCodes.Bad_ConfigurationError, "UserTokenPolicy requires encryption but " + "server did not provide a certificate in endpoint");
}
List<X509Certificate> certificateChain = CertificateUtil.decodeCertificates(bs.bytes());
// Assumes decodeCertificates returns at least one certificate for a non-null ByteString;
// the leaf (index 0) is the encryption key — TODO confirm ordering guarantee.
X509Certificate certificate = certificateChain.get(0);
if (SecurityPolicy.None.getUri().equals(endpoint.getSecurityPolicyUri()) || !Stack.TCP_UASC_UABINARY_TRANSPORT_URI.equals(endpoint.getTransportProfileUri())) {
// If the SecurityPolicy is None or if this is an HTTP(S) connection the certificate used to encrypt
// the username and password must be trusted. Otherwise, if it's a secure connection, the certificate
// will have already been validated and verified when the secure channel or session was created.
// Without this check an untrusted certificate in the endpoint could be used to recover the password.
certificateValidator.validateCertificateChain(certificateChain, endpoint.getServer().getApplicationUri(), EndpointUtil.getHost(endpoint.getEndpointUrl()));
}
int plainTextBlockSize = SecureChannel.getAsymmetricPlainTextBlockSize(certificate, securityPolicy.getAsymmetricEncryptionAlgorithm());
int cipherTextBlockSize = SecureChannel.getAsymmetricCipherTextBlockSize(certificate, securityPolicy.getAsymmetricEncryptionAlgorithm());
// Ceiling division: a partial trailing block still needs its own cipher block.
int blockCount = (buffer.readableBytes() + plainTextBlockSize - 1) / plainTextBlockSize;
Cipher cipher = getAndInitializeCipher(certificate, securityPolicy);
ByteBuffer plainTextNioBuffer = buffer.nioBuffer();
ByteBuffer cipherTextNioBuffer = Unpooled.buffer(cipherTextBlockSize * blockCount).nioBuffer(0, cipherTextBlockSize * blockCount);
// Each plaintext block is encrypted independently with doFinal; the window on the shared
// plaintext buffer is moved with position/limit rather than by slicing.
for (int blockNumber = 0; blockNumber < blockCount; blockNumber++) {
int position = blockNumber * plainTextBlockSize;
// The last block is clipped to the remaining readable bytes.
int limit = Math.min(buffer.readableBytes(), (blockNumber + 1) * plainTextBlockSize);
// Cast to Buffer so position/limit resolve to the java.nio.Buffer overloads — presumably
// for Java 8 binary compatibility with the covariant ByteBuffer returns added in 9; confirm.
((Buffer) plainTextNioBuffer).position(position);
((Buffer) plainTextNioBuffer).limit(limit);
cipher.doFinal(plainTextNioBuffer, cipherTextNioBuffer);
}
((Buffer) cipherTextNioBuffer).flip();
// From here on `buffer` holds ciphertext; the plaintext ByteBuf is no longer referenced.
buffer = Unpooled.wrappedBuffer(cipherTextNioBuffer);
}
byte[] bs = new byte[buffer.readableBytes()];
buffer.readBytes(bs);
// UA Part 4, Section 7.35.3 UserNameIdentityToken:
// encryptionAlgorithm parameter is null if the password is not encrypted.
String securityAlgorithmUri = securityPolicy.getAsymmetricEncryptionAlgorithm().getUri();
String encryptionAlgorithm = securityAlgorithmUri.isEmpty() ? null : securityAlgorithmUri;
UserNameIdentityToken token = new UserNameIdentityToken(tokenPolicy.getPolicyId(), username, ByteString.of(bs), encryptionAlgorithm);
// The token is returned with an empty signature; signing is not performed in this provider.
return new SignedIdentityToken(token, new SignatureData(null, null));
}