Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

policyId of the userTokenPolicy must be unique within the context of a single Server #1140

Closed
GregoireG-C opened this issue Oct 8, 2020 · 0 comments
Closed

policyId of the userTokenPolicy must be unique within the context of a single Server #1140

GregoireG-C opened this issue Oct 8, 2020 · 0 comments
Assignees
@AlinMoldovean
Labels
bug A bug was identified and should be fixed.

Comments

@GregoireG-C
Copy link

Hello guys,

I report something that can be interpreted as a bug.

In Stack/SErver/ServerBase.Cs, we found GetUserTokenPolicies that returns the policies linked to the different endpoints.

protected virtual UserTokenPolicyCollection GetUserTokenPolicies(ApplicationConfiguration configuration, EndpointDescription description)
        {
            UserTokenPolicyCollection policies = new UserTokenPolicyCollection();

            if (configuration.ServerConfiguration == null || configuration.ServerConfiguration.UserTokenPolicies == null)
            {
                return policies;
            }

            foreach (UserTokenPolicy policy in configuration.ServerConfiguration.UserTokenPolicies)
            {
                // ensure a security policy is specified for user tokens.
                if (description.SecurityMode == MessageSecurityMode.None)
                {
                    if (String.IsNullOrEmpty(policy.SecurityPolicyUri))
                    {
                        UserTokenPolicy clone = (UserTokenPolicy)policy.MemberwiseClone();
                        clone.SecurityPolicyUri = SecurityPolicies.Basic256;
                        policies.Add(clone);
                        continue;
                    }
                }

                policies.Add(policy);
            }

            // ensure each policy has a unique id.
            for (int ii = 0; ii < policies.Count; ii++)
            {
                if (String.IsNullOrEmpty(policies[ii].PolicyId))
                {
                    policies[ii].PolicyId = Utils.Format("{0}", ii);
                }
            }

            return policies;
        }

My problem is in the case you have multiple endpoints and you are using the 3 token types : Anonymous, UserName and Certificate. In the config you precise nothing for the UserTokenPolicies :

<UserTokenPolicies xmlns:a="http://opcfoundation.org/UA/2008/02/Types.xsd">
      <a:UserTokenPolicy>
        <a:PolicyId i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
        <a:TokenType>Anonymous_0</a:TokenType>
        <a:IssuedTokenType i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
        <a:IssuerEndpointUrl i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
        <a:SecurityPolicyUri i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
      </a:UserTokenPolicy>
      <a:UserTokenPolicy>
        <a:PolicyId i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
        <a:TokenType>UserName_1</a:TokenType>
        <a:IssuedTokenType i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
        <a:IssuerEndpointUrl i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
        <a:SecurityPolicyUri i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
      </a:UserTokenPolicy>
      <a:UserTokenPolicy>
        <a:PolicyId i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
        <a:TokenType>Certificate_2</a:TokenType>
        <a:IssuedTokenType i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
        <a:IssuerEndpointUrl i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
        <a:SecurityPolicyUri i:nil="true" xmlns:i="http://www.w3.org/2001/XMLSchema-instance" />
      </a:UserTokenPolicy>
    </UserTokenPolicies>

In this case because of

if (String.IsNullOrEmpty(policy.SecurityPolicyUri))
                    {
                        UserTokenPolicy clone = (UserTokenPolicy)policy.MemberwiseClone();
                        clone.SecurityPolicyUri = SecurityPolicies.Basic256;
                        policies.Add(clone);
                        continue;
                    }

You will have two Tokens with the same id and two SecurityPolicyUri different. One with SecurityPolicies.Basic256, the other null which is not allowed by the OPCUA specification.

I correct by addind an offset for the case of description.SecurityMode == MessageSecurityMode.None :

protected virtual UserTokenPolicyCollection GetUserTokenPolicies(ApplicationConfiguration configuration, EndpointDescription description)
        {
            UserTokenPolicyCollection policies = new UserTokenPolicyCollection();

            if (configuration.ServerConfiguration == null || configuration.ServerConfiguration.UserTokenPolicies == null)
            {
                return policies;
            }

            foreach (UserTokenPolicy policy in configuration.ServerConfiguration.UserTokenPolicies)
            {
                // ensure a security policy is specified for user tokens.
                if (description.SecurityMode == MessageSecurityMode.None)
                {
                    if (String.IsNullOrEmpty(policy.SecurityPolicyUri))
                    {
                        UserTokenPolicy clone = (UserTokenPolicy)policy.MemberwiseClone();
                        clone.SecurityPolicyUri = SecurityPolicies.Basic256;
                        policies.Add(clone);
                        continue;
                    }
                }

                policies.Add(policy);
            }
            // ensure each policy has a unique id.
            int policyIdOffset = 0;
            if (description.SecurityMode == MessageSecurityMode.None):
                    policyIdOffset = 3;
            for (int ii = 0; ii < policies.Count; ii++)
            {
                if (String.IsNullOrEmpty(policies[ii].PolicyId))
                {
                    policies[ii].PolicyId = Utils.Format("{0}", ii+ policyIdOffset);
                }
            }
            return policies;
        }

Best Regards :)
@AlinMoldovean AlinMoldovean self-assigned this Apr 12, 2021
@AlinMoldovean AlinMoldovean added bug A bug was identified and should be fixed. and removed needs investigation labels Apr 12, 2021
AlinMoldovean added a commit to AlinMoldovean/UA-.NETStandard that referenced this issue Apr 12, 2021
@AlinMoldovean
Fixes OPCFoundation#1140 - Ensure UserTokenPolicy.policyId is unique …
dfb9725 
…within the context of the server.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@AlinMoldovean AlinMoldovean

Labels
bug A bug was identified and should be fixed.
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
3 participants
@mregen @AlinMoldovean @GregoireG-C