/* The request/response are casted to the header (first element of their struct) */
static void invoke_service(UA_Server *server, UA_SecureChannel *channel,
UA_UInt32 requestId, UA_RequestHeader *request, const UA_DataType *responseType,
void (*service)(UA_Server*, UA_Session*, void*, void*)) {
UA_ResponseHeader *response = UA_alloca(responseType->memSize);
UA_init(response, responseType);
init_response_header(request, response);
/* try to get the session from the securechannel first */
UA_Session *session = UA_SecureChannel_getSession(channel, &request->authenticationToken);
if(!session)
session = UA_SessionManager_getSession(&server->sessionManager, &request->authenticationToken);
if(!session)
response->serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID;
else if(session->activated == UA_FALSE) {
response->serviceResult = UA_STATUSCODE_BADSESSIONNOTACTIVATED;
/* the session is invalidated FIXME: do this delayed*/
UA_SessionManager_removeSession(&server->sessionManager, &request->authenticationToken);
} else if(session->channel != channel) {
response->serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID;
} else {
UA_Session_updateLifetime(session);
service(server, session, request, response);
}
UA_SecureChannel_sendBinaryMessage(channel, requestId, response, responseType);
UA_deleteMembers(response, responseType);
}
END_TEST
START_TEST(Session_updateLifetime_ShallWork) {
UA_Session session;
UA_Session_init(&session);
UA_DateTime tmpDateTime;
tmpDateTime = session.validTill;
UA_Session_updateLifetime(&session);
UA_Int32 result = (session.validTill >= tmpDateTime);
ck_assert_int_gt(result,0);
}
/* The request/response are casted to the header (first element of their struct) */
static void invoke_service(UA_Server *server, UA_SecureChannel *channel, UA_UInt32 requestId,
UA_RequestHeader *request, const UA_DataType *responseType,
void (*service)(UA_Server*, UA_Session*, void*, void*)) {
UA_ResponseHeader *response = UA_alloca(responseType->memSize);
UA_init(response, responseType);
init_response_header(request, response);
/* try to get the session from the securechannel first */
UA_Session *session = UA_SecureChannel_getSession(channel, &request->authenticationToken);
#ifdef EXTENSION_STATELESS
if(request->authenticationToken.namespaceIndex == 0
&& request->authenticationToken.identifierType == UA_NODEIDTYPE_NUMERIC
&& request->authenticationToken.identifier.numeric == 0
&& (responseType->typeIndex == UA_TYPES_READRESPONSE
|| responseType->typeIndex == UA_TYPES_WRITERESPONSE
|| responseType->typeIndex == UA_TYPES_BROWSERESPONSE)
){
session = &anonymousSession;
service(server, session, request, response);
}else{
#endif
if(!session || session->channel != channel) {
response->serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID;
} else if(session->activated == UA_FALSE) {
response->serviceResult = UA_STATUSCODE_BADSESSIONNOTACTIVATED;
/* /\* the session is invalidated FIXME: do this delayed*\/ */
/* UA_SessionManager_removeSession(&server->sessionManager, server, &request->authenticationToken); */
} else {
UA_Session_updateLifetime(session);
service(server, session, request, response);
}
#ifdef EXTENSION_STATELESS
}
#endif
UA_StatusCode retval = UA_SecureChannel_sendBinaryMessage(channel, requestId, response, responseType);
if(retval != UA_STATUSCODE_GOOD) {
if(retval == UA_STATUSCODE_BADENCODINGLIMITSEXCEEDED)
response->serviceResult = UA_STATUSCODE_BADRESPONSETOOLARGE;
else
response->serviceResult = retval;
UA_SecureChannel_sendBinaryMessage(channel, requestId, response, &UA_TYPES[UA_TYPES_SERVICEFAULT]);
}
UA_deleteMembers(response, responseType);
}
void
Service_ActivateSession(UA_Server *server, UA_SecureChannel *channel,
UA_Session *session, const UA_ActivateSessionRequest *request,
UA_ActivateSessionResponse *response) {
if(session->validTill < UA_DateTime_nowMonotonic()) {
UA_LOG_INFO_SESSION(server->config.logger, session,
"ActivateSession: SecureChannel %i wants "
"to activate, but the session has timed out",
channel->securityToken.channelId);
response->responseHeader.serviceResult =
UA_STATUSCODE_BADSESSIONIDINVALID;
return;
}
checkSignature(server, channel, session, request, response);
if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD)
return;
/* Callback into userland access control */
response->responseHeader.serviceResult =
server->config.accessControl.activateSession(&session->sessionId,
&request->userIdentityToken,
&session->sessionHandle);
if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD)
return;
/* Detach the old SecureChannel */
if(session->channel && session->channel != channel) {
UA_LOG_INFO_SESSION(server->config.logger, session,
"ActivateSession: Detach from old channel");
UA_SecureChannel_detachSession(session->channel, session);
}
/* Attach to the SecureChannel and activate */
UA_SecureChannel_attachSession(channel, session);
session->activated = true;
UA_Session_updateLifetime(session);
UA_LOG_INFO_SESSION(server->config.logger, session,
"ActivateSession: Session activated");
}
static void
processMSG(UA_Server *server, UA_SecureChannel *channel,
UA_UInt32 requestId, const UA_ByteString *msg) {
/* At 0, the nodeid starts... */
size_t ppos = 0;
size_t *offset = &ppos;
/* Decode the nodeid */
UA_NodeId requestTypeId;
UA_StatusCode retval = UA_NodeId_decodeBinary(msg, offset, &requestTypeId);
if(retval != UA_STATUSCODE_GOOD)
return;
if(requestTypeId.identifierType != UA_NODEIDTYPE_NUMERIC)
UA_NodeId_deleteMembers(&requestTypeId); /* leads to badserviceunsupported */
/* Store the start-position of the request */
size_t requestPos = *offset;
/* Get the service pointers */
UA_Service service = NULL;
const UA_DataType *requestType = NULL;
const UA_DataType *responseType = NULL;
UA_Boolean sessionRequired = true;
getServicePointers(requestTypeId.identifier.numeric, &requestType,
&responseType, &service, &sessionRequired);
if(!requestType) {
if(requestTypeId.identifier.numeric == 787) {
UA_LOG_INFO_CHANNEL(server->config.logger, channel,
"Client requested a subscription, " \
"but those are not enabled in the build");
} else {
UA_LOG_INFO_CHANNEL(server->config.logger, channel, "Unknown request %i",
requestTypeId.identifier.numeric);
}
sendError(channel, msg, requestPos, &UA_TYPES[UA_TYPES_SERVICEFAULT],
requestId, UA_STATUSCODE_BADSERVICEUNSUPPORTED);
return;
}
UA_assert(responseType);
#ifdef UA_ENABLE_NONSTANDARD_STATELESS
/* Stateless extension: Sessions are optional */
sessionRequired = false;
#endif
/* Decode the request */
void *request = UA_alloca(requestType->memSize);
UA_RequestHeader *requestHeader = (UA_RequestHeader*)request;
retval = UA_decodeBinary(msg, offset, request, requestType);
if(retval != UA_STATUSCODE_GOOD) {
UA_LOG_DEBUG_CHANNEL(server->config.logger, channel, "Could not decode the request");
sendError(channel, msg, requestPos, responseType, requestId, retval);
return;
}
/* Prepare the respone */
void *response = UA_alloca(responseType->memSize);
UA_init(response, responseType);
UA_Session *session = NULL; /* must be initialized before goto send_response */
/* CreateSession doesn't need a session */
if(requestType == &UA_TYPES[UA_TYPES_CREATESESSIONREQUEST]) {
Service_CreateSession(server, channel, request, response);
goto send_response;
}
/* Find the matching session */
session = UA_SecureChannel_getSession(channel, &requestHeader->authenticationToken);
if(!session)
session = UA_SessionManager_getSession(&server->sessionManager,
&requestHeader->authenticationToken);
if(requestType == &UA_TYPES[UA_TYPES_ACTIVATESESSIONREQUEST]) {
if(!session) {
UA_LOG_DEBUG_CHANNEL(server->config.logger, channel,
"Trying to activate a session that is " \
"not known in the server");
sendError(channel, msg, requestPos, responseType,
requestId, UA_STATUSCODE_BADSESSIONIDINVALID);
UA_deleteMembers(request, requestType);
return;
}
Service_ActivateSession(server, channel, session, request, response);
goto send_response;
}
/* Set an anonymous, inactive session for services that need no session */
UA_Session anonymousSession;
if(!session) {
if(sessionRequired) {
UA_LOG_INFO_CHANNEL(server->config.logger, channel,
"Service request %i without a valid session",
requestType->binaryEncodingId);
sendError(channel, msg, requestPos, responseType,
requestId, UA_STATUSCODE_BADSESSIONIDINVALID);
UA_deleteMembers(request, requestType);
return;
}
UA_Session_init(&anonymousSession);
anonymousSession.sessionId = UA_NODEID_GUID(0, UA_GUID_NULL);
anonymousSession.channel = channel;
session = &anonymousSession;
}
/* Trying to use a non-activated session? */
if(sessionRequired && !session->activated) {
UA_LOG_INFO_SESSION(server->config.logger, session,
"Calling service %i on a non-activated session",
requestType->binaryEncodingId);
sendError(channel, msg, requestPos, responseType,
requestId, UA_STATUSCODE_BADSESSIONNOTACTIVATED);
UA_SessionManager_removeSession(&server->sessionManager,
&session->authenticationToken);
UA_deleteMembers(request, requestType);
return;
}
/* The session is bound to another channel */
if(session->channel != channel) {
UA_LOG_DEBUG_CHANNEL(server->config.logger, channel,
"Client tries to use an obsolete securechannel");
sendError(channel, msg, requestPos, responseType,
requestId, UA_STATUSCODE_BADSECURECHANNELIDINVALID);
UA_deleteMembers(request, requestType);
return;
}
/* Update the session lifetime */
UA_Session_updateLifetime(session);
#ifdef UA_ENABLE_SUBSCRIPTIONS
/* The publish request is not answered immediately */
if(requestType == &UA_TYPES[UA_TYPES_PUBLISHREQUEST]) {
Service_Publish(server, session, request, requestId);
UA_deleteMembers(request, requestType);
return;
}
#endif
/* Call the service */
UA_assert(service); /* For all services besides publish, the service pointer is non-NULL*/
service(server, session, request, response);
send_response:
/* Send the response */
((UA_ResponseHeader*)response)->requestHandle = requestHeader->requestHandle;
((UA_ResponseHeader*)response)->timestamp = UA_DateTime_now();
retval = UA_SecureChannel_sendBinaryMessage(channel, requestId, response, responseType);
if(retval != UA_STATUSCODE_GOOD)
UA_LOG_INFO_CHANNEL(server->config.logger, channel, "Could not send the message over "
"the SecureChannel with error code 0x%08x", retval);
/* Clean up */
UA_deleteMembers(request, requestType);
UA_deleteMembers(response, responseType);
}
void
Service_ActivateSession(UA_Server *server, UA_SecureChannel *channel, UA_Session *session,
const UA_ActivateSessionRequest *request, UA_ActivateSessionResponse *response) {
if(session->validTill < UA_DateTime_now()) {
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: SecureChannel %i wants "
"to activate, but the session has timed out", channel->securityToken.channelId);
response->responseHeader.serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID;
return;
}
if(request->userIdentityToken.encoding < UA_EXTENSIONOBJECT_DECODED ||
(request->userIdentityToken.content.decoded.type != &UA_TYPES[UA_TYPES_ANONYMOUSIDENTITYTOKEN] &&
request->userIdentityToken.content.decoded.type != &UA_TYPES[UA_TYPES_USERNAMEIDENTITYTOKEN])) {
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: SecureChannel %i wants "
"to activate, but the UserIdentify token is invalid",
channel->securityToken.channelId);
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
UA_String ap = UA_STRING(ANONYMOUS_POLICY);
UA_String up = UA_STRING(USERNAME_POLICY);
/* Compatibility notice: Siemens OPC Scout v10 provides an empty policyId,
this is not okay For compatibility we will assume that empty policyId == ANONYMOUS_POLICY
if(token.policyId->data == NULL)
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
*/
if(server->config.enableAnonymousLogin &&
request->userIdentityToken.content.decoded.type == &UA_TYPES[UA_TYPES_ANONYMOUSIDENTITYTOKEN]) {
/* anonymous login */
const UA_AnonymousIdentityToken *token = request->userIdentityToken.content.decoded.data;
if(token->policyId.data && !UA_String_equal(&token->policyId, &ap)) {
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
} else if(server->config.enableUsernamePasswordLogin &&
request->userIdentityToken.content.decoded.type == &UA_TYPES[UA_TYPES_USERNAMEIDENTITYTOKEN]) {
/* username login */
const UA_UserNameIdentityToken *token = request->userIdentityToken.content.decoded.data;
if(!UA_String_equal(&token->policyId, &up)) {
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
if(token->encryptionAlgorithm.length > 0) {
/* we don't support encryption */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
if(token->userName.length == 0 && token->password.length == 0) {
/* empty username and password */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
/* trying to match pw/username */
UA_Boolean match = false;
for(size_t i = 0; i < server->config.usernamePasswordLoginsSize; i++) {
UA_String *user = &server->config.usernamePasswordLogins[i].username;
UA_String *pw = &server->config.usernamePasswordLogins[i].password;
if(UA_String_equal(&token->userName, user) && UA_String_equal(&token->password, pw)) {
match = true;
break;
}
}
if(!match) {
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Did not find matching username/password");
response->responseHeader.serviceResult = UA_STATUSCODE_BADUSERACCESSDENIED;
return;
}
} else {
/* Unsupported token type */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
/* Detach the old SecureChannel */
if(session->channel && session->channel != channel) {
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Detach from old channel");
UA_SecureChannel_detachSession(session->channel, session);
}
/* Attach to the SecureChannel and activate */
UA_SecureChannel_attachSession(channel, session);
session->activated = true;
UA_Session_updateLifetime(session);
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Session activated");
}
void Service_ActivateSession(UA_Server *server, UA_SecureChannel *channel,
const UA_ActivateSessionRequest *request,
UA_ActivateSessionResponse *response) {
// make the channel know about the session
UA_Session *foundSession =
UA_SessionManager_getSession(&server->sessionManager,
(const UA_NodeId*)&request->requestHeader.authenticationToken);
if(foundSession == UA_NULL) {
response->responseHeader.serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID;
return;
} else if(foundSession->validTill < UA_DateTime_now()) {
response->responseHeader.serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID;
return;
}
UA_UserIdentityToken token;
UA_UserIdentityToken_init(&token);
size_t offset = 0;
UA_UserIdentityToken_decodeBinary(&request->userIdentityToken.body, &offset, &token);
UA_UserNameIdentityToken username_token;
UA_UserNameIdentityToken_init(&username_token);
UA_String ap = UA_STRING(ANONYMOUS_POLICY);
UA_String up = UA_STRING(USERNAME_POLICY);
//(Compatibility notice)
//Siemens OPC Scout v10 provides an empty policyId, this is not okay
//For compatibility we will assume that empty policyId == ANONYMOUS_POLICY
//if(token.policyId.data == UA_NULL) {
// /* 1) no policy defined */
// response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
//} else
//(End Compatibility notice)
if(server->config.Login_enableAnonymous && (token.policyId.data == UA_NULL || UA_String_equal(&token.policyId, &ap))) {
/* 2) anonymous logins */
if(foundSession->channel && foundSession->channel != channel)
UA_SecureChannel_detachSession(foundSession->channel, foundSession);
UA_SecureChannel_attachSession(channel, foundSession);
foundSession->activated = UA_TRUE;
UA_Session_updateLifetime(foundSession);
} else if(server->config.Login_enableUsernamePassword && UA_String_equal(&token.policyId, &up)) {
/* 3) username logins */
offset = 0;
UA_UserNameIdentityToken_decodeBinary(&request->userIdentityToken.body, &offset, &username_token);
if(username_token.encryptionAlgorithm.data != UA_NULL) {
/* 3.1) we only support encryption */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
} else if(username_token.userName.length == -1 && username_token.password.length == -1){
/* 3.2) empty username and password */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
} else {
/* 3.3) ok, trying to match the username */
UA_UInt32 i = 0;
for(; i < server->config.Login_loginsCount; ++i) {
UA_String user = UA_STRING(server->config.Login_usernames[i]);
UA_String pw = UA_STRING(server->config.Login_passwords[i]);
if(UA_String_equal(&username_token.userName, &user) &&
UA_String_equal(&username_token.password, &pw)) {
/* success - activate */
if(foundSession->channel && foundSession->channel != channel)
UA_SecureChannel_detachSession(foundSession->channel, foundSession);
UA_SecureChannel_attachSession(channel, foundSession);
foundSession->activated = UA_TRUE;
UA_Session_updateLifetime(foundSession);
break;
}
}
/* no username/pass matched */
if(i >= server->config.Login_loginsCount)
response->responseHeader.serviceResult = UA_STATUSCODE_BADUSERACCESSDENIED;
}
} else {
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
}
UA_UserIdentityToken_deleteMembers(&token);
UA_UserNameIdentityToken_deleteMembers(&username_token);
return;
}
static void
processMSG(UA_Connection *connection, UA_Server *server, const UA_ByteString *msg, size_t *pos) {
/* If we cannot decode these, don't respond */
UA_UInt32 secureChannelId = 0;
UA_UInt32 tokenId = 0;
UA_SequenceHeader sequenceHeader;
UA_NodeId requestTypeId;
UA_StatusCode retval = UA_UInt32_decodeBinary(msg, pos, &secureChannelId);
retval |= UA_UInt32_decodeBinary(msg, pos, &tokenId);
retval |= UA_SequenceHeader_decodeBinary(msg, pos, &sequenceHeader);
retval = UA_NodeId_decodeBinary(msg, pos, &requestTypeId);
if(retval != UA_STATUSCODE_GOOD)
return;
UA_SecureChannel *channel = connection->channel;
UA_SecureChannel anonymousChannel;
if(!channel) {
UA_SecureChannel_init(&anonymousChannel);
anonymousChannel.connection = connection;
channel = &anonymousChannel;
}
/* Test if the secure channel is ok */
if(secureChannelId != channel->securityToken.channelId)
return;
if(tokenId != channel->securityToken.tokenId) {
if(tokenId != channel->nextSecurityToken.tokenId) {
/* close the securechannel but keep the connection open */
UA_LOG_INFO(server->logger, UA_LOGCATEGORY_SECURECHANNEL,
"Request with a wrong security token. Closing the SecureChannel %i.",
channel->securityToken.channelId);
Service_CloseSecureChannel(server, channel->securityToken.channelId);
return;
}
UA_SecureChannel_revolveTokens(channel);
}
/* Test if the service type nodeid has the right format */
if(requestTypeId.identifierType != UA_NODEIDTYPE_NUMERIC ||
requestTypeId.namespaceIndex != 0) {
UA_NodeId_deleteMembers(&requestTypeId);
sendError(channel, msg, *pos, sequenceHeader.requestId, UA_STATUSCODE_BADSERVICEUNSUPPORTED);
return;
}
/* Get the service pointers */
UA_Service service = NULL;
const UA_DataType *requestType = NULL;
const UA_DataType *responseType = NULL;
getServicePointers(requestTypeId.identifier.numeric, &requestType, &responseType, &service);
if(!service) {
/* The service is not supported */
if(requestTypeId.identifier.numeric==787)
UA_LOG_INFO(server->logger, UA_LOGCATEGORY_SERVER,
"Client requested a subscription that are not supported, "
"the message will be skipped");
else
UA_LOG_INFO(server->logger, UA_LOGCATEGORY_SERVER, "Unknown request: NodeId(ns=%d, i=%d)",
requestTypeId.namespaceIndex, requestTypeId.identifier.numeric);
sendError(channel, msg, *pos, sequenceHeader.requestId, UA_STATUSCODE_BADSERVICEUNSUPPORTED);
return;
}
/* Most services can only be called with a valid securechannel */
#ifndef EXTENSION_STATELESS
if(channel == &anonymousChannel &&
requestType->typeIndex > UA_TYPES_OPENSECURECHANNELREQUEST) {
sendError(channel, msg, *pos, sequenceHeader.requestId, UA_STATUSCODE_BADSECURECHANNELIDINVALID);
return;
}
#endif
/* Decode the request */
void *request = UA_alloca(requestType->memSize);
size_t oldpos = *pos;
retval = UA_decodeBinary(msg, pos, request, requestType);
if(retval != UA_STATUSCODE_GOOD) {
sendError(channel, msg, oldpos, sequenceHeader.requestId, retval);
return;
}
/* Find the matching session */
UA_Session *session =
UA_SecureChannel_getSession(channel, &((UA_RequestHeader*)request)->authenticationToken);
UA_Session anonymousSession;
if(!session) {
UA_Session_init(&anonymousSession);
anonymousSession.channel = channel;
anonymousSession.activated = UA_TRUE;
session = &anonymousSession;
}
/* Test if the session is valid */
if(!session->activated && requestType->typeIndex != UA_TYPES_ACTIVATESESSIONREQUEST) {
UA_LOG_INFO(server->logger, UA_LOGCATEGORY_SERVER, "Client tries to call a service with a non-activated session");
sendError(channel, msg, *pos, sequenceHeader.requestId, UA_STATUSCODE_BADSESSIONNOTACTIVATED);
return;
}
#ifndef EXTENSION_STATELESS
if(session == &anonymousSession &&
requestType->typeIndex > UA_TYPES_ACTIVATESESSIONREQUEST) {
UA_LOG_INFO(server->logger, UA_LOGCATEGORY_SERVER, "Client tries to call a service without a session");
sendError(channel, msg, *pos, sequenceHeader.requestId, UA_STATUSCODE_BADSESSIONIDINVALID);
return;
}
#endif
/* Call the service */
UA_Session_updateLifetime(session);
void *response = UA_alloca(responseType->memSize);
UA_init(response, responseType);
init_response_header(request, response);
service(server, session, request, response);
/* Send the response */
retval = UA_SecureChannel_sendBinaryMessage(channel, sequenceHeader.requestId,
response, responseType);
if(retval != UA_STATUSCODE_GOOD) {
/* e.g. UA_STATUSCODE_BADENCODINGLIMITSEXCEEDED */
sendError(channel, msg, oldpos, sequenceHeader.requestId, retval);
}
/* Clean up */
UA_deleteMembers(request, requestType);
UA_deleteMembers(response, responseType);
return;
}
