void
Service_ActivateSession(UA_Server *server, UA_SecureChannel *channel,
UA_Session *session, const UA_ActivateSessionRequest *request,
UA_ActivateSessionResponse *response) {
if(session->validTill < UA_DateTime_nowMonotonic()) {
UA_LOG_INFO_SESSION(server->config.logger, session,
"ActivateSession: SecureChannel %i wants "
"to activate, but the session has timed out",
channel->securityToken.channelId);
response->responseHeader.serviceResult =
UA_STATUSCODE_BADSESSIONIDINVALID;
return;
}
checkSignature(server, channel, session, request, response);
if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD)
return;
/* Callback into userland access control */
response->responseHeader.serviceResult =
server->config.accessControl.activateSession(&session->sessionId,
&request->userIdentityToken,
&session->sessionHandle);
if(response->responseHeader.serviceResult != UA_STATUSCODE_GOOD)
return;
/* Detach the old SecureChannel */
if(session->channel && session->channel != channel) {
UA_LOG_INFO_SESSION(server->config.logger, session,
"ActivateSession: Detach from old channel");
UA_SecureChannel_detachSession(session->channel, session);
}
/* Attach to the SecureChannel and activate */
UA_SecureChannel_attachSession(channel, session);
session->activated = true;
UA_Session_updateLifetime(session);
UA_LOG_INFO_SESSION(server->config.logger, session,
"ActivateSession: Session activated");
}
void
Service_ActivateSession(UA_Server *server, UA_SecureChannel *channel, UA_Session *session,
const UA_ActivateSessionRequest *request, UA_ActivateSessionResponse *response) {
if(session->validTill < UA_DateTime_now()) {
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: SecureChannel %i wants "
"to activate, but the session has timed out", channel->securityToken.channelId);
response->responseHeader.serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID;
return;
}
if(request->userIdentityToken.encoding < UA_EXTENSIONOBJECT_DECODED ||
(request->userIdentityToken.content.decoded.type != &UA_TYPES[UA_TYPES_ANONYMOUSIDENTITYTOKEN] &&
request->userIdentityToken.content.decoded.type != &UA_TYPES[UA_TYPES_USERNAMEIDENTITYTOKEN])) {
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: SecureChannel %i wants "
"to activate, but the UserIdentify token is invalid",
channel->securityToken.channelId);
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
UA_String ap = UA_STRING(ANONYMOUS_POLICY);
UA_String up = UA_STRING(USERNAME_POLICY);
/* Compatibility notice: Siemens OPC Scout v10 provides an empty policyId,
this is not okay For compatibility we will assume that empty policyId == ANONYMOUS_POLICY
if(token.policyId->data == NULL)
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
*/
if(server->config.enableAnonymousLogin &&
request->userIdentityToken.content.decoded.type == &UA_TYPES[UA_TYPES_ANONYMOUSIDENTITYTOKEN]) {
/* anonymous login */
const UA_AnonymousIdentityToken *token = request->userIdentityToken.content.decoded.data;
if(token->policyId.data && !UA_String_equal(&token->policyId, &ap)) {
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
} else if(server->config.enableUsernamePasswordLogin &&
request->userIdentityToken.content.decoded.type == &UA_TYPES[UA_TYPES_USERNAMEIDENTITYTOKEN]) {
/* username login */
const UA_UserNameIdentityToken *token = request->userIdentityToken.content.decoded.data;
if(!UA_String_equal(&token->policyId, &up)) {
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
if(token->encryptionAlgorithm.length > 0) {
/* we don't support encryption */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
if(token->userName.length == 0 && token->password.length == 0) {
/* empty username and password */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
/* trying to match pw/username */
UA_Boolean match = false;
for(size_t i = 0; i < server->config.usernamePasswordLoginsSize; i++) {
UA_String *user = &server->config.usernamePasswordLogins[i].username;
UA_String *pw = &server->config.usernamePasswordLogins[i].password;
if(UA_String_equal(&token->userName, user) && UA_String_equal(&token->password, pw)) {
match = true;
break;
}
}
if(!match) {
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Did not find matching username/password");
response->responseHeader.serviceResult = UA_STATUSCODE_BADUSERACCESSDENIED;
return;
}
} else {
/* Unsupported token type */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
return;
}
/* Detach the old SecureChannel */
if(session->channel && session->channel != channel) {
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Detach from old channel");
UA_SecureChannel_detachSession(session->channel, session);
}
/* Attach to the SecureChannel and activate */
UA_SecureChannel_attachSession(channel, session);
session->activated = true;
UA_Session_updateLifetime(session);
UA_LOG_INFO_SESSION(server->config.logger, session, "ActivateSession: Session activated");
}
void Service_ActivateSession(UA_Server *server, UA_SecureChannel *channel,
const UA_ActivateSessionRequest *request,
UA_ActivateSessionResponse *response) {
// make the channel know about the session
UA_Session *foundSession =
UA_SessionManager_getSession(&server->sessionManager,
(const UA_NodeId*)&request->requestHeader.authenticationToken);
if(foundSession == UA_NULL) {
response->responseHeader.serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID;
return;
} else if(foundSession->validTill < UA_DateTime_now()) {
response->responseHeader.serviceResult = UA_STATUSCODE_BADSESSIONIDINVALID;
return;
}
UA_UserIdentityToken token;
UA_UserIdentityToken_init(&token);
size_t offset = 0;
UA_UserIdentityToken_decodeBinary(&request->userIdentityToken.body, &offset, &token);
UA_UserNameIdentityToken username_token;
UA_UserNameIdentityToken_init(&username_token);
UA_String ap = UA_STRING(ANONYMOUS_POLICY);
UA_String up = UA_STRING(USERNAME_POLICY);
//(Compatibility notice)
//Siemens OPC Scout v10 provides an empty policyId, this is not okay
//For compatibility we will assume that empty policyId == ANONYMOUS_POLICY
//if(token.policyId.data == UA_NULL) {
// /* 1) no policy defined */
// response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
//} else
//(End Compatibility notice)
if(server->config.Login_enableAnonymous && (token.policyId.data == UA_NULL || UA_String_equal(&token.policyId, &ap))) {
/* 2) anonymous logins */
if(foundSession->channel && foundSession->channel != channel)
UA_SecureChannel_detachSession(foundSession->channel, foundSession);
UA_SecureChannel_attachSession(channel, foundSession);
foundSession->activated = UA_TRUE;
UA_Session_updateLifetime(foundSession);
} else if(server->config.Login_enableUsernamePassword && UA_String_equal(&token.policyId, &up)) {
/* 3) username logins */
offset = 0;
UA_UserNameIdentityToken_decodeBinary(&request->userIdentityToken.body, &offset, &username_token);
if(username_token.encryptionAlgorithm.data != UA_NULL) {
/* 3.1) we only support encryption */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
} else if(username_token.userName.length == -1 && username_token.password.length == -1){
/* 3.2) empty username and password */
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
} else {
/* 3.3) ok, trying to match the username */
UA_UInt32 i = 0;
for(; i < server->config.Login_loginsCount; ++i) {
UA_String user = UA_STRING(server->config.Login_usernames[i]);
UA_String pw = UA_STRING(server->config.Login_passwords[i]);
if(UA_String_equal(&username_token.userName, &user) &&
UA_String_equal(&username_token.password, &pw)) {
/* success - activate */
if(foundSession->channel && foundSession->channel != channel)
UA_SecureChannel_detachSession(foundSession->channel, foundSession);
UA_SecureChannel_attachSession(channel, foundSession);
foundSession->activated = UA_TRUE;
UA_Session_updateLifetime(foundSession);
break;
}
}
/* no username/pass matched */
if(i >= server->config.Login_loginsCount)
response->responseHeader.serviceResult = UA_STATUSCODE_BADUSERACCESSDENIED;
}
} else {
response->responseHeader.serviceResult = UA_STATUSCODE_BADIDENTITYTOKENINVALID;
}
UA_UserIdentityToken_deleteMembers(&token);
UA_UserNameIdentityToken_deleteMembers(&username_token);
return;
}
