/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a WSS token. IssuedIdentityToken wssToken = args.NewIdentity as IssuedIdentityToken; // check for a user name token. UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { args.Identity = VerifyPassword(userNameToken); Logger.Information($"UserName Token Accepted: {args.Identity.DisplayName}"); return; } // check for x509 user token. X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken; if (x509Token != null) { VerifyCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); Logger.Information($"X509 Token Accepted: {args.Identity.DisplayName}"); return; } }
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { UserNameIdentityToken userNameIdentityToken = args.NewIdentity as UserNameIdentityToken; if (userNameIdentityToken != null) { args.Identity = VerifyPassword(userNameIdentityToken); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); if (args.Identity is SystemConfigurationIdentity) { args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin); } return; } X509IdentityToken x509IdentityToken = args.NewIdentity as X509IdentityToken; if (x509IdentityToken != null) { VerifyUserTokenCertificate(x509IdentityToken.Certificate); args.Identity = new UserIdentity(x509IdentityToken); Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); return; } args.Identity = new UserIdentity(); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous); }
/// <summary> /// Check whether it is an acceptable session. /// </summary> /// <param name="session">The session.</param> /// <param name="args">IdentityToken.</param> void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { switch (args.UserTokenPolicy.TokenType) { case UserTokenType.UserName: UserNameIdentityToken token = args.NewIdentity as UserNameIdentityToken; if (!m_userNameValidator.Validate(token)) { // Bad user access denied. // construct translation object with default text. TranslationInfo info = new TranslationInfo( "InvalidUserInformation", "en-US", "Specified user information are not valid. UserName='******'.", token.UserName); // create an exception with a vendor defined sub-code. throw new ServiceResultException(new ServiceResult( StatusCodes.BadUserAccessDenied, "InvalidUserInformation", "http://opcfoundation.org", new LocalizedText(info))); } break; default: break; } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { if (session == null) { throw new ArgumentNullException(nameof(session)); } // check for a WSS token. var wssToken = args.NewIdentity as IssuedIdentityToken; // check for a user name token. if (args.NewIdentity is UserNameIdentityToken userNameToken) { VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword); args.Identity = new UserIdentity(userNameToken); Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName); return; } // check for x509 user token. if (args.NewIdentity is X509IdentityToken x509Token) { VerifyCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName); return; } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a WSS token. IssuedIdentityToken wssToken = args.NewIdentity as IssuedIdentityToken; if (wssToken != null) { SecurityToken samlToken = ParseAndVerifySamlToken(wssToken.DecryptedTokenData); args.Identity = new UserIdentity(samlToken); Utils.Trace("SAML Token Accepted: {0}", args.Identity.DisplayName); return; } // check for a user name token. UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword); args.Identity = new UserIdentity(userNameToken); Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName); return; } // check for x509 user token. X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken; if (userNameToken != null) { VerifyCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName); return; } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { try { switch (args.NewIdentity) { //New connection entry point // check for a user name token. case UserNameIdentityToken userNameToken: args.Identity = VerifyPassword(userNameToken); return; // check for x509 user token. case X509IdentityToken x509Token: VerifyUserTokenCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); Utils.Trace($"X509 Token Accepted: {args.Identity.DisplayName}"); return; } } catch (Exception e) { Utils.Trace($"Session Manager Impersonate Exception:\r\n{e.StackTrace}"); } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> protected virtual void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a user name token if (args.NewIdentity is AnonymousIdentityToken anonymousToken) { args.Identity = new RoleBasedIdentity(new UserIdentity(), GdsRole.ApplicationUser); return; } // check for a user name token if (args.NewIdentity is UserNameIdentityToken userNameToken) { #if UNITTESTONLY if (VerifyPassword(userNameToken)) { switch (userNameToken.UserName) { // Server configuration administrator, manages the GDS server security case "sysadmin": { args.Identity = new SystemConfigurationIdentity(new UserIdentity(userNameToken)); Utils.Trace("SystemConfigurationAdmin Token Accepted: {0}", args.Identity.DisplayName); return; } // GDS administrator case "appadmin": { args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationAdmin); Utils.Trace("ApplicationAdmin Token Accepted: {0}", args.Identity.DisplayName); return; } // GDS user case "appuser": { args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationUser); Utils.Trace("ApplicationUser Token Accepted: {0}", args.Identity.DisplayName); return; } } } #endif } // check for x509 user token. if (args.NewIdentity is X509IdentityToken x509Token) { GdsRole role = GdsRole.ApplicationAdmin; VerifyUserTokenCertificate(x509Token.Certificate); Utils.Trace("X509 Token Accepted: {0} as {1}", args.Identity.DisplayName, role.ToString()); args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role); return; } throw new ServiceResultException(new ServiceResult(StatusCodes.BadUserAccessDenied)); }
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { switch (args.NewIdentity) { // check for a user name token case UserNameIdentityToken userNameToken: { if (VerifyPassword(userNameToken)) { switch (userNameToken.UserName) { // Server configuration administrator, manages the GDS server security case "sysadmin": { args.Identity = new SystemConfigurationIdentity(new UserIdentity(userNameToken)); Utils.Trace($"SystemConfigurationAdmin Token Accepted: {args.Identity.DisplayName}"); return; } // GDS administrator case "appadmin": { //can register to GDS args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationAdmin); Utils.Trace($"ApplicationAdmin Token Accepted: {args.Identity.DisplayName}"); return; } // GDS user case "appuser": { args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationUser); Utils.Trace($"ApplicationUser Token Accepted: {args.Identity.DisplayName}"); return; } } } break; } // check for x509 user token. case X509IdentityToken x509Token: { const GdsRole role = GdsRole.ApplicationUser; VerifyUserTokenCertificate(x509Token.Certificate); // todo: is cert listed in admin list? then // role = GdsRole.ApplicationAdmin; Utils.Trace($"X509 Token Accepted: {args.Identity.DisplayName} as {role.ToString()}"); args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role); return; } } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a user name token UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { if (VerifyPassword(userNameToken)) { switch (userNameToken.UserName) { // Server configuration administrator, manages the GDS server security case "sysadmin": { args.Identity = new SystemConfigurationIdentity(new UserIdentity(userNameToken)); Utils.LogInfo("SystemConfigurationAdmin Token Accepted: {0}", args.Identity.DisplayName); return; } // GDS administrator case "appadmin": { args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationAdmin); Utils.LogInfo("ApplicationAdmin Token Accepted: {0}", args.Identity.DisplayName); return; } // GDS user case "appuser": { args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationUser); Utils.LogInfo("ApplicationUser Token Accepted: {0}", args.Identity.DisplayName); return; } } } } // check for x509 user token. X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken; if (x509Token != null) { GdsRole role = GdsRole.ApplicationUser; VerifyUserTokenCertificate(x509Token.Certificate); // todo: is cert listed in admin list? then // role = GdsRole.ApplicationAdmin; Utils.LogInfo("X509 Token Accepted: {0} as {1}", args.Identity.DisplayName, role.ToString()); args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role); return; } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a user name token. UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { args.Identity = VerifyPassword(userNameToken); return; } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a user name token. UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword); args.Identity = new UserIdentity(userNameToken); Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName); } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a user name token. UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { args.Identity = VerifyPassword(userNameToken); Utils.LogInfo(Utils.TraceMasks.Security, "Username Token Accepted: {0}", args.Identity?.DisplayName); // set AuthenticatedUser role for accepted user/password authentication args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); if (args.Identity is SystemConfigurationIdentity) { // set ConfigureAdmin role for user with permission to configure server args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin); } return; } // check for x509 user token. X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken; if (x509Token != null) { VerifyUserTokenCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); Utils.LogInfo(Utils.TraceMasks.Security, "X509 Token Accepted: {0}", args.Identity?.DisplayName); // set AuthenticatedUser role for accepted certificate authentication args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); return; } // check for anonymous token. if (args.NewIdentity is AnonymousIdentityToken || args.NewIdentity == null) { // allow anonymous authentication and set Anonymous role for this authentication args.Identity = new UserIdentity(); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous); return; } // unsuported identity token type. throw ServiceResultException.Create(StatusCodes.BadIdentityTokenInvalid, "Not supported user token type: {0}.", args.NewIdentity); }
/// <summary> /// Called when a client tries to change its user identity. /// 当客户端尝试更改其用户身份时调用 /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a user name token. // 检查用户名令牌 UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword); args.Identity = new UserIdentity(userNameToken); return; } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { if (args.NewIdentity is UserNameIdentityToken userNameToken) { // check for a user name token args.Identity = VerifyPassword(userNameToken); // set AuthenticatedUser role for accepted user/password authentication args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); if (args.Identity is SystemConfigurationIdentity) { // set ConfigureAdmin role for user with permission to configure server args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin); } } else if (args.NewIdentity is X509IdentityToken x509Token) { // check for x509 user token VerifyUserTokenCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); // set AuthenticatedUser role for accepted certificate authentication args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); } else if (string.IsNullOrEmpty(options.Username)) { // allow anonymous authentication and set Anonymous role for this authentication args.Identity = new UserIdentity(); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous); log.WriteAction(Locale.IsRussian ? "Анонимная аутентификация" : "Anonymous authentication"); } else { string msg = Locale.IsRussian ? "Анонимная аутентификация не допускается" : "Anonymous authentication is not allowed"; log.WriteError(msg); throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected, msg); } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a user name token. UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { args.Identity = VerifyPassword(userNameToken); return; } // check for x509 user token. X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken; if (x509Token != null) { VerifyUserTokenCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName); return; } }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for a user name token. UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { args.Identity = VerifyPassword(userNameToken); // set AuthenticatedUser role for accepted user/password authentication args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); if (args.Identity is SystemConfigurationIdentity) { // set ConfigureAdmin role for user with permission to configure server args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin); } return; } // check for x509 user token. X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken; if (x509Token != null) { VerifyUserTokenCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName); // set AuthenticatedUser role for accepted certificate authentication args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser); return; } // allow anonymous authentication and set Anonymous role for this authentication args.Identity = new UserIdentity(); args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous); }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { if (session == null) { throw new ArgumentNullException(nameof(session)); } if (args.NewIdentity is AnonymousIdentityToken guest) { args.Identity = new UserIdentity(guest); Utils.Trace("Guest access accepted: {0}", args.Identity.DisplayName); return; } // check for a user name token. if (args.NewIdentity is UserNameIdentityToken userNameToken) { var admin = VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword); args.Identity = new UserIdentity(userNameToken); if (admin) { args.Identity = new SystemConfigurationIdentity(args.Identity); } Utils.Trace("UserName Token accepted: {0}", args.Identity.DisplayName); return; } // check for x509 user token. if (args.NewIdentity is X509IdentityToken x509Token) { var admin = VerifyCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); if (admin) { args.Identity = new SystemConfigurationIdentity(args.Identity); } Utils.Trace("X509 Token accepted: {0}", args.Identity.DisplayName); return; } // check for x509 user token. if (args.NewIdentity is IssuedIdentityToken wssToken) { var admin = VerifyToken(wssToken); args.Identity = new UserIdentity(wssToken); if (admin) { args.Identity = new SystemConfigurationIdentity(args.Identity); } Utils.Trace("Issued Token accepted: {0}", args.Identity.DisplayName); return; } // construct translation object with default text. var info = new TranslationInfo("InvalidToken", "en-US", "Specified token is not valid."); // create an exception with a vendor defined sub-code. throw new ServiceResultException(new ServiceResult( StatusCodes.BadIdentityTokenRejected, "Bad token", kServerNamespaceUri, new LocalizedText(info))); }
/// <summary> /// Called when a client tries to change its user identity. /// </summary> private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) { // check for an issued token. IssuedIdentityToken issuedToken = args.NewIdentity as IssuedIdentityToken; if (issuedToken != null) { if (args.UserTokenPolicy.IssuedTokenType == "http://opcfoundation.org/UA/UserTokenPolicy#JWT") { JwtEndpointParameters parameters = new JwtEndpointParameters(); parameters.FromJson(args.UserTokenPolicy.IssuerEndpointUrl); var jwt = new UTF8Encoding().GetString(issuedToken.DecryptedTokenData); var identity = ValidateJwt(parameters, jwt); Utils.Trace("JSON Web Token Accepted: {0}", identity.DisplayName); args.Identity = identity; return; } } // check for a user name token. UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken; if (userNameToken != null) { var identity = new UserIdentity(userNameToken); var token = (UserNameIdentityToken)identity.GetIdentityToken(); switch (token.UserName) { case "gdsadmin": { if (token.DecryptedPassword == "demo") { Utils.Trace("GdsAdmin Token Accepted: {0}", args.Identity.DisplayName); return; } break; } case "appadmin": { if (token.DecryptedPassword == "demo") { args.Identity = new RoleBasedIdentity(identity, GdsRole.ApplicationAdmin); Utils.Trace("ApplicationAdmin Token Accepted: {0}", args.Identity.DisplayName); return; } break; } case "appuser": { if (token.DecryptedPassword == "demo") { args.Identity = new RoleBasedIdentity(identity, GdsRole.ApplicationUser); Utils.Trace("ApplicationUser Token Accepted: {0}", args.Identity.DisplayName); return; } break; } } args.Identity = identity; Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName); return; } // check for x509 user token. X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken; if (x509Token != null) { VerifyCertificate(x509Token.Certificate); args.Identity = new UserIdentity(x509Token); Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName); return; } }