/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a WSS token.
IssuedIdentityToken wssToken = args.NewIdentity as IssuedIdentityToken;
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
args.Identity = VerifyPassword(userNameToken);
Logger.Information($"UserName Token Accepted: {args.Identity.DisplayName}");
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
VerifyCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Logger.Information($"X509 Token Accepted: {args.Identity.DisplayName}");
return;
}
}
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
UserNameIdentityToken userNameIdentityToken = args.NewIdentity as UserNameIdentityToken;
if (userNameIdentityToken != null)
{
args.Identity = VerifyPassword(userNameIdentityToken);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
if (args.Identity is SystemConfigurationIdentity)
{
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin);
}
return;
}
X509IdentityToken x509IdentityToken = args.NewIdentity as X509IdentityToken;
if (x509IdentityToken != null)
{
VerifyUserTokenCertificate(x509IdentityToken.Certificate);
args.Identity = new UserIdentity(x509IdentityToken);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
return;
}
args.Identity = new UserIdentity();
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous);
}
/// <summary>
/// Check whether it is an acceptable session.
/// </summary>
/// <param name="session">The session.</param>
/// <param name="args">IdentityToken.</param>
void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
switch (args.UserTokenPolicy.TokenType)
{
case UserTokenType.UserName:
UserNameIdentityToken token = args.NewIdentity as UserNameIdentityToken;
if (!m_userNameValidator.Validate(token))
{ // Bad user access denied.
// construct translation object with default text.
TranslationInfo info = new TranslationInfo(
"InvalidUserInformation",
"en-US",
"Specified user information are not valid. UserName='******'.",
token.UserName);
// create an exception with a vendor defined sub-code.
throw new ServiceResultException(new ServiceResult(
StatusCodes.BadUserAccessDenied,
"InvalidUserInformation",
"http://opcfoundation.org",
new LocalizedText(info)));
}
break;
default:
break;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session,
ImpersonateEventArgs args)
{
if (session == null)
{
throw new ArgumentNullException(nameof(session));
}
// check for a WSS token.
var wssToken = args.NewIdentity as IssuedIdentityToken;
// check for a user name token.
if (args.NewIdentity is UserNameIdentityToken userNameToken)
{
VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword);
args.Identity = new UserIdentity(userNameToken);
Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// check for x509 user token.
if (args.NewIdentity is X509IdentityToken x509Token)
{
VerifyCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a WSS token.
IssuedIdentityToken wssToken = args.NewIdentity as IssuedIdentityToken;
if (wssToken != null)
{
SecurityToken samlToken = ParseAndVerifySamlToken(wssToken.DecryptedTokenData);
args.Identity = new UserIdentity(samlToken);
Utils.Trace("SAML Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword);
args.Identity = new UserIdentity(userNameToken);
Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (userNameToken != null)
{
VerifyCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
try
{
switch (args.NewIdentity)
{
//New connection entry point
// check for a user name token.
case UserNameIdentityToken userNameToken:
args.Identity = VerifyPassword(userNameToken);
return;
// check for x509 user token.
case X509IdentityToken x509Token:
VerifyUserTokenCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace($"X509 Token Accepted: {args.Identity.DisplayName}");
return;
}
}
catch (Exception e)
{
Utils.Trace($"Session Manager Impersonate Exception:\r\n{e.StackTrace}");
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
protected virtual void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token
if (args.NewIdentity is AnonymousIdentityToken anonymousToken)
{
args.Identity = new RoleBasedIdentity(new UserIdentity(), GdsRole.ApplicationUser);
return;
}
// check for a user name token
if (args.NewIdentity is UserNameIdentityToken userNameToken)
{
#if UNITTESTONLY
if (VerifyPassword(userNameToken))
{
switch (userNameToken.UserName)
{
// Server configuration administrator, manages the GDS server security
case "sysadmin":
{
args.Identity = new SystemConfigurationIdentity(new UserIdentity(userNameToken));
Utils.Trace("SystemConfigurationAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// GDS administrator
case "appadmin":
{
args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationAdmin);
Utils.Trace("ApplicationAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// GDS user
case "appuser":
{
args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationUser);
Utils.Trace("ApplicationUser Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
}
#endif
}
// check for x509 user token.
if (args.NewIdentity is X509IdentityToken x509Token)
{
GdsRole role = GdsRole.ApplicationAdmin;
VerifyUserTokenCertificate(x509Token.Certificate);
Utils.Trace("X509 Token Accepted: {0} as {1}", args.Identity.DisplayName, role.ToString());
args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role);
return;
}
throw new ServiceResultException(new ServiceResult(StatusCodes.BadUserAccessDenied));
}
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
switch (args.NewIdentity)
{
// check for a user name token
case UserNameIdentityToken userNameToken:
{
if (VerifyPassword(userNameToken))
{
switch (userNameToken.UserName)
{
// Server configuration administrator, manages the GDS server security
case "sysadmin":
{
args.Identity = new SystemConfigurationIdentity(new UserIdentity(userNameToken));
Utils.Trace($"SystemConfigurationAdmin Token Accepted: {args.Identity.DisplayName}");
return;
}
// GDS administrator
case "appadmin":
{
//can register to GDS
args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationAdmin);
Utils.Trace($"ApplicationAdmin Token Accepted: {args.Identity.DisplayName}");
return;
}
// GDS user
case "appuser":
{
args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationUser);
Utils.Trace($"ApplicationUser Token Accepted: {args.Identity.DisplayName}");
return;
}
}
}
break;
}
// check for x509 user token.
case X509IdentityToken x509Token:
{
const GdsRole role = GdsRole.ApplicationUser;
VerifyUserTokenCertificate(x509Token.Certificate);
// todo: is cert listed in admin list? then
// role = GdsRole.ApplicationAdmin;
Utils.Trace($"X509 Token Accepted: {args.Identity.DisplayName} as {role.ToString()}");
args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role);
return;
}
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
if (VerifyPassword(userNameToken))
{
switch (userNameToken.UserName)
{
// Server configuration administrator, manages the GDS server security
case "sysadmin":
{
args.Identity = new SystemConfigurationIdentity(new UserIdentity(userNameToken));
Utils.LogInfo("SystemConfigurationAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// GDS administrator
case "appadmin":
{
args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationAdmin);
Utils.LogInfo("ApplicationAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// GDS user
case "appuser":
{
args.Identity = new RoleBasedIdentity(new UserIdentity(userNameToken), GdsRole.ApplicationUser);
Utils.LogInfo("ApplicationUser Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
}
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
GdsRole role = GdsRole.ApplicationUser;
VerifyUserTokenCertificate(x509Token.Certificate);
// todo: is cert listed in admin list? then
// role = GdsRole.ApplicationAdmin;
Utils.LogInfo("X509 Token Accepted: {0} as {1}", args.Identity.DisplayName, role.ToString());
args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role);
return;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
args.Identity = VerifyPassword(userNameToken);
return;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword);
args.Identity = new UserIdentity(userNameToken);
Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName);
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
args.Identity = VerifyPassword(userNameToken);
Utils.LogInfo(Utils.TraceMasks.Security, "Username Token Accepted: {0}", args.Identity?.DisplayName);
// set AuthenticatedUser role for accepted user/password authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
if (args.Identity is SystemConfigurationIdentity)
{
// set ConfigureAdmin role for user with permission to configure server
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin);
}
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
VerifyUserTokenCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.LogInfo(Utils.TraceMasks.Security, "X509 Token Accepted: {0}", args.Identity?.DisplayName);
// set AuthenticatedUser role for accepted certificate authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
return;
}
// check for anonymous token.
if (args.NewIdentity is AnonymousIdentityToken || args.NewIdentity == null)
{
// allow anonymous authentication and set Anonymous role for this authentication
args.Identity = new UserIdentity();
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous);
return;
}
// unsuported identity token type.
throw ServiceResultException.Create(StatusCodes.BadIdentityTokenInvalid,
"Not supported user token type: {0}.", args.NewIdentity);
}
/// <summary>
/// Called when a client tries to change its user identity.
/// 当客户端尝试更改其用户身份时调用
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token.
// 检查用户名令牌
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword);
args.Identity = new UserIdentity(userNameToken);
return;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
if (args.NewIdentity is UserNameIdentityToken userNameToken)
{
// check for a user name token
args.Identity = VerifyPassword(userNameToken);
// set AuthenticatedUser role for accepted user/password authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
if (args.Identity is SystemConfigurationIdentity)
{
// set ConfigureAdmin role for user with permission to configure server
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin);
}
}
else if (args.NewIdentity is X509IdentityToken x509Token)
{
// check for x509 user token
VerifyUserTokenCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
// set AuthenticatedUser role for accepted certificate authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
}
else if (string.IsNullOrEmpty(options.Username))
{
// allow anonymous authentication and set Anonymous role for this authentication
args.Identity = new UserIdentity();
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous);
log.WriteAction(Locale.IsRussian ?
"Анонимная аутентификация" :
"Anonymous authentication");
}
else
{
string msg = Locale.IsRussian ?
"Анонимная аутентификация не допускается" :
"Anonymous authentication is not allowed";
log.WriteError(msg);
throw new ServiceResultException(StatusCodes.BadIdentityTokenRejected, msg);
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args) {
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null) {
args.Identity = VerifyPassword(userNameToken);
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null) {
VerifyUserTokenCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
args.Identity = VerifyPassword(userNameToken);
// set AuthenticatedUser role for accepted user/password authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
if (args.Identity is SystemConfigurationIdentity)
{
// set ConfigureAdmin role for user with permission to configure server
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_ConfigureAdmin);
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_SecurityAdmin);
}
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
VerifyUserTokenCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
// set AuthenticatedUser role for accepted certificate authentication
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_AuthenticatedUser);
return;
}
// allow anonymous authentication and set Anonymous role for this authentication
args.Identity = new UserIdentity();
args.Identity.GrantedRoleIds.Add(ObjectIds.WellKnownRole_Anonymous);
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session,
ImpersonateEventArgs args)
{
if (session == null)
{
throw new ArgumentNullException(nameof(session));
}
if (args.NewIdentity is AnonymousIdentityToken guest)
{
args.Identity = new UserIdentity(guest);
Utils.Trace("Guest access accepted: {0}", args.Identity.DisplayName);
return;
}
// check for a user name token.
if (args.NewIdentity is UserNameIdentityToken userNameToken)
{
var admin = VerifyPassword(userNameToken.UserName, userNameToken.DecryptedPassword);
args.Identity = new UserIdentity(userNameToken);
if (admin)
{
args.Identity = new SystemConfigurationIdentity(args.Identity);
}
Utils.Trace("UserName Token accepted: {0}", args.Identity.DisplayName);
return;
}
// check for x509 user token.
if (args.NewIdentity is X509IdentityToken x509Token)
{
var admin = VerifyCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
if (admin)
{
args.Identity = new SystemConfigurationIdentity(args.Identity);
}
Utils.Trace("X509 Token accepted: {0}", args.Identity.DisplayName);
return;
}
// check for x509 user token.
if (args.NewIdentity is IssuedIdentityToken wssToken)
{
var admin = VerifyToken(wssToken);
args.Identity = new UserIdentity(wssToken);
if (admin)
{
args.Identity = new SystemConfigurationIdentity(args.Identity);
}
Utils.Trace("Issued Token accepted: {0}", args.Identity.DisplayName);
return;
}
// construct translation object with default text.
var info = new TranslationInfo("InvalidToken", "en-US",
"Specified token is not valid.");
// create an exception with a vendor defined sub-code.
throw new ServiceResultException(new ServiceResult(
StatusCodes.BadIdentityTokenRejected, "Bad token",
kServerNamespaceUri, new LocalizedText(info)));
}
/// <summary>
/// Called when a client tries to change its user identity.
/// </summary>
private void SessionManager_ImpersonateUser(Session session, ImpersonateEventArgs args)
{
// check for an issued token.
IssuedIdentityToken issuedToken = args.NewIdentity as IssuedIdentityToken;
if (issuedToken != null)
{
if (args.UserTokenPolicy.IssuedTokenType == "http://opcfoundation.org/UA/UserTokenPolicy#JWT")
{
JwtEndpointParameters parameters = new JwtEndpointParameters();
parameters.FromJson(args.UserTokenPolicy.IssuerEndpointUrl);
var jwt = new UTF8Encoding().GetString(issuedToken.DecryptedTokenData);
var identity = ValidateJwt(parameters, jwt);
Utils.Trace("JSON Web Token Accepted: {0}", identity.DisplayName);
args.Identity = identity;
return;
}
}
// check for a user name token.
UserNameIdentityToken userNameToken = args.NewIdentity as UserNameIdentityToken;
if (userNameToken != null)
{
var identity = new UserIdentity(userNameToken);
var token = (UserNameIdentityToken)identity.GetIdentityToken();
switch (token.UserName)
{
case "gdsadmin":
{
if (token.DecryptedPassword == "demo")
{
Utils.Trace("GdsAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
break;
}
case "appadmin":
{
if (token.DecryptedPassword == "demo")
{
args.Identity = new RoleBasedIdentity(identity, GdsRole.ApplicationAdmin);
Utils.Trace("ApplicationAdmin Token Accepted: {0}", args.Identity.DisplayName);
return;
}
break;
}
case "appuser":
{
if (token.DecryptedPassword == "demo")
{
args.Identity = new RoleBasedIdentity(identity, GdsRole.ApplicationUser);
Utils.Trace("ApplicationUser Token Accepted: {0}", args.Identity.DisplayName);
return;
}
break;
}
}
args.Identity = identity;
Utils.Trace("UserName Token Accepted: {0}", args.Identity.DisplayName);
return;
}
// check for x509 user token.
X509IdentityToken x509Token = args.NewIdentity as X509IdentityToken;
if (x509Token != null)
{
VerifyCertificate(x509Token.Certificate);
args.Identity = new UserIdentity(x509Token);
Utils.Trace("X509 Token Accepted: {0}", args.Identity.DisplayName);
return;
}
}
