| author | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-17 03:31:40 +0100 |
|---|---|---|
| committer | Thomas Vanbesien <tvanbesi@proton.me> | 2026-02-17 03:31:40 +0100 |
| commit | 3425cddd75fa105b940c8c0afe4a63065c446515 (patch) | |
| tree | f1c2840985feeb06a9187d6bd99fe8274daf5412 /src/server_lds.c | |
| parent | 1bbf7e6c2ff571b2e26b643a7e86e35790b91875 (diff) | |
Make authentication mode and credentials configurable via CLI
Replace hardcoded user/password credentials with a new <auth-mode>
parameter that accepts "anonymous" or "user". When "user" is chosen,
two additional <username> <password> arguments are required.
ServerRegister accepts two independent auth modes: one for its own
server-side access control and one for authenticating to the LDS when
registering. ClientFindServers passes credentials to readServerTime,
which selects UA_Client_connectUsername or UA_Client_connect accordingly.
Update CLAUDE.md running examples and add an auth modes table.
Diffstat (limited to 'src/server_lds.c')
| -rw-r--r-- | src/server_lds.c | 64 |
1 files changed, 51 insertions, 13 deletions
diff --git a/src/server_lds.c b/src/server_lds.c
index 12dfe59..fc51596 100644
--- a/src/server_lds.c
+++ b/src/server_lds.c
@@ -33,14 +33,17 @@ main (int argc, char *argv[])
 signal (SIGINT, stopHandler);
 signal (SIGTERM, stopHandler);

- if (argc < 6)
+ if (argc < 7)
 {
 UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND,
 "Usage: %s\n"
 " <port> <applicationUri>\n"
 " <server-certificate.der> <private-key.der>\n"
 " <cleanup-timeout-seconds>\n"
- " [<trustlist1.der>, ...]",
+ " <auth-mode> [<username> <password>]\n"
+ " [<trustlist1.der>, ...]\n"
+ "\n"
+ "Auth modes: anonymous, user",
 argv[0]);
 return EXIT_FAILURE;
 }
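Review bot: The new usage line `<auth-mode> [<username> <password>]` makes the password a positional command-line argument, so it is readable by other local users through the process list for the server's whole lifetime and is typically saved in shell history; the second hunk takes it straight from `argv[idx++]`. Consider reading the password from an environment variable or from a file with restrictive permissions instead, and keep only the username on the command line. If the argv form has to stay, state the exposure in the usage text, e.g. an extra line `"Note: <password> is visible in the process list\n"`. main's body starts before and continues past this hunk.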
@@ -57,27 +60,62 @@ main (int argc, char *argv[]) cleanupTimeout); return EXIT_FAILURE; } - size_t trustSize = (argc > 6) ? (size_t)argc - 6 : 0; + + int idx = 6; + const char *authMode = argv[idx++]; + UA_Boolean allowAnonymous; + char *username = NULL, *password = NULL; + + if (strcmp (authMode, "anonymous") == 0) + { + allowAnonymous = true; + } + else if (strcmp (authMode, "user") == 0) + { + if (idx + 2 > argc) + { + UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, + "Auth mode 'user' requires <username> <password>"); + return EXIT_FAILURE; + } + allowAnonymous = false; + username = argv[idx++]; + password = argv[idx++]; + } + else + { + UA_LOG_FATAL (UA_Log_Stdout, UA_LOGCATEGORY_USERLAND, + "Unknown auth mode: %s " + "(expected 'anonymous' or 'user')", + authMode); + return EXIT_FAILURE; + } + + size_t trustSize = (idx < argc) ? (size_t)(argc - idx) : 0; UA_StatusCode retval; UA_Server *server = createSecureServer (port, argv[2], argv[3], argv[4], - argv + 6, trustSize, &retval); + argv + idx, trustSize, &retval); if (!server) return EXIT_FAILURE; UA_ServerConfig *serverConfig = UA_Server_getConfig (server); - /* Disallow anonymous sessions. + /* Configure access control after server creation because UA_ServerConfig_setDefaultWithSecurityPolicies (called by - createSecureServer) resets access control, so this must come after server - creation. The static credential list is deep-copied. */ - UA_UsernamePasswordLogin logins[] - = { { UA_STRING_STATIC ("user"), UA_STRING_STATIC ("password") } }; - retval = UA_AccessControl_default (serverConfig, false, NULL, 1, logins); - if (retval != UA_STATUSCODE_GOOD) + createSecureServer) resets the access control plugin. The credential + list is deep-copied by UA_AccessControl_default. 
*/ + if (!allowAnonymous) { - UA_Server_delete (server); - return EXIT_FAILURE; + UA_UsernamePasswordLogin logins[1]; + logins[0].username = UA_STRING (username); + logins[0].password = UA_STRING (password); + retval = UA_AccessControl_default (serverConfig, false, NULL, 1, logins); + if (retval != UA_STATUSCODE_GOOD) + { + UA_Server_delete (server); + return EXIT_FAILURE; + } } /* Mark this server as a Discovery Server so clients can identify it. */ |
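Review bot: The `user` branch validates only the argument count (`idx + 2 > argc`), so an empty username or password is accepted and registered as a valid login, and when the credential pair is forgotten the first two trust-list paths are silently taken as username and password. Reject empty values before the assignments, e.g. `if (argv[idx][0] == '\0' || argv[idx + 1][0] == '\0')` followed by the same fatal-log-and-return used for the count check. In `anonymous` mode `UA_AccessControl_default` is no longer called at all, so the effective policy is whatever createSecureServer left in place; logging the selected auth mode at startup would make an anonymous deployment visible to the operator. main starts before and continues past this hunk.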
