Diffstat (limited to 'src')
-rw-r--r--src/common.c25
-rw-r--r--src/common.h17
-rw-r--r--src/server_lds.c23
-rw-r--r--src/server_register.c26
4 files changed, 44 insertions, 47 deletions
diff --git a/src/common.c b/src/common.c
index cf364bb..9401392 100644
--- a/src/common.c
+++ b/src/common.c
@@ -6,6 +6,7 @@
#include "common.h"
#include <open62541/client_config_default.h>
+#include <open62541/plugin/accesscontrol_default.h>
#include <open62541/plugin/log_stdout.h>
#include <open62541/server_config_default.h>
@@ -305,6 +306,30 @@ resolveSecurityPolicyUri (const char *shortName)
}
/* ========================================================================
+ * Access Control
+ * ======================================================================== */
+
+UA_StatusCode
+configureAccessControl (UA_ServerConfig *config, const AuthConfig *auth)
+{
+ switch (auth->mode)
+ {
+ case AUTH_ANONYMOUS:
+ return UA_AccessControl_default (config, true, NULL, 0, NULL);
+ case AUTH_USER:
+ {
+ UA_UsernamePasswordLogin logins[1];
+ logins[0].username = UA_STRING ((char *)auth->user.username);
+ logins[0].password = UA_STRING ((char *)auth->user.password);
+ return UA_AccessControl_default (config, false, NULL, 1, logins);
+ }
+ case AUTH_CERT:
+ return UA_AccessControl_default (config, false, NULL, 0, NULL);
+ }
+ return UA_STATUSCODE_BADINTERNALERROR;
+}
+
+/* ========================================================================
* Output Formatting
* ======================================================================== */
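Review bot: In the AUTH_USER case of configureAccessControl, `auth->user.username` and `auth->user.password` are cast and wrapped with UA_STRING without any check that they are actually set. UA_STRING turns a NULL pointer into a zero-length string, so a half-populated AuthConfig would presumably register an empty credential instead of failing; whether the config parser already rules this out is not visible in this hunk. Since this helper is now the single place both servers get their access-control policy from, I would guard it here, assuming the fields are pointers as the casts suggest: `if (!auth->user.username || !auth->user.password) return UA_STATUSCODE_BADINVALIDARGUMENT;` before building `logins`.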
diff --git a/src/common.h b/src/common.h
index b8643d7..63fa683 100644
--- a/src/common.h
+++ b/src/common.h
@@ -247,6 +247,23 @@ UA_StatusCode createSecureClientConfig (UA_ClientConfig *cc,
const SecurityConfig *sec,
const AuthConfig *auth);
+/**
+ * @brief Configures server access control from an AuthConfig.
+ *
+ * UA_ServerConfig_setDefaultWithSecureSecurityPolicies installs
+ * certificate-only authentication by default. This function
+ * overrides that with the desired policy: anonymous, username/password,
+ * or X509 certificate. For AUTH_CERT the sessionPKI verifier set by
+ * createServer is preserved, so UA_AccessControl_default automatically
+ * advertises the X509 certificate token policy.
+ *
+ * @param config Server configuration to modify.
+ * @param auth Authentication configuration.
+ * @return UA_STATUSCODE_GOOD on success, error code otherwise.
+ */
+UA_StatusCode configureAccessControl (UA_ServerConfig *config,
+ const AuthConfig *auth);
+
/* ========================================================================
* Output Formatting
* ======================================================================== */
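Review bot: The `@return` line on configureAccessControl does not cover an unrecognised `auth->mode`. The definition in common.c falls out of the switch and returns UA_STATUSCODE_BADINTERNALERROR without calling UA_AccessControl_default, which presumably leaves whatever policy was installed earlier in effect. Callers should be told to abort startup on any non-GOOD result rather than run with an unintended policy. I would mention the BADINTERNALERROR case under `@return` and add `@note On a non-GOOD return the access-control plugin may not have been reconfigured; treat the failure as fatal.`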
diff --git a/src/server_lds.c b/src/server_lds.c
index 311be4b..8d34acc 100644
--- a/src/server_lds.c
+++ b/src/server_lds.c
@@ -13,7 +13,6 @@
#include "common.h"
#include "config.h"
-#include <open62541/plugin/accesscontrol_default.h>
#include <open62541/plugin/log_stdout.h>
#include <open62541/server.h>
@@ -111,27 +110,7 @@ main (int argc, char *argv[])
Downgrade to a warning so third-party servers can still register. */
serverConfig->verifyRequestTimestamp = UA_RULEHANDLING_WARN;
- /* Configure access control. UA_ServerConfig_setDefaultWithSecure-
- SecurityPolicies sets certificate-only auth by default, so we must
- always call UA_AccessControl_default to get the desired policy. */
- switch (auth.mode)
- {
- case AUTH_ANONYMOUS:
- retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL);
- break;
- case AUTH_USER:
- {
- UA_UsernamePasswordLogin logins[1];
- logins[0].username = UA_STRING ((char *)auth.user.username);
- logins[0].password = UA_STRING ((char *)auth.user.password);
- retval
- = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
- break;
- }
- case AUTH_CERT:
- retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL);
- break;
- }
+ retval = configureAccessControl (serverConfig, &auth);
if (retval != UA_STATUSCODE_GOOD)
{
UA_Server_delete (server);
diff --git a/src/server_register.c b/src/server_register.c
index 8a64d08..1514c92 100644
--- a/src/server_register.c
+++ b/src/server_register.c
@@ -13,7 +13,6 @@
#include <open62541/client.h>
#include <open62541/client_config_default.h>
-#include <open62541/plugin/accesscontrol_default.h>
#include <open62541/plugin/log_stdout.h>
#include <open62541/server.h>
@@ -158,30 +157,7 @@ main (int argc, char **argv)
UA_ServerConfig *serverConfig = UA_Server_getConfig (server);
serverConfig->logging->context = (void *)(uintptr_t)logLevel;
- /* Configure access control. UA_ServerConfig_setDefaultWithSecure-
- SecurityPolicies sets certificate-only auth by default, so we must
- always call UA_AccessControl_default to get the desired policy. */
- switch (serverAuth.mode)
- {
- case AUTH_ANONYMOUS:
- retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL);
- break;
- case AUTH_USER:
- {
- UA_UsernamePasswordLogin logins[1];
- logins[0].username = UA_STRING ((char *)serverAuth.user.username);
- logins[0].password = UA_STRING ((char *)serverAuth.user.password);
- retval
- = UA_AccessControl_default (serverConfig, false, NULL, 1, logins);
- break;
- }
- case AUTH_CERT:
- /* cert auth — sessionPKI.verifyCertificate is set by createServer
- via setDefaultWithSecureSecurityPolicies, so UA_AccessControl_default
- will automatically advertise the X509 certificate token policy. */
- retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL);
- break;
- }
+ retval = configureAccessControl (serverConfig, &serverAuth);
if (retval != UA_STATUSCODE_GOOD)
goto cleanup;