From 74f18c6264618187386a5dc8b1152faa8727bf53 Mon Sep 17 00:00:00 2001 From: Thomas Vanbesien Date: Wed, 18 Feb 2026 22:45:06 +0100 Subject: Extract configureAccessControl() into common The access-control switch block was duplicated in server_lds.c and server_register.c. Move it to a shared helper in common.c with a Doxygen block that consolidates the rationale from both call sites. --- src/common.c | 25 +++++++++++++++++++++++++ src/common.h | 17 +++++++++++++++++ src/server_lds.c | 23 +---------------------- src/server_register.c | 26 +------------------------- 4 files changed, 44 insertions(+), 47 deletions(-) (limited to 'src') diff --git a/src/common.c b/src/common.c index cf364bb..9401392 100644 --- a/src/common.c +++ b/src/common.c @@ -6,6 +6,7 @@ #include "common.h" #include +#include #include #include @@ -304,6 +305,30 @@ resolveSecurityPolicyUri (const char *shortName) return NULL; } +/* ======================================================================== + * Access Control + * ======================================================================== */ + +UA_StatusCode +configureAccessControl (UA_ServerConfig *config, const AuthConfig *auth) +{ + switch (auth->mode) + { + case AUTH_ANONYMOUS: + return UA_AccessControl_default (config, true, NULL, 0, NULL); + case AUTH_USER: + { + UA_UsernamePasswordLogin logins[1]; + logins[0].username = UA_STRING ((char *)auth->user.username); + logins[0].password = UA_STRING ((char *)auth->user.password); + return UA_AccessControl_default (config, false, NULL, 1, logins); + } + case AUTH_CERT: + return UA_AccessControl_default (config, false, NULL, 0, NULL); + } + return UA_STATUSCODE_BADINTERNALERROR; +} + /* ======================================================================== * Output Formatting * ======================================================================== */ diff --git a/src/common.h b/src/common.h index b8643d7..63fa683 100644 --- a/src/common.h +++ b/src/common.h @@ -247,6 +247,23 @@ UA_StatusCode createSecureClientConfig (UA_ClientConfig *cc, const SecurityConfig *sec, const AuthConfig *auth); +/** + * @brief Configures server access control from an AuthConfig. + * + * UA_ServerConfig_setDefaultWithSecureSecurityPolicies installs + * certificate-only authentication by default. This function + * overrides that with the desired policy: anonymous, username/password, + * or X509 certificate. For AUTH_CERT the sessionPKI verifier set by + * createServer is preserved, so UA_AccessControl_default automatically + * advertises the X509 certificate token policy. + * + * @param config Server configuration to modify. + * @param auth Authentication configuration. + * @return UA_STATUSCODE_GOOD on success, error code otherwise. + */ +UA_StatusCode configureAccessControl (UA_ServerConfig *config, + const AuthConfig *auth); + /* ======================================================================== * Output Formatting * ======================================================================== */ diff --git a/src/server_lds.c b/src/server_lds.c index 311be4b..8d34acc 100644 --- a/src/server_lds.c +++ b/src/server_lds.c @@ -13,7 +13,6 @@ #include "common.h" #include "config.h" -#include #include #include @@ -111,27 +110,7 @@ main (int argc, char *argv[]) Downgrade to a warning so third-party servers can still register. */ serverConfig->verifyRequestTimestamp = UA_RULEHANDLING_WARN; - /* Configure access control. UA_ServerConfig_setDefaultWithSecure- - SecurityPolicies sets certificate-only auth by default, so we must - always call UA_AccessControl_default to get the desired policy. */ - switch (auth.mode) - { - case AUTH_ANONYMOUS: - retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL); - break; - case AUTH_USER: - { - UA_UsernamePasswordLogin logins[1]; - logins[0].username = UA_STRING ((char *)auth.user.username); - logins[0].password = UA_STRING ((char *)auth.user.password); - retval - = UA_AccessControl_default (serverConfig, false, NULL, 1, logins); - break; - } - case AUTH_CERT: - retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL); - break; - } + retval = configureAccessControl (serverConfig, &auth); if (retval != UA_STATUSCODE_GOOD) { UA_Server_delete (server); diff --git a/src/server_register.c b/src/server_register.c index 8a64d08..1514c92 100644 --- a/src/server_register.c +++ b/src/server_register.c @@ -13,7 +13,6 @@ #include #include -#include #include #include @@ -158,30 +157,7 @@ main (int argc, char **argv) UA_ServerConfig *serverConfig = UA_Server_getConfig (server); serverConfig->logging->context = (void *)(uintptr_t)logLevel; - /* Configure access control. UA_ServerConfig_setDefaultWithSecure- - SecurityPolicies sets certificate-only auth by default, so we must - always call UA_AccessControl_default to get the desired policy. */ - switch (serverAuth.mode) - { - case AUTH_ANONYMOUS: - retval = UA_AccessControl_default (serverConfig, true, NULL, 0, NULL); - break; - case AUTH_USER: - { - UA_UsernamePasswordLogin logins[1]; - logins[0].username = UA_STRING ((char *)serverAuth.user.username); - logins[0].password = UA_STRING ((char *)serverAuth.user.password); - retval - = UA_AccessControl_default (serverConfig, false, NULL, 1, logins); - break; - } - case AUTH_CERT: - /* cert auth — sessionPKI.verifyCertificate is set by createServer - via setDefaultWithSecureSecurityPolicies, so UA_AccessControl_default - will automatically advertise the X509 certificate token policy. */ - retval = UA_AccessControl_default (serverConfig, false, NULL, 0, NULL); - break; - } + retval = configureAccessControl (serverConfig, &serverAuth); if (retval != UA_STATUSCODE_GOOD) goto cleanup; -- cgit v1.2.3