S2OPC OPCUA Toolkit
Data Structures | Typedefs | Enumerations | Functions
sopc_user_manager.h File Reference

Defines the user manager, the applicative interface used to authenticate users, and authorize read/write operations in the address space. More...

#include <stdbool.h>
#include "sopc_builtintypes.h"
#include "sopc_pki_decl.h"
#include "sopc_user.h"

Go to the source code of this file.

Data Structures

struct  SOPC_UserAuthentication_Functions
 
struct  SOPC_UserAuthorization_Functions
 
struct  SOPC_UserAuthentication_Manager
 
struct  SOPC_UserAuthorization_Manager
 

Typedefs

typedef struct SOPC_UserAuthentication_Manager SOPC_UserAuthentication_Manager
 
typedef struct SOPC_UserAuthorization_Manager SOPC_UserAuthorization_Manager
 
typedef struct SOPC_UserWithAuthorization SOPC_UserWithAuthorization
 
typedef void SOPC_UserAuthentication_Free_Func(SOPC_UserAuthentication_Manager *authenticationManager)
 
typedef SOPC_ReturnStatus SOPC_UserAuthentication_ValidateUserIdentity_Func(SOPC_UserAuthentication_Manager *authenticationManager, const SOPC_ExtensionObject *pUser, SOPC_UserAuthentication_Status *pUserAuthenticated)
 
typedef void SOPC_UserAuthorization_Free_Func(SOPC_UserAuthorization_Manager *authorizationManager)
 
typedef SOPC_ReturnStatus SOPC_UserAuthorization_AuthorizeOperation_Func(SOPC_UserAuthorization_Manager *authorizationManager, SOPC_UserAuthorization_OperationType operationType, const SOPC_NodeId *nodeId, uint32_t attributeId, const SOPC_User *pUser, bool *pbOperationAuthorized)
 
typedef struct SOPC_UserAuthentication_Functions SOPC_UserAuthentication_Functions
 
typedef struct SOPC_UserAuthorization_Functions SOPC_UserAuthorization_Functions
 

Enumerations

enum  SOPC_UserAuthorization_OperationType { SOPC_USER_AUTHORIZATION_OPERATION_READ, SOPC_USER_AUTHORIZATION_OPERATION_WRITE, SOPC_USER_AUTHORIZATION_OPERATION_EXECUTABLE, SOPC_USER_AUTHORIZATION_OPERATION_ADDNODE }
 The operation type to authorize, see SOPC_UserAuthorization_IsAuthorizedOperation. More...
 
enum  SOPC_UserAuthentication_Status {
  SOPC_USER_AUTHENTICATION_INVALID_TOKEN, SOPC_USER_AUTHENTICATION_REJECTED_TOKEN, SOPC_USER_AUTHENTICATION_ACCESS_DENIED, SOPC_USER_AUTHENTICATION_SIGNATURE_INVALID,
  SOPC_USER_AUTHENTICATION_OK
}
 The user authentication status code, see SOPC_UserAuthentication_IsValidUserIdentity. More...
 

Functions

SOPC_ReturnStatus SOPC_UserAuthentication_IsValidUserIdentity (SOPC_UserAuthentication_Manager *authenticationManager, const SOPC_ExtensionObject *pUser, SOPC_UserAuthentication_Status *pUserAuthenticated)
 Authenticate a user with the chosen authentication manager. More...
 
SOPC_ReturnStatus SOPC_UserAuthorization_IsAuthorizedOperation (SOPC_UserWithAuthorization *userWithAuthorization, SOPC_UserAuthorization_OperationType operationType, const SOPC_NodeId *nodeId, uint32_t attributeId, bool *pbOperationAuthorized)
 Authorize an operation with the chosen authorization manager. More...
 
void SOPC_UserAuthentication_FreeManager (SOPC_UserAuthentication_Manager **ppAuthenticationManager)
 Deletes a SOPC_UserAuthentication_Manager using its pFuncFree. More...
 
void SOPC_UserAuthorization_FreeManager (SOPC_UserAuthorization_Manager **ppAuthorizationManager)
 Deletes a SOPC_UserAuthorization_Manager using its pFuncFree. More...
 
SOPC_UserAuthentication_ManagerSOPC_UserAuthentication_CreateManager_AllowAll (void)
 A helper implementation that always authentication positively a user. More...
 
SOPC_UserAuthorization_ManagerSOPC_UserAuthorization_CreateManager_AllowAll (void)
 A helper implementation that always authorize an operation. More...
 
SOPC_UserWithAuthorizationSOPC_UserWithAuthorization_CreateFromIdentityToken (const SOPC_ExtensionObject *pUserIdentity, SOPC_UserAuthorization_Manager *authorizationManager)
 Creates a SOPC_UserWithAuthorization from an OpcUa_IdentityToken and an authorization manager. More...
 
SOPC_UserWithAuthorizationSOPC_UserWithAuthorization_CreateLocal (SOPC_UserAuthorization_Manager *authorizationManager)
 Creates a SOPC_UserWithAuthorization for a local user. More...
 
SOPC_UserAuthorization_ManagerSOPC_UserWithAuthorization_GetManager (SOPC_UserWithAuthorization *userWithAuthorization)
 Return the user part of the user with authorization manager. More...
 
const SOPC_UserSOPC_UserWithAuthorization_GetUser (SOPC_UserWithAuthorization *userWithAuthorization)
 Return the authorization manager associated with the user. More...
 
void SOPC_UserWithAuthorization_Free (SOPC_UserWithAuthorization **ppUserWithAuthorization)
 Free a SOPC_UserWithAuthorization and its embedded user when needed. More...
 

Detailed Description

Defines the user manager, the applicative interface used to authenticate users, and authorize read/write operations in the address space.

These structures are only used on the server side.

The developer shall follow these steps to use the user authentication and authorization:

Typedef Documentation

◆ SOPC_UserAuthentication_Manager

◆ SOPC_UserAuthorization_Manager

◆ SOPC_UserWithAuthorization

The server-side user with an authorization manager. The authorization manager is borrowed when the structure is created.

◆ SOPC_UserAuthentication_Free_Func

typedef void SOPC_UserAuthentication_Free_Func(SOPC_UserAuthentication_Manager *authenticationManager)

◆ SOPC_UserAuthentication_ValidateUserIdentity_Func

typedef SOPC_ReturnStatus SOPC_UserAuthentication_ValidateUserIdentity_Func(SOPC_UserAuthentication_Manager *authenticationManager, const SOPC_ExtensionObject *pUser, SOPC_UserAuthentication_Status *pUserAuthenticated)

◆ SOPC_UserAuthorization_Free_Func

typedef void SOPC_UserAuthorization_Free_Func(SOPC_UserAuthorization_Manager *authorizationManager)

◆ SOPC_UserAuthorization_AuthorizeOperation_Func

typedef SOPC_ReturnStatus SOPC_UserAuthorization_AuthorizeOperation_Func(SOPC_UserAuthorization_Manager *authorizationManager, SOPC_UserAuthorization_OperationType operationType, const SOPC_NodeId *nodeId, uint32_t attributeId, const SOPC_User *pUser, bool *pbOperationAuthorized)

◆ SOPC_UserAuthentication_Functions

◆ SOPC_UserAuthorization_Functions

Enumeration Type Documentation

◆ SOPC_UserAuthorization_OperationType

The operation type to authorize, see SOPC_UserAuthorization_IsAuthorizedOperation.

Enumerator
SOPC_USER_AUTHORIZATION_OPERATION_READ 
SOPC_USER_AUTHORIZATION_OPERATION_WRITE 

includes CurrentWrite, StatusWrite, TimestampWrite in UserAccessLevel

SOPC_USER_AUTHORIZATION_OPERATION_EXECUTABLE 
SOPC_USER_AUTHORIZATION_OPERATION_ADDNODE 

◆ SOPC_UserAuthentication_Status

The user authentication status code, see SOPC_UserAuthentication_IsValidUserIdentity.

Enumerator
SOPC_USER_AUTHENTICATION_INVALID_TOKEN 
SOPC_USER_AUTHENTICATION_REJECTED_TOKEN 
SOPC_USER_AUTHENTICATION_ACCESS_DENIED 

It is strongly discouraged to use this value, prefer SOPC_USER_AUTHENTICATION_REJECTED_TOKEN. This value is described by OPC UA part 4 and tested by UACTT but access evaluation shall be enforced on other services calls (read, write, callmethod, etc.)

SOPC_USER_AUTHENTICATION_SIGNATURE_INVALID 
SOPC_USER_AUTHENTICATION_OK 

Function Documentation

◆ SOPC_UserAuthentication_IsValidUserIdentity()

SOPC_ReturnStatus SOPC_UserAuthentication_IsValidUserIdentity ( SOPC_UserAuthentication_Manager authenticationManager,
const SOPC_ExtensionObject pUser,
SOPC_UserAuthentication_Status pUserAuthenticated 
)

Authenticate a user with the chosen authentication manager.

Parameters
authenticationManagerThe SOPC_UserAuthentication_Manager instance.
pUserThe user identity token which was received in the ActivateSession request.
pUserAuthenticatedA valid pointer to the uninitialized result of the operation. The callback sets it to one of the following values:
  • SOPC_USER_AUTHENTICATION_INVALID_TOKEN: the callback could not read the user identity token,
  • SOPC_USER_AUTHENTICATION_REJECTED_TOKEN: the proposed identity could not be authenticated,
  • SOPC_USER_AUTHENTICATION_OK: the identity token correctly authenticates a user.
Returns
SOPC_STATUS_OK when pbUserAuthenticated was set.

◆ SOPC_UserAuthorization_IsAuthorizedOperation()

SOPC_ReturnStatus SOPC_UserAuthorization_IsAuthorizedOperation ( SOPC_UserWithAuthorization userWithAuthorization,
SOPC_UserAuthorization_OperationType  operationType,
const SOPC_NodeId nodeId,
uint32_t  attributeId,
bool *  pbOperationAuthorized 
)

Authorize an operation with the chosen authorization manager.

Parameters
userWithAuthorizationThe user and authorization manager to use.
operationTypeSet to SOPC_USER_AUTHORIZATION_OPERATION_READ for a read operation, or SOPC_USER_AUTHORIZATION_OPERATION_WRITE for a write operation.
nodeIdThe operation reads/write this NodeId.
attributeIdThe operation reads/write this attribute.
pbOperationAuthorizedA valid pointer to the uninitialized result of the operation. The callback shall set it to false when the operation is refused.
Returns
SOPC_STATUS_OK when pbUserAuthorized was set.

◆ SOPC_UserAuthentication_FreeManager()

void SOPC_UserAuthentication_FreeManager ( SOPC_UserAuthentication_Manager **  ppAuthenticationManager)

Deletes a SOPC_UserAuthentication_Manager using its pFuncFree.

◆ SOPC_UserAuthorization_FreeManager()

void SOPC_UserAuthorization_FreeManager ( SOPC_UserAuthorization_Manager **  ppAuthorizationManager)

Deletes a SOPC_UserAuthorization_Manager using its pFuncFree.

◆ SOPC_UserAuthentication_CreateManager_AllowAll()

SOPC_UserAuthentication_Manager* SOPC_UserAuthentication_CreateManager_AllowAll ( void  )

A helper implementation that always authentication positively a user.

◆ SOPC_UserAuthorization_CreateManager_AllowAll()

SOPC_UserAuthorization_Manager* SOPC_UserAuthorization_CreateManager_AllowAll ( void  )

A helper implementation that always authorize an operation.

◆ SOPC_UserWithAuthorization_CreateFromIdentityToken()

SOPC_UserWithAuthorization* SOPC_UserWithAuthorization_CreateFromIdentityToken ( const SOPC_ExtensionObject pUserIdentity,
SOPC_UserAuthorization_Manager authorizationManager 
)

Creates a SOPC_UserWithAuthorization from an OpcUa_IdentityToken and an authorization manager.

Note
The created user is freed with the SOPC_UserWithAuthorization, whereas the manager is not.
Parameters
pUserIdentityThe user identity supported by an extension object, either a OpcUa_AnonymousIdentityToken or a OpcUa_UserNameIdentityToken.
authorizationManagerA borrowed reference to an authorization manager, may be NULL.
Returns
The created object if successful, otherwise NULL.

◆ SOPC_UserWithAuthorization_CreateLocal()

SOPC_UserWithAuthorization* SOPC_UserWithAuthorization_CreateLocal ( SOPC_UserAuthorization_Manager authorizationManager)

Creates a SOPC_UserWithAuthorization for a local user.

Note
The authorization manager is not free with this object.
Parameters
authorizationManagerA borrowed reference to an authorization manager, may be NULL.
Returns
The created object if successful, otherwise NULL.

◆ SOPC_UserWithAuthorization_GetManager()

SOPC_UserAuthorization_Manager* SOPC_UserWithAuthorization_GetManager ( SOPC_UserWithAuthorization userWithAuthorization)

Return the user part of the user with authorization manager.

◆ SOPC_UserWithAuthorization_GetUser()

const SOPC_User* SOPC_UserWithAuthorization_GetUser ( SOPC_UserWithAuthorization userWithAuthorization)

Return the authorization manager associated with the user.

◆ SOPC_UserWithAuthorization_Free()

void SOPC_UserWithAuthorization_Free ( SOPC_UserWithAuthorization **  ppUserWithAuthorization)

Free a SOPC_UserWithAuthorization and its embedded user when needed.