Security Lesson 3: Assigning Access Rights to Nodes

Questions regarding the use of the ANSI C SDK for Server or Client development or integration into customer products ...

FaMo
Jr. Member
Posts: 2
Joined: 02 Feb 2017, 11:03

Security Lesson 3: Assigning Access Rights to Nodes

Post by FaMo »

Hello,

I am currently using the ANSI C SDK evaluation. In the third server lesson, Security 3, I have done as described, but when I log in anonymously I see the three variables and can edit them all. I didn't edit the code; I just moved the UA Expert certificate from rejected to trusted/certs. The server is running on a Debian virtual machine and UA Expert on a Windows host machine. I have checked the "group" and "passwd" files; they are both in the same folder as the server executable. Any ideas what I could be doing wrong?

Thanks

Support Team
Hero Member
Posts: 3070
Joined: 18 Mar 2011, 15:09

Re: Security Lesson 3: Assigning Access Rights to Nodes

Post by Support Team »

Hello FaMo,

Thank you for informing us about this issue. The reason for this behaviour is that we changed the default root and anonymous user IDs in version 1.7.0 of the SDK to be consistent with our other SDKs. Unfortunately, the IDs used in security lesson 03 are hard-coded and have not been adapted. We will change the lesson to use the user names instead in the next version of the SDK.

Until then you can replace the function CustomProvider_CreateSampleNodes in lesson_security03/custom_provider.c with the following version to resolve the issue:

OpcUa_StatusCode CustomProvider_CreateSampleNodes(OpcUa_BaseNode *a_pOwner, OpcUa_NodeId *a_pStartingNodeId)
{
/*! [CreateSampleNodes prototype] */
    OpcUa_DataVariable      *pVariable              = OpcUa_Null;
    OpcUa_Variant           *pValue                 = OpcUa_Null;
    UaServer_AddressSpace   *pAddressSpace          = &g_pCustomProvider->AddressSpace;
    UaServer_AddressSpace   *pServerAddressSpace    = OpcUa_Null;
    OpcUa_NodeId             nodeId, referenceNodeId, typeNodeId;
    OpcUa_uid_t              uidAnonymous = 0, uidRoot = 0;
    OpcUa_gid_t              gidAnonymous = 0, gidRoot = 0;

    OpcUa_InitializeStatus(OpcUa_Module_Server, "CustomProvider_CreateSampleNodes");

    OpcUa_ReturnErrorIfArgumentNull(a_pOwner);
    OpcUa_ReturnErrorIfArgumentNull(a_pStartingNodeId);

    UaServer_AddressSpace_Get(0, &pServerAddressSpace);
    OpcUa_NodeId_Initialize(&nodeId);
    OpcUa_NodeId_Initialize(&referenceNodeId);
    OpcUa_NodeId_Initialize(&typeNodeId);

    /* Resolve the user and group IDs by name from the passwd/group files instead of
       relying on hard-coded numeric IDs, which changed in SDK version 1.7.0 */
    uStatus = UaServer_GetUserId(OpcUa_String_FromCString("anonymous"), &uidAnonymous, &gidAnonymous);
    OpcUa_GotoErrorIfBad(uStatus);
    uStatus = UaServer_GetUserId(OpcUa_String_FromCString("root"), &uidRoot, &gidRoot);
    OpcUa_GotoErrorIfBad(uStatus);

/*! [RW all] */
    /* Create variable that is read- and writable by all users */
    a_pStartingNodeId->Identifier.Numeric++;
    uStatus = UaServer_CreateDataVariable(pAddressSpace,
                                          &pVariable,
                                          a_pOwner,
                                          a_pStartingNodeId->Identifier.Numeric,
                                          g_uCustomProvider_NamespaceIndex,
                                          "Sample_WriteAll_ReadAll");
    OpcUa_GotoErrorIfBad(uStatus);
    OpcUa_Variable_SetDataType_Numeric(pVariable, OpcUaId_UInt32, 0);
    pValue = OpcUa_Variable_GetValue(pVariable);
    pValue->Datatype = OpcUaType_UInt32;
    pValue->Value.UInt32 = 100;

    /* 0x0FFF sets all twelve permission bits: attribute write, write, read and browse
       for user, group and other alike */
    UaServer_UserMgt_SetPermissions((OpcUa_BaseNode*)pVariable,
                                    uidAnonymous,
                                    gidAnonymous,
                                    0x0FFF);
/*! [RW all] */

/*! [R all RW root] */
    /* Create variable that is readable by all users and only writable by user 'root' */
    a_pStartingNodeId->Identifier.Numeric++;
    uStatus = UaServer_CreateDataVariable(pAddressSpace,
                                          &pVariable,
                                          a_pOwner,
                                          a_pStartingNodeId->Identifier.Numeric,
                                          g_uCustomProvider_NamespaceIndex,
                                          "Sample_WriteRoot_ReadAll");
    OpcUa_GotoErrorIfBad(uStatus);
    OpcUa_Variable_SetDataType_Numeric(pVariable, OpcUaId_UInt32, 0);
    pValue = OpcUa_Variable_GetValue(pVariable);
    pValue->Datatype = OpcUaType_UInt32;
    pValue->Value.UInt32 = 100;

    /* Owner 'root' gets full rights; group and other may only read and browse */
    UaServer_UserMgt_SetPermissions((OpcUa_BaseNode*)pVariable,
                                    uidRoot,
                                    gidRoot,
                                    UA_USER_ATTRWRITABLE | UA_USER_WRITABLE | UA_USER_READABLE | UA_USER_BROWSEABLE |
                                    UA_GROUP_READABLE | UA_GROUP_BROWSEABLE |
                                    UA_OTHER_READABLE | UA_OTHER_BROWSEABLE);
/*! [R all RW root] */

/*! [RW root] */
    /* Create variable that is read- and writable only by user 'root' */
    a_pStartingNodeId->Identifier.Numeric++;
    uStatus = UaServer_CreateDataVariable(pAddressSpace,
                                          &pVariable,
                                          a_pOwner,
                                          a_pStartingNodeId->Identifier.Numeric,
                                          g_uCustomProvider_NamespaceIndex,
                                          "Sample_WriteRoot_ReadRoot");
    OpcUa_GotoErrorIfBad(uStatus);
    OpcUa_Variable_SetDataType_Numeric(pVariable, OpcUaId_UInt32, 0);
    pValue = OpcUa_Variable_GetValue(pVariable);
    pValue->Datatype = OpcUaType_UInt32;
    pValue->Value.UInt32 = 100;

    /* Only the owner 'root' gets any rights; no group or other bits are set */
    UaServer_UserMgt_SetPermissions((OpcUa_BaseNode*)pVariable,
                                    uidRoot,
                                    gidRoot,
                                    UA_USER_ATTRWRITABLE | UA_USER_WRITABLE | UA_USER_READABLE | UA_USER_BROWSEABLE);
/*! [RW root] */

    OpcUa_ReturnStatusCode;
    OpcUa_BeginErrorHandling;

    OpcUa_FinishErrorHandling;
}

Best regards
Unified Automation Support Team
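The user/group/other permission model that the fix above relies on, as an added example that is not part of the forum post or the SDK: the bit layout, the PERM_* constants, the resolve_user lookup and the uid/gid values are assumptions standing in for UA_USER_*/UA_GROUP_*/UA_OTHER_* and UaServer_GetUserId. It also shows, beyond the post, how a stale hard-coded owner ID that happens to coincide with another account's ID drops that account into the owner class.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout of the twelve flags named in the post (real SDK values may differ):
 * bits 0-3 user, 4-7 group, 8-11 other, so "everything for everyone" is 0x0FFF. */
#define PERM_BROWSEABLE   0x1u
#define PERM_READABLE     0x2u
#define PERM_WRITABLE     0x4u
#define PERM_ATTRWRITABLE 0x8u
#define USER_SHIFT  0
#define GROUP_SHIFT 4
#define OTHER_SHIFT 8
typedef struct { uint32_t uid, gid, mask; } node_perm_t;  /* owner ids + permission bits */
typedef struct { uint32_t uid, gid; } session_user_t;      /* identity behind a session */

/* Constructed stand-in for the passwd/group lookup done by UaServer_GetUserId;
 * the ids are made up and are not the SDK's defaults. */
typedef struct { const char *name; uint32_t uid, gid; } user_entry_t;
static const user_entry_t USERS[] = { { "root", 1000, 1000 }, { "anonymous", 1001, 1001 } };
static bool resolve_user(const char *name, session_user_t *out)
{
    size_t i;
    for (i = 0; i < sizeof USERS / sizeof USERS[0]; i++)
        if (strcmp(USERS[i].name, name) == 0) { out->uid = USERS[i].uid; out->gid = USERS[i].gid; return true; }
    return false;
}

/* Unix-style check: the caller falls into exactly one class and only that class's bits decide. */
static bool node_allows(const node_perm_t *n, const session_user_t *u, uint32_t right)
{
    unsigned shift = (u->uid == n->uid) ? USER_SHIFT
                   : (u->gid == n->gid) ? GROUP_SHIFT : OTHER_SHIFT;
    return ((n->mask >> shift) & right) != 0;
}

/* The mask the post assigns to Sample_WriteRoot_ReadAll: owner full, group/other read+browse. */
static uint32_t mask_read_all_write_owner(void)
{
    return ((PERM_ATTRWRITABLE | PERM_WRITABLE | PERM_READABLE | PERM_BROWSEABLE) << USER_SHIFT)
         | ((PERM_READABLE | PERM_BROWSEABLE) << GROUP_SHIFT)
         | ((PERM_READABLE | PERM_BROWSEABLE) << OTHER_SHIFT);
}

/* Owner resolved by name, as the fix in the post does, rather than by a hard-coded id. */
static bool user_may(const char *caller, const char *owner, uint32_t mask, uint32_t right)
{
    session_user_t c, o; node_perm_t n;
    if (!resolve_user(caller, &c) || !resolve_user(owner, &o)) return false;
    n.uid = o.uid; n.gid = o.gid; n.mask = mask;
    return node_allows(&n, &c, right);
}
```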
