Frontend for the authorization backend.
More...
|
| Null Backend |
| The null backend implements all functions required by the authorization frontend with dummy functionallity, thus this backend grants full permissions for every user to every node.
|
|
| RolePermission Backend |
| This backend implements RolePermissions as described by the OPC Specification, Part 18 Role-Based Security.
|
|
|
SERVER_EXPORT ua_statuscode | ua_authorization_has_permission (ua_node_t node, const struct ua_user_ctx *user, uint32_t permission) |
| Checks if a user has the given permission to access a node. More...
|
|
SERVER_EXPORT bool | ua_authorization_user_has_role (const struct ua_user_ctx *user, int role_id) |
| Returns true if the user belongs to the role given by the role_id . More...
|
|
SERVER_EXPORT int | ua_authorization_find_role_by_nodeid (const struct ua_nodeid *role_nodeid, bool create) |
| Find the internal role_id for a role. More...
|
|
SERVER_EXPORT int | ua_authorization_get_role_nodeid (int role_id, struct ua_nodeid *role_nodeid) |
| Get the nodeid for an internal role_id. More...
|
|
SERVER_EXPORT int | ua_authorization_nodepermissions_filter (const struct ua_nodepermission *perms_in, uint16_t num_perms_in, const struct ua_user_ctx *user_ctx, struct ua_nodepermission *perms_out, uint16_t *num_perms_out) |
| Remove all permission entries from the input permissions which the user does not have the role for. More...
|
|
SERVER_EXPORT int | ua_authorization_nodepermissions_to_variant (const struct ua_nodepermission *perms, uint16_t num_perms, struct ua_variant *result) |
| Fills an array of ua_nodepermission into a variant of type ua_rolepermissiontype. More...
|
|
SERVER_EXPORT int | ua_authorization_nodepermissions_from_rolepermissions (const struct ua_rolepermissiontype *perms_in, struct ua_nodepermission *perms_out, uint16_t num_perms, bool create_roles) |
| Create an array of ua_nodepermission for server internal use from an array of ua_rolepermissiontype. More...
|
|
SERVER_NO_EXPORT ua_statuscode | ua_authorization_get_user_info (struct ua_user_ctx *user_ctx, const struct uasession_user_info *user_info, const struct uasession_session *session, const struct uasession_channel *channel, const struct uasession_msg_ctxt *msg_ctx) |
| Called during ActivateSession to fill the user_ctx based on the other arguments. More...
|
|
SERVER_NO_EXPORT const struct ua_nodepermission * | ua_authorization_get_nodepermissions (ua_node_t node, uint16_t *num_perms, bool *is_ns_default) |
|
SERVER_NO_EXPORT int | ua_authorization_set_nodepermissions (ua_node_t node, const struct ua_nodepermission *perms, uint16_t num_perms) |
|
SERVER_NO_EXPORT int | ua_authorization_set_nodepermissions_ns_default (ua_node_t node) |
|
SERVER_NO_EXPORT int | ua_authorization_init (void) |
|
SERVER_NO_EXPORT void | ua_authorization_clear (void) |
|
Frontend for the authorization backend.
The functions declared here are implemented in the authorization backend (execpt for those already implemented in the frontend). Highler level functionallity based on these functions is implemented in node rolepermissions.
Further functionallity like role management is backend specific and thus implemented in the backend like RolePermission Backend. If possible using backend specific functions should be avoid as these must be protected by the respective define of UA_AUTHORIZATION_BACKEND
◆ ua_authorization_find_role_by_nodeid()
SERVER_EXPORT int ua_authorization_find_role_by_nodeid |
( |
const struct ua_nodeid * |
role_nodeid, |
|
|
bool |
create |
|
) |
| |
Find the internal role_id for a role.
- Parameters
-
role_nodeid | The nodeid of the role. This is the nodeid of the role object in the address space. |
create | If true the role is created if it does not yet exist and the new id is returned. This should only be set to true if ua_role_synchronize_roles is called shortly after, e.g. during server startup. |
- Returns
- Negative errorcode on failure or non-negative role_id on success.
◆ ua_authorization_get_role_nodeid()
SERVER_EXPORT int ua_authorization_get_role_nodeid |
( |
int |
role_id, |
|
|
struct ua_nodeid * |
role_nodeid |
|
) |
| |
Get the nodeid for an internal role_id.
This is the inverse operation of ua_authorization_find_role_by_nodeid.
- Parameters
-
role_id | Server internal id of the role. |
role_nodeid | Struct to copy the nodeid to, must be freed by the caller. |
- Returns
- Zero on success or negative errorcode on failure.
◆ ua_authorization_get_user_info()
Called during ActivateSession to fill the user_ctx based on the other arguments.
All previous information is cleared from the ctx.
◆ ua_authorization_has_permission()
Checks if a user has the given permission to access a node.
Only a single permission is allowed for a single call, so applicatons might as well want to use the permission specific functions like ua_node_allow_read.
This function also takes the AccressRestrictions into account, so a user might be denied access if the permission allows it, but e.g. the connection is not secure.
- Parameters
-
node | Node handle to check permssions for. |
user | User identified by its ua_user_ctx. |
permission | The permission to check, must be a single bit of ua_permissiontype. |
- Returns
- Zero on success or statuscode on failure.
◆ ua_authorization_nodepermissions_filter()
SERVER_EXPORT int ua_authorization_nodepermissions_filter |
( |
const struct ua_nodepermission * |
perms_in, |
|
|
uint16_t |
num_perms_in, |
|
|
const struct ua_user_ctx * |
user_ctx, |
|
|
struct ua_nodepermission * |
perms_out, |
|
|
uint16_t * |
num_perms_out |
|
) |
| |
Remove all permission entries from the input permissions which the user does not have the role for.
- Parameters
-
perms_in | Array of input permissions to filter, may only be NULL if num_perms_in is 0. |
num_perms_in | Number of input permissions. |
user_ctx | The context of the user to filter for. |
perms_out | The array of filtered output permissions, the array must be allocated by the caller and is filled by this function. If the array is too small an error is returned. |
num_perms_out | Number of output permissions, the caller must set the size of the output array, this function will set the number of filled output permisssions. |
- Returns
- Zero on success or negative errorcode on failure.
◆ ua_authorization_nodepermissions_from_rolepermissions()
SERVER_EXPORT int ua_authorization_nodepermissions_from_rolepermissions |
( |
const struct ua_rolepermissiontype * |
perms_in, |
|
|
struct ua_nodepermission * |
perms_out, |
|
|
uint16_t |
num_perms, |
|
|
bool |
create_roles |
|
) |
| |
Create an array of ua_nodepermission for server internal use from an array of ua_rolepermissiontype.
struct ua_nodepermissions np[2];
{
UA_PERMISSIONTYPE_BROWSE
},
{
UA_PERMISSIONTYPE_READ
| UA_PERMISSIONTYPE_BROWSE
| UA_PERMISSIONTYPE_READROLEPERMISSIONS
},
};
if (ret != 0) return ret;
- Parameters
-
perms_in | Input permissions array. |
perms_out | Output permissions array. |
num_perms | Number of input and output permissions, these must have the same size. |
create_roles | If true a role is created if it does not yet exist. This should only be set to true if ua_role_synchronize_roles is called shortly after, e.g. during server startup. |
- Returns
- Zero on success or negative errorcode on failure.
◆ ua_authorization_nodepermissions_to_variant()
SERVER_EXPORT int ua_authorization_nodepermissions_to_variant |
( |
const struct ua_nodepermission * |
perms, |
|
|
uint16_t |
num_perms, |
|
|
struct ua_variant * |
result |
|
) |
| |
Fills an array of ua_nodepermission into a variant of type ua_rolepermissiontype.
- Parameters
-
perms | Array of permission, may only be NULL if num_perms is 0. |
num_perms | Number of permissions in the array. |
result | Variant with the permissions array. |
- Returns
- Zero on success or negative errorcode on failure.
◆ ua_authorization_user_has_role()
SERVER_EXPORT bool ua_authorization_user_has_role |
( |
const struct ua_user_ctx * |
user, |
|
|
int |
role_id |
|
) |
| |
Returns true if the user
belongs to the role given by the role_id
.