GDS: implement ApplicationSelfAdmin privilege in GlobalDiscoverySampleServer

Libraries/Opc.Ua.Gds.Server.Common/ApplicationsNodeManager.cs

@@ -188,6 +188,29 @@
             }
         }
 
+        /// <summary>
+        /// checks if the given Application can be modified with the current context
+        /// </summary>
+        /// <param name="context">the current context</param>
+        /// <param name="applicationId">the application to modify</param>
+        private void HasApplicationSelfAdminPrivilege(ISystemContext context, NodeId applicationId)
+        {
+            HasApplicationUserAccess(context);
+            if (context != null)
+            {
+                RoleBasedIdentity identity = context.UserIdentity as RoleBasedIdentity;
+                //administrator has full access
+                if (identity.Role == GdsRole.ApplicationAdmin)
+                    return;
+                //not administrator only has access to specified application
+                if (identity.ApplicationId != applicationId)
+                {
+                    throw new ServiceResultException(StatusCodes.BadUserAccessDenied, "Application Self Admin Privielge or " +
+                        "Application Administrator access required.");
+                }
+            }
+        }
+
         private NodeId GetTrustListId(NodeId certificateGroupId)
         {
 
@@ -760,7 +783,7 @@
             string privateKeyPassword,
             ref NodeId requestId)
         {
-            HasApplicationAdminAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 
@@ -879,7 +902,7 @@
             byte[] certificateRequest,
             ref NodeId requestId)
         {
-            HasApplicationAdminAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 
@@ -960,7 +983,7 @@
             signedCertificate = null;
             issuerCertificates = null;
             privateKey = null;
-            HasApplicationAdminAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
             if (application == null)
@@ -1126,7 +1149,7 @@
             NodeId applicationId,
             ref NodeId[] certificateGroupIds)
         {
-            HasApplicationUserAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 
@@ -1154,7 +1177,7 @@
             NodeId certificateGroupId,
             ref NodeId trustListId)
         {
-            HasApplicationUserAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 
@@ -1187,7 +1210,7 @@
             NodeId certificateTypeId,
             ref Boolean updateRequired)
         {
-            HasApplicationUserAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 

Libraries/Opc.Ua.Gds.Server.Common/GlobalDiscoverySampleServer.cs

@@ -33,6 +33,10 @@
 using System.Threading;
 using Opc.Ua.Server;
 using Opc.Ua.Gds.Server.Database;
+using Opc.Ua.Security.Certificates;
+using Org.BouncyCastle.Asn1.Cmp;
+using System.Linq;
+using System.Data;
 
 namespace Opc.Ua.Gds.Server
 {
@@ -229,9 +233,61 @@
                 // role = GdsRole.ApplicationAdmin;
 
                 Utils.LogInfo("X509 Token Accepted: {0} as {1}", args.Identity.DisplayName, role.ToString());
-                args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role);
+
+                string applicationUri = session.SessionDiagnostics.ClientDescription.ApplicationUri;
+                args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role, applicationUri);
                 return;
             }
+
+            //check if applicable for application self admin privilege
+            if(session.ClientCertificate != null)
+            {
+                if (VerifiyApplicationRegistered(session.ClientCertificate))
+                {
+                    ImpersonateAsApplicationSelfAdmin(session, args);
+                }
+            }
+        }
+
+        /// <summary>
+        /// Verifies if an Application is registered with the provided certificate at at the GDS
+        /// </summary>
+        /// <param name="applicationInstanceCertificate">the certificate to check for</param>
+        /// <returns></returns>
+        private bool VerifiyApplicationRegistered(X509Certificate2 applicationInstanceCertificate)
+        {
+            bool applicationRegistered = false;
+            //get access to GDS configuration section to find out ApplicationCertificatesStorePath
+            GlobalDiscoveryServerConfiguration configuration = Configuration.ParseExtension<GlobalDiscoveryServerConfiguration>();
+            if (configuration == null)
+            {
+                configuration = new GlobalDiscoveryServerConfiguration();
+            }
+            //check if application certificate is in the Store of the GDS
+            using (ICertificateStore ApplicationsStore = CertificateStoreIdentifier.OpenStore(configuration.ApplicationCertificatesStorePath))
+            {
+                var matchingCerts = ApplicationsStore.FindByThumbprint(applicationInstanceCertificate.Thumbprint).Result;
+
+                if (matchingCerts.Contains(applicationInstanceCertificate))
+                    applicationRegistered =  true;
+            }
+            //check if application certificate is revoked
+            using (ICertificateStore AuthoritiesStore = CertificateStoreIdentifier.OpenStore(configuration.AuthoritiesStorePath))
+            {
+                var crls = AuthoritiesStore.EnumerateCRLs().Result;
+                foreach (X509CRL crl in crls)
+                {
+                    var revokedCertificates = crl.RevokedCertificates;
+                    foreach (RevokedCertificate revokedCertificate in revokedCertificates)
+                    {
+                        if(revokedCertificate.SerialNumber == applicationInstanceCertificate.SerialNumber)
+                        {
+                            applicationRegistered = false;
+                        }
+                    }
+                }
+            }
+            return applicationRegistered;
         }
 
         /// <summary>
@@ -282,6 +338,28 @@
             // TODO: check username/password permissions
             return userNameToken.DecryptedPassword == "demo";
         }
+
+        /// <summary>
+        /// Impersonates the current Session as ApplicationSelfAdmin
+        /// </summary>
+        /// <param name="session">the current session</param>
+        /// <param name="args">the impersonateEventArgs</param>
+        private void ImpersonateAsApplicationSelfAdmin(Session session, ImpersonateEventArgs args)
+        {
+            string applicationUri = session.SessionDiagnostics.ClientDescription.ApplicationUri;
+            ApplicationRecordDataType[] application = m_database.FindApplications(applicationUri);
+            if(application == null || application.Length>1 || application.Length<1)
+            {
+                Utils.LogInfo("Cannot login based on ApplicationInstanceCertificate, no uniqure result for Application with URI: {0}", applicationUri);
+                return;
+            }
+            NodeId applicationId = application.FirstOrDefault().ApplicationId;
+            Utils.LogInfo("Application {0} accepted based on ApplicationInstanceCertificate as ApplicationSelfAdmin",
+                applicationUri);
+            args.Identity = new RoleBasedIdentity(new UserIdentity(), GdsRole.ApplicationSelfAdmin, applicationId);
+            return;
+        }
+
         #endregion
 
         #region Private Fields

Libraries/Opc.Ua.Gds.Server.Common/RoleBasedIdentity.cs

@@ -27,6 +27,7 @@
  * http://opcfoundation.org/License/MIT/1.00/
  * ======================================================================*/
 
+using System;
 using System.Xml;
 
 namespace Opc.Ua.Gds.Server
@@ -44,7 +45,12 @@
         /// <summary>
         /// The GDS application user.
         /// </summary>
-        ApplicationUser
+        ApplicationUser,
+
+        /// <summary>
+        /// Can manage the own Certificates and pull trust list
+        /// </summary>
+        ApplicationSelfAdmin
     }
 
     /// <summary>
@@ -54,6 +60,7 @@
     {
         private IUserIdentity m_identity;
         private GdsRole m_role;
+        private NodeId m_applicationId;
 
         /// <summary>
         /// Initialize the role based identity.
@@ -64,6 +71,12 @@
             m_role = role;
         }
 
+        public RoleBasedIdentity(IUserIdentity identity, GdsRole role, NodeId applicationId)
+            :this(identity, role)
+        {
+            m_applicationId = applicationId;
+        }
+
         /// <inheritdoc/>
         public NodeIdCollection GrantedRoleIds
         {
@@ -79,6 +92,14 @@
             get { return m_role; }
         }
 
+        /// <summary>
+        /// The applicationId in case the ApplicationSelfAdminPrivilege is used
+        /// </summary>
+        public NodeId ApplicationId
+        {
+            get { return m_applicationId; }
+        }
+
         /// <inheritdoc/>
         public string DisplayName
         {

Tests/Opc.Ua.Gds.Tests/ClientTest.cs

@@ -85,6 +85,7 @@ protected async Task OneTimeSetUp()
             m_goodRegistrationOk = false;
             m_invalidRegistrationOk = false;
             m_goodNewKeyPairRequestOk = false;
+            m_runApplicationSelfAdminTests = false;
         }
 
         /// <summary>
@@ -735,7 +736,9 @@ out byte[][] issuerCertificates
             } while (requestBusy);
         }
 
-        [Test, Order(511)]
+
+
+        [Test, Order(512)]
         public void FinishInvalidNewKeyPairRequests()
         {
             AssertIgnoreTestWithoutInvalidRegistration();
@@ -941,6 +944,31 @@ public void GetGoodCertificateGroupsAndTrustLists()
                     Assert.NotNull(trustList);
                 }
             }
+
+            if (m_runApplicationSelfAdminTests)
+            {
+                AssertIgnoreTestWithoutGoodRegistration();
+                AssertIgnoreTestWithoutGoodNewKeyPairRequest();
+                DisconnectGDS();
+                //connect to GDS without Admin Privilege
+                ConnectGDS(false);
+
+                foreach (var application in m_goodApplicationTestSet)
+                {
+                    if (application.Certificate != null)
+                    {
+                        var certificateGroups = m_gdsClient.GDSClient.GetCertificateGroups(application.ApplicationRecord.ApplicationId);
+                        foreach (var certificateGroup in certificateGroups)
+                        {
+                            var trustListId = m_gdsClient.GDSClient.GetTrustList(application.ApplicationRecord.ApplicationId, certificateGroup);
+                            // Opc.Ua.TrustListDataType
+                            var trustList = m_gdsClient.GDSClient.ReadTrustList(trustListId);
+                            Assert.NotNull(trustList);
+                        }
+                    }
+                }
+
+            }
         }
 
         [Test, Order(690)]
@@ -1094,6 +1122,7 @@ private int GoodServersOnNetworkCount()
         private bool m_goodRegistrationOk;
         private bool m_invalidRegistrationOk;
         private bool m_goodNewKeyPairRequestOk;
+        private bool m_runApplicationSelfAdminTests;
         #endregion
     }