OPCFoundation · mregen · Feb 27, 2024 · Oct 11, 2023 · Oct 11, 2023 · Oct 17, 2023
diff --git a/Libraries/Opc.Ua.Gds.Server.Common/ApplicationsNodeManager.cs b/Libraries/Opc.Ua.Gds.Server.Common/ApplicationsNodeManager.cs
@@ -167,11 +167,14 @@
             if (context != null)
             {
                 RoleBasedIdentity identity = context.UserIdentity as RoleBasedIdentity;
-
-                if ((identity == null) || (identity.Role != GdsRole.ApplicationAdmin))
+                if (identity != null)
                 {
-                    throw new ServiceResultException(StatusCodes.BadUserAccessDenied, "Application Administrator access required.");
+                    if (identity.Role == GdsRole.ApplicationAdmin)
+                    {
+                        return;
+                    }
                 }
+                throw new ServiceResultException(StatusCodes.BadUserAccessDenied, "Application Administrator access required.");
             }
         }
 
@@ -181,10 +184,40 @@
             {
                 RoleBasedIdentity identity = context.UserIdentity as RoleBasedIdentity;
 
-                if (identity == null)
+                if (identity != null)
+                {
+                    if ((identity.Role == GdsRole.ApplicationUser) || (identity.Role == GdsRole.ApplicationAdmin))
+                    {
+                        return;
+                    }
+                }
+                throw new ServiceResultException(StatusCodes.BadUserAccessDenied, "Application Administrator access required.");
+            }
+        }
+
+        /// <summary>
+        /// checks if the given Application can be modified with the current context
+        /// </summary>
+        /// <param name="context">the current context</param>
+        /// <param name="applicationId">the application to modify</param>
+        private void HasApplicationSelfAdminPrivilege(ISystemContext context, NodeId applicationId)
+        {
+            if (context != null)
+            {
+                RoleBasedIdentity identity = context.UserIdentity as RoleBasedIdentity;
+                if (identity != null)
                 {
-                    throw new ServiceResultException(StatusCodes.BadUserAccessDenied, "Application User access required.");
+                    //administrator/user has full access
+                    if (identity.Role == GdsRole.ApplicationAdmin || identity.Role == GdsRole.ApplicationUser)
+                        return;
+                    //not administrator/user only has access to own application
+                    if (identity.ApplicationId == applicationId)
+                    {
+                        return;
+                    }
                 }
+                throw new ServiceResultException(StatusCodes.BadUserAccessDenied, "Application Self Admin Privielge or " +
+                            "Application Administrator/User access required.");
             }
         }
 
@@ -760,7 +793,7 @@
             string privateKeyPassword,
             ref NodeId requestId)
         {
-            HasApplicationAdminAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 
@@ -879,7 +912,7 @@
             byte[] certificateRequest,
             ref NodeId requestId)
         {
-            HasApplicationAdminAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 
@@ -960,7 +993,7 @@
             signedCertificate = null;
             issuerCertificates = null;
             privateKey = null;
-            HasApplicationAdminAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
             if (application == null)
@@ -1126,7 +1159,7 @@
             NodeId applicationId,
             ref NodeId[] certificateGroupIds)
         {
-            HasApplicationUserAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 
@@ -1154,7 +1187,7 @@
             NodeId certificateGroupId,
             ref NodeId trustListId)
         {
-            HasApplicationUserAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 
@@ -1187,7 +1220,7 @@
             NodeId certificateTypeId,
             ref Boolean updateRequired)
         {
-            HasApplicationUserAccess(context);
+            HasApplicationSelfAdminPrivilege(context, applicationId);
 
             var application = m_database.GetApplication(applicationId);
 

diff --git a/Libraries/Opc.Ua.Gds.Server.Common/GlobalDiscoverySampleServer.cs b/Libraries/Opc.Ua.Gds.Server.Common/GlobalDiscoverySampleServer.cs
@@ -33,6 +33,10 @@
 using System.Threading;
 using Opc.Ua.Server;
 using Opc.Ua.Gds.Server.Database;
+using Opc.Ua.Security.Certificates;
+using Org.BouncyCastle.Asn1.Cmp;
+using System.Linq;
+using System.Data;
 
 namespace Opc.Ua.Gds.Server
 {
@@ -238,9 +242,61 @@
                 // role = GdsRole.ApplicationAdmin;
 
                 Utils.LogInfo("X509 Token Accepted: {0} as {1}", args.Identity.DisplayName, role.ToString());
-                args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role);
+
+                string applicationUri = session.SessionDiagnostics.ClientDescription.ApplicationUri;
+                args.Identity = new RoleBasedIdentity(new UserIdentity(x509Token), role, applicationUri);
                 return;
             }
+
+            //check if applicable for application self admin privilege
+            if(session.ClientCertificate != null)
+            {
+                if (VerifiyApplicationRegistered(session.ClientCertificate))
+                {
+                    ImpersonateAsApplicationSelfAdmin(session, args);
+                }
+            }
+        }
+
+        /// <summary>
+        /// Verifies if an Application is registered with the provided certificate at at the GDS
+        /// </summary>
+        /// <param name="applicationInstanceCertificate">the certificate to check for</param>
+        /// <returns></returns>
+        private bool VerifiyApplicationRegistered(X509Certificate2 applicationInstanceCertificate)
+        {
+            bool applicationRegistered = false;
+            //get access to GDS configuration section to find out ApplicationCertificatesStorePath
+            GlobalDiscoveryServerConfiguration configuration = Configuration.ParseExtension<GlobalDiscoveryServerConfiguration>();
+            if (configuration == null)
+            {
+                configuration = new GlobalDiscoveryServerConfiguration();
+            }
+            //check if application certificate is in the Store of the GDS
+            using (ICertificateStore ApplicationsStore = CertificateStoreIdentifier.OpenStore(configuration.ApplicationCertificatesStorePath))
+            {
+                var matchingCerts = ApplicationsStore.FindByThumbprint(applicationInstanceCertificate.Thumbprint).Result;
+
+                if (matchingCerts.Contains(applicationInstanceCertificate))
+                    applicationRegistered =  true;
+            }
+            //check if application certificate is revoked
+            using (ICertificateStore AuthoritiesStore = CertificateStoreIdentifier.OpenStore(configuration.AuthoritiesStorePath))
+            {
+                var crls = AuthoritiesStore.EnumerateCRLs().Result;
+                foreach (X509CRL crl in crls)
+                {
+                    var revokedCertificates = crl.RevokedCertificates;
+                    foreach (RevokedCertificate revokedCertificate in revokedCertificates)
+                    {
+                        if(revokedCertificate.SerialNumber == applicationInstanceCertificate.SerialNumber)
+                        {
+                            applicationRegistered = false;
+                        }
+                    }
+                }
+            }
+            return applicationRegistered;
         }
 
         /// <summary>
@@ -301,6 +357,28 @@
             m_userDatabase.CreateUser("appadmin", "demo", GdsRole.ApplicationAdmin);
             m_userDatabase.CreateUser("appuser", "demo", GdsRole.ApplicationUser);
         }
+
+        /// <summary>
+        /// Impersonates the current Session as ApplicationSelfAdmin
+        /// </summary>
+        /// <param name="session">the current session</param>
+        /// <param name="args">the impersonateEventArgs</param>
+        private void ImpersonateAsApplicationSelfAdmin(Session session, ImpersonateEventArgs args)
+        {
+            string applicationUri = session.SessionDiagnostics.ClientDescription.ApplicationUri;
+            ApplicationRecordDataType[] application = m_database.FindApplications(applicationUri);
+            if(application == null || application.Length>1 || application.Length<1)
+            {
+                Utils.LogInfo("Cannot login based on ApplicationInstanceCertificate, no uniqure result for Application with URI: {0}", applicationUri);
+                return;
+            }
+            NodeId applicationId = application.FirstOrDefault().ApplicationId;
+            Utils.LogInfo("Application {0} accepted based on ApplicationInstanceCertificate as ApplicationSelfAdmin",
+                applicationUri);
+            args.Identity = new RoleBasedIdentity(new UserIdentity(), GdsRole.ApplicationSelfAdmin, applicationId);
+            return;
+        }
+
         #endregion
 
         #region Private Fields

diff --git a/Libraries/Opc.Ua.Gds.Server.Common/RoleBasedIdentity.cs b/Libraries/Opc.Ua.Gds.Server.Common/RoleBasedIdentity.cs
@@ -27,6 +27,7 @@
  * http://opcfoundation.org/License/MIT/1.00/
  * ======================================================================*/
 
+using System;
 using System.Xml;
 
 namespace Opc.Ua.Gds.Server
@@ -44,7 +45,12 @@
         /// <summary>
         /// The GDS application user.
         /// </summary>
-        ApplicationUser
+        ApplicationUser,
+
+        /// <summary>
+        /// Can manage the own Certificates and pull trust list
+        /// </summary>
+        ApplicationSelfAdmin
     }
 
     /// <summary>
@@ -54,6 +60,7 @@
     {
         private IUserIdentity m_identity;
         private GdsRole m_role;
+        private NodeId m_applicationId;
 
         /// <summary>
         /// Initialize the role based identity.
@@ -64,6 +71,12 @@
             m_role = role;
         }
 
+        public RoleBasedIdentity(IUserIdentity identity, GdsRole role, NodeId applicationId)
+            :this(identity, role)
+        {
+            m_applicationId = applicationId;
+        }
+
         /// <inheritdoc/>
         public NodeIdCollection GrantedRoleIds
         {
@@ -79,6 +92,14 @@
             get { return m_role; }
         }
 
+        /// <summary>
+        /// The applicationId in case the ApplicationSelfAdminPrivilege is used
+        /// </summary>
+        public NodeId ApplicationId
+        {
+            get { return m_applicationId; }
+        }
+
         /// <inheritdoc/>
         public string DisplayName
         {

diff --git a/Tests/Opc.Ua.Gds.Tests/ClientTest.cs b/Tests/Opc.Ua.Gds.Tests/ClientTest.cs
@@ -735,7 +735,9 @@ out byte[][] issuerCertificates
             } while (requestBusy);
         }
 
-        [Test, Order(511)]
+
+
+        [Test, Order(512)]
         public void FinishInvalidNewKeyPairRequests()
         {
             AssertIgnoreTestWithoutInvalidRegistration();
@@ -943,6 +945,68 @@ public void GetGoodCertificateGroupsAndTrustLists()
             }
         }
 
+        [Test, Order(620)]
+        public void FailToGetGoodCertificateGroupsWithoutPriviledges()
+        {
+            AssertIgnoreTestWithoutGoodRegistration();
+            AssertIgnoreTestWithoutGoodNewKeyPairRequest();
+
+            //connect to GDS without Admin Privilege
+            ConnectGDS(false);
+
+            foreach (var application in m_goodApplicationTestSet)
+            {
+                if (application.Certificate != null)
+                {
+                    var sre = Assert.Throws<ServiceResultException>(() => m_gdsClient.GDSClient.GetCertificateGroups(application.ApplicationRecord.ApplicationId));
+                    Assert.NotNull(sre);
+                    Assert.AreEqual(StatusCodes.BadUserAccessDenied, sre.StatusCode, sre.Result.ToString());
+
+                }
+            }
+        }
+
+        [Test, Order(630)]
+        public void GetGoodCertificateGroupsAsSelfAdmin()
+        {
+            AssertIgnoreTestWithoutGoodRegistration();
+            AssertIgnoreTestWithoutGoodNewKeyPairRequest();
+
+
+            // connect with gds issued certificate
+            m_gdsClient.RegisterTestClientAtGds();
+            ConnectGDS(false, true);
+
+            // ensure access to other applications is denied
+            foreach (var application in m_goodApplicationTestSet)
+            {
+                if (application.Certificate != null)
+                {
+                    var sre = Assert.Throws<ServiceResultException>(() => m_gdsClient.GDSClient.GetCertificateGroups(application.ApplicationRecord.ApplicationId));
+                    Assert.NotNull(sre);
+                    Assert.AreEqual(StatusCodes.BadUserAccessDenied, sre.StatusCode, sre.Result.ToString());
+                }
+            }
+
+            Assert.Ignore("TODO: Tests for other logic is not implemented yet!");
+
+            // use self registered application and get the group / trust lists
+            var certificateGroups = m_gdsClient.GDSClient.GetCertificateGroups(m_gdsClient.OwnApplicationTestData.ApplicationRecord.ApplicationId);
+            foreach (var certificateGroup in certificateGroups)
+            {
+                var trustListId = m_gdsClient.GDSClient.GetTrustList(m_gdsClient.OwnApplicationTestData.ApplicationRecord.ApplicationId, certificateGroup);
+                // Opc.Ua.TrustListDataType
+                var trustList = m_gdsClient.GDSClient.ReadTrustList(trustListId);
+                Assert.NotNull(trustList);
+            }
+
+            // self issue a certificate and read it back
+
+            // self issue a public/private key pair and read it back
+
+
+        }
+
         [Test, Order(690)]
         public void GetGoodCertificateStatus()
         {
@@ -1034,11 +1098,18 @@ public void ServerLogResult()
         #endregion
 
         #region Private Methods
-        private void ConnectGDS(bool admin,
+        private void ConnectGDS(bool admin, bool anonymous = false,
             [System.Runtime.CompilerServices.CallerMemberName] string memberName = ""
             )
         {
-            m_gdsClient.GDSClient.AdminCredentials = admin ? m_gdsClient.AdminUser : m_gdsClient.AppUser;
+            if (anonymous)
+            {
+                m_gdsClient.GDSClient.AdminCredentials = m_gdsClient.Anonymous;
+            }
+            else
+            {
+                m_gdsClient.GDSClient.AdminCredentials = admin ? m_gdsClient.AdminUser : m_gdsClient.AppUser;
+            } 
             m_gdsClient.GDSClient.Connect(m_gdsClient.GDSClient.EndpointUrl).Wait();
             TestContext.Progress.WriteLine($"GDS Client({admin}) connected -- {memberName}");
         }