FreeOpcUa / python-opcua

LGPL Pure Python OPC-UA Client and Server
http://freeopcua.github.io/
GNU Lesser General Public License v3.0

User authentication has security bug #1457

Closed ryangu18 closed 2 years ago

ryangu18 commented 2 years ago

Describe the bug
User authentication has a security bug: even after enabling server.set_security_IDs("Username"), I can still log in anonymously.

To Reproduce
Steps to reproduce the behavior incl code.
The code comes from here: https://github.com/FreeOpcUa/python-opcua/issues/1153#issuecomment-713593224. It is Mr. AndreasHeine's demonstration code; I didn't make any changes.

Expected behavior
Create a UA server; the security policy is Basic256Sha256_SignAndEncrypt, and the authentication user/pwd is 'user1' and 'pw1'.

Screenshots

This screenshot is as expected: we see the security policy and can only authenticate with username and password; anonymous is disabled. Select OK. Then, instead of connecting to this server, right-click to open Properties. At this time I see that Anonymous has been enabled; choose Anonymous,

click OK, and connect to the server: we see that the server has been connected without entering a password.


Version
Python-Version: python 3.9 64bit
python-opcua Version (e.g. master branch, 0.9): 0.98.13

schroeder- commented 2 years ago

UAExpert allows you to select every Security Policy, even if it is not supported, if you go through the Properties menu.

AndreasHeine commented 2 years ago

Nevertheless, it should not be able to connect anonymously...

ryangu18 commented 2 years ago

Note that the security policy and authorization for this server are set in the code:

```python
from opcua import ua

# Endpoints offered by the server: NoSecurity is left enabled here alongside
# the encrypted policy, so an unencrypted endpoint is still advertised.
server.set_security_policy([
    ua.SecurityPolicyType.NoSecurity,
    # ua.SecurityPolicyType.Basic128Rsa15_Sign,
    # ua.SecurityPolicyType.Basic128Rsa15_SignAndEncrypt,
    # ua.SecurityPolicyType.Basic256Sha256_Sign,
    ua.SecurityPolicyType.Basic256Sha256_SignAndEncrypt,
])

# User token policies the server advertises: only username/password.
policyIDs = ["Username"]
server.set_security_IDs(policyIDs)
```

My problem was that I bypassed the password entry using the method above. If it's not a bug, sorry for my bad submission, but how do I make my expectation valid: "Anonymous login is prohibited and the client must be authorized with username and password"?

schroeder- commented 2 years ago

I quickly scanned through the code and I think the server always accepts every UserToken, even if it is disabled via set_security_policy. The server only provides the supported UserTokens for discovery/GetEndpoints, but on create_session this is not checked.

AndreasHeine commented 2 years ago

It should be checked in activate_session!

schroeder- commented 2 years ago

It's not, see: https://github.com/FreeOpcUa/python-opcua/blob/858274721766907148b527916e97446dbbf6af6d/opcua/server/internal_server.py#L348-L353. I can provide a PR in the next days.
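The check the thread says is missing from ActivateSession, written out as an added example. This is not python-opcua's code and not the PR schroeder- mentions; the token classes are constructed stand-ins for the library's ua.*IdentityToken structures, the policy ID strings are the ones passed to set_security_IDs() above, and the user table (user1 / pw1) is the constructed one from the report. The point it demonstrates: the server must decide from its own configuration which token types it accepts, rather than trusting whatever token the client sends, and it must do so before looking at any credentials.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Sequence, Union


class IdentityTokenRejected(Exception):
    """Stands in for the OPC UA status code Bad_IdentityTokenRejected."""


# Constructed minimal stand-ins for the ua.*IdentityToken structures a client
# sends in ActivateSession; only the fields this check needs are modelled.
@dataclass
class AnonymousIdentityToken:
    PolicyId: str = "anonymous"


@dataclass
class UserNameIdentityToken:
    UserName: str
    Password: bytes
    PolicyId: str = "username"


@dataclass
class X509IdentityToken:
    CertificateData: bytes
    PolicyId: str = "certificate"


IdentityToken = Union[AnonymousIdentityToken, UserNameIdentityToken, X509IdentityToken]

# Token type -> policy ID string as configured with set_security_IDs().
TOKEN_TYPE_TO_POLICY_ID = {
    AnonymousIdentityToken: "Anonymous",
    UserNameIdentityToken: "Username",
    X509IdentityToken: "Certificate",
}


def check_identity_token(token: IdentityToken, allowed_policy_ids: Sequence[str]) -> str:
    """Return the policy ID the token belongs to, or raise IdentityTokenRejected.

    The client-supplied token.PolicyId is not trusted: the server derives the
    policy from the token's type and compares it with its own configuration.
    """
    policy_id = TOKEN_TYPE_TO_POLICY_ID.get(type(token))
    if policy_id is None or policy_id not in allowed_policy_ids:
        raise IdentityTokenRejected(
            f"identity token type {type(token).__name__} is not enabled on this server"
        )
    return policy_id


def activate_session(
    token: IdentityToken,
    allowed_policy_ids: Sequence[str],
    user_manager: Callable[[str, bytes], bool],
) -> str:
    """Minimal ActivateSession handler: enforce the policy check before any
    credential check, and return the identity the session runs as."""
    policy_id = check_identity_token(token, allowed_policy_ids)
    if policy_id == "Username":
        if not user_manager(token.UserName, token.Password):
            raise IdentityTokenRejected("user name or password not accepted")
        return token.UserName
    if policy_id == "Anonymous":
        return "anonymous"
    # "Certificate": a real server validates the X.509 chain here (out of scope).
    return "certificate"


# Constructed credential store matching the user1 / pw1 pair in the report.
_USERS = {"user1": b"pw1"}


def demo_user_manager(username: str, password: bytes) -> bool:
    """Constant-time password comparison against the constructed user table."""
    expected = _USERS.get(username)
    return expected is not None and hmac.compare_digest(expected, password)


if __name__ == "__main__":
    allowed = ["Username"]  # same as policyIDs = ["Username"] in the thread
    print(activate_session(UserNameIdentityToken("user1", b"pw1"), allowed, demo_user_manager))
    try:
        activate_session(AnonymousIdentityToken(), allowed, demo_user_manager)
    except IdentityTokenRejected as exc:
        print("rejected:", exc)
```

With allowed = ["Username"], the username token for user1 activates the session and the anonymous token is rejected, which is the behaviour the reporter expected from the GetEndpoints advertisement alone. Advertising a reduced set of policies in GetEndpoints is only a hint to well-behaved clients; a client that picks a non-advertised token (as UAExpert's Properties menu allows) is stopped only by this server-side check.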

AndreasHeine commented 2 years ago

@schroeder- could you check asyncua as well? Probably the same there!

schroeder- commented 2 years ago

@AndreasHeine same, I can provide the same fix there.

floriandorre commented 2 years ago

Hi,

Is there a chance that this PR will be merged even if this package is not maintained anymore?