Open drsso opened 6 years ago
Users and Passwords are not implemented. There is a hardcoded admin user that is disabled by default. If you want to implement a user management system (maybe there is already a python library for this) please submit a pull request.
I try to implement it and I lost my way between the lines. I am not a Python expert but I think I can do the job. Can you please tell me where to start in the code, because it's not easy to change too much in the source code: uaprotocol_auto.py, class UserNameIdentityToken(FrozenClass):, class CreateSessionResponse(FrozenClass):
How will the client username and password be sent to the server, and how can I get them on the server side??? In other words, in which class, function, or attribute could I find them in the server implementation? And if this is not implemented, would you tell me where they have been thrown out from the client URI (in the code), so that I can get them?
The user info is sent when creating a session. Look into internal_server.py and search for where the session is created. This is where you save user info and can deny session creation.
But the main issue here is to decide how to store users and passwords safely. I have no idea. It would be great to use another (known secured) library and not do things ourselves in opcua. Place your code in user.py and replace the enumeration by a more advanced class.
My intention is to do it in users.py. I think of two ways to do it: either save them in a byte file or in sqlite.
my problem now is to implement:
So you mean I have to make a class for authentication in users.py and then use it in create_session(self, params, sockname=None):
Yes. You also need to have an admin user and change tests in address_space.py. (It is currently checking for an enum; you need to replace the check by a call like MyUserClass.is_admin(user) or similar.) Run tests/tests.py when you have made changes so you are sure you do not break something.
Please correct me if I don't understand it well. I have printed the result in create_session in internal_server.py but I didn't find the username that I gave to the client. Shouldn't the username and pwd be sent with the connection request from the client????
This is supposed to work. Check parameters structure. Either create session or activate session
Now I could read the username and password from the client, and I checked the connection with just a username and it works (simple test). My problem is now DECRYPTING the PASSWORD, to save it in a variable and play with it then :+1:
Look at how the password is encrypted in Client and do the same for decryption. But you will need to support several encryptions, at least no encryption.
I am a little confused.
I have decrypted it this way: uacrypto.decrypt_rsa15(myprivateKEY,id_token.Password)
My password is BOLD. Is there any way to take it out, or am I on the wrong way??
b',\x00\x00\x00ABCDI999ABCD\x98\xa2qN&\xa3.\x11F\xfb2\xaa\x84\xb9\xecy\xe6\xaf7\n\xf4}G\xfd\x00\xe8\x88\x13\x8b*\x84\xb3'
No idea what bold means... Be sure to support several encryptions and read the correct one from parameters.
This is client password: ABCDI999ABCD And this is what I get from decrypting:
b',\x00\x00\x00ABCDI999ABCD\x98\xa2qN&\xa3.\x11F\xfb2\xaa\x84\xb9\xecy\xe6\xaf7\n\xf4}G\xfd\x00\xe8\x88\x13\x8b*\x84\xb3'
How can I deactivate the encryption without changing everything?
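Added example (not code from python-opcua or from the posters): the decrypted value quoted above matches the OPC UA encrypted-secret layout, a 4-byte little-endian length (`,` is 0x2c = 44), then the 12-byte password, then a 32-byte server nonce. The function name `extract_password` and the use of the trailing 32 bytes as that session's nonce are assumptions of this example; a real server compares against the nonce it issued for the session.

```python
import hmac
import struct

# Decrypted token bytes exactly as posted in this thread.
DECRYPTED = (b',\x00\x00\x00ABCDI999ABCD\x98\xa2qN&\xa3.\x11F\xfb2\xaa\x84\xb9'
             b'\xecy\xe6\xaf7\n\xf4}G\xfd\x00\xe8\x88\x13\x8b*\x84\xb3')
# Assumption: the session's server nonce is not shown in the thread, so the
# demo takes the 32 bytes that trail the password in the dump.
SERVER_NONCE = DECRYPTED[-32:]


def extract_password(decrypted, server_nonce):
    """Split 'length | password | nonce' and return the password as str.

    Raises ValueError when the blob is malformed or carries another nonce.
    """
    if len(decrypted) < 4:
        raise ValueError("token shorter than its length prefix")
    # Little-endian UInt32: number of bytes that follow the prefix.
    (length,) = struct.unpack_from("<I", decrypted)
    body = decrypted[4:4 + length]
    if len(body) != length:
        raise ValueError("declared length exceeds decrypted data")
    if length < len(server_nonce):
        raise ValueError("token too short to contain the server nonce")
    split = length - len(server_nonce)
    password, nonce = body[:split], body[split:]
    # Constant-time comparison; a mismatch means the token was not produced
    # for this session (stale or replayed).
    if not hmac.compare_digest(nonce, server_nonce):
        raise ValueError("nonce mismatch")
    return password.decode("utf-8")


if __name__ == "__main__":
    print(extract_password(DECRYPTED, SERVER_NONCE))
```
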
Hello,
I'm new to python OPC-UA. I got stuck on username and pwd login. I don't know how to start it. Could you share some code? If so, it will be a great help. Sorry for bothering!
Hello,
Is there an example of how to make a server that allows a client with username and PASSWORD to log in?
Some work was done on this, but I do not think an example was made.
You would have to look at https://github.com/FreeOpcUa/python-opcua/pull/691 and dig around in the code. I think there is a simple default user manager you can look at in the source.
If you can make an example and submit it would be great.
Hello, I thank you for your answer. I am writing a login example with a username and password. It works. But I cannot disable the Anonymous connection. Here is my code:
```python
import time

from opcua import ua, Server
from opcua.server.user_manager import UserManager

# users database
users_db = {
    'user1': 'passwd1',
    'user2': 'passwd2',
    'user3': 'passwd3',
}


# user manager
def user_manager(isession, username, password):
    print(isession, username, password)
    isession.user = UserManager.User
    return username in users_db and password == users_db[username]


if __name__ == "__main__":
    # setup our server
    server = Server()
    server.set_endpoint("opc.tcp://0.0.0.0:4840/freeopcua/server/")

    # load server certificate and private key. This enables endpoints
    # with signing and encryption.
    server.load_certificate("certificate-example.der")
    server.load_private_key("private-key-example.pem")

    # set all possible endpoint policies for clients to connect through
    server.set_security_policy([
        # ua.SecurityPolicyType.NoSecurity,
        ua.SecurityPolicyType.Basic256Sha256_SignAndEncrypt,
        # ua.SecurityPolicyType.Basic256Sha256_Sign,
    ])

    # set the security endpoints for identification of clients
    # self.server.set_security_IDs(["Anonymous", "Basic256Sha256", "Username"])
    server.set_security_IDs(["Username"])

    # set the user_manager function
    server.user_manager.set_user_manager(user_manager)

    # starting!
    server.start()
    print("Endpoints : ", str(server.get_endpoints()).replace(',', '\n'))

    try:
        while True:
            time.sleep(5)
    finally:
        # close connection, remove subscriptions, etc
        server.stop()
```
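Added example (not part of the post above and not python-opcua code): a callback with the same `(isession, username, password)` shape that keeps salted PBKDF2 digests instead of the plaintext `users_db`, which speaks to the earlier question in this thread about storing passwords safely. The iteration count, the sample accounts and the helper `hash_password` are assumptions of this example; assigning `isession.user` is left out so the block runs without the library installed.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed; tune per host)


def hash_password(password, salt=None):
    """Return (salt, digest) for a password; a fresh salt is drawn if none given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return salt, digest


# Constructed sample store: username -> (salt, digest). In practice this is
# loaded from a file or database that never holds the plaintext.
users_db = {name: hash_password(pw)
            for name, pw in (("user1", "passwd1"), ("user2", "passwd2"))}

# Digest used for unknown usernames so that they cost the same as known ones.
_DUMMY = hash_password("unused")


def user_manager(isession, username, password):
    """Return True only for a known user presenting the matching password."""
    if not username or password is None:
        return False  # no credentials supplied
    if isinstance(password, bytes):
        password = password.decode("utf-8", "replace")
    salt, expected = users_db.get(username, _DUMMY)
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of digests, then confirm the user exists.
    matches = hmac.compare_digest(candidate, expected)
    return matches and username in users_db


if __name__ == "__main__":
    print(user_manager(None, "user1", "passwd1"))   # known user, right password
    print(user_manager(None, "user1", "wrong"))     # known user, wrong password
```
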
It's likely that you can't disable it without editing the library. The general idea with this package is that connectivity is the focus, not security. Maybe another contributor knows if it's possible, but be aware that even the certificate may not be fully enforced.
OK. In the server.py file, it's written that :
```python
def set_security_IDs(self, policyIDs):
    """
    Method setting up the security endpoints for identification
    of clients. During server object initialization, all possible
    endpoints are enabled:

    self._policyIDs = ["Anonymous", "Basic256Sha256", "Username"]

    E.g. to limit the number of IDs and disable anonymous clients:

    set_security_policy(["Basic256Sha256"])

    (Implementation for ID check is currently not finalized...)
    """
    self._policyIDs = policyIDs
```
I will try to see if I can do it.
This issue was fixed by PR #781.
How to make a server that allows just a client with username and PASSWORD to log in?
I don't find an example for it!!!!