User authentication has security bug

[ryangu18]

Describe the bug

User authentication has security bug, even enable server.set_security_IDs(“Username”)，But I can log still in anonymously

To Reproduce

Steps to reproduce the behavior incl code.

The code comes from here #1153 (comment)
it is Mr. AndreasHeine's demonstration code, I didn't make any changes.

Expected behavior

Create a ua server, the security policy is Basic256Sha256_SignAndEncrypt , the authentication user/pwd is 'user1' and 'pw1'

Screenshots

This screenshot is as expected, we see the security policy, and can only authenticate with username and password, anonymous is disabled, Select ok, then, we do not connect to this server, but right-click to open properties,

At this time I see that Anonymous has been enabled, choose anonymous,

ok , and connect to the server, we see that the server has been connected without entering a password.

Version

Python-Version: python 3.9 64bit

python-opcua Version (e.g. master branch, 0.9): 0.98.13

[schroeder-]

UAExpert allows to select every Security Policy even if it is not support, if you go over the Properties menu.

[AndreasHeine]

nether the less it should not be able to connect with anonymus...

[ryangu18]

Note that the security policy and authorization for this server are set in the code

server.set_security_policy([
# ua.SecurityPolicyType.NoSecurity,
# ua.SecurityPolicyType.Basic128Rsa15_Sign,
# ua.SecurityPolicyType.Basic128Rsa15_SignAndEncrypt,
# ua.SecurityPolicyType.Basic256Sha256_Sign,
ua.SecurityPolicyType.Basic256Sha256_SignAndEncrypt
])
policyIDs = ["Username"]

My problem was that I bypassed the password entry using the method above.
If it's not a bug, sorry for my bad submission, but how do I make my expectations valid? "Anonymous login is prohibited and must be authorized with username, password

[schroeder-]

I quickly scanned through the code and I think the server always accepts ever UserToken even if it is disabled via set_security_policy. The server only provides the supported UserTokens for discovery/GetEndpoints, but on create_session this is not checked.

[AndreasHeine]

should be checked in activate session!

[schroeder-]

Its not see:

python-opcua/opcua/server/internal_server.py

Lines 348 to 353 in 8582747

	id_token = params.UserIdentityToken
	if isinstance(id_token, ua.UserNameIdentityToken):
	if self.user_manager.check_user_token(self, id_token) == False:
	raise utils.ServiceError(ua.StatusCodes.BadUserAccessDenied)
	self.logger.info("Activated internal session %s for user %s", self.name, self.user)
	return result

I can provide a pr in the next days.

[AndreasHeine]

@schroeder- could you check asyncua aswell probably the same there!

[schroeder-]

@AndreasHeine same, I can provide the same fix there.

[floriandorre]

Hi,

Is there a chance that this PR will be merged even if this package is not maintained anymore ?