Add Fallback to set session.AuthPolicyURI #706
base: main
…oken does not provide it
Hmm, good point. Is there something in the spec which describes the desired behavior?
Can we add a test for that?
I'm not familiar in detail with the spec. However I guess I found some relevant part of it here, which says
I can, but that might take a while. Looking at the current tests, I wasn't able to find out yet how the Python components are triggered when a Go test is executed. Is there some documentation on this? Edit: Never mind, I think I'll manage.
I added a check on the AuthPolicyURI property in client.go to make sure it is always set. However, with that check several integration tests will fail, since they seem to rely on the anonymous policy, which, if I understood that correctly, seems to be handled as a default case. On the other hand when that default is set in I am a bit stuck now because I didn't find any information in the spec saying that each session must have an AuthPolicyUri set. Do you have further requirements what the test case should cover?
I'm using the lib in Telegraf. In a certificate-based connection I had the problem that the library raised the error
error creating session signature: opcua: unsupported security policy
I was able to track the origin of that issue: The field AuthPolicyURI of the session config is not set.
When setting up the Connection the library retrieves the endpoints from the server. I set up some debug prints to show information on the received endpoint information. The Server is providing one endpoint:
During connection setup the telegraf opcua client is calling the SecurityFromEndpoint method of the opcua library. In that method the relevant UserIdentityToken from the received Endpoint is used to set the session.AuthPolicyURI field. However the field for the security policy uri of the relevant UserIdentityToken (token type: 2 in my case) is empty. As a result the AuthPolicyURI will get no value and the connection fails.
I was able to fix that issue for that specific server by adding some fallback logic: If the relevant UserIdentityToken does not provide the needed security policy, that one from the endpoint will be used.
However I can't say if this change is safe in general or if it's more like a hack to fix the connection to that specific misbehaving server.
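
The fallback described above, as an added Go example (not the pull request's code and not the gopcua API). The `Endpoint` and `UserTokenPolicy` types, the `ResolveAuthPolicyURI` function and the refusal to fall back to the `None` policy for non-anonymous tokens are assumptions of this example; the sample endpoint is constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Hypothetical, simplified stand-ins for the endpoint data a server returns
// (not the gopcua types).
type UserTokenPolicy struct {
	TokenType         int    // 0 anonymous, 1 user name, 2 certificate, 3 issued token
	SecurityPolicyURI string // may be empty, as on the server described above
}

type Endpoint struct {
	SecurityPolicyURI  string
	UserIdentityTokens []UserTokenPolicy
}

const policyNone = "http://opcfoundation.org/UA/SecurityPolicy#None"

// ResolveAuthPolicyURI picks the policy URI for the given token type:
// the token's own URI if present, otherwise the endpoint's URI.
func ResolveAuthPolicyURI(ep Endpoint, tokenType int) (string, error) {
	for _, t := range ep.UserIdentityTokens {
		if t.TokenType != tokenType {
			continue
		}
		uri := t.SecurityPolicyURI
		if uri == "" {
			uri = ep.SecurityPolicyURI // fallback described in this pull request
		}
		// Assumption of this example: a non-anonymous token must not end up with
		// an empty or None policy, since it could be neither signed nor encrypted.
		if tokenType != 0 && (uri == "" || uri == policyNone) {
			return "", errors.New("no usable security policy for user token")
		}
		return uri, nil
	}
	return "", fmt.Errorf("endpoint offers no token of type %d", tokenType)
}

func main() {
	// Constructed sample: one endpoint, certificate token without its own policy.
	ep := Endpoint{
		SecurityPolicyURI:  "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256",
		UserIdentityTokens: []UserTokenPolicy{{TokenType: 2}},
	}
	fmt.Println(ResolveAuthPolicyURI(ep, 2))
}
```

Returning an error instead of an empty string surfaces the missing policy at connection setup rather than later, when the session signature is created.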