From 8a6018f996639028e529264a25e4c93649334993 Mon Sep 17 00:00:00 2001
From: Christoph Ziebuhr
Date: Fri, 11 Oct 2024 15:09:15 +0200
Subject: [PATCH] Allow regular users to do write requests
---
 asyncua/crypto/permission_rules.py | 16 ++++++++--------
 tests/test_permissions.py | 16 +++++++++-------
 2 files changed, 17 insertions(+), 15 deletions(-)
diff --git a/asyncua/crypto/permission_rules.py b/asyncua/crypto/permission_rules.py
index 46b67c6d3..53d1dd729 100644
--- a/asyncua/crypto/permission_rules.py
+++ b/asyncua/crypto/permission_rules.py
@@ -1,8 +1,7 @@
 from asyncua import ua
 from asyncua.server.users import UserRole
-WRITE_TYPES = [
- ua.ObjectIds.WriteRequest_Encoding_DefaultBinary,
+ADMIN_TYPES = [
 ua.ObjectIds.RegisterServerRequest_Encoding_DefaultBinary,
 ua.ObjectIds.RegisterServer2Request_Encoding_DefaultBinary,
 ua.ObjectIds.AddNodesRequest_Encoding_DefaultBinary,
@@ -11,11 +10,12 @@
 ua.ObjectIds.DeleteReferencesRequest_Encoding_DefaultBinary,
 ]
-READ_TYPES = [
+USER_TYPES = [
 ua.ObjectIds.CreateSessionRequest_Encoding_DefaultBinary,
 ua.ObjectIds.CloseSessionRequest_Encoding_DefaultBinary,
 ua.ObjectIds.ActivateSessionRequest_Encoding_DefaultBinary,
 ua.ObjectIds.ReadRequest_Encoding_DefaultBinary,
+ ua.ObjectIds.WriteRequest_Encoding_DefaultBinary,
 ua.ObjectIds.BrowseRequest_Encoding_DefaultBinary,
 ua.ObjectIds.GetEndpointsRequest_Encoding_DefaultBinary,
 ua.ObjectIds.FindServersRequest_Encoding_DefaultBinary,
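Review bot: Adding `ua.ObjectIds.WriteRequest_Encoding_DefaultBinary` to `USER_TYPES` (second hunk of asyncua/crypto/permission_rules.py) grants the Write service as a whole to every `UserRole.User` session, and nothing visible in this file narrows that per node or per attribute. The Write service can target attributes other than Value, so whether a regular user can now alter node metadata depends on checks made elsewhere, presumably the server's write-mask and access-level handling; that should be confirmed before the two lists are described as separating address-space changes from ordinary writes. A comment above the list would record the assumption, for example `# Service-level grant only: per-node and per-attribute write checks must be enforced by the server's attribute handling.` The list continues past the end of the hunk.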
@@ -49,15 +49,15 @@ def check_validity(self, user, action_type, body):
 class SimpleRoleRuleset(PermissionRuleset):
 """
 Standard simple role-based ruleset.
- Admins alone can write, admins and users can read, and anonymous users can't do anything.
+ Admins alone can change address space, admins and users can read/write, and anonymous users can't do anything.
 """
 def __init__(self):
- write_ids = list(map(ua.NodeId, WRITE_TYPES))
- read_ids = list(map(ua.NodeId, READ_TYPES))
+ admin_ids = list(map(ua.NodeId, ADMIN_TYPES))
+ user_ids = list(map(ua.NodeId, USER_TYPES))
 self._permission_dict = {
- UserRole.Admin: set().union(write_ids, read_ids),
- UserRole.User: set().union(read_ids),
+ UserRole.Admin: set().union(admin_ids, user_ids),
+ UserRole.User: set().union(user_ids),
 UserRole.Anonymous: set()
 }
diff --git a/tests/test_permissions.py b/tests/test_permissions.py
index b4700b8ba..b5acc8504 100644
--- a/tests/test_permissions.py
+++ b/tests/test_permissions.py
@@ -88,9 +88,9 @@ async def test_permissions_admin(srv_crypto_one_cert):
 assert await clt.get_objects_node().get_children()
 objects = clt.nodes.objects
 child = await objects.get_child(['0:MyObject', '0:MyVariable'])
- await child.read_value()
 await child.set_value(42.0)
-
+ assert await child.read_value() == 42.0
+ await child.add_property(0, "MyProperty1", 3)
 async def test_permissions_user(srv_crypto_one_cert):
 clt = Client(uri_crypto_cert)
@@ -106,9 +106,10 @@ async def test_permissions_user(srv_crypto_one_cert):
 assert await clt.get_objects_node().get_children()
 objects = clt.nodes.objects
 child = await objects.get_child(['0:MyObject', '0:MyVariable'])
- await child.read_value()
+ await child.set_value(44.0)
+ assert await child.read_value() == 44.0
 with pytest.raises(ua.uaerrors.BadUserAccessDenied):
- await child.set_value(42)
+ await child.add_property(0, "MyProperty2", 3)
 async def test_permissions_anonymous(srv_crypto_one_cert):
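Review bot: `SimpleRoleRuleset.__init__` (the `@@ -49,15 +49,15 @@` hunk of permission_rules.py) now gives `UserRole.User` the Write service with no way to opt out, so a deployment that relied on this ruleset to keep user-role sessions read-only gains write access on upgrade without any configuration change. The constructor takes no arguments, so keeping the old policy means subclassing. The docstring should say so, for instance `Users may write; subclass and remove WriteRequest from the user set to keep them read-only.`, and the change should be called out in the release notes as a permission widening. As a smaller style point, `set().union(user_ids)` can be written `set(user_ids)`. The class body continues outside the hunk.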
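Review bot: In `test_permissions_user` (the `@@ -106,9 +106,10 @@` hunk of tests/test_permissions.py) the only refused operation exercised is `add_property`, which covers AddNodes but none of the other services left in `ADMIN_TYPES`. Now that the role boundary has moved, a second denial check would pin it more firmly, for example `with pytest.raises(ua.uaerrors.BadUserAccessDenied): await clt.delete_nodes([child])`, assuming the refusal surfaces as the same service fault. These tests also write 42.0 and 44.0 and add properties on the server behind `srv_crypto_one_cert`, whose scope is not visible here; if that fixture is shared between tests the assertions become order-dependent. The function body starts outside the hunk.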
@@ -121,6 +122,7 @@ async def test_permissions_anonymous(srv_crypto_one_cert):
 server_certificate=srv_crypto_params[0][1],
 mode=ua.MessageSecurityMode.SignAndEncrypt
 )
- await clt.connect()
- await clt.get_endpoints()
- await clt.disconnect()
+ async with clt:
+ await clt.get_endpoints()
+ with pytest.raises(ua.uaerrors.BadUserAccessDenied):
+ await clt.nodes.objects.get_children()
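Review bot: The anonymous test now asserts that Browse is refused but never attempts a Write, which is the service this commit opens to a wider role, so a regression that let anonymous sessions write would go unnoticed. A write attempt on a node addressed directly by id, inside the same `pytest.raises(ua.uaerrors.BadUserAccessDenied)` pattern, would cover it, e.g. `await clt.get_node(<NodeId of MyVariable>).write_value(0.0)` with the placeholder replaced by the fixture's node id. It would also help to add a comment on why `get_endpoints()` succeeds although `UserRole.Anonymous` maps to an empty set, since the reason is not visible in this hunk. The function body starts outside the hunk.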