@vitormnm/node-red-simple-opcua 1.4.2 → 1.5.0

package/server/lib/opcua-config.js

@@ -19,6 +19,7 @@ class OpcUaServerConfigParser {
 
     parseNodeConfig(config, credentials) {
         const security = this.applySecuritySettings(config.securityPolicy, config.securityMode);
+        const auth = this.parseAuthConfig(config, credentials);
         return {
             id: this.node.id,
             name: config.name,
@@ -29,7 +30,8 @@ class OpcUaServerConfigParser {
             resourcePath: config.resourcePath || DEFAULT_RESOURCE_PATH,
             treeConfig: this.parseTreeConfig(config.tree),
             allowAnonymous: this.normalizeAllowAnonymous(config.allowAnonymous),
-            users: this.parseUsersConfig(config.users, credentials),
+            groups: auth.groups,
+            users: auth.users,
             securityPolicy: security.securityPolicy,
             securityMode: security.securityMode
         };
@@ -44,19 +46,55 @@ class OpcUaServerConfigParser {
         }
     }
 
-    parseUsersConfig(rawUsers, credentials) {
+    parseAuthConfig(config, credentials) {
+        const safeConfig = config || {};
+        let groups = [];
+        let users = [];
+
         try {
-            const users = this.normalizeUsersConfig(rawUsers);
-            const credentialUser = this.normalizeCredentialUser(credentials);
-            if (credentialUser) {
-                users.unshift(credentialUser);
-            }
-            return users;
+            groups = this.normalizeGroupsConfig(
+                credentials && credentials.groups !== undefined ? credentials.groups : safeConfig.groups
+            );
         } catch (error) {
-            this.node.warn("Invalid users configuration in editor, using only credential user: " + error.message);
-            const credentialUser = this.normalizeCredentialUser(credentials);
-            return credentialUser ? [credentialUser] : [];
+            this.node.warn("Invalid groups configuration in editor, using derived groups only: " + error.message);
+        }
+
+        try {
+            users = this.normalizeUsersConfig(
+                credentials && credentials.users !== undefined ? credentials.users : safeConfig.users
+            );
+        } catch (error) {
+            this.node.warn("Invalid users configuration in editor, using only legacy credential user: " + error.message);
+        }
+
+        const credentialUser = this.normalizeCredentialUser(credentials);
+        if (credentialUser) {
+            users.unshift(credentialUser);
         }
+
+        return {
+            groups: this.buildResolvedGroups(groups, users),
+            users
+        };
+    }
+
+    buildResolvedGroups(groups, users) {
+        const resolved = [];
+        const seen = new Set();
+
+        const addGroup = (groupName) => {
+            const normalized = typeof groupName === "string" ? groupName.trim() : "";
+            if (!normalized || seen.has(normalized)) {
+                return;
+            }
+            seen.add(normalized);
+            resolved.push(normalized);
+        };
+
+        (Array.isArray(groups) ? groups : []).forEach(addGroup);
+        (Array.isArray(users) ? users : []).forEach((user) => addGroup(user && user.group));
+
+        return resolved;
     }
 
     normalizeTreeConfig(rawTree) {
@@ -125,6 +163,37 @@ class OpcUaServerConfigParser {
         };
     }
 
+    normalizeAccessPermissions(rawPermissions) {
+        let values = rawPermissions;
+
+        if (values === undefined || values === null || values === "") {
+            values = ["public"];
+        }
+
+        if (typeof values === "string") {
+            values = values.indexOf(",") >= 0
+                ? values.split(",")
+                : [values];
+        }
+
+        if (!Array.isArray(values)) {
+            throw new Error("'accessPermission' must be an array or string");
+        }
+
+        const seen = new Set();
+        const normalized = values.reduce((result, value) => {
+            const permission = String(value || "").trim().toLowerCase();
+            if (!permission || seen.has(permission)) {
+                return result;
+            }
+            seen.add(permission);
+            result.push(permission);
+            return result;
+        }, []);
+
+        return normalized.length ? normalized : ["public"];
+    }
+
     normalizeObjectTypes(objectTypes) {
         if (!Array.isArray(objectTypes)) {
             throw new Error("'objectsTypes' must be an array");
@@ -133,6 +202,53 @@ class OpcUaServerConfigParser {
         return objectTypes.map((objectTypeConfig) => this.normalizeBranch(objectTypeConfig, "object type"));
     }
 
+    normalizeGroupsConfig(rawGroups) {
+        let parsed = rawGroups;
+
+        if (parsed === undefined || parsed === null || parsed === "") {
+            parsed = [];
+        }
+
+        if (typeof parsed === "string") {
+            parsed = JSON.parse(parsed);
+        }
+
+        if (!Array.isArray(parsed)) {
+            throw new Error("Groups configuration must be an array");
+        }
+
+        const seen = new Set();
+        return parsed.reduce((groups, groupConfig) => {
+            const groupName = this.normalizeGroup(groupConfig);
+            if (!seen.has(groupName)) {
+                seen.add(groupName);
+                groups.push(groupName);
+            }
+            return groups;
+        }, []);
+    }
+
+    normalizeGroup(groupConfig) {
+        if (typeof groupConfig === "string") {
+            const groupName = groupConfig.trim();
+            if (!groupName) {
+                throw new Error("Each group requires a non-empty name");
+            }
+            return groupName;
+        }
+
+        if (!groupConfig || typeof groupConfig !== "object" || Array.isArray(groupConfig)) {
+            throw new Error("Each group must be a string or an object");
+        }
+
+        const groupName = typeof groupConfig.name === "string" ? groupConfig.name.trim() : "";
+        if (!groupName) {
+            throw new Error("Each group requires a non-empty name");
+        }
+
+        return groupName;
+    }
+
     normalizeUsersConfig(rawUsers) {
         let parsed = rawUsers;
 
@@ -163,7 +279,8 @@ class OpcUaServerConfigParser {
         return {
             username,
             password,
-            passwordHash: ""
+            passwordHash: "",
+            group: "default"
         };
     }
 
@@ -196,6 +313,7 @@ class OpcUaServerConfigParser {
             description: branchConfig.description || "",
             nodeId: this.normalizeOptionalNodeId(branchConfig.nodeId),
             namespaceId: this.normalizeNamespaceId(branchConfig.namespaceId),
+            accessPermission: this.normalizeAccessPermissions(branchConfig.accessPermission || branchConfig.accessPermissions),
             folders: Array.isArray(branchConfig.folders)
                 ? branchConfig.folders.map((folderConfig) => this.normalizeBranch(folderConfig, "folder"))
                 : [],
@@ -271,7 +389,8 @@ class OpcUaServerConfigParser {
             description: variableConfig.description || "",
             displayName: variableConfig.displayName || name,
             nodeId: this.normalizeOptionalNodeId(variableConfig.nodeId),
-            namespaceId: this.normalizeNamespaceId(variableConfig.namespaceId)
+            namespaceId: this.normalizeNamespaceId(variableConfig.namespaceId),
+            accessPermission: this.normalizeAccessPermissions(variableConfig.accessPermission || variableConfig.accessPermissions)
         };
     }
 
@@ -288,6 +407,7 @@ class OpcUaServerConfigParser {
             description: methodConfig.description || "",
             nodeId: this.normalizeOptionalNodeId(methodConfig.nodeId),
             namespaceId: this.normalizeNamespaceId(methodConfig.namespaceId),
+            accessPermission: this.normalizeAccessPermissions(methodConfig.accessPermission || methodConfig.accessPermissions),
             inputs: Array.isArray(methodConfig.inputs)
                 ? methodConfig.inputs.map((arg) => this.normalizeMethodArg(arg))
                 : Array.isArray(methodConfig.inputArguments)
@@ -336,6 +456,7 @@ class OpcUaServerConfigParser {
             description: typeof alarmConfig.description === "string" ? alarmConfig.description : "",
             nodeId: this.normalizeOptionalNodeId(alarmConfig.nodeId),
             namespaceId: this.normalizeNamespaceId(alarmConfig.namespaceId),
+            accessPermission: this.normalizeAccessPermissions(alarmConfig.accessPermission || alarmConfig.accessPermissions),
             enabled: typeof alarmConfig.enabled === "boolean" ? alarmConfig.enabled : true
         };
 
@@ -364,6 +485,11 @@ class OpcUaServerConfigParser {
         const username = typeof userConfig.username === "string" ? userConfig.username.trim() : "";
         const passwordHash = typeof userConfig.passwordHash === "string" ? userConfig.passwordHash : "";
         const password = typeof userConfig.password === "string" ? userConfig.password : "";
+        const group = typeof userConfig.group === "string"
+            ? userConfig.group.trim()
+            : typeof userConfig.role === "string"
+                ? userConfig.role.trim()
+                : "";
 
         if (!username) {
             throw new Error("Each user requires a non-empty username");
@@ -373,10 +499,15 @@ class OpcUaServerConfigParser {
             throw new Error("Each user requires a password or password hash");
         }
 
+        if (!group) {
+            throw new Error("Each user requires a non-empty group");
+        }
+
         return {
             username,
             password,
-            passwordHash
+            passwordHash,
+            group
         };
     }
 

package/server/lib/opcua-constants.js

@@ -13,6 +13,11 @@ const {
     MessageSecurityMode,
     UserTokenType,
     coerceNodeId ,
+    resolveNodeId,
+    PermissionType,
+    makeRoles,
+    WellKnownRoles,
+    OPCUACertificateManager,
 } = opcua;
 
 const DEFAULT_PORT = 4840;
@@ -90,12 +95,17 @@ module.exports = {
     OPCUAServer,
     Variant,
     DataType,
+    OPCUACertificateManager,
     StatusCodes,
     VariantArrayType,
     SecurityPolicy,
     MessageSecurityMode,
     UserTokenType,
     coerceNodeId,
+    resolveNodeId,
+    PermissionType,
+    makeRoles,
+    WellKnownRoles,
     DEFAULT_PORT,
     DEFAULT_SERVER_NAME,
     DEFAULT_NAMESPACE_URI,

package/server/lib/opcua-server-runtime-child.js

@@ -100,6 +100,17 @@ class OpcUaServerProcess {
                 nodeId: nodeId
             });
 
+            process.send({
+                type: "send",
+                data: {
+                    payload: {
+                        status: "running"
+                    },
+                    topic : settings.serverName
+                },
+                nodeId: nodeId
+            });
+
 
         } catch (error) {
             this.isRunning = false;
@@ -110,6 +121,17 @@ class OpcUaServerProcess {
                 data: "Failed to start OPC UA server: " + error.message
             });
 
+            process.send({
+                type: "send",
+                data: {
+                    payload: {
+                        status: "error"
+                    },
+                    topic : settings.serverName
+                },
+                nodeId: nodeId
+            });
+
             process.send({
                 type: "status",
                 data: {
@@ -214,7 +236,7 @@ class OpcUaServerProcess {
             msg.payload = result.payload;
             this.assignReadMetadata(msg, identifierType, result.identifiers);
 
-            
+
 
             if (result.identifiers.length === 1) {
                 msg.topic = result.identifiers[0];
@@ -438,7 +460,7 @@ class OpcUaServerProcess {
                 writtenPaths
             );
 
-          
+
             if (writtenPaths.length === 1) {
                 msg.topic = writtenPaths[0];
             }
@@ -592,6 +614,17 @@ class OpcUaServerProcess {
                 nodeId: nodeId
             });
 
+            process.send({
+                type: "send",
+                data: {
+                    payload: {
+                        status: "updating"
+                    },
+                    topic : this.node.serverName
+                },
+                nodeId: nodeId
+            });
+
             await this.ensureReady();
 
             const nextTree = this.parser.normalizeTreeConfig(payload);
@@ -600,6 +633,17 @@ class OpcUaServerProcess {
 
             const endpointUrl = await this.runtime.getEndpointUrl();
 
+            process.send({
+                type: "send",
+                data: {
+                    payload: {
+                        status: "running"
+                    },
+                    topic : this.node.serverName
+                },
+                nodeId: nodeId
+            });
+
 
             process.send({
                 type: "status",
@@ -623,6 +667,16 @@ class OpcUaServerProcess {
                 nodeId: nodeId
             });
 
+            process.send({
+                type: "send",
+                data: {
+                    payload: {
+                        status: "error"
+                    }
+                },
+                nodeId: nodeId
+            });
+
             process.send({
                 type: "status",
                 data: {

package/server/lib/opcua-server-runtime.js

@@ -5,10 +5,20 @@
 const {
     OPCUAServer,
     UserTokenType,
-    buildApplicationUri
+    buildApplicationUri,
+    makeRoles,
+    WellKnownRoles,
+    resolveNodeId
 } = require("./opcua-constants");
 const { OpcUaAddressSpaceBuilder } = require("./opcua-address-space-builder");
 const { OpcUaServerMethods } = require("./opcua-server-methods");
+let bcrypt = null;
+
+try {
+    bcrypt = require("bcryptjs");
+} catch (error) {
+    bcrypt = null;
+}
 
 class OpcUaServerRuntime {
     constructor(options) {
@@ -22,6 +32,7 @@ class OpcUaServerRuntime {
         this.namespaceUri = options.settings.namespaceUri;
         this.resourcePath = options.settings.resourcePath;
         this.allowAnonymous = options.settings.allowAnonymous;
+        this.groups = options.settings.groups;
         this.users = options.settings.users;
         this.securityPolicy = options.settings.securityPolicy;
         this.securityMode = options.settings.securityMode;
@@ -55,7 +66,8 @@ class OpcUaServerRuntime {
             registry: this.registry,
             node: this.node,
             serverName: this.serverName,
-            addressSpace: this.addressSpace
+            addressSpace: this.addressSpace,
+            allowAnonymous: this.allowAnonymous
         });
 
 
@@ -195,9 +207,6 @@ class OpcUaServerRuntime {
                 buildNumber: "1",
                 buildDate: new Date()
             },
-            // serverCertificateManager: {
-            //     automaticallyAcceptUnknownCertificate: true
-            // },
             serverCapabilities: {
                 maxSessions: this.maxConnections
             },
@@ -210,12 +219,64 @@ class OpcUaServerRuntime {
             securityModes: [this.securityMode],
             allowAnonymous: this.allowAnonymous,
             userManager: {
-                isValidUser: (username, password) => this.isValidUser(username, password)
+                isValidUser: (username, password) => this.isValidUser(username, password),
+                getUserRoles: (username) => this.getUserRoles(username)
             },
             userTokenPolicies
         };
     }
 
+    getUserRoles(username) {
+        const normalizedUserName = typeof username === "string" ? username.trim() : "";
+        if (!normalizedUserName || normalizedUserName.toLowerCase() === "anonymous") {
+            return makeRoles([WellKnownRoles.Anonymous]);
+        }
+
+        const user = this.users.find((entry) => entry && entry.username === normalizedUserName);
+        if (!user) {
+            return makeRoles([WellKnownRoles.AuthenticatedUser]);
+        }
+
+        const roles = [resolveNodeId("WellKnownRole_AuthenticatedUser")];
+        const customRole = this.resolveGroupRoleNodeId(user.group);
+        if (customRole) {
+            roles.push(customRole);
+        }
+        return roles;
+    }
+
+    resolveGroupRoleNodeId(groupName) {
+        const normalized = String(groupName || "").trim().toLowerCase();
+        if (!normalized || normalized === "public") {
+            return null;
+        }
+
+        const wellKnownRoles = {
+            operator: "WellKnownRole_Operator",
+            supervisor: "WellKnownRole_Supervisor",
+            engineer: "WellKnownRole_Engineer",
+            engineering: "WellKnownRole_Engineer",
+            observer: "WellKnownRole_Observer",
+            admin: "WellKnownRole_ConfigureAdmin",
+            configureadmin: "WellKnownRole_ConfigureAdmin",
+            securityadmin: "WellKnownRole_SecurityAdmin"
+        };
+
+        if (wellKnownRoles[normalized]) {
+            return resolveNodeId(wellKnownRoles[normalized]);
+        }
+
+        return resolveNodeId("ns=1;s=NodeRedRole/" + this.sanitizeRoleSegment(normalized));
+    }
+
+    sanitizeRoleSegment(value) {
+        return String(value || "")
+            .trim()
+            .toLowerCase()
+            .replace(/\s+/g, "_")
+            .replace(/[^a-z0-9._-]/g, "_");
+    }
+
     isValidUser(username, password) {
         return this.users.some((user) => {
             if (user.username !== username) {
@@ -227,6 +288,10 @@ class OpcUaServerRuntime {
             }
 
             if (user.passwordHash) {
+                if (!bcrypt) {
+                    this.node.warn("bcryptjs is not installed, so hashed passwords cannot be validated.");
+                    return false;
+                }
                 try {
                     return bcrypt.compareSync(password, user.passwordHash);
                 } catch (error) {

package/server/opcua-server-io.js

@@ -179,6 +179,7 @@ module.exports = function (RED) {
     function childControl(node) {
 
         const child = registry.resolveChild(node.serverRef)
+        child.setMaxListeners(0);
 
         child.on("message", (msg) => {