node-opcua-address-space 2.164.2 → 2.165.0

package/source/session_context.ts

@@ -3,7 +3,7 @@
  */
 
 import { assert } from "node-opcua-assert";
-import { CertificateInternals, exploreCertificate } from "node-opcua-crypto/web";
+import { Certificate, CertificateInternals, exploreCertificate } from "node-opcua-crypto/web";
 import { AccessRestrictionsFlag, allPermissions, AttributeIds, PermissionFlag } from "node-opcua-data-model";
 import { PreciseClock } from "node-opcua-date-time";
 import { NodeId, NodeIdLike, resolveNodeId, sameNodeId } from "node-opcua-nodeid";
@@ -99,8 +99,22 @@ export interface IUserManager {
      */
     getUserRoles?: (user: string) => NodeId[];
 }
+
+/**
+ * A temporary override for role resolution.
+ *
+ * When set on the server, `getUserRoles` is called
+ * **before** the default `userManager`. Returning
+ * a `NodeId[]` overrides the roles; returning `null`
+ * falls through to the default resolution.
+ */
+export interface IRolePolicyOverride {
+    getUserRoles(username: string): NodeId[] | null;
+}
+
 export interface IServerBase {
     userManager?: IUserManager;
+    rolePolicyOverride?: IRolePolicyOverride | null;
 }
 
 export interface SessionContextOptions {
@@ -206,6 +220,33 @@ export class SessionContext implements ISessionContext {
         this.currentTime = undefined;
     }
 
+    /**
+     * The client's application-instance certificate,
+     * or `null` if no secure channel is available.
+     */
+    public get clientCertificate(): Certificate | null {
+        return this.session?.channel?.clientCertificate ?? null;
+    }
+
+    /**
+     * The application URI extracted from the client
+     * certificate's SubjectAltName, or `null` if
+     * no certificate is available.
+     */
+    public get clientApplicationUri(): string | null {
+        const cert = this.clientCertificate;
+        if (!cert) {
+            return null;
+        }
+        try {
+            const info = exploreCertificate(cert);
+            const san = info.tbsCertificate.extensions?.subjectAltName;
+            return san?.uniformResourceIdentifier?.[0] ?? null;
+        } catch {
+            return null;
+        }
+    }
+
     /**
      * getCurrentUserRoles
      *
@@ -228,6 +269,15 @@ export class SessionContext implements ISessionContext {
 
         const username = getUserName(userIdentityToken);
 
+        // --- US-028: check role policy override first ---
+        if (this.server?.rolePolicyOverride) {
+            const overriddenRoles = this.server.rolePolicyOverride.getUserRoles(username);
+            if (overriddenRoles !== null) {
+                return overriddenRoles;
+            }
+            // null => fall through to default resolution
+        }
+
         if (username === "anonymous") {
             return anonymous;
         }
@@ -305,7 +355,7 @@ export class SessionContext implements ISessionContext {
                 return true;
             }
         }
-        if (!this.session ) { return false; }
+        if (!this.session) { return false; }
         const securityMode = this.session?.channel?.securityMode;
         if (accessRestrictions & AccessRestrictionsFlag.SigningRequired) {
             if (securityMode !== MessageSecurityMode.Sign && securityMode !== MessageSecurityMode.SignAndEncrypt) {

package/src/address_space.ts

@@ -55,7 +55,8 @@ import {
     IAddressSpace,
     ShutdownTask,
     RaiseEventData,
-    UAVariableT
+    UAVariableT,
+    MethodCallInterceptor
 } from "node-opcua-address-space-base";
 import { make_debugLog, make_warningLog, make_errorLog } from "node-opcua-debug";
 
@@ -191,6 +192,7 @@ export class AddressSpace implements AddressSpacePrivate {
     private _shutdownTask?: ShutdownTask[];
     private _modelChangeTransactionCounter = 0;
     private _modelChanges: ModelChangeStructureDataType[] = [];
+    public _methodCallInterceptors: MethodCallInterceptor[] = [];
 
     constructor() {
         this._private_namespaceIndex = 1;
@@ -1082,6 +1084,27 @@ export class AddressSpace implements AddressSpacePrivate {
         this._shutdownTask.push(task);
     }
 
+    /**
+     * Register a method call interceptor.
+     * Interceptors are called sequentially before each UAMethod.execute().
+     * If any interceptor returns a non-Good StatusCode, the method call
+     * is rejected and subsequent interceptors are skipped.
+     */
+    public addMethodCallInterceptor(interceptor: MethodCallInterceptor): void {
+        assert(typeof interceptor === "function");
+        this._methodCallInterceptors.push(interceptor);
+    }
+
+    /**
+     * Remove a previously registered method call interceptor.
+     */
+    public removeMethodCallInterceptor(interceptor: MethodCallInterceptor): void {
+        const index = this._methodCallInterceptors.indexOf(interceptor);
+        if (index !== -1) {
+            this._methodCallInterceptors.splice(index, 1);
+        }
+    }
+
     public async shutdown(): Promise<void> {
         const performTasks = async (tasks: ShutdownTask[]) => {
             // perform registerShutdownTask

package/src/address_space_private.ts

@@ -20,7 +20,8 @@ import {
     UAObjectType,
     UAReference,
     UAVariable,
-    ContinuationData
+    ContinuationData,
+    MethodCallInterceptor
 } from "node-opcua-address-space-base";
 import { UARootFolder } from "../source/ua_root_folder";
 import { ExtensionObjectConstructorFuncWithSchema } from "../source/interfaces/extension_object_constructor";
@@ -89,4 +90,6 @@ export interface AddressSpacePrivate extends IAddressSpace {
     ) => void;
 
     isEnumeration(dataType: NodeId): boolean;
+
+    _methodCallInterceptors: MethodCallInterceptor[];
 }