node-opcua-server-configuration 2.163.1 → 2.164.2

package/source/server/roles_and_permissions.ts

@@ -1,15 +1,14 @@
-import { PermissionType, RolePermissionTypeOptions, WellKnownRoles } from "node-opcua-address-space";
-import { makePermissionFlag, allPermissions } from "node-opcua-data-model";
+import { PermissionType, type RolePermissionTypeOptions, WellKnownRoles } from "node-opcua-address-space";
+import { allPermissions, makePermissionFlag } from "node-opcua-data-model";
 
 export const rolePermissionRestricted: RolePermissionTypeOptions[] = [
-
     {
         roleId: WellKnownRoles.Anonymous,
-        permissions: PermissionType.Browse,
+        permissions: PermissionType.Browse
     },
     {
         roleId: WellKnownRoles.AuthenticatedUser,
-        permissions: PermissionType.Browse,
+        permissions: PermissionType.Browse
     },
     {
         roleId: WellKnownRoles.ConfigureAdmin,
@@ -18,14 +17,14 @@ export const rolePermissionRestricted: RolePermissionTypeOptions[] = [
     {
         roleId: WellKnownRoles.SecurityAdmin,
         permissions: allPermissions
-    },
+    }
 ];
 export const rolePermissionAdminOnly: RolePermissionTypeOptions[] = [
     {
         roleId: WellKnownRoles.SecurityAdmin,
         permissions: allPermissions
-    },
- /*   {
+    }
+    /*   {
         roleId: WellKnownRoles.Anonymous,
         permissions: PermissionType.Browse
     },

package/source/server/tools.ts

@@ -1,10 +1,8 @@
-import { ISessionContext, WellKnownRoles } from "node-opcua-address-space";
+import { type ISessionContext, WellKnownRoles } from "node-opcua-address-space";
 import { MessageSecurityMode } from "node-opcua-secure-channel";
 
 export function hasExpectedUserAccess(context: ISessionContext) {
-    if (!context ||
-        !context.session ||
-        !context.session.userIdentityToken) {
+    if (!context || !context.session || !context.session.userIdentityToken) {
         return false;
     }
     return context.currentUserHasRole(WellKnownRoles.SecurityAdmin);
@@ -13,4 +11,3 @@ export function hasExpectedUserAccess(context: ISessionContext) {
 export function hasEncryptedChannel(context: ISessionContext) {
     return !!(context.session?.channel?.securityMode === MessageSecurityMode.SignAndEncrypt);
 }
-

package/source/server/trust_list_server.ts

@@ -1,12 +1,11 @@
-import fs from "fs";
-import path from "path";
-
-import { OPCUACertificateManager } from "node-opcua-certificate-manager";
-import { TrustListDataType } from "node-opcua-types";
-import { AbstractFs } from "node-opcua-file-transfer";
+import fs from "node:fs";
+import path from "node:path";
 import { BinaryStream } from "node-opcua-binary-stream";
+import type { OPCUACertificateManager } from "node-opcua-certificate-manager";
 import { readCertificate, readCertificateRevocationList } from "node-opcua-crypto";
 import { make_errorLog } from "node-opcua-debug";
+import type { AbstractFs } from "node-opcua-file-transfer";
+import { TrustListDataType } from "node-opcua-types";
 
 const errorLog = make_errorLog("TrustListServer");
 
@@ -20,6 +19,7 @@ async function readAll(folder: string): Promise<Buffer[]> {
             const buf = await readCertificate(file);
             results.push(buf);
         } else if (ext === ".crl") {
+            // Strict validation: only accept valid CRL files
             const buf = await readCertificateRevocationList(file);
             results.push(buf);
         } else {
@@ -53,13 +53,28 @@ export async function buildTrustList(
         trustList.trustedCertificates = await readAll(certificateManager.trustedFolder);
     }
     if ((trustListFlag & TrustListMasks.TrustedCrls) === TrustListMasks.TrustedCrls) {
-        trustList.trustedCrls = await readAll(certificateManager.crlFolder);
+        const crlFolder = certificateManager.crlFolder;
+        if (fs.existsSync(crlFolder)) {
+            trustList.trustedCrls = await readAll(crlFolder);
+        } else {
+            trustList.trustedCrls = [];
+        }
     }
     if ((trustListFlag & TrustListMasks.IssuerCertificates) === TrustListMasks.IssuerCertificates) {
-        trustList.issuerCertificates = await readAll(certificateManager.issuersCertFolder);
+        const issuersCertFolder = certificateManager.issuersCertFolder;
+        if (fs.existsSync(issuersCertFolder)) {
+            trustList.issuerCertificates = await readAll(issuersCertFolder);
+        } else {
+            trustList.issuerCertificates = [];
+        }
     }
     if ((trustListFlag & TrustListMasks.IssuerCrls) === TrustListMasks.IssuerCrls) {
-        trustList.issuerCrls = await readAll(certificateManager.issuersCrlFolder);
+        const issuersCrlFolder = certificateManager.issuersCrlFolder;
+        if (fs.existsSync(issuersCrlFolder)) {
+            trustList.issuerCrls = await readAll(issuersCrlFolder);
+        } else {
+            trustList.issuerCrls = [];
+        }
     }
     return trustList;
 }

package/source/standard_certificate_types.ts

@@ -3,10 +3,9 @@
  */
 import { resolveNodeId } from "node-opcua-nodeid";
 
-export const CertificateType =  {
+export const CertificateType = {
     Application: resolveNodeId("ApplicationCertificateType"),
     Https: resolveNodeId("HttpsCertificateType"),
     RsaMinApplication: resolveNodeId("RsaMinApplicationCertificateType"),
-    RsaSha256Application: resolveNodeId("RsaSha256ApplicationCertificateType"),
+    RsaSha256Application: resolveNodeId("RsaSha256ApplicationCertificateType")
 };
-         

package/source/trust_list.ts

@@ -1,26 +1,25 @@
-import { StatusCode } from "node-opcua-status-code";
+import type { StatusCode } from "node-opcua-status-code";
 
 /**
  * @module node-opcua-server-configuration
  */
 export interface ITrustList {
-
     /**
      * The CloseAndUpdate Method closes the file and applies the changes to the Trust List. It can
      * only be called if the file was opened for writing. If the Close Method is called any cached data
      * is discarded and the Trust List is not changed.
-     * 
+     *
      * The Server shall verify that every Certificate in the new Trust List is valid according to the
      * mandatory rules defined in Part 4. If an invalid Certificate is found the Server shall return an
      * error and shall not update the Trust List. If only part of the Trust List is being updated the
      * Server creates a temporary Trust List that includes the existing Trust List plus any updates
      * and validates the temporary Trust List.
-     * 
+     *
      * If the file cannot be processed this Method still closes the file and discards the data before
      * returning an error. This Method is required if the Server supports updates to the Trust List.
      * The structure uploaded includes a mask (see 7.5.8) which specifies which fields are updated.
      * If a bit is not set then the associated field is not changed.
-     * 
+     *
      * @param fileHandle UInt32 - The handle of the previously opened file
      * @return applyChangesRequired - A flag indicating whether the ApplyChanges Method (see 7.7.5) shall be called
      *                                before the new Trust List will be used by the Server.
@@ -31,46 +30,43 @@ export interface ITrustList {
      *                              error.
      */
     closeAndUpdate(
-      // fileHandle: UInt32,
-      applyChangesRequired: boolean 
+        // fileHandle: UInt32,
+        applyChangesRequired: boolean
     ): Promise<boolean>;
 
     /**
-     * The AddCertificate Method allows a Client to add a single Certificate to the Trust List. 
-     * 
+     * The AddCertificate Method allows a Client to add a single Certificate to the Trust List.
+     *
      * The Server shall verify that the Certificate is valid according to the rules defined in Part 4.
-     * 
+     *
      * If an invalid Certificate is found the Server shall return an error and shall not update the Trust List.
-     * 
+     *
      * If the Certificate is issued by a CA then the Client shall provide the entire chain in the
-     * certificate argument (see Part 6). 
-     * 
-     * After validating the Certificate, the Server shall add the CA Certificates to the Issuers list in the Trust List. 
-     * 
+     * certificate argument (see Part 6).
+     *
+     * After validating the Certificate, the Server shall add the CA Certificates to the Issuers list in the Trust List.
+     *
      * The leaf Certificate is added to the list specified by the isTrustedCertificate argument.
-     * 
+     *
      * This method cannot be called if the file object is open
      * @param  certificate - The DER encoded Certificate to add as a ByteStrng
-     * @param  isTrustedCertificate - If TRUE the Certificate is added to the Trusted Certificates List. If FALSE the Certificate is added to the Issuer Certificates List.
+     * @param  isTrustedCerticopy ficate - If TRUE the Certificate is added to the Trusted Certificates List. If FALSE the Certificate is added to the Issuer Certificates List.
      *
-     * **Result Code**            
+     * **Result Code**
      * - BadUserAccessDenied:     The current user does not have the rights required.
      * - BadCertificateInvalid:   The certificate to add is invalid.
      * - BadInvalidState:         The object is opened.
-     *     
+     *
      */
-    addCertificate(
-      certificate: Buffer,
-      isTrustedCertificate: boolean
-    ): Promise<StatusCode>;
+    addCertificate(certificate: Buffer, isTrustedCertificate: boolean): Promise<StatusCode>;
 
     /**
-     * The RemoveCertificate Method allows a Client to remove a single Certificate from the Trust List. 
-     * 
+     * The RemoveCertificate Method allows a Client to remove a single Certificate from the Trust List.
+     *
      * It returns BadInvalidArgument if the thumbprint does not match a Certificate in the Trust List.
-     * 
+     *
      * If the Certificate is a CA Certificate with associated CRLs then all CRLs are removed as well.
-     * 
+     *
      * This method cannot be called if the file object is open.
      *
      * @param thumbprint - The SHA1 hash of the Certificate to remove
@@ -81,11 +77,8 @@ export interface ITrustList {
      * -BadUserAccessDenied:   The current user does not have the rights required.
      * -BadInvalidArgument:    The certificate to remove was not found.
      * -BadInvalidState:       The object is opened.
-     * 
-     * 
+     *
+     *
      */
-    removeCertificate(
-      thumbprint: string,
-      isTrustedCertificate: boolean
-    ): Promise<StatusCode>;
+    removeCertificate(thumbprint: string, isTrustedCertificate: boolean): Promise<StatusCode>;
 }