node-opcua-server 2.66.1 → 2.67.0

package/dist/user_manager.d.ts

@@ -0,0 +1,32 @@
+import { IUserManager, UARoleSet } from "node-opcua-address-space";
+import { NodeId } from "node-opcua-nodeid";
+import { IdentityMappingRuleType } from "node-opcua-types";
+import { ServerSession } from "./server_session";
+export declare type ValidUserFunc = (this: ServerSession, username: string, password: string) => boolean;
+export declare type ValidUserAsyncFunc = (this: ServerSession, username: string, password: string, callback: (err: Error | null, isAuthorized?: boolean) => void) => void;
+export interface IUserManagerEx extends IUserManager {
+    /** synchronous function to check the credentials - can be overruled by isValidUserAsync */
+    isValidUser?: ValidUserFunc;
+    /** asynchronous function to check if the credentials - overrules isValidUser */
+    isValidUserAsync?: ValidUserAsyncFunc;
+}
+export declare type UserManagerOptions = IUserManagerEx | UAUserManagerBase;
+export interface IUAUserManager extends IUserManager {
+    getUserRoles(user: string): NodeId[];
+    isValidUser(session: ServerSession, username: string, password: string): Promise<boolean>;
+    getIdentitiesForRole(role: NodeId): IdentityMappingRuleType[];
+}
+export declare abstract class UAUserManagerBase implements IUAUserManager {
+    getUserRoles(user: string): NodeId[];
+    isValidUser(session: ServerSession, username: string, password: string): Promise<boolean>;
+    getIdentitiesForRole(role: NodeId): IdentityMappingRuleType[];
+    bind(roleSet: UARoleSet): void;
+}
+export declare class UAUserManager1 extends UAUserManagerBase {
+    private options;
+    constructor(options: IUserManagerEx);
+    getUserRoles(user: string): NodeId[];
+    isValidUser(session: ServerSession, username: string, password: string): Promise<boolean>;
+    getIdentitiesForRole(role: NodeId): IdentityMappingRuleType[];
+}
+export declare function makeUserManager(options?: UserManagerOptions): UAUserManagerBase;

package/dist/user_manager.js

@@ -0,0 +1,72 @@
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.makeUserManager = exports.UAUserManager1 = exports.UAUserManagerBase = void 0;
+class UAUserManagerBase {
+    getUserRoles(user) {
+        throw new Error("Method not implemented.");
+    }
+    isValidUser(session, username, password) {
+        throw new Error("Method not implemented.");
+    }
+    getIdentitiesForRole(role) {
+        return [];
+    }
+    bind(roleSet) {
+        /**  */
+    }
+}
+exports.UAUserManagerBase = UAUserManagerBase;
+class UAUserManager1 extends UAUserManagerBase {
+    constructor(options) {
+        super();
+        this.options = options;
+    }
+    getUserRoles(user) {
+        return this.options.getUserRoles(user);
+    }
+    isValidUser(session, username, password) {
+        return __awaiter(this, void 0, void 0, function* () {
+            if (typeof this.options.isValidUserAsync === "function") {
+                return new Promise((resolve, reject) => {
+                    var _a;
+                    (_a = this.options.isValidUserAsync) === null || _a === void 0 ? void 0 : _a.call(session, username, password, (err, isAuthorized) => {
+                        if (err)
+                            return reject();
+                        resolve(isAuthorized);
+                    });
+                });
+            }
+            else {
+                const authorized = this.options.isValidUser.call(session, username, password);
+                return authorized;
+            }
+        });
+    }
+    getIdentitiesForRole(role) {
+        return [];
+    }
+}
+exports.UAUserManager1 = UAUserManager1;
+function makeUserManager(options) {
+    if (options instanceof UAUserManagerBase) {
+        return options;
+    }
+    options = options || {};
+    if (typeof options.isValidUser !== "function") {
+        options.isValidUser = ( /*userName,password*/) => {
+            return false;
+        };
+    }
+    return new UAUserManager1(options);
+}
+exports.makeUserManager = makeUserManager;
+//# sourceMappingURL=user_manager.js.map

package/dist/user_manager.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user_manager.js","sourceRoot":"","sources":["../source/user_manager.ts"],"names":[],"mappings":";;;;;;;;;;;;AA4BA,MAAsB,iBAAiB;IACnC,YAAY,CAAC,IAAY;QACrB,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC/C,CAAC;IACD,WAAW,CAAC,OAAsB,EAAE,QAAgB,EAAE,QAAgB;QAClE,MAAM,IAAI,KAAK,CAAC,yBAAyB,CAAC,CAAC;IAC/C,CAAC;IACD,oBAAoB,CAAC,IAAY;QAC7B,OAAO,EAAE,CAAC;IACd,CAAC;IACD,IAAI,CAAC,OAAkB;QACnB,OAAO;IACX,CAAC;CACJ;AAbD,8CAaC;AACD,MAAa,cAAe,SAAQ,iBAAiB;IACjD,YAAoB,OAAuB;QACvC,KAAK,EAAE,CAAC;QADQ,YAAO,GAAP,OAAO,CAAgB;IAE3C,CAAC;IACD,YAAY,CAAC,IAAY;QACrB,OAAO,IAAI,CAAC,OAAO,CAAC,YAAa,CAAC,IAAI,CAAC,CAAC;IAC5C,CAAC;IAEK,WAAW,CAAC,OAAsB,EAAE,QAAgB,EAAE,QAAgB;;YACxE,IAAI,OAAO,IAAI,CAAC,OAAO,CAAC,gBAAgB,KAAK,UAAU,EAAE;gBACrD,OAAO,IAAI,OAAO,CAAU,CAAC,OAAO,EAAE,MAAM,EAAE,EAAE;;oBAC5C,MAAA,IAAI,CAAC,OAAO,CAAC,gBAAgB,0CAAE,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,EAAE,CAAC,GAAG,EAAE,YAAY,EAAE,EAAE;wBACnF,IAAI,GAAG;4BAAE,OAAO,MAAM,EAAE,CAAC;wBACzB,OAAO,CAAC,YAAa,CAAC,CAAC;oBAC3B,CAAC,CAAC,CAAC;gBACP,CAAC,CAAC,CAAC;aACN;iBAAM;gBACH,MAAM,UAAU,GAAG,IAAI,CAAC,OAAO,CAAC,WAAY,CAAC,IAAI,CAAC,OAAO,EAAE,QAAQ,EAAE,QAAQ,CAAC,CAAC;gBAC/E,OAAO,UAAU,CAAC;aACrB;QACL,CAAC;KAAA;IACD,oBAAoB,CAAC,IAAY;QAC7B,OAAO,EAAE,CAAC;IACd,CAAC;CACJ;AAxBD,wCAwBC;AAED,SAAgB,eAAe,CAAC,OAA4B;IACxD,IAAI,OAAO,YAAY,iBAAiB,EAAE;QACtC,OAAO,OAAO,CAAC;KAClB;IACD,OAAO,GAAG,OAAO,IAAI,EAAE,CAAC;IAExB,IAAI,OAAO,OAAO,CAAC,WAAW,KAAK,UAAU,EAAE;QAC3C,OAAO,CAAC,WAAW,GAAG,EAAC,qBAAqB,EAAE,EAAE;YAC5C,OAAO,KAAK,CAAC;QACjB,CAAC,CAAC;KACL;IACD,OAAO,IAAI,cAAc,CAAC,OAAyB,CAAC,CAAC;AACzD,CAAC;AAZD,0CAYC"}

package/dist/user_manager_ua.d.ts

@@ -0,0 +1,3 @@
+import { IAddressSpace } from "node-opcua-address-space";
+import { UAUserManagerBase } from "./user_manager";
+export declare function bindRoleSet(userManager: UAUserManagerBase, addressSpace: IAddressSpace): void;

package/dist/user_manager_ua.js

@@ -0,0 +1,40 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.bindRoleSet = void 0;
+const node_opcua_constants_1 = require("node-opcua-constants");
+const node_opcua_address_space_1 = require("node-opcua-address-space");
+const node_opcua_variant_1 = require("node-opcua-variant");
+const node_opcua_data_model_1 = require("node-opcua-data-model");
+function bindRoleSet(userManager, addressSpace) {
+    var _a;
+    const roleSet = addressSpace.findNode(node_opcua_constants_1.ObjectIds.Server_ServerCapabilities_RoleSet);
+    if (!roleSet)
+        return;
+    const components = roleSet.getComponents();
+    for (const component of components) {
+        (0, node_opcua_address_space_1.ensureObjectIsSecure)(component);
+        if (component.nodeClass !== node_opcua_data_model_1.NodeClass.Object) {
+            continue;
+        }
+        const o = component;
+        if (o.typeDefinitionObj.browseName.name !== "RoleType") {
+            continue;
+        }
+        const roleType = o;
+        const roleTypeProperties = roleType.findReferencesAsObject("HasChild", false);
+        for (const roleTypeProp of roleTypeProperties) {
+            (0, node_opcua_address_space_1.ensureObjectIsSecure)(roleTypeProp);
+        }
+        roleType.identities.setValueFromSource({ dataType: node_opcua_variant_1.DataType.ExtensionObject, value: [] });
+        (_a = roleType.endpoints) === null || _a === void 0 ? void 0 : _a.setValueFromSource({ dataType: node_opcua_variant_1.DataType.ExtensionObject, value: [] });
+        roleType.identities.bindVariable({
+            get: () => {
+                const identities = userManager.getIdentitiesForRole(roleType.nodeId);
+                return new node_opcua_variant_1.Variant({ dataType: node_opcua_variant_1.DataType.ExtensionObject, value: identities });
+            }
+        }, true);
+    }
+    userManager.bind(roleSet);
+}
+exports.bindRoleSet = bindRoleSet;
+//# sourceMappingURL=user_manager_ua.js.map

package/dist/user_manager_ua.js.map

@@ -0,0 +1 @@
+{"version":3,"file":"user_manager_ua.js","sourceRoot":"","sources":["../source/user_manager_ua.ts"],"names":[],"mappings":";;;AAAA,+DAAiD;AAEjD,uEAAgE;AAChE,2DAAuD;AACvD,iEAAkD;AAGlD,SAAgB,WAAW,CAAC,WAA8B,EAAE,YAA2B;;IACnF,MAAM,OAAO,GAAG,YAAY,CAAC,QAAQ,CAAC,gCAAS,CAAC,iCAAiC,CAAc,CAAC;IAChG,IAAI,CAAC,OAAO;QAAE,OAAO;IAErB,MAAM,UAAU,GAAG,OAAO,CAAC,aAAa,EAAE,CAAC;IAC3C,KAAK,MAAM,SAAS,IAAI,UAAU,EAAE;QAChC,IAAA,+CAAoB,EAAC,SAAS,CAAC,CAAC;QAChC,IAAI,SAAS,CAAC,SAAS,KAAK,iCAAS,CAAC,MAAM,EAAE;YAC1C,SAAS;SACZ;QACD,MAAM,CAAC,GAAG,SAAqB,CAAC;QAChC,IAAI,CAAC,CAAC,iBAAiB,CAAC,UAAU,CAAC,IAAI,KAAK,UAAU,EAAE;YACpD,SAAS;SACZ;QACD,MAAM,QAAQ,GAAG,CAAW,CAAC;QAC7B,MAAM,kBAAkB,GAAG,QAAQ,CAAC,sBAAsB,CAAC,UAAU,EAAE,KAAK,CAAC,CAAC;QAC9E,KAAK,MAAM,YAAY,IAAI,kBAAkB,EAAE;YAC3C,IAAA,+CAAoB,EAAC,YAAY,CAAC,CAAC;SACtC;QACD,QAAQ,CAAC,UAAU,CAAC,kBAAkB,CAAC,EAAE,QAAQ,EAAE,6BAAQ,CAAC,eAAe,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QAE1F,MAAA,QAAQ,CAAC,SAAS,0CAAE,kBAAkB,CAAC,EAAE,QAAQ,EAAE,6BAAQ,CAAC,eAAe,EAAE,KAAK,EAAE,EAAE,EAAE,CAAC,CAAC;QAC1F,QAAQ,CAAC,UAAU,CAAC,YAAY,CAC5B;YACI,GAAG,EAAE,GAAG,EAAE;gBACN,MAAM,UAAU,GAAG,WAAW,CAAC,oBAAoB,CAAC,QAAQ,CAAC,MAAM,CAAC,CAAC;gBAErE,OAAO,IAAI,4BAAO,CAAC,EAAE,QAAQ,EAAE,6BAAQ,CAAC,eAAe,EAAE,KAAK,EAAE,UAAU,EAAE,CAAC,CAAC;YAClF,CAAC;SACJ,EACD,IAAI,CACP,CAAC;KACL;IAED,WAAW,CAAC,IAAI,CAAC,OAAO,CAAC,CAAC;AAE9B,CAAC;AApCD,kCAoCC"}

package/package.json

@@ -1,6 +1,6 @@
 {
     "name": "node-opcua-server",
-    "version": "2.66.1",
+    "version": "2.67.0",
     "description": "pure nodejs OPCUA SDK - module -server",
     "scripts": {
         "build": "tsc -b",
@@ -18,53 +18,54 @@
         "bonjour": "^3.5.0",
         "dequeue": "^1.0.5",
         "lodash": "4.17.21",
-        "node-opcua-address-space": "2.66.1",
+        "node-opcua-address-space": "2.67.0",
         "node-opcua-assert": "2.66.0",
-        "node-opcua-basic-types": "2.66.0",
-        "node-opcua-certificate-manager": "2.66.1",
-        "node-opcua-client": "2.66.1",
-        "node-opcua-client-dynamic-extension-object": "2.66.1",
-        "node-opcua-common": "2.66.0",
-        "node-opcua-constants": "2.66.0",
+        "node-opcua-basic-types": "2.67.0",
+        "node-opcua-certificate-manager": "2.67.0",
+        "node-opcua-client": "2.67.0",
+        "node-opcua-client-dynamic-extension-object": "2.67.0",
+        "node-opcua-common": "2.67.0",
+        "node-opcua-constants": "2.67.0",
         "node-opcua-crypto": "^1.10.0",
-        "node-opcua-data-access": "2.66.0",
-        "node-opcua-data-model": "2.66.0",
-        "node-opcua-data-value": "2.66.0",
-        "node-opcua-date-time": "2.66.0",
-        "node-opcua-debug": "2.66.0",
-        "node-opcua-enum": "2.66.0",
-        "node-opcua-extension-object": "2.66.0",
-        "node-opcua-factory": "2.66.0",
-        "node-opcua-hostname": "2.66.0",
-        "node-opcua-nodeid": "2.66.0",
+        "node-opcua-data-access": "2.67.0",
+        "node-opcua-data-model": "2.67.0",
+        "node-opcua-data-value": "2.67.0",
+        "node-opcua-date-time": "2.67.0",
+        "node-opcua-debug": "2.67.0",
+        "node-opcua-enum": "2.67.0",
+        "node-opcua-extension-object": "2.67.0",
+        "node-opcua-factory": "2.67.0",
+        "node-opcua-hostname": "2.67.0",
+        "node-opcua-nodeid": "2.67.0",
+        "node-opcua-nodeset-ua": "2.67.0",
         "node-opcua-nodesets": "2.66.0",
-        "node-opcua-numeric-range": "2.66.0",
-        "node-opcua-object-registry": "2.66.0",
-        "node-opcua-pki": "^2.15.1",
-        "node-opcua-secure-channel": "2.66.1",
-        "node-opcua-service-browse": "2.66.0",
-        "node-opcua-service-call": "2.66.0",
-        "node-opcua-service-discovery": "2.66.0",
-        "node-opcua-service-endpoints": "2.66.0",
-        "node-opcua-service-filter": "2.66.0",
-        "node-opcua-service-history": "2.66.0",
-        "node-opcua-service-node-management": "2.66.0",
-        "node-opcua-service-query": "2.66.1",
-        "node-opcua-service-read": "2.66.0",
-        "node-opcua-service-register-node": "2.66.0",
-        "node-opcua-service-secure-channel": "2.66.0",
-        "node-opcua-service-session": "2.66.0",
-        "node-opcua-service-subscription": "2.66.1",
-        "node-opcua-service-translate-browse-path": "2.66.0",
-        "node-opcua-service-write": "2.66.0",
-        "node-opcua-status-code": "2.66.0",
-        "node-opcua-transport": "2.66.0",
-        "node-opcua-types": "2.66.0",
-        "node-opcua-utils": "2.66.0",
-        "node-opcua-variant": "2.66.0"
+        "node-opcua-numeric-range": "2.67.0",
+        "node-opcua-object-registry": "2.67.0",
+        "node-opcua-pki": "^2.15.4",
+        "node-opcua-secure-channel": "2.67.0",
+        "node-opcua-service-browse": "2.67.0",
+        "node-opcua-service-call": "2.67.0",
+        "node-opcua-service-discovery": "2.67.0",
+        "node-opcua-service-endpoints": "2.67.0",
+        "node-opcua-service-filter": "2.67.0",
+        "node-opcua-service-history": "2.67.0",
+        "node-opcua-service-node-management": "2.67.0",
+        "node-opcua-service-query": "2.67.0",
+        "node-opcua-service-read": "2.67.0",
+        "node-opcua-service-register-node": "2.67.0",
+        "node-opcua-service-secure-channel": "2.67.0",
+        "node-opcua-service-session": "2.67.0",
+        "node-opcua-service-subscription": "2.67.0",
+        "node-opcua-service-translate-browse-path": "2.67.0",
+        "node-opcua-service-write": "2.67.0",
+        "node-opcua-status-code": "2.67.0",
+        "node-opcua-transport": "2.67.0",
+        "node-opcua-types": "2.67.0",
+        "node-opcua-utils": "2.67.0",
+        "node-opcua-variant": "2.67.0"
     },
     "devDependencies": {
-        "node-opcua-leak-detector": "2.66.0",
+        "node-opcua-leak-detector": "2.67.0",
         "node-opcua-test-helpers": "2.66.0",
         "should": "^13.2.3",
         "sinon": "^13.0.1"
@@ -84,5 +85,5 @@
         "internet of things"
     ],
     "homepage": "http://node-opcua.github.io/",
-    "gitHead": "1a6c8ca803eb794dcdd3af58ab34d1b48dcd7c18"
+    "gitHead": "74c2fd7d4ce3eb48d25a911258bf90a64218ea0e"
 }

package/source/index.ts

@@ -12,3 +12,4 @@ export * from "./server_capabilities";
 export * from "./server_engine";
 export * from "./opcua_server";
 export * from "./monitored_item";
+export * from "./user_manager";

package/source/opcua_server.ts

@@ -42,9 +42,13 @@ import {
 } from "node-opcua-address-space";
 import { getDefaultCertificateManager, OPCUACertificateManager } from "node-opcua-certificate-manager";
 import { ServerState } from "node-opcua-common";
-import { Certificate, exploreCertificate, makeSHA1Thumbprint, Nonce, toPem } from "node-opcua-crypto";
+import { Certificate, exploreCertificate, Nonce } from "node-opcua-crypto";
 import {
-    AttributeIds, DiagnosticInfo, filterDiagnosticInfoLevel, filterDiagnosticOperationLevel, filterDiagnosticServiceLevel, LocalizedText, NodeClass, RESPONSE_DIAGNOSTICS_MASK_ALL
+    AttributeIds,
+    filterDiagnosticOperationLevel,
+    filterDiagnosticServiceLevel,
+    NodeClass,
+    RESPONSE_DIAGNOSTICS_MASK_ALL
 } from "node-opcua-data-model";
 import { DataValue } from "node-opcua-data-value";
 import { dump, make_debugLog, make_errorLog, make_warningLog } from "node-opcua-debug";
@@ -162,26 +166,14 @@ import { ServerSession } from "./server_session";
 import { CreateMonitoredItemHook, DeleteMonitoredItemHook, Subscription } from "./server_subscription";
 import { ISocketData } from "./i_socket_data";
 import { IChannelData } from "./i_channel_data";
+import { UAUserManagerBase, makeUserManager, UserManagerOptions } from "./user_manager";
+import { bindRoleSet} from "./user_manager_ua";
+
 
 function isSubscriptionIdInvalid(subscriptionId: number): boolean {
     return subscriptionId < 0 || subscriptionId >= 0xffffffff;
 }
 
-export type ValidUserFunc = (this: ServerSession, username: string, password: string) => boolean;
-export type ValidUserAsyncFunc = (
-    this: ServerSession,
-    username: string,
-    password: string,
-    callback: (err: Error | null, isAuthorized?: boolean) => void
-) => void;
-
-export interface UserManagerOptions extends IUserManager {
-    /** synchronous function to check the credentials - can be overruled by isValidUserAsync */
-    isValidUser?: ValidUserFunc;
-    /** asynchronous function to check if the credentials - overrules isValidUser */
-    isValidUserAsync?: ValidUserAsyncFunc;
-}
-
 // tslint:disable-next-line:no-var-requires
 const thenify = require("thenify");
 // tslint:disable-next-line:no-var-requires
@@ -681,7 +673,10 @@ function validate_security_endpoint(
 
 export function filterDiagnosticInfo(returnDiagnostics: number, response: CallResponse): void {
     if (RESPONSE_DIAGNOSTICS_MASK_ALL & returnDiagnostics) {
-        response.responseHeader.serviceDiagnostics = filterDiagnosticServiceLevel(returnDiagnostics, response.responseHeader.serviceDiagnostics);
+        response.responseHeader.serviceDiagnostics = filterDiagnosticServiceLevel(
+            returnDiagnostics,
+            response.responseHeader.serviceDiagnostics
+        );
 
         if (response.diagnosticInfos && response.diagnosticInfos.length > 0) {
             response.diagnosticInfos = response.diagnosticInfos.map((d) => filterDiagnosticOperationLevel(returnDiagnostics, d));
@@ -692,8 +687,8 @@ export function filterDiagnosticInfo(returnDiagnostics: number, response: CallRe
         if (response.results) {
             for (const entry of response.results) {
                 if (entry.inputArgumentDiagnosticInfos && entry.inputArgumentDiagnosticInfos.length > 0) {
-                    entry.inputArgumentDiagnosticInfos = entry.inputArgumentDiagnosticInfos.map(
-                        (d) => filterDiagnosticOperationLevel(returnDiagnostics, d)
+                    entry.inputArgumentDiagnosticInfos = entry.inputArgumentDiagnosticInfos.map((d) =>
+                        filterDiagnosticOperationLevel(returnDiagnostics, d)
                     );
                 } else {
                     entry.inputArgumentDiagnosticInfos = [];
@@ -1059,7 +1054,8 @@ export class OPCUAServer extends OPCUABaseServer {
     /**
      * the user manager
      */
-    public userManager: UserManagerOptions;
+    public userManager: UAUserManagerBase;
+
     public readonly options: OPCUAServerOptions;
 
     private objectFactory?: Factory;
@@ -1093,12 +1089,7 @@ export class OPCUAServer extends OPCUABaseServer {
         buildInfo.productUri = buildInfo.productUri || this.serverInfo.productUri;
         this.serverInfo.productUri = this.serverInfo.productUri || buildInfo.productUri;
 
-        this.userManager = options.userManager || {};
-        if (typeof this.userManager.isValidUser !== "function") {
-            this.userManager.isValidUser = (/*userName,password*/) => {
-                return false;
-            };
-        }
+        this.userManager = makeUserManager(options.userManager);
 
         options.allowAnonymous = options.allowAnonymous === undefined ? true : !!options.allowAnonymous;
         /**
@@ -1212,6 +1203,7 @@ export class OPCUAServer extends OPCUABaseServer {
             .then(() => {
                 OPCUAServer.registry.register(this);
                 this.engine.initialize(this.options, () => {
+                    bindRoleSet(this.userManager, this.engine.addressSpace!);
                     setImmediate(() => {
                         this.emit("post_initialize");
                         done();
@@ -1596,12 +1588,10 @@ export class OPCUAServer extends OPCUABaseServer {
             password = buff.slice(4, 4 + length).toString("utf-8");
         }
 
-        if (typeof this.userManager.isValidUserAsync === "function") {
-            this.userManager.isValidUserAsync.call(session, userName, password, callback);
-        } else {
-            const authorized = this.userManager.isValidUser!.call(session, userName, password);
-            async.setImmediate(() => callback(null, authorized));
-        }
+        this.userManager
+            .isValidUser(session, userName, password)
+            .then((isValid) => callback(null, isValid))
+            .catch((err) => callback(err));
     }
 
     /**
@@ -2185,7 +2175,13 @@ export class OPCUAServer extends OPCUABaseServer {
         // --- check that provided session matches session attached to channel
         if (channel.channelId !== session.channelId) {
             if (!(request instanceof ActivateSessionRequest)) {
-                errorLog(chalk.red.bgWhite("ERROR: channel.channelId !== session.channelId  on processing request " + request.constructor.name), channel.channelId, session.channelId);
+                errorLog(
+                    chalk.red.bgWhite(
+                        "ERROR: channel.channelId !== session.channelId  on processing request " + request.constructor.name
+                    ),
+                    channel.channelId,
+                    session.channelId
+                );
             }
             message.session_statusCode = StatusCodes.BadSecureChannelIdInvalid;
         } else if (channel_has_session(channel, session)) {

package/source/server_engine.ts

@@ -28,7 +28,8 @@ import {
     ISessionContext,
     DTServerStatus,
     resolveOpaqueOnAddressSpace,
-    ContinuationData
+    ContinuationData,
+    UARole
 } from "node-opcua-address-space";
 import { generateAddressSpace } from "node-opcua-address-space/nodeJS";
 import { DataValue, coerceTimestampsToReturn, apply_timestamps_no_copy } from "node-opcua-data-value";
@@ -358,7 +359,7 @@ export class ServerEngine extends EventEmitter {
 
             // "http://opcfoundation.org/UA-Profile/Server/ReverseConnect",
             // "http://opcfoundation.org/UAProfile/Server/NodeManagement",
-            
+
             //  "Embedded UA Server Profile",
             // "Micro Embedded Device Server Profile",
             // "Nano Embedded Device Server Profile"
@@ -1077,6 +1078,8 @@ export class ServerEngine extends EventEmitter {
                 });
             };
 
+ 
+
             bindServerDiagnostics();
 
             bindServerStatus();

package/source/server_session.ts

@@ -26,7 +26,7 @@ import { assert } from "node-opcua-assert";
 import { minOPCUADate, randomGuid } from "node-opcua-basic-types";
 import { SessionDiagnosticsDataType, SessionSecurityDiagnosticsDataType, SubscriptionDiagnosticsDataType } from "node-opcua-common";
 import { QualifiedName, NodeClass } from "node-opcua-data-model";
-import { checkDebugFlag, make_debugLog } from "node-opcua-debug";
+import { checkDebugFlag, make_debugLog, make_errorLog } from "node-opcua-debug";
 import { makeNodeId, NodeId, NodeIdType, sameNodeId } from "node-opcua-nodeid";
 import { ObjectRegistry } from "node-opcua-object-registry";
 import { StatusCode, StatusCodes } from "node-opcua-status-code";
@@ -43,7 +43,9 @@ import { SubscriptionState } from "./server_subscription";
 import { ServerEngine } from "./server_engine";
 
 const debugLog = make_debugLog(__filename);
+const errorLog = make_errorLog(__filename);
 const doDebug = checkDebugFlag(__filename);
+
 const theWatchDog = new WatchDog();
 
 const registeredNodeNameSpace = 9999;
@@ -299,11 +301,11 @@ export class ServerSession extends EventEmitter implements ISubscriber, ISession
     public incrementRequestTotalCounter(counterName: string): void {
         if (this._sessionDiagnostics) {
             const propName = lowerFirstLetter(counterName + "Count");
+            // istanbul ignore next
             if (!Object.prototype.hasOwnProperty.call(this._sessionDiagnostics, propName)) {
-                console.log(" cannot find", propName);
+               errorLog("incrementRequestTotalCounter: cannot find", propName);
                 // xx return;
             } else {
-                //   console.log(self._sessionDiagnostics.toString());
                 (this._sessionDiagnostics as any)[propName].totalCount += 1;
             }
         }
@@ -313,8 +315,9 @@ export class ServerSession extends EventEmitter implements ISubscriber, ISession
         this.parent?.incrementRejectedRequestsCount();
         if (this._sessionDiagnostics) {
             const propName = lowerFirstLetter(counterName + "Count");
+            // istanbul ignore next
             if (!Object.prototype.hasOwnProperty.call(this._sessionDiagnostics, propName)) {
-                console.log(" cannot find", propName);
+                errorLog("incrementRequestErrorCounter: cannot find", propName);
                 // xx  return;
             } else {
                 (this._sessionDiagnostics as any)[propName].errorCount += 1;
@@ -428,7 +431,7 @@ export class ServerSession extends EventEmitter implements ISubscriber, ISession
 
         if (!deleteSubscriptions && this.currentSubscriptionCount !== 0) {
             // I don't know what to do yet if deleteSubscriptions is false
-            console.log("TO DO : Closing session without deleting subscription not yet implemented");
+            errorLog("TO DO : Closing session without deleting subscription not yet implemented");
             // to do: Put subscriptions in safe place for future transfer if any
         }
 
@@ -593,7 +596,6 @@ export class ServerSession extends EventEmitter implements ISubscriber, ISession
         const subscriptionDiagnostics = subscription.subscriptionDiagnostics;
         assert(subscriptionDiagnostics instanceof SubscriptionDiagnosticsDataType);
         if (subscriptionDiagnostics && subscriptionDiagnosticsArray) {
-            // console.log("GG => ServerSession **Unexposing** subscription diagnostics =>",
             // subscription.id,"on session", session.nodeId.toString());
             removeElement(subscriptionDiagnosticsArray, subscriptionDiagnostics);
         }

package/source/server_subscription.ts

@@ -123,7 +123,7 @@ function _adjust_maxNotificationsPerPublish(maxNotificationsPerPublish?: number)
 }
 
 function w(s: string | number, length: number): string {
-    return ("000" + s).substr(-length);
+    return ("000" + s).padStart(length);
 }
 
 function t(d: Date): string {

package/source/user_manager.ts

@@ -0,0 +1,81 @@
+import { IUserManager, UARoleSet } from "node-opcua-address-space";
+import { NodeId } from "node-opcua-nodeid";
+import { IdentityMappingRuleType } from "node-opcua-types";
+import { ServerSession } from "./server_session";
+
+export type ValidUserFunc = (this: ServerSession, username: string, password: string) => boolean;
+export type ValidUserAsyncFunc = (
+    this: ServerSession,
+    username: string,
+    password: string,
+    callback: (err: Error | null, isAuthorized?: boolean) => void
+) => void;
+
+export interface IUserManagerEx extends IUserManager {
+    /** synchronous function to check the credentials - can be overruled by isValidUserAsync */
+    isValidUser?: ValidUserFunc;
+    /** asynchronous function to check if the credentials - overrules isValidUser */
+    isValidUserAsync?: ValidUserAsyncFunc;
+}
+
+export type UserManagerOptions = IUserManagerEx | UAUserManagerBase;
+
+export interface IUAUserManager extends IUserManager {
+    getUserRoles(user: string): NodeId[];
+    isValidUser(session: ServerSession, username: string, password: string): Promise<boolean>;
+    getIdentitiesForRole(role: NodeId): IdentityMappingRuleType[];
+}
+
+export abstract class UAUserManagerBase implements IUAUserManager {
+    getUserRoles(user: string): NodeId[] {
+        throw new Error("Method not implemented.");
+    }
+    isValidUser(session: ServerSession, username: string, password: string): Promise<boolean> {
+        throw new Error("Method not implemented.");
+    }
+    getIdentitiesForRole(role: NodeId): IdentityMappingRuleType[] {
+        return [];
+    }
+    bind(roleSet: UARoleSet): void {
+        /**  */
+    }
+}
+export class UAUserManager1 extends UAUserManagerBase {
+    constructor(private options: IUserManagerEx) {
+        super();
+    }
+    getUserRoles(user: string): NodeId[] {
+        return this.options.getUserRoles!(user);
+    }
+
+    async isValidUser(session: ServerSession, username: string, password: string): Promise<boolean> {
+        if (typeof this.options.isValidUserAsync === "function") {
+            return new Promise<boolean>((resolve, reject) => {
+                this.options.isValidUserAsync?.call(session, username, password, (err, isAuthorized) => {
+                    if (err) return reject();
+                    resolve(isAuthorized!);
+                });
+            });
+        } else {
+            const authorized = this.options.isValidUser!.call(session, username, password);
+            return authorized;
+        }
+    }
+    getIdentitiesForRole(role: NodeId): IdentityMappingRuleType[] {
+        return [];
+    }
+}
+
+export function makeUserManager(options?: UserManagerOptions): UAUserManagerBase {
+    if (options instanceof UAUserManagerBase) {
+        return options;
+    }
+    options = options || {};
+
+    if (typeof options.isValidUser !== "function") {
+        options.isValidUser = (/*userName,password*/) => {
+            return false;
+        };
+    }
+    return new UAUserManager1(options as IUserManagerEx);
+}

package/source/user_manager_ua.ts

@@ -0,0 +1,44 @@
+import { ObjectIds } from "node-opcua-constants";
+import { IAddressSpace, UAObject, UARole , UARoleSet} from "node-opcua-address-space";
+import { ensureObjectIsSecure } from "node-opcua-address-space";
+import { Variant, DataType } from "node-opcua-variant";
+import { NodeClass } from "node-opcua-data-model";
+import { UAUserManagerBase } from "./user_manager";
+
+export function bindRoleSet(userManager: UAUserManagerBase, addressSpace: IAddressSpace) {
+    const roleSet = addressSpace.findNode(ObjectIds.Server_ServerCapabilities_RoleSet) as UARoleSet;
+    if (!roleSet) return;
+
+    const components = roleSet.getComponents();
+    for (const component of components) {
+        ensureObjectIsSecure(component);
+        if (component.nodeClass !== NodeClass.Object) {
+            continue;
+        }
+        const o = component as UAObject;
+        if (o.typeDefinitionObj.browseName.name !== "RoleType") {
+            continue;
+        }
+        const roleType = o as UARole;
+        const roleTypeProperties = roleType.findReferencesAsObject("HasChild", false);
+        for (const roleTypeProp of roleTypeProperties) {
+            ensureObjectIsSecure(roleTypeProp);
+        }
+        roleType.identities.setValueFromSource({ dataType: DataType.ExtensionObject, value: [] });
+
+        roleType.endpoints?.setValueFromSource({ dataType: DataType.ExtensionObject, value: [] });
+        roleType.identities.bindVariable(
+            {
+                get: () => {
+                    const identities = userManager.getIdentitiesForRole(roleType.nodeId);
+
+                    return new Variant({ dataType: DataType.ExtensionObject, value: identities });
+                }
+            },
+            true
+        );
+    }
+
+    userManager.bind(roleSet);
+
+}