

Concrete types for credentials (#2154)
* Update System.Web.Identity to latest
* Fix #2152
marcschier authored Jan 10, 2024
1 parent e25e9eb commit d527fdd
Showing 15 changed files with 316 additions and 121 deletions.
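--- a/docs/opc-publisher/definitions.md
+++ b/docs/opc-publisher/definitions.md
@@ -389,12 +389,15 @@ Content filter
 
 <a name="credentialmodel"></a>
 ### CredentialModel
-Credential model
+Credential model. For backwards compatibility
+the actual credentials to pass to the server is set
+through the value property.
 
 
 |Name|Schema|
 |---|---|
 |**type** <br>*optional*|[CredentialType](definitions.md#credentialtype)|
+|**value** <br>*optional*|[UserIdentityModel](definitions.md#useridentitymodel)|
 
 
 <a name="credentialtype"></a>
@@ -733,7 +736,7 @@ Result of GetConfiguredNodesOnEndpoint method call
 ### HeartbeatBehavior
 Heartbeat behavior
 
-*Type* : enum (WatchdogLKV, WatchdogLKG, PeriodicLKV, PeriodicLKG, WatchdogLKVWithUpdatedTimestamps)
+*Type* : enum (WatchdogLKV, WatchdogLKG, PeriodicLKV, PeriodicLKG, WatchdogLKVWithUpdatedTimestamps, WatchdogLKVDiagnosticsOnly)
 
 
 <a name="historiceventmodel"></a>
@@ -2151,6 +2154,18 @@ connection endpoint
 |**request** <br>*optional*|[UpdateValuesDetailsModelHistoryUpdateRequestModel](definitions.md#updatevaluesdetailsmodelhistoryupdaterequestmodel)|
 
 
+<a name="useridentitymodel"></a>
+### UserIdentityModel
+User identity model
+
+
+|Name|Description|Schema|
+|---|---|---|
+|**password** <br>*optional*|<br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.UserName authentication<br> this is the password of the user.<br> <br><br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication<br> this is the passcode to export the configured certificate's<br> private key.<br> <br><br><br> Not used for the other authentication types.|string|
+|**thumbprint** <br>*optional*|<br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication<br> this is the thumbprint of the configured certificate to use.<br> Either Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.User or Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.Thumbprint must be<br> used to select the certificate in the user certificate store.<br> <br><br><br> Not used for the other authentication types.|string|
+|**user** <br>*optional*|<br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.UserName authentication<br> this is the name of the user.<br> <br><br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication<br> this is the subject name of the certificate that has been<br> configured.<br> Either Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.User or Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.Thumbprint must be<br> used to select the certificate in the user certificate store.<br> <br><br><br> Not used for the other authentication types.|string|
+
+
 <a name="valuereadrequestmodel"></a>
 ### ValueReadRequestModel
 Request node value read
@@ -2356,7 +2371,7 @@ Result of attribute write
 ### WriterGroupTransport
 Desired writer group transport
 
-*Type* : enum (IoTHub, Mqtt, Dapr, Http, FileSystem)
+*Type* : enum (IoTHub, Mqtt, Dapr, Http, FileSystem, Null)
 
 
 <a name="x509certificatechainmodel"></a>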
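--- a/docs/opc-publisher/openapi.json
+++ b/docs/opc-publisher/openapi.json
@@ -3578,14 +3578,14 @@
 }
 },
 "CredentialModel": {
-"description": "Credential model",
+"description": "Credential model. For backwards compatibility\r\nthe actual credentials to pass to the server is set\r\nthrough the value property.",
 "type": "object",
 "properties": {
 "type": {
 "$ref": "#/definitions/CredentialType"
 },
 "value": {
-"description": "Credential to pass to server."
+"$ref": "#/definitions/UserIdentityModel"
 }
 }
 },
@@ -4217,7 +4217,8 @@
 "WatchdogLKG",
 "PeriodicLKV",
 "PeriodicLKG",
-"WatchdogLKVWithUpdatedTimestamps"
+"WatchdogLKVWithUpdatedTimestamps",
+"WatchdogLKVDiagnosticsOnly"
 ],
 "type": "string",
 "x-ms-enum": {
@@ -7105,6 +7106,24 @@
 }
 }
 },
+"UserIdentityModel": {
+"description": "User identity model",
+"type": "object",
+"properties": {
+"user": {
+"description": "<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.UserName authentication\r\n this is the name of the user.\r\n \r\n<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication\r\n this is the subject name of the certificate that has been\r\n configured.\r\n Either Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.User or Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.Thumbprint must be\r\n used to select the certificate in the user certificate store.\r\n \r\n<br>\r\n Not used for the other authentication types.\r\n ",
+"type": "string"
+},
+"password": {
+"description": "<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.UserName authentication\r\n this is the password of the user.\r\n \r\n<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication\r\n this is the passcode to export the configured certificate's\r\n private key.\r\n \r\n<br>\r\n Not used for the other authentication types.\r\n ",
+"type": "string"
+},
+"thumbprint": {
+"description": "<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication\r\n this is the thumbprint of the configured certificate to use.\r\n Either Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.User or Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.Thumbprint must be\r\n used to select the certificate in the user certificate store.\r\n \r\n<br>\r\n Not used for the other authentication types.\r\n ",
+"type": "string"
+}
+}
+},
 "ValueReadRequestModel": {
 "description": "Request node value read",
 "type": "object",
@@ -7446,7 +7465,8 @@
 "Mqtt",
 "Dapr",
 "Http",
-"FileSystem"
+"FileSystem",
+"Null"
 ],
 "type": "string",
 "x-ms-enum": {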
7 changes: 5 additions & 2 deletions docs/release-announcement.md
Expand Up @@ -54,14 +54,17 @@ We are pleased to announce the release of version 2.9.4 of OPC Publisher and the

### Changes in 2.9.4

- Send the error of CreateMonitoredItem as part of the keyframe field and in heartbeats if WatchdogLKV heartbeat behavior is used (#2150).
- Credential based authentication uses concrete types for credentials now which are documented in openapi.json (#2152)
- OPC Publisher can now obtain TLS certificates from IoT Edge workload API to secure the HTTPS API (#2101)
- Fix release build issue which broke support for ARM64 images running on RPi4 (#2145).
- Update console diagnostics output to provide better naming and reflect other transports than IoT Edge Hub (#2141)
- Update console diagnostics output to provide better naming, additional diagnostics and reflect other transports than IoT Edge Hub (#2141)
- Add keep alive notification counts to Diagnostics output and messages
- Add a full version that includes runtime, framework and full version string to runtime state message, twin, diagnostic object, and in console output.
- When only using cyclic reads, the underlying dummy subscription should stay disabled (#2139)
- Recreate session if it expires on server (#2138)
- Log subscription keep alive error only when session is connected (#2137)
- Update OPC UA .net stack to latest version (1.4.372.106) to enable fully async reconnect
- Update OPC UA .net stack to latest version (1.4.372.116-preview) to enable fully async reconnect and fix several issues in previous versions.
- Fix issue where certain publish errors cause reconnect state machine to fail (#2104, #2136)

## Azure Industrial IoT OPC Publisher 2.9.3
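--- a/docs/web-api/definitions.md
+++ b/docs/web-api/definitions.md
@@ -371,12 +371,15 @@ Content filter
 
 <a name="credentialmodel"></a>
 ### CredentialModel
-Credential model
+Credential model. For backwards compatibility
+the actual credentials to pass to the server is set
+through the value property.
 
 
 |Name|Schema|
 |---|---|
 |**type** <br>*optional*|[CredentialType](definitions.md#credentialtype)|
+|**value** <br>*optional*|[UserIdentityModel](definitions.md#useridentitymodel)|
 
 
 <a name="credentialtype"></a>
@@ -802,7 +805,7 @@ Gateway registration update request
 ### HeartbeatBehavior
 Heartbeat behavior
 
-*Type* : enum (WatchdogLKV, WatchdogLKG, PeriodicLKV, PeriodicLKG, WatchdogLKVWithUpdatedTimestamps)
+*Type* : enum (WatchdogLKV, WatchdogLKG, PeriodicLKV, PeriodicLKG, WatchdogLKVWithUpdatedTimestamps, WatchdogLKVDiagnosticsOnly)
 
 
 <a name="historiceventmodel"></a>
@@ -1976,6 +1979,18 @@ Request node history update
 |**nodeId** <br>*required*|Node to update <br>**Minimum length** : `1`|string|
 
 
+<a name="useridentitymodel"></a>
+### UserIdentityModel
+User identity model
+
+
+|Name|Description|Schema|
+|---|---|---|
+|**password** <br>*optional*|<br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.UserName authentication<br> this is the password of the user.<br> <br><br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication<br> this is the passcode to export the configured certificate's<br> private key.<br> <br><br><br> Not used for the other authentication types.|string|
+|**thumbprint** <br>*optional*|<br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication<br> this is the thumbprint of the configured certificate to use.<br> Either Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.User or Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.Thumbprint must be<br> used to select the certificate in the user certificate store.<br> <br><br><br> Not used for the other authentication types.|string|
+|**user** <br>*optional*|<br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.UserName authentication<br> this is the name of the user.<br> <br><br><br> For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication<br> this is the subject name of the certificate that has been<br> configured.<br> Either Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.User or Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.Thumbprint must be<br> used to select the certificate in the user certificate store.<br> <br><br><br> Not used for the other authentication types.|string|
+
+
 <a name="valuereadrequestmodel"></a>
 ### ValueReadRequestModel
 Request node value read
@@ -2116,7 +2131,7 @@ Result of attribute write
 ### WriterGroupTransport
 Desired writer group transport
 
-*Type* : enum (IoTHub, Mqtt, Dapr, Http, FileSystem)
+*Type* : enum (IoTHub, Mqtt, Dapr, Http, FileSystem, Null)
 
 
 <a name="x509certificatechainmodel"></a>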
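--- a/docs/web-api/openapi.json
+++ b/docs/web-api/openapi.json
@@ -4908,14 +4908,14 @@
 }
 },
 "CredentialModel": {
-"description": "Credential model",
+"description": "Credential model. For backwards compatibility\r\nthe actual credentials to pass to the server is set\r\nthrough the value property.",
 "type": "object",
 "properties": {
 "type": {
 "$ref": "#/definitions/CredentialType"
 },
 "value": {
-"description": "Credential to pass to server."
+"$ref": "#/definitions/UserIdentityModel"
 }
 }
 },
@@ -5730,7 +5730,8 @@
 "WatchdogLKG",
 "PeriodicLKV",
 "PeriodicLKG",
-"WatchdogLKVWithUpdatedTimestamps"
+"WatchdogLKVWithUpdatedTimestamps",
+"WatchdogLKVDiagnosticsOnly"
 ],
 "type": "string",
 "x-ms-enum": {
@@ -8259,6 +8260,24 @@
 }
 }
 },
+"UserIdentityModel": {
+"description": "User identity model",
+"type": "object",
+"properties": {
+"user": {
+"description": "<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.UserName authentication\r\n this is the name of the user.\r\n \r\n<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication\r\n this is the subject name of the certificate that has been\r\n configured.\r\n Either Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.User or Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.Thumbprint must be\r\n used to select the certificate in the user certificate store.\r\n \r\n<br>\r\n Not used for the other authentication types.\r\n ",
+"type": "string"
+},
+"password": {
+"description": "<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.UserName authentication\r\n this is the password of the user.\r\n \r\n<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication\r\n this is the passcode to export the configured certificate's\r\n private key.\r\n \r\n<br>\r\n Not used for the other authentication types.\r\n ",
+"type": "string"
+},
+"thumbprint": {
+"description": "<br>\r\n For Azure.IIoT.OpcUa.Publisher.Models.CredentialType.X509Certificate authentication\r\n this is the thumbprint of the configured certificate to use.\r\n Either Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.User or Azure.IIoT.OpcUa.Publisher.Models.UserIdentityModel.Thumbprint must be\r\n used to select the certificate in the user certificate store.\r\n \r\n<br>\r\n Not used for the other authentication types.\r\n ",
+"type": "string"
+}
+}
+},
 "ValueReadRequestModel": {
 "description": "Request node value read",
 "type": "object",
@@ -8524,7 +8543,8 @@
 "Mqtt",
 "Dapr",
 "Http",
-"FileSystem"
+"FileSystem",
+"Null"
 ],
 "type": "string",
 "x-ms-enum": {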
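--- a/src/Azure.IIoT.OpcUa.Publisher.Models/src/CredentialModel.cs
+++ b/src/Azure.IIoT.OpcUa.Publisher.Models/src/CredentialModel.cs
@@ -5,11 +5,12 @@
 
 namespace Azure.IIoT.OpcUa.Publisher.Models
 {
-using Furly.Extensions.Serializers;
 using System.Runtime.Serialization;
 
 /// <summary>
-/// Credential model
+/// Credential model. For backwards compatibility
+/// the actual credentials to pass to the server is set
+/// through the value property.
 /// </summary>
 [DataContract]
 public sealed record class CredentialModel
@@ -22,10 +23,11 @@ public sealed record class CredentialModel
 public CredentialType? Type { get; set; }
 
 /// <summary>
-/// Credential to pass to server.
+/// Credential to pass to server. Can be omitted in case of
+/// <see cref="CredentialType.None"/>.
 /// </summary>
 [DataMember(Name = "value", Order = 1,
 EmitDefaultValue = false)]
-public VariantValue? Value { get; set; }
+public UserIdentityModel? Value { get; set; }
 }
 }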
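Review bot: `CredentialModel` is a `record class`, and with `Value` now typed as the record `UserIdentityModel` (added in this commit) the compiler-synthesized `ToString()` of either type renders `Password` in clear text wherever the model is interpolated into a log line, exception message or debugger display; the same point applies to the new UserIdentityModel.cs. Consider overriding the formatting on `UserIdentityModel` so the secret is redacted, e.g. `public override string ToString() => $"{{ User = {User}, Password = {(Password is null ? "null" : "***")}, Thumbprint = {Thumbprint} }}";`, or at least state in its summary that instances must not be logged. The record body between the two hunks is outside this view, so an existing override there cannot be ruled out.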
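--- /dev/null
+++ b/src/Azure.IIoT.OpcUa.Publisher.Models/src/UserIdentityModel.cs
@@ -0,0 +1,69 @@
+// ------------------------------------------------------------
+// Copyright (c) Microsoft Corporation. All rights reserved.
+// Licensed under the MIT License (MIT). See License.txt in the repo root for license information.
+// ------------------------------------------------------------
+
+namespace Azure.IIoT.OpcUa.Publisher.Models
+{
+using System.Runtime.Serialization;
+
+/// <summary>
+/// User identity model
+/// </summary>
+[DataContract]
+public sealed record class UserIdentityModel
+{
+/// <summary>
+/// <para>
+/// For <see cref="CredentialType.UserName"/> authentication
+/// this is the name of the user.
+/// </para>
+/// <para>
+/// For <see cref="CredentialType.X509Certificate"/> authentication
+/// this is the subject name of the certificate that has been
+/// configured.
+/// Either <see cref="User"/> or <see cref="Thumbprint"/> must be
+/// used to select the certificate in the user certificate store.
+/// </para>
+/// <para>
+/// Not used for the other authentication types.
+/// </para>
+/// </summary>
+[DataMember(Name = "user", Order = 1,
+EmitDefaultValue = false)]
+public string? User { get; set; }
+
+/// <summary>
+/// <para>
+/// For <see cref="CredentialType.UserName"/> authentication
+/// this is the password of the user.
+/// </para>
+/// <para>
+/// For <see cref="CredentialType.X509Certificate"/> authentication
+/// this is the passcode to export the configured certificate's
+/// private key.
+/// </para>
+/// <para>
+/// Not used for the other authentication types.
+/// </para>
+/// </summary>
+[DataMember(Name = "password", Order = 2,
+EmitDefaultValue = false)]
+public string? Password { get; set; }
+
+/// <summary>
+/// <para>
+/// For <see cref="CredentialType.X509Certificate"/> authentication
+/// this is the thumbprint of the configured certificate to use.
+/// Either <see cref="User"/> or <see cref="Thumbprint"/> must be
+/// used to select the certificate in the user certificate store.
+/// </para>
+/// <para>
+/// Not used for the other authentication types.
+/// </para>
+/// </summary>
+[DataMember(Name = "thumbprint", Order = 3,
+EmitDefaultValue = false)]
+public string? Thumbprint { get; set; }
+}
+}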
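Review bot: The property docs on `User` and `Thumbprint` say that either one must be used to select the certificate for `CredentialType.X509Certificate`, but nothing states what happens when both are set or when neither is, and a plain data contract cannot enforce the constraint itself. A class-level `<remarks>` naming the precedence the consumer applies (presumably thumbprint over subject name, but confirm against the code that resolves the certificate) would spare callers a trip to the source. The summary `User identity model` could also say that each field's meaning depends on the enclosing credential type, e.g. `/// User identity carried in <see cref="CredentialModel.Value"/>; field semantics depend on <see cref="CredentialModel.Type"/>.`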
Expand Up @@ -20,7 +20,7 @@
<PackageReference Include="Microsoft.AspNetCore.Authentication.JwtBearer" Version="8.0.1" />
<PackageReference Include="Microsoft.AspNetCore.SignalR.Protocols.NewtonsoftJson" Version="8.0.1" />
<PackageReference Include="Microsoft.AspNetCore.SignalR.Protocols.MessagePack" Version="8.0.1" />
<PackageReference Include="Microsoft.Identity.Web" Version="2.16.0" />
<PackageReference Include="Microsoft.Identity.Web" Version="2.16.1" />
<PackageReference Include="System.Security.Cryptography.Pkcs" Version="8.0.0" />
<PackageReference Include="OpenTelemetry.Extensions.Hosting" Version="1.7.0" />
<PackageReference Include="OpenTelemetry.Instrumentation.Http" Version="1.7.0" />
