Allow regular users to do write requests

Author: cziebuhr

asyncua/crypto/permission_rules.py

@@ -1,8 +1,7 @@
 from asyncua import ua
 from asyncua.server.users import UserRole
 
-WRITE_TYPES = [
-    ua.ObjectIds.WriteRequest_Encoding_DefaultBinary,
+ADMIN_TYPES = [
     ua.ObjectIds.RegisterServerRequest_Encoding_DefaultBinary,
     ua.ObjectIds.RegisterServer2Request_Encoding_DefaultBinary,
     ua.ObjectIds.AddNodesRequest_Encoding_DefaultBinary,
@@ -11,11 +10,12 @@
     ua.ObjectIds.DeleteReferencesRequest_Encoding_DefaultBinary,
 ]
 
-READ_TYPES = [
+USER_TYPES = [
     ua.ObjectIds.CreateSessionRequest_Encoding_DefaultBinary,
     ua.ObjectIds.CloseSessionRequest_Encoding_DefaultBinary,
     ua.ObjectIds.ActivateSessionRequest_Encoding_DefaultBinary,
     ua.ObjectIds.ReadRequest_Encoding_DefaultBinary,
+    ua.ObjectIds.WriteRequest_Encoding_DefaultBinary,
     ua.ObjectIds.BrowseRequest_Encoding_DefaultBinary,
     ua.ObjectIds.GetEndpointsRequest_Encoding_DefaultBinary,
     ua.ObjectIds.FindServersRequest_Encoding_DefaultBinary,
@@ -49,15 +49,15 @@ def check_validity(self, user, action_type, body):
 class SimpleRoleRuleset(PermissionRuleset):
     """
     Standard simple role-based ruleset.
-    Admins alone can write, admins and users can read, and anonymous users can't do anything.
+    Admins alone can change address space, admins and users can read/write, and anonymous users can't do anything.
     """
 
     def __init__(self):
-        write_ids = list(map(ua.NodeId, WRITE_TYPES))
-        read_ids = list(map(ua.NodeId, READ_TYPES))
+        admin_ids = list(map(ua.NodeId, ADMIN_TYPES))
+        user_ids = list(map(ua.NodeId, USER_TYPES))
         self._permission_dict = {
-            UserRole.Admin: set().union(write_ids, read_ids),
-            UserRole.User: set().union(read_ids),
+            UserRole.Admin: set().union(admin_ids, user_ids),
+            UserRole.User: set().union(user_ids),
             UserRole.Anonymous: set()
         }
 

tests/test_permissions.py

@@ -88,9 +88,9 @@ async def test_permissions_admin(srv_crypto_one_cert):
         assert await clt.get_objects_node().get_children()
         objects = clt.nodes.objects
         child = await objects.get_child(['0:MyObject', '0:MyVariable'])
-        await child.read_value()
         await child.set_value(42.0)
-
+        assert await child.read_value() == 42.0
+        await child.add_property(0, "MyProperty1", 3)
 
 async def test_permissions_user(srv_crypto_one_cert):
     clt = Client(uri_crypto_cert)
@@ -106,9 +106,10 @@ async def test_permissions_user(srv_crypto_one_cert):
         assert await clt.get_objects_node().get_children()
         objects = clt.nodes.objects
         child = await objects.get_child(['0:MyObject', '0:MyVariable'])
-        await child.read_value()
+        await child.set_value(44.0)
+        assert await child.read_value() == 44.0
         with pytest.raises(ua.uaerrors.BadUserAccessDenied):
-            await child.set_value(42)
+            await child.add_property(0, "MyProperty2", 3)
 
 
 async def test_permissions_anonymous(srv_crypto_one_cert):
@@ -121,6 +122,7 @@ async def test_permissions_anonymous(srv_crypto_one_cert):
         server_certificate=srv_crypto_params[0][1],
         mode=ua.MessageSecurityMode.SignAndEncrypt
     )
-    await clt.connect()
-    await clt.get_endpoints()
-    await clt.disconnect()
+    async with clt:
+        await clt.get_endpoints()
+        with pytest.raises(ua.uaerrors.BadUserAccessDenied):
+            await clt.nodes.objects.get_children()