feat(binding-opcua): move OPCUA security schema to binding-opcua #1401

Author: erossignon

packages/binding-opcua/src/index.ts

@@ -16,4 +16,5 @@
 export * from "./factory";
 export * from "./codec";
 export * from "./opcua-protocol-client";
+export * from "./security_scheme";
 // no protocol_client here => get access from factor

packages/binding-opcua/src/opcua-protocol-client.ts

@@ -26,8 +26,6 @@ import {
     Form,
     SecurityScheme,
     createLoggers,
-    OPCUACAuthenticationScheme,
-    OPCUAChannelSecurityScheme,
     AllOfSecurityScheme,
     OneOfSecurityScheme,
 } from "@node-wot/core";
@@ -64,12 +62,13 @@ import { AttributeIds, BrowseDirection, makeResultMask } from "node-opcua-data-m
 import { makeBrowsePath } from "node-opcua-service-translate-browse-path";
 import { StatusCodes } from "node-opcua-status-code";
 import { coercePrivateKeyPem, convertPEMtoDER, readPrivateKey } from "node-opcua-crypto";
-
-import { schemaDataValue } from "./codec";
 import { opcuaJsonEncodeVariant } from "node-opcua-json";
 import { Argument, BrowseDescription, BrowseResult, MessageSecurityMode, UserTokenType } from "node-opcua-types";
 import { isGoodish2, OPCUACertificateManager, ReferenceTypeIds } from "node-opcua";
 
+import { schemaDataValue } from "./codec";
+import { OPCUACAuthenticationScheme, OPCUAChannelSecurityScheme } from "./security_scheme";
+
 const { debug } = createLoggers("binding-opcua", "opcua-protocol-client");
 
 const env = envPath("binding-opcua", { suffix: "node-wot" });

packages/binding-opcua/src/security_scheme.ts

@@ -0,0 +1,93 @@
+/********************************************************************************
+ * Copyright (c) 2025 Contributors to the Eclipse Foundation
+ *
+ * See the NOTICE file(s) distributed with this work for additional
+ * information regarding copyright ownership.
+ *
+ * This program and the accompanying materials are made available under the
+ * terms of the Eclipse Public License v. 2.0 which is available at
+ * http://www.eclipse.org/legal/epl-2.0, or the W3C Software Notice and
+ * Document License (2015-05-13) which is available at
+ * https://www.w3.org/Consortium/Legal/2015/copyright-software-and-document.
+ *
+ * SPDX-License-Identifier: EPL-2.0 OR W3C-20150513
+ ********************************************************************************/
+
+// global W3C WoT Scripting API definitions
+import * as TDT from "wot-thing-description-types";
+import { SecurityScheme } from "@node-wot/core";
+export interface OPCUASecuritySchemeBase extends SecurityScheme, TDT.AdditionalSecurityScheme {
+    scheme: "uav:channel-security" | "uav:authentication";
+}
+
+export type ValidOPCUASecurityPolicy =
+    | "Basic128"
+    | "http://opcfoundation.org/UA/SecurityPolicy#Basic128"
+    | "Basic192"
+    | "http://opcfoundation.org/UA/SecurityPolicy#Basic192"
+    | "Basic192Rsa15"
+    | "http://opcfoundation.org/UA/SecurityPolicy#Basic192Rsa15"
+    | "Basic256Rsa15"
+    | "http://opcfoundation.org/UA/SecurityPolicy#Basic256Rsa15"
+    | "Basic256Sha256"
+    | "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
+    | "Aes128_Sha256_RsaOaep"
+    | "http://opcfoundation.org/UASecurityPolicy#Aes128_Sha256_RsaOaep"
+    | "Aes256_Sha256_RsaPss"
+    | "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss"
+    | "PubSub_Aes128_CTR"
+    | "http://opcfoundation.org/UA/SecurityPolicy#PubSub_Aes128_CTR"
+    | "PubSub_Aes256_CTR"
+    | "http://opcfoundation.org/UA/SecurityPolicy#PubSub_Aes256_CTR";
+// deprecated  | "Basic128Rsa15" | "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"
+// deprecated |  "Basic256" | "http://opcfoundation.org/UA/SecurityPolicy#Basic256"
+
+/**
+ *
+ */
+export interface OPCUASecureSecurityScheme extends OPCUASecuritySchemeBase {
+    scheme: "uav:channel-security";
+    policy: ValidOPCUASecurityPolicy;
+    messageMode: "sign" | "sign_encrypt";
+}
+export interface OPCUAUnsecureChannelScheme extends OPCUASecuritySchemeBase {
+    scheme: "uav:channel-security";
+    policy: never;
+    messageMode: "none";
+}
+
+export type OPCUAChannelSecurityScheme = OPCUASecureSecurityScheme | OPCUAUnsecureChannelScheme;
+export interface OPCUACAuthenticationSchemeBase extends OPCUASecuritySchemeBase {
+    scheme: "uav:authentication";
+    tokenType: "username" | "certificate" | "anonymous";
+}
+
+export interface OPCUACUserNameAuthenticationScheme extends OPCUACAuthenticationSchemeBase {
+    scheme: "uav:authentication";
+    tokenType: "username";
+    userName: string;
+    password?: string;
+}
+export interface OPCUACertificateAuthenticationScheme extends OPCUACAuthenticationSchemeBase {
+    scheme: "uav:authentication";
+    tokenType: "certificate";
+    // the certificate in PEM format
+    //  -----BEGIN CERTIFICATE----
+    //  ...
+    //  -----END CERTIFICATE-----
+    certificate: string;
+    // the private key in PEM format that is associated with the certificate
+    // For instance
+    //  -----BEGIN PRIVATE KEY-----
+    //  ...
+    //  -----END PRIVATE KEY-----
+    privateKey?: string;
+}
+export interface OPCUAAnonymousAuthenticationScheme extends OPCUACAuthenticationSchemeBase {
+    scheme: "uav:authentication";
+    tokenType: "anonymous";
+}
+export type OPCUACAuthenticationScheme =
+    | OPCUAAnonymousAuthenticationScheme
+    | OPCUACertificateAuthenticationScheme
+    | OPCUACUserNameAuthenticationScheme;

packages/binding-opcua/test/opcua-security-test.ts

@@ -17,18 +17,19 @@
 
 import { expect } from "chai";
 import path from "path";
+import { Servient, createLoggers } from "@node-wot/core";
+import { InteractionOptions } from "wot-typescript-definitions";
+
+import { MessageSecurityMode, OPCUAClient, OPCUAServer, SecurityPolicy } from "node-opcua";
+import { coercePrivateKeyPem, readCertificate, readCertificatePEM, readPrivateKey } from "node-opcua-crypto";
 import {
+    OPCUAClientFactory,
+    OPCUAProtocolClient,
     OPCUACUserNameAuthenticationScheme,
     OPCUACertificateAuthenticationScheme,
     OPCUAChannelSecurityScheme,
-    Servient,
-    createLoggers,
-} from "@node-wot/core";
-import { InteractionOptions } from "wot-typescript-definitions";
+} from "../src";
 
-import { MessageSecurityMode, OPCUAClient, OPCUAServer, SecurityPolicy } from "node-opcua";
-import { coercePrivateKeyPem, readCertificate, readCertificatePEM, readPrivateKey } from "node-opcua-crypto";
-import { OPCUAClientFactory, OPCUAProtocolClient } from "../src";
 import { startServer } from "./fixture/basic-opcua-server";
 const endpoint = "opc.tcp://localhost:7890";
 
@@ -428,7 +429,6 @@ describe("Testing OPCUA Security Combination", () => {
 
                 const expected = inferExpectedSecurityMode(security);
                 expect(whoAmI).to.eql(expected);
-                // infer expected result from security string
             } finally {
                 await servient.shutdown();
             }

packages/core/src/thing-description.ts

@@ -144,10 +144,7 @@ export type SecurityType =
     | OAuth2SecurityScheme
     | PSKSecurityScheme
     | AllOfSecurityScheme
-    | OneOfSecurityScheme
-    | OPCUAChannelSecurityScheme
-    | OPCUACUserNameAuthenticationScheme
-    | OPCUACertificateAuthenticationScheme;
+    | OneOfSecurityScheme;
 
 export interface SecurityScheme {
     scheme: string;
@@ -196,82 +193,6 @@ export interface AllOfSecurityScheme extends SecurityScheme {
 }
 export type ComboSecurityScheme = AllOfSecurityScheme | OneOfSecurityScheme;
 
-export interface OPCUASecuritySchemeBase extends SecurityScheme, TDT.AdditionalSecurityScheme {
-    scheme: "uav:channel-security" | "uav:authentication";
-}
-
-export type ValidOPCUASecurityPolicy =
-    | "Basic128"
-    | "http://opcfoundation.org/UA/SecurityPolicy#Basic128"
-    | "Basic192"
-    | "http://opcfoundation.org/UA/SecurityPolicy#Basic192"
-    | "Basic192Rsa15"
-    | "http://opcfoundation.org/UA/SecurityPolicy#Basic192Rsa15"
-    | "Basic256Rsa15"
-    | "http://opcfoundation.org/UA/SecurityPolicy#Basic256Rsa15"
-    | "Basic256Sha256"
-    | "http://opcfoundation.org/UA/SecurityPolicy#Basic256Sha256"
-    | "Aes128_Sha256_RsaOaep"
-    | "http://opcfoundation.org/UASecurityPolicy#Aes128_Sha256_RsaOaep"
-    | "Aes256_Sha256_RsaPss"
-    | "http://opcfoundation.org/UA/SecurityPolicy#Aes256_Sha256_RsaPss"
-    | "PubSub_Aes128_CTR"
-    | "http://opcfoundation.org/UA/SecurityPolicy#PubSub_Aes128_CTR"
-    | "PubSub_Aes256_CTR"
-    | "http://opcfoundation.org/UA/SecurityPolicy#PubSub_Aes256_CTR";
-// deprecated  | "Basic128Rsa15" | "http://opcfoundation.org/UA/SecurityPolicy#Basic128Rsa15"
-// deprecated |  "Basic256" | "http://opcfoundation.org/UA/SecurityPolicy#Basic256"
-
-/**
- *
- */
-export interface OPCUASecureSecurityScheme extends OPCUASecuritySchemeBase {
-    scheme: "uav:channel-security";
-    policy: ValidOPCUASecurityPolicy;
-    messageMode: "sign" | "sign_encrypt";
-}
-export interface OPCUAUnsecureChannelScheme extends OPCUASecuritySchemeBase {
-    scheme: "uav:channel-security";
-    policy: never;
-    messageMode: "none";
-}
-
-export type OPCUAChannelSecurityScheme = OPCUASecureSecurityScheme | OPCUAUnsecureChannelScheme;
-export interface OPCUACAuthenticationSchemeBase extends OPCUASecuritySchemeBase {
-    scheme: "uav:authentication";
-    tokenType: "username" | "certificate" | "anonymous";
-}
-
-export interface OPCUACUserNameAuthenticationScheme extends OPCUACAuthenticationSchemeBase {
-    scheme: "uav:authentication";
-    tokenType: "username";
-    userName: string;
-    password?: string;
-}
-export interface OPCUACertificateAuthenticationScheme extends OPCUACAuthenticationSchemeBase {
-    scheme: "uav:authentication";
-    tokenType: "certificate";
-    // the certificate in PEM format
-    //  -----BEGIN CERTIFICATE----
-    //  ...
-    //  -----END CERTIFICATE-----
-    certificate: string;
-    // the private key in PEM format that is associated with the certificate
-    // For instance
-    //  -----BEGIN PRIVATE KEY-----
-    //  ...
-    //  -----END PRIVATE KEY-----
-    privateKey?: string;
-}
-export interface OPCUAAnonymousAuthenticationScheme extends OPCUACAuthenticationSchemeBase {
-    scheme: "uav:authentication";
-    tokenType: "anonymous";
-}
-export type OPCUACAuthenticationScheme =
-    | OPCUAAnonymousAuthenticationScheme
-    | OPCUACertificateAuthenticationScheme
-    | OPCUACUserNameAuthenticationScheme;
-
 /** Implements the Thing Property description */
 export abstract class ThingProperty extends BaseSchema {
     // writable: boolean;