Type of issue

• Bug
• Enhancement
• Compliance
• Question
• Help wanted

Current Behavior

• A single OPC UA server providing a single “NodeManager” that:

  • Creates and exposes the whole address space.
  • Notifies each subscribed client through ClearChangeMasks method.
  • Supports User Authentication and Authorization by checking the UserIdentity.
  • Checks the session identity and sets up the UserAccessLevel property of the Node in the hook OnReadUserAccessLevel.

• Two clients (Client1 and Client2) connected (and subscribed to the same set of variables) to the server with two different users (User1 and User2).

  • User1 doesn’t have the permission to read.
  • User2 has the permission to read.

When Client1 and Client2 subscribe for the first time to the variable changes everything works, meaning that Client1 get an error during the subscription while Client2 can complete the subscription and reads the first value as expected.

When the “NodeManager” calls the ClearChangeMasks method it happens that both Client1 and Clien2 can’t read the just changed value.
Tracking the session acquired by the OnReadUserAccessLevel event handler, it appears empty.
This seems to be since the context passed to the ClearChangeMasks the one referenced by the “NodeNanager” doesn’t have a session in the time of that call.

Expected Behavior

When the “NodeManager” calls the ClearChangeMasks method it is expected that Client1 will still receive an authorization error while Client2 will be able to read the changed value.

Steps To Reproduce

• A single OPC UA server providing a single “NodeManager” that:

  • Creates and exposes the whole address space.
  • Notifies each subscribed client through ClearChangeMasks method.
  • Supports User Authentication and Authorization by checking the UserIdentity.
  • Checks the session identity and sets up the “UserAccessLevel” property of the Node in the hook OnReadUserAccessLevel.

• Two clients (Client1 and Client2) connected (and subscribed to the same set of variables) to the server with two different users (User1 and User2).

  • User1 doesn’t have the permission to read.
  • User2 has the permission to read.

Make the "NodeManager" calls the ClearChangeMasks method on one variable among those both clients are subscribed to, notifying a value change passing as the first argument the instance of "ISystemContext" provided by the "SystemContext" property of the "NodeManager".

Environment

- OS: Windows 10
- Environment: Visual Studio 2019 16.11.33
- Runtime: .NET Framework 4.8
- Nuget Version: 1.5.364.36
- Component: Opc.Ua.Server
- Server: Quickstarts.UserAuthenticationServer
- Client: UA Expert

Anything else?

I tried to fix the lack of session changing the context passed to the ClearChangeMasks method by looping through all available session. To do this I got the list of active session from the referenced “SessionManager” and, for each of them I created a copy of “SytemContext” providing it a new instance of “OperationContext” including the session and I passed the new context to the ClearChangeMasks.

As a result, when the “NodeManager” triggers the ClearChangeMasks it happens that both Client1 and Client2 can or can’t read depending on which was the first session connected.
Tracking the session acquired by the OnReadUserAccessLevel event handler, it appears that the identity included in it is always the one of the first session connected.

Thus, I thoroughly analyzed and debugged the library and I found a possible solution to this bug which involves a fix to the "Opc.Ua.Server" library.