SY-3801: Fix Anonymous Auth on Encrypted OPC UA Connections (#2031)

SY-3801: Fix Anonymous Auth on Encrypted OPC UA Connections

Author: sy-nico

.github/PULL_REQUEST_TEMPLATE/rc.md

@@ -402,7 +402,6 @@ I can successfully:
 
 - [ ] Enable and disable OPC UA integration when starting the server.
 - [ ] Connect to and read data from a physical device.
-- [ ] Connect to an encrypted OPC UA server (Write and Read).
 
 ### Modbus
 

alamos/py/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "alamos"
-version = "0.52.2"
+version = "0.52.3"
 authors = [{ name = "Emiliano Bonilla", email = "ebonilla@synnaxlabs.com" }]
 requires-python = ">=3.10,<4"
 dependencies = [

alamos/ts/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@synnaxlabs/alamos",
-  "version": "0.52.2",
+  "version": "0.52.3",
   "type": "module",
   "description": "Distributed instrumentation for Synnax",
   "repository": "https://github.com/synnaxlabs/synnax/tree/main/freighter/ts",

client/py/examples/opcua/README.md

@@ -22,7 +22,23 @@ Follow these scripts in order:
 If you don't have a real OPC UA server, start the included test server:
 
 ```bash
-uv run python examples/opcua/server.py
+uv run python -m examples.opcua.server
+```
+
+To start a TLS-encrypted server (Basic256Sha256, port 4842):
+
+```bash
+uv run python -m examples.opcua.server --tls
+```
+
+To start a TLS-encrypted server with username/password authentication (port 4843):
+
+```python
+from examples.opcua import OPCUATLSAuthSim
+import synnax as sy
+
+sim = OPCUATLSAuthSim(rate=50 * sy.Rate.HZ)
+sim.start()
 ```
 
 This server simulates:
@@ -33,8 +49,8 @@ This server simulates:
 - **Boolean variables** (my_bool_0, my_bool_1): Square wave patterns
 - **Command variables** (command_0, command_1, command_2): Writable float values
 
-The server runs on `opc.tcp://127.0.0.1:4841/` by default and prints node IDs on
-startup.
+The server runs on `opc.tcp://127.0.0.1:4841/` by default (port 4842 with `--tls`, port
+4843 for TLS with username/password) and prints node IDs on startup.
 
 ### 2. Connect Your OPC UA Server
 
@@ -44,24 +60,40 @@ Register your OPC UA server with Synnax:
 uv run python examples/opcua/connect_server.py
 ```
 
+To connect a TLS-encrypted server (Basic256Sha256, port 4842):
+
+```bash
+uv run python examples/opcua/connect_server.py --tls
+```
+
+To connect a TLS-encrypted server with username/password auth (port 4843):
+
+```bash
+uv run python examples/opcua/connect_server.py --tls-auth
+```
+
 This script will:
 
 - Check if the server is already registered
 - Register the server with the embedded Synnax rack
-- Set up the server configuration
+- Set up the server configuration (including security settings and credentials)
 
 **Configuration**: Edit the constants at the top of `connect_server.py` to match your
 server:
 
-- `DEVICE_NAME`: A friendly name for your OPC UA server
-- `ENDPOINT`: OPC UA endpoint URL (e.g., `opc.tcp://127.0.0.1:4841/`)
+- `PLAIN_DEVICE_NAME` / `TLS_DEVICE_NAME` / `TLS_AUTH_DEVICE_NAME`: Friendly names for
+  your OPC UA servers
+- `PLAIN_ENDPOINT` / `TLS_ENDPOINT` / `TLS_AUTH_ENDPOINT`: OPC UA endpoint URLs
+- `TLS_AUTH_USERNAME` / `TLS_AUTH_PASSWORD`: Credentials for username/password auth
 
 ### 3. Read Float Data from OPC UA Nodes
 
 Read scalar float values from the server:
 
 ```bash
 uv run python examples/opcua/read_task.py
+uv run python examples/opcua/read_task.py --tls
+uv run python examples/opcua/read_task.py --tls-auth
 ```
 
 This example:
@@ -74,14 +106,16 @@ This example:
 **What you'll see**: Real-time sine wave values from my_float_0 and my_float_1.
 
 **Node IDs**: The example uses node IDs like `NS=2;I=8` to identify OPC UA variables.
-These IDs are printed by `server_extended.py` on startup.
+These IDs are printed by `server.py` on startup.
 
 ### 4. Read Array Data from OPC UA Nodes
 
 Read array data in high-performance array mode:
 
 ```bash
 uv run python examples/opcua/read_task_array.py
+uv run python examples/opcua/read_task_array.py --tls
+uv run python examples/opcua/read_task_array.py --tls-auth
 ```
 
 This example:
@@ -103,6 +137,8 @@ Read boolean (digital) values from the server:
 
 ```bash
 uv run python examples/opcua/read_task_boolean.py
+uv run python examples/opcua/read_task_boolean.py --tls
+uv run python examples/opcua/read_task_boolean.py --tls-auth
 ```
 
 This example:
@@ -122,6 +158,8 @@ Send commands to writable OPC UA nodes:
 
 ```bash
 uv run python examples/opcua/write_task.py
+uv run python examples/opcua/write_task.py --tls
+uv run python examples/opcua/write_task.py --tls-auth
 ```
 
 This example:
@@ -142,6 +180,8 @@ When finished, remove the server registration:
 
 ```bash
 uv run python examples/opcua/delete_server.py
+uv run python examples/opcua/delete_server.py --tls
+uv run python examples/opcua/delete_server.py --tls-auth
 ```
 
 This will remove the server and all associated tasks from Synnax.
@@ -232,8 +272,40 @@ OPC UA supports various security policies:
 - **Aes128-Sha256-RsaOaep**: High security
 - **Aes256-Sha256-RsaPss**: Highest security
 
-**Note**: The current examples use `SecurityPolicy.None` for simplicity. For production
-deployments, configure security in `device_props()`.
+### TLS Test Server
+
+The included test server supports TLS encryption via the `OPCUATLSSim` class, which runs
+on port 4842 with `Basic256Sha256_SignAndEncrypt`. Self-signed certificates for both
+server and client are generated automatically under `examples/opcua/certificates/`.
+
+```python
+from examples.opcua import OPCUATLSSim
+
+sim = OPCUATLSSim()
+sim.start()   # Starts TLS server on opc.tcp://127.0.0.1:4842/
+sim.stop()
+```
+
+### TLS Test Server with Username/Password
+
+The `OPCUATLSAuthSim` class adds username/password authentication on top of TLS
+encryption. It runs on port 4843 with `Basic256Sha256_SignAndEncrypt` and requires
+credentials (`testuser` / `testpass`).
+
+```python
+from examples.opcua import OPCUATLSAuthSim
+
+sim = OPCUATLSAuthSim()
+sim.start()   # Starts on opc.tcp://127.0.0.1:4843/
+sim.stop()
+```
+
+All three server variants expose the same full set of variables (floats, bools, arrays,
+commands, timestamps).
+
+**Note**: The default `OPCUASim` uses no encryption for simplicity. For production
+deployments, configure security mode, policy, and credentials when registering the
+device.
 
 ## Sample Rates
 

client/py/examples/opcua/__init__.py

@@ -7,8 +7,18 @@
 #  License, use of this software will be governed by the Apache License, Version 2.0,
 #  included in the file licenses/APL.txt.
 
-"""OPC UA example package."""
+"""OPC UA example package.
 
-from .server import OPCUASim, run_server
+Lazy imports avoid the RuntimeWarning when running
+``python -m examples.opcua.server``.
+"""
 
-__all__ = ["run_server", "OPCUASim"]
+__all__ = ["run_server", "OPCUASim", "OPCUATLSSim", "OPCUATLSAuthSim"]
+
+
+def __getattr__(name: str):
+    if name in __all__:
+        from . import server
+
+        return getattr(server, name)
+    raise AttributeError(f"module {__name__!r} has no attribute {name!r}")

client/py/examples/opcua/connect_server.py

@@ -17,26 +17,68 @@
 1. Start the Synnax Driver (if not already running).
 
 2. Start the OPC UA test server:
-   uv run python driver/opc/dev/server_extended.py
+   uv run python -m examples.opcua.server
+
+   For a TLS-encrypted server:
+   uv run python -m examples.opcua.server --tls
 
 3. Login to Synnax (if not already logged in):
    uv run sy login
 
 4. Run this script:
-   uv run python examples/opcua/connect_opc_server.py
+   uv run python examples/opcua/connect_server.py
+
+   For a TLS-encrypted server:
+   uv run python examples/opcua/connect_server.py --tls
 
 Configuration:
     Modify the constants below to match your OPC UA server configuration.
 """
 
-import json
-from uuid import uuid4
+import argparse
+from pathlib import Path
 
 import synnax as sy
 
-# Configuration
-DEVICE_NAME = "OPC UA Server"
-ENDPOINT = "opc.tcp://127.0.0.1:4841/"
+# Certificate directory (auto-generated by the encrypted test server)
+CERT_DIR = Path(__file__).parent / "certificates"
+
+# Plain server config
+PLAIN_DEVICE_NAME = "OPC UA Server"
+PLAIN_ENDPOINT = "opc.tcp://127.0.0.1:4841/"
+
+# TLS-encrypted server config
+TLS_DEVICE_NAME = "OPC UA TLS Server"
+TLS_ENDPOINT = "opc.tcp://127.0.0.1:4842/"
+
+# TLS-encrypted + username/password server config
+TLS_AUTH_DEVICE_NAME = "OPC UA TLS Auth Server"
+TLS_AUTH_ENDPOINT = "opc.tcp://127.0.0.1:4843/"
+TLS_AUTH_USERNAME = "testuser"
+TLS_AUTH_PASSWORD = "testpass"
+
+parser = argparse.ArgumentParser(description="Connect an OPC UA server to Synnax")
+parser.add_argument(
+    "--tls",
+    action="store_true",
+    help="Connect to the TLS-encrypted server (port 4842)",
+)
+parser.add_argument(
+    "--tls-auth",
+    action="store_true",
+    help="Connect to the TLS-encrypted server with username/password (port 4843)",
+)
+args = parser.parse_args()
+
+if args.tls_auth:
+    DEVICE_NAME = TLS_AUTH_DEVICE_NAME
+    ENDPOINT = TLS_AUTH_ENDPOINT
+elif args.tls:
+    DEVICE_NAME = TLS_DEVICE_NAME
+    ENDPOINT = TLS_ENDPOINT
+else:
+    DEVICE_NAME = PLAIN_DEVICE_NAME
+    ENDPOINT = PLAIN_ENDPOINT
 
 # Connect to Synnax
 client = sy.Synnax()
@@ -46,6 +88,10 @@
 print("=" * 70)
 print(f"Target Device Name: {DEVICE_NAME}")
 print(f"Endpoint: {ENDPOINT}")
+if args.tls_auth:
+    print("Security: Basic256Sha256 SignAndEncrypt + Username/Password")
+elif args.tls:
+    print("Security: Basic256Sha256 SignAndEncrypt")
 print()
 
 # Check if device already exists
@@ -81,21 +127,40 @@
         rack = client.racks.retrieve_embedded_rack()
         print(f"Using rack: {rack.name} (key={rack.key})")
 
-        # Create the device with proper connection properties
-        device = sy.opcua.Device(
-            endpoint=ENDPOINT,
-            name=DEVICE_NAME,
-            location=ENDPOINT,
-            rack=rack.key,
-        )
-
+        # Build device kwargs
+        device_kwargs: dict = {
+            "endpoint": ENDPOINT,
+            "name": DEVICE_NAME,
+            "location": ENDPOINT,
+            "rack": rack.key,
+        }
+
+        if args.tls_auth or args.tls:
+            device_kwargs.update(
+                security_mode="SignAndEncrypt",
+                security_policy="Basic256Sha256",
+                server_cert=str(CERT_DIR / "server-certificate.der"),
+                client_cert=str(CERT_DIR / "client-certificate.der"),
+                client_private_key=str(CERT_DIR / "client-private-key.pem"),
+            )
+        if args.tls_auth:
+            device_kwargs.update(
+                username=TLS_AUTH_USERNAME,
+                password=TLS_AUTH_PASSWORD,
+            )
+
+        device = sy.opcua.Device(**device_kwargs)
         created_device = client.devices.create(device)
 
         print("✓ Device connected successfully!")
         print(f"  - Name: {created_device.name}")
         print(f"  - Key: {created_device.key}")
         print(f"  - Location: {created_device.location}")
         print(f"  - Rack: {rack.name}")
+        if args.tls_auth:
+            print("  - Security: Basic256Sha256 SignAndEncrypt + Username/Password")
+        elif args.tls:
+            print("  - Security: Basic256Sha256 SignAndEncrypt")
         print()
         print("Device is ready to use.")
         print("=" * 70)
@@ -116,5 +181,11 @@
     print(f"   - Name: {DEVICE_NAME}")
     print(f"   - Endpoint: {ENDPOINT}")
     print("   - Make: opc")
+    if args.tls:
+        print("   - Security Mode: SignAndEncrypt")
+        print("   - Security Policy: Basic256Sha256")
+        print(f"   - Server Certificate: {CERT_DIR / 'server-certificate.der'}")
+        print(f"   - Client Certificate: {CERT_DIR / 'client-certificate.der'}")
+        print(f"   - Client Private Key: {CERT_DIR / 'client-private-key.pem'}")
     print("=" * 70)
     exit(1)