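/**
 * @module node-opcua-address-space
 *
 * Session/authorization context used when the server evaluates a client's
 * rights on an address-space node: role resolution, RolePermissions and
 * AccessRestrictions.
 *
 * This file is declarations only (no runtime code). Everything below that
 * describes *behaviour* is taken from the declarations and their existing
 * comments; anything the declarations cannot establish is marked as an
 * assumption to confirm against the implementation.
 */
/** biome-ignore-all lint/style/useLiteralEnumMembers: still needed */
import type { BaseNode, ISessionBase, ISessionContext, UAObject, UAObjectType } from "node-opcua-address-space-base";
import { type Certificate } from "node-opcua-crypto/web";
import { AccessRestrictionsFlag, PermissionFlag } from "node-opcua-data-model";
import type { PreciseClock } from "node-opcua-date-time";
import { type NodeId, type NodeIdLike } from "node-opcua-nodeid";
import { PermissionType, type RolePermissionType } from "node-opcua-types";
export { PermissionType, RolePermissionType, RolePermissionTypeOptions } from "node-opcua-types";

/**
 * Numeric (namespace 0) NodeId values of the well-known Roles
 * of OPC UA Part 3 §4.8.2 (values assigned in Part 6).
 *
 * Holding one of these values proves nothing by itself: the mapping
 * from a session to its roles is done by the server's role resolution
 * (`IUserManager.getUserRoles`, optionally pre-empted by
 * `IRolePolicyOverride`), and only the result of that resolution
 * should ever feed an authorization decision.
 */
export declare enum WellKnownRoles {
    Anonymous = 15644,
    AuthenticatedUser = 15656,
    ConfigureAdmin = 15716,
    Engineer = 16036,
    Observer = 15668,
    Operator = 15680,
    SecurityAdmin = 15704,
    Supervisor = 15692
}

/**
 * Same members and values as {@link WellKnownRoles}; kept as a separate
 * enum for API compatibility. The two must stay in sync.
 */
export declare enum WellKnownRolesNodeId {
    Anonymous = 15644,
    AuthenticatedUser = 15656,
    ConfigureAdmin = 15716,
    Engineer = 16036,
    Observer = 15668,
    Operator = 15680,
    SecurityAdmin = 15704,
    Supervisor = 15692
}

/**
 * OPC Unified Architecture, Part 3, Release 1.04
 * 4.8.2 Well Known Roles
 *
 * All Servers should support the well-known Roles which are defined in
 * Table 2. The NodeIds for the well-known Roles are defined in Part 6.
 *
 * Table 2 – Well-Known Roles
 * BrowseName        Suggested Permissions
 *
 * Anonymous         The Role has very limited access for use when a Session
 *                   has anonymous credentials.
 * AuthenticatedUser The Role has limited access for use when a Session has
 *                   valid non-anonymous credentials but has not been explicitly
 *                   granted access to a Role.
 * Observer          The Role is allowed to browse, read live data, read
 *                   historical data/events or subscribe to data/events.
 * Operator          The Role is allowed to browse, read live data, read
 *                   historical data/events or subscribe to data/events.
 *                   In addition, the Session is allowed to write some live
 *                   data and call some Methods.
 * Engineer          The Role is allowed to browse, read/write configuration
 *                   data, read historical data/events, call Methods or
 *                   subscribe to data/events.
 * Supervisor        The Role is allowed to browse, read live data, read
 *                   historical data/events, call Methods or subscribe to
 *                   data/events.
 * ConfigureAdmin    The Role is allowed to change the non-security related
 *                   config.
 * SecurityAdmin     The Role is allowed to change security related settings.
 *
 * These are *suggested* permissions; what a given server actually grants
 * is whatever its RolePermissions on each node say.
 */

/**
 * A string holding role names/ids separated by `;`.
 *
 * The name keeps the historical misspelling ("SemiColumn" for
 * "semicolon") because it is part of the public API.
 */
export type WellKnownRolesSemiColumnSeparated = string;

/**
 * Default role-resolution hook of a server.
 */
export interface IUserManager {
    /**
     * Resolve the roles of a user.
     *
     * @param user identifier of the user whose roles are requested
     *             (presumably the name the server associated with the
     *             authenticated session — confirm against the caller)
     * @returns the role NodeIds granted to that user (an array, not a
     *          semicolon-separated string, despite what an older version
     *          of this comment said — the type is authoritative)
     *
     * Optional: what the server falls back to when it is absent is not
     * visible from this declaration.
     */
    getUserRoles?: (user: string) => NodeId[];
}

/**
 * A temporary override for role resolution.
 *
 * When set on the server, `getUserRoles` is called **before** the
 * default `userManager`. Returning a `NodeId[]` overrides the roles;
 * returning `null` falls through to the default resolution.
 *
 * Security notes:
 * - This hook can grant any role to any username, bypassing the
 *   `userManager` entirely; treat installing it as a privileged
 *   operation and leave `rolePolicyOverride` unset/`null` in production.
 * - Return `null`, not `[]`, to fall through: an empty array is a valid
 *   override meaning "no roles at all".
 */
export interface IRolePolicyOverride {
    /**
     * @param username the user being resolved
     * @returns roles to use instead of the default resolution, or `null`
     *          to defer to the `userManager`
     */
    getUserRoles(username: string): NodeId[] | null;
}

/**
 * The subset of the server a SessionContext needs for role resolution.
 */
export interface IServerBase {
    /** default role resolver */
    userManager?: IUserManager;
    /** optional pre-emptive resolver, see {@link IRolePolicyOverride} */
    rolePolicyOverride?: IRolePolicyOverride | null;
}

/**
 * Constructor options for {@link SessionContext}.
 */
export interface SessionContextOptions {
    /** the client session the context is evaluated for */
    session?: ISessionBase;
    /** the object (or object type) the operation targets */
    object?: UAObject | UAObjectType;
    /** the server whose role resolution is used */
    server?: IServerBase;
}

/**
 * Normalize a role specification into an array of role NodeIds.
 *
 * @param roleIds a list of NodeId-like values, a single well-known role,
 *                or a string — presumably the `;`-separated form described
 *                by `WellKnownRolesSemiColumnSeparated` (confirm in the
 *                implementation)
 * @returns the resolved role NodeIds
 */
export declare function makeRoles(roleIds: NodeIdLike[] | string | WellKnownRoles): NodeId[];

/**
 * Evaluation context for permission and access-restriction checks on a node.
 *
 * Polarity of the boolean queries differs, read the names carefully:
 * `isAccessRestricted` / `isBrowseAccessRestricted` return `true` when
 * access is *denied*, whereas `checkPermission` answers whether a requested
 * permission is held.
 */
export declare class SessionContext implements ISessionContext {
    /**
     * A shared, process-wide context.
     *
     * NOTE(review): being shared and static it has no session of its own;
     * confirm which roles it resolves to before using it for anything
     * that is subject to RolePermissions.
     */
    static defaultContext: SessionContext;
    /** the object (or object type) the operation targets, if any */
    object: UAObject | UAObjectType | undefined;
    /** time at which the operation is evaluated, when supplied by the caller */
    currentTime?: PreciseClock;
    /** continuation points owned by this context (browse/history state) */
    continuationPoints: Buffer[];
    /** the client session, absent for server-internal contexts */
    readonly session?: ISessionBase;
    /** the server used for role resolution */
    readonly server?: IServerBase;
    constructor(options?: SessionContextOptions);
    /**
     * The client's application-instance certificate,
     * or `null` if no secure channel is available.
     */
    get clientCertificate(): Certificate | null;
    /**
     * The application URI extracted from the client certificate's
     * SubjectAltName, or `null` if no certificate is available.
     *
     * NOTE(review): this declaration does not say whether the certificate
     * was validated against the server's trust list; only rely on the URI
     * for authorization once the implementation confirms the secure-channel
     * handshake validated the certificate.
     */
    get clientApplicationUri(): string | null;
    /**
     * Plain-object view of the context.
     *
     * The original declaration read `Record` with no type arguments, which
     * is not valid TypeScript; `Record<string, unknown>` is used so callers
     * must narrow the shape before relying on it.
     */
    toJSON(): Record<string, unknown>;
    toString(): string;
    /** the user name associated with the session (form not specified here) */
    getUserName(): string;
    /**
     * getCurrentUserRoles
     *
     * guest   => anonymous user (unauthenticated)
     * default => default authenticated user
     *
     * @returns the roles resolved for the current session, via the server's
     *          `rolePolicyOverride` (if any) and `userManager`
     */
    getCurrentUserRoles(): NodeId[];
    /**
     * @param node the node whose RolePermissions are consulted
     * @returns the RolePermissions that apply to `node`, or `null` when
     *          none are defined for it
     */
    getApplicableRolePermissions(node: BaseNode): RolePermissionType[] | null;
    /**
     * @param node the node being accessed
     * @returns the permission flags the current roles hold on `node`
     */
    getPermissions(node: BaseNode): PermissionFlag;
    /**
     * @param node the node being accessed
     * @returns the AccessRestrictions flags in force for `node`
     */
    getAccessRestrictions(node: BaseNode): AccessRestrictionsFlag;
    /**
     * @param node the node being browsed
     * @returns `true` if the browse is denied (access is restricted)
     */
    isBrowseAccessRestricted(node: BaseNode): boolean;
    /**
     * @param node the node being accessed
     * @returns `true` if the context is access restricted for `node`
     */
    isAccessRestricted(node: BaseNode): boolean;
    /**
     * @param node the node being accessed
     * @param requestedPermission the permission the operation needs
     * @returns presumably `true` when the current roles hold
     *          `requestedPermission` on `node` — confirm polarity in the
     *          implementation before negating the result
     */
    checkPermission(node: BaseNode, requestedPermission: PermissionType): boolean;
    /**
     * @param role a role NodeId (or NodeId-like value)
     * @returns whether `role` is among the current user's resolved roles
     */
    currentUserHasRole(role: NodeIdLike): boolean;
}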