node-opcua-server-configuration 2.163.1 → 2.165.0

package/source/server/file_transaction_manager.ts

@@ -0,0 +1,253 @@
+/**
+ * @module node-opcua-server-configuration-server
+ */
+
+import crypto from "node:crypto";
+import fs from "node:fs";
+import os from "node:os";
+import path from "node:path";
+import { make_debugLog, make_errorLog, make_warningLog } from "node-opcua-debug";
+
+const debugLog = make_debugLog("ServerConfiguration");
+const errorLog = make_errorLog("ServerConfiguration");
+const warningLog = make_warningLog("ServerConfiguration");
+
+type Functor = () => Promise<void>;
+
+async function _copyFile(source: string, dest: string): Promise<void> {
+    try {
+        debugLog("copying file \n source ", source, "\n =>\n dest ", dest);
+        const sourceExist = fs.existsSync(source);
+        if (sourceExist) {
+            await fs.promises.copyFile(source, dest);
+        }
+    } catch (err) {
+        errorLog(err);
+    }
+}
+
+async function _deleteFile(file: string): Promise<void> {
+    try {
+        const exists = fs.existsSync(file);
+        if (exists) {
+            debugLog("deleting file ", file);
+            await fs.promises.unlink(file);
+        }
+    } catch (err) {
+        errorLog(err);
+    }
+}
+
+async function _moveFile(source: string, dest: string): Promise<void> {
+    debugLog("moving file file \n source ", source, "\n =>\n dest ", dest);
+    try {
+        await _copyFile(source, dest);
+        await _deleteFile(source);
+    } catch (err) {
+        errorLog(err);
+    }
+}
+
+async function _moveFileWithBackup(source: string, dest: string, backupPath: string): Promise<void> {
+    // let make a copy of the destination file
+    debugLog("moveFileWithBackup file \n source ", source, "\n =>\n dest ", dest);
+    await _copyFile(dest, backupPath);
+    await _moveFile(source, dest);
+}
+
+export class FileTransactionManager {
+    readonly #pendingFileOps: Functor[] = [];
+    readonly #cleanupTasks: Functor[] = [];
+    readonly #backupFiles: Map<string, string> = new Map();
+    #tmpdir?: string;
+
+    /**
+     * Gets or initializes the underlying temporary directory for the transaction.
+     */
+    public async getTmpDir(): Promise<string> {
+        if (!this.#tmpdir) {
+            const tempBase = path.join(os.tmpdir(), "node-opcua-tx-");
+            this.#tmpdir = await fs.promises.mkdtemp(tempBase);
+        }
+        return this.#tmpdir;
+    }
+
+    /**
+     * Stages a file for writing during the transaction.
+     * Writes the content to a temporary location and registers
+     * a move operation to atomically place it at destinationPath upon applyFileOps().
+     */
+    public async stageFile(destinationPath: string, content: Buffer | string, encoding?: BufferEncoding): Promise<void> {
+        // ensure tmpdir exists
+        const tmpDir = await this.getTmpDir();
+
+        const uniqueFileName = `${crypto.randomBytes(16).toString("hex")}.tmp`;
+        const tempFilePath = path.join(tmpDir, uniqueFileName);
+
+        if (encoding) {
+            await fs.promises.writeFile(tempFilePath, content as string, encoding);
+        } else {
+            await fs.promises.writeFile(tempFilePath, content);
+        }
+
+        this.addFileOp(() => this.#moveFileWithBackupTracked(tempFilePath, destinationPath));
+    }
+
+    public addFileOp(functor: Functor): void {
+        this.#pendingFileOps.push(functor);
+    }
+
+    public addCleanupTask(functor: Functor): void {
+        this.#cleanupTasks.push(functor);
+    }
+
+    public get pendingTasksCount(): number {
+        return this.#pendingFileOps.length;
+    }
+
+    /**
+     * Abort the current transaction by clearing pending file operations
+     * and deleting the temporary staging folder.
+     */
+    public async abortTransaction(): Promise<void> {
+        this.#pendingFileOps.length = 0;
+        await this.#executeCleanupTasks();
+        await this.#cleanupTempFolder();
+    }
+
+    /**
+     * Move file with backup and track the backup for potential rollback.
+     * This method creates a backup of the destination file and tracks it
+     * so it can be restored if the transaction fails.
+     */
+    async #moveFileWithBackupTracked(source: string, dest: string): Promise<void> {
+        const tmpDir = await this.getTmpDir();
+        const uniqueFileName = `${crypto.randomBytes(16).toString("hex")}_backup.tmp`;
+        const backupPath = path.join(tmpDir, uniqueFileName);
+
+        // Track the backup before creating it
+        this.#backupFiles.set(dest, backupPath);
+
+        // Perform the actual move with backup
+        await _moveFileWithBackup(source, dest, backupPath);
+    }
+
+    /**
+     * Commit the transaction by executing all pending file operations.
+     */
+    public async applyFileOps(): Promise<void> {
+        debugLog("start applyFileOps");
+        const fileOperation = this.#pendingFileOps.splice(0);
+
+        try {
+            while (fileOperation.length) {
+                const op = fileOperation.shift();
+                await op?.();
+            }
+            debugLog("end applyFileOps");
+
+            // Transaction successful - clean up backup files
+            await this.#cleanupBackupFiles();
+            await this.#executeCleanupTasks();
+            await this.#cleanupTempFolder();
+        } catch (err) {
+            errorLog("Error during applyFileOps:", (err as Error).message);
+            errorLog("Rolling back transaction to restore previous certificate state");
+
+            // Rollback: restore all backup files to their original locations
+            try {
+                await this.#rollbackTransaction();
+                debugLog("Transaction rollback successful");
+            } catch (rollbackErr) {
+                errorLog("Critical: Rollback failed:", (rollbackErr as Error).message);
+                errorLog("Certificate state may be inconsistent - manual intervention required");
+            }
+
+            // Clear backup tracking after rollback
+            this.#backupFiles.clear();
+            await this.#executeCleanupTasks();
+            await this.#cleanupTempFolder();
+
+            throw err;
+        }
+    }
+
+    /**
+     * Rollback the transaction by restoring all backup files.
+     * This restores files from their *_old backups to recover the previous state.
+     */
+    async #rollbackTransaction(): Promise<void> {
+        debugLog("Rolling back transaction, restoring", this.#backupFiles.size, "backup files");
+
+        const rollbackPromises: Promise<void>[] = [];
+
+        for (const [dest, backupPath] of this.#backupFiles.entries()) {
+            rollbackPromises.push(
+                (async () => {
+                    try {
+                        // Check if backup exists before trying to restore
+                        if (fs.existsSync(backupPath)) {
+                            debugLog("Restoring backup:", backupPath, "to", dest);
+                            await _copyFile(backupPath, dest);
+                            // Delete backup immediately after restoration
+                            await _deleteFile(backupPath);
+                        }
+                    } catch (err) {
+                        errorLog("Error restoring backup file", backupPath, "to", dest, ":", (err as Error).message);
+                    }
+                })()
+            );
+        }
+
+        await Promise.all(rollbackPromises);
+        debugLog("Transaction rollback completed");
+    }
+
+    /**
+     * Clean up backup files after successful transaction.
+     * Removes all *_old backup files that were created during the transaction.
+     */
+    async #cleanupBackupFiles(): Promise<void> {
+        debugLog("Cleaning up", this.#backupFiles.size, "backup files");
+
+        const cleanupPromises: Promise<void>[] = [];
+
+        for (const backupPath of this.#backupFiles.values()) {
+            cleanupPromises.push(
+                _deleteFile(backupPath).catch((err) => {
+                    warningLog("Failed to delete backup file", backupPath, ":", err);
+                })
+            );
+        }
+
+        await Promise.all(cleanupPromises);
+        this.#backupFiles.clear();
+    }
+
+    /**
+     * Clean up the temporary transaction folder.
+     */
+    async #cleanupTempFolder(): Promise<void> {
+        if (this.#tmpdir) {
+            try {
+                await fs.promises.rm(this.#tmpdir, { recursive: true, force: true });
+            } catch (err) {
+                warningLog("Failed to delete temporary transaction folder", this.#tmpdir, ":", err);
+            } finally {
+                this.#tmpdir = undefined;
+            }
+        }
+    }
+
+    async #executeCleanupTasks(): Promise<void> {
+        debugLog("Executing cleanup tasks");
+        const tasks = this.#cleanupTasks.splice(0);
+        for (const task of tasks) {
+            try {
+                await task();
+            } catch (err) {
+                errorLog("Error during cleanup task:", (err as Error).message);
+            }
+        }
+    }
+}

package/source/server/install_certificate_file_watcher.ts

@@ -1,6 +1,6 @@
-import fs from "fs";
-import path from "path";
-import { UAObject } from "node-opcua-address-space-base";
+import fs from "node:fs";
+import path from "node:path";
+import type { UAObject } from "node-opcua-address-space-base";
 import { make_debugLog } from "node-opcua-debug";
 
 const debugLog = make_debugLog("ServerConfiguration");
@@ -10,15 +10,19 @@ export interface ChangeDetector {
 }
 export function installCertificateFileWatcher(node: UAObject, certificateFile: string): ChangeDetector {
     const fileToWatch = path.basename(certificateFile);
-    const fsWatcher = fs.watch(path.dirname(certificateFile), { persistent: false }, (eventType: "rename" | "change", filename) => {
-        /** */
-        if (filename === fileToWatch) {
-            debugLog("filename changed = ", filename, fileToWatch);
-            node.emit("certificateChange");
+    const fsWatcher = fs.watch(
+        path.dirname(certificateFile),
+        { persistent: false },
+        (_eventType: "rename" | "change", filename) => {
+            /** */
+            if (filename === fileToWatch) {
+                debugLog("filename changed = ", filename, fileToWatch);
+                node.emit("certificateChange");
+            }
         }
-    });
-    const addressSpace = node.addressSpace!;
-    addressSpace.registerShutdownTask(() => {
+    );
+    const addressSpace = node.addressSpace;
+    addressSpace?.registerShutdownTask(() => {
         fsWatcher.close();
     });
     return node as unknown as ChangeDetector;

package/source/server/install_push_certitifate_management.ts

@@ -1,31 +1,24 @@
 /**
  * @module node-opcua-server-configuration-server
  */
-import fs from "fs";
-import os from "os";
-import path from "path";
+import fs from "node:fs";
+import path from "node:path";
 
-import { types } from "util";
 import chalk from "chalk";
 
-import { UAServerConfiguration, AddressSpace } from "node-opcua-address-space";
+import type { AddressSpace, UAServerConfiguration } from "node-opcua-address-space";
 import { assert } from "node-opcua-assert";
-import { OPCUACertificateManager } from "node-opcua-certificate-manager";
-import {
-    Certificate,
-    convertPEMtoDER,
-    PrivateKey,
-    split_der
-} from "node-opcua-crypto/web";
+import type { OPCUACertificateManager } from "node-opcua-certificate-manager";
+import type { ICertificateKeyPairProviderPriv } from "node-opcua-common";
 import { readPrivateKey } from "node-opcua-crypto";
+import { type Certificate, convertPEMtoDER, type PrivateKey, split_der } from "node-opcua-crypto/web";
 import { checkDebugFlag, make_debugLog, make_errorLog } from "node-opcua-debug";
-import { getFullyQualifiedDomainName } from "node-opcua-hostname";
-import { ICertificateKeyPairProviderPriv } from "node-opcua-common";
-import { OPCUAServer, OPCUAServerEndPoint } from "node-opcua-server";
-import { ApplicationDescriptionOptions } from "node-opcua-types";
+import { getFullyQualifiedDomainName, getIpAddresses } from "node-opcua-hostname";
+import type { OPCUAServer, OPCUAServerEndPoint } from "node-opcua-server";
+import type { ApplicationDescriptionOptions } from "node-opcua-types";
 
-import { installPushCertificateManagement } from "./push_certificate_manager_helpers";
-import { ActionQueue, PushCertificateManagerServerImpl } from "./push_certificate_manager_server_impl";
+import { installPushCertificateManagement } from "./push_certificate_manager_helpers.js";
+import type { ActionQueue, PushCertificateManagerServerImpl } from "./push_certificate_manager_server_impl.js";
 
 // node 14 onward : import {  readFile } from "fs/promises";
 const { readFile } = fs.promises;
@@ -33,7 +26,6 @@ const { readFile } = fs.promises;
 const debugLog = make_debugLog("ServerConfiguration");
 const errorLog = make_errorLog("ServerConfiguration");
 const doDebug = checkDebugFlag("ServerConfiguration");
-doDebug;
 
 export interface OPCUAServerPartial extends ICertificateKeyPairProviderPriv {
     serverInfo?: ApplicationDescriptionOptions;
@@ -51,7 +43,7 @@ function getCertificate(this: OPCUAServerPartial): Certificate {
         const certificateChain = getCertificateChain.call(this);
         this.$$certificate = split_der(certificateChain)[0];
     }
-    return this.$$certificate!;
+    return this.$$certificate;
 }
 
 function getCertificateChain(this: OPCUAServerPartial): Certificate {
@@ -62,41 +54,29 @@ function getCertificateChain(this: OPCUAServerPartial): Certificate {
 }
 
 function getPrivateKey(this: OPCUAServerPartial): PrivateKey {
-    // istanbul ignore next
+    // c8 ignore next
     if (!this.$$privateKey) {
         throw new Error("internal Error. cannot find $$privateKey");
     }
     return this.$$privateKey;
 }
 
-async function getIpAddresses(): Promise<string[]> {
-    const ipAddresses: string[] = [];
-    const netInterfaces = os.networkInterfaces();
-    for (const interfaceName of Object.keys(netInterfaces)) {
-        if (!netInterfaces[interfaceName]) {
-            continue;
-        }
-        for (const interFace of netInterfaces[interfaceName]!) {
-            if ("IPv4" !== interFace.family || interFace.internal !== false) {
-                // skip over internal (i.e. 127.0.0.1) and non-ipv4 addresses
-                continue;
-            }
-            ipAddresses.push(interFace.address);
-        }
-    }
-    return ipAddresses;
-}
+
 
 /**
  *
  */
 async function install(this: OPCUAServerPartial): Promise<void> {
-    debugLog("install push certificate management", this.serverCertificateManager.rootDir);
+    doDebug && debugLog("install push certificate management", this.serverCertificateManager.rootDir);
 
-    (this as any).__defineGetter__("privateKeyFile", () => this.serverCertificateManager.privateKey);
-    (this as any).__defineGetter__("certificateFile", () =>
-        path.join(this.serverCertificateManager.rootDir, "own/certs/certificate.pem")
-    );
+    Object.defineProperty(this, "privateKeyFile", {
+        get: () => this.serverCertificateManager.privateKey,
+        configurable: true
+    });
+    Object.defineProperty(this, "certificateFile", {
+        get: () => path.join(this.serverCertificateManager.rootDir, "own/certs/certificate.pem"),
+        configurable: true
+    });
 
     if (!this.$$privateKey) {
         this.$$privateKey = readPrivateKey(this.serverCertificateManager.privateKey);
@@ -112,7 +92,7 @@ async function install(this: OPCUAServerPartial): Promise<void> {
             const fqdn = await getFullyQualifiedDomainName();
             const ipAddresses = await getIpAddresses();
 
-            const applicationUri = (this.serverInfo ? this.serverInfo!.applicationUri! : null) || "uri:MISSING";
+            const applicationUri = (this.serverInfo ? this.serverInfo.applicationUri : null) || "uri:MISSING";
 
             const options = {
                 applicationUri,
@@ -120,7 +100,7 @@ async function install(this: OPCUAServerPartial): Promise<void> {
                 dns: [fqdn],
                 ip: ipAddresses,
 
-                subject: "/CN=" + applicationUri + ";/L=Paris",
+                subject: `/CN=${applicationUri};/L=Paris`,
 
                 startDate: new Date(),
 
@@ -130,7 +110,7 @@ async function install(this: OPCUAServerPartial): Promise<void> {
                 outputFile: certificateFile
             };
 
-            debugLog("creating self signed certificate", options);
+            doDebug && debugLog("creating self signed certificate", options);
             await this.serverCertificateManager.createSelfSignedCertificate(options);
         }
         const certificatePEM = await readFile(certificateFile, "utf8");
@@ -154,9 +134,9 @@ function getPrivateKeyEP(this: OPCUAServerEndPoint): PrivateKey {
 }
 
 async function onCertificateAboutToChange(server: OPCUAServer) {
-    debugLog(chalk.yellow(" onCertificateAboutToChange => Suspending End points"));
+    doDebug && debugLog(chalk.yellow(" onCertificateAboutToChange => Suspending End points"));
     await server.suspendEndPoints();
-    debugLog(chalk.yellow(" onCertificateAboutToChange => End points suspended"));
+    doDebug && debugLog(chalk.yellow(" onCertificateAboutToChange => End points suspended"));
 }
 
 /**
@@ -169,9 +149,9 @@ async function onCertificateAboutToChange(server: OPCUAServer) {
  * @param server
  */
 async function onCertificateChange(server: OPCUAServer) {
-    debugLog("on CertificateChanged");
+    doDebug && debugLog("on CertificateChanged");
 
-    const _server = server as any as OPCUAServerPartial;
+    const _server = server as unknown as OPCUAServerPartial;
 
     _server.$$privateKey = readPrivateKey(server.serverCertificateManager.privateKey);
     const certificateFile = path.join(server.serverCertificateManager.rootDir, "own/certs/certificate.pem");
@@ -188,19 +168,17 @@ async function onCertificateChange(server: OPCUAServer) {
 
     setTimeout(async () => {
         try {
-            debugLog(chalk.yellow(" onCertificateChange => shutting down channels"));
+            doDebug && debugLog(chalk.yellow(" onCertificateChange => shutting down channels"));
             await server.shutdownChannels();
-            debugLog(chalk.yellow(" onCertificateChange => channels shut down"));
+            doDebug && debugLog(chalk.yellow(" onCertificateChange => channels shut down"));
 
-            debugLog(chalk.yellow(" onCertificateChange => resuming end points"));
+            doDebug && debugLog(chalk.yellow(" onCertificateChange => resuming end points"));
             await server.resumeEndPoints();
-            debugLog(chalk.yellow(" onCertificateChange => end points resumed"));
+            doDebug && debugLog(chalk.yellow(" onCertificateChange => end points resumed"));
 
             debugLog(chalk.yellow("channels have been closed -> client should reconnect "));
         } catch (err) {
-            if (types.isNativeError(err)) {
-                errorLog("Error in CertificateChanged handler ", err.message);
-            }
+            errorLog("Error in CertificateChanged handler ", (err as Error).message);
             debugLog("err = ", err);
         }
     }, 2000);
@@ -209,6 +187,12 @@ async function onCertificateChange(server: OPCUAServer) {
 interface UAServerConfigurationEx extends UAServerConfiguration {
     $pushCertificateManager: PushCertificateManagerServerImpl;
 }
+
+type OPCUAServerEndPointEx = typeof OPCUAServerEndPoint & {
+    _certificateChain: Buffer | null;
+    _privateKey: PrivateKey | null;
+};
+
 export async function installPushCertificateManagementOnServer(server: OPCUAServer): Promise<void> {
     if (!server.engine || !server.engine.addressSpace) {
         throw new Error(
@@ -216,14 +200,14 @@ export async function installPushCertificateManagementOnServer(server: OPCUAServ
                 "you need to call installPushCertificateManagementOnServer after server has been initialized"
         );
     }
-    await install.call(server as any as OPCUAServerPartial);
+    await install.call(server as unknown as OPCUAServerPartial);
 
     server.getCertificate = getCertificate;
     server.getCertificateChain = getCertificateChain;
     server.getPrivateKey = getPrivateKey;
 
     for (const endpoint of server.endpoints) {
-        const endpointPriv = endpoint as any;
+        const endpointPriv: OPCUAServerEndPointEx = endpoint as unknown as OPCUAServerEndPointEx;
         endpointPriv._certificateChain = null;
         endpointPriv._privateKey = null;
 
@@ -231,9 +215,9 @@ export async function installPushCertificateManagementOnServer(server: OPCUAServ
         endpoint.getPrivateKey = getPrivateKeyEP;
 
         for (const e of endpoint.endpointDescriptions()) {
-            // e.serverCertificate = null;
-            (e as any).__defineGetter__("serverCertificate", function (this: any) {
-                return endpoint.getCertificate();
+            Object.defineProperty(e, "serverCertificate", {
+                get: () => endpoint.getCertificate(),
+                configurable: true
             });
         }
     }
@@ -242,25 +226,25 @@ export async function installPushCertificateManagementOnServer(server: OPCUAServ
         applicationGroup: server.serverCertificateManager,
         userTokenGroup: server.userCertificateManager,
 
-        applicationUri: server.serverInfo.applicationUri! || "InvalidURI"
+        applicationUri: server.serverInfo.applicationUri || "InvalidURI"
     });
 
-    const serverConfiguration = server.engine.addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration")!;
+    const serverConfiguration = server.engine.addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration");
     const serverConfigurationPriv = serverConfiguration as UAServerConfigurationEx;
     assert(serverConfigurationPriv.$pushCertificateManager);
 
     serverConfigurationPriv.$pushCertificateManager.on("CertificateAboutToChange", (actionQueue: ActionQueue) => {
         actionQueue.push(async (): Promise<void> => {
-            debugLog("CertificateAboutToChange Event received");
+            doDebug && debugLog("CertificateAboutToChange Event received");
             await onCertificateAboutToChange(server);
-            debugLog("CertificateAboutToChange Event processed");
+            doDebug && debugLog("CertificateAboutToChange Event processed");
         });
     });
     serverConfigurationPriv.$pushCertificateManager.on("CertificateChanged", (actionQueue: ActionQueue) => {
         actionQueue.push(async (): Promise<void> => {
-            debugLog("CertificateChanged Event received");
+            doDebug && debugLog("CertificateChanged Event received");
             await onCertificateChange(server);
-            debugLog("CertificateChanged Event processed");
+            doDebug && debugLog("CertificateChanged Event processed");
         });
     });
 }