npm - node-opcua-server-configuration - Versions diffs - 2.70.2 → 2.72.0 - Mend

node-opcua-server-configuration 2.70.2 → 2.72.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (29) hide show

package/source/server/push_certificate_manager_helpers.ts CHANGED Viewed

@@ -1,35 +1,46 @@
 /**
  * @module node-opcua-server-configuration
  */
-import { callbackify } from "util";
+import * as path from "path";
+import * as fs from "fs";
 import {
     AddressSpace,
     SessionContext,
     UAMethod,
     UATrustList,
-    UAObject,
-    UAVariable,
     UAServerConfiguration,
-    ISessionContext
+    ISessionContext,
+    UACertificateGroup,
+    UACertificateExpirationAlarmEx,
+    UACertificateExpirationAlarmImpl
 } from "node-opcua-address-space";
+import { UAObject, UAVariable, EventNotifierFlags } from "node-opcua-address-space-base";
 import { checkDebugFlag, make_debugLog, make_warningLog } from "node-opcua-debug";
 import { NodeId, resolveNodeId } from "node-opcua-nodeid";
 import { StatusCodes } from "node-opcua-status-code";
 import { CallMethodResultOptions } from "node-opcua-types";
 import { DataType, Variant, VariantArrayType } from "node-opcua-variant";
-import { AccessRestrictionsFlag, NodeClass } from "node-opcua-data-model";
+import {
+    AccessLevelFlag,
+    AccessRestrictionsFlag,
+    BrowseDirection,
+    coerceQualifiedName,
+    NodeClass,
+    QualifiedName
+} from "node-opcua-data-model";
 import { ByteString, UAString } from "node-opcua-basic-types";
-import { ObjectTypeIds } from "node-opcua-constants";
+import { ObjectIds, ObjectTypeIds } from "node-opcua-constants";
+import { CertificateManager } from "node-opcua-certificate-manager";
+import { Certificate, readCertificate } from "node-opcua-crypto";
 import { CreateSigningRequestResult, PushCertificateManager } from "../push_certificate_manager";
-import { installCertificateExpirationAlarm } from "./install_CertificateAlarm";
 import { PushCertificateManagerServerImpl, PushCertificateManagerServerOptions } from "./push_certificate_manager_server_impl";
 import { installAccessRestrictionOnTrustList, promoteTrustList } from "./promote_trust_list";
 import { hasEncryptedChannel, hasExpectedUserAccess } from "./tools";
 import { rolePermissionAdminOnly, rolePermissionRestricted } from "./roles_and_permissions";
+import { installCertificateFileWatcher } from "./install_certificate_file_watcher";
 const debugLog = make_debugLog("ServerConfiguration");
 const doDebug = checkDebugFlag("ServerConfiguration");
@@ -247,38 +258,136 @@ async function _applyChanges(
     return { statusCode };
 }
+function getCertificateFilename(certificateManager: CertificateManager): string {
+    return path.join(certificateManager.rootDir, "own/certs/certificate.pem"); // to do , find a better way
+}
+async function getCertificate(certificateManager: CertificateManager): Promise<Certificate | null> {
+    try {
+        const certificateFile = getCertificateFilename(certificateManager);
+        if (fs.existsSync(certificateFile)) {
+            const certificate = await readCertificate(certificateFile);
+            return certificate;
+        }
+        return null;
+    } catch (err) {
+        warningLog("getCertificate Error", (err as Error).message);
+        return null;
+    }
+}
+function bindCertificateGroup(certificateGroup: UACertificateGroup, certificateManager?: CertificateManager) {
+    if (certificateManager) {
+        const certificateFile = getCertificateFilename(certificateManager);
+        const changeDetector = installCertificateFileWatcher(certificateGroup, certificateFile);
+        changeDetector.on("certificateChange", () => {
+            debugLog("detecting certificate change", certificateFile);
+            updateCertificateAlarm();
+        });
+    }
+    async function updateCertificateAlarm() {
+        try {
+            debugLog("updateCertificateAlarm", certificateGroup.browseName.toString());
+            const certificateExpired = certificateGroup.getComponentByName("CertificateExpired");
+            if (certificateExpired && certificateManager) {
+                const certificateExpiredEx = certificateExpired as unknown as UACertificateExpirationAlarmEx;
+                const certificate = await getCertificate(certificateManager);
+                certificateExpiredEx.setCertificate(certificate);
+            }
+        } catch (err) {
+            warningLog("updateCertificateAlarm Error", (err as Error).message);
+        }
+    }
+    const addressSpace = certificateGroup.addressSpace;
+    if (!certificateManager) {
+        return;
+    }
+    const trustList = certificateGroup.getComponentByName("TrustList");
+    if (trustList) {
+        (trustList as any).$$certificateManager = certificateManager;
+    }
+    const certificateExpired = certificateGroup.getComponentByName("CertificateExpired");
+    if (certificateExpired) {
+        (certificateExpired as any).$$certificateManager = certificateManager;
+        // install alarm handling
+        const timerId = setInterval(updateCertificateAlarm, 60 * 1000);
+        addressSpace.registerShutdownTask(() => clearInterval(timerId));
+        updateCertificateAlarm();
+    }
+}
 function bindCertificateManager(addressSpace: AddressSpace, options: PushCertificateManagerServerOptions) {
     const serverConfiguration = addressSpace.rootFolder.objects.server.getChildByName(
         "ServerConfiguration"
     )! as UAServerConfiguration;
-    const defaultApplicationGroup = serverConfiguration.certificateGroups.getComponentByName("DefaultApplicationGroup");
+    const defaultApplicationGroup = serverConfiguration.certificateGroups.getComponentByName(
+        "DefaultApplicationGroup"
+    ) as UACertificateGroup | null;
     if (defaultApplicationGroup) {
-        const trustList = defaultApplicationGroup.getComponentByName("TrustList");
-        if (trustList) {
-            (trustList as any).$$certificateManager = options.applicationGroup;
-        }
+        bindCertificateGroup(defaultApplicationGroup, options.applicationGroup);
     }
-    const defaultTokenGroup = serverConfiguration.certificateGroups.getComponentByName("DefaultUserTokenGroup");
+    const defaultTokenGroup = serverConfiguration.certificateGroups.getComponentByName(
+        "DefaultUserTokenGroup"
+    ) as UACertificateGroup | null;
     if (defaultTokenGroup) {
-        const trustList = defaultTokenGroup.getComponentByName("TrustList");
-        if (trustList) {
-            (trustList as any).$$certificateManager = options.userTokenGroup;
-        }
+        bindCertificateGroup(defaultTokenGroup, options.userTokenGroup);
+    }
+}
+function setNotifierOfChain(childObject: UAObject | null) {
+    if (!childObject) {
+        return;
+    }
+    const parentObject: UAObject | null = childObject.parent as UAObject | null;
+    if (!parentObject) {
+        return;
     }
+    const notifierOf = childObject.findReferencesEx("HasNotifier", BrowseDirection.Inverse);
+    if (notifierOf.length === 0) {
+        const notifierOfNode = childObject.addReference({
+            referenceType: "HasNotifier",
+            nodeId: parentObject.nodeId,
+            isForward: false
+        });
+    }
+    parentObject.setEventNotifier(parentObject.eventNotifier | EventNotifierFlags.SubscribeToEvents);
+    if (parentObject.nodeId.namespace === 0 && parentObject.nodeId.value === ObjectIds.Server) {
+        return;
+    }
+    setNotifierOfChain(parentObject);
 }
-export async function promoteCertificateGroup(certificateGroup: UAObject) {
+export async function promoteCertificateGroup(certificateGroup: UACertificateGroup): Promise<void> {
     const trustList = certificateGroup.getChildByName("TrustList") as UATrustList;
     if (trustList) {
-        promoteTrustList(trustList);
-    }
+        await promoteTrustList(trustList);
+    }
+    if (!certificateGroup.certificateExpired) {
+        const namespace = certificateGroup.addressSpace.getOwnNamespace();
+        // certificateGroup.
+        UACertificateExpirationAlarmImpl.instantiate(namespace, "CertificateExpirationAlarmType", {
+            browseName: coerceQualifiedName("0:CertificateExpired"),
+            componentOf: certificateGroup,
+            conditionSource: null,
+            conditionOf: certificateGroup,
+            inputNode: NodeId.nullNodeId,
+            normalState: NodeId.nullNodeId,
+            optionals: ["ExpirationLimit"]
+        });
+    }
+    certificateGroup.setEventNotifier(EventNotifierFlags.SubscribeToEvents);
+    setNotifierOfChain(certificateGroup);
 }
 export async function installPushCertificateManagement(
     addressSpace: AddressSpace,
     options: PushCertificateManagerServerOptions
 ): Promise<void> {
+    addressSpace.installAlarmsAndConditionsService();
     const serverConfiguration = addressSpace.rootFolder.objects.server.getChildByName(
         "ServerConfiguration"
     )! as UAServerConfiguration;
@@ -322,8 +431,8 @@ export async function installPushCertificateManagement(
             }
         }
         for (const group of certificateGroups.getComponents()) {
-            group?.setRolePermissions(rolePermissionAdminOnly);
-            group?.setAccessRestrictions(AccessRestrictionsFlag.SigningRequired | AccessRestrictionsFlag.EncryptionRequired);
+            group.setRolePermissions(rolePermissionAdminOnly);
+            group.setAccessRestrictions(AccessRestrictionsFlag.SigningRequired | AccessRestrictionsFlag.EncryptionRequired);
             if (group.nodeClass === NodeClass.Object) {
                 installAccessRestrictionOnGroup(group as UAObject);
             }
@@ -359,7 +468,7 @@ export async function installPushCertificateManagement(
         serverConfiguration.applyChanges!.bindMethod(_applyChanges);
     }
-    installCertificateExpirationAlarm(addressSpace);
+    //xx installCertificateExpirationAlarm(addressSpace);
     const cg = serverConfiguration.certificateGroups.getComponents();
@@ -370,11 +479,18 @@ export async function installPushCertificateManagement(
         arrayType: VariantArrayType.Array,
         value: [resolveNodeId(ObjectTypeIds.RsaSha256ApplicationCertificateType)]
     });
+    const certificateGroupType = addressSpace.findObjectType("CertificateGroupType")!;
     for (const certificateGroup of cg) {
         if (certificateGroup.nodeClass !== NodeClass.Object) {
             continue;
         }
-        await promoteCertificateGroup(certificateGroup as UAObject);
+        const o = certificateGroup as UAObject;
+        if (!o.typeDefinitionObj.isSupertypeOf(certificateGroupType)) {
+            continue;
+        }
+        await promoteCertificateGroup(certificateGroup as UACertificateGroup);
     }
     await bindCertificateManager(addressSpace, options);
 }

package/source/server/push_certificate_manager_server_impl.ts CHANGED Viewed

@@ -6,11 +6,7 @@ import * as fs from "fs";
 import * as path from "path";
 import { promisify} from "util";
 import * as rimraf from "rimraf";
-// node 14 onward : import {  readFile, writeFile, readdir } from "fs/promises";
-const { readFile, writeFile, readdir } = fs.promises;
+import { SubjectOptions } from "node-opcua-pki";
 import { assert } from "node-opcua-assert";
 import { ByteString, StatusCodes } from "node-opcua-basic-types";
 import {
@@ -41,7 +37,10 @@ import {
     PushCertificateManager,
     UpdateCertificateResult
 } from "../push_certificate_manager";
-import { SubjectOptions } from "node-opcua-pki";
+// node 14 onward : import {  readFile, writeFile, readdir } from "fs/promises";
+const { readFile, writeFile, readdir } = fs.promises;
 const debugLog = make_debugLog("ServerConfiguration");
 const errorLog = make_errorLog("ServerConfiguration");
@@ -284,7 +283,7 @@ export class PushCertificateManagerServerImpl extends EventEmitter implements Pu
                 await fs.promises.mkdir(location);
             }
-            let destCertificateManager = certificateManager;
+            const destCertificateManager = certificateManager;
             const keySize = (certificateManager as any).keySize; // because keySize is private !
             certificateManager = new CertificateManager({
                 keySize,

package/source/server/tools.ts CHANGED Viewed

@@ -1,4 +1,4 @@
-import { ISessionContext, SessionContext, WellKnownRoles } from "node-opcua-address-space";
+import { ISessionContext, WellKnownRoles } from "node-opcua-address-space";
 import { MessageSecurityMode } from "node-opcua-secure-channel";
 export function hasExpectedUserAccess(context: ISessionContext) {

package/source/server/trust_list_server.ts CHANGED Viewed

@@ -1,8 +1,8 @@
-import { OPCUACertificateManager } from "node-opcua-certificate-manager";
-import { TrustListDataType } from "node-opcua-types";
 import *as fs from "fs";
 import * as path from "path";
+import { OPCUACertificateManager } from "node-opcua-certificate-manager";
+import { TrustListDataType } from "node-opcua-types";
 import { AbstractFs } from "node-opcua-file-transfer";
 import { BinaryStream } from "node-opcua-binary-stream";
 import { readCertificate, readCertificateRevocationList } from "node-opcua-crypto";