npm - node-opcua-server-configuration - Versions diffs - 2.97.0 → 2.98.1 - Mend

node-opcua-server-configuration 2.97.0 → 2.98.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (32) hide show

package/dist/clientTools/index.d.ts +1 -1
package/dist/clientTools/index.js +17 -17
package/dist/clientTools/push_certificate_management_client.d.ts +176 -176
package/dist/clientTools/push_certificate_management_client.js +463 -463
package/dist/clientTools/push_certificate_management_client.js.map +1 -1
package/dist/index.d.ts +10 -10
package/dist/index.js +27 -27
package/dist/push_certificate_manager.d.ts +141 -141
package/dist/push_certificate_manager.js +2 -2
package/dist/server/install_certificate_file_watcher.d.ts +5 -5
package/dist/server/install_certificate_file_watcher.js +23 -23
package/dist/server/install_push_certitifate_management.d.ts +19 -19
package/dist/server/install_push_certitifate_management.js +215 -215
package/dist/server/promote_trust_list.d.ts +6 -6
package/dist/server/promote_trust_list.js +175 -175
package/dist/server/push_certificate_manager_helpers.d.ts +4 -4
package/dist/server/push_certificate_manager_helpers.js +411 -411
package/dist/server/push_certificate_manager_server_impl.d.ts +47 -47
package/dist/server/push_certificate_manager_server_impl.js +525 -525
package/dist/server/roles_and_permissions.d.ts +3 -3
package/dist/server/roles_and_permissions.js +38 -38
package/dist/server/tools.d.ts +3 -3
package/dist/server/tools.js +19 -19
package/dist/server/trust_list_server.d.ts +13 -13
package/dist/server/trust_list_server.js +89 -89
package/dist/standard_certificate_types.d.ts +6 -6
package/dist/standard_certificate_types.js +13 -13
package/dist/trust_list.d.ts +79 -79
package/dist/trust_list.js +2 -2
package/dist/trust_list_impl.js +25 -25
package/package.json +32 -28
package/bin/configurator.ts +0 -304

package/dist/server/push_certificate_manager_helpers.js CHANGED Viewed

@@ -1,412 +1,412 @@
-"use strict";
-var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
-    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
-    return new (P || (P = Promise))(function (resolve, reject) {
-        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
-        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
-        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
-        step((generator = generator.apply(thisArg, _arguments || [])).next());
-    });
-};
-Object.defineProperty(exports, "__esModule", { value: true });
-exports.installPushCertificateManagement = exports.promoteCertificateGroup = void 0;
-/**
- * @module node-opcua-server-configuration
- */
-const path = require("path");
-const fs = require("fs");
-const node_opcua_address_space_1 = require("node-opcua-address-space");
-const node_opcua_address_space_base_1 = require("node-opcua-address-space-base");
-const node_opcua_debug_1 = require("node-opcua-debug");
-const node_opcua_nodeid_1 = require("node-opcua-nodeid");
-const node_opcua_status_code_1 = require("node-opcua-status-code");
-const node_opcua_variant_1 = require("node-opcua-variant");
-const node_opcua_data_model_1 = require("node-opcua-data-model");
-const node_opcua_constants_1 = require("node-opcua-constants");
-const node_opcua_crypto_1 = require("node-opcua-crypto");
-const push_certificate_manager_server_impl_1 = require("./push_certificate_manager_server_impl");
-const promote_trust_list_1 = require("./promote_trust_list");
-const tools_1 = require("./tools");
-const roles_and_permissions_1 = require("./roles_and_permissions");
-const install_certificate_file_watcher_1 = require("./install_certificate_file_watcher");
-const debugLog = (0, node_opcua_debug_1.make_debugLog)("ServerConfiguration");
-const doDebug = (0, node_opcua_debug_1.checkDebugFlag)("ServerConfiguration");
-const warningLog = (0, node_opcua_debug_1.make_warningLog)("ServerConfiguration");
-const errorLog = debugLog;
-function expected(variant, dataType, variantArrayType) {
-    if (!variant) {
-        return false;
-    }
-    if (variant.dataType !== dataType) {
-        return false;
-    }
-    if (variant.arrayType !== variantArrayType) {
-        return false;
-    }
-    return true;
-}
-function getPushCertificateManager(method) {
-    const serverConfiguration = method.addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration");
-    const serverConfigurationPriv = serverConfiguration;
-    if (serverConfigurationPriv.$pushCertificateManager) {
-        return serverConfigurationPriv.$pushCertificateManager;
-    }
-    // throw new Error("Cannot find pushCertificateManager object");
-    return null;
-}
-function _createSigningRequest(inputArguments, context) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const certificateGroupIdVariant = inputArguments[0];
-        const certificateTypeIdVariant = inputArguments[1];
-        const subjectNameVariant = inputArguments[2];
-        const regeneratePrivateKeyVariant = inputArguments[3];
-        const nonceVariant = inputArguments[4];
-        if (!expected(certificateGroupIdVariant, node_opcua_variant_1.DataType.NodeId, node_opcua_variant_1.VariantArrayType.Scalar)) {
-            warningLog("expecting an NodeId for certificateGroupId - 0");
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
-        }
-        if (!expected(certificateTypeIdVariant, node_opcua_variant_1.DataType.NodeId, node_opcua_variant_1.VariantArrayType.Scalar)) {
-            warningLog("expecting an NodeId for certificateTypeId - 1");
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
-        }
-        if (!expected(subjectNameVariant, node_opcua_variant_1.DataType.String, node_opcua_variant_1.VariantArrayType.Scalar)) {
-            warningLog("expecting an String for subjectName - 2");
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
-        }
-        if (!expected(regeneratePrivateKeyVariant, node_opcua_variant_1.DataType.Boolean, node_opcua_variant_1.VariantArrayType.Scalar)) {
-            warningLog("expecting an Boolean for regeneratePrivateKey - 3");
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
-        }
-        if (!expected(nonceVariant, node_opcua_variant_1.DataType.ByteString, node_opcua_variant_1.VariantArrayType.Scalar)) {
-            warningLog("expecting an ByteString for nonceVariant - 4");
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
-        }
-        if (!(0, tools_1.hasEncryptedChannel)(context)) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadSecurityModeInsufficient };
-        }
-        if (!(0, tools_1.hasExpectedUserAccess)(context)) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadUserAccessDenied };
-        }
-        const certificateGroupId = certificateGroupIdVariant.value;
-        const certificateTypeId = certificateTypeIdVariant.value;
-        const subjectName = subjectNameVariant.value;
-        const regeneratePrivateKey = regeneratePrivateKeyVariant.value;
-        const nonce = nonceVariant.value;
-        const pushCertificateManager = getPushCertificateManager(this);
-        if (!pushCertificateManager) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadNotImplemented };
-        }
-        const result = yield pushCertificateManager.createSigningRequest(certificateGroupId, certificateTypeId, subjectName, regeneratePrivateKey, nonce);
-        if (result.statusCode.isNotGood()) {
-            return { statusCode: result.statusCode };
-        }
-        const callMethodResult = {
-            outputArguments: [
-                {
-                    dataType: node_opcua_variant_1.DataType.ByteString,
-                    value: result.certificateSigningRequest
-                }
-            ],
-            statusCode: result.statusCode
-        };
-        return callMethodResult;
-    });
-}
-function _updateCertificate(inputArguments, context) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const certificateGroupId = inputArguments[0].value;
-        const certificateTypeId = inputArguments[1].value;
-        const certificate = inputArguments[2].value;
-        const issuerCertificates = inputArguments[3].value;
-        const privateKeyFormat = inputArguments[4].value;
-        const privateKey = inputArguments[5].value;
-        // This Method requires an encrypted channel and that the Client provides credentials with
-        // administrative rights on the Server
-        if (!(0, tools_1.hasEncryptedChannel)(context)) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadSecurityModeInsufficient };
-        }
-        if (!(0, tools_1.hasExpectedUserAccess)(context)) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadUserAccessDenied };
-        }
-        if (privateKeyFormat && privateKeyFormat !== "" && privateKeyFormat.toLowerCase() !== "pem") {
-            errorLog("_updateCertificate: Invalid PEM format requested " + privateKeyFormat);
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
-        }
-        const pushCertificateManager = getPushCertificateManager(this);
-        if (!pushCertificateManager) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadNotImplemented };
-        }
-        const result = yield pushCertificateManager.updateCertificate(certificateGroupId, certificateTypeId, certificate, issuerCertificates, privateKeyFormat, privateKey);
-        // todo   raise a CertificateUpdatedAuditEventType
-        if (result.statusCode.isNotGood()) {
-            return { statusCode: result.statusCode };
-        }
-        const callMethodResult = {
-            outputArguments: [
-                {
-                    dataType: node_opcua_variant_1.DataType.Boolean,
-                    value: !!result.applyChangesRequired
-                }
-            ],
-            statusCode: result.statusCode
-        };
-        return callMethodResult;
-    });
-}
-function _getRejectedList(inputArguments, context) {
-    return __awaiter(this, void 0, void 0, function* () {
-        if (!(0, tools_1.hasEncryptedChannel)(context)) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadSecurityModeInsufficient };
-        }
-        if (!(0, tools_1.hasExpectedUserAccess)(context)) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadUserAccessDenied };
-        }
-        const pushCertificateManager = getPushCertificateManager(this);
-        if (!pushCertificateManager) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadNotImplemented };
-        }
-        const result = yield pushCertificateManager.getRejectedList();
-        if (result.statusCode.isNotGood()) {
-            return { statusCode: result.statusCode };
-        }
-        return {
-            outputArguments: [
-                {
-                    arrayType: node_opcua_variant_1.VariantArrayType.Array,
-                    dataType: node_opcua_variant_1.DataType.ByteString,
-                    value: result.certificates
-                }
-            ],
-            statusCode: node_opcua_status_code_1.StatusCodes.Good
-        };
-    });
-}
-function _applyChanges(inputArguments, context) {
-    return __awaiter(this, void 0, void 0, function* () {
-        // This Method requires an encrypted channel and that the Client provide credentials with
-        // administrative rights on the Server.
-        if (!(0, tools_1.hasEncryptedChannel)(context)) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadSecurityModeInsufficient };
-        }
-        if (!(0, tools_1.hasExpectedUserAccess)(context)) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadUserAccessDenied };
-        }
-        const pushCertificateManager = getPushCertificateManager(this);
-        if (!pushCertificateManager) {
-            return { statusCode: node_opcua_status_code_1.StatusCodes.BadNotImplemented };
-        }
-        const statusCode = yield pushCertificateManager.applyChanges();
-        return { statusCode };
-    });
-}
-function getCertificateFilename(certificateManager) {
-    return path.join(certificateManager.rootDir, "own/certs/certificate.pem"); // to do , find a better way
-}
-function getCertificate(certificateManager) {
-    return __awaiter(this, void 0, void 0, function* () {
-        try {
-            const certificateFile = getCertificateFilename(certificateManager);
-            if (fs.existsSync(certificateFile)) {
-                const certificate = yield (0, node_opcua_crypto_1.readCertificate)(certificateFile);
-                return certificate;
-            }
-            return null;
-        }
-        catch (err) {
-            warningLog("getCertificate Error", err.message);
-            return null;
-        }
-    });
-}
-function bindCertificateGroup(certificateGroup, certificateManager) {
-    if (certificateManager) {
-        const certificateFile = getCertificateFilename(certificateManager);
-        const changeDetector = (0, install_certificate_file_watcher_1.installCertificateFileWatcher)(certificateGroup, certificateFile);
-        changeDetector.on("certificateChange", () => {
-            debugLog("detecting certificate change", certificateFile);
-            updateCertificateAlarm();
-        });
-    }
-    function updateCertificateAlarm() {
-        return __awaiter(this, void 0, void 0, function* () {
-            try {
-                debugLog("updateCertificateAlarm", certificateGroup.browseName.toString());
-                const certificateExpired = certificateGroup.getComponentByName("CertificateExpired");
-                if (certificateExpired && certificateManager) {
-                    const certificateExpiredEx = certificateExpired;
-                    const certificate = yield getCertificate(certificateManager);
-                    certificateExpiredEx.setCertificate(certificate);
-                }
-            }
-            catch (err) {
-                warningLog("updateCertificateAlarm Error", err.message);
-            }
-        });
-    }
-    const addressSpace = certificateGroup.addressSpace;
-    if (!certificateManager) {
-        return;
-    }
-    const trustList = certificateGroup.getComponentByName("TrustList");
-    if (trustList) {
-        trustList.$$certificateManager = certificateManager;
-    }
-    const certificateExpired = certificateGroup.getComponentByName("CertificateExpired");
-    if (certificateExpired) {
-        certificateExpired.$$certificateManager = certificateManager;
-        // install alarm handling
-        const timerId = setInterval(updateCertificateAlarm, 60 * 1000);
-        addressSpace.registerShutdownTask(() => clearInterval(timerId));
-        updateCertificateAlarm();
-    }
-}
-function bindCertificateManager(addressSpace, options) {
-    const serverConfiguration = addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration");
-    const defaultApplicationGroup = serverConfiguration.certificateGroups.getComponentByName("DefaultApplicationGroup");
-    if (defaultApplicationGroup) {
-        bindCertificateGroup(defaultApplicationGroup, options.applicationGroup);
-    }
-    const defaultTokenGroup = serverConfiguration.certificateGroups.getComponentByName("DefaultUserTokenGroup");
-    if (defaultTokenGroup) {
-        bindCertificateGroup(defaultTokenGroup, options.userTokenGroup);
-    }
-}
-function setNotifierOfChain(childObject) {
-    if (!childObject) {
-        return;
-    }
-    const parentObject = childObject.parent;
-    if (!parentObject) {
-        return;
-    }
-    const notifierOf = childObject.findReferencesEx("HasNotifier", node_opcua_data_model_1.BrowseDirection.Inverse);
-    if (notifierOf.length === 0) {
-        const notifierOfNode = childObject.addReference({
-            referenceType: "HasNotifier",
-            nodeId: parentObject.nodeId,
-            isForward: false
-        });
-    }
-    parentObject.setEventNotifier(parentObject.eventNotifier | node_opcua_address_space_base_1.EventNotifierFlags.SubscribeToEvents);
-    if (parentObject.nodeId.namespace === 0 && parentObject.nodeId.value === node_opcua_constants_1.ObjectIds.Server) {
-        return;
-    }
-    setNotifierOfChain(parentObject);
-}
-function promoteCertificateGroup(certificateGroup) {
-    return __awaiter(this, void 0, void 0, function* () {
-        const trustList = certificateGroup.getChildByName("TrustList");
-        if (trustList) {
-            yield (0, promote_trust_list_1.promoteTrustList)(trustList);
-        }
-        if (!certificateGroup.certificateExpired) {
-            const namespace = certificateGroup.addressSpace.getOwnNamespace();
-            // certificateGroup.
-            (0, node_opcua_address_space_1.instantiateCertificateExpirationAlarm)(namespace, "CertificateExpirationAlarmType", {
-                browseName: (0, node_opcua_data_model_1.coerceQualifiedName)("0:CertificateExpired"),
-                componentOf: certificateGroup,
-                conditionSource: null,
-                conditionOf: certificateGroup,
-                inputNode: node_opcua_nodeid_1.NodeId.nullNodeId,
-                normalState: node_opcua_nodeid_1.NodeId.nullNodeId,
-                optionals: ["ExpirationLimit"],
-                conditionName: "CertificateExpired",
-                conditionClass: (0, node_opcua_nodeid_1.resolveNodeId)("CertificateExpirationAlarmType"),
-            });
-        }
-        certificateGroup.setEventNotifier(node_opcua_address_space_base_1.EventNotifierFlags.SubscribeToEvents);
-        setNotifierOfChain(certificateGroup);
-    });
-}
-exports.promoteCertificateGroup = promoteCertificateGroup;
-;
-function installPushCertificateManagement(addressSpace, options) {
-    return __awaiter(this, void 0, void 0, function* () {
-        addressSpace.installAlarmsAndConditionsService();
-        const serverConfiguration = addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration");
-        const serverConfigurationPriv = serverConfiguration;
-        if (serverConfigurationPriv.$pushCertificateManager) {
-            warningLog("PushCertificateManagement has already been installed");
-            return;
-        }
-        const accessRestrictionFlag = node_opcua_data_model_1.AccessRestrictionsFlag.SigningRequired | node_opcua_data_model_1.AccessRestrictionsFlag.EncryptionRequired;
-        function installAccessRestrictions(serverConfiguration) {
-            serverConfiguration.setRolePermissions(roles_and_permissions_1.rolePermissionRestricted);
-            serverConfiguration.setAccessRestrictions(node_opcua_data_model_1.AccessRestrictionsFlag.None);
-            const applyName = serverConfiguration.getMethodByName("ApplyChanges");
-            applyName === null || applyName === void 0 ? void 0 : applyName.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
-            applyName === null || applyName === void 0 ? void 0 : applyName.setAccessRestrictions(node_opcua_data_model_1.AccessRestrictionsFlag.SigningRequired | node_opcua_data_model_1.AccessRestrictionsFlag.EncryptionRequired);
-            const createSigningRequest = serverConfiguration.getMethodByName("CreateSigningRequest");
-            createSigningRequest === null || createSigningRequest === void 0 ? void 0 : createSigningRequest.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
-            createSigningRequest === null || createSigningRequest === void 0 ? void 0 : createSigningRequest.setAccessRestrictions(accessRestrictionFlag);
-            const getRejectedList = serverConfiguration.getMethodByName("GetRejectedList");
-            getRejectedList === null || getRejectedList === void 0 ? void 0 : getRejectedList.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
-            getRejectedList === null || getRejectedList === void 0 ? void 0 : getRejectedList.setAccessRestrictions(accessRestrictionFlag);
-            const updateCertificate = serverConfiguration.getMethodByName("UpdateCertificate");
-            updateCertificate === null || updateCertificate === void 0 ? void 0 : updateCertificate.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
-            updateCertificate === null || updateCertificate === void 0 ? void 0 : updateCertificate.setAccessRestrictions(accessRestrictionFlag);
-            const certificateGroups = serverConfiguration.getComponentByName("CertificateGroups");
-            certificateGroups.setRolePermissions(roles_and_permissions_1.rolePermissionRestricted);
-            certificateGroups.setAccessRestrictions(node_opcua_data_model_1.AccessRestrictionsFlag.None);
-            function installAccessRestrictionOnGroup(group) {
-                const trustList = group.getComponentByName("TrustList");
-                if (trustList) {
-                    (0, promote_trust_list_1.installAccessRestrictionOnTrustList)(trustList);
-                }
-            }
-            for (const group of certificateGroups.getComponents()) {
-                group.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
-                group.setAccessRestrictions(node_opcua_data_model_1.AccessRestrictionsFlag.SigningRequired | node_opcua_data_model_1.AccessRestrictionsFlag.EncryptionRequired);
-                if (group.nodeClass === node_opcua_data_model_1.NodeClass.Object) {
-                    installAccessRestrictionOnGroup(group);
-                }
-            }
-        }
-        installAccessRestrictions(serverConfiguration);
-        serverConfigurationPriv.$pushCertificateManager = new push_certificate_manager_server_impl_1.PushCertificateManagerServerImpl(options);
-        serverConfiguration.supportedPrivateKeyFormats.setValueFromSource({
-            arrayType: node_opcua_variant_1.VariantArrayType.Array,
-            dataType: node_opcua_variant_1.DataType.String,
-            value: ["PEM"]
-        });
-        function install_method_handle_on_type(addressSpace) {
-            const serverConfigurationType = addressSpace.findObjectType("ServerConfigurationType");
-            if (serverConfigurationType.createSigningRequest.isBound()) {
-                return;
-            }
-            serverConfigurationType.createSigningRequest.bindMethod(_createSigningRequest);
-            serverConfigurationType.getRejectedList.bindMethod(_getRejectedList);
-            serverConfigurationType.updateCertificate.bindMethod(_updateCertificate);
-            serverConfigurationType.applyChanges.bindMethod(_applyChanges);
-        }
-        install_method_handle_on_type(addressSpace);
-        serverConfiguration.createSigningRequest.bindMethod(_createSigningRequest);
-        serverConfiguration.updateCertificate.bindMethod(_updateCertificate);
-        serverConfiguration.getRejectedList.bindMethod(_getRejectedList);
-        if (serverConfiguration.applyChanges) {
-            serverConfiguration.applyChanges.bindMethod(_applyChanges);
-        }
-        const cg = serverConfiguration.certificateGroups.getComponents();
-        const defaultApplicationGroup = serverConfiguration.certificateGroups.getComponentByName("DefaultApplicationGroup");
-        const certificateTypes = defaultApplicationGroup.getPropertyByName("CertificateTypes");
-        certificateTypes.setValueFromSource({
-            dataType: node_opcua_variant_1.DataType.NodeId,
-            arrayType: node_opcua_variant_1.VariantArrayType.Array,
-            value: [(0, node_opcua_nodeid_1.resolveNodeId)(node_opcua_constants_1.ObjectTypeIds.RsaSha256ApplicationCertificateType)]
-        });
-        const certificateGroupType = addressSpace.findObjectType("CertificateGroupType");
-        for (const certificateGroup of cg) {
-            if (certificateGroup.nodeClass !== node_opcua_data_model_1.NodeClass.Object) {
-                continue;
-            }
-            const o = certificateGroup;
-            if (!o.typeDefinitionObj.isSubtypeOf(certificateGroupType)) {
-                continue;
-            }
-            yield promoteCertificateGroup(certificateGroup);
-        }
-        yield bindCertificateManager(addressSpace, options);
-    });
-}
-exports.installPushCertificateManagement = installPushCertificateManagement;
+"use strict";
+var __awaiter = (this && this.__awaiter) || function (thisArg, _arguments, P, generator) {
+    function adopt(value) { return value instanceof P ? value : new P(function (resolve) { resolve(value); }); }
+    return new (P || (P = Promise))(function (resolve, reject) {
+        function fulfilled(value) { try { step(generator.next(value)); } catch (e) { reject(e); } }
+        function rejected(value) { try { step(generator["throw"](value)); } catch (e) { reject(e); } }
+        function step(result) { result.done ? resolve(result.value) : adopt(result.value).then(fulfilled, rejected); }
+        step((generator = generator.apply(thisArg, _arguments || [])).next());
+    });
+};
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.installPushCertificateManagement = exports.promoteCertificateGroup = void 0;
+/**
+ * @module node-opcua-server-configuration
+ */
+const path = require("path");
+const fs = require("fs");
+const node_opcua_address_space_1 = require("node-opcua-address-space");
+const node_opcua_address_space_base_1 = require("node-opcua-address-space-base");
+const node_opcua_debug_1 = require("node-opcua-debug");
+const node_opcua_nodeid_1 = require("node-opcua-nodeid");
+const node_opcua_status_code_1 = require("node-opcua-status-code");
+const node_opcua_variant_1 = require("node-opcua-variant");
+const node_opcua_data_model_1 = require("node-opcua-data-model");
+const node_opcua_constants_1 = require("node-opcua-constants");
+const node_opcua_crypto_1 = require("node-opcua-crypto");
+const push_certificate_manager_server_impl_1 = require("./push_certificate_manager_server_impl");
+const promote_trust_list_1 = require("./promote_trust_list");
+const tools_1 = require("./tools");
+const roles_and_permissions_1 = require("./roles_and_permissions");
+const install_certificate_file_watcher_1 = require("./install_certificate_file_watcher");
+const debugLog = (0, node_opcua_debug_1.make_debugLog)("ServerConfiguration");
+const doDebug = (0, node_opcua_debug_1.checkDebugFlag)("ServerConfiguration");
+const warningLog = (0, node_opcua_debug_1.make_warningLog)("ServerConfiguration");
+const errorLog = debugLog;
+function expected(variant, dataType, variantArrayType) {
+    if (!variant) {
+        return false;
+    }
+    if (variant.dataType !== dataType) {
+        return false;
+    }
+    if (variant.arrayType !== variantArrayType) {
+        return false;
+    }
+    return true;
+}
+function getPushCertificateManager(method) {
+    const serverConfiguration = method.addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration");
+    const serverConfigurationPriv = serverConfiguration;
+    if (serverConfigurationPriv.$pushCertificateManager) {
+        return serverConfigurationPriv.$pushCertificateManager;
+    }
+    // throw new Error("Cannot find pushCertificateManager object");
+    return null;
+}
+function _createSigningRequest(inputArguments, context) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const certificateGroupIdVariant = inputArguments[0];
+        const certificateTypeIdVariant = inputArguments[1];
+        const subjectNameVariant = inputArguments[2];
+        const regeneratePrivateKeyVariant = inputArguments[3];
+        const nonceVariant = inputArguments[4];
+        if (!expected(certificateGroupIdVariant, node_opcua_variant_1.DataType.NodeId, node_opcua_variant_1.VariantArrayType.Scalar)) {
+            warningLog("expecting an NodeId for certificateGroupId - 0");
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
+        }
+        if (!expected(certificateTypeIdVariant, node_opcua_variant_1.DataType.NodeId, node_opcua_variant_1.VariantArrayType.Scalar)) {
+            warningLog("expecting an NodeId for certificateTypeId - 1");
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
+        }
+        if (!expected(subjectNameVariant, node_opcua_variant_1.DataType.String, node_opcua_variant_1.VariantArrayType.Scalar)) {
+            warningLog("expecting an String for subjectName - 2");
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
+        }
+        if (!expected(regeneratePrivateKeyVariant, node_opcua_variant_1.DataType.Boolean, node_opcua_variant_1.VariantArrayType.Scalar)) {
+            warningLog("expecting an Boolean for regeneratePrivateKey - 3");
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
+        }
+        if (!expected(nonceVariant, node_opcua_variant_1.DataType.ByteString, node_opcua_variant_1.VariantArrayType.Scalar)) {
+            warningLog("expecting an ByteString for nonceVariant - 4");
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
+        }
+        if (!(0, tools_1.hasEncryptedChannel)(context)) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadSecurityModeInsufficient };
+        }
+        if (!(0, tools_1.hasExpectedUserAccess)(context)) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadUserAccessDenied };
+        }
+        const certificateGroupId = certificateGroupIdVariant.value;
+        const certificateTypeId = certificateTypeIdVariant.value;
+        const subjectName = subjectNameVariant.value;
+        const regeneratePrivateKey = regeneratePrivateKeyVariant.value;
+        const nonce = nonceVariant.value;
+        const pushCertificateManager = getPushCertificateManager(this);
+        if (!pushCertificateManager) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadNotImplemented };
+        }
+        const result = yield pushCertificateManager.createSigningRequest(certificateGroupId, certificateTypeId, subjectName, regeneratePrivateKey, nonce);
+        if (result.statusCode.isNotGood()) {
+            return { statusCode: result.statusCode };
+        }
+        const callMethodResult = {
+            outputArguments: [
+                {
+                    dataType: node_opcua_variant_1.DataType.ByteString,
+                    value: result.certificateSigningRequest
+                }
+            ],
+            statusCode: result.statusCode
+        };
+        return callMethodResult;
+    });
+}
+function _updateCertificate(inputArguments, context) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const certificateGroupId = inputArguments[0].value;
+        const certificateTypeId = inputArguments[1].value;
+        const certificate = inputArguments[2].value;
+        const issuerCertificates = inputArguments[3].value;
+        const privateKeyFormat = inputArguments[4].value;
+        const privateKey = inputArguments[5].value;
+        // This Method requires an encrypted channel and that the Client provides credentials with
+        // administrative rights on the Server
+        if (!(0, tools_1.hasEncryptedChannel)(context)) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadSecurityModeInsufficient };
+        }
+        if (!(0, tools_1.hasExpectedUserAccess)(context)) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadUserAccessDenied };
+        }
+        if (privateKeyFormat && privateKeyFormat !== "" && privateKeyFormat.toLowerCase() !== "pem") {
+            errorLog("_updateCertificate: Invalid PEM format requested " + privateKeyFormat);
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadInvalidArgument };
+        }
+        const pushCertificateManager = getPushCertificateManager(this);
+        if (!pushCertificateManager) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadNotImplemented };
+        }
+        const result = yield pushCertificateManager.updateCertificate(certificateGroupId, certificateTypeId, certificate, issuerCertificates, privateKeyFormat, privateKey);
+        // todo   raise a CertificateUpdatedAuditEventType
+        if (result.statusCode.isNotGood()) {
+            return { statusCode: result.statusCode };
+        }
+        const callMethodResult = {
+            outputArguments: [
+                {
+                    dataType: node_opcua_variant_1.DataType.Boolean,
+                    value: !!result.applyChangesRequired
+                }
+            ],
+            statusCode: result.statusCode
+        };
+        return callMethodResult;
+    });
+}
+function _getRejectedList(inputArguments, context) {
+    return __awaiter(this, void 0, void 0, function* () {
+        if (!(0, tools_1.hasEncryptedChannel)(context)) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadSecurityModeInsufficient };
+        }
+        if (!(0, tools_1.hasExpectedUserAccess)(context)) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadUserAccessDenied };
+        }
+        const pushCertificateManager = getPushCertificateManager(this);
+        if (!pushCertificateManager) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadNotImplemented };
+        }
+        const result = yield pushCertificateManager.getRejectedList();
+        if (result.statusCode.isNotGood()) {
+            return { statusCode: result.statusCode };
+        }
+        return {
+            outputArguments: [
+                {
+                    arrayType: node_opcua_variant_1.VariantArrayType.Array,
+                    dataType: node_opcua_variant_1.DataType.ByteString,
+                    value: result.certificates
+                }
+            ],
+            statusCode: node_opcua_status_code_1.StatusCodes.Good
+        };
+    });
+}
+function _applyChanges(inputArguments, context) {
+    return __awaiter(this, void 0, void 0, function* () {
+        // This Method requires an encrypted channel and that the Client provide credentials with
+        // administrative rights on the Server.
+        if (!(0, tools_1.hasEncryptedChannel)(context)) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadSecurityModeInsufficient };
+        }
+        if (!(0, tools_1.hasExpectedUserAccess)(context)) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadUserAccessDenied };
+        }
+        const pushCertificateManager = getPushCertificateManager(this);
+        if (!pushCertificateManager) {
+            return { statusCode: node_opcua_status_code_1.StatusCodes.BadNotImplemented };
+        }
+        const statusCode = yield pushCertificateManager.applyChanges();
+        return { statusCode };
+    });
+}
+function getCertificateFilename(certificateManager) {
+    return path.join(certificateManager.rootDir, "own/certs/certificate.pem"); // to do , find a better way
+}
+function getCertificate(certificateManager) {
+    return __awaiter(this, void 0, void 0, function* () {
+        try {
+            const certificateFile = getCertificateFilename(certificateManager);
+            if (fs.existsSync(certificateFile)) {
+                const certificate = yield (0, node_opcua_crypto_1.readCertificate)(certificateFile);
+                return certificate;
+            }
+            return null;
+        }
+        catch (err) {
+            warningLog("getCertificate Error", err.message);
+            return null;
+        }
+    });
+}
+function bindCertificateGroup(certificateGroup, certificateManager) {
+    if (certificateManager) {
+        const certificateFile = getCertificateFilename(certificateManager);
+        const changeDetector = (0, install_certificate_file_watcher_1.installCertificateFileWatcher)(certificateGroup, certificateFile);
+        changeDetector.on("certificateChange", () => {
+            debugLog("detecting certificate change", certificateFile);
+            updateCertificateAlarm();
+        });
+    }
+    function updateCertificateAlarm() {
+        return __awaiter(this, void 0, void 0, function* () {
+            try {
+                debugLog("updateCertificateAlarm", certificateGroup.browseName.toString());
+                const certificateExpired = certificateGroup.getComponentByName("CertificateExpired");
+                if (certificateExpired && certificateManager) {
+                    const certificateExpiredEx = certificateExpired;
+                    const certificate = yield getCertificate(certificateManager);
+                    certificateExpiredEx.setCertificate(certificate);
+                }
+            }
+            catch (err) {
+                warningLog("updateCertificateAlarm Error", err.message);
+            }
+        });
+    }
+    const addressSpace = certificateGroup.addressSpace;
+    if (!certificateManager) {
+        return;
+    }
+    const trustList = certificateGroup.getComponentByName("TrustList");
+    if (trustList) {
+        trustList.$$certificateManager = certificateManager;
+    }
+    const certificateExpired = certificateGroup.getComponentByName("CertificateExpired");
+    if (certificateExpired) {
+        certificateExpired.$$certificateManager = certificateManager;
+        // install alarm handling
+        const timerId = setInterval(updateCertificateAlarm, 60 * 1000);
+        addressSpace.registerShutdownTask(() => clearInterval(timerId));
+        updateCertificateAlarm();
+    }
+}
+function bindCertificateManager(addressSpace, options) {
+    const serverConfiguration = addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration");
+    const defaultApplicationGroup = serverConfiguration.certificateGroups.getComponentByName("DefaultApplicationGroup");
+    if (defaultApplicationGroup) {
+        bindCertificateGroup(defaultApplicationGroup, options.applicationGroup);
+    }
+    const defaultTokenGroup = serverConfiguration.certificateGroups.getComponentByName("DefaultUserTokenGroup");
+    if (defaultTokenGroup) {
+        bindCertificateGroup(defaultTokenGroup, options.userTokenGroup);
+    }
+}
+function setNotifierOfChain(childObject) {
+    if (!childObject) {
+        return;
+    }
+    const parentObject = childObject.parent;
+    if (!parentObject) {
+        return;
+    }
+    const notifierOf = childObject.findReferencesEx("HasNotifier", node_opcua_data_model_1.BrowseDirection.Inverse);
+    if (notifierOf.length === 0) {
+        const notifierOfNode = childObject.addReference({
+            referenceType: "HasNotifier",
+            nodeId: parentObject.nodeId,
+            isForward: false
+        });
+    }
+    parentObject.setEventNotifier(parentObject.eventNotifier | node_opcua_address_space_base_1.EventNotifierFlags.SubscribeToEvents);
+    if (parentObject.nodeId.namespace === 0 && parentObject.nodeId.value === node_opcua_constants_1.ObjectIds.Server) {
+        return;
+    }
+    setNotifierOfChain(parentObject);
+}
+function promoteCertificateGroup(certificateGroup) {
+    return __awaiter(this, void 0, void 0, function* () {
+        const trustList = certificateGroup.getChildByName("TrustList");
+        if (trustList) {
+            yield (0, promote_trust_list_1.promoteTrustList)(trustList);
+        }
+        if (!certificateGroup.certificateExpired) {
+            const namespace = certificateGroup.addressSpace.getOwnNamespace();
+            // certificateGroup.
+            (0, node_opcua_address_space_1.instantiateCertificateExpirationAlarm)(namespace, "CertificateExpirationAlarmType", {
+                browseName: (0, node_opcua_data_model_1.coerceQualifiedName)("0:CertificateExpired"),
+                componentOf: certificateGroup,
+                conditionSource: null,
+                conditionOf: certificateGroup,
+                inputNode: node_opcua_nodeid_1.NodeId.nullNodeId,
+                normalState: node_opcua_nodeid_1.NodeId.nullNodeId,
+                optionals: ["ExpirationLimit"],
+                conditionName: "CertificateExpired",
+                conditionClass: (0, node_opcua_nodeid_1.resolveNodeId)("CertificateExpirationAlarmType"),
+            });
+        }
+        certificateGroup.setEventNotifier(node_opcua_address_space_base_1.EventNotifierFlags.SubscribeToEvents);
+        setNotifierOfChain(certificateGroup);
+    });
+}
+exports.promoteCertificateGroup = promoteCertificateGroup;
+;
+function installPushCertificateManagement(addressSpace, options) {
+    return __awaiter(this, void 0, void 0, function* () {
+        addressSpace.installAlarmsAndConditionsService();
+        const serverConfiguration = addressSpace.rootFolder.objects.server.getChildByName("ServerConfiguration");
+        const serverConfigurationPriv = serverConfiguration;
+        if (serverConfigurationPriv.$pushCertificateManager) {
+            warningLog("PushCertificateManagement has already been installed");
+            return;
+        }
+        const accessRestrictionFlag = node_opcua_data_model_1.AccessRestrictionsFlag.SigningRequired | node_opcua_data_model_1.AccessRestrictionsFlag.EncryptionRequired;
+        function installAccessRestrictions(serverConfiguration) {
+            serverConfiguration.setRolePermissions(roles_and_permissions_1.rolePermissionRestricted);
+            serverConfiguration.setAccessRestrictions(node_opcua_data_model_1.AccessRestrictionsFlag.None);
+            const applyName = serverConfiguration.getMethodByName("ApplyChanges");
+            applyName === null || applyName === void 0 ? void 0 : applyName.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
+            applyName === null || applyName === void 0 ? void 0 : applyName.setAccessRestrictions(node_opcua_data_model_1.AccessRestrictionsFlag.SigningRequired | node_opcua_data_model_1.AccessRestrictionsFlag.EncryptionRequired);
+            const createSigningRequest = serverConfiguration.getMethodByName("CreateSigningRequest");
+            createSigningRequest === null || createSigningRequest === void 0 ? void 0 : createSigningRequest.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
+            createSigningRequest === null || createSigningRequest === void 0 ? void 0 : createSigningRequest.setAccessRestrictions(accessRestrictionFlag);
+            const getRejectedList = serverConfiguration.getMethodByName("GetRejectedList");
+            getRejectedList === null || getRejectedList === void 0 ? void 0 : getRejectedList.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
+            getRejectedList === null || getRejectedList === void 0 ? void 0 : getRejectedList.setAccessRestrictions(accessRestrictionFlag);
+            const updateCertificate = serverConfiguration.getMethodByName("UpdateCertificate");
+            updateCertificate === null || updateCertificate === void 0 ? void 0 : updateCertificate.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
+            updateCertificate === null || updateCertificate === void 0 ? void 0 : updateCertificate.setAccessRestrictions(accessRestrictionFlag);
+            const certificateGroups = serverConfiguration.getComponentByName("CertificateGroups");
+            certificateGroups.setRolePermissions(roles_and_permissions_1.rolePermissionRestricted);
+            certificateGroups.setAccessRestrictions(node_opcua_data_model_1.AccessRestrictionsFlag.None);
+            function installAccessRestrictionOnGroup(group) {
+                const trustList = group.getComponentByName("TrustList");
+                if (trustList) {
+                    (0, promote_trust_list_1.installAccessRestrictionOnTrustList)(trustList);
+                }
+            }
+            for (const group of certificateGroups.getComponents()) {
+                group.setRolePermissions(roles_and_permissions_1.rolePermissionAdminOnly);
+                group.setAccessRestrictions(node_opcua_data_model_1.AccessRestrictionsFlag.SigningRequired | node_opcua_data_model_1.AccessRestrictionsFlag.EncryptionRequired);
+                if (group.nodeClass === node_opcua_data_model_1.NodeClass.Object) {
+                    installAccessRestrictionOnGroup(group);
+                }
+            }
+        }
+        installAccessRestrictions(serverConfiguration);
+        serverConfigurationPriv.$pushCertificateManager = new push_certificate_manager_server_impl_1.PushCertificateManagerServerImpl(options);
+        serverConfiguration.supportedPrivateKeyFormats.setValueFromSource({
+            arrayType: node_opcua_variant_1.VariantArrayType.Array,
+            dataType: node_opcua_variant_1.DataType.String,
+            value: ["PEM"]
+        });
+        function install_method_handle_on_type(addressSpace) {
+            const serverConfigurationType = addressSpace.findObjectType("ServerConfigurationType");
+            if (serverConfigurationType.createSigningRequest.isBound()) {
+                return;
+            }
+            serverConfigurationType.createSigningRequest.bindMethod(_createSigningRequest);
+            serverConfigurationType.getRejectedList.bindMethod(_getRejectedList);
+            serverConfigurationType.updateCertificate.bindMethod(_updateCertificate);
+            serverConfigurationType.applyChanges.bindMethod(_applyChanges);
+        }
+        install_method_handle_on_type(addressSpace);
+        serverConfiguration.createSigningRequest.bindMethod(_createSigningRequest);
+        serverConfiguration.updateCertificate.bindMethod(_updateCertificate);
+        serverConfiguration.getRejectedList.bindMethod(_getRejectedList);
+        if (serverConfiguration.applyChanges) {
+            serverConfiguration.applyChanges.bindMethod(_applyChanges);
+        }
+        const cg = serverConfiguration.certificateGroups.getComponents();
+        const defaultApplicationGroup = serverConfiguration.certificateGroups.getComponentByName("DefaultApplicationGroup");
+        const certificateTypes = defaultApplicationGroup.getPropertyByName("CertificateTypes");
+        certificateTypes.setValueFromSource({
+            dataType: node_opcua_variant_1.DataType.NodeId,
+            arrayType: node_opcua_variant_1.VariantArrayType.Array,
+            value: [(0, node_opcua_nodeid_1.resolveNodeId)(node_opcua_constants_1.ObjectTypeIds.RsaSha256ApplicationCertificateType)]
+        });
+        const certificateGroupType = addressSpace.findObjectType("CertificateGroupType");
+        for (const certificateGroup of cg) {
+            if (certificateGroup.nodeClass !== node_opcua_data_model_1.NodeClass.Object) {
+                continue;
+            }
+            const o = certificateGroup;
+            if (!o.typeDefinitionObj.isSubtypeOf(certificateGroupType)) {
+                continue;
+            }
+            yield promoteCertificateGroup(certificateGroup);
+        }
+        yield bindCertificateManager(addressSpace, options);
+    });
+}
+exports.installPushCertificateManagement = installPushCertificateManagement;
 //# sourceMappingURL=push_certificate_manager_helpers.js.map