package de.fraunhofer.iosb.ilt.faaast.service.assetconnection.opcua.util;

import de.fraunhofer.iosb.ilt.faaast.service.assetconnection.AssetConnectionException;
import de.fraunhofer.iosb.ilt.faaast.service.assetconnection.opcua.OpcUaAssetConnectionConfig;
import de.fraunhofer.iosb.ilt.faaast.service.certificate.CertificateData;
import de.fraunhofer.iosb.ilt.faaast.service.certificate.util.KeyStoreHelper;
import de.fraunhofer.iosb.ilt.faaast.service.config.CertificateConfig;
import de.fraunhofer.iosb.ilt.faaast.service.exception.ConfigurationInitializationException;
import de.fraunhofer.iosb.ilt.faaast.service.util.Ensure;
import de.fraunhofer.iosb.ilt.faaast.service.util.StringHelper;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.GeneralSecurityException;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.function.Consumer;
import java.util.stream.Collectors;
import org.apache.jena.atlas.json.io.JSWriter;
import org.eclipse.milo.opcua.sdk.client.OpcUaClient;
import org.eclipse.milo.opcua.sdk.client.api.identity.AnonymousProvider;
import org.eclipse.milo.opcua.sdk.client.api.identity.IdentityProvider;
import org.eclipse.milo.opcua.sdk.client.api.identity.UsernameProvider;
import org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider;
import org.eclipse.milo.opcua.stack.client.security.DefaultClientCertificateValidator;
import org.eclipse.milo.opcua.stack.core.StatusCodes;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.UaServiceFaultException;
import org.eclipse.milo.opcua.stack.core.security.DefaultTrustListManager;
import org.eclipse.milo.opcua.stack.core.transport.TransportProfile;
import org.eclipse.milo.opcua.stack.core.types.builtin.DataValue;
import org.eclipse.milo.opcua.stack.core.types.builtin.ExpandedNodeId;
import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
import org.eclipse.milo.opcua.stack.core.types.builtin.NodeId;
import org.eclipse.milo.opcua.stack.core.types.builtin.StatusCode;
import org.eclipse.milo.opcua.stack.core.types.builtin.Variant;
import org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned;
import org.eclipse.milo.opcua.stack.core.types.enumerated.TimestampsToReturn;
import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:de/fraunhofer/iosb/ilt/faaast/service/assetconnection/opcua/util/OpcUaHelper.class */
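/**
 * Static helpers for the OPC UA asset connection: node id parsing, value read/write, client
 * creation and connection, and loading of the client's application and authentication
 * certificates.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 * <li>Server certificates are validated by a {@link DefaultClientCertificateValidator} backed by a
 * trust list located under the configured security base directory.</li>
 * <li>Endpoints are selected strictly by the configured security policy, security mode and
 * transport profile; this class contains no fallback to a different endpoint.</li>
 * <li>Client certificates that cannot be loaded are replaced by a newly generated self-signed
 * certificate, see {@link #loadApplicationCertificate} and {@link #loadAuthenticationCertificate}.</li>
 * </ul>
 */
public class OpcUaHelper {
    /** Separator character used between the parts of a textual node id. */
    public static final String NODE_ID_SEPARATOR = ";";
    /** Application URI used when the application certificate does not carry a SAN URI. */
    public static final String APPLICATION_URI = "urn:de:fraunhofer:iosb:ilt:faaast:service:assetconnection:opcua";
    public static final String APPLICATION_NAME = "FA³ST Asset Connection";
    private static final Logger LOGGER = LoggerFactory.getLogger(OpcUaHelper.class);
    // Order matters: detectTransportProfile returns the first profile whose scheme prefixes the host.
    private static final List<TransportProfile> SUPPORTED_TRANSPORT_SCHEMES = List.of(TransportProfile.TCP_UASC_UABINARY, TransportProfile.HTTPS_UABINARY, TransportProfile.WSS_UASC_UABINARY);

    private OpcUaHelper() {
        // utility class, not meant to be instantiated
    }

    /**
     * Throws if the given status code is bad; does nothing otherwise.
     *
     * <p>The exception message starts with {@code str}. When {@link StatusCodes#lookup} knows the
     * code, its first entry is appended after {@code " - "} and its second entry as
     * {@code " (details: ...)"}.
     *
     * @param statusCode the status code to check
     * @param str the message prefix describing the failed operation
     * @throws AssetConnectionException if {@code statusCode.isBad()}
     */
    public static void checkStatusCode(StatusCode statusCode, String str) throws AssetConnectionException {
        if (!statusCode.isBad()) {
            return;
        }
        String message = str;
        Optional<String[]> lookup = StatusCodes.lookup(statusCode.getValue());
        if (lookup.isPresent()) {
            String[] info = lookup.get();
            if (info.length >= 1) {
                message = message + " - " + info[0];
            }
            if (info.length > 1) {
                message = message + " (details: " + info[1] + ")";
            }
        }
        throw new AssetConnectionException(message);
    }

    /**
     * Parses a textual node id and resolves it against the client's namespace table.
     *
     * @param opcUaClient the client whose namespace table is used for resolution
     * @param str the textual (expanded) node id
     * @return the resolved node id
     * @throws IllegalArgumentException if parsing or resolving fails for any reason; the original
     *         exception is kept as the cause
     */
    public static NodeId parseNodeId(OpcUaClient opcUaClient, String str) {
        try {
            return ExpandedNodeId.parse(str).toNodeIdOrThrow(opcUaClient.getNamespaceTable());
        } catch (Exception e) {
            throw new IllegalArgumentException(e.getMessage(), e);
        }
    }

    /**
     * Reads the current value of a variable node, blocking until the server responds.
     *
     * @param opcUaClient the connected client
     * @param str the textual node id of the variable
     * @return the value read, requested with max age 0 and without timestamps
     * @throws UaException if the variable node cannot be obtained from the address space
     * @throws InterruptedException if the calling thread is interrupted while waiting
     * @throws ExecutionException if the read request fails
     */
    public static DataValue readValue(OpcUaClient opcUaClient, String str) throws UaException, InterruptedException, ExecutionException {
        // The node is looked up in the address space first, so an id that does not denote a
        // variable node fails here rather than in the read request.
        NodeId nodeId = opcUaClient.getAddressSpace().getVariableNode(parseNodeId(opcUaClient, str)).getNodeId();
        return opcUaClient.readValue(0.0d, TimestampsToReturn.Neither, nodeId).get();
    }

    /**
     * Writes a value to a variable node, blocking until the server responds.
     *
     * @param opcUaClient the connected client
     * @param str the textual node id of the variable
     * @param obj the value to write; it is wrapped in a {@link Variant} as-is
     * @return the status code returned for the write; callers have to check it themselves, e.g.
     *         with {@link #checkStatusCode}
     * @throws UaException if the variable node cannot be obtained from the address space
     * @throws InterruptedException if the calling thread is interrupted while waiting
     * @throws ExecutionException if the write request fails
     */
    public static StatusCode writeValue(OpcUaClient opcUaClient, String str, Object obj) throws UaException, InterruptedException, ExecutionException {
        NodeId nodeId = opcUaClient.getAddressSpace().getVariableNode(parseNodeId(opcUaClient, str)).getNodeId();
        return opcUaClient.writeValue(nodeId, new DataValue(new Variant(obj))).get();
    }

    /**
     * Creates a client from the configuration, lets the caller customize it, then connects.
     *
     * @param opcUaAssetConnectionConfig the connection configuration
     * @param consumer optional hook invoked with the created client before connecting; may be
     *        {@code null}
     * @return the connected client
     * @throws AssetConnectionException if creating or connecting the client fails
     * @throws ConfigurationInitializationException if the security configuration is invalid
     */
    public static OpcUaClient connect(OpcUaAssetConnectionConfig opcUaAssetConnectionConfig, Consumer<OpcUaClient> consumer) throws AssetConnectionException, ConfigurationInitializationException {
        OpcUaClient client = createClient(opcUaAssetConnectionConfig);
        if (consumer != null) {
            consumer.accept(client);
        }
        return connect(client);
    }

    /**
     * Creates a client from the configuration and connects it.
     *
     * @param opcUaAssetConnectionConfig the connection configuration
     * @return the connected client
     * @throws AssetConnectionException if creating or connecting the client fails
     * @throws ConfigurationInitializationException if the security configuration is invalid
     */
    public static OpcUaClient connect(OpcUaAssetConnectionConfig opcUaAssetConnectionConfig) throws AssetConnectionException, ConfigurationInitializationException {
        return connect(createClient(opcUaAssetConnectionConfig));
    }

    /**
     * Selects the identity provider matching the configured user token type.
     *
     * @param opcUaAssetConnectionConfig the connection configuration
     * @return the identity provider to authenticate the session with
     * @throws ConfigurationInitializationException if the token type is unsupported, the user name
     *         is blank, or the authentication certificate cannot be loaded
     */
    private static IdentityProvider getIdentityProvider(OpcUaAssetConnectionConfig opcUaAssetConnectionConfig) throws ConfigurationInitializationException {
        switch (opcUaAssetConnectionConfig.getUserTokenType()) {
            case Certificate:
                return getIdentityProviderCertificate(opcUaAssetConnectionConfig);
            case UserName:
                // Only the user name is validated here; the password is handed over unchecked.
                if (StringHelper.isBlank(opcUaAssetConnectionConfig.getUsername())) {
                    throw new ConfigurationInitializationException("no user name specified!");
                }
                return new UsernameProvider(opcUaAssetConnectionConfig.getUsername(), opcUaAssetConnectionConfig.getPassword());
            case Anonymous:
                return AnonymousProvider.INSTANCE;
            default:
                throw new ConfigurationInitializationException(String.format("UserTokenType %s not supported", opcUaAssetConnectionConfig.getUserTokenType().toString()));
        }
    }

    /**
     * Builds an X.509 identity provider from the configured authentication key store.
     *
     * <p>The key store path is used as given if that file exists, otherwise it is resolved
     * against the security base directory. Unlike the application certificate, a missing
     * authentication key store is an error.
     *
     * @param opcUaAssetConnectionConfig the connection configuration
     * @return an identity provider holding the certificate and its private key
     * @throws ConfigurationInitializationException if no key store is configured, the file does
     *         not exist, or loading it fails
     */
    private static IdentityProvider getIdentityProviderCertificate(OpcUaAssetConnectionConfig opcUaAssetConnectionConfig) throws ConfigurationInitializationException {
        if (Objects.isNull(opcUaAssetConnectionConfig.getAuthenticationCertificate()) || Objects.isNull(opcUaAssetConnectionConfig.getAuthenticationCertificate().getKeyStorePath())) {
            throw new ConfigurationInitializationException("no authentication certificate specified!");
        }
        File keyStoreFile = new File(opcUaAssetConnectionConfig.getAuthenticationCertificate().getKeyStorePath());
        if (!keyStoreFile.exists()) {
            keyStoreFile = opcUaAssetConnectionConfig.getSecurityBaseDir().resolve(keyStoreFile.toPath()).toFile();
        }
        if (!keyStoreFile.exists()) {
            throw new ConfigurationInitializationException(String.format("OPC UA client authentication certificate file not found (file: %s)", opcUaAssetConnectionConfig.getAuthenticationCertificate().getKeyStorePath()));
        }
        try {
            // NOTE(review): the file is known to exist at this point, yet the helper is the
            // "load or create" variant. Confirm in KeyStoreHelper that an unreadable key store
            // (e.g. wrong password) fails here instead of being replaced by a new certificate.
            CertificateData certificateData = KeyStoreHelper.loadOrCreateCertificateData(
                    CertificateConfig.builder()
                            .keyStoreType(opcUaAssetConnectionConfig.getAuthenticationCertificate().getKeyStoreType())
                            .keyStorePath(keyStoreFile)
                            .keyStorePassword(opcUaAssetConnectionConfig.getAuthenticationCertificate().getKeyStorePassword())
                            .keyPassword(opcUaAssetConnectionConfig.getAuthenticationCertificate().getKeyPassword())
                            .build(),
                    OpcUaConstants.DEFAULT_APPLICATION_CERTIFICATE_INFO);
            return new X509IdentityProvider(certificateData.getCertificate(), certificateData.getKeyPair().getPrivate());
        } catch (IOException | GeneralSecurityException e) {
            throw new ConfigurationInitializationException(String.format("error loading OPC UA client authentication certificate file (file: %s)", opcUaAssetConnectionConfig.getAuthenticationCertificate().getKeyStorePath()), e);
        }
    }

    /**
     * Determines the transport profile from the scheme prefix of an endpoint address.
     *
     * @param str the endpoint address ("host")
     * @return the first supported profile whose scheme is a prefix of {@code str}
     * @throws IllegalArgumentException if {@code str} starts with none of the supported schemes
     */
    public static TransportProfile detectTransportProfile(String str) {
        Ensure.requireNonNull(str, "host must be non-null");
        return SUPPORTED_TRANSPORT_SCHEMES.stream()
                .filter(profile -> str.startsWith(profile.getScheme()))
                .findFirst()
                .orElseThrow(() -> new IllegalArgumentException(String.format(
                        "unsupported transport protocol scheme (host: %s, supported schemes: %s)",
                        str,
                        SUPPORTED_TRANSPORT_SCHEMES.stream()
                                .map(TransportProfile::getScheme)
                                .collect(Collectors.joining(JSWriter.ArraySep)))));
    }

    /**
     * Tries to load certificate data from a key store file.
     *
     * <p>The four string arguments are passed through to
     * {@code KeyStoreHelper.loadCertificateData} unchanged; {@code createClient} supplies them as
     * key store type, key alias, key password and key store password, in that order.
     *
     * @return the certificate data, or empty if loading failed for any I/O or security reason
     */
    private static Optional<CertificateData> loadCertificate(File file, String keyStoreType, String keyAlias, String keyPassword, String keyStorePassword) {
        try {
            return Optional.of(KeyStoreHelper.loadCertificateData(file, keyStoreType, keyAlias, keyPassword, keyStorePassword));
        } catch (IOException | GeneralSecurityException e) {
            // A missing file, a wrong password and a corrupt key store all end up here and are
            // indistinguishable to the caller, so at least record the reason. Only the file name
            // is logged, never the passwords.
            LOGGER.debug("Unable to load OPC UA client certificate from {}", file, e);
            return Optional.empty();
        }
    }

    /**
     * Loads the client authentication certificate, generating a self-signed one if none can be
     * loaded.
     *
     * @param path the security base directory used to resolve {@code file}
     * @param file the key store file, absolute or relative to {@code path}
     * @param str the key store type
     * @param str2 the key alias
     * @param str3 the key password
     * @param str4 the key store password
     * @return the loaded or newly generated certificate data
     * @throws ConfigurationInitializationException if generating or saving a new certificate fails
     */
    public static CertificateData loadAuthenticationCertificate(Path path, File file, String str, String str2, String str3, String str4) throws ConfigurationInitializationException {
        return loadCertificate("authentication", path, file, str, str2, str3, str4);
    }

    /**
     * Loads the client application certificate, generating a self-signed one if none can be
     * loaded.
     *
     * @param path the security base directory used to resolve {@code file}
     * @param file the key store file, absolute or relative to {@code path}
     * @param str the key store type
     * @param str2 the key alias
     * @param str3 the key password
     * @param str4 the key store password
     * @return the loaded or newly generated certificate data
     * @throws ConfigurationInitializationException if generating or saving a new certificate fails
     */
    public static CertificateData loadApplicationCertificate(Path path, File file, String str, String str2, String str3, String str4) throws ConfigurationInitializationException {
        return loadCertificate("application", path, file, str, str2, str3, str4);
    }

    /**
     * Loads a client certificate from {@code file}, then from {@code file} resolved against
     * {@code baseDir}, and finally falls back to generating and saving a self-signed certificate.
     *
     * @param kind label used in log and error messages ("application" or "authentication")
     * @param baseDir the security base directory
     * @param file the key store file, absolute or relative to {@code baseDir}
     * @return the loaded or newly generated certificate data
     * @throws ConfigurationInitializationException if generating or saving a new certificate fails
     */
    private static CertificateData loadCertificate(String kind, Path baseDir, File file, String keyStoreType, String keyAlias, String keyPassword, String keyStorePassword) throws ConfigurationInitializationException {
        Optional<CertificateData> certificateData = loadCertificate(file, keyStoreType, keyAlias, keyPassword, keyStorePassword);
        if (certificateData.isPresent()) {
            LOGGER.debug("Using OPC UA client {} certificate from {}", kind, file);
            return certificateData.get();
        }
        Path resolved = baseDir.resolve(file.toPath());
        certificateData = loadCertificate(resolved.toFile(), keyStoreType, keyAlias, keyPassword, keyStorePassword);
        if (certificateData.isPresent()) {
            LOGGER.debug("Using OPC UA client {} certificate from {}", kind, resolved);
            return certificateData.get();
        }
        try {
            // NOTE(review): this fallback is reached for every load failure, not only for a
            // missing file. With a wrong password or a damaged key store the client silently
            // continues with a fresh self-signed identity, and the save below targets the
            // configured path; whether an existing key store is overwritten depends on
            // KeyStoreHelper.save and should be confirmed. Consider failing instead when the
            // target file already exists.
            CertificateData generated = KeyStoreHelper.generateSelfSigned(OpcUaConstants.DEFAULT_APPLICATION_CERTIFICATE_INFO);
            KeyStoreHelper.save(generated, file.isAbsolute() ? file : resolved.toFile(), keyStoreType, keyAlias, keyPassword, keyStorePassword);
            LOGGER.debug("Generating new OPC UA client {} certificate", kind);
            return generated;
        } catch (IOException | GeneralSecurityException e) {
            throw new ConfigurationInitializationException(String.format("error generating OPC UA client %s certificate", kind), e);
        }
    }

    /**
     * Creates an unconnected client for the configured host.
     *
     * <p>The endpoint is the first one offered by the server that matches the configured security
     * policy URI, security mode and transport profile URI.
     *
     * @param opcUaAssetConnectionConfig the connection configuration
     * @return the created client
     * @throws AssetConnectionException if the client cannot be created
     * @throws ConfigurationInitializationException if certificates or the security directory
     *         cannot be initialized
     */
    private static OpcUaClient createClient(OpcUaAssetConnectionConfig opcUaAssetConnectionConfig) throws AssetConnectionException, ConfigurationInitializationException {
        // NOTE(review): the application certificate is loaded (and possibly saved below the
        // security base directory) before that directory is created further down — confirm that
        // KeyStoreHelper.save creates missing parent directories.
        CertificateData applicationCertificate = loadApplicationCertificate(
                opcUaAssetConnectionConfig.getSecurityBaseDir(),
                new File(opcUaAssetConnectionConfig.getApplicationCertificate().getKeyStorePath()),
                opcUaAssetConnectionConfig.getApplicationCertificate().getKeyStoreType(),
                opcUaAssetConnectionConfig.getApplicationCertificate().getKeyAlias(),
                opcUaAssetConnectionConfig.getApplicationCertificate().getKeyPassword(),
                opcUaAssetConnectionConfig.getApplicationCertificate().getKeyStorePassword());
        try {
            Files.createDirectories(opcUaAssetConnectionConfig.getSecurityBaseDir());
            // Server certificates are checked against the trust list kept in the PKI directory.
            DefaultClientCertificateValidator certificateValidator = new DefaultClientCertificateValidator(
                    new DefaultTrustListManager(SecurityPathHelper.pki(opcUaAssetConnectionConfig.getSecurityBaseDir()).toFile()));
            IdentityProvider identityProvider = getIdentityProvider(opcUaAssetConnectionConfig);
            try {
                return OpcUaClient.create(
                        opcUaAssetConnectionConfig.getHost(),
                        // Exact match on policy, mode and transport; an endpoint with different
                        // security settings is never picked as a substitute.
                        endpoints -> endpoints.stream()
                                .filter(endpoint -> endpoint.getSecurityPolicyUri().equals(opcUaAssetConnectionConfig.getSecurityPolicy().getUri()))
                                .filter(endpoint -> endpoint.getSecurityMode() == opcUaAssetConnectionConfig.getSecurityMode())
                                .filter(endpoint -> Objects.equals(opcUaAssetConnectionConfig.getTransportProfile().getUri(), endpoint.getTransportProfileUri()))
                                .findFirst(),
                        configBuilder -> configBuilder
                                .setApplicationName(LocalizedText.english(OpcUaConstants.CERTIFICATE_APPLICATION_NAME))
                                // Prefer the URI from the certificate's subject alternative name.
                                .setApplicationUri(CertificateUtil.getSanUri(applicationCertificate.getCertificate()).orElse(APPLICATION_URI))
                                .setIdentityProvider(identityProvider)
                                .setRequestTimeout(Unsigned.uint(opcUaAssetConnectionConfig.getRequestTimeout()))
                                .setAcknowledgeTimeout(Unsigned.uint(opcUaAssetConnectionConfig.getAcknowledgeTimeout()))
                                .setKeyPair(applicationCertificate.getKeyPair())
                                .setCertificate(applicationCertificate.getCertificate())
                                .setCertificateChain(applicationCertificate.getCertificateChain())
                                .setCertificateValidator(certificateValidator)
                                .build());
            } catch (UaException e) {
                throw new AssetConnectionException(String.format("error creating OPC UA client (host: %s)", opcUaAssetConnectionConfig.getHost()), e);
            }
        } catch (IOException e) {
            throw new ConfigurationInitializationException("unable to initialize OPC UA client security", e);
        }
    }

    /**
     * Connects the given client and waits for the connection to be established.
     *
     * @param opcUaClient the client to connect
     * @return the same client, now connected
     * @throws AssetConnectionException if connecting fails or the thread is interrupted
     * @throws IllegalArgumentException if the server rejects the identity token or denies access
     */
    private static OpcUaClient connect(OpcUaClient opcUaClient) throws AssetConnectionException {
        try {
            opcUaClient.connect().get();
            return opcUaClient;
        } catch (InterruptedException e) {
            // Restore the interrupt flag so callers further up can still observe the interruption.
            Thread.currentThread().interrupt();
            throw new AssetConnectionException(String.format("error opening OPC UA connection (host: %s)", opcUaClient.getConfig().getEndpoint().getEndpointUrl()), e);
        } catch (ExecutionException e) {
            // A service fault can only arrive wrapped as the cause of the ExecutionException.
            if (e.getCause() instanceof UaServiceFaultException) {
                checkUserAuthenticationError((UaServiceFaultException) e.getCause(), opcUaClient.getConfig().getEndpoint().getEndpointUrl());
            }
            throw new AssetConnectionException(String.format("error opening OPC UA connection (host: %s)", opcUaClient.getConfig().getEndpoint().getEndpointUrl()), e);
        }
    }

    /**
     * Translates authentication-related service faults into an {@link IllegalArgumentException};
     * returns normally for every other status code.
     *
     * @param uaServiceFaultException the service fault reported by the server
     * @param str the endpoint URL, used in the error message
     * @throws IllegalArgumentException if the fault is Bad_IdentityTokenRejected,
     *         Bad_IdentityTokenInvalid or Bad_UserAccessDenied
     */
    private static void checkUserAuthenticationError(UaServiceFaultException uaServiceFaultException, String str) {
        long code = uaServiceFaultException.getStatusCode().getValue();
        if (code == StatusCodes.Bad_IdentityTokenRejected || code == StatusCodes.Bad_IdentityTokenInvalid) {
            throw new IllegalArgumentException(String.format("Identity Token invalid (host: %s)", str));
        }
        if (code == StatusCodes.Bad_UserAccessDenied) {
            throw new IllegalArgumentException(String.format("Access Denied (host: %s)", str));
        }
    }
}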
