package cern.c2mon.daq.opcua.connection;

import cern.c2mon.daq.opcua.config.AppConfigProperties;
import cern.c2mon.daq.opcua.config.UriModifier;
import cern.c2mon.daq.opcua.exceptions.CommunicationException;
import cern.c2mon.daq.opcua.exceptions.ConfigurationException;
import cern.c2mon.daq.opcua.exceptions.ExceptionContext;
import cern.c2mon.daq.opcua.exceptions.OPCUAException;
import cern.c2mon.daq.opcua.scope.EquipmentScoped;
import cern.c2mon.daq.opcua.security.CertificateGenerator;
import cern.c2mon.daq.opcua.security.CertificateLoader;
import cern.c2mon.daq.opcua.security.Certifier;
import cern.c2mon.daq.opcua.security.NoSecurityCertifier;
import io.netty.util.internal.StringUtil;
import java.io.File;
import java.io.IOException;
import java.net.UnknownHostException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Comparator;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.CompletionException;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import org.eclipse.milo.opcua.sdk.client.OpcUaClient;
import org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfig;
import org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfigBuilder;
import org.eclipse.milo.opcua.stack.client.security.ClientCertificateValidator;
import org.eclipse.milo.opcua.stack.client.security.DefaultClientCertificateValidator;
import org.eclipse.milo.opcua.stack.core.UaException;
import org.eclipse.milo.opcua.stack.core.security.DefaultTrustListManager;
import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
import org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned;
import org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@EquipmentScoped
/* loaded from: input_file:cern/c2mon/daq/opcua/connection/SecurityModule.class */
public class SecurityModule {
    private static final Logger log = LoggerFactory.getLogger(SecurityModule.class);
    private final AppConfigProperties config;
    private final UriModifier modifier;
    private final CertificateLoader loader;
    private final CertificateGenerator generator;
    private final NoSecurityCertifier noSecurity;
    private final List<AppConfigProperties.CertifierMode> certifiers = new ArrayList();
    private OpcUaClientConfigBuilder builder;

    public OpcUaClient createClient(String str, Collection<EndpointDescription> collection) throws OPCUAException {
        this.builder = OpcUaClientConfig.builder().setApplicationName(LocalizedText.english(this.config.getApplicationName())).setApplicationUri(this.config.getApplicationUri()).setRequestTimeout(Unsigned.uint(this.config.getRequestTimeout())).setCertificateValidator(getValidator());
        List<EndpointDescription> list = (List) collection.stream().map(endpointDescription -> {
            return new EndpointDescription(this.modifier.updateEndpointUrl(str, endpointDescription.getEndpointUrl()), endpointDescription.getServer(), endpointDescription.getServerCertificate(), endpointDescription.getSecurityMode(), endpointDescription.getSecurityPolicyUri(), endpointDescription.getUserIdentityTokens(), endpointDescription.getTransportProfileUri(), endpointDescription.getSecurityLevel());
        }).sorted(Comparator.comparing((v0) -> {
            return v0.getSecurityLevel();
        }).reversed()).collect(Collectors.toList());
        sortCertifiers();
        return attemptConnection(list);
    }

    private ClientCertificateValidator getValidator() throws ConfigurationException {
        if (this.config.isTrustAllServers()) {
            return new ClientCertificateValidator.InsecureValidator();
        }
        if (StringUtil.isNullOrEmpty(this.config.getPkiBaseDir())) {
            throw new ConfigurationException(ExceptionContext.PKI_ERROR);
        }
        try {
            return new DefaultClientCertificateValidator(new DefaultTrustListManager(new File(this.config.getPkiBaseDir())));
        } catch (IOException e) {
            throw new ConfigurationException(ExceptionContext.PKI_ERROR, e);
        }
    }

    private void sortCertifiers() {
        if (this.certifiers.isEmpty() && this.config.getCertifierPriority() != null) {
            this.certifiers.addAll((Collection) this.config.getCertifierPriority().entrySet().stream().filter(entry -> {
                return ((Integer) entry.getValue()).intValue() != 0;
            }).sorted((entry2, entry3) -> {
                return Integer.compare(((Integer) entry3.getValue()).intValue(), ((Integer) entry2.getValue()).intValue());
            }).map((v0) -> {
                return v0.getKey();
            }).collect(Collectors.toList()));
            log.info("Sorted certifiers into order: {}", this.certifiers.stream().map((v0) -> {
                return v0.name();
            }).collect(Collectors.joining(", ")));
        }
        if (this.certifiers.isEmpty()) {
            this.certifiers.add(AppConfigProperties.CertifierMode.NO_SECURITY);
        }
    }

    private OpcUaClient attemptConnection(List<EndpointDescription> list) throws OPCUAException {
        OpcUaClient opcUaClient = null;
        for (int i = 0; i < this.certifiers.size(); i++) {
            Certifier certifierForMode = getCertifierForMode(this.certifiers.get(i));
            log.info("Attempt connection with Certifier '{}'! ", certifierForMode.getClass().getName());
            try {
                opcUaClient = attemptConnectionWithCertifier(list, certifierForMode);
                break;
            } catch (OPCUAException e) {
                log.info("Unable to connect with Certifier {}. Last encountered exception: ", certifierForMode.getClass().getName(), e);
                if (i >= this.certifiers.size() - 1) {
                    throw e;
                }
            }
        }
        return opcUaClient;
    }

    private Certifier getCertifierForMode(AppConfigProperties.CertifierMode certifierMode) {
        switch (certifierMode) {
            case LOAD:
                return this.loader;
            case GENERATE:
                return this.generator;
            default:
                return this.noSecurity;
        }
    }

    private OpcUaClient attemptConnectionWithCertifier(List<EndpointDescription> list, Certifier certifier) throws OPCUAException {
        CompletionException completionException = null;
        Stream<EndpointDescription> stream = list.stream();
        Objects.requireNonNull(certifier);
        Iterator it = ((List) stream.filter(certifier::supportsAlgorithm).collect(Collectors.toList())).iterator();
        while (true) {
            if (!it.hasNext()) {
                break;
            }
            EndpointDescription endpointDescription = (EndpointDescription) it.next();
            if (certifier.canCertify(endpointDescription)) {
                log.info("Attempt authentication with mode {} and algorithm {}. ", endpointDescription.getSecurityMode(), endpointDescription.getSecurityPolicyUri());
                certifier.certify(this.builder, endpointDescription);
                try {
                    OpcUaClient opcUaClient = (OpcUaClient) OpcUaClient.create(this.builder.build()).connect().join();
                    certifier.uncertify(this.builder);
                    return opcUaClient;
                } catch (CompletionException e) {
                    completionException = e;
                    if (!handleAndShouldContinue(certifier, e)) {
                        certifier.uncertify(this.builder);
                        break;
                    }
                    certifier.uncertify(this.builder);
                } catch (UaException e2) {
                    try {
                        completionException = e2;
                        log.debug("Unsupported transport in endpoint URI. Attempting less secure endpoint", e2);
                        certifier.uncertify(this.builder);
                    } catch (Throwable th) {
                        certifier.uncertify(this.builder);
                        throw th;
                    }
                }
            }
        }
        if (completionException == null) {
            throw new CommunicationException(ExceptionContext.AUTH_ERROR);
        }
        throw OPCUAException.of(ExceptionContext.AUTH_ERROR, completionException, false);
    }

    private boolean handleAndShouldContinue(Certifier certifier, CompletionException completionException) {
        UaException cause = completionException.getCause();
        log.debug("Authentication error: ", cause);
        if (cause instanceof UnknownHostException) {
            log.debug("The host is unknown. Check if the server returns local URIs and configure replacement if required.");
            return false;
        }
        if (!(cause instanceof UaException)) {
            log.debug("Unexpected error in connection.");
            return false;
        }
        long value = cause.getStatusCode().getValue();
        if (OPCUAException.isSecurityIssue(cause)) {
            log.error("Your app security settings for Certifier {} seem to be invalid.", certifier.getClass().getName());
            return false;
        }
        if (certifier.isSevereError(value)) {
            log.error("Cannot connect to this server with Certifier {}.", certifier.getClass().getName());
            return false;
        }
        log.debug("Attempting less secure endpoint: ", completionException);
        return true;
    }

    public SecurityModule(AppConfigProperties appConfigProperties, UriModifier uriModifier, CertificateLoader certificateLoader, CertificateGenerator certificateGenerator, NoSecurityCertifier noSecurityCertifier) {
        this.config = appConfigProperties;
        this.modifier = uriModifier;
        this.loader = certificateLoader;
        this.generator = certificateGenerator;
        this.noSecurity = noSecurityCertifier;
    }
}
