feat(apache#3822): Support OPC-UA certificate authentication (apache#3823)

Author: dominikriemer

streampipes-extensions/streampipes-connectors-opcua/src/main/java/org/apache/streampipes/extensions/connectors/opcua/OpcUaConnectorsModuleExport.java

@@ -29,7 +29,9 @@
 import org.apache.streampipes.extensions.connectors.opcua.migration.OpcUaAdapterMigrationV3;
 import org.apache.streampipes.extensions.connectors.opcua.migration.OpcUaAdapterMigrationV4;
 import org.apache.streampipes.extensions.connectors.opcua.migration.OpcUaAdapterMigrationV5;
+import org.apache.streampipes.extensions.connectors.opcua.migration.OpcUaAdapterMigrationV6;
 import org.apache.streampipes.extensions.connectors.opcua.migration.OpcUaSinkMigrationV1;
+import org.apache.streampipes.extensions.connectors.opcua.migration.OpcUaSinkMigrationV2;
 import org.apache.streampipes.extensions.connectors.opcua.sink.OpcUaSink;
 
 import java.util.List;
@@ -64,7 +66,9 @@ public List<IStreamPipesPipelineElement<?>> pipelineElements() {
         new OpcUaAdapterMigrationV3(),
         new OpcUaAdapterMigrationV4(),
         new OpcUaAdapterMigrationV5(),
-        new OpcUaSinkMigrationV1()
+        new OpcUaAdapterMigrationV6(),
+        new OpcUaSinkMigrationV1(),
+        new OpcUaSinkMigrationV2()
     );
   }
 }

streampipes-extensions/streampipes-connectors-opcua/src/main/java/org/apache/streampipes/extensions/connectors/opcua/adapter/OpcUaAdapter.java

@@ -237,7 +237,7 @@ public StaticProperty resolveConfiguration(String staticPropertyInternalName,
 
   @Override
   public IAdapterConfiguration declareConfig() {
-    var builder = AdapterConfigurationBuilder.create(ID, 5, () -> new OpcUaAdapter(clientProvider))
+    var builder = AdapterConfigurationBuilder.create(ID, 6, () -> new OpcUaAdapter(clientProvider))
         .withAssets(ExtensionAssetType.DOCUMENTATION, ExtensionAssetType.ICON)
         .withLocales(Locales.EN)
         .withCategory(AdapterType.Generic, AdapterType.Manufacturing)

streampipes-extensions/streampipes-connectors-opcua/src/main/java/org/apache/streampipes/extensions/connectors/opcua/config/SharedUserConfiguration.java

@@ -56,6 +56,9 @@ public class SharedUserConfiguration {
   public static final String SECURITY_POLICY = "securityPolicy";
   public static final String USER_AUTHENTICATION = "userAuthentication";
   public static final String USER_AUTHENTICATION_ANONYMOUS = "anonymous";
+  public static final String X509_GROUP = "x509Group";
+  public static final String X509_PRIVATE_KEY_PEM = "x509PrivateKeyPem";
+  public static final String X509_PUBLIC_KEY_PEM = "x509PublicKeyPem";
 
   public static OneOfStaticProperty makeNamingStrategyOption() {
     return StaticProperties.singleValueSelection(
@@ -72,6 +75,13 @@ public static void appendSharedOpcUaConfig(AbstractConfigurablePipelineElementBu
 
     var dependsOn = getDependsOn(adapterConfig);
 
+    var x509Group = StaticProperties.group(
+            Labels.withId(X509_GROUP),
+            StaticProperties.secretValue(Labels.withId(X509_PRIVATE_KEY_PEM)),
+            StaticProperties.stringFreeTextProperty(Labels.withId(X509_PUBLIC_KEY_PEM), true, false));
+
+    x509Group.setHorizontalRendering(false);
+
     builder
         .requiredSingleValueSelection(
             Labels.withId(SECURITY_MODE),
@@ -89,7 +99,8 @@ public static void appendSharedOpcUaConfig(AbstractConfigurablePipelineElementBu
                     StaticProperties.stringFreeTextProperty(
                         Labels.withId(USERNAME)),
                     StaticProperties.secretValue(Labels.withId(PASSWORD))
-                ))
+                )),
+            Alternatives.from(Labels.withId(X509_GROUP), x509Group)
         )
         .requiredAlternatives(Labels.withId(OPC_HOST_OR_URL),
             Alternatives.from(

streampipes-extensions/streampipes-connectors-opcua/src/main/java/org/apache/streampipes/extensions/connectors/opcua/config/SpOpcUaConfigExtractor.java

@@ -23,6 +23,7 @@
 import org.apache.streampipes.extensions.api.extractor.IStaticPropertyExtractor;
 import org.apache.streampipes.extensions.connectors.opcua.config.identity.AnonymousIdentityConfig;
 import org.apache.streampipes.extensions.connectors.opcua.config.identity.UsernamePasswordIdentityConfig;
+import org.apache.streampipes.extensions.connectors.opcua.config.identity.X509IdentityConfig;
 import org.apache.streampipes.extensions.connectors.opcua.config.security.SecurityConfig;
 import org.apache.streampipes.extensions.connectors.opcua.utils.OpcUaLabels;
 import org.apache.streampipes.extensions.connectors.opcua.utils.OpcUaNamingStrategy;
@@ -44,6 +45,7 @@
 import static org.apache.streampipes.extensions.connectors.opcua.utils.OpcUaLabels.PULLING_INTERVAL;
 import static org.apache.streampipes.extensions.connectors.opcua.utils.OpcUaLabels.PULL_MODE;
 import static org.apache.streampipes.extensions.connectors.opcua.utils.OpcUaLabels.USERNAME;
+import static org.apache.streampipes.extensions.connectors.opcua.utils.OpcUaLabels.USERNAME_GROUP;
 
 public class SpOpcUaConfigExtractor {
 
@@ -128,15 +130,16 @@ public static <T extends OpcUaConfig> T extractSharedConfig(IParameterExtractor
       config.setOpcServerURL(serverAddress + ":" + port);
     }
 
-    boolean unauthenticated = selectedAlternativeAuthentication.equals(
-        SharedUserConfiguration.USER_AUTHENTICATION_ANONYMOUS
-    );
-    if (unauthenticated) {
+    if (selectedAlternativeAuthentication.equals(SharedUserConfiguration.USER_AUTHENTICATION_ANONYMOUS)) {
       config.setIdentityConfig(new AnonymousIdentityConfig());
-    } else {
+    } else if (selectedAlternativeAuthentication.equals(USERNAME_GROUP.name())) {
       String username = extractor.singleValueParameter(USERNAME.name(), String.class);
       String password = extractor.secretValue(PASSWORD.name());
       config.setIdentityConfig(new UsernamePasswordIdentityConfig(username, password));
+    } else {
+      String privateKeyPem = extractor.secretValue(SharedUserConfiguration.X509_PRIVATE_KEY_PEM);
+      String publicKeyPem = extractor.textParameter(SharedUserConfiguration.X509_PUBLIC_KEY_PEM);
+      config.setIdentityConfig(new X509IdentityConfig(publicKeyPem, privateKeyPem));
     }
 
     return config;

streampipes-extensions/streampipes-connectors-opcua/src/main/java/org/apache/streampipes/extensions/connectors/opcua/config/identity/X509IdentityConfig.java

@@ -0,0 +1,114 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.streampipes.extensions.connectors.opcua.config.identity;
+
+import org.apache.commons.codec.digest.DigestUtils;
+import org.eclipse.milo.opcua.sdk.client.api.config.OpcUaClientConfigBuilder;
+import org.eclipse.milo.opcua.sdk.client.api.identity.X509IdentityProvider;
+
+import java.io.ByteArrayInputStream;
+import java.nio.charset.StandardCharsets;
+import java.security.KeyFactory;
+import java.security.PrivateKey;
+import java.security.cert.CertificateFactory;
+import java.security.cert.X509Certificate;
+import java.security.spec.PKCS8EncodedKeySpec;
+import java.util.Base64;
+import java.util.Objects;
+
+public class X509IdentityConfig implements IdentityConfig {
+
+  private final X509Certificate certificate;
+  private final PrivateKey privateKey;
+
+  /**
+   * @param certificatePem String containing one X.509 certificate in PEM
+   *                       (-----BEGIN CERTIFICATE----- ... -----END CERTIFICATE-----)
+   * @param privateKeyPem  String containing a PKCS#8 private key in PEM
+   *                       (-----BEGIN PRIVATE KEY----- ... -----END PRIVATE KEY-----)
+   */
+  public X509IdentityConfig(String certificatePem, String privateKeyPem) {
+    this.certificate = parseCertificatePem(certificatePem);
+    this.privateKey  = parsePrivateKeyPem(privateKeyPem);
+  }
+
+  @Override
+  public void configureIdentity(OpcUaClientConfigBuilder builder) {
+    builder.setIdentityProvider(new X509IdentityProvider(certificate, privateKey));
+  }
+
+  @Override
+  public String toString() {
+    try {
+      String subject = certificate.getSubjectX500Principal().getName();
+      String thumb = DigestUtils.sha256Hex(certificate.getEncoded());
+      return String.format("%s [%s]", subject, thumb);
+    } catch (Exception e) {
+      return "X509PemIdentity";
+    }
+  }
+
+  private X509Certificate parseCertificatePem(String pem) {
+    Objects.requireNonNull(pem, "certificatePem");
+    byte[] der = extractPemBlock(pem, "CERTIFICATE");
+    try {
+      CertificateFactory cf = CertificateFactory.getInstance("X.509");
+      return (X509Certificate) cf.generateCertificate(new ByteArrayInputStream(der));
+    } catch (Exception e) {
+      throw new IllegalArgumentException("Failed to parse X.509 certificate PEM", e);
+    }
+  }
+
+  private PrivateKey parsePrivateKeyPem(String pem) {
+    Objects.requireNonNull(pem, "privateKeyPem");
+    byte[] der = extractPemBlock(pem, "PRIVATE KEY"); // PKCS#8
+    PKCS8EncodedKeySpec spec = new PKCS8EncodedKeySpec(der);
+
+    // Try common algorithms in order.
+    String[] algos = new String[] { "RSA", "EC", "Ed25519", "Ed448" };
+    for (String algo : algos) {
+      try {
+        KeyFactory kf = KeyFactory.getInstance(algo);
+        return kf.generatePrivate(spec);
+      } catch (Exception ignore) {
+        // try next
+      }
+    }
+    throw new IllegalArgumentException(
+        "Unsupported or invalid PKCS#8 private key. " +
+            "Make sure it is an unencrypted PKCS#8 key (BEGIN PRIVATE KEY).");
+  }
+
+  private static byte[] extractPemBlock(String pem, String type) {
+    String begin = "-----BEGIN " + type + "-----";
+    String end   = "-----END " + type + "-----";
+
+    String normalized = pem.replace("\r", "");
+    int start = normalized.indexOf(begin);
+    int stop  = normalized.indexOf(end);
+    if (start < 0 || stop < 0) {
+      throw new IllegalArgumentException("Missing PEM markers for " + type);
+    }
+    String base64 = normalized.substring(start + begin.length(), stop)
+        .replace("\n", "")
+        .replace("\t", "")
+        .replace(" ", "");
+    return Base64.getMimeDecoder().decode(base64.getBytes(StandardCharsets.US_ASCII));
+  }
+}

streampipes-extensions/streampipes-connectors-opcua/src/main/java/org/apache/streampipes/extensions/connectors/opcua/migration/OpcUaAdapterMigrationV6.java

@@ -0,0 +1,76 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.streampipes.extensions.connectors.opcua.migration;
+
+import org.apache.streampipes.extensions.api.extractor.IParameterExtractor;
+import org.apache.streampipes.extensions.api.extractor.IStaticPropertyExtractor;
+import org.apache.streampipes.extensions.api.migration.IAdapterMigrator;
+import org.apache.streampipes.extensions.connectors.opcua.adapter.OpcUaAdapter;
+import org.apache.streampipes.model.connect.adapter.AdapterDescription;
+import org.apache.streampipes.model.extensions.svcdiscovery.SpServiceTagPrefix;
+import org.apache.streampipes.model.migration.MigrationResult;
+import org.apache.streampipes.model.migration.ModelMigratorConfig;
+import org.apache.streampipes.model.staticproperty.StaticProperty;
+import org.apache.streampipes.model.staticproperty.StaticPropertyAlternatives;
+import org.apache.streampipes.sdk.StaticProperties;
+import org.apache.streampipes.sdk.helpers.Alternatives;
+import org.apache.streampipes.sdk.helpers.Labels;
+
+import java.util.List;
+
+import static org.apache.streampipes.extensions.connectors.opcua.config.SharedUserConfiguration.X509_GROUP;
+import static org.apache.streampipes.extensions.connectors.opcua.config.SharedUserConfiguration.X509_PRIVATE_KEY_PEM;
+import static org.apache.streampipes.extensions.connectors.opcua.config.SharedUserConfiguration.X509_PUBLIC_KEY_PEM;
+
+public class OpcUaAdapterMigrationV6 implements IAdapterMigrator {
+  @Override
+  public ModelMigratorConfig config() {
+    return new ModelMigratorConfig(
+        OpcUaAdapter.ID,
+        SpServiceTagPrefix.ADAPTER,
+        5,
+        6
+    );
+  }
+
+  @Override
+  public MigrationResult<AdapterDescription> migrate(AdapterDescription element,
+                                                     IStaticPropertyExtractor extractor) throws RuntimeException {
+    var config = element.getConfig();
+    element.setConfig(migrate(config, 4));
+
+    return MigrationResult.success(element);
+  }
+
+  public List<StaticProperty> migrate(List<StaticProperty> staticProperties,
+                                      int authenticationConfigIndex) {
+    var authentication = staticProperties.get(authenticationConfigIndex);
+
+    if (authentication instanceof StaticPropertyAlternatives) {
+      var group = StaticProperties.group(
+          Labels.withId(X509_GROUP),
+          StaticProperties.secretValue(Labels.withId(X509_PRIVATE_KEY_PEM)),
+          StaticProperties.stringFreeTextProperty(Labels.withId(X509_PUBLIC_KEY_PEM), true, false));
+      group.setHorizontalRendering(false);
+      var x509Alternative = Alternatives.from(Labels.withId(X509_GROUP), group);
+      ((StaticPropertyAlternatives) authentication).getAlternatives().add(x509Alternative);
+    }
+    return staticProperties;
+  }
+}

streampipes-extensions/streampipes-connectors-opcua/src/main/java/org/apache/streampipes/extensions/connectors/opcua/migration/OpcUaSinkMigrationV2.java

@@ -0,0 +1,48 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one or more
+ * contributor license agreements.  See the NOTICE file distributed with
+ * this work for additional information regarding copyright ownership.
+ * The ASF licenses this file to You under the Apache License, Version 2.0
+ * (the "License"); you may not use this file except in compliance with
+ * the License.  You may obtain a copy of the License at
+ *
+ *    http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ */
+
+package org.apache.streampipes.extensions.connectors.opcua.migration;
+
+import org.apache.streampipes.extensions.api.extractor.IDataSinkParameterExtractor;
+import org.apache.streampipes.extensions.api.migration.IDataSinkMigrator;
+import org.apache.streampipes.extensions.connectors.opcua.sink.OpcUaSink;
+import org.apache.streampipes.model.extensions.svcdiscovery.SpServiceTagPrefix;
+import org.apache.streampipes.model.graph.DataSinkInvocation;
+import org.apache.streampipes.model.migration.MigrationResult;
+import org.apache.streampipes.model.migration.ModelMigratorConfig;
+
+public class OpcUaSinkMigrationV2 implements IDataSinkMigrator {
+  @Override
+  public ModelMigratorConfig config() {
+    return new ModelMigratorConfig(
+        OpcUaSink.ID,
+        SpServiceTagPrefix.DATA_SINK,
+        1,
+        2
+    );
+  }
+
+  @Override
+  public MigrationResult<DataSinkInvocation> migrate(DataSinkInvocation element,
+                                                     IDataSinkParameterExtractor extractor) throws RuntimeException {
+    var config = element.getStaticProperties();
+    var migratedConfigs = new OpcUaAdapterMigrationV6().migrate(config, 3);
+    element.setStaticProperties(migratedConfigs);
+    return MigrationResult.success(element);
+  }
+}

streampipes-extensions/streampipes-connectors-opcua/src/main/java/org/apache/streampipes/extensions/connectors/opcua/sink/OpcUaSink.java

@@ -57,7 +57,7 @@ public OpcUaSink(OpcUaClientProvider clientProvider) {
 
   @Override
   public IDataSinkConfiguration declareConfig() {
-    var builder = DataSinkBuilder.create(ID, 0)
+    var builder = DataSinkBuilder.create(ID, 2)
         .withLocales(Locales.EN)
         .withAssets(ExtensionAssetType.DOCUMENTATION, ExtensionAssetType.ICON)
         .category(DataSinkType.FORWARD)

streampipes-extensions/streampipes-connectors-opcua/src/main/resources/org.apache.streampipes.connect.iiot.adapters.opcua/strings.en

@@ -85,3 +85,12 @@ incomplete-event-handling.description=Select how events with missing values (e.g
 
 NAMING_STRATEGY.title=Naming Strategy
 NAMING_STRATEGY.description=Select how the runtime name of the OPC-UA nodes are generated.
+
+x509Group.title=X.509 Certificate
+x509Group.description=
+
+x509PrivateKeyPem.title=Private Key PEM
+x509PrivateKeyPem.description=Private key in PEM format
+
+x509PublicKeyPem.title=Certificate PEM
+x509PublicKeyPem.description=Public key in PEM format

streampipes-extensions/streampipes-connectors-opcua/src/main/resources/org.apache.streampipes.sinks.databases.jvm.opcua/strings.en

@@ -68,3 +68,12 @@ userAuthentication.description=Choose an authentication method for the user
 
 anonymous.title=Anonymous
 anonymous.description=
+
+x509Group.title=X.509 Certificate
+x509Group.description=
+
+x509PrivateKeyPem.title=Private Key PEM
+x509PrivateKeyPem.description=Private key in PEM format
+
+x509PublicKeyPem.title=Certificate PEM
+x509PublicKeyPem.description=Public key in PEM format