package org.apache.iotdb.db.pipe.connector.protocol.opcua;

import com.google.common.collect.Lists;
import java.io.File;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.attribute.FileAttribute;
import java.security.KeyPair;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import org.apache.iotdb.commons.pipe.config.constant.PipeConnectorConstant;
import org.apache.iotdb.db.queryengine.transformation.dag.column.unary.scalar.SubStringFunctionColumnTransformer;
import org.apache.iotdb.db.utils.constant.SqlConstant;
import org.apache.iotdb.pipe.api.exception.PipeException;
import org.eclipse.milo.opcua.sdk.server.OpcUaServer;
import org.eclipse.milo.opcua.sdk.server.api.config.OpcUaServerConfig;
import org.eclipse.milo.opcua.sdk.server.identity.CompositeValidator;
import org.eclipse.milo.opcua.sdk.server.identity.IdentityValidator;
import org.eclipse.milo.opcua.sdk.server.identity.UsernameIdentityValidator;
import org.eclipse.milo.opcua.sdk.server.identity.X509IdentityValidator;
import org.eclipse.milo.opcua.sdk.server.model.nodes.objects.ServerTypeNode;
import org.eclipse.milo.opcua.sdk.server.nodes.UaNode;
import org.eclipse.milo.opcua.sdk.server.util.HostnameUtil;
import org.eclipse.milo.opcua.stack.core.Identifiers;
import org.eclipse.milo.opcua.stack.core.UaRuntimeException;
import org.eclipse.milo.opcua.stack.core.security.DefaultCertificateManager;
import org.eclipse.milo.opcua.stack.core.security.DefaultTrustListManager;
import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
import org.eclipse.milo.opcua.stack.core.transport.TransportProfile;
import org.eclipse.milo.opcua.stack.core.types.builtin.DateTime;
import org.eclipse.milo.opcua.stack.core.types.builtin.LocalizedText;
import org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.Unsigned;
import org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode;
import org.eclipse.milo.opcua.stack.core.types.structured.BuildInfo;
import org.eclipse.milo.opcua.stack.core.types.structured.UserTokenPolicy;
import org.eclipse.milo.opcua.stack.core.util.CertificateUtil;
import org.eclipse.milo.opcua.stack.core.util.SelfSignedCertificateGenerator;
import org.eclipse.milo.opcua.stack.core.util.SelfSignedHttpsCertificateBuilder;
import org.eclipse.milo.opcua.stack.server.EndpointConfiguration;
import org.eclipse.milo.opcua.stack.server.security.DefaultServerCertificateValidator;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/iotdb/db/pipe/connector/protocol/opcua/OpcUaServerBuilder.class */
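/**
 * Builds the embedded Milo {@link OpcUaServer} used by the OPC UA pipe connector.
 *
 * <p>The resulting server exposes, for every local hostname, an unsecured endpoint
 * (SecurityPolicy {@code None}), a Basic256Sha256 endpoint and an unsecured discovery
 * endpoint, each over OPC UA TCP and over HTTPS. All endpoints are bound to
 * {@code 0.0.0.0}, i.e. every local interface, and advertise the anonymous, username/password
 * and X509 user token policies. The server key pair and certificate are read from
 * {@code securityDir}; the trust list (trusted / rejected client certificates) is managed under
 * {@code securityDir/pki}.
 */
public class OpcUaServerBuilder {
    private static final Logger LOGGER = LoggerFactory.getLogger(OpcUaServerBuilder.class);

    /** Bind address used for every endpoint: the server listens on all local interfaces. */
    private static final String WILD_CARD_ADDRESS = "0.0.0.0";

    /**
     * Status code reported when the server certificate cannot be used (0x80890000, which is
     * Bad_ConfigurationError in the OPC UA status code table).
     */
    private static final long BAD_CONFIGURATION_ERROR = 2156462080L;

    private static final String PRODUCT_URI = "urn:apache:iotdb:opc-ua-server";
    private static final String APPLICATION_NAME = "Apache IoTDB OPC UA server";
    private static final String ENDPOINT_PATH = "/iotdb";
    private static final String DISCOVERY_PATH = "/iotdb/discovery";
    private static final int HTTPS_RSA_KEY_SIZE = 2048;

    private int tcpBindPort = 12686;
    private int httpsBindPort = 8443;
    // Default credentials come from SqlConstant.ROOT for both fields; deployments that are reachable
    // from anything but localhost should override them (see setUser/setPassword).
    private String user = SqlConstant.ROOT;
    private String password = SqlConstant.ROOT;
    private Path securityDir = Paths.get(PipeConnectorConstant.CONNECTOR_OPC_UA_SECURITY_DIR_DEFAULT_VALUE);

    /**
     * Sets the port the OPC UA TCP endpoints bind to.
     *
     * @param tcpBindPort port number
     * @return this builder
     */
    public OpcUaServerBuilder setTcpBindPort(int tcpBindPort) {
        this.tcpBindPort = tcpBindPort;
        return this;
    }

    /**
     * Sets the port the HTTPS endpoints bind to.
     *
     * @param httpsBindPort port number
     * @return this builder
     */
    public OpcUaServerBuilder setHttpsBindPort(int httpsBindPort) {
        this.httpsBindPort = httpsBindPort;
        return this;
    }

    /**
     * Sets the only username accepted by the username/password identity validator.
     *
     * @param user user name, must not be null
     * @return this builder
     * @throws NullPointerException if {@code user} is null
     */
    public OpcUaServerBuilder setUser(String user) {
        this.user = Objects.requireNonNull(user, "user");
        return this;
    }

    /**
     * Sets the password accepted by the username/password identity validator. The same value is
     * also used as the key store password when the server certificate is loaded in {@link #build()}.
     *
     * @param password password, must not be null
     * @return this builder
     * @throws NullPointerException if {@code password} is null
     */
    public OpcUaServerBuilder setPassword(String password) {
        this.password = Objects.requireNonNull(password, "password");
        return this;
    }

    /**
     * Sets the directory holding the server key store and the {@code pki} trust list.
     *
     * @param securityDir directory path, must not be null
     * @return this builder
     * @throws NullPointerException if {@code securityDir} is null
     */
    public OpcUaServerBuilder setSecurityDir(String securityDir) {
        this.securityDir = Paths.get(Objects.requireNonNull(securityDir, "securityDir"));
        return this;
    }

    /**
     * Creates the configured {@link OpcUaServer}. The server is not started.
     *
     * @return the configured server
     * @throws PipeException if the security directory does not exist after attempting to create it
     * @throws UaRuntimeException if the key store holds no certificate or the certificate lacks an
     *     application URI in its subject alternative names
     * @throws Exception if the key store cannot be loaded or the HTTPS certificate cannot be built
     */
    public OpcUaServer build() throws Exception {
        Files.createDirectories(securityDir);
        if (!Files.exists(securityDir)) {
            throw new PipeException("Unable to create security dir: " + securityDir);
        }
        final File pkiDir = securityDir.resolve("pki").toFile();
        LOGGER.info("Security dir: {}", securityDir.toAbsolutePath());
        LOGGER.info("Security pki dir: {}", pkiDir.getAbsolutePath());

        // The key store password is the same value that gates username/password sessions.
        final OpcUaKeyStoreLoader keyStoreLoader =
            new OpcUaKeyStoreLoader().load(securityDir, password.toCharArray());
        final DefaultCertificateManager certificateManager =
            new DefaultCertificateManager(keyStoreLoader.getServerKeyPair(), keyStoreLoader.getServerCertificate());
        // Client application certificates are accepted only once moved into the trusted directory
        // under pkiDir; new ones land in the reject directory first.
        final DefaultTrustListManager trustListManager = new DefaultTrustListManager(pkiDir);
        LOGGER.info("Certificate directory is: {}, Please move certificates from the reject dir to the trusted directory to allow encrypted access", pkiDir.getAbsolutePath());

        // HTTPS transport uses a freshly generated self-signed certificate on every build, distinct
        // from the OPC UA application certificate loaded above.
        final KeyPair httpsKeyPair = SelfSignedCertificateGenerator.generateRsaKeyPair(HTTPS_RSA_KEY_SIZE);
        final X509Certificate httpsCertificate = buildHttpsCertificate(httpsKeyPair);

        final DefaultServerCertificateValidator certificateValidator =
            new DefaultServerCertificateValidator(trustListManager);
        final IdentityValidator identityValidator =
            new CompositeValidator(createUsernameValidator(), createX509Validator());

        final X509Certificate serverCertificate = certificateManager.getCertificates().stream()
            .findFirst()
            .orElseThrow(() -> new UaRuntimeException(BAD_CONFIGURATION_ERROR, "No certificate found"));
        final String applicationUri = CertificateUtil.getSanUri(serverCertificate)
            .orElseThrow(() -> new UaRuntimeException(BAD_CONFIGURATION_ERROR, "Certificate is missing the application URI"));

        final OpcUaServerConfig config = OpcUaServerConfig.builder()
            .setApplicationUri(applicationUri)
            .setApplicationName(LocalizedText.english(APPLICATION_NAME))
            .setEndpoints(createEndpointConfigurations(serverCertificate, tcpBindPort, httpsBindPort))
            .setBuildInfo(new BuildInfo(PRODUCT_URI, "apache", APPLICATION_NAME, OpcUaServer.SDK_VERSION, "", DateTime.now()))
            .setCertificateManager(certificateManager)
            .setTrustListManager(trustListManager)
            .setCertificateValidator(certificateValidator)
            .setHttpsKeyPair(httpsKeyPair)
            .setHttpsCertificateChain(new X509Certificate[] {httpsCertificate})
            .setIdentityValidator(identityValidator)
            .setProductUri(PRODUCT_URI)
            .build();
        final OpcUaServer server = new OpcUaServer(config);

        // Mark the Server object as an event notifier (bit 0 of EventNotifier is SubscribeToEvents).
        final UaNode serverNode = server.getAddressSpaceManager().getManagedNode(Identifiers.Server).orElse(null);
        if (serverNode instanceof ServerTypeNode) {
            ((ServerTypeNode) serverNode).setEventNotifier(Unsigned.ubyte(1));
        }
        return server;
    }

    /**
     * Builds the self-signed certificate presented on the HTTPS endpoints, with the local hostname
     * as common name and every local hostname as a DNS subject alternative name.
     *
     * @param keyPair key pair the certificate is issued for
     * @return the self-signed certificate
     * @throws Exception if certificate generation fails
     */
    private static X509Certificate buildHttpsCertificate(KeyPair keyPair) throws Exception {
        final SelfSignedHttpsCertificateBuilder certificateBuilder = new SelfSignedHttpsCertificateBuilder(keyPair);
        certificateBuilder.setCommonName(HostnameUtil.getHostname());
        HostnameUtil.getHostnames(WILD_CARD_ADDRESS).forEach(certificateBuilder::addDnsName);
        return certificateBuilder.build();
    }

    /**
     * Creates the validator for username/password tokens. Anonymous sessions are accepted as
     * well (first constructor argument), so the credential check only gates sessions that present
     * a username token; it accepts exactly the configured user/password pair.
     */
    private IdentityValidator createUsernameValidator() {
        return new UsernameIdentityValidator(true, challenge -> {
            // Evaluate both comparisons unconditionally so a wrong user name is not distinguishable
            // from a wrong password by response time.
            final boolean userMatches = constantTimeEquals(challenge.getUsername(), user);
            final boolean passwordMatches = constantTimeEquals(challenge.getPassword(), password);
            return userMatches & passwordMatches;
        });
    }

    /**
     * Creates the validator for X509 identity tokens.
     *
     * <p>NOTE(review): the predicate accepts every presented certificate without inspecting it, so an
     * X509 user identity is never actually verified here. Keep this in mind when relying on the
     * X509 token policy for access control; a real deployment would check the certificate against
     * an allow-list or the trust list.
     */
    private static IdentityValidator createX509Validator() {
        return new X509IdentityValidator(certificate -> true);
    }

    /**
     * Compares two strings without short-circuiting on the first differing byte (length aside), so
     * the comparison does not leak how much of the expected credential matched.
     *
     * @return true only if both are non-null and byte-for-byte equal in UTF-8
     */
    private static boolean constantTimeEquals(String actual, String expected) {
        if (actual == null || expected == null) {
            return false;
        }
        return MessageDigest.isEqual(
            actual.getBytes(StandardCharsets.UTF_8), expected.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Creates the endpoint set advertised by the server: for each local hostname, an unsecured
     * endpoint, a Basic256Sha256 endpoint and an unsecured discovery endpoint, each over TCP and
     * HTTPS.
     *
     * @param certificate server application certificate attached to every endpoint
     * @param tcpPort bind port for the OPC UA TCP endpoints
     * @param httpsPort bind port for the HTTPS endpoints
     * @return endpoints in insertion order
     */
    private Set<EndpointConfiguration> createEndpointConfigurations(X509Certificate certificate, int tcpPort, int httpsPort) {
        final Set<EndpointConfiguration> endpoints = new LinkedHashSet<>();
        final List<String> bindAddresses = Collections.singletonList(WILD_CARD_ADDRESS);
        final Set<String> hostnames = new LinkedHashSet<>();
        hostnames.add(HostnameUtil.getHostname());
        hostnames.addAll(HostnameUtil.getHostnames(WILD_CARD_ADDRESS));

        for (String bindAddress : bindAddresses) {
            for (String hostname : hostnames) {
                final EndpointConfiguration.Builder base = EndpointConfiguration.newBuilder()
                    .setBindAddress(bindAddress)
                    .setHostname(hostname)
                    .setPath(ENDPOINT_PATH)
                    .setCertificate(certificate)
                    .addTokenPolicies(
                        OpcUaServerConfig.USER_TOKEN_POLICY_ANONYMOUS,
                        OpcUaServerConfig.USER_TOKEN_POLICY_USERNAME,
                        OpcUaServerConfig.USER_TOKEN_POLICY_X509);

                // Unsecured endpoints: no signing or encryption at the OPC UA layer. Whether a
                // username token is still protected on this endpoint depends on the token policy's
                // own security policy — verify against the Milo defaults before relying on it.
                final EndpointConfiguration.Builder noSecurity = base.copy()
                    .setSecurityPolicy(SecurityPolicy.None)
                    .setSecurityMode(MessageSecurityMode.None);
                endpoints.add(buildTcpEndpoint(noSecurity, tcpPort));
                endpoints.add(buildHttpsEndpoint(noSecurity, httpsPort));

                // Secured endpoints. HTTPS only requests Sign, presumably because TLS already
                // encrypts the transport — confirm this is intended.
                endpoints.add(buildTcpEndpoint(
                    base.copy().setSecurityPolicy(SecurityPolicy.Basic256Sha256).setSecurityMode(MessageSecurityMode.SignAndEncrypt),
                    tcpPort));
                endpoints.add(buildHttpsEndpoint(
                    base.copy().setSecurityPolicy(SecurityPolicy.Basic256Sha256).setSecurityMode(MessageSecurityMode.Sign),
                    httpsPort));

                // Discovery endpoints, unsecured by design so clients can enumerate the others.
                final EndpointConfiguration.Builder discovery = base.copy()
                    .setPath(DISCOVERY_PATH)
                    .setSecurityPolicy(SecurityPolicy.None)
                    .setSecurityMode(MessageSecurityMode.None);
                endpoints.add(buildTcpEndpoint(discovery, tcpPort));
                endpoints.add(buildHttpsEndpoint(discovery, httpsPort));
            }
        }
        return endpoints;
    }

    /** Finalizes a copy of {@code builder} as an OPC UA TCP (binary) endpoint on {@code port}. */
    private static EndpointConfiguration buildTcpEndpoint(EndpointConfiguration.Builder builder, int port) {
        return builder.copy()
            .setTransportProfile(TransportProfile.TCP_UASC_UABINARY)
            .setBindPort(port)
            .build();
    }

    /** Finalizes a copy of {@code builder} as an HTTPS (binary) endpoint on {@code port}. */
    private static EndpointConfiguration buildHttpsEndpoint(EndpointConfiguration.Builder builder, int port) {
        return builder.copy()
            .setTransportProfile(TransportProfile.HTTPS_UABINARY)
            .setBindPort(port)
            .build();
    }
}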
