Adding upstream version 1.34.4.

Signed-off-by: Daniel Baumann <daniel@debian.org>
2025-05-24 07:26:29 +02:00 · 2025-05-24 07:26:29 +02:00 · 4978089aab
commit 4978089aab
parent e393c3af3f
4963 changed files with 677545 additions and 0 deletions
--- a/plugins/common/opcua/opcua_util.go
+++ b/plugins/common/opcua/opcua_util.go
@ -0,0 +1,359 @@
+package opcua
+
+import (
+	"crypto/ecdsa"
+	"crypto/rand"
+	"crypto/rsa"
+	"crypto/tls"
+	"crypto/x509"
+	"crypto/x509/pkix"
+	"encoding/pem"
+	"errors"
+	"fmt"
+	"math/big"
+	"net"
+	"net/url"
+	"os"
+	"strings"
+	"time"
+
+	"github.com/gopcua/opcua"
+	"github.com/gopcua/opcua/debug"
+	"github.com/gopcua/opcua/ua"
+
+	"github.com/influxdata/telegraf/config"
+)
+
+// SELF SIGNED CERT FUNCTIONS
+
+func newTempDir() (string, error) {
+	dir, err := os.MkdirTemp("", "ssc")
+	return dir, err
+}
+
+func generateCert(host string, rsaBits int, certFile, keyFile string, dur time.Duration) (cert, key string, err error) {
+	dir, err := newTempDir()
+	if err != nil {
+		return "", "", fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	if len(host) == 0 {
+		return "", "", errors.New("missing required host parameter")
+	}
+	if rsaBits == 0 {
+		rsaBits = 2048
+	}
+	if len(certFile) == 0 {
+		certFile = dir + "/cert.pem"
+	}
+	if len(keyFile) == 0 {
+		keyFile = dir + "/key.pem"
+	}
+
+	priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to generate private key: %w", err)
+	}
+
+	notBefore := time.Now()
+	notAfter := notBefore.Add(dur)
+
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
+	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to generate serial number: %w", err)
+	}
+
+	template := x509.Certificate{
+		SerialNumber: serialNumber,
+		Subject: pkix.Name{
+			Organization: []string{"Telegraf OPC UA Client"},
+		},
+		NotBefore: notBefore,
+		NotAfter:  notAfter,
+
+		KeyUsage: x509.KeyUsageContentCommitment | x509.KeyUsageKeyEncipherment |
+			x509.KeyUsageDigitalSignature | x509.KeyUsageDataEncipherment | x509.KeyUsageCertSign,
+		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
+		BasicConstraintsValid: true,
+	}
+
+	hosts := strings.Split(host, ",")
+	for _, h := range hosts {
+		if ip := net.ParseIP(h); ip != nil {
+			template.IPAddresses = append(template.IPAddresses, ip)
+		} else {
+			template.DNSNames = append(template.DNSNames, h)
+		}
+		if uri, err := url.Parse(h); err == nil {
+			template.URIs = append(template.URIs, uri)
+		}
+	}
+
+	derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, publicKey(priv), priv)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to create certificate: %w", err)
+	}
+
+	certOut, err := os.Create(certFile)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to open %s for writing: %w", certFile, err)
+	}
+	if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
+		return "", "", fmt.Errorf("failed to write data to %s: %w", certFile, err)
+	}
+	if err := certOut.Close(); err != nil {
+		return "", "", fmt.Errorf("error closing %s: %w", certFile, err)
+	}
+
+	keyOut, err := os.OpenFile(keyFile, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
+	if err != nil {
+		return "", "", fmt.Errorf("failed to open %s for writing: %w", keyFile, err)
+	}
+	keyBlock, err := pemBlockForKey(priv)
+	if err != nil {
+		return "", "", fmt.Errorf("error generating block: %w", err)
+	}
+	if err := pem.Encode(keyOut, keyBlock); err != nil {
+		return "", "", fmt.Errorf("failed to write data to %s: %w", keyFile, err)
+	}
+	if err := keyOut.Close(); err != nil {
+		return "", "", fmt.Errorf("error closing %s: %w", keyFile, err)
+	}
+
+	return certFile, keyFile, nil
+}
+
+func publicKey(priv interface{}) interface{} {
+	switch k := priv.(type) {
+	case *rsa.PrivateKey:
+		return &k.PublicKey
+	case *ecdsa.PrivateKey:
+		return &k.PublicKey
+	default:
+		return nil
+	}
+}
+
+func pemBlockForKey(priv interface{}) (*pem.Block, error) {
+	switch k := priv.(type) {
+	case *rsa.PrivateKey:
+		return &pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(k)}, nil
+	case *ecdsa.PrivateKey:
+		b, err := x509.MarshalECPrivateKey(k)
+		if err != nil {
+			return nil, fmt.Errorf("unable to marshal ECDSA private key: %w", err)
+		}
+		return &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}, nil
+	default:
+		return nil, nil
+	}
+}
+
+func (o *OpcUAClient) generateClientOpts(endpoints []*ua.EndpointDescription) ([]opcua.Option, error) {
+	appuri := "urn:telegraf:gopcua:client"
+	appname := "Telegraf"
+
+	// ApplicationURI is automatically read from the cert so is not required if a cert if provided
+	opts := []opcua.Option{
+		opcua.ApplicationURI(appuri),
+		opcua.ApplicationName(appname),
+		opcua.RequestTimeout(time.Duration(o.Config.RequestTimeout)),
+	}
+
+	if o.Config.SessionTimeout != 0 {
+		opts = append(opts, opcua.SessionTimeout(time.Duration(o.Config.SessionTimeout)))
+	}
+
+	certFile := o.Config.Certificate
+	keyFile := o.Config.PrivateKey
+	policy := o.Config.SecurityPolicy
+	mode := o.Config.SecurityMode
+	var err error
+	if certFile == "" && keyFile == "" {
+		if policy != "None" || mode != "None" {
+			certFile, keyFile, err = generateCert(appuri, 2048, certFile, keyFile, 365*24*time.Hour)
+			if err != nil {
+				return nil, err
+			}
+		}
+	}
+
+	var cert []byte
+	if certFile != "" && keyFile != "" {
+		debug.Printf("Loading cert/key from %s/%s", certFile, keyFile)
+		c, err := tls.LoadX509KeyPair(certFile, keyFile)
+		if err != nil {
+			o.Log.Warnf("Failed to load certificate: %s", err)
+		} else {
+			pk, ok := c.PrivateKey.(*rsa.PrivateKey)
+			if !ok {
+				return nil, errors.New("invalid private key")
+			}
+			cert = c.Certificate[0]
+			opts = append(opts, opcua.PrivateKey(pk), opcua.Certificate(cert))
+		}
+	}
+
+	var secPolicy string
+	switch {
+	case policy == "auto":
+		// set it later
+	case strings.HasPrefix(policy, ua.SecurityPolicyURIPrefix):
+		secPolicy = policy
+		policy = ""
+	case policy == "None" || policy == "Basic128Rsa15" || policy == "Basic256" || policy == "Basic256Sha256" ||
+		policy == "Aes128_Sha256_RsaOaep" || policy == "Aes256_Sha256_RsaPss":
+		secPolicy = ua.SecurityPolicyURIPrefix + policy
+		policy = ""
+	default:
+		return nil, fmt.Errorf("invalid security policy: %s", policy)
+	}
+
+	o.Log.Debugf("security policy from configuration %s", secPolicy)
+
+	// Select the most appropriate authentication mode from server capabilities and user input
+	authMode, authOption, err := o.generateAuth(o.Config.AuthMethod, cert, o.Config.Username, o.Config.Password)
+	if err != nil {
+		return nil, err
+	}
+
+	opts = append(opts, authOption)
+
+	var secMode ua.MessageSecurityMode
+	switch strings.ToLower(mode) {
+	case "auto":
+	case "none":
+		secMode = ua.MessageSecurityModeNone
+		mode = ""
+	case "sign":
+		secMode = ua.MessageSecurityModeSign
+		mode = ""
+	case "signandencrypt":
+		secMode = ua.MessageSecurityModeSignAndEncrypt
+		mode = ""
+	default:
+		return nil, fmt.Errorf("invalid security mode: %s", mode)
+	}
+
+	// Allow input of only one of sec-mode,sec-policy when choosing 'None'
+	if secMode == ua.MessageSecurityModeNone || secPolicy == ua.SecurityPolicyURINone {
+		secMode = ua.MessageSecurityModeNone
+		secPolicy = ua.SecurityPolicyURINone
+	}
+
+	// Find the best endpoint based on our input and server recommendation (highest SecurityMode+SecurityLevel)
+	var serverEndpoint *ua.EndpointDescription
+	switch {
+	case mode == "auto" && policy == "auto": // No user selection, choose best
+		for _, e := range endpoints {
+			if serverEndpoint == nil || (e.SecurityMode >= serverEndpoint.SecurityMode && e.SecurityLevel >= serverEndpoint.SecurityLevel) {
+				serverEndpoint = e
+			}
+		}
+
+	case mode != "auto" && policy == "auto": // User only cares about mode, select highest securitylevel with that mode
+		for _, e := range endpoints {
+			if e.SecurityMode == secMode && (serverEndpoint == nil || e.SecurityLevel >= serverEndpoint.SecurityLevel) {
+				serverEndpoint = e
+			}
+		}
+
+	case mode == "auto" && policy != "auto": // User only cares about policy, select highest securitylevel with that policy
+		for _, e := range endpoints {
+			if e.SecurityPolicyURI == secPolicy && (serverEndpoint == nil || e.SecurityLevel >= serverEndpoint.SecurityLevel) {
+				serverEndpoint = e
+			}
+		}
+
+	default: // User cares about both
+		o.Log.Debugf("User cares about both the policy (%s) and security mode (%s)", secPolicy, secMode)
+		o.Log.Debugf("Server has %d endpoints", len(endpoints))
+		for _, e := range endpoints {
+			o.Log.Debugf("Evaluating endpoint %s, policy %s, mode %s, level %d", e.EndpointURL, e.SecurityPolicyURI, e.SecurityMode, e.SecurityLevel)
+			if e.SecurityPolicyURI == secPolicy && e.SecurityMode == secMode && (serverEndpoint == nil || e.SecurityLevel >= serverEndpoint.SecurityLevel) {
+				serverEndpoint = e
+				o.Log.Debugf(
+					"Security policy and mode found. Using server endpoint %s for security. Policy %s",
+					serverEndpoint.EndpointURL,
+					serverEndpoint.SecurityPolicyURI,
+				)
+			}
+		}
+	}
+
+	if serverEndpoint == nil { // Didn't find an endpoint with matching policy and mode.
+		return nil, errors.New("unable to find suitable server endpoint with selected sec-policy and sec-mode")
+	}
+
+	secPolicy = serverEndpoint.SecurityPolicyURI
+	secMode = serverEndpoint.SecurityMode
+
+	// Check that the selected endpoint is a valid combo
+	err = validateEndpointConfig(endpoints, secPolicy, secMode, authMode)
+	if err != nil {
+		return nil, fmt.Errorf("error validating input: %w", err)
+	}
+
+	opts = append(opts, opcua.SecurityFromEndpoint(serverEndpoint, authMode))
+	return opts, nil
+}
+
+func (o *OpcUAClient) generateAuth(a string, cert []byte, user, passwd config.Secret) (ua.UserTokenType, opcua.Option, error) {
+	var authMode ua.UserTokenType
+	var authOption opcua.Option
+	switch strings.ToLower(a) {
+	case "anonymous":
+		authMode = ua.UserTokenTypeAnonymous
+		authOption = opcua.AuthAnonymous()
+	case "username":
+		authMode = ua.UserTokenTypeUserName
+
+		var username, password []byte
+		if !user.Empty() {
+			usecret, err := user.Get()
+			if err != nil {
+				return 0, nil, fmt.Errorf("error reading the username input: %w", err)
+			}
+			defer usecret.Destroy()
+			username = usecret.Bytes()
+		}
+
+		if !passwd.Empty() {
+			psecret, err := passwd.Get()
+			if err != nil {
+				return 0, nil, fmt.Errorf("error reading the password input: %w", err)
+			}
+			defer psecret.Destroy()
+			password = psecret.Bytes()
+		}
+		authOption = opcua.AuthUsername(string(username), string(password))
+	case "certificate":
+		authMode = ua.UserTokenTypeCertificate
+		authOption = opcua.AuthCertificate(cert)
+	case "issuedtoken":
+		// todo: this is unsupported, fail here or fail in the opcua package?
+		authMode = ua.UserTokenTypeIssuedToken
+		authOption = opcua.AuthIssuedToken([]byte(nil))
+	default:
+		o.Log.Warnf("unknown auth-mode, defaulting to Anonymous")
+		authMode = ua.UserTokenTypeAnonymous
+		authOption = opcua.AuthAnonymous()
+	}
+
+	return authMode, authOption, nil
+}
+
+func validateEndpointConfig(endpoints []*ua.EndpointDescription, secPolicy string, secMode ua.MessageSecurityMode, authMode ua.UserTokenType) error {
+	for _, e := range endpoints {
+		if e.SecurityMode == secMode && e.SecurityPolicyURI == secPolicy {
+			for _, t := range e.UserIdentityTokens {
+				if t.TokenType == authMode {
+					return nil
+				}
+			}
+		}
+	}
+
+	return fmt.Errorf("server does not support an endpoint with security: %q, %q", secPolicy, secMode)
+}