Support by filtering endpoints against both, MessageSecurityMode and SecurityPolicyUri (#1247)

* Support by filtering endpoints against both, MessageSecurityMode and SecurityPolicyUri

* Small cleanup

* Nicer check

Author: codepitbull

modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/OpcUaClientConnection.java

@@ -24,7 +24,9 @@
 import com.hivemq.edge.adapters.opcua.client.OpcUaClientConfigurator;
 import com.hivemq.edge.adapters.opcua.client.OpcUaEndpointFilter;
 import com.hivemq.edge.adapters.opcua.client.ParsedConfig;
+import com.hivemq.edge.adapters.opcua.config.MsgSecurityMode;
 import com.hivemq.edge.adapters.opcua.config.OpcUaSpecificAdapterConfig;
+import com.hivemq.edge.adapters.opcua.config.SecPolicy;
 import com.hivemq.edge.adapters.opcua.config.tag.OpcuaTag;
 import com.hivemq.edge.adapters.opcua.listeners.OpcUaServiceFaultListener;
 import com.hivemq.edge.adapters.opcua.listeners.OpcUaSessionActivityListener;
@@ -35,6 +37,7 @@
 import org.eclipse.milo.opcua.sdk.client.subscriptions.OpcUaSubscription;
 import org.eclipse.milo.opcua.stack.core.UaException;
 import org.eclipse.milo.opcua.stack.core.types.builtin.unsigned.UInteger;
+import org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode;
 import org.jetbrains.annotations.NotNull;
 import org.jetbrains.annotations.Nullable;
 import org.slf4j.Logger;
@@ -86,7 +89,31 @@ synchronized boolean start(final ParsedConfig parsedConfig) {
         final OpcUaClient client;
         final var faultListener = new OpcUaServiceFaultListener(protocolAdapterMetricsService, eventService, adapterId);
         final var activityListener = new OpcUaSessionActivityListener(protocolAdapterMetricsService, eventService, adapterId, protocolAdapterState);
-        final var endpointFilter = new OpcUaEndpointFilter(adapterId, config.getSecurity().policy().getSecurityPolicy().getUri(), config);
+
+        // Determine preferred MessageSecurityMode with intelligent defaults
+        final MessageSecurityMode preferredMode;
+        final MsgSecurityMode configuredMode = config.getSecurity().messageSecurityMode();
+        if (configuredMode != null) {
+            // Explicitly configured mode
+            preferredMode = configuredMode.getMiloMode();
+            if (log.isDebugEnabled()) {
+                log.debug("Using configured message security mode: {}", preferredMode);
+            }
+        } else {
+            // Intelligent default based on security policy
+            final SecPolicy policy = config.getSecurity().policy();
+            if (policy == SecPolicy.NONE) {
+                preferredMode = MessageSecurityMode.None;
+            } else {
+                // For all secure policies, prefer SignAndEncrypt (most secure)
+                preferredMode = MessageSecurityMode.SignAndEncrypt;
+                if (log.isDebugEnabled()) {
+                    log.debug("No message security mode configured, defaulting to SignAndEncrypt for policy {}", policy);
+                }
+            }
+        }
+
+        final var endpointFilter = new OpcUaEndpointFilter(adapterId, config.getSecurity().policy().getSecurityPolicy().getUri(), preferredMode, config);
         try {
             client = OpcUaClient
                 .create(

modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/client/OpcUaEndpointFilter.java

@@ -18,9 +18,11 @@
 import com.hivemq.edge.adapters.opcua.config.OpcUaSpecificAdapterConfig;
 import com.hivemq.edge.adapters.opcua.config.SecPolicy;
 import org.eclipse.milo.opcua.stack.core.security.SecurityPolicy;
+import org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode;
 import org.eclipse.milo.opcua.stack.core.types.structured.EndpointDescription;
 import org.eclipse.milo.opcua.stack.core.util.EndpointUtil;
 import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
 import org.slf4j.Logger;
 import org.slf4j.LoggerFactory;
 
@@ -33,24 +35,42 @@ public class OpcUaEndpointFilter implements Function<List<EndpointDescription>,
 
     private final @NotNull String adapterId;
     private final @NotNull String configPolicyUri;
+    private final @Nullable MessageSecurityMode preferredMode;
     private final @NotNull OpcUaSpecificAdapterConfig adapterConfig;
 
     public OpcUaEndpointFilter(
             final @NotNull String adapterId,
             final @NotNull String configPolicyUri,
+            final @Nullable MessageSecurityMode preferredMode,
             final @NotNull OpcUaSpecificAdapterConfig adapterConfig) {
         this.adapterId = adapterId;
         this.configPolicyUri = configPolicyUri;
+        this.preferredMode = preferredMode;
         this.adapterConfig = adapterConfig;
     }
 
     @Override
     public @NotNull Optional<EndpointDescription> apply(final List<EndpointDescription> endpointDescriptions) {
         return endpointDescriptions.stream().filter(endpointDescription -> {
             final String policyUri = endpointDescription.getSecurityPolicyUri();
+
+            // Filter by SecurityPolicyUri
             if (!configPolicyUri.equals(policyUri)) {
                 return false;
             }
+
+            // Filter by MessageSecurityMode if specified
+            if (preferredMode != null) {
+                final MessageSecurityMode endpointMode = endpointDescription.getSecurityMode();
+                if (!preferredMode.equals(endpointMode)) {
+                    if (log.isDebugEnabled()) {
+                        log.debug("Endpoint {} has mode {} but preferred mode is {}, skipping",
+                                endpointDescription.getEndpointUrl(), endpointMode, preferredMode);
+                    }
+                    return false;
+                }
+            }
+
             if (policyUri.equals(SecurityPolicy.None.getUri())) {
                 return true;
             }

modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/config/MsgSecurityMode.java

@@ -0,0 +1,86 @@
+/*
+ * Copyright 2023-present HiveMQ GmbH
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License");
+ * you may not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ *     http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS,
+ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+package com.hivemq.edge.adapters.opcua.config;
+
+import com.fasterxml.jackson.annotation.JsonCreator;
+import com.fasterxml.jackson.annotation.JsonProperty;
+import org.eclipse.milo.opcua.stack.core.types.enumerated.MessageSecurityMode;
+import org.jetbrains.annotations.NotNull;
+import org.jetbrains.annotations.Nullable;
+
+/**
+ * OPC UA Message Security Mode configuration enum.
+ * Maps to Eclipse Milo's MessageSecurityMode.
+ */
+public enum MsgSecurityMode {
+
+    @JsonProperty("None")
+    NONE(MessageSecurityMode.None),
+
+    @JsonProperty("Sign")
+    SIGN(MessageSecurityMode.Sign),
+
+    @JsonProperty("SignAndEncrypt")
+    SIGN_AND_ENCRYPT(MessageSecurityMode.SignAndEncrypt);
+
+    private final @NotNull MessageSecurityMode miloMode;
+
+    MsgSecurityMode(final @NotNull MessageSecurityMode miloMode) {
+        this.miloMode = miloMode;
+    }
+
+    /**
+     * @return the corresponding Eclipse Milo MessageSecurityMode
+     */
+    public @NotNull MessageSecurityMode getMiloMode() {
+        return miloMode;
+    }
+
+    /**
+     * Find the MsgSecurityMode enum for a given Milo MessageSecurityMode.
+     *
+     * @param mode the Milo MessageSecurityMode
+     * @return the corresponding MsgSecurityMode, or null if not found
+     */
+    public static @Nullable MsgSecurityMode forMiloMode(final @NotNull MessageSecurityMode mode) {
+        for (final var value : values()) {
+            if (value.miloMode == mode) {
+                return value;
+            }
+        }
+        return null;
+    }
+
+    /**
+     * Jackson creator method for deserialization.
+     *
+     * @param value the string value from JSON
+     * @return the corresponding MsgSecurityMode
+     */
+    @JsonCreator
+    public static @Nullable MsgSecurityMode fromString(final @Nullable String value) {
+        if (value == null || value.isBlank()) {
+            return null;
+        }
+        for (final var mode : values()) {
+            if (mode.name().equalsIgnoreCase(value) ||
+                    mode.name().replace("_", "").equalsIgnoreCase(value)) {
+                return mode;
+            }
+        }
+        return null;
+    }
+}

modules/hivemq-edge-module-opcua/src/main/java/com/hivemq/edge/adapters/opcua/config/Security.java

@@ -15,6 +15,7 @@
  */
 package com.hivemq.edge.adapters.opcua.config;
 
+import com.fasterxml.jackson.annotation.JsonInclude;
 import com.fasterxml.jackson.annotation.JsonProperty;
 import com.fasterxml.jackson.core.JsonParser;
 import com.fasterxml.jackson.databind.DeserializationContext;
@@ -32,10 +33,22 @@
 @JsonDeserialize(using = Security.SecurityDeserializer.class)
 public record Security(@JsonProperty("policy") @ModuleConfigField(title = "OPC UA security policy",
                                                                   description = "Security policy to use for communication with the server.",
-                                                                  defaultValue = "NONE") @NotNull SecPolicy policy) {
+                                                                  defaultValue = "NONE") @NotNull SecPolicy policy,
+                       @JsonProperty("messageSecurityMode")
+                       @JsonInclude(JsonInclude.Include.NON_NULL)
+                       @ModuleConfigField(title = "Message Security Mode",
+                                         description = "Message security mode (None, Sign, SignAndEncrypt). If not specified, defaults based on policy: None→None, others→SignAndEncrypt.",
+                                         required = false) @Nullable MsgSecurityMode messageSecurityMode) {
 
-    public Security(@JsonProperty("policy") final @Nullable SecPolicy policy) {
+    public Security(@JsonProperty("policy") final @Nullable SecPolicy policy,
+                    @JsonProperty("messageSecurityMode") final @Nullable MsgSecurityMode messageSecurityMode) {
         this.policy = Objects.requireNonNullElse(policy, Constants.DEFAULT_SECURITY_POLICY);
+        this.messageSecurityMode = messageSecurityMode;
+    }
+
+    // Backwards compatibility constructor
+    public Security(final @Nullable SecPolicy policy) {
+        this(policy, null);
     }
 
     @Override
@@ -50,13 +63,13 @@ static class SecurityDeserializer extends JsonDeserializer<Security> {
                 final @NotNull DeserializationContext context) throws IOException {
             final String text = parser.getText();
             if (text != null && text.isEmpty()) {
-                return new Security(Constants.DEFAULT_SECURITY_POLICY);
+                return new Security(Constants.DEFAULT_SECURITY_POLICY, null);
             }
 
             try {
                 final Map<String, Object> map = parser.readValueAs(Map.class);
                 if (map == null || map.isEmpty()) {
-                    return new Security(Constants.DEFAULT_SECURITY_POLICY);
+                    return new Security(Constants.DEFAULT_SECURITY_POLICY, null);
                 }
 
                 final Object policyValue = map.get("policy");
@@ -66,9 +79,18 @@ static class SecurityDeserializer extends JsonDeserializer<Security> {
                 } else {
                     policy = Constants.DEFAULT_SECURITY_POLICY;
                 }
-                return new Security(policy);
+
+                final Object modeValue = map.get("messageSecurityMode");
+                final MsgSecurityMode messageSecurityMode;
+                if (modeValue instanceof String) {
+                    messageSecurityMode = MsgSecurityMode.fromString((String) modeValue);
+                } else {
+                    messageSecurityMode = null;
+                }
+
+                return new Security(policy, messageSecurityMode);
             } catch (final IOException e) {
-                return new Security(Constants.DEFAULT_SECURITY_POLICY);
+                return new Security(Constants.DEFAULT_SECURITY_POLICY, null);
             }
         }
     }