package io.hops.hopsworks.common.security;

import io.hops.hopsworks.common.dao.certificates.CertsFacade;
import io.hops.hopsworks.common.dao.certificates.UserCerts;
import io.hops.hopsworks.common.dao.project.Project;
import io.hops.hopsworks.common.dao.project.team.ProjectTeam;
import io.hops.hopsworks.common.dao.user.Users;
import io.hops.hopsworks.common.exception.HopsSecurityException;
import io.hops.hopsworks.common.exception.RESTCodes;
import io.hops.hopsworks.common.security.PKI;
import io.hops.hopsworks.common.util.HopsUtils;
import io.hops.security.HopsUtil;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Enumeration;
import java.util.Iterator;
import java.util.Locale;
import java.util.concurrent.Future;
import java.util.concurrent.locks.ReentrantLock;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ejb.AsyncResult;
import javax.ejb.Asynchronous;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.enterprise.inject.Any;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;

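@TransactionAttribute(TransactionAttributeType.NEVER)
@Stateless
/* loaded from: input_file:io/hops/hopsworks/common/security/CertificatesController.class */
/**
 * Creates, revokes and inspects per-project user certificates.
 *
 * <p>All openssl CA operations go through {@link OpensslOperations} and are serialized with the
 * {@link ReentrantLock} obtained from {@link CertificatesMgmService#getOpensslLock()}. Every lock
 * acquisition in this class is paired with an {@code unlock()} in a {@code finally} block, so a
 * failing openssl call cannot leave the CA lock held (which would block every later certificate
 * operation). Keystore passwords are persisted only in the form produced by
 * {@link HopsUtils#encrypt} under the master encryption password.
 */
public class CertificatesController {
    private static final Logger LOG = Logger.getLogger(CertificatesController.class.getName());

    /** Alias of the CA root entry inside a user keystore; it is skipped when looking for the user's own entry. */
    private static final String CA_ROOT_ALIAS = "caroot";

    /** Separator between project name and username in the certificate name of a project-specific user. */
    private static final String PROJECT_USER_SEPARATOR = "__";

    @EJB
    private CertsFacade certsFacade;

    @EJB
    private CertificatesMgmService certificatesMgmService;

    @EJB
    private OpensslOperations opensslOperations;

    @Inject
    @Any
    private Instance<CertificateHandler> certificateHandlers;

    /* loaded from: input_file:io/hops/hopsworks/common/security/CertificatesController$CertsResult.class */
    /**
     * Immutable (projectName, username) pair returned by {@link #generateCertificates}.
     * Kept as a non-static inner class so existing callers of its constructor keep working.
     */
    public class CertsResult {
        private final String projectName;
        private final String username;

        /**
         * @param projectName name of the project the certificates were generated for
         * @param username    username of the project member
         */
        public CertsResult(String projectName, String username) {
            this.projectName = projectName;
            this.username = username;
        }

        /** @return the project name */
        public String getProjectName() {
            return this.projectName;
        }

        /** @return the username */
        public String getUsername() {
            return this.username;
        }
    }

    /**
     * Generates the project-specific certificate for {@code users} in {@code project}, optionally the
     * project generic service certificate, persists the encrypted keystore password and notifies every
     * registered {@link CertificateHandler}.
     *
     * <p>Runs asynchronously in its own transaction. The keystore password is a fresh random string;
     * only its encrypted form (under the master encryption password) is stored.
     *
     * @param project               project the certificate belongs to
     * @param users                 member the certificate is issued to
     * @param generateServiceCert   when {@code true}, also create the project generic user's certificate
     * @return a completed future holding the (projectName, username) pair
     * @throws Exception any failure of the openssl operations, the persistence layer or a handler
     */
    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    @Asynchronous
    public Future<CertsResult> generateCertificates(Project project, Users users, boolean generateServiceCert)
            throws Exception {
        // NOTE(review): HopsUtils.randomString is not visible here -- confirm it is backed by SecureRandom,
        // since this string protects the user's private key.
        String keystorePassword = HopsUtils.randomString(64);
        String encryptedPassword = HopsUtils.encrypt(users.getPassword(), keystorePassword,
                this.certificatesMgmService.getMasterEncryptionPassword());
        ReentrantLock opensslLock = this.certificatesMgmService.getOpensslLock();

        // lock() sits outside the try so the finally never unlocks a lock this thread does not hold;
        // unlock() sits in the finally so an exception in createUserCertificate releases the CA lock.
        opensslLock.lock();
        try {
            this.opensslOperations.createUserCertificate(project.getName(), users.getUsername(),
                    users.getAddress().getCountry(), users.getAddress().getCity(),
                    users.getOrganization().getOrgName(), users.getEmail(), users.getOrcid(),
                    keystorePassword);
            LOG.log(Level.FINE, "Created project specific certificates for user: "
                    + project.getName() + PROJECT_USER_SEPARATOR + users.getUsername());
        } finally {
            opensslLock.unlock();
        }

        if (generateServiceCert) {
            opensslLock.lock();
            try {
                this.opensslOperations.createServiceCertificate(project.getProjectGenericUser(),
                        users.getAddress().getCountry(), users.getAddress().getCity(),
                        users.getOrganization().getOrgName(), users.getEmail(), users.getOrcid(),
                        keystorePassword);
            } finally {
                opensslLock.unlock();
            }
            // Persistence happens outside the openssl lock; the lock only guards the CA operations.
            this.certsFacade.putProjectGenericUserCerts(project.getProjectGenericUser(), encryptedPassword);
            LOG.log(Level.FINE, "Created project generic certificates for project: " + project.getName());
        }

        UserCerts userCerts = this.certsFacade.putUserCerts(project.getName(), users.getUsername(),
                encryptedPassword);
        for (CertificateHandler handler : this.certificateHandlers) {
            handler.generate(project, users, userCerts);
        }
        return new AsyncResult<>(new CertsResult(project.getName(), users.getUsername()));
    }

    /**
     * Revokes and deletes the certificates of every member of {@code project} and the project generic
     * user's certificate, regenerates the intermediate CA's CRL and removes the stored generic
     * certificate record.
     *
     * <p>The CRL is regenerated in a {@code finally} block so that revocations performed before a
     * failure are still published, and the openssl lock is released whether or not the CRL
     * regeneration itself succeeds. The database cleanup runs after the lock has been released, so a
     * failure there propagates as-is instead of being masked by a second {@code unlock()}.
     *
     * @param project project whose certificates are removed
     * @throws CAException if an openssl CA operation fails
     * @throws IOException if an openssl invocation fails at the I/O level
     */
    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public void deleteProjectCertificates(Project project) throws CAException, IOException {
        String projectName = project.getName();
        ReentrantLock opensslLock = this.certificatesMgmService.getOpensslLock();
        opensslLock.lock();
        try {
            for (ProjectTeam projectTeam : project.getProjectTeamCollection()) {
                String certName = projectName + PROJECT_USER_SEPARATOR + projectTeam.getUser().getUsername();
                // NOTE(review): the two boolean flags are not visible here; presumably the third defers the
                // CRL regeneration to the single createCRL call below -- confirm against OpensslOperations.
                this.opensslOperations.revokeCertificate(certName, CertificateType.PROJECT_USER, false, false);
                this.opensslOperations.deleteUserCertificate(certName);
                for (CertificateHandler handler : this.certificateHandlers) {
                    handler.revoke(project, projectTeam.getUser());
                }
            }
            this.opensslOperations.revokeCertificate(project.getProjectGenericUser(),
                    CertificateType.PROJECT_USER, false, false);
            this.opensslOperations.deleteProjectCertificate(projectName);
        } finally {
            try {
                this.opensslOperations.createCRL(PKI.CAType.INTERMEDIATE);
            } finally {
                opensslLock.unlock();
            }
        }
        this.certsFacade.removeProjectGenericCertificates(project.getProjectGenericUser());
    }

    /**
     * Revokes and deletes the project-specific certificate of a single member, removes its stored
     * record and notifies every registered {@link CertificateHandler}.
     *
     * <p>Only the openssl calls are executed under the CA lock; the database removal and the handler
     * callbacks run after the lock has been released, so an exception from them propagates as-is.
     *
     * @param project project the certificate belongs to
     * @param users   member whose certificate is removed
     * @throws CAException if an openssl CA operation fails
     * @throws IOException if an openssl invocation fails at the I/O level
     */
    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public void deleteUserSpecificCertificates(Project project, Users users) throws CAException, IOException {
        String certName = project.getName() + PROJECT_USER_SEPARATOR + users.getUsername();
        ReentrantLock opensslLock = this.certificatesMgmService.getOpensslLock();
        opensslLock.lock();
        try {
            this.opensslOperations.revokeCertificate(certName, CertificateType.PROJECT_USER, true, false);
            this.opensslOperations.deleteUserCertificate(certName);
        } finally {
            opensslLock.unlock();
        }
        this.certsFacade.removeUserProjectCerts(project.getName(), users.getUsername());
        for (CertificateHandler handler : this.certificateHandlers) {
            handler.revoke(project, users);
        }
    }

    /**
     * Extracts the CN of the first non-CA-root entry of a keystore.
     *
     * @param keystoreBytes    serialized keystore in the JVM's default keystore format
     * @param keystorePassword password protecting the keystore
     * @return the CN of the selected certificate's subject
     * @throws HopsSecurityException if the keystore cannot be opened, holds no usable certificate, or the
     *                               subject carries no CN
     * @see #extractCNFromCertificate(byte[], char[], String)
     */
    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    public String extractCNFromCertificate(byte[] keystoreBytes, char[] keystorePassword)
            throws HopsSecurityException {
        return extractCNFromCertificate(keystoreBytes, keystorePassword, null);
    }

    /**
     * Extracts the CN of a certificate stored in a keystore.
     *
     * <p>This method only parses the certificate; it does not check the certificate against the CA.
     * Callers that rely on the CN as an identity must also call {@link #validateCertificate}.
     *
     * @param keystoreBytes    serialized keystore in the JVM's default keystore format
     * @param keystorePassword password protecting the keystore
     * @param certificateAlias alias of the entry to read, or {@code null} to pick the first entry whose
     *                         alias is not the CA root
     * @return the CN of the certificate's subject (RFC 2253 form)
     * @throws HopsSecurityException if the keystore cannot be opened, holds no usable certificate, or the
     *                               subject carries no CN
     */
    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    public String extractCNFromCertificate(byte[] keystoreBytes, char[] keystorePassword, String certificateAlias)
            throws HopsSecurityException {
        try {
            X509Certificate certificate = getCertificateFromKeyStore(keystoreBytes, keystorePassword, certificateAlias);
            if (certificate == null) {
                throw new GeneralSecurityException("Could not get certificate from keystore");
            }
            String commonName = HopsUtil.extractCNFromSubject(
                    certificate.getSubjectX500Principal().getName("RFC2253"));
            if (commonName == null) {
                throw new KeyStoreException("Could not extract CN from client certificate");
            }
            return commonName;
        } catch (IOException | GeneralSecurityException e) {
            throw new HopsSecurityException(RESTCodes.SecurityErrorCode.CERT_CN_EXTRACT_ERROR, Level.SEVERE,
                    "certificateAlias: " + certificateAlias, e.getMessage(), e);
        }
    }

    /**
     * Validates the first non-CA-root certificate of a keystore against the intermediate CA and returns
     * its subject.
     *
     * @param keystoreBytes    serialized keystore in the JVM's default keystore format
     * @param keystorePassword password protecting the keystore
     * @return the subject DN of the validated certificate in RFC 2253 form
     * @throws GeneralSecurityException if the keystore holds no usable certificate or validation fails
     * @throws IOException              if the keystore cannot be read
     */
    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    public String validateCertificate(byte[] keystoreBytes, char[] keystorePassword)
            throws GeneralSecurityException, IOException {
        X509Certificate certificate = getCertificateFromKeyStore(keystoreBytes, keystorePassword, null);
        if (certificate == null) {
            throw new GeneralSecurityException("Could not get certificate from keystore");
        }
        this.opensslOperations.validateCertificate(certificate, PKI.CAType.INTERMEDIATE);
        return certificate.getSubjectX500Principal().getName("RFC2253");
    }

    /**
     * Loads a keystore from memory and returns one of its certificates.
     *
     * <p>When {@code alias} is {@code null}, the first alias that is not {@value #CA_ROOT_ALIAS} is
     * used; if the keystore holds only the CA root, that entry is returned. Aliases are lower-cased
     * with {@link Locale#ROOT} so the lookup does not depend on the JVM's default locale.
     *
     * @param keystoreBytes    serialized keystore in the JVM's default keystore format
     * @param keystorePassword password protecting the keystore
     * @param alias            entry to read, or {@code null} to auto-select
     * @return the X.509 certificate, or {@code null} if the keystore is empty, the alias is unknown or the
     *         entry is not an X.509 certificate (callers map {@code null} to "could not get certificate")
     * @throws GeneralSecurityException if the keystore cannot be instantiated or loaded
     * @throws IOException              if the keystore bytes cannot be parsed or the password is wrong
     */
    private X509Certificate getCertificateFromKeyStore(byte[] keystoreBytes, char[] keystorePassword, String alias)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        try (ByteArrayInputStream in = new ByteArrayInputStream(keystoreBytes)) {
            keyStore.load(in, keystorePassword);
        }

        String selectedAlias = alias;
        if (selectedAlias == null) {
            Enumeration<String> aliases = keyStore.aliases();
            while (aliases.hasMoreElements()) {
                selectedAlias = aliases.nextElement();
                if (!CA_ROOT_ALIAS.equals(selectedAlias)) {
                    break;
                }
            }
            if (selectedAlias == null) {
                // Empty keystore: report "no certificate" rather than failing with a NullPointerException,
                // which would escape the callers' IOException/GeneralSecurityException handling.
                return null;
            }
        }

        Certificate certificate = keyStore.getCertificate(selectedAlias.toLowerCase(Locale.ROOT));
        if (certificate instanceof X509Certificate) {
            return (X509Certificate) certificate;
        }
        return null;
    }
}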
