package io.hops.hopsworks.common.security;

import io.hops.hopsworks.common.exception.RESTCodes;
import io.hops.hopsworks.common.hdfs.Utils;
import io.hops.hopsworks.common.security.PKI;
import io.hops.hopsworks.common.util.Settings;
import io.hops.hopsworks.common.util.SystemCommandExecutor;
import java.io.File;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Base64;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.ejb.AccessTimeout;
import javax.ejb.ConcurrencyManagement;
import javax.ejb.ConcurrencyManagementType;
import javax.ejb.DependsOn;
import javax.ejb.EJB;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Singleton;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import org.apache.commons.io.FileUtils;

@DependsOn({"Settings"})
@ConcurrencyManagement(ConcurrencyManagementType.CONTAINER)
@Singleton
@AccessTimeout(120000)
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
/* loaded from: input_file:io/hops/hopsworks/common/security/OpensslOperations.class */
public class OpensslOperations {
    private static final Logger LOG = Logger.getLogger(OpensslOperations.class.getName());
    private static final String SUDO = "/usr/bin/sudo";
    private static final String OPENSSL = "openssl";
    private final Base64.Encoder b64encoder = Base64.getEncoder();

    @EJB
    private Settings settings;

    @EJB
    private PKI pki;

    @Lock(LockType.WRITE)
    public String createUserCertificate(String str, String str2, String str3, String str4, String str5, String str6, String str7, String str8) throws IOException {
        return createServiceCertificate(Utils.getProjectUsername(str, str2), str3, str4, str5, str6, str7, str8);
    }

    @Lock(LockType.WRITE)
    public String createServiceCertificate(String str, String str2, String str3, String str4, String str5, String str6, String str7) throws IOException {
        String cAParentPath = this.pki.getCAParentPath(PKI.CAType.INTERMEDIATE);
        File file = this.pki.getCertPath(PKI.CAType.INTERMEDIATE, str).toFile();
        File file2 = this.pki.getKeyPath(PKI.CAType.INTERMEDIATE, str).toFile();
        if (file.exists() || file2.exists()) {
            String str8 = "X.509 key-pair already exists in " + file.getAbsolutePath() + " and " + file2.getAbsolutePath();
            LOG.log(Level.SEVERE, str8);
            throw new IOException(str8);
        }
        ArrayList arrayList = new ArrayList(9);
        arrayList.add(SUDO);
        arrayList.add(Paths.get(cAParentPath, Settings.SSL_CREATE_CERT_SCRIPTNAME).toString());
        arrayList.add(str);
        arrayList.add(str2);
        arrayList.add(str3);
        arrayList.add(str4);
        arrayList.add(str5);
        arrayList.add(str6);
        arrayList.add(str7);
        return executeCommand(arrayList, false);
    }

    @Lock(LockType.WRITE)
    public String deleteUserCertificate(String str) throws IOException {
        String cAParentPath = this.pki.getCAParentPath(PKI.CAType.INTERMEDIATE);
        ArrayList arrayList = new ArrayList(3);
        arrayList.add(SUDO);
        arrayList.add(Paths.get(cAParentPath, Settings.SSL_DELETE_CERT_SCRIPTNAME).toString());
        arrayList.add(str);
        return executeCommand(arrayList, false);
    }

    @Lock(LockType.WRITE)
    public String deleteProjectCertificate(String str) throws IOException {
        String cAParentPath = this.pki.getCAParentPath(PKI.CAType.INTERMEDIATE);
        ArrayList arrayList = new ArrayList(3);
        arrayList.add(SUDO);
        arrayList.add(Paths.get(cAParentPath, Settings.SSL_DELETE_PROJECT_CERTS_SCRIPTNAME).toString());
        arrayList.add(str);
        return executeCommand(arrayList, false);
    }

    public boolean isPresentProjectCertificates(String str) {
        String[] list = this.pki.getCACertPath(PKI.CAType.INTERMEDIATE).toFile().list();
        if (list == null || list.length <= 0) {
            return false;
        }
        for (String str2 : list) {
            if (str2.startsWith(str + "__")) {
                return true;
            }
        }
        return false;
    }

    @Lock(LockType.WRITE)
    public String signCertificateRequest(String str, CertificateType certificateType) throws IOException {
        File createTempFile = File.createTempFile(System.getProperty("java.io.tmpdir"), ".csr");
        try {
            FileUtils.writeStringToFile(createTempFile, str);
            if (!verifyCSR(createTempFile)) {
                return null;
            }
            String signCSR = signCSR(createTempFile, str, certificateType);
            createTempFile.delete();
            return signCSR;
        } finally {
            createTempFile.delete();
        }
    }

    @Lock(LockType.WRITE)
    public void revokeCertificate(String str, CertificateType certificateType, boolean z, boolean z2) throws IOException, CAException {
        revokeCertificate(str, CertificatesMgmService.CERTIFICATE_SUFFIX, certificateType, z, z2);
    }

    @Lock(LockType.WRITE)
    public void revokeCertificate(String str, String str2, CertificateType certificateType, boolean z, boolean z2) throws IOException, CAException {
        LOG.log(Level.FINE, "Revoking certificate " + str + str2);
        PKI.CAType responsibileCA = this.pki.getResponsibileCA(certificateType);
        String path = this.pki.getCAConfPath(responsibileCA).toString();
        Path path2 = Paths.get(this.pki.getCACertsDir(responsibileCA).toString(), str + str2);
        File file = path2.toFile();
        if (!file.exists()) {
            throw new CAException(RESTCodes.CAErrorCode.CERTNOTFOUND, Level.WARNING, certificateType);
        }
        ArrayList arrayList = new ArrayList();
        arrayList.add(OPENSSL);
        arrayList.add("ca");
        arrayList.add("-batch");
        arrayList.add("-config");
        arrayList.add(path);
        arrayList.add("-passin");
        arrayList.add("pass:" + this.pki.getCAKeyPassword(responsibileCA));
        arrayList.add("-revoke");
        arrayList.add(path2.toString());
        executeCommand(arrayList, false);
        if (z) {
            createCRL(responsibileCA);
        }
        if (z2) {
            file.delete();
        }
    }

    @Lock(LockType.WRITE)
    public void pruneDatabase(PKI.CAType cAType) throws IOException {
        LOG.log(Level.FINE, "Pruning OpenSSL database");
        String path = this.pki.getCAConfPath(cAType).toString();
        ArrayList arrayList = new ArrayList();
        arrayList.add(OPENSSL);
        arrayList.add("ca");
        arrayList.add("-batch");
        arrayList.add("-config");
        arrayList.add(path);
        arrayList.add("-updatedb");
        arrayList.add("-passin");
        arrayList.add("pass:" + this.pki.getCAKeyPassword(cAType));
        executeCommand(arrayList, false);
    }

    @Lock(LockType.WRITE)
    public String createAndReadCRL(PKI.CAType cAType) throws IOException {
        createCRL(cAType);
        return FileUtils.readFileToString(this.pki.getCACRLPath(cAType).toFile());
    }

    @Lock(LockType.WRITE)
    public void createCRL(PKI.CAType cAType) throws IOException {
        pruneDatabase(cAType);
        LOG.log(Level.FINE, "Creating Certificate Revocation List");
        String path = this.pki.getCAConfPath(cAType).toString();
        String path2 = this.pki.getCACRLPath(cAType).toString();
        ArrayList arrayList = new ArrayList(10);
        arrayList.add(OPENSSL);
        arrayList.add("ca");
        arrayList.add("-batch");
        arrayList.add("-config");
        arrayList.add(path);
        arrayList.add("-gencrl");
        arrayList.add("-passin");
        arrayList.add("pass:" + this.pki.getCAKeyPassword(cAType));
        arrayList.add("-out");
        arrayList.add(path2);
        executeCommand(arrayList, false);
        LOG.log(Level.FINE, "Created CRL");
    }

    @Lock(LockType.WRITE)
    public void validateCertificate(X509Certificate x509Certificate, PKI.CAType cAType) throws IOException {
        File createTempFile = File.createTempFile("cert-", ".pem");
        try {
            try {
                FileWriter fileWriter = new FileWriter(createTempFile, false);
                Throwable th = null;
                try {
                    try {
                        fileWriter.write("-----BEGIN CERTIFICATE-----");
                        fileWriter.write("\n");
                        fileWriter.write(this.b64encoder.encodeToString(x509Certificate.getEncoded()));
                        fileWriter.write("\n");
                        fileWriter.write("-----END CERTIFICATE-----");
                        fileWriter.flush();
                        ArrayList arrayList = new ArrayList();
                        arrayList.add(OPENSSL);
                        arrayList.add("verify");
                        arrayList.add("-CAfile");
                        arrayList.add(this.pki.getChainOfTrustFilePath(cAType).toString());
                        arrayList.add("-crl_check");
                        arrayList.add("-CRLfile");
                        arrayList.add(this.pki.getCACRLPath(cAType).toString());
                        arrayList.add(createTempFile.getAbsolutePath());
                        executeCommand(arrayList, false);
                        if (fileWriter != null) {
                            if (0 != 0) {
                                try {
                                    fileWriter.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            } else {
                                fileWriter.close();
                            }
                        }
                    } finally {
                    }
                } catch (Throwable th3) {
                    if (fileWriter != null) {
                        if (th != null) {
                            try {
                                fileWriter.close();
                            } catch (Throwable th4) {
                                th.addSuppressed(th4);
                            }
                        } else {
                            fileWriter.close();
                        }
                    }
                    throw th3;
                }
            } catch (GeneralSecurityException e) {
                throw new IOException(e);
            }
        } finally {
            createTempFile.delete();
        }
    }

    private boolean verifyCSR(File file) throws IOException {
        LOG.log(Level.FINE, "Verifying Certificate Signing Request...");
        ArrayList arrayList = new ArrayList(6);
        arrayList.add(OPENSSL);
        arrayList.add("req");
        arrayList.add("-in");
        arrayList.add(file.getAbsolutePath());
        arrayList.add("-noout");
        arrayList.add("-verify");
        if (!executeCommand(arrayList, true).contains("verify OK")) {
            return false;
        }
        LOG.log(Level.INFO, "CSR verification passed for " + file.getAbsolutePath());
        return true;
    }

    private String signCSR(File file, String str, CertificateType certificateType) throws IOException {
        LOG.log(Level.FINE, "Signing Certificate Signing Request...");
        PKI.CAType responsibileCA = this.pki.getResponsibileCA(certificateType);
        String path = this.pki.getCAConfPath(responsibileCA).toString();
        String effectiveExtensions = this.pki.getEffectiveExtensions(responsibileCA);
        String path2 = Paths.get(this.settings.getHopsworksDomainDir(), "bin", "global-ca-sign-csr.sh").toString();
        try {
            String certFileName = this.pki.getCertFileName(certificateType, this.pki.getKeyValuesFromSubject(getSubjectFromCSR(str)));
            long validityPeriod = this.pki.getValidityPeriod(certificateType);
            File file2 = this.pki.getCertPath(responsibileCA, certFileName).toFile();
            ArrayList arrayList = new ArrayList();
            arrayList.add(SUDO);
            arrayList.add(path2);
            arrayList.add(path);
            arrayList.add(this.pki.getCAKeyPassword(responsibileCA));
            arrayList.add(effectiveExtensions);
            arrayList.add(file.getAbsolutePath());
            arrayList.add(file2.getAbsolutePath());
            arrayList.add(String.valueOf(validityPeriod));
            LOG.log(Level.FINE, executeCommand(arrayList, false));
            LOG.log(Level.INFO, "Signed CSR");
            return FileUtils.readFileToString(file2);
        } catch (IOException e) {
            LOG.log(Level.SEVERE, "Error while extracting CN out of CSR", (Throwable) e);
            throw e;
        }
    }

    @Lock(LockType.WRITE)
    public String getSerialNumberFromCert(String str) throws IOException {
        File createTempFile = File.createTempFile(System.getProperty("java.io.tmpdir"), ".pem");
        FileUtils.writeStringToFile(createTempFile, str);
        ArrayList arrayList = new ArrayList();
        arrayList.add(OPENSSL);
        arrayList.add("x509");
        arrayList.add("-in");
        arrayList.add(createTempFile.getAbsolutePath());
        arrayList.add("-noout");
        arrayList.add("-serial");
        return executeCommand(arrayList, true);
    }

    @Lock(LockType.WRITE)
    public String getSubjectFromCSR(String str) throws IOException {
        File createTempFile = File.createTempFile(System.getProperty("java.io.tmpdir"), ".csr");
        FileUtils.writeStringToFile(createTempFile, str);
        ArrayList arrayList = new ArrayList();
        arrayList.add(OPENSSL);
        arrayList.add("req");
        arrayList.add("-in");
        arrayList.add(createTempFile.getAbsolutePath());
        arrayList.add("-noout");
        arrayList.add("-subject");
        return executeCommand(arrayList, true);
    }

    private String executeCommand(List<String> list, boolean z) throws IOException {
        SystemCommandExecutor systemCommandExecutor = new SystemCommandExecutor(list, z);
        try {
            int executeCommand = systemCommandExecutor.executeCommand();
            String trim = systemCommandExecutor.getStandardOutputFromCommand().trim();
            String trim2 = systemCommandExecutor.getStandardErrorFromCommand().trim();
            if (executeCommand != 0) {
                throw new IOException(trim2);
            }
            return trim;
        } catch (InterruptedException e) {
            LOG.log(Level.SEVERE, "Error while waiting for OpenSSL command to execute");
            throw new IOException(e);
        }
    }
}
