package io.hops.hopsworks.common.security;

import io.hops.hopsworks.common.dao.certificates.CertsFacade;
import io.hops.hopsworks.common.dao.certificates.ProjectGenericUserCerts;
import io.hops.hopsworks.common.dao.certificates.UserCerts;
import io.hops.hopsworks.common.dao.command.SystemCommand;
import io.hops.hopsworks.common.dao.command.SystemCommandFacade;
import io.hops.hopsworks.common.dao.dela.certs.ClusterCertificate;
import io.hops.hopsworks.common.dao.dela.certs.ClusterCertificateFacade;
import io.hops.hopsworks.common.dao.host.Hosts;
import io.hops.hopsworks.common.dao.host.HostsFacade;
import io.hops.hopsworks.common.dao.project.ProjectFacade;
import io.hops.hopsworks.common.dao.user.UserFacade;
import io.hops.hopsworks.common.dao.user.Users;
import io.hops.hopsworks.common.exception.EncryptionMasterPasswordException;
import io.hops.hopsworks.common.message.MessageController;
import io.hops.hopsworks.common.util.HopsUtils;
import io.hops.hopsworks.common.util.Settings;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantLock;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.ejb.AccessTimeout;
import javax.ejb.Asynchronous;
import javax.ejb.ConcurrencyManagement;
import javax.ejb.ConcurrencyManagementType;
import javax.ejb.EJB;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Singleton;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.io.FileUtils;

@Singleton
@ConcurrencyManagement(ConcurrencyManagementType.CONTAINER)
/* loaded from: input_file:io/hops/hopsworks/common/security/CertificatesMgmService.class */
public class CertificatesMgmService {
    public static final String CERTIFICATE_SUFFIX = ".cert.pem";

    @EJB
    private Settings settings;

    @EJB
    private UserFacade userFacade;

    @EJB
    private ProjectFacade projectFacade;

    @EJB
    private CertsFacade certsFacade;

    @EJB
    private ClusterCertificateFacade clusterCertificateFacade;

    @EJB
    private MessageController messageController;

    @EJB
    private SystemCommandFacade systemCommandFacade;

    @EJB
    private HostsFacade hostsFacade;

    @EJB
    private OpensslOperations opensslOperations;

    @EJB
    private ServiceCertificateRotationTimer serviceCertificateRotationTimer;
    private File masterPasswordFile;
    private final Logger LOG = Logger.getLogger(CertificatesMgmService.class.getName());
    private final Map<Class, MasterPasswordChangeHandler> handlersMap = new ConcurrentHashMap();
    private final ReentrantLock opensslLock = new ReentrantLock(true);

    /* loaded from: input_file:io/hops/hopsworks/common/security/CertificatesMgmService$MasterPasswordChangeHandler.class */
    public interface MasterPasswordChangeHandler<T> {
        void setFacade(T t);

        List<String> handleMasterPasswordChange(String str, String str2) throws EncryptionMasterPasswordException;

        void rollback();

        default String getNewUserPassword(String str, String str2, String str3, String str4) throws Exception {
            return HopsUtils.encrypt(str, HopsUtils.decrypt(str, str2, str3), str4);
        }
    }

    @PostConstruct
    public void init() {
        PosixFileAttributeView posixFileAttributeView;
        Set<PosixFilePermission> permissions;
        boolean contains;
        boolean contains2;
        boolean contains3;
        boolean contains4;
        boolean contains5;
        boolean contains6;
        boolean contains7;
        boolean contains8;
        boolean contains9;
        this.masterPasswordFile = new File(this.settings.getHopsworksMasterEncPasswordFile());
        if (!this.masterPasswordFile.exists()) {
            throw new IllegalStateException("Master encryption file does not exist");
        }
        try {
            posixFileAttributeView = (PosixFileAttributeView) Files.getFileAttributeView(this.masterPasswordFile.toPath(), PosixFileAttributeView.class, LinkOption.NOFOLLOW_LINKS);
            permissions = posixFileAttributeView.readAttributes().permissions();
            contains = permissions.contains(PosixFilePermission.OWNER_READ);
            contains2 = permissions.contains(PosixFilePermission.OWNER_WRITE);
            contains3 = permissions.contains(PosixFilePermission.OWNER_EXECUTE);
            contains4 = permissions.contains(PosixFilePermission.GROUP_READ);
            contains5 = permissions.contains(PosixFilePermission.GROUP_WRITE);
            contains6 = permissions.contains(PosixFilePermission.GROUP_EXECUTE);
            contains7 = permissions.contains(PosixFilePermission.OTHERS_READ);
            contains8 = permissions.contains(PosixFilePermission.OTHERS_WRITE);
            contains9 = permissions.contains(PosixFilePermission.OTHERS_EXECUTE);
        } catch (IOException e) {
            throw new IllegalStateException("Error while getting POSIX permissions of " + this.masterPasswordFile.getAbsolutePath());
        } catch (UnsupportedOperationException e2) {
            this.LOG.log(Level.WARNING, "Associated filesystem is not POSIX compliant. Continue without checking the permissions of " + this.masterPasswordFile.getAbsolutePath() + " This might be a security problem.");
        }
        if (!contains || !contains2 || !contains3 || contains4 || contains5 || contains6 || contains7 || contains8 || contains9) {
            throw new IllegalStateException("Wrong permissions for file " + this.masterPasswordFile.getAbsolutePath() + ", it should be 700");
        }
        this.LOG.log(Level.INFO, "Passed permissions check for file " + this.masterPasswordFile.getAbsolutePath() + ". Owner: " + posixFileAttributeView.readAttributes().owner().getName() + " Group: " + posixFileAttributeView.readAttributes().group().getName() + " Permissions: " + PosixFilePermissions.toString(permissions));
        PSUserCertsMasterPasswordHandler pSUserCertsMasterPasswordHandler = new PSUserCertsMasterPasswordHandler(this.userFacade);
        pSUserCertsMasterPasswordHandler.setFacade((PSUserCertsMasterPasswordHandler) this.certsFacade);
        registerMasterPasswordChangeHandler(UserCerts.class, pSUserCertsMasterPasswordHandler);
        PGUserCertsMasterPasswordHandler pGUserCertsMasterPasswordHandler = new PGUserCertsMasterPasswordHandler(this.projectFacade);
        pGUserCertsMasterPasswordHandler.setFacade((PGUserCertsMasterPasswordHandler) this.certsFacade);
        registerMasterPasswordChangeHandler(ProjectGenericUserCerts.class, pGUserCertsMasterPasswordHandler);
        DelaCertsMasterPasswordHandler delaCertsMasterPasswordHandler = new DelaCertsMasterPasswordHandler(this.settings);
        delaCertsMasterPasswordHandler.setFacade((DelaCertsMasterPasswordHandler) this.clusterCertificateFacade);
        registerMasterPasswordChangeHandler(ClusterCertificate.class, delaCertsMasterPasswordHandler);
    }

    public ReentrantLock getOpensslLock() {
        return this.opensslLock;
    }

    @AccessTimeout(value = 3, unit = TimeUnit.SECONDS)
    @Lock(LockType.READ)
    public String getMasterEncryptionPassword() throws IOException {
        return FileUtils.readFileToString(this.masterPasswordFile).trim();
    }

    @AccessTimeout(value = 3, unit = TimeUnit.SECONDS)
    @Lock(LockType.READ)
    public void checkPassword(String str, String str2) throws IOException, EncryptionMasterPasswordException {
        if (getMasterEncryptionPassword().equals(DigestUtils.sha256Hex(str))) {
            return;
        }
        Users findByEmail = this.userFacade.findByEmail(str2);
        if (findByEmail != null) {
            this.LOG.log(Level.INFO, "*** Attempt to change master encryption password with wrong credentials by user <" + findByEmail.getUsername() + ">");
        } else {
            this.LOG.log(Level.INFO, "*** Attempt to change master encryption password with wrong credentials");
        }
        throw new EncryptionMasterPasswordException("Provided password is incorrect");
    }

    @AccessTimeout(500)
    @Lock(LockType.WRITE)
    @Asynchronous
    public void resetMasterEncryptionPassword(String str, String str2) {
        try {
            String sha256Hex = DigestUtils.sha256Hex(str);
            List<String> callUpdateHandlers = callUpdateHandlers(sha256Hex);
            updateMasterEncryptionPassword(sha256Hex);
            sendSuccessfulMessage(callUpdateHandlers, str2);
            this.LOG.log(Level.INFO, "Master encryption password changed!");
        } catch (EncryptionMasterPasswordException e) {
            this.LOG.log(Level.SEVERE, "*** Master encryption password update failed!!! Rolling back...", (Throwable) e);
            callRollbackHandlers();
            sendUnsuccessfulMessage("*** Master encryption password update failed!!! Rolling back...\n" + e.getMessage(), str2);
        } catch (IOException e2) {
            String str3 = "*** Failed to write new encryption password to file: " + this.masterPasswordFile.getAbsolutePath() + ". Rolling back...";
            this.LOG.log(Level.SEVERE, str3, (Throwable) e2);
            callRollbackHandlers();
            sendUnsuccessfulMessage(str3 + "\n" + e2.getMessage(), str2);
        }
    }

    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public void issueServiceKeyRotationCommand() {
        Iterator<Hosts> it = this.hostsFacade.find().iterator();
        while (it.hasNext()) {
            this.systemCommandFacade.persist(new SystemCommand(it.next(), SystemCommandFacade.OP.SERVICE_KEY_ROTATION));
        }
    }

    @TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
    public void deleteServiceCertificate(Hosts hosts, Integer num) throws IOException, CAException {
        try {
            this.opensslOperations.revokeCertificate(hosts.getHostname(), this.serviceCertificateRotationTimer.getToBeRevokedSuffix(Integer.toString(num.intValue())), CertificateType.HOST, true, true);
        } catch (IllegalArgumentException e) {
        }
    }

    private List<String> callUpdateHandlers(String str) throws EncryptionMasterPasswordException, IOException {
        ArrayList arrayList = new ArrayList();
        for (Map.Entry<Class, MasterPasswordChangeHandler> entry : this.handlersMap.entrySet()) {
            this.LOG.log(Level.FINE, "Calling master password UPDATE handler for <" + entry.getKey().getName() + ">");
            arrayList.addAll(entry.getValue().handleMasterPasswordChange(getMasterEncryptionPassword(), str));
        }
        return arrayList;
    }

    private void callRollbackHandlers() {
        for (Map.Entry<Class, MasterPasswordChangeHandler> entry : this.handlersMap.entrySet()) {
            this.LOG.log(Level.SEVERE, "Calling master password ROLLBACK handler for <" + entry.getKey().getName() + ">");
            entry.getValue().rollback();
        }
    }

    private void registerMasterPasswordChangeHandler(Class cls, MasterPasswordChangeHandler masterPasswordChangeHandler) {
        this.handlersMap.putIfAbsent(cls, masterPasswordChangeHandler);
    }

    private void updateMasterEncryptionPassword(String str) throws IOException {
        FileUtils.writeStringToFile(this.masterPasswordFile, str);
    }

    private void sendSuccessfulMessage(List<String> list, String str) {
        StringBuilder sb = new StringBuilder();
        sb.append("CertificateMgmService successfully updated the following certificates password:").append("\n");
        list.stream().forEach(str2 -> {
            sb.append("* ").append(str2).append("\n");
        });
        sendInbox(sb.toString(), "Changed successfully", str);
    }

    private void sendUnsuccessfulMessage(String str, String str2) {
        sendInbox(str, "Change failed!", str2);
    }

    private void sendInbox(String str, String str2, String str3) {
        this.messageController.send(this.userFacade.findByEmail(str3), this.userFacade.findByEmail(Settings.SITE_EMAIL), "Master encryption password changed", str2, str, "");
    }
}
