package io.hops.hopsworks.common.security;

import io.hops.hopsworks.common.dao.certificates.CertsFacade;
import io.hops.hopsworks.common.dao.certificates.UserCerts;
import io.hops.hopsworks.common.dao.project.Project;
import io.hops.hopsworks.common.dao.user.Users;
import io.hops.hopsworks.common.proxies.CAProxy;
import io.hops.hopsworks.common.util.HopsUtils;
import io.hops.hopsworks.common.util.Settings;
import io.hops.hopsworks.exceptions.GenericException;
import io.hops.hopsworks.exceptions.HopsSecurityException;
import io.hops.hopsworks.restutils.RESTCodes;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.StringReader;
import java.io.StringWriter;
import java.io.UnsupportedEncodingException;
import java.math.BigInteger;
import java.nio.charset.StandardCharsets;
import java.security.Key;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Security;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Set;
import java.util.concurrent.Future;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.annotation.PostConstruct;
import javax.ejb.AsyncResult;
import javax.ejb.Asynchronous;
import javax.ejb.ConcurrencyManagement;
import javax.ejb.ConcurrencyManagementType;
import javax.ejb.EJB;
import javax.ejb.Singleton;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.enterprise.inject.Any;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.asn1.x500.X500NameBuilder;
import org.bouncycastle.asn1.x500.style.BCStyle;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.javatuples.Pair;

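/**
 * Issues and revokes X.509 certificates for project members (and Dela clusters) through the
 * certificate authority reached via {@link CAProxy}.
 *
 * <p>A project-member certificate is produced by generating an RSA key pair locally, sending a
 * PKCS#10 CSR for the common name {@code <project>__<username>} to the CA, and packaging the
 * reply into a JKS keystore (private key, signed certificate, intermediate CA) and a JKS
 * truststore (root CA). Both stores are protected with a fresh random password, which is persisted
 * in encrypted form next to the stores through {@link CertsFacade}.
 *
 * <p>The bean is a singleton with bean-managed concurrency, so the shared
 * {@code keyPairGenerator} and {@code certificateFactory} are used by concurrent callers without
 * any locking. NOTE(review): the JDK does not document either class as thread-safe; confirm this is
 * acceptable or switch to per-call instances.
 */
@Singleton
@TransactionAttribute(TransactionAttributeType.NEVER)
@ConcurrencyManagement(ConcurrencyManagementType.BEAN)
public class CertificatesController {
    private static final Logger LOGGER = Logger.getLogger(CertificatesController.class.getName());
    private static final String SECURITY_PROVIDER = "BC";
    private static final String KEY_ALGORITHM = "RSA";
    private static final String SIGNATURE_ALGORITHM = "SHA256withRSA";
    private static final String CERTIFICATE_TYPE = "X.509";
    private static final String KEYSTORE_TYPE = "JKS";
    private static final String PEM_CSR_TYPE = "CERTIFICATE REQUEST";
    /** Alias under which the root CA certificate is stored in the truststore. */
    private static final String ROOT_CA_ALIAS = "hops_root_ca";
    /** Separator between project name and username in certificate common names. */
    private static final String NAME_SEPARATOR = "__";
    /** Length of the random keystore/truststore password. */
    private static final int KEYSTORE_PASSWORD_LENGTH = 64;
    // 1024-bit RSA is below the generally accepted minimum for new keys; 2048 is the smallest
    // size current guidance still considers adequate.
    private static final int KEY_SIZE = 2048;

    @EJB
    private CertsFacade certsFacade;

    @EJB
    private CertificatesMgmService certificatesMgmService;

    @EJB
    private Settings settings;

    @Inject
    @Any
    private Instance<CertificateHandler> certificateHandlers;

    @EJB
    private CAProxy caProxy;
    /** Set by {@link #init()}; stays {@code null} when provider initialisation failed. */
    private KeyPairGenerator keyPairGenerator = null;
    /** Set by {@link #init()}; stays {@code null} when provider initialisation failed. */
    private CertificateFactory certificateFactory = null;

    /**
     * Identifies the (project, user) pair whose certificates were generated.
     *
     * <p>Declared {@code static} so the result handed back through the {@link Future} does not
     * capture a reference to the enclosing bean.
     */
    public static class CertsResult {
        private final String projectName;
        private final String username;

        /**
         * @param projectName name of the project the certificate belongs to
         * @param username    user the certificate was issued for
         */
        public CertsResult(String projectName, String username) {
            this.projectName = projectName;
            this.username = username;
        }

        /** @return the project name. */
        public String getProjectName() {
            return this.projectName;
        }

        /** @return the username. */
        public String getUsername() {
            return this.username;
        }
    }

    /**
     * Which CA endpoint a CSR is signed by / a certificate is revoked at.
     * {@link #toString()} yields the endpoint path segment.
     */
    private enum Endpoint {
        PROJECT("project"),
        DELA("dela");

        private final String endpointPath;

        Endpoint(String endpointPath) {
            this.endpointPath = endpointPath;
        }

        @Override
        public String toString() {
            return this.endpointPath;
        }
    }

    /**
     * Registers the BouncyCastle provider and prepares the RSA key-pair generator and the X.509
     * certificate factory used on the certificate-creation path.
     *
     * <p>Failures are logged rather than propagated so the bean still deploys; certificate
     * generation then fails with an explicit {@link HopsSecurityException} (see
     * {@link #ensureInitialized()}) instead of a {@code NullPointerException}.
     */
    @PostConstruct
    public void init() {
        Security.addProvider(new BouncyCastleProvider());
        try {
            this.keyPairGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM, SECURITY_PROVIDER);
            this.keyPairGenerator.initialize(KEY_SIZE);
            this.certificateFactory = CertificateFactory.getInstance(CERTIFICATE_TYPE);
        } catch (Exception e) {
            // Container lifecycle boundary: log and keep the bean deployable.
            LOGGER.log(Level.SEVERE, "Could not initialize the key generator", e);
        }
    }

    /**
     * Asynchronously creates the project-specific certificate material for {@code users} in
     * {@code project}.
     *
     * <p>Steps: draw a random keystore password, encrypt it with
     * {@link HopsUtils#encrypt} (inputs: the user's password and the master encryption password),
     * obtain a CA-signed certificate, persist keystore, truststore and encrypted password through
     * {@link CertsFacade#putUserCerts}, then let every registered {@link CertificateHandler}
     * act on the new record.
     *
     * @param project project the certificate is issued for
     * @param users   user the certificate is issued for
     * @return a completed future carrying the (project, user) pair
     * @throws Exception any failure from the CA, the keystore packaging, persistence or a handler
     */
    @Asynchronous
    public Future<CertsResult> generateCertificates(Project project, Users users) throws Exception {
        String keystorePassword = HopsUtils.randomString(KEYSTORE_PASSWORD_LENGTH);
        String encryptedPassword = HopsUtils.encrypt(users.getPassword(), keystorePassword,
            this.certificatesMgmService.getMasterEncryptionPassword());
        Pair<KeyStore, KeyStore> stores =
            generateStores(certificateName(project, users), keystorePassword, Endpoint.PROJECT);
        UserCerts userCerts = this.certsFacade.putUserCerts(project.getName(), users.getUsername(),
            convertKeystoreToByteArray(stores.getValue0(), keystorePassword),
            convertKeystoreToByteArray(stores.getValue1(), keystorePassword),
            encryptedPassword);
        for (CertificateHandler handler : this.certificateHandlers) {
            handler.generate(project, users, userCerts);
        }
        LOGGER.log(Level.FINE, "Created project generic certificates for project: {0}", project.getName());
        return new AsyncResult<>(new CertsResult(project.getName(), users.getUsername()));
    }

    /**
     * Revokes the certificates of every member of {@code project}.
     *
     * @param project project whose members' certificates are revoked
     * @throws GenericException      propagated from the CA proxy
     * @throws HopsSecurityException propagated from the CA proxy
     * @throws IOException           propagated from the certificate handlers
     */
    public void revokeProjectCertificates(Project project) throws GenericException, HopsSecurityException, IOException {
        revokeProjectCertificates(project, null);
    }

    /**
     * Revokes the certificates of every member of {@code project}, plus {@code users} if given
     * (for a user that is no longer in the team collection).
     *
     * <p>Members are processed one at a time and the first failure propagates, so a CA error
     * leaves the remaining members' certificates unrevoked; callers that need all-or-nothing
     * behaviour must retry.
     *
     * @param project project whose members' certificates are revoked
     * @param users   additional user to revoke, or {@code null}
     * @throws GenericException      propagated from the CA proxy
     * @throws HopsSecurityException propagated from the CA proxy
     * @throws IOException           propagated from the certificate handlers
     */
    public void revokeProjectCertificates(Project project, Users users) throws GenericException, HopsSecurityException, IOException {
        // Collect into an explicitly mutable set: Collectors.toSet() makes no mutability promise.
        Set<Users> members = project.getProjectTeamCollection().stream()
            .map(teamMember -> teamMember.getUser())
            .collect(Collectors.toCollection(HashSet::new));
        if (users != null) {
            members.add(users);
        }
        for (Users member : members) {
            revokeCertificate(certificateName(project, member), Endpoint.PROJECT);
            for (CertificateHandler handler : this.certificateHandlers) {
                handler.revoke(project, member);
            }
        }
    }

    /**
     * Removes the stored certificates of {@code users} in {@code project}, revokes the certificate
     * at the CA and notifies every {@link CertificateHandler}.
     *
     * <p>The database record is removed before the CA call, so a CA failure leaves a revoked-in-DB
     * but still-valid certificate; the caller should surface the exception.
     *
     * @param project project the certificate belongs to
     * @param users   user whose certificate is revoked
     * @throws GenericException      propagated from the CA proxy
     * @throws HopsSecurityException propagated from the CA proxy
     * @throws IOException           propagated from the certificate handlers
     */
    public void revokeUserSpecificCertificates(Project project, Users users) throws GenericException, HopsSecurityException, IOException {
        String certName = certificateName(project, users);
        this.certsFacade.removeUserProjectCerts(project.getName(), users.getUsername());
        revokeCertificate(certName, Endpoint.PROJECT);
        for (CertificateHandler handler : this.certificateHandlers) {
            handler.revoke(project, users);
        }
    }

    /**
     * Sends a Dela cluster CSR to the CA's Dela endpoint.
     *
     * @param csr request to sign
     * @return the CSR object returned by the CA, carrying the signed certificate and chain
     * @throws GenericException             propagated from the CA proxy
     * @throws HopsSecurityException        propagated from the CA proxy
     * @throws UnsupportedEncodingException propagated from the CA proxy
     */
    public CSR signDelaClusterCertificate(CSR csr) throws GenericException, HopsSecurityException, UnsupportedEncodingException {
        return signCSR(csr, Endpoint.DELA);
    }

    /**
     * Revokes a Dela cluster certificate at the CA.
     *
     * @param str identifier of the certificate to revoke, as expected by {@link CAProxy#revokeDelaX509}
     * @throws GenericException      propagated from the CA proxy
     * @throws HopsSecurityException propagated from the CA proxy
     */
    public void revokeDelaClusterCertificate(String str) throws GenericException, HopsSecurityException {
        revokeCertificate(str, Endpoint.DELA);
    }

    /**
     * Parses a PEM-encoded X.509 certificate and returns its serial number.
     *
     * @param str PEM text of the certificate
     * @return the certificate serial number
     * @throws CertificateException if the text is not a parsable X.509 certificate
     */
    public BigInteger extractSerialNumberFromCert(String str) throws CertificateException {
        X509Certificate certificate = (X509Certificate) CertificateFactory.getInstance(CERTIFICATE_TYPE)
            .generateCertificate(new ByteArrayInputStream(str.getBytes(StandardCharsets.UTF_8)));
        return certificate.getSerialNumber();
    }

    /**
     * Parses a PEM-encoded PKCS#10 request and returns its subject name.
     *
     * @param str PEM text of the CSR
     * @return the subject of the request
     * @throws IOException if the text contains no PEM object or the request cannot be decoded
     */
    public X500Name extractSubjectFromCSR(String str) throws IOException {
        PemObject pemObject;
        try (PemReader pemReader = new PemReader(new StringReader(str))) {
            pemObject = pemReader.readPemObject();
        }
        if (pemObject == null) {
            // PemReader returns null rather than failing on input without a PEM block.
            throw new IOException("No PEM object found in the supplied CSR");
        }
        return new PKCS10CertificationRequest(pemObject.getContent()).getSubject();
    }

    /** Builds the {@code <project>__<username>} common name used for project certificates. */
    private static String certificateName(Project project, Users users) {
        return project.getName() + NAME_SEPARATOR + users.getUsername();
    }

    /** Fails with a typed error when {@link #init()} could not set up the crypto objects. */
    private void ensureInitialized() throws HopsSecurityException {
        if (this.keyPairGenerator == null || this.certificateFactory == null) {
            throw new HopsSecurityException(RESTCodes.SecurityErrorCode.CERT_CREATION_ERROR, Level.SEVERE,
                (String) null, "Certificate subsystem is not initialized; see the init() error in the server log");
        }
    }

    /**
     * Serialises a keystore, protecting it with {@code password}.
     *
     * @param keyStore store to serialise
     * @param password integrity/encryption password for the store
     * @return the store bytes
     */
    private byte[] convertKeystoreToByteArray(KeyStore keyStore, String password) throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException {
        ByteArrayOutputStream out = new ByteArrayOutputStream();
        keyStore.store(out, password.toCharArray());
        return out.toByteArray();
    }

    /**
     * Generates a key pair, has a CSR for {@code commonName} signed by {@code endpoint}, and packs
     * the result into a keystore/truststore pair.
     *
     * @param commonName subject CN and keystore alias
     * @param password   password protecting the private-key entry
     * @param endpoint   CA endpoint to sign with
     * @return (keystore, truststore)
     * @throws HopsSecurityException when the crypto objects are uninitialised or the CSR/keystore
     *                               building fails
     * @throws GenericException      propagated from the CA proxy
     */
    private Pair<KeyStore, KeyStore> generateStores(String commonName, String password, Endpoint endpoint) throws HopsSecurityException, GenericException {
        ensureInitialized();
        try {
            KeyPair keyPair = this.keyPairGenerator.generateKeyPair();
            CSR signed = signCSR(generateCSR(commonName, keyPair), endpoint);
            return buildStores(commonName, password, keyPair.getPrivate(), signed);
        } catch (OperatorCreationException | IOException e) {
            throw new HopsSecurityException(RESTCodes.SecurityErrorCode.CERT_CREATION_ERROR, Level.SEVERE, (String) null, (String) null, e);
        }
    }

    /**
     * Builds a PKCS#10 request with subject {@code CN=commonName}, signed with the pair's private
     * key, and wraps it in PEM.
     *
     * @param commonName value of the CN attribute
     * @param keyPair    key pair whose public key is certified
     * @return the PEM-encoded CSR
     */
    private CSR generateCSR(String commonName, KeyPair keyPair) throws OperatorCreationException, IOException {
        X500Name subject = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, commonName).build();
        PKCS10CertificationRequest request = new JcaPKCS10CertificationRequestBuilder(subject, keyPair.getPublic())
            .build(new JcaContentSignerBuilder(SIGNATURE_ALGORITHM)
                .setProvider(SECURITY_PROVIDER)
                .build(keyPair.getPrivate()));
        PemObject pemObject = new PemObject(PEM_CSR_TYPE, request.getEncoded());
        StringWriter stringWriter = new StringWriter();
        // Closing the PEM writer also closes the StringWriter; its content stays readable.
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(stringWriter)) {
            pemWriter.writeObject(pemObject);
        }
        return new CSR(stringWriter.toString());
    }

    /**
     * Forwards the CSR to the CA endpoint selected by {@code endpoint}.
     *
     * @throws HopsSecurityException for an endpoint this class does not know how to sign with
     */
    private CSR signCSR(CSR csr, Endpoint endpoint) throws HopsSecurityException, GenericException, UnsupportedEncodingException {
        switch (endpoint) {
            case PROJECT:
                return this.caProxy.signProjectCSR(csr);
            case DELA:
                return this.caProxy.signDelaCSR(csr);
            default:
                // Only reachable if a new Endpoint constant is added without a case here.
                throw new HopsSecurityException(RESTCodes.SecurityErrorCode.CSR_ERROR, Level.FINE, (String) null, "Unknown CSR type " + endpoint.toString());
        }
    }

    /**
     * Revokes {@code certificateName} at the CA endpoint selected by {@code endpoint}.
     *
     * @throws HopsSecurityException for an endpoint this class does not know how to revoke at
     */
    private void revokeCertificate(String certificateName, Endpoint endpoint) throws GenericException, HopsSecurityException {
        switch (endpoint) {
            case PROJECT:
                this.caProxy.revokeProjectX509(certificateName);
                return;
            case DELA:
                this.caProxy.revokeDelaX509(certificateName);
                return;
            default:
                // Only reachable if a new Endpoint constant is added without a case here.
                throw new HopsSecurityException(RESTCodes.SecurityErrorCode.CERTIFICATE_REVOKATION_ERROR, Level.FINE, (String) null, "Unknown revocation type " + endpoint.toString());
        }
    }

    /**
     * Packs the CA reply into two JKS stores: a keystore holding {@code privateKey} under
     * {@code alias} with the chain [signed certificate, intermediate CA], and a truststore holding
     * the root CA under {@link #ROOT_CA_ALIAS}.
     *
     * @param alias      alias of the key entry
     * @param password   password protecting the key entry
     * @param privateKey key matching the signed certificate
     * @param csr        CA reply carrying signed, intermediate and root certificates as PEM
     * @return (keystore, truststore)
     * @throws HopsSecurityException when any certificate cannot be parsed or a store cannot be built
     */
    private Pair<KeyStore, KeyStore> buildStores(String alias, String password, Key privateKey, CSR csr) throws HopsSecurityException {
        try {
            X509Certificate signedCert = parseCertificate(csr.getSignedCert());
            X509Certificate intermediateCa = parseCertificate(csr.getIntermediateCaCert());
            X509Certificate rootCa = parseCertificate(csr.getRootCaCert());

            KeyStore keyStore = newEmptyKeyStore();
            keyStore.setKeyEntry(alias, privateKey, password.toCharArray(), new X509Certificate[]{signedCert, intermediateCa});

            KeyStore trustStore = newEmptyKeyStore();
            trustStore.setCertificateEntry(ROOT_CA_ALIAS, rootCa);
            return new Pair<>(keyStore, trustStore);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new HopsSecurityException(RESTCodes.SecurityErrorCode.CERT_CREATION_ERROR, Level.SEVERE, (String) null, (String) null, e);
        }
    }

    /** Parses one PEM-encoded X.509 certificate with the shared certificate factory. */
    private X509Certificate parseCertificate(String pem) throws CertificateException {
        return (X509Certificate) this.certificateFactory.generateCertificate(
            new ByteArrayInputStream(pem.getBytes(StandardCharsets.UTF_8)));
    }

    /** Creates an empty, in-memory JKS store. */
    private static KeyStore newEmptyKeyStore() throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        KeyStore keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        keyStore.load(null, null);
        return keyStore;
    }
}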
