package io.hops.hopsworks.common.security.secrets;

import com.google.common.base.Strings;
import io.hops.hopsworks.common.dao.kafka.KafkaConst;
import io.hops.hopsworks.common.dao.project.ProjectFacade;
import io.hops.hopsworks.common.dao.project.team.ProjectTeamFacade;
import io.hops.hopsworks.common.dao.user.UserFacade;
import io.hops.hopsworks.common.dao.user.security.secrets.SecretPlaintext;
import io.hops.hopsworks.common.dao.user.security.secrets.SecretsFacade;
import io.hops.hopsworks.common.security.CertificatesMgmService;
import io.hops.hopsworks.common.security.SymmetricEncryptionDescriptor;
import io.hops.hopsworks.common.security.SymmetricEncryptionService;
import io.hops.hopsworks.common.util.DateUtils;
import io.hops.hopsworks.exceptions.ProjectException;
import io.hops.hopsworks.exceptions.ServiceException;
import io.hops.hopsworks.exceptions.UserException;
import io.hops.hopsworks.persistence.entity.project.Project;
import io.hops.hopsworks.persistence.entity.project.team.ProjectTeam;
import io.hops.hopsworks.persistence.entity.user.Users;
import io.hops.hopsworks.persistence.entity.user.security.secrets.Secret;
import io.hops.hopsworks.persistence.entity.user.security.secrets.SecretId;
import io.hops.hopsworks.persistence.entity.user.security.secrets.VisibilityType;
import io.hops.hopsworks.restutils.RESTCodes;
import java.io.IOException;
import java.nio.charset.Charset;
import java.security.GeneralSecurityException;
import java.sql.SQLIntegrityConstraintViolationException;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import java.util.stream.Collectors;
import javax.ejb.EJB;
import javax.ejb.EJBException;
import javax.ejb.Stateless;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;

@TransactionAttribute(TransactionAttributeType.SUPPORTS)
@Stateless
/* loaded from: input_file:io/hops/hopsworks/common/security/secrets/SecretsController.class */
public class SecretsController {
    private static final Logger LOG = Logger.getLogger(SecretsController.class.getName());

    @EJB
    private SecretsFacade secretsFacade;

    @EJB
    private SymmetricEncryptionService symmetricEncryptionService;

    @EJB
    private CertificatesMgmService certificatesMgmService;

    @EJB
    private UserFacade userFacade;

    @EJB
    private ProjectFacade projectFacade;

    @EJB
    private ProjectTeamFacade projectTeamFacade;

    public Secret add(Users users, String str, String str2, VisibilityType visibilityType, Integer num) throws UserException {
        SecretId secretId = new SecretId(users.getUid(), str);
        if (this.secretsFacade.findById(secretId) != null) {
            throw new UserException(RESTCodes.UserErrorCode.SECRET_EXISTS, Level.FINE, "Secret already exists", "Secret with name " + str + " already exists for user " + users.getUsername());
        }
        Secret validateAndCreateSecret = validateAndCreateSecret(secretId, users, str2, visibilityType, num);
        this.secretsFacade.persist(validateAndCreateSecret);
        return validateAndCreateSecret;
    }

    public Secret createSecretForProject(Users users, String str, String str2, Integer num) throws UserException, ProjectException {
        Project find = this.projectFacade.find(num);
        if (find == null) {
            throw new ProjectException(RESTCodes.ProjectErrorCode.PROJECT_NOT_FOUND, Level.FINE, "Project with ID " + num + " does not exist!", "User " + users.getUsername() + " requested shared Secret " + str + " but Project with ID " + num + "does not exist");
        }
        if (!this.projectTeamFacade.isUserMemberOfProject(find, users)) {
            throw new ProjectException(RESTCodes.ProjectErrorCode.TEAM_MEMBER_NOT_FOUND, Level.FINE, "User not a member of project with ID " + num + ".");
        }
        SecretId secretId = new SecretId(users.getUid(), str);
        if (this.secretsFacade.findById(secretId) != null) {
            throw new UserException(RESTCodes.UserErrorCode.SECRET_EXISTS, Level.FINE, "Secret already exists", "Secret with name " + str + " already exists for user " + users.getUsername());
        }
        return validateAndCreateSecret(secretId, users, str2, VisibilityType.PROJECT, num);
    }

    public Secret validateAndCreateSecret(SecretId secretId, Users users, String str, VisibilityType visibilityType, Integer num) throws UserException {
        checkIfUserIsNull(users);
        checkIfNameIsNullOrEmpty(secretId.getName());
        if (Strings.isNullOrEmpty(secretId.getName()) || Strings.isNullOrEmpty(str)) {
            throw new UserException(RESTCodes.UserErrorCode.SECRET_EMPTY, Level.FINE, "Secret value is either null or empty", "Secret name or value is empty or null");
        }
        try {
            Secret secret = new Secret(secretId, encryptSecret(str), DateUtils.localDateTime2Date(DateUtils.getNow()));
            secret.setVisibilityType(visibilityType);
            if (visibilityType.equals(VisibilityType.PRIVATE)) {
                secret.setProjectIdScope((Integer) null);
            } else {
                if (num == null) {
                    throw new UserException(RESTCodes.UserErrorCode.SECRET_EMPTY, Level.FINE, "Secret visibility is PROJECT but there is not Project ID scope", "Project scope for shared secret " + secretId.getName() + " is null");
                }
                if (this.projectFacade.find(num) == null) {
                    throw new UserException(RESTCodes.UserErrorCode.SECRET_EMPTY, Level.FINE, "Could not find a project for Project ID scope " + num);
                }
                secret.setProjectIdScope(num);
            }
            return secret;
        } catch (IOException | GeneralSecurityException e) {
            throw new UserException(RESTCodes.UserErrorCode.SECRET_ENCRYPTION_ERROR, Level.SEVERE, "Error encrypting secret", "Could not encrypt Secret " + secretId.getName(), e);
        }
    }

    public List<SecretPlaintext> getAllForUser(Users users) throws UserException {
        checkIfUserIsNull(users);
        return (List) this.secretsFacade.findAllForUser(users).stream().map(secret -> {
            return constructSecretView(users, secret);
        }).collect(Collectors.toList());
    }

    public void delete(Users users, String str) throws UserException {
        checkIfUserIsNull(users);
        checkIfNameIsNullOrEmpty(str);
        try {
            this.secretsFacade.deleteSecret(new SecretId(users.getUid(), str));
        } catch (EJBException e) {
            Throwable rootCause = getRootCause(e);
            if (!(rootCause instanceof SQLIntegrityConstraintViolationException)) {
                throw e;
            }
            throw new UserException(RESTCodes.UserErrorCode.SECRET_DELETION_FAILED, Level.FINE, "Cannot delete secret. Secret is in use by a connector. Try deleting the connector first. ", rootCause.getMessage());
        }
    }

    private Throwable getRootCause(Throwable th) {
        Throwable th2 = th;
        while (th != null) {
            th2 = th;
            th = th.getCause();
        }
        return th2;
    }

    public void deleteAll(Users users) throws UserException {
        checkIfUserIsNull(users);
        try {
            this.secretsFacade.deleteSecretsForUser(users);
        } catch (EJBException e) {
            Throwable rootCause = getRootCause(e);
            if (!(rootCause instanceof SQLIntegrityConstraintViolationException)) {
                throw e;
            }
            throw new UserException(RESTCodes.UserErrorCode.SECRET_DELETION_FAILED, Level.FINE, "Cannot delete secrets. One or more secrets are in use by a connector. Try deleting the connectors first. ", rootCause.getMessage());
        }
    }

    public List<Secret> getAllCiphered() {
        return this.secretsFacade.findAll();
    }

    public SecretPlaintext get(Users users, String str) throws UserException {
        checkIfUserIsNull(users);
        checkIfNameIsNullOrEmpty(str);
        Secret findById = this.secretsFacade.findById(new SecretId(users.getUid(), str));
        checkIfSecretIsNull(findById, str, users);
        try {
            return decrypt(users, findById);
        } catch (IOException | GeneralSecurityException e) {
            throw new UserException(RESTCodes.UserErrorCode.SECRET_ENCRYPTION_ERROR, Level.SEVERE, "Error decrypting Secret", "Could not decrypt Secret " + str, e);
        }
    }

    public SecretPlaintext getShared(Users users, String str, String str2) throws UserException, ServiceException, ProjectException {
        return getShared(users, this.userFacade.findByUsername(str), str2);
    }

    public SecretPlaintext getShared(Users users, Users users2, String str) throws UserException, ServiceException, ProjectException {
        checkIfUserIsNull(users);
        checkIfNameIsNullOrEmpty(str);
        checkIfUserIsNull(users2);
        Secret findById = this.secretsFacade.findById(new SecretId(users2.getUid(), str));
        checkIfSecretIsNull(findById, str, users2);
        if (findById.getVisibilityType() == null || findById.getVisibilityType().equals(VisibilityType.PRIVATE)) {
            throw new UserException(RESTCodes.UserErrorCode.ACCESS_CONTROL, Level.FINE, "Secret is Private", "User " + users.getUsername() + " requested PRIVATE secret <" + users2.getUid() + ", " + str + ">");
        }
        Integer projectIdScope = findById.getProjectIdScope();
        if (projectIdScope == null) {
            throw new ServiceException(RESTCodes.ServiceErrorCode.SERVICE_GENERIC_ERROR, Level.WARNING, "Visibility's Project ID is empty", "Secret " + str + " visibility is PROJECT but Project ID is null");
        }
        Project find = this.projectFacade.find(projectIdScope);
        if (find == null) {
            throw new ProjectException(RESTCodes.ProjectErrorCode.PROJECT_NOT_FOUND, Level.FINE, "Project with ID " + projectIdScope + " does not exist!", "User " + users.getUsername() + " requested shared Secret " + str + " but Project with ID " + projectIdScope + "does not exist");
        }
        Iterator it = find.getProjectTeamCollection().iterator();
        while (it.hasNext()) {
            if (users.getUid().equals(((ProjectTeam) it.next()).getUser().getUid())) {
                try {
                    return decrypt(users2, findById);
                } catch (IOException | GeneralSecurityException e) {
                    throw new UserException(RESTCodes.UserErrorCode.SECRET_ENCRYPTION_ERROR, Level.SEVERE, "Error decrypting Secret", "Could not decrypt Secret " + str, e);
                }
            }
        }
        throw new UserException(RESTCodes.UserErrorCode.ACCESS_CONTROL, Level.FINE, "Not authorized to access Secret " + str, "User " + users.getUsername() + " tried to access shared Secret " + str + " but they are not member of Project " + find.getName());
    }

    private void checkIfUserIsNull(Users users) throws UserException {
        if (users == null) {
            throw new UserException(RESTCodes.UserErrorCode.USER_DOES_NOT_EXIST, Level.FINE);
        }
    }

    private void checkIfNameIsNullOrEmpty(String str) throws UserException {
        if (Strings.isNullOrEmpty(str)) {
            throw new UserException(RESTCodes.UserErrorCode.SECRET_EMPTY, Level.FINE, "Secret is either null or empty", "Secret name or key is empty or null");
        }
    }

    private void checkIfSecretIsNull(Secret secret, String str, Users users) throws UserException {
        if (secret == null) {
            throw new UserException(RESTCodes.UserErrorCode.SECRET_EMPTY, Level.FINE, "Could not find Secret for user", "Could not find Secret with name " + str + " for user " + users.getUsername());
        }
    }

    private SecretPlaintext constructSecretView(Users users, Secret secret) {
        return SecretPlaintext.newInstance(users, secret.getId().getName(), KafkaConst.KAFKA_ENDPOINT_IDENTIFICATION_ALGORITHM, secret.getAddedOn(), secret.getVisibilityType(), secret.getProjectIdScope());
    }

    private SecretPlaintext decrypt(Users users, Secret secret) throws IOException, GeneralSecurityException {
        String masterEncryptionPassword = this.certificatesMgmService.getMasterEncryptionPassword();
        byte[][] splitPayloadFromCryptoPrimitives = this.symmetricEncryptionService.splitPayloadFromCryptoPrimitives(secret.getSecret());
        return SecretPlaintext.newInstance(users, secret.getId().getName(), bytes2string(this.symmetricEncryptionService.decrypt(new SymmetricEncryptionDescriptor.Builder().setPassword(masterEncryptionPassword).setSalt(splitPayloadFromCryptoPrimitives[0]).setIV(splitPayloadFromCryptoPrimitives[1]).setInput(splitPayloadFromCryptoPrimitives[2]).build()).getOutput()), secret.getAddedOn(), secret.getVisibilityType(), secret.getProjectIdScope());
    }

    public byte[] encryptSecret(String str) throws IOException, GeneralSecurityException {
        SymmetricEncryptionDescriptor encrypt = this.symmetricEncryptionService.encrypt(new SymmetricEncryptionDescriptor.Builder().setInput(string2bytes(str)).setPassword(this.certificatesMgmService.getMasterEncryptionPassword()).build());
        return this.symmetricEncryptionService.mergePayloadWithCryptoPrimitives(encrypt.getSalt(), encrypt.getIv(), encrypt.getOutput());
    }

    private byte[] string2bytes(String str) {
        return str.getBytes(Charset.defaultCharset());
    }

    private String bytes2string(byte[] bArr) {
        return new String(bArr, Charset.defaultCharset());
    }

    @TransactionAttribute(TransactionAttributeType.SUPPORTS)
    public void checkCanAccessSecret(Secret secret, Users users) throws ProjectException {
        if (secret != null && !this.projectTeamFacade.isUserMemberOfProject(this.projectFacade.find(secret.getProjectIdScope()), users)) {
            throw new ProjectException(RESTCodes.ProjectErrorCode.TEAM_MEMBER_NOT_FOUND, Level.FINE, "User not a member of project with ID " + secret.getProjectIdScope() + ". Can not delete secret in project with id " + secret.getProjectIdScope());
        }
    }
}
