package io.hops.hopsworks.common.security;

import com.google.common.cache.Cache;
import com.google.common.cache.CacheBuilder;
import com.hazelcast.config.MapConfig;
import com.hazelcast.core.HazelcastInstance;
import com.hazelcast.topic.ITopic;
import io.hops.hopsworks.common.dao.command.SystemCommandFacade;
import io.hops.hopsworks.common.dao.host.HostsFacade;
import io.hops.hopsworks.common.dao.kafka.KafkaConst;
import io.hops.hopsworks.common.dao.user.UserFacade;
import io.hops.hopsworks.common.message.MessageController;
import io.hops.hopsworks.common.util.Settings;
import io.hops.hopsworks.exceptions.EncryptionMasterPasswordException;
import io.hops.hopsworks.persistence.entity.command.Operation;
import io.hops.hopsworks.persistence.entity.command.SystemCommand;
import io.hops.hopsworks.persistence.entity.host.Hosts;
import java.io.File;
import java.io.IOException;
import java.nio.charset.Charset;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.Random;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.PostConstruct;
import javax.ejb.Asynchronous;
import javax.ejb.ConcurrencyManagement;
import javax.ejb.ConcurrencyManagementType;
import javax.ejb.EJB;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Singleton;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.enterprise.inject.Any;
import javax.enterprise.inject.Instance;
import javax.inject.Inject;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.io.FileUtils;

@Singleton
@ConcurrencyManagement(ConcurrencyManagementType.CONTAINER)
/* loaded from: input_file:io/hops/hopsworks/common/security/CertificatesMgmService.class */
public class CertificatesMgmService {

    @EJB
    private Settings settings;

    @EJB
    private UserFacade userFacade;

    @EJB
    private MessageController messageController;

    @EJB
    private SystemCommandFacade systemCommandFacade;

    @EJB
    private HostsFacade hostsFacade;

    @Inject
    @Any
    private Instance<MasterPasswordHandler> handlers;

    @Inject
    private HazelcastInstance hazelcastInstance;

    @EJB
    private CertificateMasterPwdMgm certificateMasterPwdMgm;
    private File masterPasswordFile;
    private Cache<Integer, UPDATE_STATUS> updateStatus;
    private Random rand;
    private ITopic<String> masterPasswordUpdatedTopic;
    private static final String MAP_NAME = "certificatesMgmUpdateStatus";
    public static final String PASSWORD_UPDATED_TOPIC_NAME = "masterPasswordUpdated";
    private final Logger LOG = Logger.getLogger(CertificatesMgmService.class.getName());
    private final Map<Class, MasterPasswordChangeResult> handlersResult = new HashMap();

    /* loaded from: input_file:io/hops/hopsworks/common/security/CertificatesMgmService$UPDATE_STATUS.class */
    public enum UPDATE_STATUS {
        OK,
        WORKING,
        FAILED,
        NOT_FOUND
    }

    private void initHazelcast() {
        if (this.hazelcastInstance == null) {
            this.updateStatus = CacheBuilder.newBuilder().maximumSize(100L).expireAfterWrite(12L, TimeUnit.HOURS).build();
            return;
        }
        if (this.hazelcastInstance.getConfig().getMapConfigOrNull(MAP_NAME) == null) {
            MapConfig mapConfig = new MapConfig(MAP_NAME);
            mapConfig.setMaxIdleSeconds((int) TimeUnit.HOURS.toSeconds(12L));
            this.hazelcastInstance.getConfig().addMapConfig(mapConfig);
        }
        this.masterPasswordUpdatedTopic = this.hazelcastInstance.getReliableTopic(PASSWORD_UPDATED_TOPIC_NAME);
    }

    private UPDATE_STATUS getIfPresentUpdateStatusCache(Integer num) {
        return this.hazelcastInstance != null ? (UPDATE_STATUS) this.hazelcastInstance.getMap(MAP_NAME).get(num) : (UPDATE_STATUS) this.updateStatus.getIfPresent(num);
    }

    private void putUpdateStatusCache(Integer num, UPDATE_STATUS update_status) {
        if (this.hazelcastInstance != null) {
            this.hazelcastInstance.getMap(MAP_NAME).put(num, update_status);
        } else {
            this.updateStatus.put(num, update_status);
        }
    }

    @PostConstruct
    public void init() {
        this.masterPasswordFile = new File(this.settings.getHopsworksMasterEncPasswordFile());
        if (!this.masterPasswordFile.exists()) {
            throw new IllegalStateException("Master encryption file does not exist");
        }
        try {
            PosixFileAttributeView posixFileAttributeView = (PosixFileAttributeView) Files.getFileAttributeView(this.masterPasswordFile.toPath(), PosixFileAttributeView.class, LinkOption.NOFOLLOW_LINKS);
            Set<PosixFilePermission> permissions = posixFileAttributeView.readAttributes().permissions();
            boolean contains = permissions.contains(PosixFilePermission.OWNER_READ);
            boolean contains2 = permissions.contains(PosixFilePermission.OWNER_WRITE);
            boolean contains3 = permissions.contains(PosixFilePermission.OWNER_EXECUTE);
            boolean contains4 = permissions.contains(PosixFilePermission.GROUP_READ);
            boolean contains5 = permissions.contains(PosixFilePermission.GROUP_WRITE);
            boolean contains6 = permissions.contains(PosixFilePermission.GROUP_EXECUTE);
            boolean contains7 = permissions.contains(PosixFilePermission.OTHERS_READ);
            boolean contains8 = permissions.contains(PosixFilePermission.OTHERS_WRITE);
            boolean contains9 = permissions.contains(PosixFilePermission.OTHERS_EXECUTE);
            if (!contains || !contains2 || !contains3 || contains4 || contains5 || contains6 || contains7 || contains8 || contains9) {
                throw new IllegalStateException("Wrong permissions for file " + this.masterPasswordFile.getAbsolutePath() + ", it should be 700");
            }
            this.LOG.log(Level.INFO, "Passed permissions check for file " + this.masterPasswordFile.getAbsolutePath() + ". Owner: " + posixFileAttributeView.readAttributes().owner().getName() + " Group: " + posixFileAttributeView.readAttributes().group().getName() + " Permissions: " + PosixFilePermissions.toString(permissions));
            initHazelcast();
            this.rand = new Random();
        } catch (IOException e) {
            throw new IllegalStateException("Error while getting POSIX permissions of " + this.masterPasswordFile.getAbsolutePath());
        } catch (UnsupportedOperationException e2) {
            this.LOG.log(Level.WARNING, "Associated filesystem is not POSIX compliant. Continue without checking the permissions of " + this.masterPasswordFile.getAbsolutePath() + " This might be a security problem.");
        }
    }

    @Lock(LockType.READ)
    public String getMasterEncryptionPassword() throws IOException {
        return this.certificateMasterPwdMgm.getMasterEncryptionPassword(this.masterPasswordFile);
    }

    @Lock(LockType.READ)
    public void checkPassword(String str, String str2) throws IOException, EncryptionMasterPasswordException {
        this.certificateMasterPwdMgm.checkPassword(str, str2, this.masterPasswordFile, this.userFacade);
    }

    @Lock(LockType.WRITE)
    public Integer initUpdateOperation() {
        Integer valueOf = Integer.valueOf(this.rand.nextInt());
        putUpdateStatusCache(valueOf, UPDATE_STATUS.WORKING);
        return valueOf;
    }

    @Lock(LockType.READ)
    public UPDATE_STATUS getOperationStatus(Integer num) {
        UPDATE_STATUS ifPresentUpdateStatusCache = getIfPresentUpdateStatusCache(num);
        return ifPresentUpdateStatusCache != null ? ifPresentUpdateStatusCache : UPDATE_STATUS.NOT_FOUND;
    }

    @Lock(LockType.WRITE)
    @Asynchronous
    public void resetMasterEncryptionPassword(Integer num, String str, String str2) throws ExecutionException, InterruptedException {
        try {
            MasterPasswordResetResult masterPasswordResetResult = this.certificateMasterPwdMgm.resetMasterEncryptionPassword(str, this.masterPasswordFile, this.handlers, this.handlersResult).get();
            if (!UPDATE_STATUS.OK.equals(masterPasswordResetResult.getUpdateStatus())) {
                sendUnsuccessfulMessage(masterPasswordResetResult.getErrorLog(), str2);
                putUpdateStatusCache(num, UPDATE_STATUS.FAILED);
                return;
            }
            sendSuccessfulMessage(masterPasswordResetResult.getSuccessLog(), str2);
            putUpdateStatusCache(num, UPDATE_STATUS.OK);
            if (this.masterPasswordUpdatedTopic != null) {
                this.masterPasswordUpdatedTopic.publish(DigestUtils.sha256Hex(str));
            }
        } catch (InterruptedException | ExecutionException e) {
            sendUnsuccessfulMessage(e.getMessage(), str2);
            putUpdateStatusCache(num, UPDATE_STATUS.FAILED);
            throw e;
        }
    }

    @Lock(LockType.WRITE)
    public void updateMasterEncryptionPassword(String str) throws IOException {
        FileUtils.writeStringToFile(this.masterPasswordFile, str, Charset.defaultCharset());
    }

    @TransactionAttribute(TransactionAttributeType.REQUIRES_NEW)
    public void issueServiceKeyRotationCommand() {
        Iterator it = this.hostsFacade.findAll().iterator();
        while (it.hasNext()) {
            this.systemCommandFacade.persist(new SystemCommand((Hosts) it.next(), Operation.SERVICE_KEY_ROTATION));
        }
    }

    private void sendSuccessfulMessage(String str, String str2) {
        sendInbox(str, "Changed successfully", str2);
    }

    private void sendUnsuccessfulMessage(String str, String str2) {
        sendInbox(str, "Change failed!", str2);
    }

    private void sendInbox(String str, String str2, String str3) {
        this.messageController.send(this.userFacade.findByEmail(str3), this.userFacade.findByEmail(this.settings.getAdminEmail()), "Master encryption password changed", str2, str, KafkaConst.KAFKA_ENDPOINT_IDENTIFICATION_ALGORITHM);
    }
}
