package io.hops.hopsworks.ca.api.certificates;

import com.google.common.base.Strings;
import io.hops.hopsworks.api.auth.key.ApiKeyRequired;
import io.hops.hopsworks.ca.api.filter.Audience;
import io.hops.hopsworks.ca.api.filter.NoCacheResponse;
import io.hops.hopsworks.ca.controllers.CAException;
import io.hops.hopsworks.ca.controllers.CAInitializationException;
import io.hops.hopsworks.ca.controllers.CertificateNotFoundException;
import io.hops.hopsworks.ca.controllers.CertificateType;
import io.hops.hopsworks.ca.controllers.PKI;
import io.hops.hopsworks.ca.controllers.PKIUtils;
import io.hops.hopsworks.jwt.annotation.JWTRequired;
import io.hops.hopsworks.persistence.entity.user.security.apiKey.ApiScope;
import io.hops.hopsworks.restutils.RESTCodes;
import io.swagger.v3.oas.annotations.OpenAPIDefinition;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import io.swagger.v3.oas.annotations.info.Info;
import io.swagger.v3.oas.annotations.media.Content;
import io.swagger.v3.oas.annotations.media.Schema;
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import jakarta.ejb.EJB;
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.GenericEntity;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import javax.naming.InvalidNameException;
import org.apache.commons.lang3.tuple.Pair;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.operator.OperatorCreationException;

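/**
 * JAX-RS resource for certificates issued by the Kubernetes CA ({@link CertificateType#KUBE}).
 *
 * <p>{@link #signCSR}, {@link #revokeCertificate} and {@link #getCACert} are annotated with both
 * {@code @JWTRequired} (audience {@code SERVICES}) and {@code @ApiKeyRequired} (scope {@code AUTH}),
 * each restricted to the {@code AGENT} role. The {@code chain} sub-resource ({@link #getChainOfTrust})
 * carries no such annotation in this class and returns the same CA-chain payload as {@link #getCACert}
 * without a signed certificate; whether it is reachable without credentials depends on filters
 * configured outside this class.
 *
 * <p>All responses that carry a body are built through {@link NoCacheResponse}, so clients are told
 * not to cache certificate material. The class holds no state of its own beyond the injected EJBs.
 */
@RequestScoped
@OpenAPIDefinition(info = @Info(title = "Kubernetes certificate service", description = "Manage Kubernetes certificates"))
/* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/api/certificates/KubeCertsResource.class */
public class KubeCertsResource {

    @EJB
    private NoCacheResponse noCacheResponse;

    @EJB
    private PKIUtils pkiUtils;

    @EJB
    private PKI pki;

    /**
     * Signs a certificate signing request with the Kube CA.
     *
     * @param cSRView request body carrying the CSR to sign and the region it is issued for
     * @return 200 with a {@link CSRView} holding the signed certificate as PEM plus both parts of the
     *         Kube CA chain of trust
     * @throws IllegalArgumentException if the body is absent or its CSR is null or empty
     * @throws CAException if signing or fetching the chain fails; the underlying checked exception is
     *         converted by {@code PKIUtils#csrSigningExceptionConvertToCAException}
     */
    @Produces({"application/json"})
    @JWTRequired(acceptedTokens = {Audience.SERVICES}, allowedUserRoles = {"AGENT"})
    @Operation(summary = "Sign Kubernetes certificate with KubeCA", responses = {@ApiResponse(content = {@Content(schema = @Schema(implementation = CSRView.class))}, description = "CSRView")})
    @ApiKeyRequired(acceptedScopes = {ApiScope.AUTH}, allowedUserRoles = {"AGENT"})
    @POST
    @Consumes({"application/json"})
    public Response signCSR(CSRView cSRView) throws CAException {
        if (cSRView == null || cSRView.getCsr() == null || cSRView.getCsr().isEmpty()) {
            throw new IllegalArgumentException("Empty CSR");
        }
        try {
            String signedPem = this.pkiUtils.convertToPEM(
                this.pki.signCertificateSigningRequest(cSRView.getCsr(), CertificateType.KUBE, cSRView.getRegion()));
            Pair<String, String> chain = kubeChainOfTrust();
            return jsonOk(new CSRView(signedPem, chain.getLeft(), chain.getRight()));
        } catch (CAInitializationException | IOException | GeneralSecurityException | OperatorCreationException e) {
            throw this.pkiUtils.csrSigningExceptionConvertToCAException(e, CertificateType.KUBE);
        }
    }

    /**
     * Revokes one or more Kube CA certificates.
     *
     * <p>With {@code exact=true} the identifier is used verbatim as an RFC 4514 distinguished name and
     * exactly that subject is revoked. Otherwise the identifier is parsed into a Kube subject name and
     * every VALID subject that partially matches it is revoked, so a short identifier can revoke more
     * than one certificate. A missing {@code exact} parameter behaves like {@code false}.
     *
     * @param str  certificate identifier, or the full DN when {@code exact} is true
     * @param bool whether {@code str} is already a full RFC 4514 DN; may be null
     * @return 200 with no body once every selected certificate has been revoked
     * @throws IllegalArgumentException if the identifier is null or empty
     * @throws CertificateNotFoundException if no VALID subject matches the identifier (propagates out of
     *         the try block untouched; presumably a {@link CAException} subtype given the method signature)
     * @throws CAException if name parsing, CA initialisation or revocation fails; the underlying checked
     *         exception is converted by {@code PKIUtils#certificateRevocationExceptionConvertToCAException}
     */
    @JWTRequired(acceptedTokens = {Audience.SERVICES}, allowedUserRoles = {"AGENT"})
    @Operation(summary = "Revoke KubeCA certificates")
    @ApiKeyRequired(acceptedScopes = {ApiScope.AUTH}, allowedUserRoles = {"AGENT"})
    @DELETE
    public Response revokeCertificate(@Parameter(description = "Identifier of the Certificate to revoke", required = true) @QueryParam("certId") String str, @Parameter(description = "Flag whether certId is a full RFC4514 Distinguished Name string") @QueryParam("exact") Boolean bool) throws CAException {
        if (Strings.isNullOrEmpty(str)) {
            throw new IllegalArgumentException("Empty certificate identifier");
        }
        try {
            List<X500Name> subjects = new ArrayList<>();
            if (Boolean.TRUE.equals(bool)) {
                // exact: the caller supplied the full DN, revoke that subject only
                subjects.add(new X500Name(str));
            } else {
                // partial: resolve every VALID subject that matches the parsed name;
                // all of them are revoked below, not just the first match
                String pattern = this.pkiUtils.parseCertificateSubjectName(str, CertificateType.KUBE).toString();
                this.pkiUtils.findAllValidSubjectsWithPartialMatch(pattern)
                    .forEach(subject -> subjects.add(new X500Name(subject)));
            }
            if (subjects.isEmpty()) {
                throw new CertificateNotFoundException(
                    "Could not find a VALID certificate with ID: " + str + " Is exact X509 Name: " + bool);
            }
            for (X500Name subject : subjects) {
                this.pki.revokeCertificate(subject, CertificateType.KUBE);
            }
            return Response.ok().build();
        } catch (InvalidNameException | CAInitializationException | GeneralSecurityException e) {
            throw this.pkiUtils.certificateRevocationExceptionConvertToCAException(e, CertificateType.KUBE);
        }
    }

    /**
     * Returns the Kube CA chain of trust (authenticated endpoint).
     *
     * @return 200 with a {@link CSRView} whose two chain fields are filled and whose certificate is absent
     * @throws CAException with {@code CA_INITIALIZATION_ERROR} if the chain cannot be fetched
     */
    @Produces({"application/json"})
    @JWTRequired(acceptedTokens = {Audience.SERVICES}, allowedUserRoles = {"AGENT"})
    @Operation(summary = "Get KubeCA certificate", responses = {@ApiResponse(content = {@Content(schema = @Schema(implementation = CSRView.class))}, description = "CSRView")})
    @ApiKeyRequired(acceptedScopes = {ApiScope.AUTH}, allowedUserRoles = {"AGENT"})
    @GET
    public Response getCACert() throws CAException {
        return kubeChainResponse();
    }

    /**
     * Returns the Kube CA chain of trust under the {@code chain} sub-path.
     *
     * <p>Same payload and error handling as {@link #getCACert}; this method carries no JWT or API-key
     * annotation in this class.
     *
     * @return 200 with a {@link CSRView} whose two chain fields are filled and whose certificate is absent
     * @throws CAException with {@code CA_INITIALIZATION_ERROR} if the chain cannot be fetched
     */
    @Produces({"application/json"})
    @Operation(summary = "Get chain of trust for this type of certificates")
    @GET
    @Path("chain")
    public Response getChainOfTrust() throws CAException {
        return kubeChainResponse();
    }

    /**
     * Fetches the Kube chain and wraps it in a JSON response, converting fetch failures into a
     * {@link CAException} with {@code CA_INITIALIZATION_ERROR}. Shared by {@link #getCACert} and
     * {@link #getChainOfTrust} so both endpoints stay byte-for-byte consistent.
     */
    private Response kubeChainResponse() throws CAException {
        try {
            Pair<String, String> chain = kubeChainOfTrust();
            return jsonOk(new CSRView(chain.getLeft(), chain.getRight()));
        } catch (CAInitializationException | IOException | GeneralSecurityException e) {
            throw new CAException(RESTCodes.CAErrorCode.CA_INITIALIZATION_ERROR, Level.SEVERE, CertificateType.KUBE,
                "Failed to get chain of trust", "Failed to get chain of trust for KUBE certificates", e);
        }
    }

    /**
     * Looks up the CA responsible for {@link CertificateType#KUBE} and returns its chain of trust as the
     * (left, right) pair produced by {@code PKI#getChainOfTrust}; the meaning of each half is defined by
     * that method, not here.
     */
    private Pair<String, String> kubeChainOfTrust()
            throws CAInitializationException, IOException, GeneralSecurityException {
        return this.pki.getChainOfTrust(this.pkiUtils.getResponsibleCA(CertificateType.KUBE));
    }

    /**
     * Builds a 200 no-cache JSON response around {@code view}. The anonymous {@link GenericEntity}
     * subclass is the usual type-token idiom so the JAX-RS runtime sees {@code CSRView} rather than an
     * erased type argument.
     */
    private Response jsonOk(CSRView view) {
        return this.noCacheResponse.getNoCacheResponseBuilder(Response.Status.OK)
            .entity(new GenericEntity<CSRView>(view) {
            })
            .build();
    }
}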
