package io.hops.hopsworks.ca.api.certificates;

import com.google.common.base.Strings;
import io.hops.hadoop.shaded.org.jline.console.Printer;
import io.hops.hopsworks.api.auth.key.ApiKeyRequired;
import io.hops.hopsworks.ca.api.filter.Audience;
import io.hops.hopsworks.ca.api.filter.NoCacheResponse;
import io.hops.hopsworks.ca.controllers.CAException;
import io.hops.hopsworks.ca.controllers.CAInitializationException;
import io.hops.hopsworks.ca.controllers.CertificateNotFoundException;
import io.hops.hopsworks.ca.controllers.CertificateType;
import io.hops.hopsworks.ca.controllers.PKI;
import io.hops.hopsworks.ca.controllers.PKIUtils;
import io.hops.hopsworks.jwt.annotation.JWTRequired;
import io.hops.hopsworks.persistence.entity.user.security.apiKey.ApiScope;
import io.hops.hopsworks.restutils.RESTCodes;
import io.swagger.v3.oas.annotations.Operation;
import io.swagger.v3.oas.annotations.Parameter;
import io.swagger.v3.oas.annotations.media.Content;
import io.swagger.v3.oas.annotations.media.Schema;
import io.swagger.v3.oas.annotations.responses.ApiResponse;
import io.swagger.v3.oas.annotations.tags.Tag;
import jakarta.ejb.EJB;
import jakarta.enterprise.context.RequestScoped;
import jakarta.ws.rs.Consumes;
import jakarta.ws.rs.DELETE;
import jakarta.ws.rs.GET;
import jakarta.ws.rs.POST;
import jakarta.ws.rs.Path;
import jakarta.ws.rs.Produces;
import jakarta.ws.rs.QueryParam;
import jakarta.ws.rs.core.GenericEntity;
import jakarta.ws.rs.core.Response;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Iterator;
import java.util.List;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.naming.InvalidNameException;
import org.apache.commons.lang3.tuple.Pair;
import org.bouncycastle.asn1.x500.X500Name;
import org.bouncycastle.operator.OperatorCreationException;

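/**
 * REST resource for HOST-type certificates handled by the Hopsworks CA.
 *
 * <p>It offers CSR signing, revocation of a single certificate (exact or partial
 * subject match), revocation of every certificate of a host, and retrieval of the
 * chain of trust. The signing and revocation endpoints are guarded by both
 * {@code @JWTRequired} and {@code @ApiKeyRequired} restricted to the {@code AGENT}
 * role; the chain-of-trust endpoint declares no such guard.
 *
 * <p>Note: this listing is decompiled output (see the "loaded from" comment below),
 * which is why some names and constants look machine generated.
 */
@RequestScoped
@Tag(name = "HostCertsResource", description = "Manage host certificates")
/* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/api/certificates/HostCertsResource.class */
public class HostCertsResource {
    // Not referenced anywhere in this class; kept because it is private and harmless.
    private static final String REVOKE_CERTIFICATES_PATTERN = "^%s__.*__[0-9]+.*";
    // Currently unused: nothing in this class logs, so request bodies (which may
    // carry a private key, see signCSR) never reach the log.
    private static final Logger LOGGER = Logger.getLogger(HostCertsResource.class.getName());

    @EJB
    private NoCacheResponse noCacheResponse;

    @EJB
    private PKIUtils pkiUtils;

    @EJB
    private PKI pki;

    /**
     * Signs a HOST certificate signing request with the intermediate Hopsworks CA.
     *
     * <p>The response holds the signed certificate in PEM form plus the CA chain of
     * trust. If the request also carries the private key, base64 key and trust stores
     * (and their password) are built server side and added to the response.
     *
     * @param cSRView request body with the CSR, the region and optionally the private key
     * @return 200 with a {@link CSRView} entity, marked as non-cacheable
     * @throws IllegalArgumentException if the body or its CSR is missing or empty
     * @throws CAException if signing, PEM conversion or keystore creation fails
     */
    @Produces({"application/json"})
    @JWTRequired(acceptedTokens = {Audience.SERVICES}, allowedUserRoles = {"AGENT"})
    @Operation(summary = "Sign Host CSR with IntermediateHopsCA", responses = {@ApiResponse(content = {@Content(schema = @Schema(implementation = CSRView.class))}, description = "CSRView")})
    @ApiKeyRequired(acceptedScopes = {ApiScope.AUTH}, allowedUserRoles = {"AGENT"})
    @POST
    @Consumes({"application/json"})
    public Response signCSR(CSRView cSRView) throws CAException {
        if (cSRView == null || cSRView.getCsr() == null || cSRView.getCsr().isEmpty()) {
            throw new IllegalArgumentException("Empty CSR");
        }
        try {
            X509Certificate signedCertificate = this.pki.signCertificateSigningRequest(
                    cSRView.getCsr(), CertificateType.HOST, cSRView.getRegion());
            String signedPem = this.pkiUtils.convertToPEM(signedCertificate);
            Pair<String, String> chainOfTrust =
                    this.pki.getChainOfTrust(this.pkiUtils.getResponsibleCA(CertificateType.HOST));
            CSRView result = new CSRView(signedPem, chainOfTrust.getLeft(), chainOfTrust.getRight());
            if (!Strings.isNullOrEmpty(cSRView.getPrivateKey())) {
                // The caller shipped its private key, so the stores are assembled here
                // (presumably so the agent receives ready-to-use stores - confirm with callers).
                // Argument order: right side of the chain first, then left side.
                PKIUtils.KeyStores<String> stores = this.pkiUtils.createB64Keystores(
                        cSRView.getPrivateKey(),
                        signedCertificate,
                        this.pkiUtils.loadCertificate(chainOfTrust.getRight()),
                        this.pkiUtils.loadCertificate(chainOfTrust.getLeft()));
                result.setKeyStore(stores.getKeyStore());
                result.setTrustStore(stores.getTrustStore());
                // NOTE(review): getPassword() is wrapped in new String(...) without a charset;
                // if it returns byte[] rather than char[] this depends on the platform charset.
                result.setPassword(new String(stores.getPassword()));
            }
            return this.noCacheResponse.getNoCacheResponseBuilder(Response.Status.OK)
                    .entity(new GenericEntity<CSRView>(result) { // from class: io.hops.hopsworks.ca.api.certificates.HostCertsResource.1
                    })
                    .build();
        } catch (CAInitializationException | IOException | GeneralSecurityException | OperatorCreationException e) {
            // Map the low-level failure onto the REST error model for HOST certificates.
            throw this.pkiUtils.csrSigningExceptionConvertToCAException(e, CertificateType.HOST);
        }
    }

    /**
     * Revokes one HOST certificate, or every VALID HOST certificate whose subject
     * partially matches the given identifier.
     *
     * <p>With {@code exact=true} the identifier is taken verbatim as an RFC 4514 DN.
     * Otherwise it is parsed as a HOST subject name and all valid subjects with a
     * partial match are revoked, so a single call may revoke several certificates.
     *
     * @param certId identifier (or full DN) of the certificate(s) to revoke
     * @param exact  {@code true} if {@code certId} is a full RFC 4514 DN; {@code null}
     *               behaves like {@code false}
     * @return 200 with an empty body
     * @throws IllegalArgumentException if {@code certId} is null or empty
     * @throws CAException if no matching valid certificate exists, the name cannot be
     *                     parsed, or revocation fails
     */
    @JWTRequired(acceptedTokens = {Audience.SERVICES}, allowedUserRoles = {"AGENT"})
    @Operation(summary = "Revoke Host certificate")
    @ApiKeyRequired(acceptedScopes = {ApiScope.AUTH}, allowedUserRoles = {"AGENT"})
    @DELETE
    public Response revokeCertificate(@Parameter(description = "Identifier of the Certificate to revoke", required = true) @QueryParam("certId") String certId, @Parameter(description = "Flag whether certId is a full RFC4514 Distinguished Name string") @QueryParam("exact") Boolean exact) throws CAException {
        if (Strings.isNullOrEmpty(certId)) {
            throw new IllegalArgumentException("Empty certificate identifier");
        }
        List<X500Name> subjects = new ArrayList<>();
        try {
            if (Boolean.TRUE.equals(exact)) {
                // Trusted as a full DN; a malformed value surfaces as an unchecked
                // exception from the X500Name parser rather than a 4xx.
                subjects.add(new X500Name(certId));
            } else {
                String subjectPrefix =
                        this.pkiUtils.parseCertificateSubjectName(certId, CertificateType.HOST).toString();
                this.pkiUtils.findAllValidSubjectsWithPartialMatch(subjectPrefix)
                        .forEach(subject -> subjects.add(new X500Name(subject)));
            }
            if (subjects.isEmpty()) {
                throw new CertificateNotFoundException("Could not find a VALID certificate with ID: " + certId + " Is exact X509 Name: " + exact);
            }
            for (X500Name subject : subjects) {
                this.pki.revokeCertificate(subject, CertificateType.HOST);
            }
            return Response.ok().build();
        } catch (InvalidNameException | CAInitializationException | GeneralSecurityException e) {
            throw this.pkiUtils.certificateRevocationExceptionConvertToCAException(e, CertificateType.HOST);
        }
    }

    /**
     * Revokes every HOST certificate issued for the given hostname.
     *
     * @param hostname the node whose certificates are revoked
     * @return 200 with an empty body
     * @throws IllegalArgumentException if {@code hostname} is null or empty
     * @throws CAException if the CA cannot be initialised or revocation fails
     */
    @JWTRequired(acceptedTokens = {Audience.SERVICES}, allowedUserRoles = {"AGENT"})
    @Operation(summary = "Revoke all Host certificates")
    @ApiKeyRequired(acceptedScopes = {ApiScope.AUTH}, allowedUserRoles = {"AGENT"})
    // The decompiled form had resolved this literal to the shaded JLine constant
    // Printer.ALL; a JAX-RS path should not depend on a console-printing library.
    @Path("all")
    @DELETE
    public Response revokeCertificateGlob(@Parameter(description = "Hostname of the node to revoke certificates for", required = true) @QueryParam("hostname") String hostname) throws CAException {
        if (Strings.isNullOrEmpty(hostname)) {
            throw new IllegalArgumentException("Empty hostname to revoke");
        }
        try {
            for (String subject : this.pkiUtils.findAllHostCertificateSubjectsForHost(hostname)) {
                this.pki.revokeCertificate(new X500Name(subject), CertificateType.HOST);
            }
            return Response.ok().build();
        } catch (CAInitializationException | GeneralSecurityException e) {
            throw this.pkiUtils.certificateRevocationExceptionConvertToCAException(e, CertificateType.HOST);
        }
    }

    /**
     * Returns the chain of trust of the CA responsible for HOST certificates.
     *
     * <p>Unlike the other endpoints of this resource it declares neither
     * {@code @JWTRequired} nor {@code @ApiKeyRequired}; the payload is CA certificate
     * material (presumably public), so this looks intentional - confirm if in doubt.
     *
     * @return 200 with a {@link CSRView} carrying the two chain components, non-cacheable
     * @throws CAException wrapping any initialisation, I/O or security failure
     */
    @Produces({"application/json"})
    @GET
    @Operation(summary = "Get chain of trust for this type of certificates")
    public Response getChainOfTrust() throws CAException {
        try {
            Pair<String, String> chainOfTrust =
                    this.pki.getChainOfTrust(this.pkiUtils.getResponsibleCA(CertificateType.HOST));
            CSRView result = new CSRView(chainOfTrust.getLeft(), chainOfTrust.getRight());
            return this.noCacheResponse.getNoCacheResponseBuilder(Response.Status.OK)
                    .entity(new GenericEntity<CSRView>(result) { // from class: io.hops.hopsworks.ca.api.certificates.HostCertsResource.2
                    })
                    .build();
        } catch (CAInitializationException | IOException | GeneralSecurityException e) {
            throw new CAException(RESTCodes.CAErrorCode.CA_INITIALIZATION_ERROR, Level.SEVERE, CertificateType.HOST, "Failed to get chain of trust", "Failed to get chain of trust for HOST certificates", e);
        }
    }
}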
