package io.hops.hopsworks.expat.migrations.serving;

import io.fabric8.kubernetes.api.model.ObjectMetaBuilder;
import io.fabric8.kubernetes.api.model.Secret;
import io.fabric8.kubernetes.api.model.SecretBuilder;
import io.fabric8.kubernetes.client.KubernetesClient;
import io.fabric8.kubernetes.client.KubernetesClientException;
import io.fabric8.kubernetes.client.dsl.AnyNamespaceOperation;
import io.fabric8.kubernetes.client.dsl.FilterWatchListDeletable;
import io.fabric8.kubernetes.client.dsl.NonNamespaceOperation;
import io.hops.hopsworks.expat.configuration.ConfigurationBuilder;
import io.hops.hopsworks.expat.configuration.ExpatConf;
import io.hops.hopsworks.expat.db.DbConnectionFactory;
import io.hops.hopsworks.expat.db.dao.util.ExpatVariables;
import io.hops.hopsworks.expat.db.dao.util.ExpatVariablesFacade;
import io.hops.hopsworks.expat.kubernetes.KubernetesClientFactory;
import io.hops.hopsworks.expat.migrations.MigrateStep;
import io.hops.hopsworks.expat.migrations.MigrationException;
import io.hops.hopsworks.expat.migrations.RollbackException;
import io.hops.hopsworks.expat.migrations.elk.BeamKibana;
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.Map;
import java.util.stream.Collectors;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.configuration2.ex.ConfigurationException;
import org.apache.commons.lang.RandomStringUtils;
import org.javatuples.Triplet;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/hops/hopsworks/expat/migrations/serving/ServingApiKeysMigration.class */
public class ServingApiKeysMigration implements MigrateStep {
    private static final Logger LOGGER = LoggerFactory.getLogger(ServingApiKeysMigration.class);
    protected Connection connection;
    private KubernetesClient kubeClient;
    private boolean dryRun;
    private ExpatVariablesFacade expatVariablesFacade;
    private SecureRandom secureRandom;
    private static final String UPDATE_API_KEY_SCOPES = "UPDATE api_key_scope SET `scope` = ? WHERE `scope` = ?";
    private static final String GET_ACTIVATED_USERS = "SELECT uid, username, email FROM users WHERE email NOT IN ('serving@hopsworks.se', 'agent@hops.io', 'onlinefs@hopsworks.ai') AND status = 2";
    private static final String GET_PROJECTS_BY_USER = "SELECT projectname FROM project WHERE id IN (SELECT project_id FROM project_team WHERE team_member = ?)";
    private static final String GET_API_KEY_BY_PREFIX = "SELECT id FROM api_key WHERE prefix = ?";
    private static final String GET_API_KEY_BY_NAME = "SELECT id FROM api_key WHERE `name` = ? AND user_id = ? AND reserved = 1";
    private static final String GET_API_KEY_WITH_SERVING_BY_USER = "SELECT prefix, secret, salt, created, `name` FROM api_key WHERE user_id = ? AND reserved = 0 AND id IN (SELECT api_key FROM api_key_scope WHERE `scope` = 'SERVING')";
    private static final String INSERT_API_KEY = "REPLACE INTO api_key (prefix, secret, salt, created, modified, `name`, user_id, reserved) VALUES (?, ?, ?, ?, ?, ?, ?, ?)";
    private static final String INSERT_API_KEY_SCOPE = "REPLACE INTO api_key_scope (api_key, `scope`) VALUES (?, ?)";
    private static final String DELETE_API_KEY_SCOPES = "DELETE FROM api_key_scope WHERE api_key = ?";
    private static final String DELETE_API_KEYS = "DELETE FROM api_key WHERE id = ?";
    private final String SERVING_API_KEY_NAME = BeamKibana.ELASTIC_SERVING_INDEX;
    private final String[] SERVING_API_KEY_NAME_SCOPES = {"SERVING", "DATASET_VIEW", "KAFKA", "PROJECT", "FEATURESTORE"};
    private final int RANDOM_KEY_LEN = 64;
    private final int RANDOM_PREFIX_KEY_LEN = 16;
    private static final String HOPS_SYSTEM_NAMESPACE = "hops-system";
    private static final String LABEL_PREFIX = "serving.hops.works";
    private static final String API_KEY_NAME_LABEL_NAME = "serving.hops.works/name";
    private static final String API_KEY_RESERVED_LABEL_NAME = "serving.hops.works/reserved";
    private static final String API_KEY_SCOPE_LABEL_NAME = "serving.hops.works/scope";
    private static final String API_KEY_USER_LABEL_NAME = "serving.hops.works/user";
    private static final String API_KEY_MODIFIED_LABEL_NAME = "serving.hops.works/modified";
    private static final String API_KEY_SECRET_KEY = "secret";
    private static final String API_KEY_SALT_KEY = "salt";
    private static final String API_KEY_USER_KEY = "user";
    private static final String SERVING_API_KEY_SECRET_KEY = "apiKey";
    private static final String SERVING_API_KEY_SECRET_SUFFIX = "--serving";
    private static final String SERVING_API_KEY_SECRET_PREFIX = "api-key";

    @Override // io.hops.hopsworks.expat.migrations.MigrateStep
    public void migrate() throws MigrationException {
        LOGGER.info("Starting serving api keys migration");
        try {
            setup();
            PreparedStatement preparedStatement = null;
            PreparedStatement preparedStatement2 = null;
            PreparedStatement preparedStatement3 = null;
            PreparedStatement preparedStatement4 = null;
            PreparedStatement preparedStatement5 = null;
            PreparedStatement preparedStatement6 = null;
            PreparedStatement preparedStatement7 = null;
            PreparedStatement preparedStatement8 = null;
            PreparedStatement preparedStatement9 = null;
            try {
                try {
                    this.connection.setAutoCommit(false);
                    PreparedStatement prepareStatement = this.connection.prepareStatement(UPDATE_API_KEY_SCOPES);
                    prepareStatement.setString(1, "SERVING");
                    prepareStatement.setString(2, "INFERENCE");
                    if (this.dryRun) {
                        LOGGER.info(prepareStatement.toString());
                    } else {
                        prepareStatement.executeUpdate();
                    }
                    try {
                        if (Boolean.parseBoolean(this.expatVariablesFacade.findById("kube_kfserving_installed").getValue())) {
                            try {
                                this.kubeClient = KubernetesClientFactory.getClient();
                                preparedStatement2 = this.connection.prepareStatement(INSERT_API_KEY, 1);
                                preparedStatement3 = this.connection.prepareStatement(INSERT_API_KEY_SCOPE);
                                preparedStatement5 = this.connection.prepareStatement(GET_API_KEY_BY_PREFIX);
                                preparedStatement7 = this.connection.prepareStatement(DELETE_API_KEY_SCOPES);
                                preparedStatement8 = this.connection.prepareStatement(DELETE_API_KEYS);
                                preparedStatement9 = this.connection.prepareStatement(GET_API_KEY_BY_NAME);
                                preparedStatement = this.connection.prepareStatement(GET_ACTIVATED_USERS);
                                ResultSet executeQuery = preparedStatement.executeQuery();
                                while (executeQuery.next()) {
                                    int i = executeQuery.getInt(1);
                                    String string = executeQuery.getString(2);
                                    String string2 = executeQuery.getString(3);
                                    preparedStatement6 = this.connection.prepareStatement(GET_API_KEY_WITH_SERVING_BY_USER);
                                    preparedStatement6.setInt(1, i);
                                    createKubeApiKeySecrets(string, preparedStatement6);
                                    preparedStatement6.close();
                                    String servingApiKeyName = getServingApiKeyName(string, i);
                                    Date date = new Date();
                                    java.sql.Date date2 = new java.sql.Date(date.getTime());
                                    Triplet<String, String, String> generateApiKey = generateApiKey(preparedStatement5);
                                    String sha256Hex = DigestUtils.sha256Hex(((String) generateApiKey.getValue1()) + ((String) generateApiKey.getValue2()));
                                    deleteServingApiKey(i, servingApiKeyName, preparedStatement9, preparedStatement7, preparedStatement8, false);
                                    insertServingApiKey(i, servingApiKeyName, generateApiKey, sha256Hex, date2, preparedStatement2, preparedStatement3);
                                    preparedStatement4 = this.connection.prepareStatement(GET_PROJECTS_BY_USER);
                                    preparedStatement4.setString(1, string2);
                                    createKubeServingApiKeySecrets(servingApiKeyName, generateApiKey, sha256Hex, string, date, preparedStatement4);
                                    preparedStatement4.close();
                                }
                                executeQuery.close();
                            } catch (ConfigurationException e) {
                                throw new MigrationException("Cannot read kube client configuration", e);
                            }
                        }
                        this.connection.commit();
                        this.connection.setAutoCommit(true);
                        closeConnections(prepareStatement, preparedStatement, preparedStatement2, preparedStatement3, preparedStatement4, preparedStatement5, preparedStatement6, preparedStatement7, preparedStatement8, preparedStatement9);
                        if (this.kubeClient != null) {
                            this.kubeClient.close();
                        }
                        LOGGER.info("Finished serving api keys migration");
                    } catch (IllegalAccessException | InstantiationException | SQLException e2) {
                        LOGGER.error("Could not migrate serving api keys");
                        throw new MigrationException("Could not migrate serving api keys", e2);
                    }
                } catch (IllegalStateException | SQLException e3) {
                    LOGGER.error("Could not migrate serving api keys");
                    throw new MigrationException("Could not migrate serving api keys", e3);
                }
            } catch (Throwable th) {
                closeConnections(null, null, null, null, null, null, null, null, null, null);
                if (this.kubeClient != null) {
                    this.kubeClient.close();
                }
                throw th;
            }
        } catch (SQLException | ConfigurationException e4) {
            LOGGER.error("Could not initialize database connection");
            throw new MigrationException("Could not initialize database connection", e4);
        }
    }

    @Override // io.hops.hopsworks.expat.migrations.MigrateStep
    public void rollback() throws RollbackException {
        LOGGER.info("Starting serving api keys rollback");
        try {
            setup();
            PreparedStatement preparedStatement = null;
            PreparedStatement preparedStatement2 = null;
            PreparedStatement preparedStatement3 = null;
            PreparedStatement preparedStatement4 = null;
            try {
                try {
                    this.connection.setAutoCommit(false);
                    PreparedStatement prepareStatement = this.connection.prepareStatement(UPDATE_API_KEY_SCOPES);
                    prepareStatement.setString(1, "INFERENCE");
                    prepareStatement.setString(2, "SERVING");
                    if (this.dryRun) {
                        LOGGER.info(prepareStatement.toString());
                    } else {
                        prepareStatement.executeUpdate();
                    }
                    try {
                        if (Boolean.parseBoolean(this.expatVariablesFacade.findById("kube_kfserving_installed").getValue())) {
                            try {
                                this.kubeClient = KubernetesClientFactory.getClient();
                                preparedStatement2 = this.connection.prepareStatement(DELETE_API_KEYS);
                                preparedStatement = this.connection.prepareStatement(DELETE_API_KEY_SCOPES);
                                preparedStatement4 = this.connection.prepareStatement(GET_API_KEY_BY_NAME);
                                preparedStatement3 = this.connection.prepareStatement(GET_ACTIVATED_USERS);
                                ResultSet executeQuery = preparedStatement3.executeQuery();
                                while (executeQuery.next()) {
                                    int i = executeQuery.getInt(1);
                                    String string = executeQuery.getString(2);
                                    deleteServingApiKey(i, getServingApiKeyName(string, i), preparedStatement4, preparedStatement, preparedStatement2, true);
                                    deleteKubeSecrets(string);
                                }
                                executeQuery.close();
                                if (this.dryRun) {
                                    LOGGER.info(preparedStatement.toString());
                                    LOGGER.info(preparedStatement2.toString());
                                } else {
                                    preparedStatement.executeBatch();
                                    preparedStatement2.executeBatch();
                                }
                            } catch (ConfigurationException e) {
                                throw new RollbackException("Cannot read kube client configuration", e);
                            }
                        }
                        this.connection.commit();
                        this.connection.setAutoCommit(true);
                        closeConnections(prepareStatement, preparedStatement, preparedStatement2, preparedStatement3, preparedStatement4);
                        this.kubeClient.close();
                        LOGGER.info("Finished serving api keys rollback");
                    } catch (IllegalAccessException | InstantiationException | SQLException e2) {
                        LOGGER.error("Could not rollback serving api keys");
                        throw new RollbackException("Could not rollback serving api keys", e2);
                    }
                } catch (IllegalStateException | SQLException e3) {
                    LOGGER.error("Could not migrate serving api keys");
                    throw new RollbackException("Could not migrate serving api keys", e3);
                }
            } catch (Throwable th) {
                closeConnections(null, null, null, null, null);
                this.kubeClient.close();
                throw th;
            }
        } catch (SQLException | ConfigurationException e4) {
            LOGGER.error("Could not initialize database connection");
            throw new RollbackException("Could not initialize database connection", e4);
        }
    }

    private void insertServingApiKey(int i, String str, Triplet<String, String, String> triplet, String str2, java.sql.Date date, PreparedStatement preparedStatement, PreparedStatement preparedStatement2) throws SQLException {
        preparedStatement.setString(1, (String) triplet.getValue0());
        preparedStatement.setString(2, str2);
        preparedStatement.setString(3, (String) triplet.getValue2());
        preparedStatement.setDate(4, date);
        preparedStatement.setDate(5, date);
        preparedStatement.setString(6, str);
        preparedStatement.setInt(7, i);
        preparedStatement.setInt(8, 1);
        if (this.dryRun) {
            LOGGER.info(preparedStatement.toString());
            return;
        }
        preparedStatement.executeUpdate();
        ResultSet generatedKeys = preparedStatement.getGeneratedKeys();
        generatedKeys.next();
        int i2 = generatedKeys.getInt(1);
        generatedKeys.close();
        for (String str3 : this.SERVING_API_KEY_NAME_SCOPES) {
            preparedStatement2.setInt(1, i2);
            preparedStatement2.setString(2, str3);
            preparedStatement2.addBatch();
        }
        preparedStatement2.executeBatch();
        LOGGER.info("Serving api key " + str + " created for user " + i);
    }

    private void deleteServingApiKey(int i, String str, PreparedStatement preparedStatement, PreparedStatement preparedStatement2, PreparedStatement preparedStatement3, boolean z) throws SQLException {
        String str2;
        preparedStatement.setString(1, str);
        preparedStatement.setInt(2, i);
        ResultSet executeQuery = preparedStatement.executeQuery();
        if (!executeQuery.next()) {
            executeQuery.close();
            return;
        }
        int i2 = executeQuery.getInt(1);
        executeQuery.close();
        preparedStatement2.setInt(1, i2);
        preparedStatement3.setInt(1, i2);
        if (z) {
            preparedStatement2.addBatch();
            preparedStatement3.addBatch();
            str2 = " queued for removal";
        } else {
            preparedStatement2.execute();
            preparedStatement3.execute();
            str2 = " removed";
        }
        LOGGER.info("Serving api key " + str + " of user " + i + str2);
    }

    private void deleteKubeSecrets(String str) {
        Map<String, String> apiKeySecretLabels = getApiKeySecretLabels(null, null, str, null);
        if (this.dryRun) {
            LOGGER.info("Delete secrets in any namespace with labels: " + ((String) apiKeySecretLabels.entrySet().stream().map(entry -> {
                return ((String) entry.getKey()) + ":" + ((String) entry.getValue());
            }).collect(Collectors.joining(","))));
        } else {
            LOGGER.info("Delete secrets in any namespace with labels: " + ((String) apiKeySecretLabels.entrySet().stream().map(entry2 -> {
                return ((String) entry2.getKey()) + ":" + ((String) entry2.getValue());
            }).collect(Collectors.joining(","))));
            ((FilterWatchListDeletable) ((AnyNamespaceOperation) this.kubeClient.secrets().inAnyNamespace()).withLabels(apiKeySecretLabels)).delete();
        }
        LOGGER.info("Serving api key secrets removed in any namespace for user: " + str);
    }

    private void createKubeServingApiKeySecrets(String str, Triplet<String, String, String> triplet, String str2, String str3, Date date, PreparedStatement preparedStatement) throws SQLException {
        String servingApiKeySecretName = getServingApiKeySecretName((String) triplet.getValue0());
        Map<String, String> apiKeySecretLabels = getApiKeySecretLabels(true, str, str3, date);
        createKubeSecret(HOPS_SYSTEM_NAMESPACE, servingApiKeySecretName, getApiKeySecretData((String) triplet.getValue2(), str2, str3, getApiKey(triplet)), apiKeySecretLabels);
        LOGGER.info("Serving api key secret created for user " + str3 + " in hops-system");
        ResultSet executeQuery = preparedStatement.executeQuery();
        while (executeQuery.next()) {
            String string = executeQuery.getString(1);
            String replaceAll = string.toLowerCase().replaceAll("[^a-z0-9-]", "-");
            String projectServingApiKeySecretName = getProjectServingApiKeySecretName(str3);
            HashMap hashMap = new HashMap();
            hashMap.put(SERVING_API_KEY_SECRET_KEY, getApiKey(triplet).getBytes());
            createKubeSecret(replaceAll, projectServingApiKeySecretName, hashMap, apiKeySecretLabels);
            LOGGER.info("Serving api key secret created for user " + str3 + " in project " + string);
        }
        executeQuery.close();
    }

    private void createKubeApiKeySecrets(String str, PreparedStatement preparedStatement) throws SQLException {
        ResultSet executeQuery = preparedStatement.executeQuery();
        while (executeQuery.next()) {
            String string = executeQuery.getString(1);
            String string2 = executeQuery.getString(2);
            String string3 = executeQuery.getString(3);
            java.sql.Date date = executeQuery.getDate(4);
            String string4 = executeQuery.getString(5);
            String servingApiKeySecretName = getServingApiKeySecretName(string);
            createKubeSecret(HOPS_SYSTEM_NAMESPACE, servingApiKeySecretName, getApiKeySecretData(string3, string2, str, null), getApiKeySecretLabels(false, string4, str, date));
            LOGGER.info("Personal api key secret created for user " + str + " with name " + servingApiKeySecretName);
        }
        executeQuery.close();
    }

    private void createKubeSecret(String str, String str2, Map<String, byte[]> map, Map<String, String> map2) throws KubernetesClientException {
        Secret build = new SecretBuilder().withMetadata(new ObjectMetaBuilder().withName(str2).withLabels(map2).build()).withData((Map) map.entrySet().stream().collect(Collectors.toMap((v0) -> {
            return v0.getKey();
        }, entry -> {
            return Base64.getEncoder().encodeToString((byte[]) entry.getValue());
        }))).build();
        if (this.dryRun) {
            LOGGER.info("Create secret with name " + str2 + " in namespace: " + str);
        } else {
            ((NonNamespaceOperation) this.kubeClient.secrets().inNamespace(str)).createOrReplace(build);
        }
    }

    private String getServingApiKeyName(String str, int i) {
        return "serving_" + str + "_" + i;
    }

    private String getServingApiKeySecretName(String str) {
        StringBuilder sb = new StringBuilder("api-key-" + str.toLowerCase() + "-");
        for (char c : str.toCharArray()) {
            sb.append(Character.isUpperCase(c) ? '1' : '0');
        }
        return sb.toString();
    }

    private String getProjectServingApiKeySecretName(String str) {
        return "api-key-" + str + SERVING_API_KEY_SECRET_SUFFIX;
    }

    private Map<String, String> getApiKeySecretLabels(final Boolean bool, final String str, final String str2, final Date date) {
        return new HashMap<String, String>() { // from class: io.hops.hopsworks.expat.migrations.serving.ServingApiKeysMigration.1
            {
                put(ServingApiKeysMigration.API_KEY_SCOPE_LABEL_NAME, BeamKibana.ELASTIC_SERVING_INDEX);
                if (bool != null) {
                    put(ServingApiKeysMigration.API_KEY_RESERVED_LABEL_NAME, String.valueOf(bool));
                }
                if (str != null) {
                    put(ServingApiKeysMigration.API_KEY_NAME_LABEL_NAME, str);
                }
                if (str2 != null) {
                    put(ServingApiKeysMigration.API_KEY_USER_LABEL_NAME, str2);
                }
                if (date != null) {
                    put(ServingApiKeysMigration.API_KEY_MODIFIED_LABEL_NAME, String.valueOf(date.getTime()));
                }
            }
        };
    }

    private Map<String, byte[]> getApiKeySecretData(final String str, final String str2, final String str3, final String str4) {
        return new HashMap<String, byte[]>() { // from class: io.hops.hopsworks.expat.migrations.serving.ServingApiKeysMigration.2
            {
                put(ServingApiKeysMigration.API_KEY_SECRET_KEY, str2.getBytes());
                put(ServingApiKeysMigration.API_KEY_SALT_KEY, str.getBytes());
                put(ServingApiKeysMigration.API_KEY_USER_KEY, str3.getBytes());
                if (str4 != null) {
                    put(ServingApiKeysMigration.SERVING_API_KEY_SECRET_KEY, str4.getBytes());
                }
            }
        };
    }

    private String getApiKey(Triplet<String, String, String> triplet) {
        return ((String) triplet.getValue0()) + "." + ((String) triplet.getValue1());
    }

    private String generateRandomString(int i) {
        return RandomStringUtils.random(i, 0, 0, true, true, (char[]) null, this.secureRandom);
    }

    private String generateSecureRandomString(int i) {
        byte[] bArr = new byte[i];
        this.secureRandom.nextBytes(bArr);
        return new String(Base64.getEncoder().encode(bArr), StandardCharsets.UTF_8);
    }

    private Triplet<String, String, String> generateApiKey(PreparedStatement preparedStatement) throws MigrationException, SQLException {
        String str;
        int i = 10;
        String generateRandomString = generateRandomString(16);
        String generateRandomString2 = generateRandomString(64);
        String generateSecureRandomString = generateSecureRandomString(64);
        while (true) {
            str = generateSecureRandomString;
            if (!apiKeyWithPrefixExists(generateRandomString, preparedStatement)) {
                break;
            }
            int i2 = i;
            i--;
            if (i2 <= 0) {
                break;
            }
            generateRandomString = generateRandomString(16);
            generateRandomString2 = generateRandomString(64);
            generateSecureRandomString = generateSecureRandomString(64);
        }
        if (i >= 1) {
            return new Triplet<>(generateRandomString, generateRandomString2, str);
        }
        LOGGER.error("Could not migrate serving api keys");
        throw new MigrationException("Could not migrate serving api keys");
    }

    private boolean apiKeyWithPrefixExists(String str, PreparedStatement preparedStatement) throws SQLException {
        preparedStatement.setString(1, str);
        ResultSet executeQuery = preparedStatement.executeQuery();
        boolean next = executeQuery.next();
        executeQuery.close();
        return next;
    }

    private void setup() throws SQLException, ConfigurationException {
        this.dryRun = ConfigurationBuilder.getConfiguration().getBoolean(ExpatConf.DRY_RUN);
        this.connection = DbConnectionFactory.getConnection();
        this.expatVariablesFacade = new ExpatVariablesFacade(ExpatVariables.class, this.connection);
        this.secureRandom = new SecureRandom();
    }

    private void closeConnections(PreparedStatement... preparedStatementArr) {
        try {
            for (PreparedStatement preparedStatement : preparedStatementArr) {
                if (preparedStatement != null) {
                    preparedStatement.close();
                }
            }
        } catch (SQLException e) {
        }
    }
}
