package io.hops.hopsworks.ca.controllers;

import io.hops.hopsworks.ca.controllers.CAConf;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.SimpleDateFormat;
import java.util.Collections;
import java.util.Date;
import java.util.HashMap;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.TimeZone;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.annotation.PostConstruct;
import javax.ejb.EJB;
import javax.ejb.Stateless;
import org.apache.commons.io.FileUtils;
import org.javatuples.Pair;

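/**
 * Layout and policy helper for the Hopsworks certificate authorities.
 *
 * <p>Resolves where each CA ({@link CAType}) keeps its OpenSSL configuration, certificates,
 * private keys and CRL below the configured certs directory, decides which CA signs a given
 * {@code CertificateType}, derives certificate validity periods from configuration, and parses
 * OpenSSL-style subject strings into attribute maps.
 *
 * <p>Container-managed bean: {@code CAConf} is injected and the CA public certificates are cached
 * per bean instance after the first read from disk.
 */
@Stateless
public class PKI {

    @EJB
    private CAConf caConf;

    /** CA public certificates (PEM text) keyed by CA, populated lazily by {@link #getCert}. */
    private final Map<CAType, String> caPubCertCache = new ConcurrentHashMap<>();

    // SimpleDateFormat is not thread-safe. This is acceptable only because the container does not
    // invoke a @Stateless bean instance concurrently; do not hand this formatter out.
    private final SimpleDateFormat dateFormat = newUtcTimestampFormat();

    /** Validity, in days, of certificates that are not subject to key rotation. */
    private static final long TEN_YEARS = 3650;
    /** Prefix printed by OpenSSL in front of a subject line, stripped before parsing. */
    private static final String SUBJECT = "subject=";
    private static final String CERTIFICATE_TYPE_NOT_RECOGNIZED_ERR = "Certificate type not recognized";
    private static final String CA_TYPE_NOT_RECOGNIZED_ERR = "CA type not recognized";
    /** A configured duration: digits followed by an optional unit suffix (see TIME_SUFFIXES). */
    private static final Pattern TIME_CONF_PATTERN = Pattern.compile("([0-9]+)([a-z]+)?");
    /**
     * One {@code key=value} pair of a subject. The value class deliberately excludes path
     * separators and whitespace, so attributes later used in file names (CN, O, OU) cannot carry
     * directory components; pairs with other characters are silently skipped.
     */
    private static final Pattern SUBJECT_PATTERN = Pattern.compile("(([\\w\\.]+\\s?)=(\\s?[\\w\\.\\-@~\\+\\?%:]+))");
    /** Lower-case duration suffixes accepted in configuration values. */
    private static final Map<String, TimeUnit> TIME_SUFFIXES;

    static {
        Map<String, TimeUnit> suffixes = new HashMap<>(5);
        suffixes.put("ms", TimeUnit.MILLISECONDS);
        suffixes.put("s", TimeUnit.SECONDS);
        suffixes.put("m", TimeUnit.MINUTES);
        suffixes.put("h", TimeUnit.HOURS);
        suffixes.put("d", TimeUnit.DAYS);
        TIME_SUFFIXES = Collections.unmodifiableMap(suffixes);
    }

    /** The certificate authorities managed by this service. */
    public enum CAType {
        /** Offline root; signs the intermediate CA. */
        ROOT,
        /** Issues application, host, DELA and project certificates. */
        INTERMEDIATE,
        /** Separate CA for Kubernetes certificates. */
        KUBECA
    }

    /**
     * Container lifecycle hook. The UTC formatter is created at field initialisation so the bean
     * is usable even when this hook is never invoked (e.g. outside a container).
     */
    @PostConstruct
    public void init() {
        // Nothing left to do here; see the dateFormat field initialiser.
    }

    /** Creates the {@code yyMMddHHmmss} formatter used for ASN.1 UTCTime values, pinned to UTC. */
    private static SimpleDateFormat newUtcTimestampFormat() {
        SimpleDateFormat format = new SimpleDateFormat("yyMMddHHmmss");
        format.setTimeZone(TimeZone.getTimeZone("UTC"));
        return format;
    }

    /**
     * Builds the base file name (without extension) under which a certificate is stored.
     *
     * @param certificateType kind of certificate being issued
     * @param map subject attributes, e.g. from {@link #getKeyValuesFromSubject(String)}
     * @return {@code CN__O__OU} for APP, {@code CN__OU} for HOST, {@code CN} for anything else
     * @throws NullPointerException if {@code map} is null
     */
    public String getCertFileName(CertificateType certificateType, Map<String, String> map) {
        Objects.requireNonNull(map, "subject attributes");
        String commonName = map.get("CN");
        switch (certificateType) {
            case APP:
                return commonName + "__" + map.get("O") + "__" + map.get("OU");
            case HOST:
                return commonName + "__" + map.get("OU");
            default:
                return commonName;
        }
    }

    /**
     * Computes the expiration timestamp for a new certificate of the given type.
     *
     * @param certificateType kind of certificate being issued
     * @return expiration as ASN.1 UTCTime ({@code yyMMddHHmmssZ})
     * @throws IllegalArgumentException if the type is not handled
     */
    public String getValidityPeriod(CertificateType certificateType) {
        switch (certificateType) {
            case APP:
                return getAppCertificateValidityPeriod();
            case HOST:
                return getServiceCertificateValidityPeriod();
            case DELA:
            case KUBE:
            case PROJECT:
                return getExpirationDateASN1(TimeUnit.MILLISECONDS.convert(TEN_YEARS, TimeUnit.DAYS));
            default:
                throw new IllegalArgumentException(CERTIFICATE_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    /**
     * Validity for host (service) certificates: ten years when key rotation is disabled, otherwise
     * the configured rotation interval plus a four-day margin. The margin is added to the parsed
     * duration in milliseconds (not concatenated to the configuration string).
     */
    private String getServiceCertificateValidityPeriod() {
        long validityMs;
        if (!caConf.getBoolean(CAConf.CAConfKeys.SERVICE_KEY_ROTATION_ENABLED)) {
            validityMs = TimeUnit.MILLISECONDS.convert(TEN_YEARS, TimeUnit.DAYS);
        } else {
            String interval = caConf.getString(CAConf.CAConfKeys.SERVICE_KEY_ROTATION_INTERVAL);
            // Four extra days so the current certificate is still valid around the next rotation.
            validityMs = getCertificateValidityInMS(interval) + TimeUnit.MILLISECONDS.convert(4L, TimeUnit.DAYS);
        }
        return getExpirationDateASN1(validityMs);
    }

    /** Validity for application certificates, taken verbatim from configuration. */
    private String getAppCertificateValidityPeriod() {
        String configured = caConf.getString(CAConf.CAConfKeys.APPLICATION_CERTIFICATE_VALIDITY_PERIOD);
        return getExpirationDateASN1(getCertificateValidityInMS(configured));
    }

    /**
     * Parses a configured duration such as {@code 30d}, {@code 12h} or {@code 90} (minutes when
     * no suffix is given) into milliseconds.
     *
     * @throws IllegalArgumentException if the value is null, malformed or uses an unknown suffix
     */
    private long getCertificateValidityInMS(String str) {
        Matcher matcher = matchConfTime(str);
        long amount = Long.parseLong(matcher.group(1));
        return TimeUnit.MILLISECONDS.convert(amount, suffixToTimeUnit(matcher.group(2), str));
    }

    /**
     * Formats "now + {@code j} milliseconds" as ASN.1 UTCTime in UTC.
     *
     * @param j validity in milliseconds relative to the current clock
     */
    private String getExpirationDateASN1(long j) {
        return dateFormat.format(new Date(System.currentTimeMillis() + j)) + 'Z';
    }

    /**
     * Parses an OpenSSL subject line into its attributes.
     *
     * <p>A leading {@code subject=} is removed first. Only pairs matching {@link #SUBJECT_PATTERN}
     * are kept; keys and values are trimmed, and a repeated key keeps the last occurrence.
     *
     * @param str subject line, e.g. {@code subject=CN=host, OU=1, O=proj}
     * @return attribute map, or {@code null} when {@code str} is null or empty (kept for existing
     *     callers that test for null)
     */
    public Map<String, String> getKeyValuesFromSubject(String str) {
        if (str == null || str.isEmpty()) {
            return null;
        }
        Matcher matcher = SUBJECT_PATTERN.matcher(str.replaceFirst(SUBJECT, ""));
        Map<String, String> attributes = new HashMap<>();
        while (matcher.find()) {
            attributes.put(matcher.group(2).trim(), matcher.group(3).trim());
        }
        return attributes;
    }

    /**
     * Selects the CA that signs certificates of the given type.
     *
     * @throws IllegalArgumentException if the type is not handled
     */
    public CAType getResponsibileCA(CertificateType certificateType) {
        switch (certificateType) {
            case APP:
            case HOST:
            case DELA:
            case PROJECT:
                return CAType.INTERMEDIATE;
            case KUBE:
                return CAType.KUBECA;
            default:
                throw new IllegalArgumentException(CERTIFICATE_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    /**
     * Root directory of a CA: the configured certs directory for ROOT, and its
     * {@code intermediate} / {@code kube} subdirectories for the other CAs.
     *
     * @throws IllegalArgumentException if the CA type is not handled
     */
    public String getCAParentPath(CAType cAType) {
        String certsDir = caConf.getString(CAConf.CAConfKeys.CERTS_DIR);
        switch (cAType) {
            case ROOT:
                return certsDir;
            case INTERMEDIATE:
                return certsDir + "/intermediate";
            case KUBECA:
                return certsDir + "/kube";
            default:
                throw new IllegalArgumentException(CA_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    /**
     * Password protecting the CA private key. Root and intermediate share the master SSL
     * password; the Kubernetes CA has its own. Callers must not log the returned value.
     *
     * @throws IllegalArgumentException if the CA type is not handled
     */
    public String getCAKeyPassword(CAType cAType) {
        switch (cAType) {
            case ROOT:
            case INTERMEDIATE:
                return caConf.getString(CAConf.CAConfKeys.HOPSWORKS_SSL_MASTER_PASSWORD);
            case KUBECA:
                return caConf.getString(CAConf.CAConfKeys.KUBE_CA_PASSWORD);
            default:
                throw new IllegalArgumentException(CA_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    /**
     * OpenSSL configuration file of a CA.
     *
     * @throws IllegalArgumentException if the CA type is not handled
     */
    public Path getCAConfPath(CAType cAType) {
        switch (cAType) {
            case ROOT:
                return Paths.get(getCAParentPath(CAType.ROOT), "openssl-ca.cnf");
            case INTERMEDIATE:
                return Paths.get(getCAParentPath(CAType.INTERMEDIATE), "openssl-intermediate.cnf");
            case KUBECA:
                return Paths.get(getCAParentPath(CAType.KUBECA), "kube-ca.cnf");
            default:
                throw new IllegalArgumentException(CA_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    /** Directory holding the certificates issued by (and of) a CA. */
    public Path getCACertsDir(CAType cAType) {
        return Paths.get(getCAParentPath(cAType), "certs");
    }

    /** Directory holding the private keys of a CA. */
    public Path getCAKeysDir(CAType cAType) {
        return Paths.get(getCAParentPath(cAType), "private");
    }

    /**
     * Certificate revocation list of a CA.
     *
     * @throws IllegalArgumentException if the CA type is not handled
     */
    public Path getCACRLPath(CAType cAType) {
        switch (cAType) {
            case ROOT:
                return Paths.get(getCAParentPath(CAType.ROOT), "crl", "ca.crl.pem");
            case INTERMEDIATE:
                return Paths.get(getCAParentPath(CAType.INTERMEDIATE), "crl", "intermediate.crl.pem");
            case KUBECA:
                return Paths.get(getCAParentPath(CAType.KUBECA), "crl", "kube-ca.crl.pem");
            default:
                throw new IllegalArgumentException(CA_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    /**
     * Name of the OpenSSL extensions section applied when the given CA signs a request: the root
     * signs with the intermediate-CA section, the intermediate with the end-entity section.
     *
     * @throws IllegalArgumentException if the CA type is not handled
     */
    public String getEffectiveExtensions(CAType cAType) {
        switch (cAType) {
            case ROOT:
                return "v3_intermediate_ca";
            case INTERMEDIATE:
                return "usr_cert";
            case KUBECA:
                return "v3_ext";
            default:
                throw new IllegalArgumentException(CA_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    /**
     * Path of the certificate named {@code str} (without extension) in the CA's certs directory.
     */
    public Path getCertPath(CAType cAType, String str) {
        return Paths.get(getCACertsDir(cAType).toString(), str + ".cert.pem");
    }

    /**
     * Path of the key named {@code str} (without extension) in the CA's private directory.
     *
     * <p>NOTE(review): the suffix is {@code .cert.pem}, the same as {@link #getCertPath}; existing
     * files on disk depend on it, so it is kept as-is — confirm this is intended rather than a
     * copy-paste of the certificate suffix.
     */
    public Path getKeyPath(CAType cAType, String str) {
        return Paths.get(getCAKeysDir(cAType).toString(), str + ".cert.pem");
    }

    /**
     * Path of the CA's own certificate.
     *
     * @throws IllegalArgumentException if the CA type is not handled
     */
    public Path getCACertPath(CAType cAType) {
        switch (cAType) {
            case ROOT:
                return getCertPath(cAType, "ca");
            case INTERMEDIATE:
                return getCertPath(cAType, "intermediate");
            case KUBECA:
                return getCertPath(cAType, "kube-ca");
            default:
                throw new IllegalArgumentException(CA_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    /**
     * Path of the chain-of-trust bundle for a CA: the root certificate itself for ROOT, the
     * {@code ca-chain} bundle for the other CAs.
     *
     * @throws IllegalArgumentException if the CA type is not handled
     */
    public Path getChainOfTrustFilePath(CAType cAType) {
        switch (cAType) {
            case ROOT:
                return getCertPath(cAType, "ca");
            case INTERMEDIATE:
            case KUBECA:
                return getCertPath(cAType, "ca-chain");
            default:
                throw new IllegalArgumentException(CA_TYPE_NOT_RECOGNIZED_ERR);
        }
    }

    /**
     * Public certificates making up the chain of trust for a CA.
     *
     * @return pair of (root CA certificate, the given CA's certificate); the second element is
     *     {@code null} when {@code cAType} is ROOT
     * @throws IOException if a certificate file cannot be read
     */
    public Pair<String, String> getChainOfTrust(CAType cAType) throws IOException {
        String intermediate = null;
        if (cAType != CAType.ROOT) {
            intermediate = getCert(cAType);
        }
        return new Pair<>(getCert(CAType.ROOT), intermediate);
    }

    /**
     * Reads a CA's public certificate, caching it after the first read.
     *
     * <p>The map is a {@code ConcurrentHashMap}, so the unsynchronized fast-path read is safe; the
     * lock only serialises the file read. The value is re-read from the cache inside the lock so a
     * thread that loses the race returns the cached text instead of {@code null}.
     *
     * @throws IOException if the certificate file cannot be read
     */
    private String getCert(CAType cAType) throws IOException {
        String cert = caPubCertCache.get(cAType);
        if (cert != null) {
            return cert;
        }
        synchronized (caPubCertCache) {
            cert = caPubCertCache.get(cAType);
            if (cert == null) {
                // PEM is ASCII; fixing the charset avoids depending on the platform default.
                cert = new String(Files.readAllBytes(getCACertPath(cAType)), StandardCharsets.UTF_8);
                caPubCertCache.put(cAType, cert);
            }
            return cert;
        }
    }

    /**
     * Matches a configured duration against {@link #TIME_CONF_PATTERN} (case-insensitively).
     *
     * @throws IllegalArgumentException if the value is null or does not match
     */
    private static Matcher matchConfTime(String str) {
        if (str == null) {
            throw new IllegalArgumentException("Invalid time in configuration: null");
        }
        Matcher matcher = TIME_CONF_PATTERN.matcher(str.toLowerCase(Locale.ROOT));
        if (!matcher.matches()) {
            throw new IllegalArgumentException("Invalid time in configuration: " + str);
        }
        return matcher;
    }

    /**
     * Maps a (lower-case) duration suffix to its unit; a missing suffix means minutes.
     *
     * @param suffix group 2 of a {@link #TIME_CONF_PATTERN} match, possibly null
     * @param original the full configuration value, for the error message
     * @throws IllegalArgumentException if the suffix is not in {@link #TIME_SUFFIXES}
     */
    private static TimeUnit suffixToTimeUnit(String suffix, String original) {
        if (suffix == null) {
            return TimeUnit.MINUTES;
        }
        TimeUnit unit = TIME_SUFFIXES.get(suffix);
        if (unit == null) {
            throw new IllegalArgumentException("Invalid time suffix in configuration: " + original);
        }
        return unit;
    }
}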
