package io.hops.hopsworks.ca.controllers;

import io.hops.hopsworks.ca.controllers.CAConf;
import io.hops.hopsworks.ca.controllers.PKI;
import io.hops.hopsworks.restutils.RESTCodes;
import java.io.BufferedReader;
import java.io.File;
import java.io.IOException;
import java.io.InputStream;
import java.io.InputStreamReader;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.ArrayList;
import java.util.List;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.annotation.Resource;
import javax.ejb.AccessTimeout;
import javax.ejb.ConcurrencyManagement;
import javax.ejb.ConcurrencyManagementType;
import javax.ejb.DependsOn;
import javax.ejb.EJB;
import javax.ejb.Lock;
import javax.ejb.LockType;
import javax.ejb.Singleton;
import javax.ejb.TransactionAttribute;
import javax.ejb.TransactionAttributeType;
import javax.enterprise.concurrent.ManagedExecutorService;
import org.apache.commons.io.FileUtils;

@DependsOn({"CAConf"})
@ConcurrencyManagement(ConcurrencyManagementType.CONTAINER)
@Singleton
@AccessTimeout(120000)
@TransactionAttribute(TransactionAttributeType.NOT_SUPPORTED)
/* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/controllers/OpensslOperations.class */
public class OpensslOperations {
    private static final Logger LOGGER = Logger.getLogger(OpensslOperations.class.getName());
    private static final String SUDO = "/usr/bin/sudo";
    private static final String OPENSSL = "openssl";
    private static final String CERTIFICATE_SUFFIX = ".cert.pem";

    @Resource(lookup = "concurrent/hopsExecutorService")
    private ManagedExecutorService executorService;

    @EJB
    private CAConf CAConf;

    @EJB
    private PKI pki;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/classes/io/hops/hopsworks/ca/controllers/OpensslOperations$OpenSSLOutputReader.class */
    public class OpenSSLOutputReader implements Runnable {
        private InputStream in;
        private String opensslOutput;

        public OpenSSLOutputReader(InputStream inputStream) {
            this.in = null;
            this.in = inputStream;
        }

        @Override // java.lang.Runnable
        public void run() {
            StringBuilder sb = new StringBuilder();
            BufferedReader bufferedReader = new BufferedReader(new InputStreamReader(this.in));
            char[] cArr = new char[1000];
            try {
                while (true) {
                    try {
                        int read = bufferedReader.read(cArr, 0, 1000);
                        if (read == -1) {
                            break;
                        } else {
                            sb.append(cArr, 0, read);
                        }
                    } catch (IOException e) {
                        OpensslOperations.LOGGER.log(Level.WARNING, "Could not read the Openssl output", (Throwable) e);
                        try {
                            bufferedReader.close();
                        } catch (IOException e2) {
                        }
                    }
                }
                try {
                    bufferedReader.close();
                } catch (IOException e3) {
                }
                this.opensslOutput = sb.toString();
            } catch (Throwable th) {
                try {
                    bufferedReader.close();
                } catch (IOException e4) {
                }
                throw th;
            }
        }

        public String getOpensslOutput() {
            return this.opensslOutput;
        }
    }

    @Lock(LockType.WRITE)
    public String signCertificateRequest(String str, CertificateType certificateType) throws IOException, CAException {
        File createTempFile = File.createTempFile(System.getProperty("java.io.tmpdir"), ".csr");
        try {
            FileUtils.writeStringToFile(createTempFile, str);
            if (!verifyCSR(createTempFile)) {
                return null;
            }
            String signCSR = signCSR(createTempFile, str, certificateType);
            createTempFile.delete();
            return signCSR;
        } finally {
            createTempFile.delete();
        }
    }

    @Lock(LockType.WRITE)
    public void revokeCertificate(String str, CertificateType certificateType) throws IOException, CAException {
        LOGGER.log(Level.FINE, "Revoking certificate " + str + CERTIFICATE_SUFFIX);
        PKI.CAType responsibileCA = this.pki.getResponsibileCA(certificateType);
        String path = this.pki.getCAConfPath(responsibileCA).toString();
        Path path2 = Paths.get(this.pki.getCACertsDir(responsibileCA).toString(), str + CERTIFICATE_SUFFIX);
        File file = path2.toFile();
        if (!file.exists()) {
            throw new CAException(RESTCodes.CAErrorCode.CERTNOTFOUND, Level.WARNING, certificateType);
        }
        ArrayList arrayList = new ArrayList();
        arrayList.add(OPENSSL);
        arrayList.add("ca");
        arrayList.add("-batch");
        arrayList.add("-config");
        arrayList.add(path);
        arrayList.add("-passin");
        arrayList.add("pass:" + this.pki.getCAKeyPassword(responsibileCA));
        arrayList.add("-revoke");
        arrayList.add(path2.toString());
        executeCommand(arrayList, false);
        createCRL(responsibileCA);
        file.delete();
    }

    private void pruneDatabase(PKI.CAType cAType) throws IOException {
        LOGGER.log(Level.FINE, "Pruning OpenSSL database");
        String path = this.pki.getCAConfPath(cAType).toString();
        ArrayList arrayList = new ArrayList();
        arrayList.add(OPENSSL);
        arrayList.add("ca");
        arrayList.add("-batch");
        arrayList.add("-config");
        arrayList.add(path);
        arrayList.add("-updatedb");
        arrayList.add("-passin");
        arrayList.add("pass:" + this.pki.getCAKeyPassword(cAType));
        executeCommand(arrayList, false);
    }

    private void createCRL(PKI.CAType cAType) throws IOException {
        pruneDatabase(cAType);
        LOGGER.log(Level.FINE, "Creating Certificate Revocation List");
        String path = this.pki.getCAConfPath(cAType).toString();
        String path2 = this.pki.getCACRLPath(cAType).toString();
        ArrayList arrayList = new ArrayList(10);
        arrayList.add(OPENSSL);
        arrayList.add("ca");
        arrayList.add("-batch");
        arrayList.add("-config");
        arrayList.add(path);
        arrayList.add("-gencrl");
        arrayList.add("-passin");
        arrayList.add("pass:" + this.pki.getCAKeyPassword(cAType));
        arrayList.add("-out");
        arrayList.add(path2);
        executeCommand(arrayList, false);
        LOGGER.log(Level.FINE, "Created CRL");
    }

    private boolean verifyCSR(File file) throws IOException {
        LOGGER.log(Level.FINE, "Verifying Certificate Signing Request...");
        ArrayList arrayList = new ArrayList(6);
        arrayList.add(OPENSSL);
        arrayList.add("req");
        arrayList.add("-in");
        arrayList.add(file.getAbsolutePath());
        arrayList.add("-noout");
        arrayList.add("-verify");
        if (!executeCommand(arrayList, true).contains("verify OK")) {
            return false;
        }
        LOGGER.log(Level.INFO, "CSR verification passed for " + file.getAbsolutePath());
        return true;
    }

    private String signCSR(File file, String str, CertificateType certificateType) throws IOException, CAException {
        LOGGER.log(Level.FINE, "Signing Certificate Signing Request...");
        PKI.CAType responsibileCA = this.pki.getResponsibileCA(certificateType);
        String path = this.pki.getCAConfPath(responsibileCA).toString();
        String effectiveExtensions = this.pki.getEffectiveExtensions(responsibileCA);
        String path2 = Paths.get(this.CAConf.getString(CAConf.CAConfKeys.SUDOERS_DIR), "global-ca-sign-csr.sh").toString();
        try {
            String certFileName = this.pki.getCertFileName(certificateType, this.pki.getKeyValuesFromSubject(getSubjectFromCSR(str)));
            String validityPeriod = this.pki.getValidityPeriod(certificateType);
            File file2 = this.pki.getCertPath(responsibileCA, certFileName).toFile();
            if (file2.exists()) {
                throw new CAException(RESTCodes.CAErrorCode.CERTEXISTS, Level.FINE, CertificateType.PROJECT);
            }
            ArrayList arrayList = new ArrayList();
            arrayList.add(SUDO);
            arrayList.add(path2);
            arrayList.add(path);
            arrayList.add(this.pki.getCAKeyPassword(responsibileCA));
            arrayList.add(effectiveExtensions);
            arrayList.add(file.getAbsolutePath());
            arrayList.add(file2.getAbsolutePath());
            arrayList.add(validityPeriod);
            executeCommand(arrayList, false);
            LOGGER.log(Level.FINE, "Signed CSR");
            return FileUtils.readFileToString(file2);
        } catch (IOException e) {
            LOGGER.log(Level.SEVERE, "Error while extracting CN out of CSR", (Throwable) e);
            throw e;
        }
    }

    @Lock(LockType.WRITE)
    public String getSubjectFromCSR(String str) throws IOException {
        File createTempFile = File.createTempFile(System.getProperty("java.io.tmpdir"), ".csr");
        FileUtils.writeStringToFile(createTempFile, str);
        ArrayList arrayList = new ArrayList();
        arrayList.add(OPENSSL);
        arrayList.add("req");
        arrayList.add("-in");
        arrayList.add(createTempFile.getAbsolutePath());
        arrayList.add("-noout");
        arrayList.add("-subject");
        return executeCommand(arrayList, false).trim();
    }

    private String executeCommand(List<String> list, boolean z) throws IOException {
        ProcessBuilder processBuilder = new ProcessBuilder(list);
        processBuilder.redirectErrorStream(z);
        try {
            Process start = processBuilder.start();
            OpenSSLOutputReader openSSLOutputReader = new OpenSSLOutputReader(start.getInputStream());
            OpenSSLOutputReader openSSLOutputReader2 = new OpenSSLOutputReader(start.getErrorStream());
            Future submit = this.executorService.submit(openSSLOutputReader);
            Future submit2 = this.executorService.submit(openSSLOutputReader2);
            if (start.waitFor(2L, TimeUnit.MINUTES) && start.exitValue() == 0) {
                submit.get();
                return openSSLOutputReader.getOpensslOutput();
            }
            submit2.get();
            throw new IOException(openSSLOutputReader2.getOpensslOutput());
        } catch (InterruptedException | ExecutionException e) {
            LOGGER.log(Level.SEVERE, "Error while waiting for OpenSSL command to execute");
            throw new IOException(e);
        }
    }
}
