package org.apache.knox.gateway.services.security.impl;

import java.nio.charset.StandardCharsets;
import java.security.cert.Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.knox.gateway.GatewayMessages;
import org.apache.knox.gateway.GatewayServer;
import org.apache.knox.gateway.config.GatewayConfig;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.services.ServiceLifecycleException;
import org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClient;
import org.apache.knox.gateway.services.config.client.RemoteConfigurationRegistryClientService;
import org.apache.knox.gateway.services.security.AliasService;
import org.apache.knox.gateway.services.security.AliasServiceException;
import org.apache.knox.gateway.services.security.EncryptionResult;
import org.apache.knox.gateway.services.security.MasterService;

/* loaded from: input_file:org/apache/knox/gateway/services/security/impl/RemoteAliasService.class */
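/**
 * {@link AliasService} that mirrors alias passwords into a remote configuration
 * registry (entries under {@code /knox/security/topology/<cluster>/<alias>}) so
 * that several gateway instances can share them, while always keeping a copy in
 * the wrapped local {@link AliasService}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>Only ciphertext reaches the registry: values are encrypted by a
 *       {@link ConfigurableEncryptor} constructed from the master secret
 *       ({@link #init}) and stored as a base64 {@code salt::iv::cipher} blob
 *       ({@link #encrypt}).</li>
 *   <li>Registry change events are trusted: {@link RemoteAliasEntryListener}
 *       decrypts whatever is stored and writes it into the local alias store of
 *       this gateway. Whoever can write to the registry path can therefore
 *       replace an alias value on every gateway, which is why
 *       {@link #ensureEntry} tightens a {@code world:anyone} ACL to
 *       authenticated users -- but only when the client has authentication
 *       configured; otherwise the problem is just logged.</li>
 *   <li>Decrypted secrets pass through {@code String} ({@link #decrypt}), which
 *       cannot be wiped, even though callers receive a {@code char[]}.</li>
 * </ul>
 */
public class RemoteAliasService implements AliasService {
    public static final String PATH_KNOX = "/knox";
    public static final String PATH_KNOX_SECURITY = "/knox/security";
    public static final String PATH_KNOX_ALIAS_STORE_TOPOLOGY = "/knox/security/topology";
    public static final String PATH_SEPARATOR = "/";
    public static final String DEFAULT_CLUSTER_NAME = "__gateway";
    public static final String GATEWAY_IDENTITY_PASSPHRASE = "gateway-identity-passphrase";

    /** "/knox/security/topology/" -- prefix stripped from event paths to get "cluster/alias". */
    private static final String TOPOLOGY_PREFIX = PATH_KNOX_ALIAS_STORE_TOPOLOGY + PATH_SEPARATOR;
    /** "/knox/security/topology/__gateway" -- the gateway-wide alias node. */
    private static final String GATEWAY_CLUSTER_PATH = TOPOLOGY_PREFIX + DEFAULT_CLUSTER_NAME;
    /** Separator between the base64 salt, iv and cipher fields of a stored value. */
    private static final String ENCRYPTED_FIELD_SEPARATOR = "::";

    private static final GatewayMessages LOG = (GatewayMessages) MessagesFactory.get(GatewayMessages.class);

    /**
     * ACL applied to alias nodes that were found world-writable: scheme "auth" with an
     * empty id and permission mask 31. The meaning of those values is the registry
     * client's (for ZooKeeper this would be "any authenticated identity, all
     * permissions" -- confirm against the client in use). Note that this grants full
     * rights to every authenticated principal, not only to Knox.
     */
    private static final RemoteConfigurationRegistryClient.EntryACL AUTHENTICATED_USERS_ALL = new RemoteConfigurationRegistryClient.EntryACL() {
        public String getId() {
            return "";
        }

        public String getType() {
            return "auth";
        }

        public Object getPermissions() {
            return 31;
        }

        public boolean canRead() {
            return true;
        }

        public boolean canWrite() {
            return true;
        }
    };

    private RemoteConfigurationRegistryClient remoteClient;
    private ConfigurableEncryptor encryptor;
    private AliasService localAliasService;
    private RemoteConfigurationRegistryClientService registryClientService;
    private MasterService masterService;
    private GatewayConfig config;
    private Map<String, String> options;

    /**
     * Listener on the topology root (and on each cluster node it discovers): wires an
     * entry listener per alias node and mirrors removals into the local store.
     */
    private static final class RemoteAliasChildListener implements RemoteConfigurationRegistryClient.ChildEntryListener {
        private final RemoteAliasService remoteAliasService;

        RemoteAliasChildListener(RemoteAliasService remoteAliasService) {
            this.remoteAliasService = remoteAliasService;
        }

        public void childEvent(RemoteConfigurationRegistryClient client,
                               RemoteConfigurationRegistryClient.ChildEntryListener.Type type,
                               String path) {
            // Path relative to the topology root: "<cluster>" or "<cluster>/<alias>".
            String subPath = StringUtils.substringAfter(path, TOPOLOGY_PREFIX);
            String[] parts = StringUtils.split(subPath, '/');
            // Only a leaf path ("cluster/alias") names an alias; non-leaf paths leave these null
            // so the log calls below never index past the end of parts[].
            String cluster = parts.length > 1 ? parts[0] : null;
            String alias = parts.length > 1 ? parts[1] : null;

            switch (type) {
                case REMOVED:
                    try {
                        client.removeEntryListener(path);
                        RemoteAliasService target = currentRemoteAliasService();
                        if (target != null && alias != null) {
                            target.removeAliasForClusterLocally(cluster, alias);
                        }
                    } catch (Exception e) {
                        LOG.errorRemovingAliasLocally(cluster, alias, e.toString());
                    }
                    break;
                case ADDED:
                    if (alias != null) {
                        // Leaf node: watch its data so value changes are mirrored locally.
                        LOG.addAliasLocally(cluster, alias);
                        try {
                            client.addEntryListener(path, new RemoteAliasEntryListener(cluster, alias, this.remoteAliasService));
                        } catch (Exception e) {
                            LOG.errorRemovingAliasLocally(cluster, alias, e.toString());
                        }
                    } else if (subPath != null) {
                        // Cluster node: watch its children for new alias nodes.
                        LOG.addRemoteListener(path);
                        try {
                            client.addChildEntryListener(path, new RemoteAliasChildListener(this.remoteAliasService));
                        } catch (Exception e) {
                            LOG.errorAddingRemoteListener(path, e.toString());
                        }
                    }
                    break;
                default:
                    break;
            }
        }
    }

    /**
     * Listener on a single alias node: every data change is decrypted and written into
     * the local alias store of the running gateway. The registry content is trusted
     * here -- there is no check on who wrote it beyond the node ACL.
     */
    private static final class RemoteAliasEntryListener implements RemoteConfigurationRegistryClient.EntryListener {
        private final String cluster;
        private final String alias;
        private final RemoteAliasService remoteAliasService;

        RemoteAliasEntryListener(String cluster, String alias, RemoteAliasService remoteAliasService) {
            this.cluster = cluster;
            this.alias = alias;
            this.remoteAliasService = remoteAliasService;
        }

        public void entryChanged(RemoteConfigurationRegistryClient client, String path, byte[] data) {
            RemoteAliasService target = currentRemoteAliasService();
            if (target == null) {
                return;
            }
            try {
                // data is the base64 "salt::iv::cipher" blob produced by encrypt(); a null or
                // malformed payload ends up in the catch below (logged, not applied).
                String password = this.remoteAliasService.decrypt(new String(data, StandardCharsets.UTF_8));
                target.addAliasForClusterLocally(this.cluster, this.alias, password);
            } catch (Exception e) {
                LOG.errorAddingAliasLocally(this.cluster, this.alias, e.toString());
            }
        }
    }

    /**
     * The {@code RemoteAliasService} registered with the running gateway, or null when
     * the gateway services are not up or the registered AliasService is another implementation.
     */
    private static RemoteAliasService currentRemoteAliasService() {
        if (GatewayServer.getGatewayServices() == null) {
            return null;
        }
        Object service = GatewayServer.getGatewayServices().getService("AliasService");
        return service instanceof RemoteAliasService ? (RemoteAliasService) service : null;
    }

    /** Registry path of one alias: {@code /knox/security/topology/<cluster>/<alias>}. */
    private static String buildAliasEntryName(String clusterName, String alias) {
        return buildClusterEntryName(clusterName) + PATH_SEPARATOR + alias;
    }

    /** Registry path of one cluster: {@code /knox/security/topology/<cluster>}. */
    private static String buildClusterEntryName(String clusterName) {
        return TOPOLOGY_PREFIX + clusterName;
    }

    /**
     * Creates {@code path} if missing; otherwise inspects its ACL and, when a
     * {@code world:anyone} entry is present, replaces the ACL with
     * {@link #AUTHENTICATED_USERS_ALL} -- but only if the client has authentication
     * configured. Without authentication the finding is logged and left as is.
     *
     * <p>Caveat for operators: a freshly created node gets whatever ACL the client
     * applies on create; the correction here only ever runs on pre-existing nodes.
     */
    private static void ensureEntry(String path, RemoteConfigurationRegistryClient client) {
        if (!client.entryExists(path)) {
            client.createEntry(path);
            return;
        }
        List<RemoteConfigurationRegistryClient.EntryACL> acl = client.getACL(path);
        if (acl == null) {
            return;
        }
        for (RemoteConfigurationRegistryClient.EntryACL ace : acl) {
            if ("world".equals(ace.getType()) && "anyone".equals(ace.getId())) {
                LOG.suspectWritableRemoteConfigurationEntry(path);
                if (client.isAuthenticationConfigured()) {
                    LOG.correctingSuspectWritableRemoteConfigurationEntry(path);
                    client.setACL(path, Collections.singletonList(AUTHENTICATED_USERS_ALL));
                }
            }
        }
    }

    /** Ensures the fixed parent nodes (knox, security, topology, __gateway) exist with sane ACLs. */
    private static void ensureBasePaths(RemoteConfigurationRegistryClient client) {
        ensureEntry(PATH_KNOX, client);
        ensureEntry(PATH_KNOX_SECURITY, client);
        ensureEntry(PATH_KNOX_ALIAS_STORE_TOPOLOGY, client);
        ensureEntry(GATEWAY_CLUSTER_PATH, client);
    }

    /** Null-safe view of a list: an empty list stands in for null. */
    private static List<String> safe(List<String> list) {
        return list == null ? Collections.<String>emptyList() : list;
    }

    /** True when a registry client was resolved in init() and the feature is switched on. */
    private boolean remoteEnabled() {
        return this.remoteClient != null && this.config.isRemoteAliasServiceEnabled();
    }

    public void setRegistryClientService(RemoteConfigurationRegistryClientService registryClientService) {
        this.registryClientService = registryClientService;
    }

    public void setMasterService(MasterService masterService) {
        this.masterService = masterService;
    }

    public void setLocalAliasService(AliasService localAliasService) {
        this.localAliasService = localAliasService;
    }

    /**
     * Union of the remote and local alias names for {@code clusterName}. Remote names
     * come first; a local name is appended only when its lower-cased form is not
     * already present (remote entries are written lower-cased, see addAliasForCluster).
     *
     * @return a fresh, never-null list
     */
    public List<String> getAliasesForCluster(String clusterName) throws AliasServiceException {
        List<String> aliases = new ArrayList<>();
        if (remoteEnabled()) {
            // listChildEntries() can return null (start() treats null as "path inaccessible");
            // copy through safe() so the merge below never dereferences it.
            aliases = new ArrayList<>(safe(this.remoteClient.listChildEntries(buildClusterEntryName(clusterName))));
        }
        for (String localAlias : safe(this.localAliasService.getAliasesForCluster(clusterName))) {
            if (!aliases.contains(localAlias.toLowerCase(Locale.ROOT))) {
                aliases.add(localAlias);
            }
        }
        return aliases;
    }

    /**
     * Stores {@code value} under the lower-cased alias in the local store and, when the
     * registry is enabled, as an encrypted entry in the registry.
     *
     * @throws AliasServiceException if encryption or the registry write fails, or if
     *         the entry cannot be read back afterwards
     */
    public void addAliasForCluster(String clusterName, String alias, String value) throws AliasServiceException {
        String key = alias.toLowerCase(Locale.ROOT);
        // Local store first: it is the read fallback whenever the registry is unavailable.
        this.localAliasService.addAliasForCluster(clusterName, key, value);
        if (!remoteEnabled()) {
            return;
        }
        String entry = buildAliasEntryName(clusterName, key);
        ensureBasePaths(this.remoteClient);
        ensureEntry(buildClusterEntryName(clusterName), this.remoteClient);
        try {
            // Only the encrypted blob leaves the process; the plaintext is never written remotely.
            this.remoteClient.createEntry(entry, encrypt(value));
            if (this.remoteClient.getEntryData(entry) == null) {
                throw new IllegalStateException(String.format("Failed to store alias %s for cluster %s in remote registry", key, clusterName));
            }
        } catch (Exception e) {
            throw new AliasServiceException(e);
        }
    }

    /**
     * Removes the alias locally and, when the registry is enabled, remotely. The remote
     * delete is verified: a ciphertext left behind would be re-applied to every gateway
     * by the entry listeners, so failure to delete is an error rather than a warning.
     */
    public void removeAliasForCluster(String clusterName, String alias) throws AliasServiceException {
        String key = alias.toLowerCase(Locale.ROOT);
        this.localAliasService.removeAliasForCluster(clusterName, key);
        if (!remoteEnabled()) {
            LOG.missingClientConfigurationForRemoteMonitoring();
            return;
        }
        String entry = buildAliasEntryName(clusterName, key);
        if (this.remoteClient.entryExists(entry)) {
            this.remoteClient.deleteEntry(entry);
            if (this.remoteClient.entryExists(entry)) {
                throw new IllegalStateException(String.format("Failed to delete alias %s for cluster %s in remote registry", key, clusterName));
            }
        }
    }

    public char[] getPasswordFromAliasForCluster(String clusterName, String alias) throws AliasServiceException {
        return getPasswordFromAliasForCluster(clusterName, alias, false);
    }

    /**
     * Resolves the alias value, preferring the registry. When the registry has no entry
     * and {@code generate} is set, a random value is generated (written to both stores)
     * and then read back. Whenever the registry yields nothing, the local store is
     * consulted with the same {@code generate} flag.
     *
     * @throws AliasServiceException if the stored registry value cannot be decrypted
     */
    public char[] getPasswordFromAliasForCluster(String clusterName, String alias, boolean generate) throws AliasServiceException {
        String key = alias.toLowerCase(Locale.ROOT);
        char[] password = null;
        if (remoteEnabled()) {
            ensureBasePaths(this.remoteClient);
            String entry = buildAliasEntryName(clusterName, key);
            String stored = this.remoteClient.entryExists(entry) ? this.remoteClient.getEntryData(entry) : null;
            if (stored != null) {
                try {
                    password = decrypt(stored).toCharArray();
                } catch (Exception e) {
                    throw new AliasServiceException(e);
                }
            } else if (generate) {
                // Re-read WITHOUT the generate flag so a failed write cannot recurse forever.
                generateAliasForCluster(clusterName, key);
                password = getPasswordFromAliasForCluster(clusterName, key);
            }
        }
        if (password == null) {
            password = this.localAliasService.getPasswordFromAliasForCluster(clusterName, key, generate);
        }
        return password;
    }

    /** Creates the alias with a 16-character random value from DefaultAliasService. */
    public void generateAliasForCluster(String clusterName, String alias) throws AliasServiceException {
        addAliasForCluster(clusterName, alias.toLowerCase(Locale.ROOT), DefaultAliasService.generatePassword(16));
    }

    public char[] getPasswordFromAliasForGateway(String alias) throws AliasServiceException {
        return getPasswordFromAliasForCluster(DEFAULT_CLUSTER_NAME, alias);
    }

    /**
     * The gateway identity passphrase alias, falling back to the master secret itself
     * when no such alias exists in either store.
     */
    public char[] getGatewayIdentityPassphrase() throws AliasServiceException {
        char[] passphrase = getPasswordFromAliasForGateway(GATEWAY_IDENTITY_PASSPHRASE);
        return passphrase != null ? passphrase : this.masterService.getMasterSecret();
    }

    public void generateAliasForGateway(String alias) throws AliasServiceException {
        generateAliasForCluster(DEFAULT_CLUSTER_NAME, alias);
    }

    /** Certificates are never mirrored remotely; this always answers from the local store. */
    public Certificate getCertificateForGateway(String alias) throws AliasServiceException {
        return this.localAliasService.getCertificateForGateway(alias);
    }

    /**
     * Builds the encryptor from the master secret and resolves the registry client named
     * by {@code gatewayConfig.getRemoteConfigurationMonitorClientName()}.
     *
     * @throws ServiceLifecycleException if the master service was not injected, or a
     *         client name is configured but no registry client service was injected
     */
    public void init(GatewayConfig gatewayConfig, Map<String, String> options) throws ServiceLifecycleException {
        this.config = gatewayConfig;
        this.options = options;
        if (this.masterService == null) {
            throw new ServiceLifecycleException("Master service not set on RemoteAliasService");
        }
        // ConfigurableEncryptor takes a String, so the master secret is copied into an
        // immutable String here and cannot be wiped afterwards.
        this.encryptor = new ConfigurableEncryptor(new String(this.masterService.getMasterSecret()));
        this.encryptor.init(gatewayConfig);

        String clientName = gatewayConfig.getRemoteConfigurationMonitorClientName();
        if (clientName == null) {
            LOG.missingClientConfigurationForRemoteMonitoring();
            return;
        }
        if (this.registryClientService == null) {
            throw new ServiceLifecycleException("Remote configuration registry not initialized");
        }
        this.remoteClient = this.registryClientService.get(clientName);
    }

    /**
     * Ensures the base nodes exist and installs the root child listener.
     *
     * @throws IllegalStateException if the topology path cannot be listed or the
     *         listener cannot be installed
     */
    public void start() throws ServiceLifecycleException {
        if (remoteEnabled()) {
            ensureBasePaths(this.remoteClient);
            // A null child list means the path is unreadable (or its ACL denies us): fail loudly
            // instead of running with an empty, silently out-of-sync remote view.
            if (this.remoteClient.listChildEntries(PATH_KNOX_ALIAS_STORE_TOPOLOGY) == null) {
                throw new IllegalStateException("Unable to access remote path: " + PATH_KNOX_ALIAS_STORE_TOPOLOGY);
            }
            try {
                this.remoteClient.addChildEntryListener(PATH_KNOX_ALIAS_STORE_TOPOLOGY, new RemoteAliasChildListener(this));
            } catch (Exception e) {
                throw new IllegalStateException("Unable to add listener for path " + PATH_KNOX_ALIAS_STORE_TOPOLOGY, e);
            }
        }
        if (this.config.isRemoteAliasServiceEnabled()) {
            LOG.remoteAliasServiceEnabled();
        } else {
            LOG.remoteAliasServiceDisabled();
        }
    }

    /**
     * Removes the root listener. The per-cluster and per-alias listeners registered by
     * {@link RemoteAliasChildListener} are not removed here; whether the client drops
     * them on close is not visible from this class.
     */
    public void stop() throws ServiceLifecycleException {
        if (!remoteEnabled()) {
            return;
        }
        try {
            this.remoteClient.removeEntryListener(PATH_KNOX_ALIAS_STORE_TOPOLOGY);
        } catch (Exception e) {
            LOG.errorRemovingRemoteListener(PATH_KNOX_ALIAS_STORE_TOPOLOGY, e.toString());
        }
    }

    /** Writes to the local store only (used by the registry listeners; no lower-casing here). */
    public void addAliasForClusterLocally(String clusterName, String alias, String value) throws AliasServiceException {
        this.localAliasService.addAliasForCluster(clusterName, alias, value);
    }

    /** Removes from the local store only (used by the registry listeners). */
    public void removeAliasForClusterLocally(String clusterName, String alias) throws AliasServiceException {
        LOG.removeAliasLocally(clusterName, alias);
        this.localAliasService.removeAliasForCluster(clusterName, alias);
    }

    /**
     * Encrypts {@code clearText} and encodes the result as
     * base64({@code base64(salt)::base64(iv)::base64(cipher)}) -- the only form in
     * which alias values are written to the registry.
     */
    public String encrypt(String clearText) throws Exception {
        EncryptionResult result = this.encryptor.encrypt(clearText);
        String joined = Base64.encodeBase64String(result.salt) + ENCRYPTED_FIELD_SEPARATOR
                + Base64.encodeBase64String(result.iv) + ENCRYPTED_FIELD_SEPARATOR
                + Base64.encodeBase64String(result.cipher);
        return Base64.encodeBase64String(joined.getBytes(StandardCharsets.UTF_8));
    }

    /**
     * Inverse of {@link #encrypt}. Registry content is untrusted input here, so the
     * three-field layout is checked before any field is handed to the encryptor.
     *
     * @throws IllegalArgumentException if the blob does not split into salt, iv and cipher
     * @throws Exception whatever the encryptor throws on a bad key or ciphertext
     */
    public String decrypt(String encoded) throws Exception {
        String[] parts = new String(Base64.decodeBase64(encoded), StandardCharsets.UTF_8).split(ENCRYPTED_FIELD_SEPARATOR);
        if (parts.length != 3) {
            throw new IllegalArgumentException("Malformed encrypted alias value: expected salt::iv::cipher");
        }
        byte[] plain = this.encryptor.decrypt(Base64.decodeBase64(parts[0]), Base64.decodeBase64(parts[1]), Base64.decodeBase64(parts[2]));
        // The plaintext exists as an immutable String from here on; it cannot be zeroed.
        return new String(plain, StandardCharsets.UTF_8);
    }
}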
