package org.apache.hadoop.hdds.security.x509.certificate.client;

import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.io.IOException;
import java.math.BigInteger;
import java.net.InetAddress;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyPair;
import java.security.cert.CertPath;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
import java.util.Set;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.function.Consumer;
import org.apache.hadoop.hdds.HddsUtils;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.protocolPB.SCMSecurityProtocolClientSideTranslatorPB;
import org.apache.hadoop.hdds.security.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CAType;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.DefaultCAProfile;
import org.apache.hadoop.hdds.security.x509.certificate.authority.profile.PKIProfile;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.security.x509.exception.CertificateException;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.hadoop.ozone.OzoneSecurityUtil;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/security/x509/certificate/client/SCMCertificateClient.class */
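/**
 * Certificate client for a Storage Container Manager (SCM).
 *
 * <p>An SCM acts as a subordinate CA: its CSR is built with {@code setCA(true)}
 * and is signed either by the root CA server that the primary SCM creates
 * locally ({@link #getPrimarySCMSelfSignedCert()}) or, on a non-primary SCM,
 * by the leader SCM over the security RPC ({@link #getRootCASignedSCMCert()}).
 * The key material lives under the {@code scm/sub-ca} component directory.
 *
 * <p>Security note: {@link RefreshCACertificates} takes the leader SCM's list of
 * root CA certificates as authoritative and stores every certificate it has not
 * seen before. Nothing in this class validates those certificates (signature,
 * key usage, or membership in an existing trust set); any such check must come
 * from {@code storeCertificate} or from the authenticated RPC channel, neither
 * of which is visible here.
 *
 * <p>Thread-safety: {@link #refreshCACertificates()} and {@link #close()} are
 * synchronized on this instance because both create or tear down
 * {@link #executorService}; the other methods are intended for the
 * initialization path and are not synchronized.
 */
public class SCMCertificateClient extends DefaultCertificateClient {
    private static final Logger LOG = LoggerFactory.getLogger(SCMCertificateClient.class);

    /** Component directory for the SCM sub-CA material: {@code scm/sub-ca}. */
    public static final String COMPONENT_NAME = Paths.get("scm", "sub-ca").toString();

    /** Subject prefix of the root CA server created by the primary SCM. */
    private static final String ROOT_CA_SUBJECT_PREFIX = "scm@";

    /** Subject prefix of this client's own (sub-CA) CSR. */
    private static final String SUB_CA_SUBJECT_PREFIX = "scm-sub@";

    private final String scmId;
    private final String cId;
    private final String scmHostname;
    private final boolean isPrimarySCM;
    /** Receives the serial number of the freshly signed sub-CA certificate; may be null (see ctors). */
    private final Consumer<String> saveCertIdCallback;
    /** Lazily created by {@link #refreshCACertificates()}, torn down by {@link #close()}. */
    private ExecutorService executorService;

    /**
     * Background task that pulls the root CA certificates known to the leader
     * SCM and stores any that this client does not yet hold.
     *
     * <p>Non-static by design: it uses the enclosing client's certificate store
     * and notification receivers.
     */
    public class RefreshCACertificates implements Runnable {
        private final SCMSecurityProtocolClientSideTranslatorPB scmSecureClient;

        /**
         * @param scmSecureClient RPC client used to reach the leader SCM.
         */
        public RefreshCACertificates(SCMSecurityProtocolClientSideTranslatorPB scmSecureClient) {
            this.scmSecureClient = scmSecureClient;
        }

        /**
         * Fetches the leader's root CA certificates, stores the ones not already
         * known locally, and notifies receivers using this client's own
         * certificate serial. IO failures are logged and swallowed because this
         * runs on a daemon executor with nobody to propagate them to.
         */
        @Override // java.lang.Runnable
        public void run() {
            try {
                List<String> leaderRootCaPems = scmSecureClient.getAllRootCaCertificates();

                // Baseline to diff against: the root CA set if we have one, otherwise
                // whatever CA certificates are stored.
                Set<X509Certificate> knownCaCerts = getAllRootCaCerts();
                if (knownCaCerts.isEmpty()) {
                    knownCaCerts = getAllCaCerts();
                }

                // Relies on X509Certificate.equals (encoded-bytes comparison) to drop known certs.
                List<X509Certificate> newCaCerts = OzoneSecurityUtil.convertToX509(leaderRootCaPems);
                newCaCerts.removeAll(knownCaCerts);
                if (newCaCerts.isEmpty()) {
                    LOG.info("CA certificates are not changed.");
                    return;
                }

                for (X509Certificate caCert : newCaCerts) {
                    LOG.info("Fetched new root CA certificate {} from leader SCM", caCert.getSerialNumber().toString());
                    // Stored unverified here; CAType.SUBORDINATE matches how the initial
                    // chain is stored in signAndStoreCertificate (presumably meaning "the
                    // CA above this client", not the certificate's own role — confirm).
                    storeCertificate(CertificateCodec.getPEMEncodedString(caCert), CAType.SUBORDINATE);
                }

                String ownSerial = getCertificate().getSerialNumber().toString();
                notifyNotificationReceivers(ownSerial, ownSerial);
            } catch (IOException e) {
                LOG.error("Failed to refresh CA certificates", e);
            }
        }
    }

    /**
     * Full constructor used by the SCM initialization path.
     *
     * @param securityConfig     security configuration.
     * @param scmSecureClient    RPC client to the (leader) SCM security service.
     * @param scmId              id of this SCM; also used for the thread-name prefix.
     * @param clusterId          cluster id placed into the CSR.
     * @param certSerialId       handed to the base class as the certificate id (assumed to
     *                           be the serial of an already issued certificate — confirm).
     * @param hostname           hostname placed into the CSR subject.
     * @param isPrimarySCM       when true the GETCERT path creates a local root CA instead
     *                           of asking the leader SCM.
     * @param saveCertIdCallback receives the serial of the newly signed sub-CA certificate.
     */
    public SCMCertificateClient(SecurityConfig securityConfig,
                                SCMSecurityProtocolClientSideTranslatorPB scmSecureClient,
                                String scmId, String clusterId, String certSerialId, String hostname,
                                boolean isPrimarySCM, Consumer<String> saveCertIdCallback) {
        super(securityConfig, scmSecureClient, LOG, certSerialId, COMPONENT_NAME,
                HddsUtils.threadNamePrefix(scmId), saveCertIdCallback, null);
        this.scmId = scmId;
        this.cId = clusterId;
        this.scmHostname = hostname;
        this.isPrimarySCM = isPrimarySCM;
        this.saveCertIdCallback = saveCertIdCallback;
    }

    /**
     * Non-primary client without a save-cert-id callback. The GETCERT recovery
     * path requires that callback and fails fast if it is missing.
     */
    public SCMCertificateClient(SecurityConfig securityConfig,
                                SCMSecurityProtocolClientSideTranslatorPB scmSecureClient,
                                String scmId, String clusterId, String certSerialId, String hostname) {
        this(securityConfig, scmSecureClient, scmId, clusterId, certSerialId, hostname, COMPONENT_NAME);
    }

    private SCMCertificateClient(SecurityConfig securityConfig,
                                 SCMSecurityProtocolClientSideTranslatorPB scmSecureClient,
                                 String scmId, String clusterId, String certSerialId, String hostname,
                                 String component) {
        super(securityConfig, scmSecureClient, LOG, certSerialId, component,
                HddsUtils.threadNamePrefix(scmId), null, null);
        this.scmId = scmId;
        this.cId = clusterId;
        this.scmHostname = hostname;
        this.isPrimarySCM = false;
        this.saveCertIdCallback = null;
    }

    /**
     * Minimal client: only the certificate id is known. SCM id, cluster id and
     * hostname are left null, so this instance cannot build a CSR.
     */
    public SCMCertificateClient(SecurityConfig securityConfig,
                                SCMSecurityProtocolClientSideTranslatorPB scmSecureClient,
                                String certSerialId) {
        this(securityConfig, scmSecureClient, null, null, certSerialId, null, COMPONENT_NAME);
    }

    /**
     * Client bound to a custom component directory instead of {@link #COMPONENT_NAME}.
     * Cluster id and hostname are left null.
     */
    public SCMCertificateClient(SecurityConfig securityConfig,
                                SCMSecurityProtocolClientSideTranslatorPB scmSecureClient,
                                String certSerialId, String scmId, String component) {
        this(securityConfig, scmSecureClient, scmId, null, certSerialId, null, component);
    }

    /**
     * Builds the CSR for this SCM's sub-CA certificate: subject
     * {@code scm-sub@<hostname>}, SCM id, cluster id, CA flag set, and the
     * client's own key pair.
     *
     * @throws CertificateException propagated from the base builder or key access.
     */
    @Override // org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient
    public CertificateSignRequest.Builder getCSRBuilder() throws CertificateException {
        String subject = SUB_CA_SUBJECT_PREFIX + scmHostname;
        LOG.info("Creating csr for SCM->hostName:{},scmId:{},clusterId:{},subject:{}",
                new Object[]{scmHostname, scmId, cId, subject});
        KeyPair keyPair = new KeyPair(getPublicKey(), getPrivateKey());
        return super.getCSRBuilder()
                .setSubject(subject)
                .setScmID(scmId)
                .setClusterID(cId)
                .setCA(true)            // this is a sub-CA certificate request
                .setKey(keyPair);
    }

    /** The base-class renewer is never started for the SCM sub-CA certificate. */
    @Override // org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient
    protected boolean shouldStartCertificateRenewerService() {
        return false;
    }

    @Override // org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient
    public Logger getLogger() {
        return LOG;
    }

    /**
     * Not supported: SCM certificates are obtained through
     * {@link #signAndStoreCertificate} / the recovery path instead.
     *
     * @throws UnsupportedOperationException always.
     */
    @Override // org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient
    protected SCMSecurityProtocolProtos.SCMGetCertResponseProto getCertificateSignResponse(PKCS10CertificationRequest csr) {
        throw new UnsupportedOperationException("getCertSignResponse of  SCMCertificateClient is not supported currently");
    }

    /**
     * Sends the CSR to the SCM security service (with the renew flag set on the
     * RPC), stores the returned CA certificate and signed certificate under
     * {@code certPath}, writes the signed certificate to the configured
     * certificate file, and returns its serial number.
     *
     * @param csr      the certificate signing request.
     * @param certPath directory the certificate codec writes into.
     * @param renew    negated into the last {@code storeCertificate} argument;
     *                 taken to be a renewal flag — confirm against the base class.
     * @return decimal serial number of the signed certificate.
     * @throws RuntimeException wrapping any failure, including a response without
     *                          a CA certificate. Errors (e.g. OOM) are no longer
     *                          wrapped; they propagate as-is.
     */
    @Override // org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient
    public String signAndStoreCertificate(PKCS10CertificationRequest csr, Path certPath, boolean renew) throws CertificateException {
        try {
            SCMSecurityProtocolProtos.SCMGetCertResponseProto response = getScmSecureClient()
                    .getSCMCertChain(scmNodeDetails(), CertificateSignRequest.getEncodedString(csr), true);
            CertificateCodec codec = new CertificateCodec(getSecurityConfig(), certPath);
            String signedCertPem = response.getX509Certificate();
            if (!response.hasX509CACertificate()) {
                throw new RuntimeException("Unable to retrieve SCM certificate chain");
            }
            storeCertificate(response.getX509CACertificate(), CAType.SUBORDINATE, codec, false, !renew);
            storeCertificate(signedCertPem, CAType.NONE, codec, false, !renew);
            codec.writeCertificate(codec.getLocation().toAbsolutePath(),
                    getSecurityConfig().getCertificateFileName(), signedCertPem);
            return CertificateCodec.getX509Certificate(signedCertPem).getSerialNumber().toString();
        } catch (Exception e) {
            // Was catch (Throwable): wrapping JVM Errors in RuntimeException hid fatal
            // conditions from the caller. Checked and unchecked exceptions keep the old contract.
            LOG.error("Error while fetching/storing SCM signed certificate.", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Schedules one {@link RefreshCACertificates} run on a single-thread daemon
     * executor, creating the executor on first use.
     *
     * <p>Synchronized with {@link #close()} so a concurrent close cannot shut down
     * an executor this method is still creating or submitting to. Note that a
     * call after {@code close()} recreates the executor.
     *
     * @throws IOException declared for interface compatibility; not thrown here.
     */
    public synchronized void refreshCACertificates() throws IOException {
        if (executorService == null) {
            String threadName = threadNamePrefix() + getComponentName() + "-refreshCACertificates";
            executorService = Executors.newSingleThreadExecutor(
                    new ThreadFactoryBuilder().setNameFormat(threadName).setDaemon(true).build());
        }
        executorService.execute(new RefreshCACertificates(getScmSecureClient()));
    }

    /** Closes the base client and interrupts any pending CA refresh. */
    @Override // org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient
    public synchronized void close() throws IOException {
        super.close();
        if (executorService != null) {
            executorService.shutdownNow();
            executorService = null;
        }
    }

    /**
     * Acts on the base-class init result: SUCCESS needs nothing, GETCERT obtains
     * and stores a sub-CA certificate (locally on the primary SCM, from the
     * leader otherwise), anything else is fatal.
     *
     * @throws RuntimeException on FAILURE or any unrecognised response.
     */
    @Override // org.apache.hadoop.hdds.security.x509.certificate.client.DefaultCertificateClient
    protected void recoverStateIfNeeded(CertificateClient.InitResponse initResponse) throws IOException {
        LOG.info("Init response: {}", initResponse);
        switch (initResponse) {
            case SUCCESS:
                LOG.info("Initialization successful.");
                break;
            case GETCERT:
                if (isPrimarySCM) {
                    getPrimarySCMSelfSignedCert();
                } else {
                    getRootCASignedSCMCert();
                }
                LOG.info("Successfully stored SCM signed certificate.");
                break;
            case FAILURE:
            default:
                LOG.error("SCM security initialization failed. Init response: {}", initResponse);
                throw new RuntimeException("SCM security initialization failed.");
        }
    }

    /**
     * Non-primary path: asks the leader SCM to sign this node's CSR, stores the
     * CA and signed certificates, persists the sub-CA certificate file, and
     * reports the new serial through {@link #saveCertIdCallback}.
     *
     * @throws RuntimeException wrapping IO / certificate failures, or if the
     *                          response carries no CA certificate.
     * @throws NullPointerException if this client was built without a
     *                              save-cert-id callback (checked before any RPC).
     */
    private void getRootCASignedSCMCert() {
        requireSaveCertIdCallback();
        try {
            PKCS10CertificationRequest csr = getCSRBuilder().build();
            SCMSecurityProtocolProtos.SCMGetCertResponseProto response = getScmSecureClient()
                    .getSCMCertChain(scmNodeDetails(), CertificateSignRequest.getEncodedString(csr), false);
            String signedCertPem = response.getX509Certificate();
            if (!response.hasX509CACertificate()) {
                throw new RuntimeException("Unable to retrieve SCM certificate chain");
            }
            storeCertificate(response.getX509CACertificate(), CAType.SUBORDINATE);
            storeCertificate(signedCertPem, CAType.NONE);
            persistSubCACertificate(signedCertPem);
            saveCertIdCallback.accept(CertificateCodec.getX509Certificate(signedCertPem).getSerialNumber().toString());
        } catch (IOException | java.security.cert.CertificateException e) {
            LOG.error("Error while fetching/storing SCM signed certificate.", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Primary path: creates a local root CA (serial 1), has it sign this node's
     * sub-CA CSR (serial 2), stores both certificates, persists the sub-CA
     * certificate file, and reports the sub-CA serial through
     * {@link #saveCertIdCallback}.
     *
     * @throws RuntimeException wrapping any failure; the interrupt flag is
     *                          restored only when the cause was an
     *                          {@link InterruptedException}.
     * @throws NullPointerException if this client was built without a
     *                              save-cert-id callback (checked before any work).
     */
    private void getPrimarySCMSelfSignedCert() {
        requireSaveCertIdCallback();
        try {
            CertificateServer rootCa = initializeRootCertificateServer(getSecurityConfig(), null,
                    BigInteger.ONE, new DefaultCAProfile(), OzoneConsts.SCM_ROOT_CA_COMPONENT_NAME);
            String rootCaPem = CertificateCodec.getPEMEncodedString(rootCa.getCaCertPath());

            // Serial 2 for the sub-CA; the root CA above took serial 1 (assumed to be
            // the serial argument — confirm against CertificateServer.requestCertificate).
            String subCaSerial = BigInteger.valueOf(2).toString();
            CertPath subCaChain = rootCa.requestCertificate(getCSRBuilder().build(),
                    CertificateApprover.ApprovalType.KERBEROS_TRUSTED, HddsProtos.NodeType.SCM, subCaSerial).get();
            String subCaPem = CertificateCodec.getPEMEncodedString(subCaChain);

            storeCertificate(rootCaPem, CAType.SUBORDINATE);
            storeCertificate(subCaPem, CAType.NONE);
            persistSubCACertificate(subCaPem);

            X509Certificate leaf = (X509Certificate) subCaChain.getCertificates().get(0);
            saveCertIdCallback.accept(CertificateCodec.getCertificateHolder(leaf).getSerialNumber().toString());
        } catch (IOException | InterruptedException | java.security.cert.CertificateException | ExecutionException e) {
            LOG.error("Error while fetching/storing SCM signed certificate.", e);
            // Only an interrupt should re-set the interrupt flag; the original set it for
            // every exception type, leaving a spurious flag on IO/certificate failures.
            if (e instanceof InterruptedException) {
                Thread.currentThread().interrupt();
            }
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates and initialises a root CA server for this SCM.
     *
     * @param securityConfig   security configuration passed to {@code init}.
     * @param certificateStore backing store; {@code null} is accepted by callers here.
     * @param rootCertId       serial id for the root certificate.
     * @param pkiProfile       PKI profile the CA enforces.
     * @param componentName    component directory for the CA material.
     * @return the initialised root CA server.
     * @throws IOException from hostname lookup or CA initialisation.
     */
    public CertificateServer initializeRootCertificateServer(SecurityConfig securityConfig,
                                                             CertificateStore certificateStore,
                                                             BigInteger rootCertId, PKIProfile pkiProfile,
                                                             String componentName) throws IOException {
        // The original used String.format("scm@", rootCertId); that format string has no
        // placeholder, so rootCertId never appeared in the subject. Same subject is built here.
        String subject = ROOT_CA_SUBJECT_PREFIX + InetAddress.getLocalHost().getHostName();
        DefaultCAServer rootCa = new DefaultCAServer(subject, cId, scmId, certificateStore,
                rootCertId, pkiProfile, componentName);
        rootCa.init(securityConfig, CAType.ROOT);
        return rootCa;
    }

    /**
     * Writes the PEM sub-CA certificate to the configured certificate file under
     * this client's component directory.
     */
    private void persistSubCACertificate(String pemCert) throws IOException {
        CertificateCodec codec = new CertificateCodec(getSecurityConfig(), getComponentName());
        codec.writeCertificate(codec.getLocation().toAbsolutePath(),
                getSecurityConfig().getCertificateFileName(), pemCert);
    }

    /** Node identity sent with every getSCMCertChain request. */
    private HddsProtos.ScmNodeDetailsProto scmNodeDetails() {
        return HddsProtos.ScmNodeDetailsProto.newBuilder()
                .setClusterId(cId)
                .setHostName(scmHostname)
                .setScmNodeId(scmId)
                .build();
    }

    /**
     * Fails fast when the GETCERT path is entered on a client built without a
     * save-cert-id callback, before any certificate is requested or stored.
     * Keeps the original NullPointerException type, with an explanation.
     */
    private void requireSaveCertIdCallback() {
        Objects.requireNonNull(saveCertIdCallback,
                "saveCertIdCallback is required to store a newly signed SCM certificate; "
                        + "use the constructor that supplies one");
    }
}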
