package com.dremio.jdbc.shaded.com.dremio.exec.rpc.ssl;

import com.dremio.jdbc.shaded.com.dremio.config.DremioConfig;
import com.dremio.jdbc.shaded.com.dremio.security.SecurityFolder;
import com.dremio.jdbc.shaded.com.dremio.services.credentials.CredentialsException;
import com.dremio.jdbc.shaded.com.dremio.services.credentials.CredentialsService;
import com.dremio.jdbc.shaded.com.dremio.ssl.SSLConfig;
import com.dremio.jdbc.shaded.com.google.common.annotations.VisibleForTesting;
import com.dremio.jdbc.shaded.com.google.common.base.Preconditions;
import com.dremio.jdbc.shaded.com.google.common.base.Strings;
import com.dremio.jdbc.shaded.com.google.common.io.BaseEncoding;
import com.dremio.jdbc.shaded.com.google.common.net.InetAddresses;
import com.dremio.jdbc.shaded.org.apache.commons.lang3.RandomStringUtils;
import com.dremio.jdbc.shaded.org.apache.logging.log4j.message.ParameterizedMessage;
import com.dremio.jdbc.shaded.org.bouncycastle.asn1.DERSequence;
import com.dremio.jdbc.shaded.org.bouncycastle.asn1.x500.X500NameBuilder;
import com.dremio.jdbc.shaded.org.bouncycastle.asn1.x500.style.BCStyle;
import com.dremio.jdbc.shaded.org.bouncycastle.asn1.x509.Extension;
import com.dremio.jdbc.shaded.org.bouncycastle.asn1.x509.GeneralName;
import com.dremio.jdbc.shaded.org.bouncycastle.cert.jcajce.JcaX509CertificateConverter;
import com.dremio.jdbc.shaded.org.bouncycastle.cert.jcajce.JcaX509v3CertificateBuilder;
import com.dremio.jdbc.shaded.org.bouncycastle.operator.OperatorCreationException;
import com.dremio.jdbc.shaded.org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import com.dremio.jdbc.shaded.org.joda.time.DateTime;
import com.dremio.jdbc.shaded.org.slf4j.Logger;
import com.dremio.jdbc.shaded.org.slf4j.LoggerFactory;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.math.BigInteger;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.PosixFilePermission;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.X509Certificate;
import java.util.Date;
import java.util.EnumSet;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import javax.inject.Provider;

/* loaded from: input_file:com/dremio/jdbc/shaded/com/dremio/exec/rpc/ssl/SSLConfigurator.class */
public class SSLConfigurator {
    private static final Logger logger;

    @VisibleForTesting
    public static final String UNSECURE_PASSWORD = "averylongandunsecurepasswordfordremiokeystore";
    private static final char[] UNSECURE_PASSWORD_CHAR_ARRAY;
    public static final String KEY_STORE_FILE = "keystore";
    public static final String TRUST_STORE_FILE = "certs";
    public static final Set<PosixFilePermission> TRUST_STORE_FILE_PERMISSIONS;
    private final DremioConfig config;
    private final Provider<CredentialsService> credentialsServiceProvider;
    private final String prefix;
    private final String communicationPath;
    static final /* synthetic */ boolean $assertionsDisabled;

    public SSLConfigurator(DremioConfig dremioConfig, Provider<CredentialsService> provider, String str, String str2) {
        this.config = dremioConfig;
        this.credentialsServiceProvider = provider;
        this.prefix = str;
        this.communicationPath = str2;
    }

    public Optional<SSLConfig> getSSLConfig(boolean z, String str, String... strArr) throws GeneralSecurityException, IOException {
        if (!getBooleanConfig(DremioConfig.SSL_ENABLED)) {
            return Optional.empty();
        }
        SSLConfig.Builder newBuilderForServer = SSLConfig.newBuilderForServer();
        newBuilderForServer.setDisablePeerVerification(z);
        if (!getBooleanConfig(DremioConfig.SSL_AUTO_GENERATED_CERTIFICATE)) {
            configureUsingConfFile(newBuilderForServer);
            return Optional.of(newBuilderForServer.build());
        }
        logger.warn("*** Using generated self-signed SSL settings for server ('{}' component) ***\nUsing auto-generated certificates is not secure. Please consider switching to your own certificates.", this.communicationPath);
        SecurityFolder of = SecurityFolder.of(this.config);
        String string = this.config.getString(DremioConfig.LOCAL_WRITE_PATH_STRING);
        if (!configureUsingPreviouslyGeneratedStores(newBuilderForServer, of, string)) {
            logger.info("No previous keystore detected, creating certificate. This operation might take time...");
            generateCertificatesAndConfigure(newBuilderForServer, of, string, str, strArr);
        }
        newBuilderForServer.setDisablePeerVerification(true);
        return Optional.of(newBuilderForServer.build());
    }

    private Optional<String> getStringConfig(String str) {
        if (!$assertionsDisabled && !this.config.hasPath(this.prefix + str)) {
            throw new AssertionError();
        }
        String string = this.config.getString(this.prefix + str);
        return Strings.isNullOrEmpty(string) ? Optional.empty() : Optional.of(string);
    }

    private boolean getBooleanConfig(String str) {
        if ($assertionsDisabled || this.config.hasPath(this.prefix + str)) {
            return this.config.getBoolean(this.prefix + str);
        }
        throw new AssertionError();
    }

    private boolean configureUsingPreviouslyGeneratedStores(SSLConfig.Builder builder, SecurityFolder securityFolder, String str) throws GeneralSecurityException, IOException {
        if (!securityFolder.exists(KEY_STORE_FILE)) {
            return false;
        }
        logger.debug("Using previously generated keystore/truststore");
        moveTrustStoreIfNecessary(securityFolder, str);
        Path path = Paths.get(str, TRUST_STORE_FILE);
        Preconditions.checkState(Files.exists(path, new LinkOption[0]), "auto-generated trust store is missing");
        builder.setKeyStorePath(securityFolder.resolve(KEY_STORE_FILE).toString()).setKeyStorePassword(UNSECURE_PASSWORD).setTrustStorePath(path.toString()).setTrustStorePassword(UNSECURE_PASSWORD);
        return true;
    }

    private void moveTrustStoreIfNecessary(SecurityFolder securityFolder, String str) {
        Path path = Paths.get(str, TRUST_STORE_FILE);
        if (Files.exists(path, new LinkOption[0])) {
            return;
        }
        Path resolve = securityFolder.resolve(TRUST_STORE_FILE);
        Preconditions.checkState(Files.exists(resolve, new LinkOption[0]));
        logger.info("Moving trust store from '{}' to '{}'", resolve, path);
        try {
            Files.move(resolve, path, new CopyOption[0]);
            try {
                Files.setPosixFilePermissions(path, TRUST_STORE_FILE_PERMISSIONS);
            } catch (IOException e) {
                String format = String.format("Failed to set 644 permissions on trust store at '%s'. Please do so manually.", path);
                logger.error(format, (Throwable) e);
                throw new RuntimeException(format, e);
            }
        } catch (IOException e2) {
            String format2 = String.format("Failed to move trust store from '%s' to '%s'. Please do so manually. Also, set permissions to 644 on trust store.", resolve, path);
            logger.error(format2, (Throwable) e2);
            throw new RuntimeException(format2, e2);
        }
    }

    private void generateCertificatesAndConfigure(SSLConfig.Builder builder, SecurityFolder securityFolder, String str, String str2, String... strArr) throws GeneralSecurityException, IOException {
        String defaultType = KeyStore.getDefaultType();
        KeyStore keyStore = KeyStore.getInstance(defaultType);
        keyStore.load(null, null);
        KeyStore keyStore2 = KeyStore.getInstance(defaultType);
        keyStore2.load(null, null);
        SecureRandom secureRandom = new SecureRandom();
        KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance("RSA");
        keyPairGenerator.initialize(2048, secureRandom);
        KeyPair generateKeyPair = keyPairGenerator.generateKeyPair();
        DateTime now = DateTime.now();
        X500NameBuilder addRDN = new X500NameBuilder(BCStyle.INSTANCE).addRDN(BCStyle.CN, str2).addRDN(BCStyle.OU, "Dremio Corp. (auto-generated)").addRDN(BCStyle.O, "Dremio Corp. (auto-generated)").addRDN(BCStyle.L, "Mountain View").addRDN(BCStyle.ST, "California").addRDN(BCStyle.C, "US");
        Date date = now.minusDays(1).toDate();
        Date date2 = now.plusYears(1).toDate();
        BigInteger bigInteger = new BigInteger(128, secureRandom);
        GeneralName[] generalNameArr = new GeneralName[strArr.length + 1];
        generalNameArr[0] = newGeneralName(str2);
        for (int i = 0; i < strArr.length; i++) {
            generalNameArr[i + 1] = newGeneralName(strArr[i]);
        }
        try {
            X509Certificate certificate = new JcaX509CertificateConverter().getCertificate(new JcaX509v3CertificateBuilder(addRDN.build(), bigInteger, date, date2, addRDN.build(), generateKeyPair.getPublic()).addExtension(Extension.subjectAlternativeName, false, new DERSequence(generalNameArr)).build(new JcaContentSignerBuilder("SHA256WithRSAEncryption").build(generateKeyPair.getPrivate())));
            certificate.checkValidity(now.toDate());
            certificate.verify(certificate.getPublicKey());
            logger.info("Certificate created (SHA-256 fingerprint: {})", BaseEncoding.base16().withSeparator(ParameterizedMessage.ERROR_MSG_SEPARATOR, 2).encode(MessageDigest.getInstance("SHA-256").digest(certificate.getEncoded())));
            keyStore.setKeyEntry("DremioAutoGeneratedPrivateKey", generateKeyPair.getPrivate(), UNSECURE_PASSWORD_CHAR_ARRAY, new Certificate[]{certificate});
            keyStore2.setEntry("DremioAutoGeneratedCert" + RandomStringUtils.randomNumeric(5), new KeyStore.TrustedCertificateEntry(certificate), null);
            OutputStream newSecureOutputStream = securityFolder.newSecureOutputStream(KEY_STORE_FILE, SecurityFolder.OpenOption.CREATE_ONLY);
            try {
                keyStore.store(newSecureOutputStream, UNSECURE_PASSWORD_CHAR_ARRAY);
                if (newSecureOutputStream != null) {
                    newSecureOutputStream.close();
                }
                Path path = Paths.get(str, TRUST_STORE_FILE);
                OutputStream newOutputStream = Files.newOutputStream(path, StandardOpenOption.CREATE_NEW);
                try {
                    keyStore2.store(newOutputStream, UNSECURE_PASSWORD_CHAR_ARRAY);
                    if (newOutputStream != null) {
                        newOutputStream.close();
                    }
                    Files.setPosixFilePermissions(path, TRUST_STORE_FILE_PERMISSIONS);
                    builder.setKeyStoreType(defaultType).setKeyStorePath(securityFolder.resolve(KEY_STORE_FILE).toString()).setKeyStorePassword(UNSECURE_PASSWORD).setTrustStoreType(defaultType).setTrustStorePath(path.toString()).setTrustStorePassword(UNSECURE_PASSWORD);
                } catch (Throwable th) {
                    if (newOutputStream != null) {
                        try {
                            newOutputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } catch (Throwable th3) {
                if (newSecureOutputStream != null) {
                    try {
                        newSecureOutputStream.close();
                    } catch (Throwable th4) {
                        th3.addSuppressed(th4);
                    }
                }
                throw th3;
            }
        } catch (OperatorCreationException e) {
            throw new GeneralSecurityException((Throwable) e);
        }
    }

    private static GeneralName newGeneralName(String str) {
        return new GeneralName(InetAddresses.isInetAddress(str) ? 7 : 2, str);
    }

    private String lookupPassword(String str, Provider<CredentialsService> provider) {
        try {
            return ((CredentialsService) provider.get()).lookup(str);
        } catch (CredentialsException e) {
            throw new RuntimeException((Throwable) e);
        } catch (IllegalArgumentException e2) {
            logger.warn("The string used to locate secret is not a valid URI.");
            return str;
        }
    }

    private void configureUsingConfFile(SSLConfig.Builder builder) {
        Optional<String> stringConfig = getStringConfig(DremioConfig.SSL_KEY_STORE_PATH);
        if (!stringConfig.isPresent()) {
            throw new IllegalArgumentException(String.format("No keystore configured, and certificate auto-generation is disabled. But SSL is enabled for '%s' path", this.communicationPath));
        }
        logger.info("Using configured keystore for '{}' component at '{}'", this.communicationPath, stringConfig);
        Objects.requireNonNull(builder);
        stringConfig.ifPresent(builder::setKeyStorePath);
        getStringConfig(DremioConfig.SSL_KEY_STORE_PASSWORD).ifPresent(str -> {
            builder.setKeyStorePassword(lookupPassword(str, this.credentialsServiceProvider));
        });
        getStringConfig(DremioConfig.SSL_KEY_PASSWORD).ifPresent(str2 -> {
            builder.setKeyPassword(lookupPassword(str2, this.credentialsServiceProvider));
        });
        Optional<String> stringConfig2 = getStringConfig(DremioConfig.SSL_KEY_STORE_TYPE);
        Objects.requireNonNull(builder);
        stringConfig2.ifPresent(builder::setKeyStoreType);
        Optional<String> stringConfig3 = getStringConfig("trustStoreType");
        Objects.requireNonNull(builder);
        stringConfig3.ifPresent(builder::setTrustStoreType);
        Optional<String> stringConfig4 = getStringConfig("trustStore");
        Objects.requireNonNull(builder);
        stringConfig4.ifPresent(builder::setTrustStorePath);
        getStringConfig("trustStorePassword").ifPresent(str3 -> {
            builder.setTrustStorePassword(lookupPassword(str3, this.credentialsServiceProvider));
        });
    }

    public Optional<KeyStore> getTrustStore() throws GeneralSecurityException, IOException {
        String path;
        char[] cArr;
        Optional<String> stringConfig = getStringConfig("trustStore");
        if (stringConfig.isPresent()) {
            logger.info("Loading configured trust store at {}", stringConfig.get());
            path = stringConfig.get();
            cArr = (char[]) getStringConfig("trustStorePassword").map(str -> {
                return lookupPassword(str, this.credentialsServiceProvider).toCharArray();
            }).orElse(new char[0]);
        } else {
            Path path2 = Paths.get(this.config.getString(DremioConfig.LOCAL_WRITE_PATH_STRING), TRUST_STORE_FILE);
            if (Files.notExists(path2, new LinkOption[0])) {
                return Optional.empty();
            }
            path = path2.toString();
            cArr = UNSECURE_PASSWORD_CHAR_ARRAY;
        }
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        InputStream newInputStream = Files.newInputStream(Paths.get(path, new String[0]), new OpenOption[0]);
        try {
            keyStore.load(newInputStream, cArr);
            if (newInputStream != null) {
                newInputStream.close();
            }
            return Optional.of(keyStore);
        } catch (Throwable th) {
            if (newInputStream != null) {
                try {
                    newInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    static {
        $assertionsDisabled = !SSLConfigurator.class.desiredAssertionStatus();
        logger = LoggerFactory.getLogger((Class<?>) SSLConfigurator.class);
        UNSECURE_PASSWORD_CHAR_ARRAY = UNSECURE_PASSWORD.toCharArray();
        TRUST_STORE_FILE_PERMISSIONS = EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.GROUP_READ, PosixFilePermission.OTHERS_READ);
    }
}
