package com.appiancorp.object.remote.auth;

import com.appiancorp.core.configuration.FeatureToggles;
import com.appiancorp.crypto.kas.api.SitesPublicKeysApi;
import com.appiancorp.crypto.kas.invoker.ApiException;
import com.appiancorp.crypto.kas.model.SitePublicKeyModel;
import com.appiancorp.object.remote.RemoteDesignObjectConfiguration;
import com.appiancorp.security.ssl.CertificateData;
import com.appiancorp.security.ssl.CertificateService;
import com.appiancorp.suite.SuiteConfiguration;
import com.appiancorp.suite.cfg.ConfigurationFactory;
import com.nimbusds.jose.JOSEException;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.Key;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.PKCS8EncodedKeySpec;
import java.security.spec.X509EncodedKeySpec;
import java.sql.Date;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Base64;
import java.util.LinkedHashSet;
import java.util.Optional;
import javax.annotation.Nullable;
import org.apache.commons.lang.math.NumberUtils;
import org.apache.log4j.Logger;
import org.springframework.http.HttpStatus;
import org.springframework.transaction.annotation.Propagation;
import org.springframework.transaction.annotation.Transactional;

/* loaded from: input_file:com/appiancorp/object/remote/auth/SecretProvider.class */
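/**
 * Provides the signing key pair that this site uses for remote design objects
 * (the toggle and configuration names suggest JWT signing; stored key material is
 * decoded as RSA, see {@link #toKeypair}).
 *
 * <p>Responsibilities, in the order {@link #initializeKeys()} performs them:
 * <ol>
 *   <li>reconcile the site id recorded on the stored certificates with {@link #getSiteId()};</li>
 *   <li>load the stored key pair, or generate and persist a new one when the stored pair is
 *       incomplete or its private key is older than the configured rotation period;</li>
 *   <li>register or update the public half with KAS.</li>
 * </ol>
 *
 * <p>Key material is persisted through {@link CertificateService} under the
 * {@link #PRIVATE_ALIAS} and {@link #PUBLIC_ALIAS} aliases; the certificate common name
 * carries the owning site id.
 *
 * <p>Thread-safety is not documented by the original: {@code keyPair} is written by
 * {@link #initializeKeys()} and read by {@link #getKeyPair()} without synchronization.
 */
public class SecretProvider {
    private static final Logger LOG = Logger.getLogger(SecretProvider.class);

    /** Alias under which the public key is stored via {@link CertificateService}. */
    public static final String PUBLIC_ALIAS = "LCP_KAS_PUBLIC_KEY";
    /** Alias under which the private key is stored via {@link CertificateService}. */
    public static final String PRIVATE_ALIAS = "LCP_KAS_PRIVATE_KEY";

    /** Algorithm used to decode key material read back from the database. */
    private static final String KEY_ALGORITHM = "RSA";

    private final FeatureToggles featureToggles;
    private final CertificateService certificateService;
    private final SitesPublicKeysApi sitesPublicKeysApi;
    private final SecretGenerator secretGenerator;
    private final int siteId;
    // Assigned by initializeKeys(); stays null when initialization is skipped or fails.
    private KeyPair keyPair;

    /**
     * Creates a provider; no I/O happens until {@link #initializeKeys()} is called.
     *
     * @param featureToggles     toggles consulted by {@link #shouldLoadKeyPair()}
     * @param siteId             this site's id; a negative value disables key loading and KAS registration
     * @param sitesPublicKeysApi KAS client used to look up, register and update the public key
     * @param certificateService persistence for the stored key pair
     * @param secretGenerator    source of freshly generated key pairs
     */
    public SecretProvider(FeatureToggles featureToggles, int siteId, SitesPublicKeysApi sitesPublicKeysApi, CertificateService certificateService, SecretGenerator secretGenerator) {
        this.featureToggles = featureToggles;
        this.siteId = siteId;
        this.sitesPublicKeysApi = sitesPublicKeysApi;
        this.secretGenerator = secretGenerator;
        this.certificateService = certificateService;
    }

    /**
     * Loads or generates the key pair and reconciles it with KAS, when {@link #shouldLoadKeyPair()} allows.
     *
     * <p>Failures are logged and do not propagate; a later {@link #getKeyPair()} call then throws
     * {@link IllegalStateException} because {@code keyPair} was never assigned.
     */
    public void initializeKeys() {
        try {
            if (shouldLoadKeyPair()) {
                loadKeypair();
            }
        } catch (Exception e) {
            // Best-effort at startup, as in the original (which only called printStackTrace()).
            // Route the failure through the class logger so it is visible in the application log.
            LOG.error("Failed to initialize the LCP signing key pair.", e);
        }
    }

    /** @return the site id this provider was constructed with */
    public int getSiteId() {
        return this.siteId;
    }

    /**
     * Returns the initialized key pair.
     *
     * @return the key pair loaded or generated by {@link #initializeKeys()}
     * @throws IllegalStateException if initialization has not run, was skipped by the toggles, or failed
     */
    public KeyPair getKeyPair() {
        if (this.keyPair == null) {
            throw new IllegalStateException("Cannot call getKeyPair() on this instance of SecretProvider because it was not properly initialized.  The most likely reason for this is that appropriate toggles are not on.");
        }
        return this.keyPair;
    }

    /**
     * Decides whether a real key pair must be loaded from the database and registered with KAS.
     *
     * @return {@code false} when the dev JWT signing-key toggle is on or the site id is negative
     *         (the latter is logged as an error); {@code true} otherwise
     */
    private boolean shouldLoadKeyPair() {
        if (this.featureToggles.isRemoteFrameworksDevJwtSigningKeyEnabled()) {
            return false;
        }
        if (this.siteId < 0) {
            LOG.error("Invalid site id: " + this.siteId + ". Cannot register with KAS.");
            return false;
        }
        return true;
    }

    /**
     * Compares the local public key with the one KAS reports for this site.
     *
     * @return {@code true} if the Base64 encoding of {@code keyPair}'s public key equals
     *         {@code sitePublicKeyModel.getPublicKey()}
     */
    private boolean isSameKey(KeyPair keyPair, SitePublicKeyModel sitePublicKeyModel) {
        String localPublicKey = Base64.getEncoder().encodeToString(keyPair.getPublic().getEncoded());
        return localPublicKey.equals(sitePublicKeyModel.getPublicKey());
    }

    /**
     * Loads, or generates and persists, the key pair and then reconciles the public key with KAS.
     *
     * <p>A new pair is generated when either half is missing from the database, when the stored
     * private key has no date of issue, or when that date is older than the configured rotation
     * period; otherwise the stored bytes are decoded and reused.
     *
     * @throws IOException              propagated from collaborators
     * @throws NoSuchAlgorithmException propagated from {@link #updateCertificateSiteIdIfNecessary()}
     * @throws URISyntaxException       if the configured base URI cannot be parsed for the issuer hostname
     * @throws ApiException             if a KAS registration or update call fails
     */
    private void loadKeypair() throws IOException, NoSuchAlgorithmException, URISyntaxException, ApiException {
        long signingKeyRotationSec = ((RemoteDesignObjectConfiguration) ConfigurationFactory.getConfiguration(RemoteDesignObjectConfiguration.class)).getSigningKeyRotationSec();
        updateCertificateSiteIdIfNecessary();
        CertificateData privateKeyInDatabase = getPrivateKeyInDatabase();
        CertificateData publicKeyInDatabase = getPublicKeyInDatabase();
        byte[] storedPrivateKey = privateKeyInDatabase == null ? null : privateKeyInDatabase.getSerializedKey();
        Date dateOfIssue = privateKeyInDatabase == null ? null : privateKeyInDatabase.getDateOfIssue();
        byte[] storedPublicKey = publicKeyInDatabase == null ? null : publicKeyInDatabase.getSerializedKey();
        boolean pairIncomplete = storedPrivateKey == null || storedPublicKey == null;
        if (pairIncomplete || dateOfIssue == null || isOlderThanRotationPeriod(dateOfIssue, signingKeyRotationSec)) {
            LOG.info("Generating a new keypair.");
            this.keyPair = this.secretGenerator.generateNewKeyPair();
            if (pairIncomplete) {
                createNewKeyPairInDatabase(this.keyPair);
            } else {
                // Both rows exist (only the rotation period or the missing date triggered this),
                // so the existing rows are updated in place.
                updateKeyPairInDatabase(this.keyPair);
            }
        } else {
            LOG.info("Using an old keypair");
            this.keyPair = toKeypair(storedPrivateKey, storedPublicKey);
        }
        synchronizePublicKeyWithKas(storedPrivateKey);
    }

    /**
     * @param dateOfIssue when the stored private key was issued
     * @param rotationSec configured rotation period in seconds
     * @return {@code true} if the key was issued more than {@code rotationSec} seconds ago
     */
    private static boolean isOlderThanRotationPeriod(java.util.Date dateOfIssue, long rotationSec) {
        java.util.Date rotationThreshold = java.util.Date.from(Instant.now().minus(rotationSec, ChronoUnit.SECONDS));
        return dateOfIssue.before(rotationThreshold);
    }

    /**
     * Makes KAS's record of this site's public key match {@code this.keyPair}.
     *
     * <p>Flow: look the site up in KAS; if the registered key equals ours, nothing to do; if it
     * differs, PATCH the new public key (the previously stored private key bytes are passed along,
     * presumably so the client can authenticate the update); if KAS answers 404, PUT a fresh
     * registration. Any other failure of the lookup is logged and left for the next run.
     *
     * @param previousPrivateKey the private key bytes that were in the database before this run,
     *                           or {@code null} when there were none
     * @throws ApiException if the PUT issued after a 404 fails
     */
    private void synchronizePublicKeyWithKas(@Nullable byte[] previousPrivateKey) throws ApiException {
        try {
            SitePublicKeyModel registered = this.sitesPublicKeysApi.getPublicKeyApiV1SitesPublicKeysSiteIdGet(Integer.valueOf(this.siteId));
            if (isSameKey(this.keyPair, registered)) {
                LOG.info("Keypair already registered with KAS.");
            } else {
                LOG.info("Database keypair is different from keypair registered with KAS - updating public key in KAS");
                // NOTE(review): previousPrivateKey is null when the database held no pair but KAS
                // already has a key for this site; how the client handles that is not visible here.
                this.sitesPublicKeysApi.updatePublicKeyApiV1SitesPublicKeysSiteIdPatch(previousPrivateKey, this.keyPair.getPublic().getEncoded(), this.siteId);
            }
        } catch (JOSEException | InvalidKeySpecException e) {
            LOG.error("Failed to update LCP key with KAS.", e);
        } catch (ApiException e2) {
            if (e2.getCode() != HttpStatus.NOT_FOUND.value()) {
                LOG.error("Failed to check if LCP key was registered with KAS.", e2);
            } else {
                this.sitesPublicKeysApi.registerPublicKeyApiV1SitesPublicKeysPut(this.keyPair.getPublic().getEncoded(), this.siteId);
                LOG.info("Keypair succesfully registered.");
            }
        }
    }

    /**
     * Ensures the stored certificates belong to this site.
     *
     * <p>Nothing is done when either row is missing (a new site). Rows without a numeric site id
     * are stamped with the current one; rows stamped with a different site id are deleted so that
     * {@link #loadKeypair()} generates a fresh pair instead of reusing another site's keys.
     */
    private void updateCertificateSiteIdIfNecessary() throws URISyntaxException, NoSuchAlgorithmException {
        CertificateData privateCert = this.certificateService.getByAlias(PRIVATE_ALIAS);
        CertificateData publicCert = this.certificateService.getByAlias(PUBLIC_ALIAS);
        if (isANewSite(privateCert, publicCert)) {
            return;
        }
        Optional<Integer> siteIdInDatabase = getSiteIdInDatabase(publicCert);
        if (!siteIdInDatabase.isPresent()) {
            updateSiteIdInDatabase(privateCert, publicCert);
        } else if (!certificateSiteIdMatchesCurrentSiteId(siteIdInDatabase)) {
            deleteKeyPairCertificates(privateCert, publicCert);
        }
    }

    /** Deletes both stored certificate rows so a fresh pair is generated for this site. */
    @SuppressWarnings({"rawtypes", "unchecked"})
    private void deleteKeyPairCertificates(CertificateData privateCert, CertificateData publicCert) {
        // Raw set kept from the original: the id type returned by m4102getId() and the element
        // type expected by CertificateService.delete() are not visible in this file.
        LinkedHashSet ids = new LinkedHashSet();
        ids.add(privateCert.m4102getId());
        ids.add(publicCert.m4102getId());
        this.certificateService.delete(ids);
    }

    /**
     * Decodes stored key material into a {@link KeyPair}.
     *
     * @param encodedPrivateKey PKCS#8 bytes of the private key
     * @param encodedPublicKey  X.509 SubjectPublicKeyInfo bytes of the public key
     * @throws IllegalStateException if the bytes cannot be decoded as {@value #KEY_ALGORITHM} keys
     *                               (the original threw a bare {@link RuntimeException})
     */
    private KeyPair toKeypair(byte[] encodedPrivateKey, byte[] encodedPublicKey) {
        try {
            KeyFactory keyFactory = KeyFactory.getInstance(KEY_ALGORITHM);
            return new KeyPair(
                    keyFactory.generatePublic(new X509EncodedKeySpec(encodedPublicKey)),
                    keyFactory.generatePrivate(new PKCS8EncodedKeySpec(encodedPrivateKey)));
        } catch (NoSuchAlgorithmException | InvalidKeySpecException e) {
            throw new IllegalStateException("Stored LCP key material could not be decoded as an " + KEY_ALGORITHM + " key pair.", e);
        }
    }

    /** @return the stored private-key row, or {@code null} if none exists */
    @Nullable
    private CertificateData getPrivateKeyInDatabase() {
        return this.certificateService.getByAlias(PRIVATE_ALIAS);
    }

    /** @return the stored public-key row, or {@code null} if none exists */
    @Nullable
    private CertificateData getPublicKeyInDatabase() {
        return this.certificateService.getByAlias(PUBLIC_ALIAS);
    }

    /**
     * Reads the site id recorded in a certificate's common name.
     *
     * @param certificateData the row to inspect; may be {@code null}
     * @return the parsed site id, or empty if the row is {@code null}, its common name is not all
     *         digits, or the digit string does not fit in an {@code int}
     */
    public Optional<Integer> getSiteIdInDatabase(CertificateData certificateData) {
        if (certificateData == null) {
            return Optional.empty();
        }
        String commonName = certificateData.getCommonName();
        if (!NumberUtils.isDigits(commonName)) {
            return Optional.empty();
        }
        try {
            return Optional.of(Integer.parseInt(commonName));
        } catch (NumberFormatException e) {
            // isDigits() does not bound the length; treat an over-wide digit string as
            // "no site id recorded" instead of aborting initialization.
            return Optional.empty();
        }
    }

    /** @return {@code true} if either stored row is absent, i.e. this site has no key pair yet */
    private static boolean isANewSite(CertificateData privateCert, CertificateData publicCert) {
        return privateCert == null || publicCert == null;
    }

    /** @return {@code true} if {@code optional} holds exactly this provider's site id */
    private boolean certificateSiteIdMatchesCurrentSiteId(Optional<Integer> optional) {
        return optional.isPresent() && optional.get() == this.siteId;
    }

    /**
     * Persists a freshly generated pair as two new {@link CertificateData} rows.
     *
     * <p>NOTE(review): Spring's proxy-based {@code @Transactional} does not apply to private
     * methods or to calls made from within the same bean (this also affects
     * {@link #updateKeyPairInDatabase} and {@link #updateSiteIdInDatabase}). Unless AspectJ
     * weaving is in use, the two saves are not atomic and a failure between them leaves a
     * half-written pair; confirm against the transaction configuration.
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void createNewKeyPairInDatabase(KeyPair keyPair) throws URISyntaxException {
        CertificateData privateCert = buildCertificateData(keyPair.getPrivate(), PRIVATE_ALIAS, CertificateData.CertificateType.REMOTE_FRAMEWORKS_PRIVATE);
        CertificateData publicCert = buildCertificateData(keyPair.getPublic(), PUBLIC_ALIAS, CertificateData.CertificateType.REMOTE_FRAMEWORKS_PUBLIC);
        saveWithCurrentSiteId(privateCert, publicCert);
    }

    /**
     * Overwrites the existing rows with a rotated pair. Callers guarantee both rows exist
     * (see {@link #loadKeypair()}), so the {@code getByAlias} results are not null-checked.
     */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void updateKeyPairInDatabase(KeyPair keyPair) throws URISyntaxException {
        CertificateData privateCert = updateCertificateData(keyPair.getPrivate(), this.certificateService.getByAlias(PRIVATE_ALIAS));
        CertificateData publicCert = updateCertificateData(keyPair.getPublic(), this.certificateService.getByAlias(PUBLIC_ALIAS));
        saveWithCurrentSiteId(privateCert, publicCert);
    }

    /** Stamps rows that lack a site id with the current one and saves them; key material is untouched. */
    @Transactional(propagation = Propagation.REQUIRES_NEW)
    private void updateSiteIdInDatabase(CertificateData privateCert, CertificateData publicCert) throws URISyntaxException {
        saveWithCurrentSiteId(privateCert, publicCert);
    }

    /** Sets the current site id as common name on both rows and saves them, private row first. */
    private void saveWithCurrentSiteId(CertificateData privateCert, CertificateData publicCert) {
        String currentSiteId = String.valueOf(getSiteId());
        publicCert.setCommonName(currentSiteId);
        privateCert.setCommonName(currentSiteId);
        this.certificateService.saveCertificateData(privateCert);
        this.certificateService.saveCertificateData(publicCert);
    }

    /**
     * Creates a new row for {@code key} under {@code alias} and fills in the key metadata.
     *
     * @throws URISyntaxException if the configured base URI cannot be parsed for the issuer hostname
     */
    private CertificateData buildCertificateData(Key key, String alias, CertificateData.CertificateType certificateType) throws URISyntaxException {
        CertificateData certificateData = new CertificateData();
        certificateData.setAlias(alias);
        certificateData.setCertType(certificateType);
        return applyKeyMetadata(certificateData, key);
    }

    /**
     * Refreshes an existing row with {@code key}; alias and certificate type are left as stored.
     *
     * @throws URISyntaxException if the configured base URI cannot be parsed for the issuer hostname
     */
    private CertificateData updateCertificateData(Key key, CertificateData certificateData) throws URISyntaxException {
        return applyKeyMetadata(certificateData, key);
    }

    /**
     * Writes the key bytes and bookkeeping fields shared by new and updated rows.
     *
     * @return {@code certificateData}, for chaining
     * @throws URISyntaxException if the configured base URI cannot be parsed for the issuer hostname
     */
    private CertificateData applyKeyMetadata(CertificateData certificateData, Key key) throws URISyntaxException {
        long now = System.currentTimeMillis();
        Date issued = new Date(now);
        // NOTE(review): expiration is set equal to the issue time, as in the original; rotation is
        // driven by getSigningKeyRotationSec() against the date of issue, not by this field.
        Date expires = new Date(now);
        String hostname = getHostname();
        certificateData.setKeyType(key.getAlgorithm());
        certificateData.setSerializedKey(key.getEncoded());
        certificateData.setDateOfIssue(issued);
        certificateData.setDateOfExpiration(expires);
        certificateData.setCommonName(String.valueOf(getSiteId()));
        certificateData.setIssuer(hostname);
        certificateData.setSerialNumber(String.valueOf(issued.getTime()));
        // NOTE(review): this is Key.hashCode(), not a digest of the encoded key, so it is not a
        // cryptographic fingerprint. Key identity elsewhere in this class is decided by comparing
        // the encoded bytes (see isSameKey); kept as-is because the stored value may be read elsewhere.
        certificateData.setThumbprint(String.valueOf(key.hashCode()));
        return certificateData;
    }

    /**
     * @return the host component of the configured suite base URI, used as certificate issuer
     * @throws URISyntaxException if the configured base URI is not a valid URI
     */
    private String getHostname() throws URISyntaxException {
        return new URI(((SuiteConfiguration) ConfigurationFactory.getConfiguration(SuiteConfiguration.class)).getBaseUri()).getHost();
    }
}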
