package org.apache.hadoop.hdds.scm.server;

import com.google.common.base.Preconditions;
import java.io.IOException;
import java.lang.reflect.Proxy;
import java.math.BigInteger;
import java.security.cert.CRLException;
import java.security.cert.X509CRL;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Date;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicLong;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantLock;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMRatisProtocol;
import org.apache.hadoop.hdds.scm.ha.SCMHAInvocationHandler;
import org.apache.hadoop.hdds.scm.ha.SCMRatisServer;
import org.apache.hadoop.hdds.scm.metadata.SCMMetadataStore;
import org.apache.hadoop.hdds.security.exception.SCMSecurityException;
import org.apache.hadoop.hdds.security.x509.certificate.CertInfo;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CRLApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.crl.CRLInfo;
import org.apache.hadoop.hdds.utils.MetadataKeyFilters;
import org.apache.hadoop.hdds.utils.db.BatchOperation;
import org.apache.hadoop.hdds.utils.db.Table;
import org.bouncycastle.asn1.x509.CRLReason;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.cert.X509v2CRLBuilder;
import org.bouncycastle.operator.OperatorCreationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/scm/server/SCMCertStore.class */
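/**
 * Certificate store backed by the SCM metadata store.
 *
 * <p>Valid certificates, revoked certificates and the CRLs that revoked them are
 * persisted in the tables exposed by {@link SCMMetadataStore}. Instances are only
 * created through {@link Builder#build()}, which wraps the store in a Ratis-aware
 * proxy so that mutating calls are replicated across the SCM HA group.
 *
 * <p>Thread-safety: the mutating operations ({@code storeValidCertificate},
 * {@code storeValidScmCertificate}, {@code checkValidCertID},
 * {@code revokeCertificates}) are serialized on an internal lock. The read-only
 * lookups ({@code getCertificateByID}, {@code listCertificate}, {@code getCrls})
 * do not take that lock and read the metadata store directly.
 */
public final class SCMCertStore implements CertificateStore {
    private static final Logger LOG = LoggerFactory.getLogger(SCMCertStore.class);

    /** Key of the single row that records the latest CRL sequence id. */
    private static final String CRL_SEQUENCE_ID_KEY = "CRL_SEQUENCE_ID";
    private static final String LIST_CERT_FAILURE_MSG =
        "Fail to list certificate from SCM metadata store";

    // Not final: reinitialize() swaps the backing store (e.g. after an HA snapshot install).
    private SCMMetadataStore scmMetadataStore;
    private final Lock lock;
    // Next CRL id is handed out from here and persisted alongside each CRL.
    private final AtomicLong crlSequenceId;

    /**
     * Builder for {@link SCMCertStore}; the built object is a {@link CertificateStore}
     * proxy that routes calls through {@link SCMHAInvocationHandler}.
     */
    /* loaded from: input_file:org/apache/hadoop/hdds/scm/server/SCMCertStore$Builder.class */
    public static class Builder {
        private SCMMetadataStore metadataStore;
        private long crlSequenceId;
        private SCMRatisServer scmRatisServer;

        /** Sets the metadata store the certificate tables live in (method name kept for API compatibility). */
        public Builder setMetadaStore(SCMMetadataStore sCMMetadataStore) {
            this.metadataStore = sCMMetadataStore;
            return this;
        }

        /** Sets the CRL sequence id to resume from; the next CRL gets {@code j + 1}. */
        public Builder setCRLSequenceId(long j) {
            this.crlSequenceId = j;
            return this;
        }

        /** Sets the Ratis server used to replicate mutating calls. */
        public Builder setRatisServer(SCMRatisServer sCMRatisServer) {
            this.scmRatisServer = sCMRatisServer;
            return this;
        }

        /**
         * Builds the store and wraps it in an HA invocation proxy.
         *
         * @return a {@link CertificateStore} proxy over a new {@link SCMCertStore}
         */
        public CertificateStore build() {
            SCMCertStore store = new SCMCertStore(this.metadataStore, this.crlSequenceId);
            SCMHAInvocationHandler handler = new SCMHAInvocationHandler(
                SCMRatisProtocol.RequestType.CERT_STORE, store, this.scmRatisServer);
            return (CertificateStore) Proxy.newProxyInstance(
                SCMHAInvocationHandler.class.getClassLoader(),
                new Class[]{CertificateStore.class},
                handler);
        }
    }

    /**
     * Creates a store over the given metadata store.
     *
     * @param sCMMetadataStore backing metadata store
     * @param j                last CRL sequence id already persisted
     */
    private SCMCertStore(SCMMetadataStore sCMMetadataStore, long j) {
        this.scmMetadataStore = sCMMetadataStore;
        this.lock = new ReentrantLock();
        this.crlSequenceId = new AtomicLong(j);
    }

    /**
     * Stores a certificate as valid. SCM certificates are additionally recorded in
     * the SCM-specific table; every other role goes to the shared valid-certs table.
     *
     * @param bigInteger       certificate serial id (table key)
     * @param x509Certificate  the certificate
     * @param nodeType         role of the certificate owner
     * @throws IOException if the metadata store write fails
     */
    @Override
    public void storeValidCertificate(BigInteger bigInteger, X509Certificate x509Certificate,
                                      HddsProtos.NodeType nodeType) throws IOException {
        lock.lock();
        try {
            if (nodeType == HddsProtos.NodeType.SCM) {
                storeValidScmCertificate(bigInteger, x509Certificate);
            } else {
                scmMetadataStore.getValidCertsTable().put(bigInteger, x509Certificate);
            }
        } finally {
            lock.unlock();
        }
    }

    /**
     * Stores an SCM certificate atomically in both the SCM certs table and the
     * shared valid-certs table.
     *
     * @param bigInteger       certificate serial id (table key)
     * @param x509Certificate  the certificate
     * @throws IOException if the batch cannot be written or committed
     */
    @Override
    public void storeValidScmCertificate(BigInteger bigInteger, X509Certificate x509Certificate)
        throws IOException {
        lock.lock();
        // try-with-resources so the batch is released even when commit fails.
        try (BatchOperation batch = scmMetadataStore.getBatchHandler().initBatchOperation()) {
            scmMetadataStore.getValidSCMCertsTable().putWithBatch(batch, bigInteger, x509Certificate);
            scmMetadataStore.getValidCertsTable().putWithBatch(batch, bigInteger, x509Certificate);
            scmMetadataStore.getStore().commitBatchOperation(batch);
        } finally {
            lock.unlock();
        }
    }

    /**
     * Rejects a serial id that is already present in either the valid or the
     * revoked table, so that a serial id is never reused for a different certificate.
     *
     * @param bigInteger candidate serial id
     * @throws SCMSecurityException if the id is already known
     * @throws IOException          if the lookup fails
     */
    @Override
    public void checkValidCertID(BigInteger bigInteger) throws IOException {
        lock.lock();
        try {
            boolean alreadyKnown =
                getCertificateByID(bigInteger, CertificateStore.CertType.VALID_CERTS) != null
                    || getCertificateByID(bigInteger, CertificateStore.CertType.REVOKED_CERTS) != null;
            if (alreadyKnown) {
                throw new SCMSecurityException("Conflicting certificate ID " + bigInteger);
            }
        } finally {
            lock.unlock();
        }
    }

    /**
     * Revokes the given certificates by issuing a new CRL.
     *
     * <p>Serial ids that are not currently valid, or that are already revoked, are
     * skipped with a warning. If at least one certificate remains, a CRL containing
     * those entries is signed by {@code cRLApprover} and persisted under a fresh
     * sequence id. The certificates themselves are only moved from the valid table
     * to the revoked table when {@code date} (the revocation time) is not in the
     * future; a future-dated revocation records the CRL but leaves the certificates
     * in the valid table.
     *
     * @param list                    serial ids to revoke
     * @param x509CertificateHolder   issuing CA certificate; its issuer name is put on the CRL
     * @param cRLReason               revocation reason recorded in each CRL entry
     * @param date                    revocation time recorded in each CRL entry
     * @param cRLApprover             signer for the CRL
     * @return the sequence id of the new CRL, or empty if nothing was revoked
     * @throws SCMSecurityException if the CRL cannot be built or signed
     * @throws IOException          if the metadata store write fails
     */
    @Override
    public Optional<Long> revokeCertificates(List<BigInteger> list, X509CertificateHolder x509CertificateHolder,
                                             CRLReason cRLReason, Date date, CRLApprover cRLApprover)
        throws IOException {
        Date now = new Date();
        X509v2CRLBuilder crlBuilder = new X509v2CRLBuilder(x509CertificateHolder.getIssuer(), now);
        List<X509Certificate> toRevoke = new ArrayList<>();
        lock.lock();
        try {
            for (BigInteger serialId : list) {
                X509Certificate cert = getCertificateByID(serialId, CertificateStore.CertType.VALID_CERTS);
                // Skip unknown ids regardless of log level; a null must never reach the batch below.
                if (cert == null) {
                    LOG.warn("Trying to revoke a certificate that is not valid. Serial ID: {}", serialId);
                    continue;
                }
                if (getCertificateByID(serialId, CertificateStore.CertType.REVOKED_CERTS) != null) {
                    LOG.warn("Trying to revoke a certificate that is already revoked. Serial ID: {}", serialId);
                    continue;
                }
                crlBuilder.addCRLEntry(serialId, date, cRLReason.getValue().intValue());
                toRevoke.add(cert);
            }
            if (toRevoke.isEmpty()) {
                return Optional.empty();
            }

            X509CRL crl;
            try {
                crl = cRLApprover.sign(crlBuilder);
            } catch (OperatorCreationException | CRLException e) {
                throw new SCMSecurityException("Unable to create Certificate Revocation List.", e);
            }

            try (BatchOperation batch = scmMetadataStore.getStore().initBatchOperation()) {
                // Only an effective (non-future) revocation time moves the certificates.
                if (!now.before(date)) {
                    for (X509Certificate cert : toRevoke) {
                        CertInfo info = new CertInfo.Builder()
                            .setX509Certificate(cert)
                            .setTimestamp(now.getTime())
                            .build();
                        scmMetadataStore.getRevokedCertsV2Table()
                            .putWithBatch(batch, cert.getSerialNumber(), info);
                        scmMetadataStore.getValidCertsTable()
                            .deleteWithBatch(batch, cert.getSerialNumber());
                    }
                }
                // NOTE(review): the in-memory counter advances before the commit; if the
                // commit throws, it is one ahead of the persisted CRL_SEQUENCE_ID row.
                long crlId = crlSequenceId.incrementAndGet();
                CRLInfo crlInfo = new CRLInfo.Builder()
                    .setX509CRL(crl)
                    .setCreationTimestamp(now.getTime())
                    .setCrlSequenceID(crlId)
                    .build();
                scmMetadataStore.getCRLInfoTable().putWithBatch(batch, Long.valueOf(crlId), crlInfo);
                scmMetadataStore.getCRLSequenceIdTable()
                    .putWithBatch(batch, CRL_SEQUENCE_ID_KEY, Long.valueOf(crlId));
                scmMetadataStore.getStore().commitBatchOperation(batch);
                return Optional.of(crlId);
            }
        } finally {
            lock.unlock();
        }
    }

    /**
     * No-op in this implementation: expired certificates are not purged here.
     *
     * @param bigInteger serial id of the expired certificate (ignored)
     * @throws IOException never thrown by this implementation
     */
    @Override
    public void removeExpiredCertificate(BigInteger bigInteger) throws IOException {
        // Intentionally empty; presumably reserved for a later expiry-cleanup feature.
    }

    /**
     * Looks up a certificate by serial id in the valid or the revoked table.
     *
     * @param bigInteger serial id
     * @param certType   which table to consult
     * @return the certificate, or {@code null} if the id is not in that table
     * @throws IOException if the lookup fails
     */
    @Override
    public X509Certificate getCertificateByID(BigInteger bigInteger, CertificateStore.CertType certType)
        throws IOException {
        if (certType == CertificateStore.CertType.VALID_CERTS) {
            return scmMetadataStore.getValidCertsTable().get(bigInteger);
        }
        CertInfo revoked = getRevokedCertificateInfoByID(bigInteger);
        return revoked == null ? null : revoked.getX509Certificate();
    }

    /**
     * Returns the revocation record for a serial id.
     *
     * @param bigInteger serial id
     * @return the {@link CertInfo} from the revoked table, or {@code null} if absent
     * @throws IOException if the lookup fails
     */
    @Override
    public CertInfo getRevokedCertificateInfoByID(BigInteger bigInteger) throws IOException {
        return scmMetadataStore.getRevokedCertsV2Table().get(bigInteger);
    }

    /**
     * Lists up to {@code i} certificates of the given type, starting at serial id
     * {@code bigInteger}. A start id of zero means "from the beginning".
     *
     * @param nodeType   role whose table is consulted (only distinguishes SCM for valid certs)
     * @param bigInteger start serial id; zero lists from the first key
     * @param i          maximum number of entries
     * @param certType   valid or revoked certificates
     * @return the certificates found; for revoked entries with no stored certificate the element is {@code null}
     * @throws SCMSecurityException if reading an entry's value fails
     * @throws IOException          if the range scan itself fails
     */
    @Override
    public List<X509Certificate> listCertificate(HddsProtos.NodeType nodeType, BigInteger bigInteger, int i,
                                                 CertificateStore.CertType certType) throws IOException {
        Preconditions.checkNotNull(bigInteger);
        // Compare the full value rather than a truncated long so that only a real
        // zero, not a multiple of 2^64, is treated as "from the beginning".
        BigInteger startKey = bigInteger.signum() == 0 ? null : bigInteger;
        List<X509Certificate> results = new ArrayList<>();
        if (certType == CertificateStore.CertType.VALID_CERTS) {
            for (Table.KeyValue<BigInteger, X509Certificate> kv
                : getValidCertTableList(nodeType, startKey, i)) {
                results.add(readValue(kv));
            }
        } else {
            for (Table.KeyValue<BigInteger, CertInfo> kv
                : scmMetadataStore.getRevokedCertsV2Table()
                    .getRangeKVs(startKey, i, new MetadataKeyFilters.MetadataKeyFilter[0])) {
                CertInfo info = readValue(kv);
                results.add(info == null ? null : info.getX509Certificate());
            }
        }
        return results;
    }

    /**
     * Reads a table entry's value, translating a read failure into an
     * {@link SCMSecurityException} that keeps the original cause.
     */
    private static <V> V readValue(Table.KeyValue<?, V> kv) throws SCMSecurityException {
        try {
            return kv.getValue();
        } catch (IOException e) {
            LOG.error(LIST_CERT_FAILURE_MSG, e);
            throw new SCMSecurityException(LIST_CERT_FAILURE_MSG, e);
        }
    }

    /** Range-scans the SCM certs table for SCM nodes, the shared valid-certs table otherwise. */
    private List<? extends Table.KeyValue<BigInteger, X509Certificate>> getValidCertTableList(
        HddsProtos.NodeType nodeType, BigInteger bigInteger, int i) throws IOException {
        MetadataKeyFilters.MetadataKeyFilter[] noFilters = new MetadataKeyFilters.MetadataKeyFilter[0];
        if (nodeType == HddsProtos.NodeType.SCM) {
            return scmMetadataStore.getValidSCMCertsTable().getRangeKVs(bigInteger, i, noFilters);
        }
        return scmMetadataStore.getValidCertsTable().getRangeKVs(bigInteger, i, noFilters);
    }

    /**
     * Replaces the backing metadata store. The CRL sequence counter is kept.
     *
     * @param sCMMetadataStore the new store
     */
    @Override
    public void reinitialize(SCMMetadataStore sCMMetadataStore) {
        this.scmMetadataStore = sCMMetadataStore;
    }

    /**
     * Fetches the CRLs with the given sequence ids, in the order requested.
     *
     * @param list CRL sequence ids
     * @return one {@link CRLInfo} per id ({@code null} where the table has no row)
     * @throws SCMSecurityException if a lookup fails; the cause is preserved
     * @throws IOException          declared for the interface contract
     */
    @Override
    public List<CRLInfo> getCrls(List<Long> list) throws IOException {
        List<CRLInfo> crls = new ArrayList<>();
        for (Long crlId : list) {
            try {
                crls.add(scmMetadataStore.getCRLInfoTable().get(crlId));
            } catch (IOException e) {
                String msg = "Fail to get CRLs from SCM metadata store for crlId: " + crlId;
                LOG.error(msg, e);
                throw new SCMSecurityException(msg, e);
            }
        }
        return crls;
    }

    /** @return the sequence id of the most recently issued CRL (the value resumed from, if none issued yet) */
    @Override
    public long getLatestCrlId() {
        return crlSequenceId.get();
    }
}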
