package org.apache.hadoop.hdds.scm.ha;

import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.security.KeyPair;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.TimeUnit;
import org.apache.hadoop.hdds.conf.OzoneConfiguration;
import org.apache.hadoop.hdds.protocol.proto.HddsProtos;
import org.apache.hadoop.hdds.protocol.proto.SCMSecurityProtocolProtos;
import org.apache.hadoop.hdds.scm.server.SCMStorageConfig;
import org.apache.hadoop.hdds.security.x509.SecurityConfig;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateApprover;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.CertificateStore;
import org.apache.hadoop.hdds.security.x509.certificate.authority.DefaultCAServer;
import org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.DefaultCAProfile;
import org.apache.hadoop.hdds.security.x509.certificate.authority.PKIProfiles.PKIProfile;
import org.apache.hadoop.hdds.security.x509.certificate.client.CertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.client.SCMCertificateClient;
import org.apache.hadoop.hdds.security.x509.certificate.utils.CertificateCodec;
import org.apache.hadoop.hdds.security.x509.certificates.utils.CertificateSignRequest;
import org.apache.hadoop.hdds.utils.HddsServerUtil;
import org.apache.hadoop.ozone.OzoneConsts;
import org.apache.ratis.RaftConfigKeys;
import org.apache.ratis.client.RaftClient;
import org.apache.ratis.conf.Parameters;
import org.apache.ratis.conf.RaftProperties;
import org.apache.ratis.grpc.GrpcConfigKeys;
import org.apache.ratis.grpc.GrpcTlsConfig;
import org.apache.ratis.protocol.Message;
import org.apache.ratis.protocol.RaftClientReply;
import org.apache.ratis.protocol.RaftGroup;
import org.apache.ratis.protocol.RaftPeerId;
import org.apache.ratis.retry.RetryPolicies;
import org.apache.ratis.rpc.RpcType;
import org.apache.ratis.util.TimeDuration;
import org.bouncycastle.cert.X509CertificateHolder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/hadoop/hdds/scm/ha/HASecurityUtils.class */
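/**
 * Static helpers for securing an SCM in HA mode: bootstrapping the SCM's own
 * certificate (issued by a freshly initialized root CA on the primary SCM, or
 * requested from the primary SCM by every other SCM) and building the gRPC TLS
 * parameters used by the SCM Ratis server and client.
 *
 * <p>All methods are static; the class holds no state beyond {@link #LOG}.
 */
public final class HASecurityUtils {
    public static final Logger LOG = LoggerFactory.getLogger(HASecurityUtils.class);

    /** Subject prefix of the primary SCM's root CA identity. */
    private static final String ROOT_CA_SUBJECT_PREFIX = "scm@";
    /** Subject prefix of the certificate request for the SCM's own certificate. */
    private static final String SCM_CSR_SUBJECT_PREFIX = "scm-sub@";
    /** Retry budget of the Ratis client used by {@link #submitScmCertsToRatis}. */
    private static final int RATIS_MAX_RETRIES = 15;
    private static final TimeDuration RATIS_RETRY_SLEEP =
            TimeDuration.valueOf(500L, TimeUnit.MILLISECONDS);

    private HASecurityUtils() {
        // Utility class; not instantiable.
    }

    /**
     * Initializes the SCM certificate client and, when it reports that a
     * certificate must be obtained, obtains and stores one: the primary SCM
     * signs its own certificate with a newly initialized root CA, any other SCM
     * requests its certificate from the primary SCM.
     *
     * @param storageConfig SCM storage config; supplies cluster id and SCM id
     *                      and receives the serial id of the new certificate
     * @param conf          Ozone configuration
     * @param scmAddress    address of this SCM; its host name goes into the CSR
     * @param primaryScm    {@code true} if this SCM is the primary (root CA) SCM
     * @throws IOException      if the certificate client cannot be created or initialized
     * @throws RuntimeException if the client reports FAILURE, RECOVER or an
     *                          unknown response, or if obtaining/storing the
     *                          certificate fails
     */
    public static void initializeSecurity(SCMStorageConfig storageConfig, OzoneConfiguration conf,
            InetSocketAddress scmAddress, boolean primaryScm) throws IOException {
        LOG.info("Initializing secure StorageContainerManager.");
        SCMCertificateClient certClient = new SCMCertificateClient(new SecurityConfig(conf));
        CertificateClient.InitResponse response = certClient.init();
        LOG.info("Init response: {}", response);
        switch (response) {
            case SUCCESS:
                LOG.info("Initialization successful.");
                return;
            case GETCERT:
                if (primaryScm) {
                    getPrimarySCMSelfSignedCert(certClient, conf, storageConfig, scmAddress);
                } else {
                    getRootCASignedSCMCert(certClient, conf, storageConfig, scmAddress);
                }
                LOG.info("Successfully stored SCM signed certificate.");
                return;
            case FAILURE:
                LOG.error("SCM security initialization failed.");
                // Message said "OM" before; this is the SCM initialization path.
                throw new RuntimeException("SCM security initialization failed.");
            case RECOVER:
                LOG.error("SCM security initialization failed. SCM certificate is missing.");
                throw new RuntimeException("SCM security initialization failed.");
            default:
                LOG.error("SCM security initialization failed. Init response: {}", response);
                throw new RuntimeException("SCM security initialization failed.");
        }
    }

    /**
     * Obtains this (non-primary) SCM's certificate from the primary SCM's root
     * CA over the SCM security protocol and stores the returned CA certificate
     * and signed certificate through {@code client}.
     *
     * <p>Any {@link IOException} or {@link CertificateException} is logged and
     * rethrown wrapped in a {@link RuntimeException}; an incomplete response
     * (no CA certificate) is also reported as a {@link RuntimeException}.
     *
     * @param client        certificate client that generates the CSR and stores the result
     * @param conf          Ozone configuration
     * @param storageConfig supplies cluster id / SCM id and receives the certificate serial id
     * @param scmAddress    address of this SCM, used for the CSR host name
     */
    private static void getRootCASignedSCMCert(CertificateClient client, OzoneConfiguration conf,
            SCMStorageConfig storageConfig, InetSocketAddress scmAddress) {
        try {
            PKCS10CertificationRequest csr = generateCSR(client, storageConfig, conf, scmAddress);
            HddsProtos.ScmNodeDetailsProto nodeDetails = HddsProtos.ScmNodeDetailsProto.newBuilder()
                    .setClusterId(storageConfig.getClusterID())
                    .setHostName(scmAddress.getHostName())
                    .setScmNodeId(storageConfig.getScmId())
                    .build();
            // NOTE(review): the returned security client is not closed here (as in the
            // original); confirm whether it owns a connection that should be released.
            SCMSecurityProtocolProtos.SCMGetCertResponseProto response =
                    HddsServerUtil.getScmSecurityClientWithFixedDuration(conf)
                            .getSCMCertChain(nodeDetails, CertificateSignRequest.getEncodedString(csr));
            if (!response.hasX509CACertificate()) {
                throw new RuntimeException("Unable to retrieve SCM certificate chain");
            }
            String pemCert = response.getX509Certificate();
            // Store the CA certificate first so the signed certificate has its trust anchor on disk.
            // NOTE(review): nothing here verifies that pemCert chains to the returned CA
            // certificate; confirm whether storeCertificate/CertificateCodec perform that check.
            client.storeCertificate(response.getX509CACertificate(), true, true);
            client.storeCertificate(pemCert, true);
            X509Certificate cert = CertificateCodec.getX509Certificate(pemCert);
            persistSubCACertificate(conf, client, CertificateCodec.getCertificateHolder(cert));
            storageConfig.setScmCertSerialId(cert.getSerialNumber().toString());
        } catch (IOException | CertificateException e) {
            LOG.error("Error while fetching/storing SCM signed certificate.", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Initializes the primary SCM's self-signed root CA and uses it to issue
     * the primary SCM's own certificate, storing both through {@code client}.
     *
     * <p>Any {@link IOException}, {@link InterruptedException},
     * {@link CertificateException} or {@link ExecutionException} is logged and
     * rethrown wrapped in a {@link RuntimeException}.
     *
     * @param client        certificate client that generates the CSR and stores the result
     * @param conf          Ozone configuration
     * @param storageConfig supplies cluster id / SCM id and receives the certificate serial id
     * @param scmAddress    address of this SCM, used for the CSR host name
     */
    private static void getPrimarySCMSelfSignedCert(CertificateClient client, OzoneConfiguration conf,
            SCMStorageConfig storageConfig, InetSocketAddress scmAddress) {
        try {
            // No CertificateStore is supplied for the bootstrap CA (null, as before).
            CertificateServer rootCa =
                    initializeRootCertificateServer(conf, null, storageConfig, new DefaultCAProfile());
            PKCS10CertificationRequest csr = generateCSR(client, storageConfig, conf, scmAddress);
            X509CertificateHolder scmCert = rootCa.requestCertificate(csr,
                    CertificateApprover.ApprovalType.KERBEROS_TRUSTED, HddsProtos.NodeType.SCM).get();
            X509CertificateHolder caCert = rootCa.getCACertificate();
            String pemScmCert = CertificateCodec.getPEMEncodedString(scmCert);
            // CA certificate first, then the certificate it issued.
            client.storeCertificate(CertificateCodec.getPEMEncodedString(caCert), true, true);
            client.storeCertificate(pemScmCert, true);
            persistSubCACertificate(conf, client, scmCert);
            storageConfig.setScmCertSerialId(scmCert.getSerialNumber().toString());
        } catch (InterruptedException e) {
            // Restore the interrupt flag before failing so callers can observe it.
            Thread.currentThread().interrupt();
            LOG.error("Error while fetching/storing SCM signed certificate.", e);
            throw new RuntimeException(e);
        } catch (IOException | CertificateException | ExecutionException e) {
            LOG.error("Error while fetching/storing SCM signed certificate.", e);
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates and initializes a self-signed root CA server identified as
     * {@code scm@<local host name>} for the given cluster and SCM id.
     *
     * @param conf             Ozone configuration used to build the {@link SecurityConfig}
     * @param certificateStore backing store for issued certificates; may be {@code null}
     * @param storageConfig    supplies the cluster id and SCM id of the CA
     * @param profile          PKI profile the CA enforces on requests
     * @return the initialized CA server
     * @throws IOException if the local host name cannot be resolved or CA initialization fails
     */
    public static CertificateServer initializeRootCertificateServer(OzoneConfiguration conf,
            CertificateStore certificateStore, SCMStorageConfig storageConfig, PKIProfile profile)
            throws IOException {
        String subject = ROOT_CA_SUBJECT_PREFIX + InetAddress.getLocalHost().getHostName();
        DefaultCAServer caServer = new DefaultCAServer(subject, storageConfig.getClusterID(),
                storageConfig.getScmId(), certificateStore, profile,
                OzoneConsts.SCM_ROOT_CA_COMPONENT_NAME);
        caServer.init(new SecurityConfig(conf), CertificateServer.CAType.SELF_SIGNED_CA);
        return caServer;
    }

    /**
     * Builds the certificate signing request for this SCM's own certificate,
     * using the client's key pair and the subject {@code scm-sub@<host name>}.
     *
     * @param client        supplies the CSR builder and the key pair
     * @param storageConfig supplies the SCM id and cluster id placed in the CSR
     * @param conf          Ozone configuration passed to the CSR builder
     * @param scmAddress    resolved SCM address; its host name becomes the subject
     * @return the built CSR
     * @throws IOException          if the CSR cannot be built
     * @throws NullPointerException if {@code scmAddress} is unresolved (no address)
     */
    private static PKCS10CertificationRequest generateCSR(CertificateClient client,
            SCMStorageConfig storageConfig, OzoneConfiguration conf, InetSocketAddress scmAddress)
            throws IOException {
        // An unresolved socket address has no InetAddress; fail with a clear message instead of a bare NPE.
        InetAddress address = Objects.requireNonNull(scmAddress.getAddress(),
                "SCM address is unresolved: " + scmAddress);
        String hostName = address.getHostName();
        String subject = SCM_CSR_SUBJECT_PREFIX + hostName;
        KeyPair keyPair = new KeyPair(client.getPublicKey(), client.getPrivateKey());
        CertificateSignRequest.Builder csrBuilder = client.getCSRBuilder()
                .setKey(keyPair)
                .setConfiguration(conf)
                .setScmID(storageConfig.getScmId())
                .setClusterID(storageConfig.getClusterID())
                .setSubject(subject);
        LOG.info("Creating csr for SCM->hostName:{},scmId:{},clusterId:{},subject:{}",
                hostName, storageConfig.getScmId(), storageConfig.getClusterID(), subject);
        return csrBuilder.build();
    }

    /**
     * Writes the SCM's certificate to the certificate directory of the
     * client's component using a {@link CertificateCodec}.
     *
     * @param conf        Ozone configuration used to build the {@link SecurityConfig}
     * @param client      supplies the component name that selects the target directory
     * @param certificate certificate to write
     * @throws IOException if the certificate cannot be written
     */
    private static void persistSubCACertificate(OzoneConfiguration conf, CertificateClient client,
            X509CertificateHolder certificate) throws IOException {
        CertificateCodec codec = new CertificateCodec(new SecurityConfig(conf), client.getComponentName());
        codec.writeCertificate(certificate);
    }

    /**
     * Builds the Ratis {@link Parameters} for the SCM Ratis server, applying
     * {@code tlsConfig} to the server, admin, client and TLS config keys.
     *
     * @param tlsConfig gRPC TLS settings; {@code null} yields empty parameters (TLS off)
     * @return the parameters to pass to the Ratis server
     */
    public static Parameters createSCMServerTlsParameters(GrpcTlsConfig tlsConfig) {
        Parameters parameters = new Parameters();
        if (tlsConfig == null) {
            return parameters;
        }
        GrpcConfigKeys.Server.setTlsConf(parameters, tlsConfig);
        GrpcConfigKeys.Admin.setTlsConf(parameters, tlsConfig);
        GrpcConfigKeys.Client.setTlsConf(parameters, tlsConfig);
        GrpcConfigKeys.TLS.setConf(parameters, tlsConfig);
        return parameters;
    }

    /**
     * Builds the gRPC TLS config for SCM Ratis from the client's private key,
     * certificate and CA certificate, with mutual TLS enabled.
     *
     * @param securityConfig decides whether security and gRPC TLS are enabled
     * @param client         supplies the key and certificates
     * @return the TLS config, or {@code null} when security or gRPC TLS is disabled
     */
    public static GrpcTlsConfig createSCMRatisTLSConfig(SecurityConfig securityConfig,
            CertificateClient client) {
        if (!securityConfig.isSecurityEnabled() || !securityConfig.isGrpcTlsEnabled()) {
            return null;
        }
        // Last argument enables mutual TLS (client authentication).
        return new GrpcTlsConfig(client.getPrivateKey(), client.getCertificate(),
                client.getCACertificate(), true);
    }

    /**
     * Sends {@code message} to the SCM Ratis group through a short-lived gRPC
     * Ratis client and decodes the reply.
     *
     * @param raftGroup the SCM Ratis group to send to
     * @param tlsConfig gRPC TLS settings for the client; {@code null} for plaintext
     * @param message   the request to submit
     * @return the decoded reply
     * @throws Exception on client build, send or decode failure (propagated as declared)
     */
    public static SCMRatisResponse submitScmCertsToRatis(RaftGroup raftGroup, GrpcTlsConfig tlsConfig,
            Message message) throws Exception {
        RaftProperties properties = new RaftProperties();
        RaftConfigKeys.Rpc.setType(properties, RpcType.valueOf("GRPC"));
        RaftClient.Builder clientBuilder = RaftClient.newBuilder()
                .setRaftGroup(raftGroup)
                .setLeaderId((RaftPeerId) null)  // no leader hint; the client locates the leader
                .setProperties(properties)
                .setRetryPolicy(RetryPolicies.retryUpToMaximumCountWithFixedSleep(
                        RATIS_MAX_RETRIES, RATIS_RETRY_SLEEP));
        if (tlsConfig != null) {
            Parameters parameters = new Parameters();
            GrpcConfigKeys.Client.setTlsConf(parameters, tlsConfig);
            clientBuilder.setParameters(parameters);
        }
        // Close the client after the single request so its connections are released.
        try (RaftClient client = clientBuilder.build()) {
            RaftClientReply reply = client.async().send(message).get();
            return SCMRatisResponse.decode(reply);
        }
    }
}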
