package pl.edu.icm.unity.engine;

import eu.emi.security.authn.x509.X509CertChainValidatorExt;
import eu.emi.security.authn.x509.X509Credential;
import eu.emi.security.authn.x509.impl.CertificateUtils;
import eu.unicore.security.canl.CredentialProperties;
import eu.unicore.security.canl.DefaultAuthnAndTrustConfiguration;
import eu.unicore.security.canl.IAuthnAndTrustConfiguration;
import eu.unicore.security.canl.LoggingStoreUpdateListener;
import eu.unicore.security.canl.TruststoreProperties;
import eu.unicore.util.configuration.ConfigurationException;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.charset.StandardCharsets;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Collections;
import java.util.HashMap;
import java.util.HashSet;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.stream.Collectors;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Primary;
import org.springframework.stereotype.Component;
import pl.edu.icm.unity.engine.api.PKIManagement;
import pl.edu.icm.unity.engine.api.config.UnityPKIConfiguration;
import pl.edu.icm.unity.engine.api.config.UnityServerConfiguration;
import pl.edu.icm.unity.engine.api.pki.NamedCertificate;
import pl.edu.icm.unity.engine.authz.AuthzCapability;
import pl.edu.icm.unity.engine.authz.InternalAuthorizationManager;
import pl.edu.icm.unity.exceptions.EngineException;
import pl.edu.icm.unity.exceptions.InternalException;
import pl.edu.icm.unity.exceptions.WrongArgumentException;
import pl.edu.icm.unity.store.api.generic.CertificateDB;
import pl.edu.icm.unity.store.api.tx.Transactional;
import pl.edu.icm.unity.store.types.StoredCertificate;

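/**
 * Engine implementation of {@link PKIManagement}.
 *
 * <p>Three kinds of PKI material are served from here:
 * <ul>
 *   <li>server credentials and truststores (validators), read once from the
 *       {@code credentials.*} / {@code truststores.*} configuration lists in the constructor
 *       and never changed afterwards;</li>
 *   <li>"volatile" certificates, held only in the in-memory {@code certificates} map;</li>
 *   <li>"persisted" certificates, stored as PEM strings through {@link CertificateDB}.</li>
 * </ul>
 *
 * <p>Authorization: every certificate management method checks
 * {@link AuthzCapability#maintenance} before touching either certificate store. The credential
 * and truststore accessors ({@link #getCredential}, {@link #getValidator}, the name listings and
 * {@link #getMainAuthnAndTrust}) perform no authorization check in this class; they are also
 * used internally during construction.
 *
 * <p>Thread-safety: the volatile certificate map is guarded by the instance monitor
 * ({@code synchronized} methods). The credential and validator maps are populated in the
 * constructor and only read afterwards. Database-only methods are not synchronized.
 */
@Component
@Primary
public class PKIManagementImpl implements PKIManagement {
    private final InternalAuthorizationManager authz;
    private final UnityPKIConfiguration pkiConf;
    // Populated once in the constructor; read-only afterwards.
    private final Map<String, X509Credential> credentials;
    // Populated once in the constructor; read-only afterwards.
    private final Map<String, X509CertChainValidatorExt> validators;
    // In-memory ("volatile") certificates; guarded by this instance's monitor.
    private final Map<String, NamedCertificate> certificates;
    private final IAuthnAndTrustConfiguration mainAuthnTrust;
    private final CertificateDB certDB;

    /**
     * Loads all configured credentials and truststores and resolves the main server
     * credential/truststore pair named by the {@code truststore} and {@code credential}
     * configuration values.
     *
     * @param unityServerConfiguration server configuration; its PKI sub-configuration is used
     * @param certificateDB store for persisted certificates
     * @param internalAuthorizationManager authorization checks for certificate management calls
     * @throws ConfigurationException if the main credential or truststore cannot be resolved
     */
    @Autowired
    public PKIManagementImpl(UnityServerConfiguration unityServerConfiguration, CertificateDB certificateDB,
            InternalAuthorizationManager internalAuthorizationManager) {
        this.pkiConf = unityServerConfiguration.getPKIConfiguration();
        this.certDB = certificateDB;
        this.authz = internalAuthorizationManager;
        this.credentials = loadConfiguredCredentials();
        this.validators = loadConfiguredValidators();
        // Initialised before the main credential/truststore lookup so the field can never be
        // observed as null, whatever happens below.
        this.certificates = new HashMap<>();
        try {
            this.mainAuthnTrust = new DefaultAuthnAndTrustConfiguration(
                    getValidator(unityServerConfiguration.getValue("truststore")),
                    getCredential(unityServerConfiguration.getValue("credential")));
        } catch (EngineException e) {
            throw new ConfigurationException("Can't load the main server credential/truststore", e);
        }
    }

    /** Builds the credential map from the {@code credentials.*} configuration list. */
    private Map<String, X509Credential> loadConfiguredCredentials() {
        Map<String, X509Credential> loaded = new HashMap<>();
        for (String key : this.pkiConf.getStructuredListKeys("credentials.")) {
            CredentialProperties props = new CredentialProperties(this.pkiConf.getProperties(),
                    this.pkiConf.getCredentialPrefix(key));
            loaded.put(this.pkiConf.getCredentialName(key), props.getCredential());
        }
        return loaded;
    }

    /** Builds the validator map from the {@code truststores.*} configuration list. */
    private Map<String, X509CertChainValidatorExt> loadConfiguredValidators() {
        Map<String, X509CertChainValidatorExt> loaded = new HashMap<>();
        for (String key : this.pkiConf.getStructuredListKeys("truststores.")) {
            // The listener only logs truststore updates; it does not affect validation.
            TruststoreProperties props = new TruststoreProperties(this.pkiConf.getProperties(),
                    Collections.singleton(new LoggingStoreUpdateListener()), this.pkiConf.getTruststorePrefix(key));
            loaded.put(this.pkiConf.getTruststoreName(key), props.getValidator());
        }
        return loaded;
    }

    /**
     * Reads every certificate listed under {@code certificates.*} in the configuration from its
     * {@code certificateFile} and stores it in the database, updating an existing entry of the
     * same name or creating a new one. Performs no authorization check.
     *
     * @throws ConfigurationException if a certificate file cannot be opened or closed
     * @throws InternalException if a file does not contain a parseable PEM certificate
     */
    @Transactional
    public void loadCertificatesFromConfigFile() {
        Set<String> persistedNames = this.certDB.getAllNames();
        for (String key : this.pkiConf.getStructuredListKeys("certificates.")) {
            String certificateName = this.pkiConf.getCertificateName(key);
            // try-with-resources: the file stream was previously never closed.
            try (InputStream in = new FileInputStream(this.pkiConf.getFileValue(key + "certificateFile", false))) {
                StoredCertificate storedCert = toStoredCert(
                        new NamedCertificate(certificateName, getX509Certificate(in)));
                if (persistedNames.contains(certificateName)) {
                    this.certDB.update(storedCert);
                } else {
                    this.certDB.create(storedCert);
                }
            } catch (IOException e) {
                throw new ConfigurationException("Can not load certificate " + certificateName, e);
            }
        }
    }

    /**
     * @return names of all configured credentials, as an unmodifiable view
     */
    public Set<String> getCredentialNames() throws EngineException {
        return Collections.unmodifiableSet(this.credentials.keySet());
    }

    /**
     * @param str credential name as configured
     * @return the credential registered under {@code str}
     * @throws WrongArgumentException if no credential with that name is configured
     */
    public X509Credential getCredential(String str) throws EngineException {
        X509Credential credential = this.credentials.get(str);
        if (credential == null) {
            throw new WrongArgumentException("The credential " + str + " is not defined. Available credentials: "
                    + getCredentialNames());
        }
        return credential;
    }

    /**
     * @return names of all configured truststores, as an unmodifiable view
     */
    public Set<String> getValidatorNames() throws EngineException {
        return Collections.unmodifiableSet(this.validators.keySet());
    }

    /**
     * @param str truststore name as configured
     * @return the chain validator registered under {@code str}
     * @throws WrongArgumentException if no truststore with that name is configured
     */
    public X509CertChainValidatorExt getValidator(String str) throws EngineException {
        X509CertChainValidatorExt validator = this.validators.get(str);
        if (validator == null) {
            throw new WrongArgumentException("The truststore " + str + " is not defined. Available truststores: "
                    + getValidatorNames());
        }
        return validator;
    }

    /**
     * @return the main server credential/truststore pair resolved in the constructor
     */
    public IAuthnAndTrustConfiguration getMainAuthnAndTrust() {
        return this.mainAuthnTrust;
    }

    /**
     * @return names of all persisted and volatile certificates (a fresh, mutable set)
     * @throws EngineException if the caller lacks the maintenance capability
     */
    @Transactional
    public synchronized Set<String> getAllCertificateNames() throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        Set<String> names = new HashSet<>(this.certDB.getAllNames());
        names.addAll(this.certificates.keySet());
        return names;
    }

    /**
     * Looks a certificate up by name, volatile store first, then the database.
     *
     * @param str certificate name
     * @return the named certificate
     * @throws EngineException if the caller lacks the maintenance capability
     */
    @Transactional
    public synchronized NamedCertificate getCertificate(String str) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        NamedCertificate volatileCert = this.certificates.get(str);
        if (volatileCert != null) {
            return volatileCert;
        }
        // NOTE(review): certDB.get appears to throw IllegalArgumentException for an unknown name
        // (see assertCertificateIsNotPresent); that exception propagates to the caller here.
        return fromStoredCert(this.certDB.get(str));
    }

    /**
     * @return a snapshot of the volatile (in-memory) certificates
     * @throws EngineException if the caller lacks the maintenance capability
     */
    public synchronized List<NamedCertificate> getVolatileCertificates() throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        return new ArrayList<>(this.certificates.values());
    }

    /**
     * Adds an in-memory certificate.
     *
     * @param str certificate name; must not already be used by a volatile or persisted certificate
     * @param x509Certificate the certificate
     * @throws EngineException if the caller lacks the maintenance capability
     * @throws IllegalArgumentException if a certificate with that name already exists
     */
    @Transactional
    public synchronized void addVolatileCertificate(String str, X509Certificate x509Certificate) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        assertCertificateIsNotPresent(str);
        this.certificates.put(str, new NamedCertificate(str, x509Certificate));
    }

    /**
     * Stores a certificate in the database.
     *
     * @param namedCertificate certificate to persist; its name must be unused
     * @throws EngineException if the caller lacks the maintenance capability
     * @throws IllegalArgumentException if a certificate with that name already exists
     */
    @Transactional
    public synchronized void addPersistedCertificate(NamedCertificate namedCertificate) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        assertCertificateIsNotPresent(namedCertificate.name);
        this.certDB.create(toStoredCert(namedCertificate));
    }

    /**
     * @return all certificates stored in the database, parsed from their PEM form
     * @throws EngineException if the caller lacks the maintenance capability
     */
    @Transactional
    public List<NamedCertificate> getPersistedCertificates() throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        return this.certDB.getAll().stream()
                .map(this::fromStoredCert)
                .collect(Collectors.toList());
    }

    /**
     * Removes a certificate by name: from the volatile store if it is there, otherwise from the
     * database.
     *
     * @param str certificate name
     * @throws EngineException if the caller lacks the maintenance capability
     */
    @Transactional
    public synchronized void removeCertificate(String str) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        boolean removedVolatile = this.certificates.remove(str) != null;
        if (!removedVolatile) {
            this.certDB.delete(str);
        }
    }

    /**
     * Replaces a certificate: in the volatile store if the name is present there, otherwise in
     * the database.
     *
     * @param namedCertificate new certificate, matched by name
     * @throws EngineException if the caller lacks the maintenance capability
     */
    @Transactional
    public synchronized void updateCertificate(NamedCertificate namedCertificate) throws EngineException {
        this.authz.checkAuthorization(AuthzCapability.maintenance);
        String name = namedCertificate.name;
        if (this.certificates.containsKey(name)) {
            this.certificates.put(name, namedCertificate);
        } else {
            this.certDB.update(toStoredCert(namedCertificate));
        }
    }

    /**
     * Ensures no volatile or persisted certificate uses the given name.
     *
     * @param str certificate name
     * @throws IllegalArgumentException if the name is already taken
     */
    void assertCertificateIsNotPresent(String str) {
        String alreadyExists = "The certificate labelled " + str + " already exists";
        if (this.certificates.containsKey(str)) {
            throw new IllegalArgumentException(alreadyExists);
        }
        try {
            this.certDB.get(str);
        } catch (IllegalArgumentException e) {
            // presumably certDB.get signals "no such name" with IllegalArgumentException; that is
            // the success path here — TODO confirm against CertificateDB
            return;
        }
        throw new IllegalArgumentException(alreadyExists);
    }

    /** Converts to the database representation (name + PEM string). */
    private StoredCertificate toStoredCert(NamedCertificate namedCertificate) {
        return new StoredCertificate(namedCertificate.name, getPemStringFromCert(namedCertificate.value));
    }

    /** Parses the PEM string held in the database back into a certificate. */
    private NamedCertificate fromStoredCert(StoredCertificate storedCertificate) {
        // Explicit charset: PEM is ASCII, so the result does not depend on the platform default.
        byte[] pem = storedCertificate.getValue().getBytes(StandardCharsets.UTF_8);
        return new NamedCertificate(storedCertificate.getName(), getX509Certificate(new ByteArrayInputStream(pem)));
    }

    /**
     * Reads one PEM-encoded certificate from the stream. The stream is not closed here.
     *
     * @throws InternalException if the data cannot be read or parsed
     */
    private X509Certificate getX509Certificate(InputStream inputStream) {
        try {
            return CertificateUtils.loadCertificate(inputStream, CertificateUtils.Encoding.PEM);
        } catch (IOException e) {
            throw new InternalException("Can not load certificate from string", e);
        }
    }

    /**
     * Serialises a certificate to its PEM text form.
     *
     * @throws InternalException if encoding fails
     */
    private String getPemStringFromCert(X509Certificate x509Certificate) {
        try {
            ByteArrayOutputStream out = new ByteArrayOutputStream();
            CertificateUtils.saveCertificate(out, x509Certificate, CertificateUtils.Encoding.PEM);
            // Explicit charset, matching fromStoredCert.
            return new String(out.toByteArray(), StandardCharsets.UTF_8);
        } catch (IOException e) {
            throw new InternalException("Can not parse certificate to string", e);
        }
    }
}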
