package org.jfrog.access.server;

import com.google.common.collect.Lists;
import com.google.common.hash.Hashing;
import java.io.File;
import java.io.FileOutputStream;
import java.io.FileReader;
import java.io.IOException;
import java.math.BigInteger;
import java.nio.ByteBuffer;
import java.nio.file.CopyOption;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.KeyPair;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Iterator;
import java.util.List;
import java.util.Optional;
import java.util.Properties;
import java.util.UUID;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.annotation.PostConstruct;
import javax.security.auth.x500.X500Principal;
import javax.security.cert.X509Certificate;
import org.apache.commons.io.Charsets;
import org.apache.commons.io.FileUtils;
import org.jfrog.access.common.AccessAuthz;
import org.jfrog.access.common.ServiceId;
import org.jfrog.access.server.config.AccessConfig;
import org.jfrog.access.server.config.AccessConfigKeys;
import org.jfrog.access.server.db.service.ServerStorageService;
import org.jfrog.access.server.home.AccessHome;
import org.jfrog.access.server.home.BundledInternalAccessHome;
import org.jfrog.access.server.home.InternalAccessHome;
import org.jfrog.access.server.model.Role;
import org.jfrog.access.server.model.Server;
import org.jfrog.access.server.model.ServerImpl;
import org.jfrog.access.server.model.User;
import org.jfrog.access.server.model.UserImpl;
import org.jfrog.access.server.service.storage.UserStorageService;
import org.jfrog.access.server.service.token.CreatedSignedToken;
import org.jfrog.access.server.service.token.InternalTokenService;
import org.jfrog.access.server.service.token.TokenSpec;
import org.jfrog.access.util.AccessCredsFileHelper;
import org.jfrog.access.util.CredsUtils;
import org.jfrog.access.util.SecurityUtils;
import org.jfrog.access.version.AccessVersion;
import org.jfrog.security.crypto.JFrogCryptoHelper;
import org.jfrog.security.file.PemHelper;
import org.jfrog.security.file.SecurityFolderHelper;
import org.jfrog.security.ssl.CertificateGenerationException;
import org.jfrog.security.ssl.CertificateHelper;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.crypto.password.PasswordEncoder;
import org.springframework.stereotype.Component;

@Component
/* loaded from: input_file:WEB-INF/lib/access-server-core-2.0.1.jar:org/jfrog/access/server/AccessServerBootstrapImpl.class */
public class AccessServerBootstrapImpl implements AccessServerBootstrap {
    private static final Logger log = LoggerFactory.getLogger((Class<?>) AccessServerBootstrapImpl.class);
    private static final long SERVICE_ADMIN_TOKEN_EXPIRY = TimeUnit.SECONDS.convert(10950, TimeUnit.DAYS);

    @Autowired
    private AccessHome accessHome;

    @Autowired
    private InternalAccessHome internalAccessHome;

    @Autowired
    private AccessConfig accessConfig;

    @Autowired
    private UserStorageService userStorageService;

    @Autowired
    private ServerStorageService serverStorageService;

    @Autowired
    private InternalTokenService internalTokenService;

    @Autowired
    private PasswordEncoder passwordEncoder;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/access-server-core-2.0.1.jar:org/jfrog/access/server/AccessServerBootstrapImpl$BootstrapConfig.class */
    public static class BootstrapConfig {
        static final String PROP_SRC_PRIVATE_KEY = "key";
        static final String PROP_SRC_CERT = "crt";
        static final String PROP_GEN_SERVICE_TOKENS = "service_tokens";
        static final String PROP_GEN_SERVICE_TOKENS_FOLDER = "service_tokens_folder";
        private final InternalAccessHome internalAccessHome;
        private final Properties props;

        private BootstrapConfig(InternalAccessHome internalAccessHome) {
            this.internalAccessHome = internalAccessHome;
            this.props = loadProperties();
        }

        public void discard() {
            try {
                this.internalAccessHome.removeBootstrapConfigFile();
            } catch (IOException e) {
                throw new RuntimeException("Could not remove bootstrap config file.", e);
            }
        }

        @Nullable
        public String getProperty(@Nonnull String str) {
            String property = this.props.getProperty(str);
            if (property == null) {
                property = System.getProperty(AccessConfig.SYSTEM_PROP_PREFIX + str);
            }
            return property;
        }

        @Nullable
        public List<String> getPropertyJoinedList(@Nonnull String str, @Nonnull String str2) {
            String property = this.props.getProperty(str);
            String property2 = System.getProperty(AccessConfig.SYSTEM_PROP_PREFIX + str);
            if (property == null && property2 == null) {
                return null;
            }
            ArrayList newArrayList = Lists.newArrayList();
            Optional.ofNullable(property).ifPresent(str3 -> {
                newArrayList.addAll(Arrays.asList(str3.split(str2)));
            });
            Optional.ofNullable(property2).ifPresent(str4 -> {
                newArrayList.addAll(Arrays.asList(str4.split(str2)));
            });
            return newArrayList;
        }

        private Properties loadProperties() {
            Properties properties = new Properties();
            File bootstrapConfigFile = this.internalAccessHome.getBootstrapConfigFile();
            if (bootstrapConfigFile.exists()) {
                try {
                    FileReader fileReader = new FileReader(bootstrapConfigFile);
                    Throwable th = null;
                    try {
                        try {
                            properties.load(fileReader);
                            if (fileReader != null) {
                                if (0 != 0) {
                                    try {
                                        fileReader.close();
                                    } catch (Throwable th2) {
                                        th.addSuppressed(th2);
                                    }
                                } else {
                                    fileReader.close();
                                }
                            }
                        } finally {
                        }
                    } finally {
                    }
                } catch (IOException e) {
                    throw new IllegalArgumentException("Could not load bootstrap config file: " + bootstrapConfigFile.getAbsolutePath(), e);
                }
            }
            return properties;
        }
    }

    @PostConstruct
    private void run() {
        log.info("[ACCESS BOOTSTRAP] Starting JFrog Access bootstrap...");
        BootstrapConfig bootstrapConfig = new BootstrapConfig(this.internalAccessHome);
        initPrivateKeyAndCert(bootstrapConfig);
        createOrUpdateAdminCredentials();
        createRequestedServiceAdminTokens(bootstrapConfig);
        bootstrapConfig.discard();
        log.info("[ACCESS BOOTSTRAP] JFrog Access bootstrap finished.");
    }

    private void initPrivateKeyAndCert(BootstrapConfig bootstrapConfig) {
        try {
            boolean copyPrivateKeyAndCertFromBootstrapIfExists = copyPrivateKeyAndCertFromBootstrapIfExists(bootstrapConfig);
            File accessPrivateKeyFile = this.accessHome.getAccessPrivateKeyFile();
            File accessRootCertFile = this.accessHome.getAccessRootCertFile();
            if (privateKeyAndCertExist(accessPrivateKeyFile, accessRootCertFile)) {
                ensureMatchingPrivateKeyAndCert(accessPrivateKeyFile, accessRootCertFile);
            } else {
                generatePrivateKeyAndCert();
                if (!forceReplaceExistingRootKeys()) {
                    verifyLatestPrivateKey(accessPrivateKeyFile);
                }
                copyPrivateKeyAndCertFromBootstrapIfExists = true;
            }
            if (copyPrivateKeyAndCertFromBootstrapIfExists) {
                updateServerPrivateKeyFingerprint();
                createKeyStore();
            }
            SecurityFolderHelper.setPermissionsOnSecurityFile(accessPrivateKeyFile.toPath(), SecurityFolderHelper.PERMISSIONS_MODE_600);
            SecurityFolderHelper.setPermissionsOnSecurityFile(accessRootCertFile.toPath(), SecurityFolderHelper.PERMISSIONS_MODE_600);
            this.accessHome.verifyFolderPermissions();
        } catch (Exception e) {
            throw asRuntimeException(e);
        }
    }

    private void createKeyStore() throws KeyStoreException, CertificateException, NoSuchAlgorithmException, IOException {
        KeyStore keyStore = KeyStore.getInstance("PKCS12");
        keyStore.load(null, null);
        keyStore.setEntry(getKeyStoreCertificateAlias(), new KeyStore.PrivateKeyEntry(PemHelper.readPrivateKey(this.accessHome.getAccessPrivateKeyFile()), new Certificate[]{PemHelper.readCertificate(this.accessHome.getAccessRootCertFile())}), new KeyStore.PasswordProtection(getKeyStorePassword().toCharArray()));
        new FileOutputStream(this.accessHome.getKeyStoreFile());
        keyStore.store(new FileOutputStream(this.accessHome.getKeyStoreFile()), getKeyStorePassword().toCharArray());
    }

    private void updateServerPrivateKeyFingerprint() {
        PrivateKey readPrivateKey = readPrivateKey(this.accessHome.getAccessPrivateKeyFile());
        String serverName = getServerName();
        Optional<Server> findServerByUniqueName = this.serverStorageService.findServerByUniqueName(serverName);
        Server build = findServerByUniqueName.isPresent() ? ServerImpl.buildFrom(findServerByUniqueName.get()).version(AccessVersion.current().getName()).privateKeyFingerprint(readPrivateKey).privateKeyLastModified(System.currentTimeMillis()).build() : ServerImpl.builder().uniqueName(serverName).version(AccessVersion.current().getName()).privateKeyFingerprint(readPrivateKey).privateKeyLastModified(System.currentTimeMillis()).build();
        log.info("[ACCESS BOOTSTRAP] Updating server '{}' private key finger print to: {}", build.getUniqueName(), build.getPrivateKeyFingerprint());
        this.serverStorageService.saveServer(build);
    }

    @Nonnull
    private String getServerName() {
        AccessProperties accessProperties = new AccessProperties(this.accessHome);
        Optional<String> serverName = accessProperties.getServerName();
        if (!serverName.isPresent()) {
            String uuid = UUID.randomUUID().toString();
            log.info("[ACCESS BOOTSTRAP] Server name not found in access properties. Setting server name: {}", uuid);
            accessProperties.setServerName(uuid);
            accessProperties.save();
            serverName = accessProperties.getServerName();
        }
        return serverName.get();
    }

    private void ensureMatchingPrivateKeyAndCert(File file, File file2) throws Exception {
        SecurityUtils.ensureMatchingPrivatePublicKeys(new KeyPair(PemHelper.readCertificate(file2).getPublicKey(), readPrivateKey(file)));
    }

    private boolean copyPrivateKeyAndCertFromBootstrapIfExists(BootstrapConfig bootstrapConfig) throws IOException {
        String property = bootstrapConfig.getProperty("key");
        String property2 = bootstrapConfig.getProperty("crt");
        File file = property != null ? new File(property) : null;
        File file2 = property2 != null ? new File(property2) : null;
        File accessPrivateKeyFile = this.accessHome.getAccessPrivateKeyFile();
        File accessRootCertFile = this.accessHome.getAccessRootCertFile();
        if (privateKeyAndCertExist(accessPrivateKeyFile, accessRootCertFile)) {
            if (forceReplaceExistingRootKeys()) {
                return true;
            }
            verifyLatestPrivateKey(accessPrivateKeyFile);
            return true;
        }
        if (!privateKeyAndCertExist(file, file2)) {
            if (property == null || property2 == null) {
                return false;
            }
            throw new IllegalStateException("Both bootstrap private key and root certificate files do not exist (private key: " + property + ", certificate: " + property2 + ").");
        }
        log.info("[ACCESS BOOTSTRAP] Copying private key and root certificate files provided by bootstrap config.");
        log.debug("[ACCESS BOOTSTRAP] Copying private key and root certificate files provided by bootstrap config (private key: {}, certificate: {}).", property, property2);
        if (!forceReplaceExistingRootKeys()) {
            verifyLatestPrivateKey(file);
        }
        Files.copy(file.toPath(), accessPrivateKeyFile.toPath(), new CopyOption[0]);
        Files.copy(file2.toPath(), accessRootCertFile.toPath(), new CopyOption[0]);
        return true;
    }

    private boolean forceReplaceExistingRootKeys() {
        if (!"true".equals(System.getProperty("jfrog.access.force.replace.existing.root.keys", "false"))) {
            return false;
        }
        log.info("[ACCESS BOOTSTRAP] \n*******************************************************************\n*** Forcing replacement of the root private key and certificate ***\n*******************************************************************");
        return true;
    }

    private void verifyLatestPrivateKey(File file) {
        Optional<Server> findServerWithLastModifiedPrivateKey = this.serverStorageService.findServerWithLastModifiedPrivateKey();
        if (findServerWithLastModifiedPrivateKey.isPresent()) {
            log.debug("[ACCESS BOOTSTRAP] Server with latest private key: {}", findServerWithLastModifiedPrivateKey.get().getUniqueName());
            String privateKeyFingerprint = findServerWithLastModifiedPrivateKey.get().getPrivateKeyFingerprint();
            String calcFingerprint = SecurityUtils.calcFingerprint(readPrivateKey(file));
            if (!calcFingerprint.equals(privateKeyFingerprint)) {
                throw new IllegalStateException("Provided private key and latest private key fingerprints mismatch. provided: " + calcFingerprint + ", latest: " + privateKeyFingerprint);
            }
        }
    }

    private PrivateKey readPrivateKey(File file) {
        try {
            return PemHelper.readPrivateKey(file);
        } catch (IOException e) {
            throw new IllegalArgumentException("Failed to read private key PEM file: " + file.getAbsolutePath(), e);
        }
    }

    private boolean privateKeyAndCertExist(@Nullable File file, @Nullable File file2) {
        if (file == null || !file.exists()) {
            if (file2 == null || !file2.exists()) {
                return false;
            }
            throw new IllegalStateException("Both private key and root certificate files must be given or not together (only the root certificate exists: " + file2.getAbsolutePath() + ").");
        }
        if (file2 == null || !file2.exists()) {
            throw new IllegalStateException("Both private key and root certificate files must be given or not together (only the private key exists: " + file.getAbsolutePath() + ").");
        }
        return true;
    }

    private void generatePrivateKeyAndCert() {
        try {
            log.info("[ACCESS BOOTSTRAP] Generating private key and root certificate");
            File accessPrivateKeyFile = this.accessHome.getAccessPrivateKeyFile();
            File accessRootCertFile = this.accessHome.getAccessRootCertFile();
            SecurityFolderHelper.setPermissionsOnSecurityFolder(accessPrivateKeyFile.getParentFile());
            KeyPair generateKeyPair = JFrogCryptoHelper.generateKeyPair(2048);
            X509Certificate generateRootCertificate = generateRootCertificate(generateKeyPair);
            PemHelper.savePrivateKey(accessPrivateKeyFile, generateKeyPair.getPrivate());
            PemHelper.saveCertificate(accessRootCertFile, generateRootCertificate);
        } catch (Exception e) {
            throw new RuntimeException("Failed to generate and save private key and root certificate.", e);
        }
    }

    private X509Certificate generateRootCertificate(KeyPair keyPair) throws CertificateGenerationException {
        X500Principal x500Principal = new X500Principal("CN=" + this.accessConfig.getAccessServerId());
        return CertificateHelper.generateSignedCertificate(x500Principal, keyPair.getPrivate(), x500Principal, keyPair.getPublic(), randomSerialNumber(), Long.MAX_VALUE);
    }

    private BigInteger randomSerialNumber() {
        UUID randomUUID = UUID.randomUUID();
        ByteBuffer wrap = ByteBuffer.wrap(new byte[16]);
        wrap.putLong(randomUUID.getMostSignificantBits());
        wrap.putLong(randomUUID.getLeastSignificantBits());
        return new BigInteger(1, wrap.array());
    }

    private void createOrUpdateAdminCredentials() {
        if (this.internalAccessHome.getBootstrapAccessCredsFile().exists()) {
            handleBootstrapCredsFile();
        } else {
            if (this.userStorageService.adminUserExists()) {
                return;
            }
            try {
                generateAdminUser();
            } catch (IOException e) {
                throw new RuntimeException("Failed to generate and save initial admin credentials", e);
            }
        }
    }

    private void handleBootstrapCredsFile() {
        try {
            SecurityFolderHelper.checkPermissionsOnSecurityFile(this.internalAccessHome.getBootstrapAccessCredsFile(), SecurityFolderHelper.PERMISSIONS_MODE_600);
            saveUsersFromBootstrapCredsFile();
            FileUtils.forceDelete(this.internalAccessHome.getBootstrapAccessCredsFile());
        } catch (IOException e) {
            throw new RuntimeException("Failed to bootstrap initial access credentials.", e);
        }
    }

    private void saveUsersFromBootstrapCredsFile() throws IOException {
        AccessCredsFileHelper.readAccessCreds(this.internalAccessHome.getBootstrapAccessCredsFile()).forEach((str, str2) -> {
            User build;
            CredsUtils.ScopedUsername scopedUsername = CredsUtils.scopedUsername(str);
            Optional<User> findUserByUsername = this.userStorageService.findUserByUsername(scopedUsername.getUsername());
            if (findUserByUsername.isPresent()) {
                build = findUserByUsername.get();
            } else {
                build = UserImpl.builder().username(scopedUsername.getUsername()).role(Role.ADMIN).password(this.passwordEncoder.encode(str2)).allowedIps(scopedUsername.getAllowedIps()).build();
            }
            log.info("[ACCESS BOOTSTRAP] Create/update password for admin user '{}'", build);
            this.userStorageService.saveUser(build);
            handleUpdatedAdminCredentials(build.getUsername(), str2);
        });
    }

    private void deleteFileIfBundledServer(File file) throws IOException {
        if (isBundled()) {
            Files.deleteIfExists(file.toPath());
        }
    }

    private void generateAdminUser() throws IOException {
        File file = new File(this.accessHome.getEtcDir(), "generated.creds");
        log.info("[ACCESS BOOTSTRAP] No admin user exists - generating an admin user, credentials will be saved to: {}", file.getAbsolutePath());
        CharSequence generatePassword = CredsUtils.generatePassword(12);
        AccessCredsFileHelper.saveAccessCreds(file, AccessAuthz.ADMIN, generatePassword);
        this.userStorageService.saveUser(UserImpl.builder().username(AccessAuthz.ADMIN).password(this.passwordEncoder.encode(generatePassword)).role(Role.ADMIN).allowedIps("127.0.0.1").build());
        handleUpdatedAdminCredentials(AccessAuthz.ADMIN, generatePassword);
        deleteFileIfBundledServer(file);
    }

    private boolean isBundled() {
        return this.internalAccessHome instanceof BundledInternalAccessHome;
    }

    private void handleUpdatedAdminCredentials(String str, CharSequence charSequence) {
        if (isBundled()) {
            try {
                File bundlingAppClientHomeDir = ((BundledInternalAccessHome) this.internalAccessHome).getBundlingAppClientHomeDir();
                File file = new File(bundlingAppClientHomeDir, "bootstrap.creds");
                log.info("[ACCESS BOOTSTRAP] Writing updated credentials to the bundling Artifactory: {}", file.getAbsolutePath());
                FileUtils.forceMkdir(bundlingAppClientHomeDir);
                AccessCredsFileHelper.saveAccessCreds(file, str, charSequence);
            } catch (IOException e) {
                throw new RuntimeException("Failed to write the updated credentials to the bundling Artifactory.", e);
            }
        }
    }

    private void createRequestedServiceAdminTokens(BootstrapConfig bootstrapConfig) {
        String property = bootstrapConfig.getProperty("service_tokens_folder");
        List<String> propertyJoinedList = bootstrapConfig.getPropertyJoinedList("service_tokens", ",");
        if (property == null || propertyJoinedList == null || propertyJoinedList.isEmpty()) {
            if (property != null || (propertyJoinedList != null && !propertyJoinedList.isEmpty())) {
                throw new IllegalArgumentException("Both service IDs (service_tokens) and target folder (service_tokens_folder) need to be given or not together.");
            }
            return;
        }
        File file = new File(property);
        try {
            FileUtils.forceMkdir(file);
            Iterator<String> it = propertyJoinedList.iterator();
            while (it.hasNext()) {
                createServiceAdminToken(file, it.next());
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    private void createServiceAdminToken(File file, String str) throws IOException {
        log.debug("[ACCESS BOOTSTRAP] Creating admin token for service '{}'", str);
        CreatedSignedToken createTokenInternal = this.internalTokenService.createTokenInternal(createServiceAdminTokenSpec(ServiceId.fromFormattedName(str)));
        File file2 = new File(file, str + ".token");
        Files.write(file2.toPath(), createTokenInternal.getAccessToken().getTokenValue().getBytes(Charsets.UTF_8), new OpenOption[0]);
        SecurityFolderHelper.setPermissionsOnSecurityFile(file2.toPath(), SecurityFolderHelper.PERMISSIONS_MODE_640);
        log.info("[ACCESS BOOTSTRAP] Admin token for service '{}' was created and saved to: {}", str, file2.getAbsolutePath());
    }

    private TokenSpec createServiceAdminTokenSpec(@Nonnull ServiceId serviceId) {
        return TokenSpec.create().audience(this.accessConfig.getAccessServerId().getFormattedName()).subject(serviceId.getFormattedName()).owner(this.accessConfig.getAccessServerId().getFormattedName()).scope(serviceId + ":" + AccessAuthz.ADMIN).expiresIn(Long.valueOf(SERVICE_ADMIN_TOKEN_EXPIRY)).refreshable(false);
    }

    private RuntimeException asRuntimeException(Exception exc) {
        return exc instanceof RuntimeException ? (RuntimeException) exc : new RuntimeException(exc);
    }

    @Override // org.jfrog.access.server.AccessServerBootstrap
    public String getKeyStorePassword() {
        return Hashing.md5().hashBytes((this.accessConfig.getAccessServerId().getInstanceId() + "keyStorePass").getBytes()).toString();
    }

    @Override // org.jfrog.access.server.AccessServerBootstrap
    public String getKeyStoreCertificateAlias() {
        return this.accessConfig.getAccessServerId().getFormattedName();
    }

    @Override // org.jfrog.access.server.AccessServerBootstrap
    public boolean isAccessHttpTlsEnabled() {
        return this.accessConfig.getBoolean(AccessConfigKeys.accessHttpTlsEnabled);
    }

    @Override // org.jfrog.access.server.AccessServerBootstrap
    public int getAccessHttpPort() {
        return this.accessConfig.getInt(AccessConfigKeys.accessHttpPort);
    }
}
