package org.jfrog.access.server.rest.resource.cert;

import io.swagger.annotations.Api;
import io.swagger.annotations.ApiImplicitParam;
import io.swagger.annotations.ApiImplicitParams;
import io.swagger.annotations.ApiOperation;
import io.swagger.annotations.ApiResponse;
import io.swagger.annotations.ApiResponses;
import io.swagger.models.properties.StringProperty;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.cert.CertificateEncodingException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import javax.ws.rs.Consumes;
import javax.ws.rs.GET;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.CacheControl;
import javax.ws.rs.core.Response;
import org.jfrog.access.server.rest.exception.AccessRestException;
import org.jfrog.access.server.rest.exception.BadRequestRestException;
import org.jfrog.access.server.rest.exception.InternalServerRestException;
import org.jfrog.access.server.rest.model.ErrorsModel;
import org.jfrog.access.server.service.CertificateService;
import org.jfrog.security.ssl.CertificateGenerationException;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.security.config.ldap.LdapServerBeanDefinitionParser;
import org.springframework.stereotype.Component;

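/**
 * REST resource exposing the certificate operations of the JFrog Access server under {@code /v1/cert}:
 * reading the root certificate and issuing a certificate signed by the server.
 *
 * <p>NOTE(review): no authorization check is visible in this class. The signing endpoint documents an
 * {@code Authorization: Bearer} header, so access control is presumably enforced by a filter or
 * interceptor elsewhere. Confirm that only trusted callers can reach it, because it issues a
 * certificate for a caller-supplied service id, public key and expiry.
 */
@Api("Certificate")
@Path("/v1/cert")
@Component
/* loaded from: input_file:WEB-INF/lib/access-server-rest-2.0.1.jar:org/jfrog/access/server/rest/resource/cert/CertResource.class */
public class CertResource {
    private static final Logger log = LoggerFactory.getLogger(CertResource.class);

    @Autowired
    private CertificateService certificateService;

    /**
     * Returns the server's root certificate as a Base64 string of its encoded bytes.
     *
     * @return the Base64-encoded root certificate
     * @throws AccessRestException (internal server error) if the certificate cannot be encoded
     */
    @GET
    // NOTE(review): this constant reference looks like a decompiler substitution for a string literal
    // (presumably "root"); confirm against the original source before relying on the Spring LDAP class.
    @Path(LdapServerBeanDefinitionParser.ATT_ROOT_SUFFIX)
    @ApiOperation(value = "Get the root certificate of the JFrog Access server", notes = "Returns the root certificate bytes encoded in Base64")
    @Produces({"text/plain"})
    public String getRootCertificate() {
        try {
            byte[] encoded = this.certificateService.getRootCertificate().getEncoded();
            return Base64.getEncoder().encodeToString(encoded);
        } catch (CertificateEncodingException e) {
            // Keep the cause in the server log; the REST error returned to the caller carries no detail.
            log.error("Failed to encode root certificate.", e);
            throw newCertificateEncodingError();
        }
    }

    /**
     * Issues a certificate signed by the Access server for the service described in the request.
     *
     * <p>The response is marked {@code no-store, no-cache} so intermediaries do not retain the issued
     * certificate. {@code hidden = true} only removes the operation from the generated API
     * documentation; it does not restrict who can call it.
     *
     * @param createCertModel request body carrying the service id, Base64 public key and expiry
     * @return a 200 response whose entity is the Base64-encoded signed certificate
     * @throws BadRequestRestException if the request body is missing or the public key cannot be decoded
     * @throws AccessRestException (internal server error) if generation, signing or encoding fails
     */
    @ApiResponses({@ApiResponse(code = 500, message = "Certificate signing error", response = ErrorsModel.class)})
    @ApiImplicitParams({@ApiImplicitParam(name = "Authorization", paramType = "header", dataType = StringProperty.TYPE, defaultValue = "Bearer ACCESS-TOKEN")})
    @Consumes({"application/json"})
    @ApiOperation(value = "Generate a certificate signed by the JFrog Access server", hidden = true, notes = "Returns the signed certificate bytes encoded in Base64.")
    @POST
    @Produces({"text/plain"})
    public Response generateAndSignCertificate(CreateCertModel createCertModel) {
        // An empty request body reaches this method as null; reject it as a client error instead of
        // letting it surface as a NullPointerException further down.
        if (createCertModel == null) {
            throw new BadRequestRestException("Missing certificate request body", null);
        }
        String signedCertificate = createAndSignCertificate(createCertModel);
        CacheControl cacheControl = new CacheControl();
        cacheControl.setNoStore(true);
        cacheControl.setNoCache(true);
        return Response.ok(signedCertificate).cacheControl(cacheControl).build();
    }

    /**
     * Delegates certificate creation to {@link CertificateService} and Base64-encodes the result.
     *
     * @param createCertModel validated, non-null request model
     * @return the Base64-encoded signed certificate
     */
    private String createAndSignCertificate(CreateCertModel createCertModel) {
        try {
            PublicKey publicKey = getPublicKey(createCertModel);
            // NOTE(review): service id and expiry are passed through exactly as supplied by the caller;
            // confirm that CertificateService bounds the expiry and checks that the caller may request
            // a certificate for this service id.
            byte[] encoded = this.certificateService
                    .createAndSignCertificate(createCertModel.getServiceId(), publicKey, null, createCertModel.getExpiry())
                    .getEncoded();
            return Base64.getEncoder().encodeToString(encoded);
        } catch (CertificateEncodingException | CertificateGenerationException e) {
            // NOTE(review): the service id is request-controlled; make sure the log layout encodes
            // control characters so a crafted id cannot forge log lines.
            log.error("Failed to create and sign certificate for server '{}'.", createCertModel.getServiceId(), e);
            throw newCertificateSigningError();
        }
    }

    /**
     * Decodes the Base64, X.509-encoded RSA public key carried in the request.
     *
     * @param createCertModel request model holding the encoded key
     * @return the parsed RSA public key
     * @throws BadRequestRestException if the key is missing, is not valid Base64, or is not a valid
     *     X.509-encoded RSA key
     */
    private PublicKey getPublicKey(CreateCertModel createCertModel) {
        if (createCertModel.getPublicKey() == null) {
            log.warn("Missing public key for service '{}'.", createCertModel.getServiceId());
            throw new BadRequestRestException("Could not decode public key", null);
        }
        try {
            byte[] encodedKey = Base64.getDecoder().decode(createCertModel.getPublicKey());
            // NOTE(review): no minimum RSA modulus size is enforced here; confirm key strength is
            // validated before signing.
            return KeyFactory.getInstance("RSA").generatePublic(new X509EncodedKeySpec(encodedKey));
        } catch (IllegalArgumentException | NoSuchAlgorithmException | InvalidKeySpecException e) {
            // IllegalArgumentException is what Base64.Decoder throws on malformed input; without it a
            // bad key from the client would escape as an unhandled runtime exception rather than a 400.
            log.warn("Could not decode public key for service '{}'.", createCertModel.getServiceId(), e);
            throw new BadRequestRestException("Could not decode public key", null);
        }
    }

    /** Builds the error returned when a certificate cannot be encoded. */
    private AccessRestException newCertificateEncodingError() {
        return new InternalServerRestException("CERTIFICATE_ENCODING_ERROR", "Failed to encode certificate.", null);
    }

    /** Builds the error returned when certificate generation or signing fails. */
    private AccessRestException newCertificateSigningError() {
        return new InternalServerRestException("CERTIFICATE_SIGNING_ERROR", "Failed to generate and sign certificate, see logs for more details.", null);
    }
}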
