package org.graylog2.bootstrap.preflight;

import com.github.rholder.retry.Attempt;
import com.github.rholder.retry.RetryException;
import com.github.rholder.retry.RetryListener;
import com.github.rholder.retry.RetryerBuilder;
import com.github.rholder.retry.StopStrategies;
import com.github.rholder.retry.WaitStrategies;
import com.google.common.base.Suppliers;
import com.google.common.util.concurrent.ThreadFactoryBuilder;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.List;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.Response;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.graylog.security.certutil.CaConfiguration;
import org.graylog.security.certutil.CaService;
import org.graylog.security.certutil.CertConstants;
import org.graylog.security.certutil.ca.exceptions.KeyStoreStorageException;
import org.graylog.security.certutil.cert.CertificateChain;
import org.graylog.security.certutil.cert.storage.CertChainMongoStorage;
import org.graylog.security.certutil.cert.storage.CertChainStorage;
import org.graylog.security.certutil.csr.CsrSigner;
import org.graylog.security.certutil.csr.storage.CsrMongoStorage;
import org.graylog2.Configuration;
import org.graylog2.cluster.NodeService;
import org.graylog2.cluster.preflight.DataNodeProvisioningConfig;
import org.graylog2.cluster.preflight.DataNodeProvisioningService;
import org.graylog2.notifications.Notification;
import org.graylog2.notifications.NotificationService;
import org.graylog2.plugin.certificates.RenewalPolicy;
import org.graylog2.plugin.cluster.ClusterConfigService;
import org.graylog2.plugin.periodical.Periodical;
import org.graylog2.security.CustomCAX509TrustManager;
import org.graylog2.security.IndexerJwtAuthTokenProvider;
import org.jetbrains.annotations.NotNull;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:org/graylog2/bootstrap/preflight/GraylogCertificateProvisioningPeriodical.class */
public class GraylogCertificateProvisioningPeriodical extends Periodical {
    private static final int THREADPOOL_THREADS = 5;
    private static final int CONNECTION_ATTEMPTS = 40;
    private static final int WAIT_BETWEEN_CONNECTION_ATTEMPTS = 3;
    private static final String ERROR_MESSAGE_PREFIX = "Error trying to connect to data node ";
    private final DataNodeProvisioningService dataNodeProvisioningService;
    private final NodeService nodeService;
    private final CaConfiguration configuration;
    private final CsrMongoStorage csrStorage;
    private final CertChainStorage certMongoStorage;
    private final CaService caService;
    private final CsrSigner csrSigner;
    private final ClusterConfigService clusterConfigService;
    private final String passwordSecret;
    private final Supplier<OkHttpClient> okHttpClient;
    private final PreflightConfigService preflightConfigService;
    private final IndexerJwtAuthTokenProvider indexerJwtAuthTokenProvider;
    private final NotificationService notificationService;
    private final ExecutorService executor = Executors.newFixedThreadPool(5, new ThreadFactoryBuilder().setNameFormat("provisioning-connectivity-check-task").build());
    private static final Logger LOG = LoggerFactory.getLogger(GraylogCertificateProvisioningPeriodical.class);
    private static final Duration DELAY_BEFORE_SHOWING_EXCEPTIONS = Duration.ofMinutes(1);

    @Inject
    public GraylogCertificateProvisioningPeriodical(DataNodeProvisioningService dataNodeProvisioningService, CsrMongoStorage csrMongoStorage, CertChainMongoStorage certChainMongoStorage, CaService caService, Configuration configuration, NodeService nodeService, CsrSigner csrSigner, ClusterConfigService clusterConfigService, @Named("password_secret") String str, IndexerJwtAuthTokenProvider indexerJwtAuthTokenProvider, PreflightConfigService preflightConfigService, NotificationService notificationService, CustomCAX509TrustManager customCAX509TrustManager) {
        this.dataNodeProvisioningService = dataNodeProvisioningService;
        this.csrStorage = csrMongoStorage;
        this.certMongoStorage = certChainMongoStorage;
        this.caService = caService;
        this.passwordSecret = str;
        this.configuration = configuration;
        this.nodeService = nodeService;
        this.csrSigner = csrSigner;
        this.clusterConfigService = clusterConfigService;
        this.preflightConfigService = preflightConfigService;
        this.indexerJwtAuthTokenProvider = indexerJwtAuthTokenProvider;
        this.notificationService = notificationService;
        this.okHttpClient = Suppliers.memoize(() -> {
            return buildConnectivityCheckOkHttpClient(customCAX509TrustManager);
        });
    }

    /* JADX INFO: Access modifiers changed from: private */
    public static OkHttpClient buildConnectivityCheckOkHttpClient(X509TrustManager x509TrustManager) {
        try {
            OkHttpClient.Builder builder = new OkHttpClient.Builder();
            SSLContext sSLContext = SSLContext.getInstance("TLS");
            sSLContext.init(null, new TrustManager[]{x509TrustManager}, new SecureRandom());
            builder.sslSocketFactory(sSLContext.getSocketFactory(), x509TrustManager);
            return builder.build();
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            LOG.error("Could not set Graylog CA trust manager: {}", e.getMessage(), e);
            throw new RuntimeException(e);
        }
    }

    private RenewalPolicy getRenewalPolicy() {
        return (RenewalPolicy) this.clusterConfigService.get(RenewalPolicy.class);
    }

    @Override // org.graylog2.plugin.periodical.Periodical
    public void doRun() {
        LOG.debug("checking if there are configuration steps to take care of");
        try {
            List<DataNodeProvisioningConfig> findAllNodesThatNeedAttention = this.dataNodeProvisioningService.findAllNodesThatNeedAttention();
            if (!findAllNodesThatNeedAttention.isEmpty()) {
                char[] charArray = this.configuration.configuredCaExists() ? this.configuration.getCaPassword().toCharArray() : this.passwordSecret.toCharArray();
                Optional<KeyStore> loadKeyStore = this.caService.loadKeyStore();
                if (loadKeyStore.isEmpty()) {
                    LOG.debug("No keystore available.");
                    return;
                }
                RenewalPolicy renewalPolicy = getRenewalPolicy();
                if (renewalPolicy == null) {
                    LOG.debug("No renewal policy available.");
                    return;
                }
                Map map = (Map) findAllNodesThatNeedAttention.stream().collect(Collectors.groupingBy(dataNodeProvisioningConfig -> {
                    return (DataNodeProvisioningConfig.State) Optional.ofNullable(dataNodeProvisioningConfig.state()).orElse(DataNodeProvisioningConfig.State.UNCONFIGURED);
                }));
                if (this.preflightConfigService.getPreflightConfigResult().equals(PreflightConfigResult.FINISHED)) {
                    List list = (List) map.getOrDefault(DataNodeProvisioningConfig.State.UNCONFIGURED, List.of());
                    if (renewalPolicy.mode().equals(RenewalPolicy.Mode.AUTOMATIC)) {
                        list.forEach(dataNodeProvisioningConfig2 -> {
                            this.dataNodeProvisioningService.save(dataNodeProvisioningConfig2.asConfigured());
                        });
                    } else {
                        if (!list.isEmpty()) {
                            this.notificationService.publishIfFirst(this.notificationService.buildNow().addType(Notification.Type.DATA_NODE_NEEDS_PROVISIONING).addSeverity(Notification.Severity.URGENT));
                        } else {
                            this.notificationService.fixed(Notification.Type.DATA_NODE_NEEDS_PROVISIONING);
                        }
                    }
                }
                KeyStore keyStore = loadKeyStore.get();
                List list2 = (List) map.getOrDefault(DataNodeProvisioningConfig.State.CSR, List.of());
                if (!list2.isEmpty()) {
                    PrivateKey privateKey = (PrivateKey) keyStore.getKey(CertConstants.CA_KEY_ALIAS, charArray);
                    X509Certificate x509Certificate = (X509Certificate) keyStore.getCertificate(CertConstants.CA_KEY_ALIAS);
                    list2.forEach(dataNodeProvisioningConfig3 -> {
                        try {
                            Optional<PKCS10CertificationRequest> readCsr = this.csrStorage.readCsr(dataNodeProvisioningConfig3.nodeId());
                            if (readCsr.isEmpty()) {
                                LOG.error("Node in CSR state, but no CSR present : " + dataNodeProvisioningConfig3.nodeId());
                                this.dataNodeProvisioningService.save(dataNodeProvisioningConfig3.asError("Node in CSR state, but no CSR present"));
                            } else {
                                this.certMongoStorage.writeCertChain(new CertificateChain(this.csrSigner.sign(privateKey, x509Certificate, readCsr.get(), renewalPolicy), List.of(x509Certificate)), dataNodeProvisioningConfig3.nodeId());
                            }
                        } catch (Exception e) {
                            LOG.error("Could not sign CSR: " + e.getMessage(), e);
                            this.dataNodeProvisioningService.save(dataNodeProvisioningConfig3.asError(e.getMessage()));
                        }
                    });
                }
                ((List) map.getOrDefault(DataNodeProvisioningConfig.State.STORED, List.of())).forEach(dataNodeProvisioningConfig4 -> {
                    this.dataNodeProvisioningService.save(dataNodeProvisioningConfig4.asConnecting());
                    this.executor.submit(() -> {
                        checkConnectivity(dataNodeProvisioningConfig4);
                    });
                });
            }
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | KeyStoreStorageException e) {
            throw new RuntimeException(e);
        }
    }

    private void checkConnectivity(final DataNodeProvisioningConfig dataNodeProvisioningConfig) {
        LOG.info("Starting connectivity check with node {}, silencing error messages for {} seconds.", dataNodeProvisioningConfig.nodeId(), Long.valueOf(DELAY_BEFORE_SHOWING_EXCEPTIONS.getSeconds()));
        String nodeId = dataNodeProvisioningConfig.nodeId();
        try {
            Response response = (Response) RetryerBuilder.newBuilder().withWaitStrategy(WaitStrategies.fixedWait(3L, TimeUnit.SECONDS)).withStopStrategy(StopStrategies.stopAfterAttempt(40)).withRetryListener(new RetryListener() { // from class: org.graylog2.bootstrap.preflight.GraylogCertificateProvisioningPeriodical.1
                public <V> void onRetry(Attempt<V> attempt) {
                    if (attempt.getDelaySinceFirstAttempt() > GraylogCertificateProvisioningPeriodical.DELAY_BEFORE_SHOWING_EXCEPTIONS.toMillis()) {
                        if (!attempt.hasException()) {
                            GraylogCertificateProvisioningPeriodical.LOG.warn("Error trying to connect to data node  {}, retrying (attempt #{})", dataNodeProvisioningConfig.nodeId(), Long.valueOf(attempt.getAttemptNumber()));
                        } else {
                            GraylogCertificateProvisioningPeriodical.LOG.warn("Error trying to connect to data node  {}: {}, retrying (attempt #{})", new Object[]{dataNodeProvisioningConfig.nodeId(), attempt.getExceptionCause().getMessage(), Long.valueOf(attempt.getAttemptNumber())});
                        }
                    }
                }
            }).retryIfResult(response2 -> {
                return !response2.isSuccessful();
            }).retryIfException().build().call(() -> {
                return this.okHttpClient.get().newBuilder().authenticator((route, response3) -> {
                    return response3.request().newBuilder().header("Authorization", this.indexerJwtAuthTokenProvider.m1194get()).build();
                }).build().newCall(new Request.Builder().url(this.nodeService.byNodeId(nodeId).getTransportAddress()).build()).execute();
            });
            try {
                if (response.isSuccessful()) {
                    this.dataNodeProvisioningService.save(dataNodeProvisioningConfig.asConnected());
                    LOG.info("Connectivity check successful with node {}", nodeId);
                } else {
                    this.dataNodeProvisioningService.save(dataNodeProvisioningConfig.asError("Data Node not reachable: " + response.message()));
                }
                if (response != null) {
                    response.close();
                }
            } catch (Throwable th) {
                if (response != null) {
                    try {
                        response.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (RetryException e) {
            LOG.error("Error trying to connect to data node  {}: {}", dataNodeProvisioningConfig.nodeId(), e.getMessage());
            this.dataNodeProvisioningService.save(dataNodeProvisioningConfig.asError(((Throwable) Optional.ofNullable(e.getLastFailedAttempt().getExceptionCause()).orElse(e)).getMessage()));
        } catch (ExecutionException e2) {
            LOG.error("Error trying to connect to data node  {}: {}", dataNodeProvisioningConfig.nodeId(), e2.getMessage());
            this.dataNodeProvisioningService.save(dataNodeProvisioningConfig.asError(e2.getMessage()));
        }
    }

    @Override // org.graylog2.plugin.periodical.Periodical
    @NotNull
    protected Logger getLogger() {
        return LOG;
    }

    @Override // org.graylog2.plugin.periodical.Periodical
    public boolean runsForever() {
        return false;
    }

    @Override // org.graylog2.plugin.periodical.Periodical
    public boolean stopOnGracefulShutdown() {
        return true;
    }

    @Override // org.graylog2.plugin.periodical.Periodical
    public boolean leaderOnly() {
        return true;
    }

    @Override // org.graylog2.plugin.periodical.Periodical
    public boolean startOnThisNode() {
        return true;
    }

    @Override // org.graylog2.plugin.periodical.Periodical
    public boolean isDaemon() {
        return true;
    }

    @Override // org.graylog2.plugin.periodical.Periodical
    public int getInitialDelaySeconds() {
        return 2;
    }

    @Override // org.graylog2.plugin.periodical.Periodical
    public int getPeriodSeconds() {
        return 2;
    }
}
