package org.graylog.security.certutil;

import com.google.common.annotations.VisibleForTesting;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.LocalDateTime;
import java.time.ZoneId;
import java.time.temporal.TemporalAmount;
import java.util.Date;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import javax.inject.Inject;
import javax.inject.Named;
import javax.inject.Singleton;
import org.graylog.scheduler.DBJobTriggerService;
import org.graylog.scheduler.clock.JobSchedulerClock;
import org.graylog.security.certutil.CertRenewalService;
import org.graylog.security.certutil.ca.exceptions.KeyStoreStorageException;
import org.graylog.security.certutil.keystore.storage.KeystoreMongoStorage;
import org.graylog.security.certutil.keystore.storage.location.KeystoreMongoCollections;
import org.graylog.security.certutil.keystore.storage.location.KeystoreMongoLocation;
import org.graylog2.cluster.Node;
import org.graylog2.cluster.NodeService;
import org.graylog2.cluster.preflight.DataNodeProvisioningConfig;
import org.graylog2.cluster.preflight.DataNodeProvisioningService;
import org.graylog2.notifications.Notification;
import org.graylog2.notifications.NotificationService;
import org.graylog2.plugin.certificates.RenewalPolicy;
import org.graylog2.plugin.cluster.ClusterConfigService;
import org.joda.time.DateTime;
import org.joda.time.DateTimeZone;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

@Singleton
/* loaded from: input_file:org/graylog/security/certutil/CertRenewalServiceImpl.class */
public class CertRenewalServiceImpl implements CertRenewalService {
    private static final Logger LOG = LoggerFactory.getLogger(CertRenewalServiceImpl.class);
    private final ClusterConfigService clusterConfigService;
    private final KeystoreMongoStorage keystoreMongoStorage;
    private final NodeService nodeService;
    private final DataNodeProvisioningService dataNodeProvisioningService;
    private final NotificationService notificationService;
    private final DBJobTriggerService jobTriggerService;
    private final JobSchedulerClock clock;
    private final CaService caService;
    private final char[] passwordSecret;
    private long CERT_RENEWAL_THRESHOLD_PERCENTAGE;

    @Inject
    public CertRenewalServiceImpl(ClusterConfigService clusterConfigService, KeystoreMongoStorage keystoreMongoStorage, NodeService nodeService, DataNodeProvisioningService dataNodeProvisioningService, NotificationService notificationService, DBJobTriggerService dBJobTriggerService, CaService caService, JobSchedulerClock jobSchedulerClock, @Named("password_secret") String str) {
        this.CERT_RENEWAL_THRESHOLD_PERCENTAGE = 10L;
        this.clusterConfigService = clusterConfigService;
        this.keystoreMongoStorage = keystoreMongoStorage;
        this.nodeService = nodeService;
        this.dataNodeProvisioningService = dataNodeProvisioningService;
        this.notificationService = notificationService;
        this.jobTriggerService = dBJobTriggerService;
        this.clock = jobSchedulerClock;
        this.caService = caService;
        this.passwordSecret = str.toCharArray();
    }

    @VisibleForTesting
    CertRenewalServiceImpl(JobSchedulerClock jobSchedulerClock) {
        this(null, null, null, null, null, null, null, jobSchedulerClock, "dummy");
    }

    private RenewalPolicy getRenewalPolicy() {
        return (RenewalPolicy) this.clusterConfigService.get(RenewalPolicy.class);
    }

    boolean needsRenewal(DateTime dateTime, RenewalPolicy renewalPolicy, X509Certificate x509Certificate) {
        try {
            x509Certificate.checkValidity(calculateThreshold(renewalPolicy.certificateLifetime()));
            x509Certificate.checkValidity(dateTime.toDate());
            return false;
        } catch (CertificateExpiredException e) {
            LOG.debug("Certificate about to expire.");
            return true;
        } catch (CertificateNotYetValidException e2) {
            LOG.debug("Certificate not yet valid - which is surprising, but ignoring it.");
            return false;
        }
    }

    /* JADX WARN: Type inference failed for: r0v1, types: [java.time.ZonedDateTime] */
    Date convertToDateViaInstant(LocalDateTime localDateTime) {
        return Date.from(localDateTime.atZone(ZoneId.systemDefault()).toInstant());
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r0v7, types: [java.time.LocalDateTime] */
    Date calculateThreshold(String str) {
        return convertToDateViaInstant(this.clock.now(ZoneId.systemDefault()).plus((TemporalAmount) Duration.parse(str).dividedBy(this.CERT_RENEWAL_THRESHOLD_PERCENTAGE)).toLocalDateTime());
    }

    @Override // org.graylog.security.certutil.CertRenewalService
    public void checkCertificatesForRenewal() {
        RenewalPolicy renewalPolicy = getRenewalPolicy();
        if (renewalPolicy != null) {
            checkDataNodesCertificatesForRenewal(renewalPolicy);
            checkCaCertificatesForRenewal(renewalPolicy);
        }
    }

    private DateTime getNextRenewal() {
        return (DateTime) this.jobTriggerService.getOneForJob(CheckForCertRenewalJob.RENEWAL_JOB_ID).map((v0) -> {
            return v0.nextTime();
        }).orElse(DateTime.now(DateTimeZone.UTC).plusMinutes(30));
    }

    protected void checkCaCertificatesForRenewal(RenewalPolicy renewalPolicy) {
        try {
            Optional<KeyStore> loadKeyStore = this.caService.loadKeyStore();
            if (loadKeyStore.isPresent()) {
                if (needsRenewal(getNextRenewal(), renewalPolicy, (X509Certificate) loadKeyStore.get().getCertificate(CertConstants.CA_KEY_ALIAS))) {
                    this.notificationService.fixed(Notification.Type.CERTIFICATE_NEEDS_RENEWAL, "ca cert");
                }
            }
        } catch (KeyStoreException | NoSuchAlgorithmException | KeyStoreStorageException e) {
            LOG.error("Could not read CA keystore: {}", e.getMessage());
        }
    }

    private Optional<KeyStore> loadKeyStoreForNode(Node node) {
        try {
            return this.keystoreMongoStorage.readKeyStore(new KeystoreMongoLocation(node.getNodeId(), KeystoreMongoCollections.DATA_NODE_KEYSTORE_COLLECTION), this.passwordSecret);
        } catch (KeyStoreStorageException e) {
            return Optional.empty();
        }
    }

    private Optional<X509Certificate> getCertificateForNode(KeyStore keyStore) {
        try {
            return Optional.of((X509Certificate) keyStore.getCertificate("datanode"));
        } catch (KeyStoreException e) {
            return Optional.empty();
        }
    }

    protected List<Node> findNodesThatNeedCertificateRenewal(RenewalPolicy renewalPolicy) {
        DateTime nextRenewal = getNextRenewal();
        return this.nodeService.allActive(Node.Type.DATANODE).values().stream().map(node -> {
            Optional<U> flatMap = loadKeyStoreForNode(node).flatMap(this::getCertificateForNode);
            if (flatMap.isPresent() && needsRenewal(nextRenewal, renewalPolicy, (X509Certificate) flatMap.get())) {
                return node;
            }
            return null;
        }).filter((v0) -> {
            return Objects.nonNull(v0);
        }).toList();
    }

    @Override // org.graylog.security.certutil.CertRenewalService
    public void initiateRenewalForNode(String str) {
        this.dataNodeProvisioningService.save((DataNodeProvisioningConfig) this.dataNodeProvisioningService.getPreflightConfigFor(str).map((v0) -> {
            return v0.asConfigured();
        }).orElseThrow(() -> {
            return new IllegalStateException("No config found for data node " + str);
        }));
    }

    @Override // org.graylog.security.certutil.CertRenewalService
    public List<CertRenewalService.DataNode> findNodes() {
        return this.nodeService.allActive(Node.Type.DATANODE).values().stream().map(node -> {
            Optional map = loadKeyStoreForNode(node).flatMap(this::getCertificateForNode).map(x509Certificate -> {
                return x509Certificate.getNotAfter().toInstant().atZone(ZoneId.systemDefault()).toLocalDateTime();
            });
            DataNodeProvisioningConfig orElseThrow = getDataNodeProvisioningConfig(node).orElseThrow(() -> {
                return new IllegalStateException("No config found for data node " + node.getNodeId());
            });
            return new CertRenewalService.DataNode(node.getNodeId(), node.getType(), node.getTransportAddress(), orElseThrow.state(), orElseThrow.errorMsg(), node.getHostname(), node.getShortNodeId(), (LocalDateTime) map.orElse(null));
        }).toList();
    }

    private Optional<DataNodeProvisioningConfig> getDataNodeProvisioningConfig(Node node) {
        return this.dataNodeProvisioningService.getPreflightConfigFor(node.getNodeId());
    }

    private void notifyManualRenewalForNode(List<Node> list) {
        String join = String.join(",", list.stream().map((v0) -> {
            return v0.getNodeId();
        }).toList());
        if (!this.notificationService.isFirst(Notification.Type.CERTIFICATE_NEEDS_RENEWAL)) {
            this.notificationService.fixed(Notification.Type.CERTIFICATE_NEEDS_RENEWAL);
        }
        this.notificationService.publishIfFirst(this.notificationService.buildNow().addType(Notification.Type.CERTIFICATE_NEEDS_RENEWAL).addSeverity(Notification.Severity.URGENT).addKey(join).addDetail("nodes", join));
    }

    protected void checkDataNodesCertificatesForRenewal(RenewalPolicy renewalPolicy) {
        List<Node> findNodesThatNeedCertificateRenewal = findNodesThatNeedCertificateRenewal(renewalPolicy);
        if (findNodesThatNeedCertificateRenewal.isEmpty()) {
            return;
        }
        if (RenewalPolicy.Mode.AUTOMATIC.equals(renewalPolicy.mode())) {
            findNodesThatNeedCertificateRenewal.forEach(node -> {
                initiateRenewalForNode(node.getNodeId());
            });
        } else {
            notifyManualRenewalForNode(findNodesThatNeedCertificateRenewal);
        }
    }
}
