package org.graylog.security.certutil.csr;

import jakarta.inject.Inject;
import jakarta.inject.Named;
import java.io.IOException;
import java.io.StringWriter;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Base64;
import java.util.List;
import org.bouncycastle.openssl.jcajce.JcaPEMWriter;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.graylog.security.certutil.CaService;
import org.graylog.security.certutil.CertConstants;
import org.graylog.security.certutil.csr.exceptions.ClientCertGenerationException;
import org.graylog.security.certutil.privatekey.PrivateKeyEncryptedFileStorage;
import org.graylog2.indexer.security.SecurityAdapter;
import org.graylog2.plugin.certificates.RenewalPolicy;
import org.graylog2.plugin.cluster.ClusterConfigService;

/* loaded from: input_file:org/graylog/security/certutil/csr/ClientCertGenerator.class */
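/**
 * Issues client certificates signed by the Graylog CA: builds a key pair and CSR through
 * {@link CsrGenerator}, signs it with {@link CsrSigner}, keeps the client's private key
 * encrypted on disk under {@code data_dir} and records the user-to-role mapping through
 * the indexer {@link SecurityAdapter}.
 */
public class ClientCertGenerator {
    private final CaService caService;
    private final String passwordSecret;
    private final CsrGenerator csrGenerator;
    private final CsrSigner csrSigner;
    private final ClusterConfigService clusterConfigService;
    private final SecurityAdapter securityAdapter;
    private final Path dataDir;

    /**
     * Creates a generator that signs client certificates with the CA held by {@code caService}.
     *
     * @param caService            source of the CA key store
     * @param str                  the {@code password_secret}; used as password of the CA key entry
     * @param path                 the {@code data_dir}; encrypted client keys are stored below it
     * @param csrGenerator         builds the client's key pair and CSR
     * @param csrSigner            signs the CSR with the CA key
     * @param clusterConfigService source of the {@link RenewalPolicy}
     * @param securityAdapter      maintains the user-to-role mapping in the indexer
     */
    @Inject
    public ClientCertGenerator(CaService caService, @Named("password_secret") String str, @Named("data_dir") Path path, CsrGenerator csrGenerator, CsrSigner csrSigner, ClusterConfigService clusterConfigService, SecurityAdapter securityAdapter) {
        this.caService = caService;
        this.passwordSecret = str;
        this.csrGenerator = csrGenerator;
        this.csrSigner = csrSigner;
        this.clusterConfigService = clusterConfigService;
        this.securityAdapter = securityAdapter;
        this.dataDir = path;
    }

    /**
     * Location of the encrypted private-key file for the pair {@code (first, second)}: the
     * Base64 form of {@code first + ":" + second} with a {@code .cert} suffix, below {@code dataDir}.
     *
     * <p>NOTE(review): the standard Base64 alphabet contains {@code '/'}, so the encoded name may
     * hold a path separator and resolve to a nested path under {@code dataDir}. It can never
     * contain {@code ".."}, so the result stays inside {@code dataDir}. The URL-safe encoder would
     * avoid the separator but would relocate files that already exist, so the encoding is kept.
     */
    private Path certFilePath(String first, String second) {
        String encoded = Base64.getEncoder()
                .encodeToString((first + ":" + second).getBytes(StandardCharsets.UTF_8));
        return dataDir.resolve(encoded + ".cert");
    }

    /**
     * Serializes {@code obj} (certificate, key or CSR) into PEM text with BouncyCastle's
     * {@link JcaPEMWriter}.
     *
     * @throws IOException if the PEM writer fails
     */
    private String toPem(Object obj) throws IOException {
        StringWriter out = new StringWriter();
        try (JcaPEMWriter pemWriter = new JcaPEMWriter(out)) {
            pemWriter.writeObject(obj);
        }
        return out.toString();
    }

    /**
     * Generates a key pair and CSR for {@code str}, signs it with the CA, stores the encrypted
     * private key and records the role mapping.
     *
     * @param str  certificate subject; also its single alternative name and the second argument of
     *             the role mapping
     * @param str2 first argument of the role mapping and of the key-file name (the role, presumably)
     * @param cArr password that encrypts the client's private key on disk
     * @return the PEM-encoded CA certificate, encrypted client key and signed client certificate
     * @throws ClientCertGenerationException wrapping any failure of the steps above
     */
    public ClientCert generateClientCert(String str, String str2, char[] cArr) throws ClientCertGenerationException {
        try {
            RenewalPolicy renewalPolicy = (RenewalPolicy) this.clusterConfigService.get(RenewalPolicy.class);
            PrivateKeyEncryptedFileStorage keyStorage = new PrivateKeyEncryptedFileStorage(certFilePath(str2, str));

            // Fail with a meaningful message when no CA key store exists instead of a bare
            // NoSuchElementException from an unchecked get().
            var caKeyStore = this.caService.loadKeyStore();
            if (!caKeyStore.isPresent()) {
                throw new IllegalStateException("CA key store is not available; cannot sign a client certificate");
            }
            KeyStore keyStore = caKeyStore.get();
            PrivateKey caKey = (PrivateKey) keyStore.getKey(CertConstants.CA_KEY_ALIAS, this.passwordSecret.toCharArray());
            X509Certificate caCert = (X509Certificate) keyStore.getCertificate(CertConstants.CA_KEY_ALIAS);

            PKCS10CertificationRequest csr = this.csrGenerator.generateCSR(cArr, str, List.of(str), keyStorage);
            Object clientKey = keyStorage.readEncryptedKey(cArr);
            Object signedCert = this.csrSigner.sign(caKey, caCert, csr, renewalPolicy);

            // PEM-encode before touching the role mapping so an encoding failure cannot leave a
            // mapping behind for a certificate that was never returned.
            String caCertPem = toPem(caCert);
            String clientKeyPem = toPem(clientKey);
            String signedCertPem = toPem(signedCert);

            this.securityAdapter.addUserToRoleMapping(str2, str);
            return new ClientCert(str, str2, caCertPem, clientKeyPem, signedCertPem);
        } catch (Exception e) {
            throw new ClientCertGenerationException("Failed to generate client certificate", e);
        }
    }

    /**
     * Deletes the stored key file for {@code (str, str2)} and, only if a file was actually removed,
     * drops the matching role mapping. The arguments are in the order {@code certFilePath} and the
     * security adapter use them, i.e. {@code removeCertFor(a, b)} undoes
     * {@code generateClientCert(b, a, ...)}.
     *
     * @throws IOException if the file exists but cannot be deleted
     */
    public void removeCertFor(String str, String str2) throws IOException {
        // A single deleteIfExists avoids the exists()/delete() window in which the file could
        // disappear and surface as NoSuchFileException; the mapping is only touched when a file went away.
        if (Files.deleteIfExists(certFilePath(str, str2))) {
            this.securityAdapter.removeUserFromRoleMapping(str, str2);
        }
    }
}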
