package _ss_com.streamsets.datacollector.publicrestapi;

import _ss_com.com.google.common.base.Preconditions;
import _ss_com.streamsets.datacollector.event.handler.remote.RemoteEventHandlerTask;
import _ss_com.streamsets.datacollector.main.RuntimeInfo;
import _ss_com.streamsets.datacollector.restapi.WebServerAgentCondition;
import _ss_com.streamsets.datacollector.security.SecurityConfiguration;
import _ss_com.streamsets.datacollector.util.Configuration;
import _ss_com.streamsets.lib.security.http.CredentialDeploymentResponseJson;
import _ss_com.streamsets.lib.security.http.CredentialDeploymentStatus;
import _ss_com.streamsets.lib.security.http.CredentialsBeanJson;
import _ss_com.streamsets.lib.security.http.RemoteSSOService;
import _ss_org.apache.commons.collections.CollectionUtils;
import _ss_org.apache.commons.io.Charsets;
import _ss_org.apache.commons.lang3.StringUtils;
import io.swagger.annotations.Api;
import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.security.InvalidKeyException;
import java.security.KeyFactory;
import java.security.NoSuchAlgorithmException;
import java.security.PublicKey;
import java.security.Signature;
import java.security.SignatureException;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.X509EncodedKeySpec;
import java.util.Base64;
import java.util.concurrent.atomic.AtomicInteger;
import javax.annotation.security.PermitAll;
import javax.inject.Inject;
import javax.ws.rs.Consumes;
import javax.ws.rs.POST;
import javax.ws.rs.Path;
import javax.ws.rs.Produces;
import javax.ws.rs.core.MediaType;
import javax.ws.rs.core.Response;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

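/**
 * Public REST resource through which a cluster manager agent pushes the Control Hub (DPM)
 * application token, and optionally Kerberos credentials, into this Data Collector.
 *
 * <p>The resource is {@code @PermitAll}: the only gate is the RSA signature over the token,
 * checked against the public key held in the {@value #DPM_AGENT_PUBLIC_KEY} system property.
 *
 * <p>NOTE(review): only the token bytes are signed. As far as this class shows, the other
 * bean fields (dpmUrl, deploymentId, labels, principal, keytab) are not covered by the
 * signature and there is no nonce or timestamp, so those fields should be treated as
 * unauthenticated input and the token/signature pair as replayable until credentials have
 * been deployed once.
 */
@Api("deployment")
@Path("/v1/deployment")
@PermitAll
/* loaded from: input_file:_ss_com/streamsets/datacollector/publicrestapi/CredentialsDeploymentResource.class */
public class CredentialsDeploymentResource {
    private static final Logger LOG = LoggerFactory.getLogger(CredentialsDeploymentResource.class);
    private static final String APPLICATION_TOKEN_TXT = "application-token.txt";
    private static final int MAX_FAILURES_ALLOWED = 100;
    static final String DPM_AGENT_PUBLIC_KEY = "streamsets.cluster.manager.public.key";
    private final RuntimeInfo runtimeInfo;
    /** Number of requests whose signature did not validate. */
    private final AtomicInteger failedCount = new AtomicInteger(0);

    @Inject
    public CredentialsDeploymentResource(RuntimeInfo runtimeInfo) {
        this.runtimeInfo = runtimeInfo;
    }

    /**
     * Validates the signed token and, on first successful receipt, writes the DPM token and
     * any Kerberos credentials into the configuration directory.
     *
     * @param credentialsBeanJson credentials payload sent by the agent
     * @return 400 when the signature does not validate; otherwise 200 with the deployment status
     * @throws Exception if key material cannot be loaded or a configuration file cannot be written
     */
    @Path("/deployCredentials")
    @Consumes({MediaType.APPLICATION_JSON})
    @POST
    @Produces({MediaType.APPLICATION_JSON})
    public Response deployCredentials(CredentialsBeanJson credentialsBeanJson) throws Exception {
        LOG.info("Credentials have been received. Validating..");
        if (!validateSignature(credentialsBeanJson)) {
            // Use the value returned by the increment so the log line and the threshold check
            // cannot disagree under concurrent requests.
            int failures = this.failedCount.incrementAndGet();
            LOG.warn("Received credentials were invalid, {} of maximum {} attempts", failures, MAX_FAILURES_ALLOWED);
            if (failures > MAX_FAILURES_ALLOWED) {
                // NOTE(review): the endpoint is @PermitAll, so this budget can be spent by any
                // client that can reach it. The fail-closed exit is the existing behaviour and
                // is kept; network-level restriction of this path is worth confirming.
                LOG.error("Failed to validate Cluster Manager credentials {} times, likely due to agent failure or a denial of service attack", MAX_FAILURES_ALLOWED);
                System.exit(-1);
            }
            return Response.status(Response.Status.BAD_REQUEST).entity("Cannot validate the received credentials").build();
        }
        CredentialDeploymentStatus credentialDeploymentStatus;
        // NOTE(review): the check and the later setCredentialsReceived() are not atomic here;
        // confirm whether two concurrent valid requests can both reach the deploy branch.
        if (WebServerAgentCondition.getReceivedCredentials()) {
            LOG.info("Credentials already received, so not using the token");
            credentialDeploymentStatus = CredentialDeploymentStatus.CREDENTIAL_NOT_USED_ALREADY_DEPLOYED;
        } else {
            deployDPMToken(credentialsBeanJson);
            handleKerberos(credentialsBeanJson);
            WebServerAgentCondition.setCredentialsReceived();
            credentialDeploymentStatus = CredentialDeploymentStatus.CREDENTIAL_USED_AND_DEPLOYED;
        }
        return Response.ok(new CredentialDeploymentResponseJson(this.runtimeInfo.getId(), credentialDeploymentStatus)).build();
    }

    /**
     * Verifies the SHA256withRSA signature of the token against the configured public key.
     *
     * <p>A missing payload, token or signature, a signature that is not valid Base64, or one
     * the verifier rejects as malformed all count as "invalid" (return {@code false}) so that
     * they take the same 400 path and failure accounting as a wrong signature.
     *
     * @return {@code true} only when the signature verifies over the UTF-8 bytes of the token
     * @throws NullPointerException if the public-key system property is not set
     */
    private boolean validateSignature(CredentialsBeanJson credentialsBeanJson) throws NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, SignatureException {
        if (credentialsBeanJson == null
                || credentialsBeanJson.getToken() == null
                || credentialsBeanJson.getTokenSignature() == null) {
            return false;
        }
        String encodedKey = (String) Preconditions.checkNotNull(System.getProperty(DPM_AGENT_PUBLIC_KEY));
        PublicKey publicKey = KeyFactory.getInstance("RSA")
                .generatePublic(new X509EncodedKeySpec(Base64.getDecoder().decode(encodedKey)));
        Signature verifier = Signature.getInstance("SHA256withRSA");
        verifier.initVerify(publicKey);
        verifier.update(credentialsBeanJson.getToken().getBytes(Charsets.UTF_8));
        // The token is a bearer credential and must not be written to the log; the signature
        // is left out as well because the pair together is what this endpoint accepts.
        try {
            return verifier.verify(Base64.getDecoder().decode(credentialsBeanJson.getTokenSignature()));
        } catch (IllegalArgumentException | SignatureException e) {
            // Base64 decoding failed, or the verifier reported an improperly encoded signature.
            LOG.debug("Token signature could not be decoded or verified", e);
            return false;
        }
    }

    /**
     * Writes the keytab and enables Kerberos in {@code sdc.properties} when the payload
     * carries a principal; does nothing otherwise.
     *
     * @throws IOException if the keytab or the properties file cannot be read or written
     */
    private void handleKerberos(CredentialsBeanJson credentialsBeanJson) throws IOException {
        if (StringUtils.isEmpty(credentialsBeanJson.getPrincipal())) {
            return;
        }
        LOG.info("Kerberos credentials found, deploying..");
        // TRUNCATE_EXISTING: without it, overwriting a longer existing keytab would leave the
        // old trailing bytes in place and corrupt the file.
        // NOTE(review): the keytab is created with the process default permissions; confirm
        // the configuration directory is not readable by other local users.
        Files.write(
                Paths.get(this.runtimeInfo.getConfigDir(), SecurityConfiguration.KERBEROS_KEYTAB_DEFAULT),
                Base64.getDecoder().decode(credentialsBeanJson.getKeytab()),
                StandardOpenOption.CREATE,
                StandardOpenOption.WRITE,
                StandardOpenOption.TRUNCATE_EXISTING);
        File sdcProperties = new File(this.runtimeInfo.getConfigDir(), "sdc.properties");
        Configuration configuration = new Configuration();
        try (FileReader reader = new FileReader(sdcProperties)) {
            configuration.load(reader);
        }
        configuration.set(SecurityConfiguration.KERBEROS_PRINCIPAL_KEY, credentialsBeanJson.getPrincipal());
        configuration.set(SecurityConfiguration.KERBEROS_ENABLED_KEY, true);
        configuration.set(SecurityConfiguration.KERBEROS_KEYTAB_KEY, SecurityConfiguration.KERBEROS_KEYTAB_DEFAULT);
        try (FileWriter writer = new FileWriter(sdcProperties)) {
            configuration.save(writer);
        }
        LOG.info("Kerberos credentials deployed.");
    }

    /**
     * Stores the application token in {@code application-token.txt} and rewrites
     * {@code dpm.properties} to enable DPM with the received deployment id, labels and base URL.
     *
     * @throws IllegalArgumentException if the DPM URL contains a line break
     * @throws IOException if a file in the configuration directory cannot be read or written
     */
    private void deployDPMToken(CredentialsBeanJson credentialsBeanJson) throws IOException {
        LOG.info("Deploying DPM token");
        // The base URL is appended to dpm.properties as a raw line (see below), so a CR or LF
        // inside it would start an additional property line. Reject it before touching any file.
        String baseUrlLine = "dpm.base.url=" + credentialsBeanJson.getDpmUrl();
        if (baseUrlLine.indexOf('\n') >= 0 || baseUrlLine.indexOf('\r') >= 0) {
            throw new IllegalArgumentException("DPM URL must not contain line breaks");
        }
        File dpmProperties = new File(this.runtimeInfo.getConfigDir(), "dpm.properties");
        Configuration configuration = new Configuration();
        // TRUNCATE_EXISTING: a shorter token must fully replace a longer one already on disk.
        // NOTE(review): the token file is created with the process default permissions.
        Files.write(
                Paths.get(this.runtimeInfo.getConfigDir(), APPLICATION_TOKEN_TXT),
                credentialsBeanJson.getToken().getBytes(Charsets.UTF_8),
                StandardOpenOption.CREATE,
                StandardOpenOption.WRITE,
                StandardOpenOption.TRUNCATE_EXISTING);
        try (FileReader reader = new FileReader(dpmProperties)) {
            configuration.load(reader);
        }
        // The base URL is removed from the Configuration and appended as a raw line after save.
        configuration.unset(RemoteSSOService.DPM_BASE_URL_CONFIG);
        configuration.set(RemoteSSOService.DPM_ENABLED, true);
        configuration.set(RemoteSSOService.SECURITY_SERVICE_APP_AUTH_TOKEN_CONFIG, "${file(application-token.txt)}");
        configuration.set(RemoteSSOService.DPM_DEPLOYMENT_ID, credentialsBeanJson.getDeploymentId());
        this.runtimeInfo.setDeploymentId(credentialsBeanJson.getDeploymentId());
        if (!CollectionUtils.isEmpty(credentialsBeanJson.getLabels())) {
            String labels = StringUtils.join(credentialsBeanJson.getLabels().toArray(), ",");
            LOG.info("SDC will have the following Labels: {}", labels);
            configuration.set(RemoteEventHandlerTask.REMOTE_JOB_LABELS, labels);
        }
        try (FileWriter writer = new FileWriter(dpmProperties)) {
            configuration.save(writer);
        }
        // Left on the platform default charset so the appended line matches the FileWriter
        // and FileReader that write and re-read this same file.
        Files.write(dpmProperties.toPath(), baseUrlLine.getBytes(), StandardOpenOption.APPEND);
        this.runtimeInfo.setDPMEnabled(true);
        LOG.info("DPM token deployed");
    }
}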
