package com.atlassian.bitbucket.internal.x509;

import com.atlassian.bitbucket.AuthorisationException;
import com.atlassian.bitbucket.dmz.features.RequireFeature;
import com.atlassian.bitbucket.dmz.x509.DmzX509Certificate;
import com.atlassian.bitbucket.dmz.x509.DmzX509CertificateService;
import com.atlassian.bitbucket.dmz.x509.DmzX509CertificateSupplier;
import com.atlassian.bitbucket.dmz.x509.X509CertificateAlreadyExistsException;
import com.atlassian.bitbucket.dmz.x509.X509CertificateIOException;
import com.atlassian.bitbucket.dmz.x509.X509CertificateNotFoundException;
import com.atlassian.bitbucket.dmz.x509.event.X509CertificateCreatedEvent;
import com.atlassian.bitbucket.dmz.x509.event.X509CertificateDeletedEvent;
import com.atlassian.bitbucket.i18n.I18nService;
import com.atlassian.bitbucket.internal.x509.dao.X509CertificateDao;
import com.atlassian.bitbucket.internal.x509.model.InternalX509Certificate;
import com.atlassian.bitbucket.io.InputSupplier;
import com.atlassian.bitbucket.permission.Permission;
import com.atlassian.bitbucket.permission.PermissionService;
import com.atlassian.bitbucket.server.StandardFeature;
import com.atlassian.bitbucket.util.Page;
import com.atlassian.bitbucket.util.PageRequest;
import com.atlassian.bitbucket.util.PageUtils;
import com.atlassian.event.api.EventPublisher;
import com.atlassian.stash.internal.annotation.Unsecured;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.cert.CertificateEncodingException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Objects;
import javax.annotation.Nonnull;
import org.apache.commons.codec.digest.DigestUtils;
import org.springframework.security.access.annotation.Secured;
import org.springframework.transaction.annotation.Transactional;

@RequireFeature(StandardFeature.X509_CERTIFICATE_SIGNING)
/* loaded from: input_file:com/atlassian/bitbucket/internal/x509/DefaultX509CertificateService.class */
public class DefaultX509CertificateService implements DmzX509CertificateService {
    static final int CERTIFICATE_PAGE_SIZE = 500;
    private final EventPublisher eventPublisher;
    private final I18nService i18nService;
    private final PermissionService permissionService;
    private final X509CertificateDao x509CertificateDao;
    private final X509CertificateFactory x509CertificateFactory;
    private final X509RevokedCertificateHelper x509RevokedCertificateHelper;

    public DefaultX509CertificateService(EventPublisher eventPublisher, I18nService i18nService, PermissionService permissionService, X509CertificateDao x509CertificateDao, X509CertificateFactory x509CertificateFactory, X509RevokedCertificateHelper x509RevokedCertificateHelper) {
        this.eventPublisher = eventPublisher;
        this.i18nService = i18nService;
        this.permissionService = permissionService;
        this.x509CertificateDao = x509CertificateDao;
        this.x509CertificateFactory = x509CertificateFactory;
        this.x509RevokedCertificateHelper = x509RevokedCertificateHelper;
    }

    @Nonnull
    @Secured({"Secured internally by an explicit permission check"})
    @Transactional
    public DmzX509Certificate create(@Nonnull DmzX509CertificateSupplier dmzX509CertificateSupplier) throws X509CertificateIOException {
        Objects.requireNonNull(dmzX509CertificateSupplier, "certificateSupplier");
        requireGlobalAdmin();
        X509Certificate generateX509Certificate = generateX509Certificate((InputSupplier<InputStream>) dmzX509CertificateSupplier);
        try {
            byte[] encoded = generateX509Certificate.getEncoded();
            String sha256Hex = DigestUtils.sha256Hex(encoded);
            if (this.x509CertificateDao.getByFingerprint(sha256Hex).isPresent()) {
                throw new X509CertificateAlreadyExistsException(this.i18nService.createKeyedMessage("bitbucket.service.x509.certificate.exists", new Object[]{sha256Hex}));
            }
            InternalX509Certificate build = new InternalX509Certificate.Builder().encoded(encoded).fingerprint(sha256Hex).build();
            DmzX509Certificate dmzX509Certificate = (DmzX509Certificate) this.x509CertificateDao.create(build);
            this.eventPublisher.publish(new X509CertificateCreatedEvent(this, dmzX509Certificate));
            this.x509RevokedCertificateHelper.updateRevokedCertificates(build, generateX509Certificate);
            return dmzX509Certificate;
        } catch (CertificateEncodingException e) {
            throw new X509CertificateIOException(this.i18nService.createKeyedMessage("bitbucket.service.x509.certificate.encoding.invalid", new Object[]{generateX509Certificate, e}));
        }
    }

    @Secured({"Secured internally by an explicit permission check"})
    @Transactional
    public void delete(long j) {
        requireGlobalAdmin();
        InternalX509Certificate internalX509Certificate = (InternalX509Certificate) this.x509CertificateDao.getById(Long.valueOf(j));
        if (internalX509Certificate == null) {
            throw new X509CertificateNotFoundException(this.i18nService.createKeyedMessage("bitbucket.service.x509.certificate.not.found", new Object[]{Long.valueOf(j)}));
        }
        this.x509CertificateDao.deleteById(Long.valueOf(j));
        this.eventPublisher.publish(new X509CertificateDeletedEvent(this, internalX509Certificate));
    }

    @Nonnull
    @Secured({"Secured internally by an explicit permission check"})
    @Transactional(readOnly = true)
    public Page<DmzX509Certificate> findAll(@Nonnull PageRequest pageRequest) {
        Objects.requireNonNull(pageRequest, "pageRequest");
        requireGlobalAdmin();
        return PageUtils.asPageOf(DmzX509Certificate.class, this.x509CertificateDao.findAll(pageRequest));
    }

    @Transactional
    @Unsecured("Internal only method")
    public void runRevokedCertificatesUpdateJob() {
        X509CertificateDao x509CertificateDao = this.x509CertificateDao;
        Objects.requireNonNull(x509CertificateDao);
        PageUtils.toStream(x509CertificateDao::findAll, CERTIFICATE_PAGE_SIZE).forEach(internalX509Certificate -> {
            this.x509RevokedCertificateHelper.updateRevokedCertificates(internalX509Certificate, generateX509Certificate(internalX509Certificate.getEncoded()));
        });
    }

    @Secured({"Secured internally by an explicit permission check"})
    @Transactional
    public void updateRevokedCertificates(long j) {
        requireGlobalAdmin();
        InternalX509Certificate internalX509Certificate = (InternalX509Certificate) this.x509CertificateDao.getById(Long.valueOf(j));
        if (internalX509Certificate == null) {
            throw new X509CertificateNotFoundException(this.i18nService.createKeyedMessage("bitbucket.service.x509.certificate.not.found", new Object[]{Long.valueOf(j)}));
        }
        this.x509RevokedCertificateHelper.updateRevokedCertificates(internalX509Certificate, generateX509Certificate(internalX509Certificate.getEncoded()));
    }

    private X509Certificate generateX509Certificate(byte[] bArr) {
        return generateX509Certificate(() -> {
            return new ByteArrayInputStream(bArr);
        });
    }

    private X509Certificate generateX509Certificate(InputSupplier<InputStream> inputSupplier) {
        try {
            InputStream inputStream = (InputStream) inputSupplier.open();
            try {
                X509Certificate generateCertificate = this.x509CertificateFactory.generateCertificate(inputStream);
                if (inputStream != null) {
                    inputStream.close();
                }
                return generateCertificate;
            } catch (Throwable th) {
                if (inputStream != null) {
                    try {
                        inputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        } catch (IOException e) {
            throw new X509CertificateIOException(this.i18nService.createKeyedMessage("bitbucket.service.x509.certificate.read.failed", new Object[]{e}));
        } catch (CertificateException e2) {
            throw new X509CertificateIOException(this.i18nService.createKeyedMessage("bitbucket.service.x509.certificate.parse.failed", new Object[]{e2}));
        }
    }

    private void requireGlobalAdmin() {
        if (!this.permissionService.hasGlobalPermission(Permission.ADMIN)) {
            throw new AuthorisationException(this.i18nService.createKeyedMessage("bitbucket.service.x509.certificate.permissions.insufficient", new Object[0]));
        }
    }
}
