package io.bdeploy.bhive.cli;

import io.bdeploy.common.cfg.Configuration;
import io.bdeploy.common.cli.ToolBase;
import io.bdeploy.common.cli.ToolCategory;
import io.bdeploy.common.cli.data.DataResult;
import io.bdeploy.common.cli.data.RenderableResult;
import io.bdeploy.common.security.ApiAccessToken;
import io.bdeploy.common.security.SecurityHelper;
import io.bdeploy.common.util.PathHelper;
import java.nio.file.Path;
import java.nio.file.Paths;

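/**
 * CLI tool for creating, importing, verifying and dumping signed access tokens.
 *
 * <p>Four mutually exclusive modes are selected by boolean flags and dispatched in
 * {@link #run(TokenConfig)} in this order: {@code --create}, {@code --load},
 * {@code --check}, {@code --dump}. If none is set the tool is a no-op.
 *
 * <p>Security notes for operators:
 * <ul>
 *   <li>{@code --passphrase} is taken from the command line, so it is visible in process
 *       listings and shell history on most systems. The tool offers no prompt or
 *       environment-variable alternative; wrap invocations accordingly.</li>
 *   <li>{@code --create} mints a <em>system</em> token carrying
 *       {@link ApiAccessToken#ADMIN_PERMISSION} and prints the resulting signature pack
 *       to stdout. {@code --dump} prints the stored signed token to stdout. Both outputs
 *       are bearer credentials and must be handled as secrets.</li>
 *   <li>The passphrase also lives on as a {@link String} inside the parsed configuration,
 *       so clearing the {@code char[]} copy alone would not remove it from memory.</li>
 * </ul>
 *
 * <p>Note: this listing was recovered by a decompiler. The decompiler reports that
 * {@link #run(TokenConfig)} was originally {@code protected}; it is kept {@code public}
 * here to match the listing (widening an override is legal).
 */
@ToolCategory("Analysis and maintenance commands")
@Configuration.Help("Generate, import and verify access tokens.")
@ToolBase.CliTool.CliName("token")
public class TokenTool extends ToolBase.ConfiguredCliTool<TokenConfig> {

    /** Command line options of the {@code token} tool. */
    public @interface TokenConfig {
        /** Path to the key store; whether it is the PKCS12 private or JKS public store depends on the mode. */
        @Configuration.Help("Path to the (PKCS12) private or (JKS) public key store, depending on other parameters")
        String keystore();

        /** Passphrase for the store and its keys. May be absent; exposed on the command line (see class doc). */
        @Configuration.Help("Passphrase for the keystore and any contained keys")
        String passphrase();

        /** Mode: create a new signature pack from the private key store. */
        @Configuration.Help(value = "Create a token from the private key in the given keystore", arg = false)
        boolean create() default false;

        /** Mode: import a signature pack (public key + token) into the trust store. Requires {@link #pack()}. */
        @Configuration.Help(value = "Load a public key and token and store into the given truststore", arg = false)
        boolean load() default false;

        /** The signature pack to import in {@code --load} mode. */
        @Configuration.Help("The signature pack of the remote to load into the truststore")
        String pack();

        /** Mode: verify a signed token against the private key store. Requires {@link #token()}. */
        @Configuration.Help(value = "Validate a given token against the given private key store", arg = false)
        boolean check() default false;

        /** Mode: print the signed token stored in the trust store to stdout. */
        @Configuration.Help(value = "Dump the current access token in the given truststore", arg = false)
        boolean dump() default false;

        /** The signed token to verify in {@code --check} mode. */
        // Typo fixed in the help text ("agains" -> "against").
        @Configuration.Help("The signed token value to check against the private key store")
        String token();
    }

    public TokenTool() {
        super(TokenConfig.class);
    }

    /**
     * Dispatches to the selected mode.
     *
     * @param tokenConfig parsed command line options
     * @return the mode's result; {@code createNoOp()} when no mode flag is set. The
     *         {@code --dump} branch returns {@code null} in the original listing, presumably
     *         so that nothing but the raw token reaches stdout — kept as-is; confirm the
     *         caller tolerates a {@code null} result before relying on it.
     * @throws IllegalStateException wrapped failures from the underlying key store operations
     * @throws IllegalArgumentException in {@code --check} mode when the private key store is missing
     */
    @Override // io.bdeploy.common.cli.ToolBase.ConfiguredCliTool
    public RenderableResult run(TokenConfig tokenConfig) {
        helpAndFailIfMissing(tokenConfig.keystore(), "Missing --keystore");
        Path storePath = Paths.get(tokenConfig.keystore());
        // A missing passphrase is passed through as null; the security helper decides what that means.
        char[] passphrase = tokenConfig.passphrase() == null ? null : tokenConfig.passphrase().toCharArray();

        if (tokenConfig.create()) {
            return createNewToken(storePath, passphrase);
        }
        if (tokenConfig.load()) {
            helpAndFailIfMissing(tokenConfig.pack(), "Missing --pack");
            importExistingToken(storePath, passphrase, tokenConfig.pack());
            return createSuccess();
        }
        if (tokenConfig.check()) {
            helpAndFailIfMissing(tokenConfig.token(), "Missing --token");
            return checkExistingToken(storePath, passphrase, tokenConfig.token());
        }
        if (tokenConfig.dump()) {
            dumpExistingToken(storePath, passphrase);
            return null;
        }
        return createNoOp();
    }

    /**
     * Prints the signed token held in the given public (trust) store to stdout.
     * The printed value is a bearer credential.
     *
     * @throws IllegalStateException if the store or token cannot be loaded
     */
    private void dumpExistingToken(Path storePath, char[] passphrase) {
        SecurityHelper helper = SecurityHelper.getInstance();
        try {
            Object publicStore = helper.loadPublicKeyStore(storePath, passphrase);
            out().println(helper.getSignedToken(publicStore, passphrase));
        } catch (Exception e) {
            throw new IllegalStateException("Cannot load access token from " + storePath, e);
        }
    }

    /**
     * Builds a system token with {@link ApiAccessToken#ADMIN_PERMISSION}, signs it with the
     * private key in the given store and prints the signature pack to stdout.
     *
     * <p>The "Valid For" field is a hard-coded label; the actual lifetime is whatever
     * {@link ApiAccessToken.Builder} assigns, which is not visible here — verify they agree.
     *
     * @throws IllegalStateException if the signature pack cannot be created
     */
    private DataResult createNewToken(Path storePath, char[] passphrase) {
        SecurityHelper helper = SecurityHelper.getInstance();
        ApiAccessToken token = new ApiAccessToken.Builder()
                .forSystem()
                .addPermission(ApiAccessToken.ADMIN_PERMISSION)
                .build();
        try {
            // The decompiled listing cast the token to SecurityHelper here, which can never
            // succeed at runtime; the payload is passed as-is.
            out().println(helper.createSignaturePack(token, storePath, passphrase));
            return createSuccess()
                    .addField("Valid For", "50 years")
                    .addField("Issued To", token.getIssuedTo())
                    .addField("Permissions", token.getPermissions().toString());
        } catch (Exception e) {
            throw new IllegalStateException("cannot create signature pack", e);
        }
    }

    /**
     * Imports a signature pack (remote public key and token) into the given trust store.
     *
     * @throws IllegalStateException if the import fails
     */
    private void importExistingToken(Path storePath, char[] passphrase, String signaturePack) {
        try {
            SecurityHelper.getInstance().importSignaturePack(signaturePack, storePath, passphrase);
        } catch (Exception e) {
            throw new IllegalStateException("Cannot import signature pack", e);
        }
    }

    /**
     * Verifies a signed token against the private key store and reports the outcome.
     * A token whose signature verifies but whose {@code isValid()} is false is reported as expired.
     *
     * @throws IllegalArgumentException if the private key store does not exist
     * @throws IllegalStateException if verification itself fails
     */
    private DataResult checkExistingToken(Path storePath, char[] passphrase, String signedToken) {
        checkPrivateKeyStoreExists(storePath);
        SecurityHelper helper = SecurityHelper.getInstance();
        try {
            Object privateStore = helper.loadPrivateKeyStore(storePath, passphrase);
            ApiAccessToken token = (ApiAccessToken) helper.getVerifiedPayload(signedToken, ApiAccessToken.class, privateStore);
            if (token == null) {
                return createResultWithMessage("Invalid signature.");
            }
            if (!token.isValid()) {
                return createResultWithMessage("Signature valid, but token expired");
            }
            return createResultWithMessage("Signature valid. Issued to " + token.getIssuedTo() + ".");
        } catch (Exception e) {
            throw new IllegalStateException("Cannot verify token", e);
        }
    }

    /**
     * Fails with instructions when the private key store is absent.
     *
     * <p>The printed {@code openssl} recipe uses {@code -nodes}, i.e. it writes an
     * unencrypted {@code key.pem} to disk; that file should be removed once the PKCS12
     * store has been exported. The self-signed certificate is valid for 17800 days.
     *
     * @throws IllegalArgumentException always, when the store does not exist
     */
    private void checkPrivateKeyStoreExists(Path storePath) {
        if (PathHelper.exists(storePath)) {
            return;
        }
        out().println("You must generate a keystore manually: ");
        out().println("  openssl req -newkey rsa:2048 -nodes -keyout key.pem -x509 -days 17800 -out cert.pem");
        out().println("  openssl pkcs12 -inkey key.pem  -in cert.pem -export -out certstore.p12");
        throw new IllegalArgumentException("private keystore does not exist: " + storePath);
    }
}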
