package com.cloudera.keytrustee.impl;

import com.cloudera.keytrustee.ActivationRequest;
import com.cloudera.keytrustee.ClientConnection;
import com.cloudera.keytrustee.ClientInfo;
import com.cloudera.keytrustee.Connector;
import com.cloudera.keytrustee.DateFormats;
import com.cloudera.keytrustee.Deposit;
import com.cloudera.keytrustee.DepositInfo;
import com.cloudera.keytrustee.DepositRelease;
import com.cloudera.keytrustee.DepositReleaseDenied;
import com.cloudera.keytrustee.DepositSearch;
import com.cloudera.keytrustee.EntropyFormat;
import com.cloudera.keytrustee.FailoverServerInfo;
import com.cloudera.keytrustee.KeyTrusteeConstants;
import com.cloudera.keytrustee.KeyTrusteeException;
import com.cloudera.keytrustee.Request;
import com.cloudera.keytrustee.RequestInfo;
import com.cloudera.keytrustee.ServerInfo;
import com.cloudera.keytrustee.TokenStore;
import com.cloudera.keytrustee.URLConnector;
import com.cloudera.keytrustee.crypto.Crypto;
import com.cloudera.keytrustee.crypto.Fingerprint;
import com.cloudera.keytrustee.crypto.HkpKeyServer;
import com.cloudera.keytrustee.crypto.KeyManager;
import com.cloudera.keytrustee.crypto.analyze.tools.KeyValuePair;
import com.cloudera.keytrustee.impl.PayloadConnection;
import java.io.ByteArrayInputStream;
import java.io.ByteArrayOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.MessageDigest;
import java.security.Provider;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.text.ParseException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.TimeoutException;
import javax.xml.ws.http.HTTPException;
import org.apache.commons.codec.binary.Base64InputStream;
import org.apache.commons.codec.binary.Base64OutputStream;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.openpgp.PGPPublicKey;
import org.bouncycastle.openpgp.PGPPublicKeyRing;
import org.bouncycastle.util.encoders.Base64;
import org.json.JSONArray;
import org.json.JSONException;
import org.json.JSONObject;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/cloudera/keytrustee/impl/ClientConnectionImpl.class */
public class ClientConnectionImpl implements ClientConnection {
    private static final String RESP_MATCHES = "matches";
    private static final String RESP_CONTENT_SIG_FINGERPRINT = "content_sig_fingerprint";
    private static final String RESP_STATUS = "status";
    private static final String RESP_REASON = "reason";
    private static final String RESP_CHALLENGE = "challenge";
    private static final String RESP_REQUESTS = "requests";
    private static final String RESP_SHA512 = "sha512";
    private static final String RESP_RECOVERABLE = "recoverable";
    private static final String RESP_DEPOSIT_UUID = "deposit_uuid";
    private static final String RESP_ARCHIVE = "archive";
    private static final String RESP_CONTENT = "content";
    private static final String RESP_RECOVERABLE_SIGNATURE = "recoverable_signature";
    private static final String RESP_REQUEST_UUID = "request_uuid";
    private static final String RESP_REQUEST_UUIDS = "request_uuids";
    private static final String RESP_URL = "url";
    private static final String RESP_ENTROPY = "entropy";
    private static final String ACTION_DENY = "deny";
    private static final String ACTION_AUTHORIZE = "authorize";
    private static final String ACTION_PENDING = "pending";
    private static final String ACTION_SEARCH = "search";
    private static final String ACTION_REQUEST = "request";
    private static final String ACTION_HANDLE_REQUEST = "request_handle_deposits";
    private static final String ACTION_GET = "get";
    private static final String ACTION_GET_HANDLE_DEPOSITS = "get_handle_deposits";
    private static final String ACTION_PUT = "put";
    private static final String ACTION_REQUEST_ACTIVATION = "request_activation";
    private static final String ACTION_VERIFY = "verify";
    private static final String ACTION_REGISTER = "register";
    private static final String ACTION_ENTROPY = "entropy";
    private static final String PARAM_BEFORE = "before";
    private static final String PARAM_AFTER = "after";
    private static final String PARAM_REQUEST_TO_TRUSTEE_UUID = "r";
    private static final String PARAM_DEPOSIT_UUIDS = "deposit_uuids";
    private static final String PARAM_STRING = "string";
    private static final String PARAM_TIMEOUT = "timeout";
    private static final String PARAM_CLIENT = "client";
    private static final String PARAM_HOSTNAME = "hostname";
    private static final String PARAM_DEPOSIT_UUID = "deposit_uuid";
    private static final String PARAM_DISABLE = "disable";
    private static final String PARAM_REQUEST_UUID = "request_uuid";
    private static final String PARAM_REQUEST_UUIDS = "request_uuids";
    private static final String PARAM_RECOVERABLE_SIGNATURE = "recoverable_signature";
    private static final String PARAM_CONTENT = "content";
    private static final String PARAM_LABEL = "label";
    private static final String PARAM_SHA512 = "sha512";
    private static final String PARAM_ARCHIVE = "archive";
    private static final String PARAM_VOTES = "votes";
    private static final String PARAM_TTB = "ttb";
    private static final String PARAM_TTL = "ttl";
    private static final String PARAM_RETRIEVALS = "retrievals";
    private static final String PARAM_URL = "url";
    private static final String PARAM_RECOVERABLE = "recoverable";
    private static final String PARAM_DESCRIPTION = "description";
    private static final String PARAM_HANDLE = "handle";
    private static final String PARAM_ORIGINAL_ID = "original_id";
    private static final String PARAM_CLIENTS = "clients";
    private static final String PARAM_TRUSTEES = "trustees";
    private static final String PARAM_NOTIFY = "notify";
    private static final String PARAM_JUSTIFICATION = "justification";
    private static final String PARAM_CONTACT = "contact";
    private static final String PARAM_RESPONSE = "response";
    private static final String PARAM_FINGERPRINT = "fingerprint";
    private static final String PARAM_PROTOCOL = "protocol";
    private static final String PARAM_DEPOSIT_GROUP = "deposit_group";
    private static final String PARAM_GROUP_NAME = "group_name";
    private static final String PARAM_GROUP = "group";
    private static final String PARAM_TOKEN_SYNC = "token_sync";
    private static final String PARAM_COUNT = "count";
    private static final String PARAM_ORG = "org";
    private static final String PARAM_AUTH = "auth";
    private static final String PARAM_ANALYZE = "analyze";
    private static final String PARAM_METADATA = "metadata";
    private static final String PARAM_CERT = "cert";
    private static final String PARAM_HANDLE_BOOL = "handle";
    private static final String PARAM_UUID_BOOL = "uuid";
    private static final String PARAM_ENABLED_BOOL = "enabled";
    private static final String PARAM_DISABLED_BOOL = "disabled";
    private static final String PARAM_META_BOOL = "meta";
    private static final String PARAM_INCLUDE_META_BOOL = "include_meta";
    private static final int HTTP_OK = 200;
    private static final int HTTP_CREATED = 201;
    private static final int HTTP_ACCEPTED = 202;
    private static final int HTTP_FORBIDDEN = 403;
    private static final int MSECS_PER_SEC = 1000;
    private static final int SECS_PER_MIN = 60;
    private static final int DEFAULT_TIMEOUT = 43200;
    private Logger log;
    private ClientInfo clientInfo;
    private ServerInfo serverInfo;
    private TokenStore tokenStore;

    public ClientConnectionImpl(ClientInfo clientInfo, ServerInfo serverInfo) throws KeyTrusteeException {
        PGPPublicKeyRing publicKeyRing;
        this.log = LoggerFactory.getLogger(ClientConnection.class);
        this.clientInfo = clientInfo;
        this.serverInfo = serverInfo;
        disableSNIExtensions();
        Fingerprint fingerprint = serverInfo.getFingerprint();
        if (fingerprint == null || (publicKeyRing = clientInfo.getKeyRings().getPublicKeyRing(fingerprint)) == null) {
            return;
        }
        PGPPublicKey publicKey = publicKeyRing.getPublicKey();
        PGPPublicKey publicKey2 = clientInfo.getKeyRings().getPublicKeyRing().getPublicKey();
        try {
            if (KeyManager.isValid(publicKeyRing.getPublicKey()) && Crypto.getInstance().verifyKeySignature(publicKey2, publicKey)) {
            } else {
                throw new KeyTrusteeException("Invalid server key");
            }
        } catch (Exception e) {
            throw new KeyTrusteeException(e);
        }
    }

    public ClientConnectionImpl(ClientInfo clientInfo, ServerInfo serverInfo, TokenStore tokenStore) throws KeyTrusteeException {
        this(clientInfo, serverInfo);
        this.tokenStore = tokenStore;
    }

    public void disableSNIExtensions() {
        System.setProperty("jsse.enableSNIExtension", "false");
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public ClientInfo getClientInfo() {
        return this.clientInfo;
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public ServerInfo getServerInfo() {
        return this.serverInfo;
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void register() throws KeyTrusteeException {
        register(new ActivationRequest.Builder().build());
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void register(ActivationRequest activationRequest) throws KeyTrusteeException {
        try {
            HkpKeyServer hkpKeyServer = new HkpKeyServer(this.serverInfo);
            hkpKeyServer.put(this.clientInfo.getKeyRings().getPublicKeyRing());
            if (this.log.isInfoEnabled()) {
                this.log.info("Public key [" + this.clientInfo.getFingerprint() + "] successfully sent to server [" + this.serverInfo.getHostname() + "]");
            }
            Fingerprint readRemoteFingerprint = readRemoteFingerprint(this.serverInfo, this.serverInfo.getCertificate());
            PGPPublicKeyRing pGPPublicKeyRing = null;
            Iterator keyRings = KeyManager.readPublicKeyRingCollection(hkpKeyServer.get(readRemoteFingerprint)).getKeyRings();
            while (true) {
                if (!keyRings.hasNext()) {
                    break;
                }
                PGPPublicKeyRing pGPPublicKeyRing2 = (PGPPublicKeyRing) keyRings.next();
                if (Fingerprint.of(pGPPublicKeyRing2).equals(readRemoteFingerprint)) {
                    pGPPublicKeyRing = pGPPublicKeyRing2;
                    break;
                }
            }
            if (pGPPublicKeyRing == null) {
                throw new KeyTrusteeException("Server failed to provide a valid public key");
            }
            getClientInfo().getKeyRings().mergeKeyRing(PGPPublicKeyRing.insertPublicKey(pGPPublicKeyRing, Crypto.getInstance().signPublicKey(pGPPublicKeyRing.getPublicKey(), this.clientInfo.getKeyRings().getPrimaryKeyPair(KeyTrusteeConstants.defaultPassphrase()), 16)));
            ServerInfo build = new FailoverServerInfo.Builder().serverInfo(this.serverInfo).fingerprint(readRemoteFingerprint).build();
            verifyRegistration(build, requestRegistration(build, activationRequest));
            this.clientInfo.putServerInfo(build);
            this.serverInfo = build;
        } catch (Exception e) {
            throw new KeyTrusteeException("Registration failed", e);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void registerAndActivate(ActivationRequest activationRequest) throws KeyTrusteeException {
        if (StringUtils.isBlank(activationRequest.getOrg())) {
            throw new KeyTrusteeException("To activate, an organization and authorization are required");
        }
        register(activationRequest);
        requestActivation(activationRequest);
    }

    private String requestRegistration(ServerInfo serverInfo, ActivationRequest activationRequest) throws Exception {
        EncryptedPayloadConnection encryptedPayloadConnection = new EncryptedPayloadConnection(this.clientInfo, serverInfo, this.tokenStore);
        HashMap hashMap = new HashMap();
        hashMap.put(PARAM_FINGERPRINT, this.clientInfo.getFingerprint().toString());
        hashMap.put(PARAM_PROTOCOL, serverInfo.getProtocol());
        if (serverInfo.isTokenSync()) {
            hashMap.put(PARAM_TOKEN_SYNC, "1");
        }
        if (activationRequest.getOrg() != null) {
            hashMap.put(PARAM_ORG, activationRequest.getOrg());
        }
        if (activationRequest.hasLabel()) {
            hashMap.put(PARAM_LABEL, activationRequest.label());
        }
        PayloadConnection.PayloadResponse fetchData = encryptedPayloadConnection.fetchData(ACTION_REGISTER, hashMap);
        requireStatus(fetchData, HTTP_OK);
        String decryptRequest = encryptedPayloadConnection.decryptRequest(fetchData.getParams().getString(RESP_CHALLENGE));
        if (!StringUtils.equalsIgnoreCase(hashSha512(decryptRequest), fetchData.getParams().getString("sha512"))) {
            throw new KeyTrusteeException("Invalid registration challenge from server");
        }
        this.log.info("Client decrypted server challenge verification");
        return decryptRequest;
    }

    private static String hashSha512(String str) throws Exception {
        return hashSha512(str.getBytes(KeyTrusteeConstants.ENCODING));
    }

    private static String hashSha512(byte[] bArr) throws Exception {
        return bytesToHex(MessageDigest.getInstance("SHA-512", (Provider) new BouncyCastleProvider()).digest(bArr));
    }

    private static String bytesToHex(byte[] bArr) {
        char[] cArr = {'0', '1', '2', '3', '4', '5', '6', '7', '8', '9', 'a', 'b', 'c', 'd', 'e', 'f'};
        char[] cArr2 = new char[bArr.length * 2];
        for (int i = 0; i < bArr.length; i++) {
            int i2 = bArr[i] & 255;
            cArr2[i * 2] = cArr[i2 >>> 4];
            cArr2[(i * 2) + 1] = cArr[i2 & 15];
        }
        return new String(cArr2);
    }

    private void verifyRegistration(ServerInfo serverInfo, String str) throws Exception {
        PayloadConnection create = PayloadConnection.create(this.clientInfo, serverInfo, getTokenStore());
        HashMap hashMap = new HashMap();
        hashMap.put(PARAM_RESPONSE, str);
        PayloadConnection.PayloadResponse fetchData = create.fetchData(ACTION_VERIFY, hashMap);
        requireStatus(fetchData, HTTP_OK);
        JSONObject data = fetchData.getData();
        if (!data.has("verified") || !data.getString("verified").equals("true")) {
            throw new KeyTrusteeException("Server could not verify the client signed encryption");
        }
        this.log.info("Client/Server cryptographic handshake successful!");
    }

    public Fingerprint readRemoteFingerprint(ServerInfo serverInfo, Certificate certificate) throws KeyTrusteeException {
        try {
            URLConnector uRLConnector = certificate == null ? new URLConnector(KeyTrusteeConstants.SECURE_PROTOCOL, serverInfo.getHostname(), serverInfo.getKtsPort(), serverInfo.isSslInsecure()) : new URLConnector(KeyTrusteeConstants.SECURE_PROTOCOL, serverInfo.getHostname(), serverInfo.getKtsPort(), serverInfo.isSslInsecure(), certificate);
            uRLConnector.setServerInfo(serverInfo);
            Connector.Response execQuery = uRLConnector.execQuery("a=fingerprint");
            String content = execQuery.getContent();
            requireStatus(execQuery, content, HTTP_OK);
            Fingerprint fingerprint = new Fingerprint(content.trim());
            this.log.info("Successfully imported server public key, fingerprint [" + fingerprint + "]");
            return fingerprint;
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public Fingerprint readRemoteFingerprint(ServerInfo serverInfo) throws KeyTrusteeException {
        return readRemoteFingerprint(serverInfo, null);
    }

    private static void requireStatus(PayloadConnection.PayloadResponse payloadResponse, int... iArr) throws KeyTrusteeException {
        String str = null;
        try {
            if (payloadResponse.getData() != null && payloadResponse.getData().has(RESP_REASON)) {
                str = payloadResponse.getData().getString(RESP_REASON);
            } else if (payloadResponse.getParams() != null && payloadResponse.getData().has(RESP_REASON)) {
                str = payloadResponse.getParams().getString(RESP_REASON);
            }
        } catch (JSONException e) {
        }
        if (str == null) {
            str = payloadResponse.getHttpResponse().getContent();
            if (str == null || str.isEmpty()) {
                str = payloadResponse.getHttpResponse().getStatusText();
            }
        }
        requireStatus(payloadResponse.getHttpResponse(), str, iArr);
    }

    private static void requireStatus(Connector.Response response, String str, int... iArr) throws KeyTrusteeException {
        for (int i : iArr) {
            if (response.getStatusCode() == i) {
                return;
            }
        }
        HTTPException hTTPException = new HTTPException(response.getStatusCode());
        if (!StringUtils.defaultString(str).isEmpty()) {
            throw new KeyTrusteeException(str, hTTPException);
        }
        throw new KeyTrusteeException(response.getStatusText(), hTTPException);
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public boolean isRegistered() throws KeyTrusteeException {
        return this.clientInfo.hasServerInfo(this.serverInfo.getHostname());
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void requestActivation(ActivationRequest activationRequest) throws KeyTrusteeException {
        requireRegistered();
        try {
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            HashMap hashMap = new HashMap();
            if (activationRequest.getContact() != null && !activationRequest.getContact().isEmpty()) {
                hashMap.put(PARAM_CONTACT, activationRequest.getContact());
            }
            hashMap.put(PARAM_JUSTIFICATION, activationRequest.getJustification());
            hashMap.put(PARAM_NOTIFY, StringUtils.join(activationRequest.getNotified(), ","));
            if (activationRequest.getOrg() != null && !activationRequest.getOrg().isEmpty()) {
                hashMap.put(PARAM_ORG, activationRequest.getOrg());
                if (activationRequest.getAuth() == null || activationRequest.getAuth().isEmpty()) {
                    hashMap.put(PARAM_AUTH, "");
                } else {
                    hashMap.put(PARAM_AUTH, activationRequest.getAuth());
                }
            }
            if (activationRequest.getGroup() != null) {
                hashMap.put(PARAM_GROUP, activationRequest.getGroup());
            }
            requireStatus(create.fetchData(ACTION_REQUEST_ACTIVATION, hashMap), HTTP_OK);
        } catch (Exception e) {
            throw new KeyTrusteeException(e);
        }
    }

    private void requireRegistered() throws KeyTrusteeException {
        if (!isRegistered()) {
            throw new KeyTrusteeException("Client registration required");
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public DepositInfo put(Deposit deposit) throws KeyTrusteeException {
        requireRegistered();
        try {
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            HashMap hashMap = new HashMap();
            hashMap.put(PARAM_TRUSTEES, StringUtils.join(deposit.getTrustees(), ","));
            hashMap.put(PARAM_CLIENTS, StringUtils.join(deposit.getClients(), ","));
            hashMap.put("handle", deposit.getHandle());
            hashMap.put(PARAM_DESCRIPTION, deposit.getDescription());
            hashMap.put("recoverable", Boolean.valueOf(deposit.isRecoverable()));
            hashMap.put(PARAM_HOSTNAME, new HostnameResolver().getHostname());
            hashMap.put("url", Boolean.valueOf(deposit.isUrl()));
            HashMap hashMap2 = new HashMap(deposit.getMetadata());
            if (deposit.hasAnalysis()) {
                hashMap.put(PARAM_ANALYZE, Boolean.valueOf(deposit.hasAnalysis()));
                Iterator<KeyValuePair<String, String>> it = deposit.analysis().entries().iterator();
                while (it.hasNext()) {
                    KeyValuePair<String, String> next = it.next();
                    hashMap2.put(next.key(), next.value());
                }
            }
            hashMap.put(PARAM_METADATA, hashMap2);
            if (deposit.getCert() != null) {
                hashMap.put(PARAM_CERT, deposit.getCert());
            }
            if (deposit.getRetrievals() != null) {
                hashMap.put(PARAM_RETRIEVALS, deposit.getRetrievals());
            }
            if (deposit.getTtl() != null) {
                hashMap.put(PARAM_TTL, deposit.getTtl());
            }
            if (deposit.getTtb() != null) {
                hashMap.put(PARAM_TTB, deposit.getTtb());
            }
            if (deposit.getVotes() != null) {
                hashMap.put(PARAM_VOTES, deposit.getVotes());
            }
            hashMap.put("archive", deposit.isArchive() ? "1" : "0");
            ArrayList arrayList = new ArrayList();
            if (deposit.getClients().isEmpty()) {
                arrayList.add(this.clientInfo.getFingerprint());
            } else {
                Iterator<String> it2 = deposit.getClients().iterator();
                while (it2.hasNext()) {
                    Fingerprint fingerprint = new Fingerprint(it2.next());
                    arrayList.add(fingerprint);
                    create.recvPublicKey(fingerprint);
                }
            }
            if (deposit.isRecoverable()) {
                ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
                Base64OutputStream base64OutputStream = new Base64OutputStream(byteArrayOutputStream);
                IOUtils.copy(deposit.getContent(), base64OutputStream);
                base64OutputStream.flush();
                base64OutputStream.close();
                byteArrayOutputStream.flush();
                byte[] byteArray = byteArrayOutputStream.toByteArray();
                hashMap.put("sha512", hashSha512(byteArray));
                hashMap.put("content", new String(byteArray, KeyTrusteeConstants.ENCODING));
                hashMap.put("recoverable_signature", IOUtils.toString(Crypto.getInstance().createSignature(new ByteArrayInputStream(byteArray), this.clientInfo.getKeyRings().getSecretKeyRing(), KeyTrusteeConstants.defaultPassphrase())));
                if (deposit.getGroup() != null) {
                    hashMap.put(PARAM_DEPOSIT_GROUP, deposit.getGroup());
                }
            } else {
                byte[] byteArray2 = IOUtils.toByteArray(Crypto.getInstance().encryptInputStream(deposit.getContent(), this.clientInfo.getPublicKeyRings(), this.clientInfo.getKeyRings().getSecretKeyRing(), KeyTrusteeConstants.defaultPassphrase(), (Fingerprint[]) arrayList.toArray(new Fingerprint[0])));
                hashMap.put("sha512", hashSha512(byteArray2));
                hashMap.put("content", new String(byteArray2, KeyTrusteeConstants.ENCODING));
            }
            PayloadConnection.PayloadResponse fetchData = create.fetchData(ACTION_PUT, hashMap);
            requireStatus(fetchData, HTTP_OK);
            if (!fetchData.getData().has("deposit_uuid")) {
                throw new KeyTrusteeException("Deposit UUID missing from response: " + fetchData.getHttpResponse().getContent());
            }
            String string = fetchData.getData().getString("deposit_uuid");
            if (string.isEmpty()) {
                throw new KeyTrusteeException("Deposit UUID missing from response: " + fetchData.getHttpResponse().getContent());
            }
            return new DepositInfoImpl(string, "https://" + this.serverInfo.getHostname() + ":" + this.serverInfo.getKtsPort() + "/?d=" + (fetchData.getData().has("url") ? fetchData.getData().getString("url") : null), null, null, null, null, null);
        } catch (Exception e) {
            throw new KeyTrusteeException(e);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public DepositRelease get(Request request) throws DepositReleaseDenied, KeyTrusteeException, TimeoutException {
        requireRegistered();
        if (StringUtils.defaultString(request.getUuid()).isEmpty() && StringUtils.defaultString(request.getHandle()).isEmpty()) {
            throw new KeyTrusteeException("Deposit UUID or handle is required");
        }
        JSONObject registerRequest = registerRequest(request);
        if (isDepositRelease(registerRequest)) {
            try {
                return populateDepositRelease(registerRequest, null);
            } catch (Exception e) {
                throw new KeyTrusteeException(e);
            }
        }
        try {
            return pollDepositRelease(request, registerRequest.getString("request_uuid"))[0];
        } catch (JSONException e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    private DepositRelease[] pollDepositRelease(Request request, String str) throws KeyTrusteeException, TimeoutException {
        HashMap hashMap = new HashMap();
        hashMap.put("request_uuid", str);
        hashMap.put(PARAM_DISABLE, Boolean.valueOf(request.isDisable()));
        hashMap.put(PARAM_INCLUDE_META_BOOL, Boolean.valueOf(request.isMetadataIncluded()));
        return pollDepositRelease(request, hashMap, ACTION_GET);
    }

    private DepositRelease[] pollDepositRelease(Request request, String[] strArr) throws KeyTrusteeException, TimeoutException {
        HashMap hashMap = new HashMap();
        hashMap.put("request_uuids", strArr);
        hashMap.put(PARAM_DISABLE, Boolean.valueOf(request.isDisable()));
        hashMap.put(PARAM_INCLUDE_META_BOOL, Boolean.valueOf(request.isMetadataIncluded()));
        return pollDepositRelease(request, hashMap, ACTION_GET_HANDLE_DEPOSITS);
    }

    private DepositRelease[] pollDepositRelease(Request request, Map<String, Object> map, String str) throws KeyTrusteeException, TimeoutException {
        int i = MSECS_PER_SEC;
        long currentTimeMillis = System.currentTimeMillis();
        int intValue = (request.getTimeout() != null ? request.getTimeout().intValue() : DEFAULT_TIMEOUT) * MSECS_PER_SEC;
        while (System.currentTimeMillis() - currentTimeMillis < intValue) {
            try {
                PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
                PayloadConnection.PayloadResponse fetchData = create.fetchData(str, map);
                int statusCode = fetchData.getHttpResponse().getStatusCode();
                if (fetchData.getData().has(RESP_STATUS)) {
                    statusCode = fetchData.getData().getInt(RESP_STATUS);
                }
                String statusText = fetchData.getHttpResponse().getStatusText();
                if (fetchData.getData().has(RESP_REASON)) {
                    statusText = fetchData.getData().getString(RESP_REASON);
                }
                switch (statusCode) {
                    case HTTP_OK /* 200 */:
                    case HTTP_ACCEPTED /* 202 */:
                        PGPPublicKeyRing loadSigKeyRing = loadSigKeyRing(create, fetchData.getData());
                        DepositRelease[] depositReleaseArr = new DepositRelease[1];
                        if (str.equals(ACTION_GET)) {
                            depositReleaseArr[0] = populateDepositRelease(fetchData.getData(), loadSigKeyRing);
                        }
                        if (str.equals(ACTION_GET_HANDLE_DEPOSITS)) {
                            depositReleaseArr = populateDepositReleases(fetchData.getData().getJSONArray("release_statuses"), loadSigKeyRing);
                        }
                        return depositReleaseArr;
                    case HTTP_CREATED /* 201 */:
                        i = i < 60000 ? i + MSECS_PER_SEC : i;
                        Thread.sleep(i);
                    case HTTP_FORBIDDEN /* 403 */:
                        throw new DepositReleaseDenied(statusText);
                    default:
                        throw new KeyTrusteeException(statusText);
                }
            } catch (KeyTrusteeException e) {
                throw e;
            } catch (Exception e2) {
                throw new KeyTrusteeException(e2);
            }
        }
        throw new TimeoutException("Deposit request timed out (" + intValue + " seconds)");
    }

    private PGPPublicKeyRing loadSigKeyRing(PayloadConnection payloadConnection, JSONObject jSONObject) throws JSONException, KeyTrusteeException, ParseException {
        PGPPublicKeyRing pGPPublicKeyRing = null;
        if (jSONObject.has(RESP_CONTENT_SIG_FINGERPRINT)) {
            pGPPublicKeyRing = payloadConnection.recvPublicKey(new Fingerprint(jSONObject.getString(RESP_CONTENT_SIG_FINGERPRINT)));
            if (null == pGPPublicKeyRing) {
                throw new KeyTrusteeException("Content signature key not found: " + jSONObject.getString(RESP_CONTENT_SIG_FINGERPRINT));
            }
        }
        return pGPPublicKeyRing;
    }

    private DepositRelease[] populateDepositReleases(JSONArray jSONArray, PGPPublicKeyRing pGPPublicKeyRing) throws Exception {
        DepositRelease[] depositReleaseArr = new DepositRelease[jSONArray.length()];
        for (int i = 0; i < jSONArray.length(); i++) {
            JSONObject jSONObject = jSONArray.getJSONObject(i);
            if (null == pGPPublicKeyRing) {
                pGPPublicKeyRing = loadSigKeyRing(PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore()), jSONObject);
            }
            depositReleaseArr[i] = populateDepositRelease(jSONObject, pGPPublicKeyRing);
        }
        return depositReleaseArr;
    }

    private DepositRelease populateDepositRelease(JSONObject jSONObject, PGPPublicKeyRing pGPPublicKeyRing) throws Exception {
        DepositRelease depositReleaseImpl;
        if (null == pGPPublicKeyRing) {
            pGPPublicKeyRing = loadSigKeyRing(PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore()), jSONObject);
        }
        boolean z = jSONObject.has("recoverable") && jSONObject.getBoolean("recoverable");
        boolean z2 = jSONObject.has("archive") && jSONObject.getInt("archive") == 1;
        if (z) {
            String string = jSONObject.getString("content");
            if (!Crypto.getInstance().verifySignature(string, jSONObject.getString("recoverable_signature"), pGPPublicKeyRing)) {
                throw new KeyTrusteeException("Invalid signature on recoverable deposit");
            }
            depositReleaseImpl = new DepositReleaseImpl(Base64.decode(string.getBytes(KeyTrusteeConstants.ENCODING)), z2);
        } else {
            String string2 = jSONObject.getString("content");
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            Crypto.getInstance().decryptString(string2, this.clientInfo.getKeyRings().getPublicKeyRing(), this.clientInfo.getKeyRings().getSecretKeyRing(), KeyTrusteeConstants.defaultPassphrase(), byteArrayOutputStream);
            depositReleaseImpl = new DepositReleaseImpl(byteArrayOutputStream.toByteArray(), z2);
        }
        if (jSONObject.has(PARAM_INCLUDE_META_BOOL) && jSONObject.getBoolean(PARAM_INCLUDE_META_BOOL)) {
            depositReleaseImpl = new AnnotatedDepositReleaseImpl(depositReleaseImpl, new DepositInfoImpl(jSONObject));
        }
        return depositReleaseImpl;
    }

    private static boolean isDepositRelease(JSONObject jSONObject) {
        return jSONObject.has("content");
    }

    private static boolean containsDepositReleases(JSONObject jSONObject) {
        return jSONObject.has("responses");
    }

    private JSONObject registerRequest(Request request) throws KeyTrusteeException {
        try {
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            HashMap hashMap = new HashMap();
            hashMap.put("deposit_uuid", request.getUuid());
            hashMap.put("handle", request.getHandle());
            hashMap.put(PARAM_ORIGINAL_ID, request.getOriginalId());
            if (request.getClient() != null) {
                hashMap.put(PARAM_CLIENT, request.getClient());
            }
            if (request.getGroup() != null) {
                hashMap.put(PARAM_GROUP_NAME, request.getGroup());
            }
            if (request.isDisable()) {
                hashMap.put(PARAM_DISABLE, Boolean.valueOf(request.isDisable()));
            }
            hashMap.put(PARAM_TIMEOUT, Integer.valueOf(request.getTimeout() == null ? DEFAULT_TIMEOUT : request.getTimeout().intValue()));
            hashMap.put(PARAM_JUSTIFICATION, request.getJustification());
            hashMap.put(PARAM_INCLUDE_META_BOOL, Boolean.valueOf(request.isMetadataIncluded()));
            PayloadConnection.PayloadResponse fetchData = create.fetchData(ACTION_REQUEST, hashMap);
            requireStatus(fetchData, HTTP_OK);
            return fetchData.getData();
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public DepositRelease[] getHandleDeposits(Request request) throws DepositReleaseDenied, KeyTrusteeException, TimeoutException {
        requireRegistered();
        if (null != request.getUuid()) {
            throw new KeyTrusteeException("Deposit UUID not supported.");
        }
        if (StringUtils.defaultString(request.getHandle()).isEmpty()) {
            throw new KeyTrusteeException("Handle is required");
        }
        try {
            JSONObject registerHandleRequest = registerHandleRequest(request);
            if (!containsDepositReleases(registerHandleRequest)) {
                return pollDepositRelease(request, convertToStringArray(registerHandleRequest.getJSONArray("request_uuids")));
            }
            try {
                return populateDepositReleases(registerHandleRequest.getJSONArray("responses"), null);
            } catch (KeyTrusteeException e) {
                throw e;
            } catch (Exception e2) {
                throw new KeyTrusteeException(e2);
            }
        } catch (JSONException e3) {
            throw new KeyTrusteeException("Could not parse server response to deposit request.", e3);
        }
    }

    private JSONObject registerHandleRequest(Request request) throws KeyTrusteeException {
        try {
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            HashMap hashMap = new HashMap();
            hashMap.put("handle", request.getHandle());
            if (request.getClient() != null) {
                hashMap.put(PARAM_CLIENT, request.getClient());
            }
            if (request.getGroup() != null) {
                hashMap.put(PARAM_GROUP_NAME, request.getGroup());
            }
            if (request.isDisable()) {
                hashMap.put(PARAM_DISABLE, Boolean.valueOf(request.isDisable()));
            }
            hashMap.put(PARAM_TIMEOUT, Integer.valueOf(request.getTimeout() == null ? DEFAULT_TIMEOUT : request.getTimeout().intValue()));
            hashMap.put(PARAM_JUSTIFICATION, request.getJustification());
            hashMap.put(PARAM_INCLUDE_META_BOOL, Boolean.valueOf(request.isMetadataIncluded()));
            PayloadConnection.PayloadResponse fetchData = create.fetchData(ACTION_HANDLE_REQUEST, hashMap);
            requireStatus(fetchData, HTTP_OK);
            return fetchData.getData();
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    private String[] convertToStringArray(JSONArray jSONArray) throws JSONException {
        String[] strArr = new String[jSONArray.length()];
        for (int i = 0; i < jSONArray.length(); i++) {
            strArr[i] = jSONArray.getString(i);
        }
        return strArr;
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public Collection<DepositInfo> getDeposits(DepositSearch depositSearch) throws KeyTrusteeException {
        JSONArray depositsJSON = getDepositsJSON(depositSearch);
        ArrayList arrayList = new ArrayList();
        for (int i = 0; i < depositsJSON.length(); i++) {
            try {
                arrayList.add(new DepositInfoImpl(depositsJSON.getJSONObject(i)));
            } catch (Exception e) {
                throw new KeyTrusteeException(e);
            }
        }
        return arrayList;
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public JSONArray getDepositsJSON(DepositSearch depositSearch) throws KeyTrusteeException {
        requireRegistered();
        try {
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            HashMap hashMap = new HashMap();
            hashMap.put(PARAM_STRING, depositSearch.getKeyword());
            if (depositSearch.getAfter() != null) {
                hashMap.put(PARAM_AFTER, DateFormats.formatDateTime(depositSearch.getAfter()));
            }
            if (depositSearch.getBefore() != null) {
                hashMap.put(PARAM_BEFORE, DateFormats.formatDateTime(depositSearch.getBefore()));
            }
            if (depositSearch.getGroup() != null) {
                hashMap.put(PARAM_GROUP, depositSearch.getGroup());
            }
            if (depositSearch.isHandle().booleanValue()) {
                hashMap.put("handle", depositSearch.isHandle());
            }
            if (depositSearch.isUUID().booleanValue()) {
                hashMap.put(PARAM_UUID_BOOL, depositSearch.isUUID());
            }
            if (null != depositSearch.isEnabled() && depositSearch.isEnabled().booleanValue()) {
                hashMap.put(PARAM_ENABLED_BOOL, depositSearch.isEnabled());
            }
            if (null != depositSearch.isDisabled() && depositSearch.isDisabled().booleanValue()) {
                hashMap.put(PARAM_DISABLED_BOOL, depositSearch.isDisabled());
            }
            if (null != depositSearch.includeMeta() && depositSearch.includeMeta().booleanValue()) {
                hashMap.put(PARAM_META_BOOL, depositSearch.includeMeta());
            }
            PayloadConnection.PayloadResponse fetchData = create.fetchData(ACTION_SEARCH, hashMap);
            requireStatus(fetchData, HTTP_OK);
            return fetchData.getData().getJSONArray(RESP_MATCHES);
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    private void updateDeposit(String str, String... strArr) throws KeyTrusteeException {
        requireRegistered();
        try {
            ArrayList arrayList = new ArrayList();
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            HashMap hashMap = new HashMap();
            Collections.addAll(arrayList, strArr);
            hashMap.put(PARAM_DEPOSIT_UUIDS, new JSONArray((Collection) arrayList));
            requireStatus(create.fetchData(str, hashMap), HTTP_OK);
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void enable(String... strArr) throws KeyTrusteeException {
        updateDeposit("enable", strArr);
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public byte[] entropy(int i) throws KeyTrusteeException {
        byte[] fetchEntropy = fetchEntropy(i);
        File file = new File("/dev/urandom");
        if (file.exists() && file.canWrite()) {
            try {
                FileOutputStream fileOutputStream = new FileOutputStream(file);
                try {
                    fileOutputStream.write(fetchEntropy);
                    if (fileOutputStream != null) {
                        fileOutputStream.close();
                    }
                } catch (Throwable th) {
                    if (fileOutputStream != null) {
                        fileOutputStream.close();
                    }
                    throw th;
                }
            } catch (IOException e) {
                throw new KeyTrusteeException(e);
            }
        }
        return fetchEntropy;
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public String entropyString(int i, EntropyFormat entropyFormat) throws KeyTrusteeException {
        MessageDigest messageDigest;
        byte[] generateSeed = new SecureRandom().generateSeed(4096);
        if (entropyFormat == EntropyFormat.RAW) {
            return bytesToHex(entropy(i));
        }
        try {
            if (entropyFormat == EntropyFormat.MD5) {
                messageDigest = MessageDigest.getInstance("MD5", (Provider) new BouncyCastleProvider());
            } else {
                if (entropyFormat != EntropyFormat.SHA512) {
                    throw new UnsupportedOperationException("Unsupported format type " + entropyFormat);
                }
                messageDigest = MessageDigest.getInstance("SHA512", (Provider) new BouncyCastleProvider());
            }
            messageDigest.update(generateSeed);
            return bytesToHex(messageDigest.digest(entropy(i)));
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    private byte[] fetchEntropy(int i) throws KeyTrusteeException {
        try {
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            HashMap hashMap = new HashMap();
            hashMap.put(PARAM_COUNT, Integer.valueOf(i));
            PayloadConnection.PayloadResponse fetchData = create.fetchData("entropy", hashMap);
            requireStatus(fetchData, HTTP_OK);
            return IOUtils.toByteArray(new Base64InputStream(new ByteArrayInputStream(fetchData.getData().getString("entropy").getBytes(KeyTrusteeConstants.ENCODING))));
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void disable(String... strArr) throws KeyTrusteeException {
        updateDeposit(PARAM_DISABLE, strArr);
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void purge(String... strArr) throws KeyTrusteeException {
        updateDeposit("purge", strArr);
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public Collection<RequestInfo> getPending() throws KeyTrusteeException {
        JSONArray pendingJSON = getPendingJSON();
        ArrayList arrayList = new ArrayList();
        for (int i = 0; i < pendingJSON.length(); i++) {
            try {
                arrayList.add(new RequestInfoImpl(pendingJSON.getJSONObject(i)));
            } catch (Exception e) {
                throw new KeyTrusteeException(e);
            }
        }
        return arrayList;
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public JSONArray getPendingJSON() throws KeyTrusteeException {
        requireRegistered();
        try {
            PayloadConnection.PayloadResponse fetchData = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore()).fetchData(ACTION_PENDING);
            requireStatus(fetchData, HTTP_OK);
            return fetchData.getData().getJSONArray(RESP_REQUESTS);
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void authorize(String str) throws KeyTrusteeException {
        requireRegistered();
        try {
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            HashMap hashMap = new HashMap();
            hashMap.put(PARAM_REQUEST_TO_TRUSTEE_UUID, str);
            requireStatus(create.fetchData(ACTION_AUTHORIZE, hashMap), HTTP_OK);
        } catch (Exception e) {
            throw new KeyTrusteeException(e);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void deny(String str) throws KeyTrusteeException {
        requireRegistered();
        try {
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            HashMap hashMap = new HashMap();
            hashMap.put(PARAM_REQUEST_TO_TRUSTEE_UUID, str);
            requireStatus(create.fetchData(ACTION_DENY, hashMap), HTTP_OK);
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public void refreshKeys() throws KeyTrusteeException {
        try {
            PayloadConnection create = PayloadConnection.create(this.clientInfo, this.serverInfo, getTokenStore());
            Iterator keyRings = this.clientInfo.getPublicKeyRings().getKeyRings();
            while (keyRings.hasNext()) {
                create.recvPublicKey(Fingerprint.of((PGPPublicKeyRing) keyRings.next()));
            }
        } catch (KeyTrusteeException e) {
            throw e;
        } catch (Exception e2) {
            throw new KeyTrusteeException(e2);
        }
    }

    @Override // com.cloudera.keytrustee.ClientConnection
    public TokenStore getTokenStore() {
        return this.tokenStore;
    }
}
