package org.apache.qpid.server.security.encryption;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.AclEntry;
import java.nio.file.attribute.AclEntryPermission;
import java.nio.file.attribute.AclEntryType;
import java.nio.file.attribute.AclFileAttributeView;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.nio.file.attribute.UserPrincipal;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.ListIterator;
import java.util.Set;
import javax.crypto.Cipher;
import javax.crypto.KeyGenerator;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.SystemConfig;
import org.apache.qpid.server.plugin.ConditionallyAvailable;
import org.apache.qpid.server.plugin.ConfigurationSecretEncrypterFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/encryption/AbstractAESKeyFileEncrypterFactory.class */
abstract class AbstractAESKeyFileEncrypterFactory implements ConfigurationSecretEncrypterFactory, ConditionallyAvailable {
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractAESKeyFileEncrypterFactory.class);
    static final String ENCRYPTER_KEY_FILE = "encrypter.key.file";
    private static final int AES_KEY_SIZE_BITS = 256;
    private static final int AES_KEY_SIZE_BYTES = 32;
    private static final String AES_ALGORITHM = "AES";
    static final String DEFAULT_KEYS_SUBDIR_NAME = ".keys";
    private static final boolean IS_AVAILABLE;
    private static final String GENERAL_EXCEPTION_MESSAGE = "Unable to determine a mechanism to protect access to the key file on this filesystem";

    @Override // org.apache.qpid.server.plugin.ConfigurationSecretEncrypterFactory
    public ConfigurationSecretEncrypter createEncrypter(ConfiguredObject<?> configuredObject) {
        int read;
        String secretKeyLocation = getSecretKeyLocation(configuredObject);
        File file = new File(secretKeyLocation);
        if (!file.exists()) {
            LOGGER.info("Configuration encryption is enabled, but no configuration secret was found. A new configuration secret will be created at '{}'.", secretKeyLocation);
            createAndPopulateKeyFile(file);
        }
        if (!file.isFile()) {
            throw new IllegalConfigurationException(String.format("File '%s' is not a regular file.", secretKeyLocation));
        }
        try {
            checkFilePermissions(secretKeyLocation, file);
            if (Files.size(file.toPath()) != 32) {
                throw new IllegalConfigurationException(String.format("Key file '%s' contains an incorrect about of data", secretKeyLocation));
            }
            FileInputStream fileInputStream = new FileInputStream(file);
            try {
                byte[] bArr = new byte[AES_KEY_SIZE_BYTES];
                int i = 0;
                while (i < bArr.length && -1 != (read = fileInputStream.read(bArr, i, bArr.length - i))) {
                    i += read;
                }
                if (i != bArr.length) {
                    throw new IllegalConfigurationException(String.format("Key file '%s' contained an incorrect about of data", secretKeyLocation));
                }
                ConfigurationSecretEncrypter createEncrypter = createEncrypter(new SecretKeySpec(bArr, AES_ALGORITHM));
                fileInputStream.close();
                return createEncrypter;
            } finally {
            }
        } catch (IOException e) {
            throw new IllegalConfigurationException(String.format("Unable to get file permissions: %s", e.getMessage()), e);
        }
    }

    static String getSecretKeyLocation(ConfiguredObject<?> configuredObject) {
        String str;
        if (configuredObject.getContextKeys(false).contains(ENCRYPTER_KEY_FILE)) {
            str = (String) configuredObject.getContextValue(String.class, ENCRYPTER_KEY_FILE);
        } else {
            str = ((String) configuredObject.getContextValue(String.class, SystemConfig.QPID_WORK_DIR)) + File.separator + ".keys" + File.separator + configuredObject.getCategoryClass().getSimpleName() + "_" + configuredObject.getName() + ".key";
            LinkedHashMap linkedHashMap = new LinkedHashMap(configuredObject.getContext());
            linkedHashMap.put(ENCRYPTER_KEY_FILE, str);
            configuredObject.setAttributes(Collections.singletonMap(ConfiguredObject.CONTEXT, linkedHashMap));
        }
        return str;
    }

    private void checkFilePermissions(String str, File file) throws IOException {
        if (isPosixFileSystem(file)) {
            Set<PosixFilePermission> posixFilePermissions = Files.getPosixFilePermissions(file.toPath(), new LinkOption[0]);
            if (posixFilePermissions.contains(PosixFilePermission.GROUP_READ) || posixFilePermissions.contains(PosixFilePermission.OTHERS_READ) || posixFilePermissions.contains(PosixFilePermission.GROUP_WRITE) || posixFilePermissions.contains(PosixFilePermission.OTHERS_WRITE)) {
                throw new IllegalArgumentException(String.format("Key file '%s' has incorrect permissions.  Only the owner should be able to read or write this file.", str));
            }
            return;
        }
        if (!isAclFileSystem(file)) {
            throw new IllegalArgumentException(GENERAL_EXCEPTION_MESSAGE);
        }
        ListIterator listIterator = new ArrayList(((AclFileAttributeView) Files.getFileAttributeView(file.toPath(), AclFileAttributeView.class, new LinkOption[0])).getAcl()).listIterator();
        UserPrincipal owner = Files.getOwner(file.toPath(), new LinkOption[0]);
        while (listIterator.hasNext()) {
            AclEntry aclEntry = (AclEntry) listIterator.next();
            if (aclEntry.type() == AclEntryType.ALLOW) {
                EnumSet copyOf = EnumSet.copyOf((Collection) aclEntry.permissions());
                if (copyOf.removeAll(EnumSet.of(AclEntryPermission.APPEND_DATA, AclEntryPermission.EXECUTE, AclEntryPermission.WRITE_ACL, AclEntryPermission.WRITE_DATA, AclEntryPermission.WRITE_OWNER))) {
                    throw new IllegalArgumentException(String.format("Key file '%s has incorrect permissions. The file should not be modifiable by any user.", str));
                }
                if (!owner.equals(aclEntry.principal()) && copyOf.removeAll(EnumSet.of(AclEntryPermission.READ_DATA))) {
                    throw new IllegalArgumentException(String.format("Key file '%s' has incorrect permissions. Only the owner should be able to read from the file.", str));
                }
            }
        }
    }

    private static boolean isPosixFileSystem(File file) {
        return Files.getFileAttributeView(file.toPath(), PosixFileAttributeView.class, new LinkOption[0]) != null;
    }

    private static boolean isAclFileSystem(File file) {
        return Files.getFileAttributeView(file.toPath(), AclFileAttributeView.class, new LinkOption[0]) != null;
    }

    static void createAndPopulateKeyFile(File file) {
        try {
            createEmptyKeyFile(file);
            KeyGenerator keyGenerator = KeyGenerator.getInstance(AES_ALGORITHM);
            keyGenerator.init(256);
            SecretKey generateKey = keyGenerator.generateKey();
            FileOutputStream fileOutputStream = new FileOutputStream(file);
            try {
                fileOutputStream.write(generateKey.getEncoded());
                fileOutputStream.close();
                makeKeyFileReadOnly(file);
            } finally {
            }
        } catch (IOException | NoSuchAlgorithmException e) {
            throw new IllegalConfigurationException(String.format("Cannot create key file: %s", e.getMessage()), e);
        }
    }

    private static void makeKeyFileReadOnly(File file) throws IOException {
        if (isPosixFileSystem(file)) {
            Files.setPosixFilePermissions(file.toPath(), EnumSet.of(PosixFilePermission.OWNER_READ));
            return;
        }
        if (!isAclFileSystem(file)) {
            throw new IllegalConfigurationException(GENERAL_EXCEPTION_MESSAGE);
        }
        AclFileAttributeView aclFileAttributeView = (AclFileAttributeView) Files.getFileAttributeView(file.toPath(), AclFileAttributeView.class, new LinkOption[0]);
        ArrayList arrayList = new ArrayList(aclFileAttributeView.getAcl());
        ListIterator listIterator = arrayList.listIterator();
        file.setReadOnly();
        while (listIterator.hasNext()) {
            AclEntry aclEntry = (AclEntry) listIterator.next();
            EnumSet copyOf = EnumSet.copyOf((Collection) aclEntry.permissions());
            if (copyOf.removeAll(EnumSet.of(AclEntryPermission.APPEND_DATA, AclEntryPermission.DELETE, AclEntryPermission.EXECUTE, AclEntryPermission.WRITE_ACL, AclEntryPermission.WRITE_DATA, AclEntryPermission.WRITE_ATTRIBUTES, AclEntryPermission.WRITE_NAMED_ATTRS, AclEntryPermission.WRITE_OWNER))) {
                AclEntry.Builder newBuilder = AclEntry.newBuilder(aclEntry);
                newBuilder.setPermissions(copyOf);
                listIterator.set(newBuilder.build());
            }
        }
        aclFileAttributeView.setAcl(arrayList);
    }

    private static void createEmptyKeyFile(File file) throws IOException {
        Path path = file.getAbsoluteFile().getParentFile().toPath();
        if (isPosixFileSystem(file)) {
            Files.createDirectories(path, PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE, PosixFilePermission.OWNER_EXECUTE)));
            Files.createFile(file.toPath(), PosixFilePermissions.asFileAttribute(EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE)));
            return;
        }
        if (!isAclFileSystem(file)) {
            throw new IllegalConfigurationException(GENERAL_EXCEPTION_MESSAGE);
        }
        Files.createDirectories(path, new FileAttribute[0]);
        final UserPrincipal owner = Files.getOwner(path, new LinkOption[0]);
        AclFileAttributeView aclFileAttributeView = (AclFileAttributeView) Files.getFileAttributeView(path, AclFileAttributeView.class, new LinkOption[0]);
        ArrayList arrayList = new ArrayList(aclFileAttributeView.getAcl());
        ListIterator<AclEntry> listIterator = arrayList.listIterator();
        boolean z = false;
        while (listIterator.hasNext()) {
            AclEntry next = listIterator.next();
            if (!owner.equals(next.principal())) {
                listIterator.remove();
            } else if (next.type() == AclEntryType.ALLOW) {
                z = true;
                AclEntry.Builder newBuilder = AclEntry.newBuilder(next);
                Set<AclEntryPermission> hashSet = next.permissions().isEmpty() ? new HashSet<>() : EnumSet.copyOf((Collection) next.permissions());
                hashSet.addAll(Arrays.asList(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.LIST_DIRECTORY));
                newBuilder.setPermissions(hashSet);
                listIterator.set(newBuilder.build());
            }
        }
        if (!z) {
            AclEntry.Builder newBuilder2 = AclEntry.newBuilder();
            newBuilder2.setPermissions(AclEntryPermission.ADD_FILE, AclEntryPermission.ADD_SUBDIRECTORY, AclEntryPermission.LIST_DIRECTORY);
            newBuilder2.setType(AclEntryType.ALLOW);
            newBuilder2.setPrincipal(owner);
            arrayList.add(newBuilder2.build());
        }
        aclFileAttributeView.setAcl(arrayList);
        Files.createFile(file.toPath(), new FileAttribute<List<AclEntry>>() { // from class: org.apache.qpid.server.security.encryption.AbstractAESKeyFileEncrypterFactory.1
            @Override // java.nio.file.attribute.FileAttribute
            public String name() {
                return "acl:acl";
            }

            /* JADX WARN: Can't rename method to resolve collision */
            @Override // java.nio.file.attribute.FileAttribute
            public List<AclEntry> value() {
                AclEntry.Builder newBuilder3 = AclEntry.newBuilder();
                newBuilder3.setType(AclEntryType.ALLOW);
                newBuilder3.setPermissions(EnumSet.allOf(AclEntryPermission.class));
                newBuilder3.setPrincipal(owner);
                return Collections.singletonList(newBuilder3.build());
            }
        });
    }

    public boolean isAvailable() {
        return IS_AVAILABLE;
    }

    protected abstract ConfigurationSecretEncrypter createEncrypter(SecretKeySpec secretKeySpec);

    static {
        boolean z;
        try {
            int maxAllowedKeyLength = Cipher.getMaxAllowedKeyLength(AES_ALGORITHM);
            z = maxAllowedKeyLength >= 256;
            if (!z) {
                LOGGER.info("The {} configuration encryption encryption mechanism is not available. Maximum available AES key length is {} but {} is required. Ensure the full strength JCE policy has been installed into your JVM.", new Object[]{AES_ALGORITHM, Integer.valueOf(maxAllowedKeyLength), 256});
            }
        } catch (NoSuchAlgorithmException e) {
            z = false;
            LOGGER.error("The {} configuration encryption mechanism is not available. The {} algorithm is not available within the JVM (despite it being a requirement).", AES_ALGORITHM, AES_ALGORITHM);
        }
        IS_AVAILABLE = z;
    }
}
