package org.apache.qpid.server.security;

import java.io.IOException;
import java.security.AccessControlException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.Set;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.ManagedObjectFactoryConstructor;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.security.access.Operation;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.transport.network.security.ssl.QpidMultipleTrustManager;
import org.apache.qpid.transport.network.security.ssl.QpidPeersOnlyTrustManager;
import org.apache.qpid.transport.network.security.ssl.SSLUtil;

/* loaded from: input_file:org/apache/qpid/server/security/FileTrustStoreImpl.class */
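/**
 * Trust store backed by a key store file on disk.
 *
 * <p>The key store is loaded through {@link SSLUtil#getInitializedKeyStore}
 * and fed to a {@link TrustManagerFactory}; every {@link X509TrustManager}
 * the factory yields is collected into a single {@link QpidMultipleTrustManager},
 * optionally wrapped in {@link QpidPeersOnlyTrustManager} when
 * {@code peersOnly} is set (see {@link #getTrustManagers()}).
 *
 * <p>Deletion is refused while a port or a SimpleLDAP authentication
 * provider still references this store by name, and the object must
 * always be durable.
 *
 * <p>Decompiler note: {@code setState} and {@code validateChange} were
 * reported as originally {@code protected}; they are kept {@code public}
 * here so the recovered interface is unchanged.
 */
public class FileTrustStoreImpl extends AbstractConfiguredObject<FileTrustStoreImpl> implements FileTrustStore<FileTrustStoreImpl> {

    // Managed attributes. Nothing in this class assigns them apart from
    // setPassword(); presumably the configured-object framework populates
    // them from the attribute map through @ManagedAttributeField — confirm.
    @ManagedAttributeField
    private String _trustStoreType;

    @ManagedAttributeField
    private String _trustManagerFactoryAlgorithm;

    @ManagedAttributeField
    private String _path;

    @ManagedAttributeField
    private boolean _peersOnly;

    @ManagedAttributeField
    private String _password;

    /** Owning broker; consulted for ports, authentication providers and the security manager. */
    private final Broker<?> _broker;

    /**
     * Creates the trust store as a child of {@code broker}.
     *
     * @param map    attribute map handed to the configured-object base class
     * @param broker owning broker
     */
    @ManagedObjectFactoryConstructor
    public FileTrustStoreImpl(Map<String, Object> map, Broker<?> broker) {
        super(parentsMap(broker), map);
        this._broker = broker;
    }

    /**
     * Validates the initial configuration: the key store file must load and
     * the object must be durable.
     *
     * @throws IllegalConfigurationException if the key store cannot be loaded
     *         or the trust manager factory algorithm is unknown
     * @throws IllegalArgumentException if the object is not durable
     */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void onValidate() {
        super.onValidate();
        validateTrustStore(this);
        if (!isDurable()) {
            throw new IllegalArgumentException(getClass().getSimpleName() + " must be durable");
        }
    }

    /** A file trust store has no lifecycle of its own; it is always reported as {@link State#ACTIVE}. */
    @Override // org.apache.qpid.server.model.ConfiguredObject
    public State getState() {
        return State.ACTIVE;
    }

    /**
     * Handles state changes. Only {@link State#DELETED} is supported; any
     * other target state is ignored and {@code false} is returned.
     *
     * <p>Deletion is refused while this store is still referenced by a port
     * or by a SimpleLDAP authentication provider, so a dependent component
     * can never be left pointing at a store that no longer exists.
     *
     * @param state requested state
     * @return {@code true} if the object was deleted, {@code false} otherwise
     * @throws IntegrityViolationException if the store is still in use
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public boolean setState(State state) {
        if (state != State.DELETED) {
            return false;
        }
        String name = getName();

        // Iterate over snapshots so changes to the broker's collections
        // during the scan cannot disturb the loop.
        for (Port<?> port : new ArrayList<Port<?>>(this._broker.getPorts())) {
            Collection<TrustStore> trustStores = port.getTrustStores();
            if (trustStores == null) {
                continue;
            }
            for (TrustStore trustStore : trustStores) {
                if (name.equals(trustStore.getAttribute(ConfiguredObject.NAME))) {
                    throw new IntegrityViolationException("Trust store '" + name + "' can't be deleted as it is in use by a port: " + port.getName());
                }
            }
        }

        for (AuthenticationProvider<?> authenticationProvider : new ArrayList<AuthenticationProvider<?>>(this._broker.getAuthenticationProviders())) {
            if (!authenticationProvider.getAttributeNames().contains(SimpleLDAPAuthenticationManager.TRUST_STORE)) {
                continue;
            }
            Object providerType = authenticationProvider.getAttribute(ConfiguredObject.TYPE);
            Object referencedTrustStore = authenticationProvider.getAttribute(SimpleLDAPAuthenticationManager.TRUST_STORE);
            // Only the SimpleLDAP provider type is known to reference a trust store by name.
            if (SimpleLDAPAuthenticationManager.PROVIDER_TYPE.equals(providerType) && name.equals(referencedTrustStore)) {
                throw new IntegrityViolationException("Trust store '" + name + "' can't be deleted as it is in use by an authentication manager: " + authenticationProvider.getName());
            }
        }

        deleted();
        return true;
    }

    /**
     * Authorises a desired-state change; only deletion is access-checked.
     *
     * @param state requested desired state
     * @throws AccessControlException if deletion is not permitted for the caller
     */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    protected void authoriseSetDesiredState(State state) throws AccessControlException {
        if (state == State.DELETED && !this._broker.getSecurityManager().authoriseConfiguringBroker(getName(), TrustStore.class, Operation.DELETE)) {
            // Message previously said "key store"; this object is a trust store.
            throw new AccessControlException("Deletion of trust store is denied");
        }
    }

    /**
     * Authorises an attribute update against the broker security manager.
     *
     * @param configuredObject proxy carrying the proposed attributes (unused here)
     * @param set              names of the attributes being changed (unused here)
     * @throws AccessControlException if UPDATE is not permitted for the caller
     */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    protected void authoriseSetAttributes(ConfiguredObject<?> configuredObject, Set<String> set) throws AccessControlException {
        if (!this._broker.getSecurityManager().authoriseConfiguringBroker(getName(), TrustStore.class, Operation.UPDATE)) {
            // Message previously said "key store"; this object is a trust store.
            throw new AccessControlException("Setting trust store attributes is denied");
        }
    }

    /**
     * Validates a proposed attribute change. A change whose desired state is
     * DELETED is accepted without further checks (deletion is validated in
     * {@link #setState}); otherwise the name may not change, the object must
     * stay durable, and the proposed key store must load.
     *
     * @param configuredObject proxy carrying the proposed attribute values
     * @param set              names of the attributes being changed
     * @throws IllegalConfigurationException if the name changes or the key store cannot be loaded
     * @throws IllegalArgumentException if the object would no longer be durable
     */
    /* JADX INFO: Access modifiers changed from: protected */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject
    public void validateChange(ConfiguredObject<?> configuredObject, Set<String> set) {
        super.validateChange(configuredObject, set);
        FileTrustStore<?> proposed = (FileTrustStore<?>) configuredObject;
        if (set.contains(ConfiguredObject.DESIRED_STATE) && proposed.getDesiredState() == State.DELETED) {
            return;
        }
        if (set.contains(ConfiguredObject.NAME) && !getName().equals(proposed.getName())) {
            throw new IllegalConfigurationException("Changing the trust store name is not allowed");
        }
        if (set.contains(ConfiguredObject.DURABLE) && !configuredObject.isDurable()) {
            throw new IllegalArgumentException(getClass().getSimpleName() + " must be durable");
        }
        validateTrustStore(proposed);
    }

    /**
     * Checks that the key store described by {@code fileTrustStore} can be
     * loaded and that its trust manager factory algorithm is available.
     *
     * <p>The two checks are deliberately in separate {@code try} blocks: in
     * the original nesting the "Unknown trustManagerFactoryAlgorithm" error
     * was caught by the enclosing {@code catch (Exception)} and re-reported
     * as "Cannot instantiate trust store", hiding the real cause.
     *
     * @param fileTrustStore attributes to validate
     * @throws IllegalConfigurationException if the key store cannot be loaded,
     *         the algorithm is unset, or the algorithm is unknown
     */
    private static void validateTrustStore(FileTrustStore<?> fileTrustStore) {
        try {
            SSLUtil.getInitializedKeyStore(fileTrustStore.getPath(), fileTrustStore.getPassword(), fileTrustStore.getTrustStoreType());
        } catch (Exception e) {
            // Broad catch kept on purpose: a bad path, password or type may
            // surface as a runtime exception as well as IO/security ones.
            throw new IllegalConfigurationException("Cannot instantiate trust store at " + fileTrustStore.getPath(), e);
        }

        String algorithm = fileTrustStore.getTrustManagerFactoryAlgorithm();
        if (algorithm == null) {
            // TrustManagerFactory.getInstance(null) throws NullPointerException,
            // which the previous outer catch turned into a misleading message.
            throw new IllegalConfigurationException("trustManagerFactoryAlgorithm must be specified for trust store at " + fileTrustStore.getPath());
        }
        try {
            TrustManagerFactory.getInstance(algorithm);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalConfigurationException("Unknown trustManagerFactoryAlgorithm: " + algorithm, e);
        }
    }

    /**
     * Returns the attribute value, answering "state" from {@link #getState()}
     * rather than from the stored attributes.
     */
    @Override // org.apache.qpid.server.model.AbstractConfiguredObject, org.apache.qpid.server.model.ConfiguredObject
    public Object getAttribute(String str) {
        return "state".equals(str) ? getState() : super.getAttribute(str);
    }

    /** @return path of the key store file */
    @Override // org.apache.qpid.server.security.FileTrustStore
    public String getPath() {
        return this._path;
    }

    /** @return algorithm name passed to {@link TrustManagerFactory#getInstance(String)} */
    @Override // org.apache.qpid.server.security.FileTrustStore
    public String getTrustManagerFactoryAlgorithm() {
        return this._trustManagerFactoryAlgorithm;
    }

    /** @return key store type passed to {@link SSLUtil#getInitializedKeyStore} */
    @Override // org.apache.qpid.server.security.FileTrustStore
    public String getTrustStoreType() {
        return this._trustStoreType;
    }

    /** @return whether X509 trust managers are wrapped in {@link QpidPeersOnlyTrustManager} */
    @Override // org.apache.qpid.server.security.FileTrustStore
    public boolean isPeersOnly() {
        return this._peersOnly;
    }

    /**
     * @return the key store password. The interface exposes it as a
     *         {@code String}; callers should avoid logging or echoing it.
     */
    @Override // org.apache.qpid.server.security.FileTrustStore
    public String getPassword() {
        return this._password;
    }

    /** Replaces the key store password. */
    @Override // org.apache.qpid.server.security.FileTrustStore
    public void setPassword(String str) {
        this._password = str;
    }

    /**
     * Loads the key store and builds the trust managers for it.
     *
     * <p>All {@link X509TrustManager}s produced by the factory are folded into
     * one {@link QpidMultipleTrustManager}; with {@code peersOnly} each is first
     * wrapped in a {@link QpidPeersOnlyTrustManager} bound to the loaded key
     * store. Non-X509 managers are passed through unchanged.
     *
     * @return the trust managers, or {@code null} when the factory yielded none
     *         (callers already rely on the {@code null} convention)
     * @throws GeneralSecurityException if the key store cannot be loaded or the
     *         factory cannot be initialised; an {@link IOException} from the
     *         file is wrapped in one
     */
    @Override // org.apache.qpid.server.model.TrustStore
    public TrustManager[] getTrustManagers() throws GeneralSecurityException {
        try {
            KeyStore keyStore = SSLUtil.getInitializedKeyStore(this._path, getPassword(), this._trustStoreType);
            TrustManagerFactory factory = TrustManagerFactory.getInstance(this._trustManagerFactoryAlgorithm);
            factory.init(keyStore);

            List<TrustManager> result = new ArrayList<TrustManager>();
            QpidMultipleTrustManager x509Managers = new QpidMultipleTrustManager();
            for (TrustManager trustManager : factory.getTrustManagers()) {
                if (!(trustManager instanceof X509TrustManager)) {
                    result.add(trustManager);
                } else if (this._peersOnly) {
                    x509Managers.addTrustManager(new QpidPeersOnlyTrustManager(keyStore, (X509TrustManager) trustManager));
                } else {
                    x509Managers.addTrustManager((X509TrustManager) trustManager);
                }
            }
            if (!x509Managers.isEmpty()) {
                result.add(x509Managers);
            }
            if (result.isEmpty()) {
                return null;
            }
            return result.toArray(new TrustManager[result.size()]);
        } catch (IOException e) {
            throw new GeneralSecurityException(e);
        }
    }
}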
