package org.apache.qpid.server.security;

import com.google.common.collect.Sets;
import com.google.common.util.concurrent.Futures;
import com.google.common.util.concurrent.ListenableFuture;
import java.security.GeneralSecurityException;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.TrustAnchor;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.HashSet;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.qpid.server.configuration.IllegalConfigurationException;
import org.apache.qpid.server.logging.EventLogger;
import org.apache.qpid.server.logging.messages.TrustStoreMessages;
import org.apache.qpid.server.model.AbstractConfigurationChangeListener;
import org.apache.qpid.server.model.AbstractConfiguredObject;
import org.apache.qpid.server.model.AuthenticationProvider;
import org.apache.qpid.server.model.Broker;
import org.apache.qpid.server.model.ConfiguredObject;
import org.apache.qpid.server.model.ContextProvider;
import org.apache.qpid.server.model.IntegrityViolationException;
import org.apache.qpid.server.model.ManagedAttributeField;
import org.apache.qpid.server.model.Port;
import org.apache.qpid.server.model.State;
import org.apache.qpid.server.model.TrustStore;
import org.apache.qpid.server.model.VirtualHostNode;
import org.apache.qpid.server.security.AbstractTrustStore;
import org.apache.qpid.server.security.auth.manager.SimpleLDAPAuthenticationManager;
import org.apache.qpid.server.security.auth.manager.oauth2.OAuth2AuthenticationProvider;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apache/qpid/server/security/AbstractTrustStore.class */
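/**
 * Shared behaviour for the broker's {@link TrustStore} implementations: lifecycle event
 * logging, the scheduled certificate-expiry warning task, the in-use checks that guard
 * deletion and, when {@code trustAnchorValidityEnforced} is set, wrapping of the concrete
 * store's {@link X509TrustManager}s in a {@link TrustAnchorValidatingTrustManager}.
 *
 * <p>Subclasses supply the certificates ({@code getCertificates()}, declared on
 * {@link TrustStore}) and the underlying trust managers ({@link #getTrustManagersInternal()}).
 */
public abstract class AbstractTrustStore<X extends AbstractTrustStore<X>> extends AbstractConfiguredObject<X> implements TrustStore<X> {
    private static final Logger LOGGER = LoggerFactory.getLogger(AbstractTrustStore.class);

    /** Milliseconds per day; the expiry warn period is configured in whole days. */
    protected static final long ONE_DAY = 86400000;

    /** Fallback (days) when the warn-period context variable is unset or not an integer. */
    private static final int DEFAULT_EXPIRY_WARN_PERIOD_DAYS = 30;

    /** Fallback (days) when the check-frequency context variable is unset or not an integer. */
    private static final int DEFAULT_EXPIRY_CHECK_FREQUENCY_DAYS = 1;

    private final Broker<?> _broker;
    private final EventLogger _eventLogger;

    @ManagedAttributeField
    private boolean _exposedAsMessageSource;

    @ManagedAttributeField
    private List<VirtualHostNode<?>> _includedVirtualHostNodeMessageSources;

    @ManagedAttributeField
    private List<VirtualHostNode<?>> _excludedVirtualHostNodeMessageSources;

    @ManagedAttributeField
    private boolean _trustAnchorValidityEnforced;

    // Handle of the scheduled expiry check; null until scheduled and again after close.
    // NOTE(review): assigned from a broker state-change listener in initializeExpiryChecking()
    // and read/cleared in onClose(); whether those run on one thread is not visible here.
    private ScheduledFuture<?> _checkExpiryTaskFuture;

    /**
     * Creates the store and records a CREATE event with the broker's event logger.
     *
     * @param attributes configured attributes, handed to the model base class
     * @param broker     owning broker; used for event logging, in-use checks and housekeeping
     */
    public AbstractTrustStore(Map<String, Object> attributes, Broker<?> broker) {
        super(broker, attributes);
        _broker = broker;
        _eventLogger = broker.getEventLogger();
        // getName() is resolved by the model base class from the attributes passed to super().
        _eventLogger.message(TrustStoreMessages.CREATE(getName()));
    }

    /** The broker this store belongs to. */
    public final Broker<?> getBroker() {
        return _broker;
    }

    /** The broker's event logger, captured at construction. */
    final EventLogger getEventLogger() {
        return _eventLogger;
    }

    /**
     * Cancels the pending expiry check (a check already running is allowed to finish)
     * and completes immediately.
     */
    @Override
    protected ListenableFuture<Void> onClose() {
        ScheduledFuture<?> pending = _checkExpiryTaskFuture;
        if (pending != null) {
            pending.cancel(false);
            _checkExpiryTaskFuture = null;
        }
        return Futures.immediateFuture(null);
    }

    /** Records a management operation against this store as an OPERATION event. */
    @Override
    public void logOperation(String operation) {
        _broker.getEventLogger().message(TrustStoreMessages.OPERATION(operation));
    }

    /**
     * Arranges for {@link #checkCertificateExpiry()} to run as a broker housekeeping task
     * every {@link #getCertificateExpiryCheckFrequency()} days. If the broker is not yet
     * ACTIVE, scheduling is deferred until it becomes so via a one-shot change listener.
     */
    public void initializeExpiryChecking() {
        final int frequencyDays = getCertificateExpiryCheckFrequency();
        if (getBroker().getState() == State.ACTIVE) {
            scheduleExpiryCheck(frequencyDays);
            return;
        }
        getBroker().addChangeListener(new AbstractConfigurationChangeListener() {
            @Override
            public void stateChanged(ConfiguredObject<?> object, State oldState, State newState) {
                if (newState == State.ACTIVE) {
                    scheduleExpiryCheck(frequencyDays);
                    // One-shot listener: detach once the task has been scheduled.
                    AbstractTrustStore.this.getBroker().removeChangeListener(this);
                }
            }
        });
    }

    /** Schedules the periodic expiry check and keeps its handle so {@link #onClose()} can cancel it. */
    private void scheduleExpiryCheck(int frequencyDays) {
        // NOTE(review): a frequency <= 0 is passed through unchanged; how
        // scheduleHouseKeepingTask treats that is not visible from here.
        _checkExpiryTaskFuture = getBroker().scheduleHouseKeepingTask(frequencyDays, TimeUnit.DAYS, this::checkCertificateExpiry);
    }

    /**
     * Deletes this store unless a port or an authentication provider still references it.
     *
     * <p>Ports are matched by the {@code name} attribute of their configured trust stores;
     * the LDAP and OAuth2 authentication providers are matched by object identity.
     *
     * @return an already-completed future
     * @throws IntegrityViolationException if the store is still in use (thrown synchronously,
     *                                     not through the returned future)
     */
    public final ListenableFuture<Void> deleteIfNotInUse() {
        String name = getName();
        // Iterate over snapshots: the broker's collections may change while we scan them.
        for (Port port : new ArrayList<>(_broker.getPorts())) {
            Collection<TrustStore> portTrustStores = port.getTrustStores();
            if (portTrustStores == null) {
                continue;
            }
            for (TrustStore trustStore : portTrustStores) {
                if (name.equals(trustStore.getAttribute("name"))) {
                    throw new IntegrityViolationException("Trust store '" + name + "' can't be deleted as it is in use by a port: " + port.getName());
                }
            }
        }
        for (AuthenticationProvider authenticationProvider : new ArrayList<>(_broker.getAuthenticationProviders())) {
            if (referencesThisStore(authenticationProvider)) {
                throw new IntegrityViolationException(String.format("Trust store '%s' can't be deleted as it is in use by an authentication manager: '%s'", getName(), authenticationProvider.getName()));
            }
        }
        deleted();
        setState(State.DELETED);
        _eventLogger.message(TrustStoreMessages.DELETE(getName()));
        return Futures.immediateFuture(null);
    }

    /**
     * Whether {@code provider} is one of the two provider types that carry a trust store
     * and is configured with exactly this store instance.
     */
    private boolean referencesThisStore(AuthenticationProvider<?> provider) {
        ContextProvider configured = null;
        if (provider instanceof SimpleLDAPAuthenticationManager) {
            configured = ((SimpleLDAPAuthenticationManager) provider).getTrustStore();
        } else if (provider instanceof OAuth2AuthenticationProvider) {
            configured = ((OAuth2AuthenticationProvider) provider).getTrustStore();
        }
        return configured == this;
    }

    /**
     * Housekeeping task: logs an EXPIRING event for every X.509 certificate in the store
     * whose validity ends within the configured warn period. A warn period of zero or less
     * disables the check. Non-X.509 entries are ignored.
     */
    public void checkCertificateExpiry() {
        int warnPeriodDays = getCertificateExpiryWarnPeriod();
        if (warnPeriodDays <= 0) {
            return;
        }
        final long now = System.currentTimeMillis();
        // A certificate that is no longer valid at this instant counts as "expiring".
        final Date warnThreshold = new Date(now + ONE_DAY * warnPeriodDays);
        try {
            Certificate[] certificates = getCertificates();
            if (certificates == null) {
                return;
            }
            Arrays.stream(certificates)
                  .filter(certificate -> certificate instanceof X509Certificate)
                  .forEach(certificate -> checkCertificateExpiry(now, warnThreshold, (X509Certificate) certificate));
        } catch (GeneralSecurityException e) {
            // A failed check must be visible to operators: at DEBUG it goes unnoticed and an
            // expiring trust anchor would then reach its end date without any warning.
            LOGGER.warn("Unexpected exception whilst checking certificate expiry for truststore {}", getName(), e);
        }
    }

    /**
     * Logs an EXPIRING event if {@code certificate} is no longer valid at {@code warnThreshold},
     * reporting the whole days left from {@code now} (clamped to zero once already expired).
     * A certificate that is not yet valid at the threshold is outside this check's remit and is
     * only noted at DEBUG.
     */
    private void checkCertificateExpiry(long now, Date warnThreshold, X509Certificate certificate) {
        try {
            certificate.checkValidity(warnThreshold);
        } catch (CertificateExpiredException e) {
            long millisRemaining = certificate.getNotAfter().getTime() - now;
            int daysRemaining = Math.max(0, (int) (millisRemaining / ONE_DAY));
            // getSubjectDN() is deliberately kept (rather than getSubjectX500Principal()) so the
            // subject text in the emitted event stays byte-identical for anyone parsing it.
            getEventLogger().message(TrustStoreMessages.EXPIRING(getName(), String.valueOf(daysRemaining), certificate.getSubjectDN().toString()));
        } catch (CertificateNotYetValidException e) {
            LOGGER.debug("Certificate '{}' in truststore {} is not yet valid", certificate.getSubjectDN(), getName());
        }
    }

    /**
     * Returns the store's trust managers. When trust-anchor validity is enforced, each
     * {@link X509TrustManager} from the subclass is wrapped in a
     * {@link TrustAnchorValidatingTrustManager} built from the store's contents: self-signed
     * X.509 certificates (see {@link #isSelfSigned}) become {@link TrustAnchor}s and every
     * other entry — including non-X.509 certificates — is passed as an "other" certificate.
     * Trust managers that are not {@link X509TrustManager}s are returned untouched.
     *
     * @throws GeneralSecurityException from the subclass, or when a certificate's signature
     *                                  cannot be checked for a reason other than a key/signature
     *                                  mismatch (e.g. an unsupported algorithm)
     */
    @Override
    public final TrustManager[] getTrustManagers() throws GeneralSecurityException {
        if (!isTrustAnchorValidityEnforced()) {
            return getTrustManagersInternal();
        }
        HashSet<TrustAnchor> trustAnchors = new HashSet<>();
        HashSet<Certificate> otherCertificates = new HashSet<>();
        Certificate[] certificates = getCertificates();
        if (certificates != null) {
            // De-duplicate first so a certificate present twice yields a single anchor.
            for (Certificate certificate : new HashSet<>(Arrays.asList(certificates))) {
                if (certificate instanceof X509Certificate && isSelfSigned((X509Certificate) certificate)) {
                    trustAnchors.add(new TrustAnchor((X509Certificate) certificate, null));
                } else {
                    otherCertificates.add(certificate);
                }
            }
        }
        TrustManager[] delegates = getTrustManagersInternal();
        TrustManager[] wrapped = new TrustManager[delegates.length];
        for (int i = 0; i < delegates.length; i++) {
            TrustManager delegate = delegates[i];
            if (delegate instanceof X509TrustManager) {
                wrapped[i] = new TrustAnchorValidatingTrustManager(getName(), (X509TrustManager) delegate, trustAnchors, otherCertificates);
            } else {
                wrapped[i] = delegate;
            }
        }
        return wrapped;
    }

    /** The subclass's unwrapped trust managers. */
    protected abstract TrustManager[] getTrustManagersInternal() throws GeneralSecurityException;

    /**
     * Days before expiry at which EXPIRING events start, read from the
     * {@code TrustStore.CERTIFICATE_EXPIRY_WARN_PERIOD} context variable. Falls back to 30
     * (logging a WARN) when the variable is unset or cannot be converted to an integer.
     */
    @Override
    public final int getCertificateExpiryWarnPeriod() {
        try {
            Integer configured = (Integer) getContextValue(Integer.class, TrustStore.CERTIFICATE_EXPIRY_WARN_PERIOD);
            if (configured != null) {
                return configured;
            }
        } catch (IllegalArgumentException | NullPointerException ignored) {
            // Unconvertible value: handled by the default below.
        }
        LOGGER.warn("The value of the context variable '{}' for truststore {} cannot be converted to an integer. The value {} will be used as a default", new Object[]{TrustStore.CERTIFICATE_EXPIRY_WARN_PERIOD, getName(), DEFAULT_EXPIRY_WARN_PERIOD_DAYS});
        return DEFAULT_EXPIRY_WARN_PERIOD_DAYS;
    }

    /**
     * Interval in days between expiry checks, read from the
     * {@code TrustStore.CERTIFICATE_EXPIRY_CHECK_FREQUENCY} context variable. Falls back to 1
     * (logging a WARN) when the variable is unset or cannot be converted to an integer.
     */
    @Override
    public int getCertificateExpiryCheckFrequency() {
        try {
            Integer configured = (Integer) getContextValue(Integer.class, TrustStore.CERTIFICATE_EXPIRY_CHECK_FREQUENCY);
            if (configured != null) {
                return configured;
            }
            LOGGER.warn("Cannot parse the context variable {} ", TrustStore.CERTIFICATE_EXPIRY_CHECK_FREQUENCY);
        } catch (IllegalArgumentException | NullPointerException e) {
            LOGGER.warn("Cannot parse the context variable {} ", TrustStore.CERTIFICATE_EXPIRY_CHECK_FREQUENCY, e);
        }
        return DEFAULT_EXPIRY_CHECK_FREQUENCY_DAYS;
    }

    /** Whether chains are additionally validated against the store's self-signed anchors. */
    @Override
    public boolean isTrustAnchorValidityEnforced() {
        return _trustAnchorValidityEnforced;
    }

    @Override
    public boolean isExposedAsMessageSource() {
        return _exposedAsMessageSource;
    }

    @Override
    public List<VirtualHostNode<?>> getIncludedVirtualHostNodeMessageSources() {
        return _includedVirtualHostNodeMessageSources;
    }

    @Override
    public List<VirtualHostNode<?>> getExcludedVirtualHostNodeMessageSources() {
        return _excludedVirtualHostNodeMessageSources;
    }

    /**
     * Details of every X.509 certificate in the store, in the order the subclass returns
     * them; non-X.509 entries are skipped.
     *
     * @throws IllegalConfigurationException if the certificates cannot be read
     */
    @Override
    public List<CertificateDetails> getCertificateDetails() {
        try {
            Certificate[] certificates = getCertificates();
            if (certificates == null || certificates.length == 0) {
                return Collections.emptyList();
            }
            return Arrays.stream(certificates)
                         .filter(certificate -> certificate instanceof X509Certificate)
                         .<CertificateDetails>map(certificate -> new CertificateDetailsImpl((X509Certificate) certificate))
                         .collect(Collectors.toList());
        } catch (GeneralSecurityException e) {
            throw new IllegalConfigurationException("Failed to extract certificate details", e);
        }
    }

    /**
     * True if the certificate's signature verifies under its own public key — i.e. it is
     * genuinely self-signed, not merely self-issued (subject equal to issuer). A key or
     * signature mismatch means "not self-signed"; any other failure (unsupported algorithm,
     * missing provider, malformed certificate) propagates so it is not mistaken for a plain
     * intermediate certificate.
     */
    private boolean isSelfSigned(X509Certificate certificate) throws GeneralSecurityException {
        try {
            certificate.verify(certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException | SignatureException e) {
            return false;
        }
    }
}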
