package org.geoserver.security;

import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.Enumeration;
import java.util.logging.Level;
import java.util.logging.Logger;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.geoserver.platform.resource.Resource;
import org.geotools.util.logging.Logging;
import org.springframework.beans.factory.BeanNameAware;

/* loaded from: input_file:org/geoserver/security/KeyStoreProviderImpl.class */
public class KeyStoreProviderImpl implements BeanNameAware, KeyStoreProvider {
    public static final String DEFAULT_BEAN_NAME = "DefaultKeyStoreProvider";
    public static final String DEFAULT_FILE_NAME = "geoserver.jceks";
    public static final String PREPARED_FILE_NAME = "geoserver.jceks.new";
    public static final String CONFIGPASSWORDKEY = "config:password:key";
    public static final String URLPARAMKEY = "url:param:key";
    public static final String USERGROUP_PREFIX = "ug:";
    public static final String USERGROUP_POSTFIX = ":key";
    protected static Logger LOGGER = Logging.getLogger("org.geoserver.security");
    protected String name;
    protected Resource keyStoreResource;
    protected KeyStore ks;
    public static final String KEYSTORETYPE = "JCEKS";
    GeoServerSecurityManager securityManager;

    public void setBeanName(String str) {
        this.name = str;
    }

    public String getName() {
        return this.name;
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public void setSecurityManager(GeoServerSecurityManager geoServerSecurityManager) {
        this.securityManager = geoServerSecurityManager;
    }

    public GeoServerSecurityManager getSecurityManager() {
        return this.securityManager;
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public Resource getResource() {
        if (this.keyStoreResource == null) {
            this.keyStoreResource = this.securityManager.security().get(DEFAULT_FILE_NAME);
        }
        return this.keyStoreResource;
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public void reloadKeyStore() throws IOException {
        this.ks = null;
        assertActivatedKeyStore();
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public Key getKey(String str) throws IOException {
        assertActivatedKeyStore();
        try {
            char[] masterPassword = this.securityManager.getMasterPassword();
            try {
                Key key = this.ks.getKey(str, masterPassword);
                this.securityManager.disposePassword(masterPassword);
                return key;
            } catch (Throwable th) {
                this.securityManager.disposePassword(masterPassword);
                throw th;
            }
        } catch (Exception e) {
            throw new IOException(e);
        }
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public byte[] getConfigPasswordKey() throws IOException {
        SecretKey secretKey = getSecretKey(CONFIGPASSWORDKEY);
        if (secretKey == null) {
            return null;
        }
        return secretKey.getEncoded();
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public boolean hasConfigPasswordKey() throws IOException {
        return containsAlias(CONFIGPASSWORDKEY);
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public boolean containsAlias(String str) throws IOException {
        assertActivatedKeyStore();
        try {
            return this.ks.containsAlias(str);
        } catch (KeyStoreException e) {
            throw new IOException(e);
        }
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public byte[] getUserGroupKey(String str) throws IOException {
        SecretKey secretKey = getSecretKey(aliasForGroupService(str));
        if (secretKey == null) {
            return null;
        }
        return secretKey.getEncoded();
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public boolean hasUserGroupKey(String str) throws IOException {
        return containsAlias(aliasForGroupService(str));
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public SecretKey getSecretKey(String str) throws IOException {
        Key key = getKey(str);
        if (key == null) {
            return null;
        }
        if (key instanceof SecretKey) {
            return (SecretKey) key;
        }
        throw new IOException("Invalid key type for: " + str);
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public PublicKey getPublicKey(String str) throws IOException {
        Key key = getKey(str);
        if (key == null) {
            return null;
        }
        if (key instanceof PublicKey) {
            return (PublicKey) key;
        }
        throw new IOException("Invalid key type for: " + str);
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public PrivateKey getPrivateKey(String str) throws IOException {
        Key key = getKey(str);
        if (key == null) {
            return null;
        }
        if (key instanceof PrivateKey) {
            return (PrivateKey) key;
        }
        throw new IOException("Invalid key type for: " + str);
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public String aliasForGroupService(String str) {
        StringBuffer stringBuffer = new StringBuffer(USERGROUP_PREFIX);
        stringBuffer.append(str);
        stringBuffer.append(USERGROUP_POSTFIX);
        return stringBuffer.toString();
    }

    protected void assertActivatedKeyStore() throws IOException {
        if (this.ks != null) {
            return;
        }
        char[] masterPassword = this.securityManager.getMasterPassword();
        try {
            try {
                this.ks = KeyStore.getInstance(KEYSTORETYPE);
                if (getResource().getType() == Resource.Type.UNDEFINED) {
                    this.ks.load(null, masterPassword);
                    addInitialKeys();
                    OutputStream out = getResource().out();
                    try {
                        this.ks.store(out, masterPassword);
                        if (out != null) {
                            out.close();
                        }
                    } catch (Throwable th) {
                        if (out != null) {
                            try {
                                out.close();
                            } catch (Throwable th2) {
                                th.addSuppressed(th2);
                            }
                        }
                        throw th;
                    }
                } else {
                    InputStream in = getResource().in();
                    try {
                        this.ks.load(in, masterPassword);
                        if (in != null) {
                            in.close();
                        }
                    } catch (Throwable th3) {
                        if (in != null) {
                            try {
                                in.close();
                            } catch (Throwable th4) {
                                th3.addSuppressed(th4);
                            }
                        }
                        throw th3;
                    }
                }
            } finally {
                this.securityManager.disposePassword(masterPassword);
            }
        } catch (Exception e) {
            if (!(e instanceof IOException)) {
                throw new IOException(e);
            }
            throw ((IOException) e);
        }
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public boolean isKeyStorePassword(char[] cArr) throws IOException {
        if (cArr == null) {
            return false;
        }
        assertActivatedKeyStore();
        try {
            KeyStore keyStore = KeyStore.getInstance(KEYSTORETYPE);
            try {
                InputStream in = getResource().in();
                try {
                    keyStore.load(in, cArr);
                    if (in != null) {
                        in.close();
                    }
                    return true;
                } finally {
                }
            } catch (IOException e) {
                return false;
            } catch (Exception e2) {
                throw new RuntimeException(e2);
            }
        } catch (KeyStoreException e3) {
            throw new RuntimeException(e3);
        }
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public void setSecretKey(String str, char[] cArr) throws IOException {
        assertActivatedKeyStore();
        KeyStore.SecretKeyEntry secretKeyEntry = new KeyStore.SecretKeyEntry(new SecretKeySpec(SecurityUtils.toBytes(cArr), "PBE"));
        char[] masterPassword = this.securityManager.getMasterPassword();
        try {
            try {
                this.ks.setEntry(str, secretKeyEntry, new KeyStore.PasswordProtection(masterPassword));
                this.securityManager.disposePassword(masterPassword);
            } catch (KeyStoreException e) {
                throw new IOException(e);
            }
        } catch (Throwable th) {
            this.securityManager.disposePassword(masterPassword);
            throw th;
        }
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public void setUserGroupKey(String str, char[] cArr) throws IOException {
        setSecretKey(aliasForGroupService(str), cArr);
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public void removeKey(String str) throws IOException {
        assertActivatedKeyStore();
        try {
            this.ks.deleteEntry(str);
        } catch (KeyStoreException e) {
            throw new IOException(e);
        }
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public void storeKeyStore() throws IOException {
        assertActivatedKeyStore();
        OutputStream out = getResource().out();
        try {
            char[] masterPassword = this.securityManager.getMasterPassword();
            try {
                try {
                    this.ks.store(out, masterPassword);
                    this.securityManager.disposePassword(masterPassword);
                    if (out != null) {
                        out.close();
                    }
                } catch (Throwable th) {
                    this.securityManager.disposePassword(masterPassword);
                    throw th;
                }
            } catch (Exception e) {
                throw new IOException(e);
            }
        } catch (Throwable th2) {
            if (out != null) {
                try {
                    out.close();
                } catch (Throwable th3) {
                    th2.addSuppressed(th3);
                }
            }
            throw th2;
        }
    }

    protected void addInitialKeys() throws IOException {
        setSecretKey(CONFIGPASSWORDKEY, getSecurityManager().getRandomPassworddProvider().getRandomPasswordWithDefaultLength());
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public void prepareForMasterPasswordChange(char[] cArr, char[] cArr2) throws IOException {
        Resource resource = getResource().parent().get(PREPARED_FILE_NAME);
        if (resource.getType() != Resource.Type.UNDEFINED) {
            resource.delete();
        }
        try {
            KeyStore keyStore = KeyStore.getInstance(KEYSTORETYPE);
            InputStream in = getResource().in();
            try {
                keyStore.load(in, cArr);
                if (in != null) {
                    in.close();
                }
                KeyStore keyStore2 = KeyStore.getInstance(KEYSTORETYPE);
                keyStore2.load(null, cArr2);
                KeyStore.PasswordProtection passwordProtection = new KeyStore.PasswordProtection(cArr2);
                Enumeration<String> aliases = keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    String nextElement = aliases.nextElement();
                    Key key = keyStore.getKey(nextElement, cArr);
                    KeyStore.Entry entry = null;
                    if (key instanceof SecretKey) {
                        entry = new KeyStore.SecretKeyEntry((SecretKey) key);
                    }
                    if (key instanceof PrivateKey) {
                        entry = new KeyStore.PrivateKeyEntry((PrivateKey) key, keyStore.getCertificateChain(nextElement));
                    }
                    if (key instanceof PublicKey) {
                        entry = new KeyStore.TrustedCertificateEntry(keyStore.getCertificate(nextElement));
                    }
                    if (entry == null) {
                        LOGGER.warning("Unknown key in store, alias: " + nextElement + " class: " + key.getClass().getName());
                    } else {
                        keyStore2.setEntry(nextElement, entry, passwordProtection);
                    }
                }
                OutputStream out = resource.out();
                try {
                    keyStore2.store(out, cArr2);
                    if (out != null) {
                        out.close();
                    }
                } finally {
                }
            } finally {
            }
        } catch (Exception e) {
            throw new IOException(e);
        }
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public void abortMasterPasswordChange() {
    }

    @Override // org.geoserver.security.KeyStoreProvider
    public void commitMasterPasswordChange() throws IOException {
        Resource parent = getResource().parent();
        Resource resource = parent.get(PREPARED_FILE_NAME);
        Resource resource2 = parent.get(DEFAULT_FILE_NAME);
        if (resource.getType() == Resource.Type.UNDEFINED || resource2.getType() == Resource.Type.UNDEFINED) {
            return;
        }
        InputStream in = resource.in();
        char[] masterPassword = this.securityManager.getMasterPassword();
        try {
            try {
                KeyStore keyStore = KeyStore.getInstance(KEYSTORETYPE);
                keyStore.load(in, masterPassword);
                Enumeration<String> aliases = keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    keyStore.getKey(aliases.nextElement(), masterPassword);
                }
                in.close();
                InputStream inputStream = null;
                if (!resource2.delete()) {
                    LOGGER.severe("cannot delete " + resource2.path());
                    this.securityManager.disposePassword(masterPassword);
                    if (0 != 0) {
                        try {
                            inputStream.close();
                            return;
                        } catch (IOException e) {
                            return;
                        }
                    }
                    return;
                }
                if (resource.renameTo(resource2)) {
                    reloadKeyStore();
                    LOGGER.info("Successfully changed master password");
                    this.securityManager.disposePassword(masterPassword);
                    if (0 != 0) {
                        try {
                            inputStream.close();
                            return;
                        } catch (IOException e2) {
                            return;
                        }
                    }
                    return;
                }
                LOGGER.severe((("cannot rename " + resource.path()) + "to " + resource2.path()) + "Try to rename manually and restart");
                this.securityManager.disposePassword(masterPassword);
                if (0 != 0) {
                    try {
                        inputStream.close();
                    } catch (IOException e3) {
                    }
                }
            } catch (Throwable th) {
                this.securityManager.disposePassword(masterPassword);
                if (in != null) {
                    try {
                        in.close();
                    } catch (IOException e4) {
                    }
                }
                throw th;
            }
        } catch (IOException e5) {
            LOGGER.log(Level.WARNING, "Error creating new keystore: " + resource.path(), (Throwable) e5);
            throw e5;
        } catch (Exception e6) {
            throw new RuntimeException(e6);
        }
    }
}
