package com.tc.net.core.security;

import com.tc.config.schema.SecurityConfig;
import com.tc.license.LicenseManager;
import com.tc.logging.TCLogger;
import com.tc.logging.TCLogging;
import com.tc.net.core.BufferManagerFactory;
import com.tc.net.core.ssl.FixedAliasKeyManager;
import com.tc.net.core.ssl.IllegalCertificateURIException;
import com.tc.net.core.ssl.SSLBufferManagerFactory;
import com.tc.net.core.ssl.URISyntaxException;
import com.tc.util.Assert;
import com.tc.util.runtime.Os;
import com.terracotta.management.keychain.KeyChain;
import com.terracotta.management.keychain.URIKeyName;
import com.terracotta.management.security.SecretProvider;
import com.terracotta.management.security.SecretUtils;
import com.terracotta.management.user.UserRole;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.util.Arrays;
import java.util.Iterator;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/* loaded from: input_file:L1/terracotta-l1-ee-4.0.1.jar/com/tc/net/core/security/AbstractTCSecurityManager.class_terracotta */
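/**
 * Base {@link TCSecurityManager}: resolves passwords through a {@link KeyChain},
 * builds the SSL {@link KeyManager}s from the configured {@code jks:alias@/path} certificate
 * URI and installs the resulting {@link SSLContext} as the JVM default.
 *
 * <p>Secrets handled here (keystore / keychain passwords) are wiped once they are no longer
 * needed; callers of {@link #getPasswordFor(URI)} own the returned array and should do the same.
 */
abstract class AbstractTCSecurityManager implements TCSecurityManager {
    private static final TCLogger LOGGER = TCLogging.getLogger(AbstractTCSecurityManager.class);
    private final KeyChain keyChain;
    private final SecurityConfig securityConfig;
    private final BufferManagerFactory bufferManagerFactory;

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Verifies the security license, records the configuration and keychain, runs the
     * {@link #performExtraInitialization()} hook and then builds the SSL buffer manager factory.
     *
     * @param securityConfig security configuration; may be {@code null} (see {@link #getIntraL2Username()})
     * @param keyChain       keychain used to look up passwords; may be {@code null}
     * @throws RuntimeException if the SSL key managers cannot be built
     */
    public AbstractTCSecurityManager(SecurityConfig securityConfig, KeyChain keyChain) {
        LicenseManager.verifySecurityCapability();
        this.securityConfig = securityConfig;
        this.keyChain = keyChain;
        // Overridable hook invoked from the constructor: subclass fields are not yet initialized here.
        performExtraInitialization();
        this.bufferManagerFactory = initSslBufferManagerFactory();
    }

    /**
     * Returns {@code true} only for a {@link TCPrincipal} that carries a role whose
     * {@code toString()} equals {@code str}; any other principal type is never in a role.
     */
    @Override // com.tc.net.core.security.TCSecurityManager
    public boolean isUserInRole(Principal principal, String str) {
        if (!(principal instanceof TCPrincipal)) {
            return false;
        }
        Iterator<UserRole> roles = ((TCPrincipal) principal).getRoles().iterator();
        while (roles.hasNext()) {
            if (roles.next().toString().equals(str)) {
                return true;
            }
        }
        return false;
    }

    /** Returns the SSL-backed buffer manager factory built during construction. */
    @Override // com.tc.net.core.security.TCSecurityManager
    public BufferManagerFactory getBufferManagerFactory() {
        return this.bufferManagerFactory;
    }

    /**
     * Looks up the password stored in the keychain under {@code uri}.
     *
     * @return a fresh {@code char[]} owned by the caller; the keychain's byte copy is wiped
     * @throws NullPointerException if the keychain holds no entry for {@code uri}
     */
    @Override // com.tc.security.PwProvider
    public char[] getPasswordFor(URI uri) {
        URIKeyName keyName = new URIKeyName(uri);
        byte[] password = this.keyChain.getPassword(SecretProvider.getSecret(), keyName);
        if (password == null) {
            throw new NullPointerException("No password found for " + keyName + " in KeyChain located at " + this.securityConfig.getKeyChainUrl() + ". Check your configuration.");
        }
        return SecretUtils.toCharsAndWipe(password);
    }

    /**
     * Convenience form of {@link #getPasswordFor(URI)} for a Terracotta {@code user@host:port} entry.
     *
     * @param str  user name
     * @param str2 host
     * @param i    port
     */
    @Override // com.tc.security.PwProvider
    public char[] getPasswordForTC(String str, String str2, int i) {
        return getPasswordFor(TCSecurityManagerUtils.createTcURI(str, str2, i));
    }

    /**
     * Returns the configured user name for intra-L2 communication.
     *
     * @throws AssertionError (via {@link Assert}) when no security configuration is present, i.e. on an L1
     */
    @Override // com.tc.net.core.security.TCSecurityManager
    public String getIntraL2Username() {
        Assert.assertNotNull("You shouldn't access this on the L1!", this.securityConfig);
        return this.securityConfig.getUser();
    }

    /**
     * Builds the {@link SSLBufferManagerFactory} from {@link #getKeyManagers()} and installs its
     * context as the process-wide default {@link SSLContext}.
     *
     * @throws RuntimeException wrapping any failure while building the key managers or context
     */
    private BufferManagerFactory initSslBufferManagerFactory() {
        try {
            SSLBufferManagerFactory factory = new SSLBufferManagerFactory(getKeyManagers());
            SSLContext.setDefault(factory.getSslContext());
            return factory;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /** Subclass hook run from the constructor before the SSL factory is built; no-op by default. */
    protected void performExtraInitialization() {
    }

    /* JADX INFO: Access modifiers changed from: protected */
    /** Initializes the secret provider and, if a keychain is present, unlocks it with the fetched secret. */
    public void unlockKeyChain() {
        initSecretProvider();
        if (this.keyChain != null) {
            this.keyChain.unlock(SecretProvider.getSecret());
        }
    }

    /**
     * Initializes the secret provider named in the configuration (or the default when there is
     * no configuration) and fetches the secret.
     *
     * @throws RuntimeException wrapping any provider initialization failure
     */
    protected void initSecretProvider() {
        String providerClass = this.securityConfig != null ? this.securityConfig.getSecretProviderImplClass() : null;
        try {
            SecretUtils.initProviderAndFetchSecret(providerClass);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Loads the JKS keystore named by the configured certificate URI and returns one
     * {@link FixedAliasKeyManager} per SunX509 key manager, pinned to the URI's alias.
     *
     * @return the key managers, or {@code null} when there is no security configuration
     * @throws IllegalCertificateURIException if the URI is not {@code jks:alias@...}
     * @throws GeneralSecurityException       if the keystore lacks the alias or cannot be processed
     * @throws IOException                    if the keystore file cannot be read
     */
    protected KeyManager[] getKeyManagers() throws URISyntaxException, IllegalCertificateURIException, IOException, GeneralSecurityException {
        String keyStorePath;
        String alias;
        char[] keyStorePassword;
        if (this.securityConfig != null) {
            keyStorePassword = getPw(this.securityConfig, this.keyChain);
            com.tc.net.core.ssl.URI certificateUri = buildAndVerifyURI(this.securityConfig);
            keyStorePath = certificateUri.getPath();
            alias = certificateUri.getUserInfo();
        } else {
            keyStorePath = null;
            alias = null;
            keyStorePassword = null;
        }
        if (alias == null) {
            return null;
        }
        try {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            // try-with-resources: the original leaked the FileInputStream.
            try (FileInputStream in = new FileInputStream(keyStorePath)) {
                keyStore.load(in, keyStorePassword);
            }
            if (!keyStore.containsAlias(alias)) {
                throw new GeneralSecurityException("Keystore does not contain a key pair with alias " + alias + ".");
            }
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
            keyManagerFactory.init(keyStore, keyStorePassword);
            KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
            KeyManager[] fixedAliasManagers = new KeyManager[keyManagers.length];
            for (int i = 0; i < keyManagers.length; i++) {
                fixedAliasManagers[i] = new FixedAliasKeyManager((X509KeyManager) keyManagers[i], alias);
            }
            LOGGER.info("SSL keystore: " + keyStorePath);
            return fixedAliasManagers;
        } finally {
            // SunX509 extracts the private keys during init(), so the password is not needed afterwards;
            // if the algorithm is ever changed to PKIX (which keeps a password-protected builder), move this wipe.
            if (keyStorePassword != null) {
                Arrays.fill(keyStorePassword, '\0');
            }
        }
    }

    /**
     * Parses the configured certificate URI and checks that it uses the {@code jks} scheme and
     * carries an alias in its user-info part.
     *
     * @throws IllegalCertificateURIException if the scheme is not {@code jks} or the alias is missing
     */
    private com.tc.net.core.ssl.URI buildAndVerifyURI(SecurityConfig securityConfig) throws URISyntaxException, IllegalCertificateURIException {
        String rawUri = securityConfig.getSslCertificateUri();
        com.tc.net.core.ssl.URI uri = new com.tc.net.core.ssl.URI(rawUri);
        if (uri.getScheme() == null || !uri.getScheme().equals("jks")) {
            throw new IllegalCertificateURIException("URI [" + rawUri + "] scheme is unsupported (must be jks:...)");
        }
        if (uri.getUserInfo() == null) {
            throw new IllegalCertificateURIException("URI [" + rawUri + "] certificate alias must be supplied (must be jks:alias@...)");
        }
        return uri;
    }

    /**
     * Replaces backslashes with forward slashes so a Windows keystore path forms a valid URI.
     *
     * @param str the URI string
     * @param z   force the replacement even when not running on Windows
     */
    static String sanitizeWindowsJKS(String str, boolean z) {
        if (Os.isWindows() || z) {
            return str.replace('\\', '/');
        }
        return str;
    }

    /**
     * Fetches the keystore password stored in the keychain under the sanitized certificate URI.
     *
     * @return a fresh {@code char[]}; the keychain's byte copy is wiped
     * @throws RuntimeException if no password is stored or the URI cannot be parsed
     */
    private static char[] getPw(SecurityConfig securityConfig, KeyChain keyChain) {
        try {
            URIKeyName keyName = new URIKeyName(sanitizeWindowsJKS(securityConfig.getSslCertificateUri(), false));
            byte[] password = keyChain.getPassword(SecretProvider.getSecret(), keyName);
            if (password == null) {
                throw new RuntimeException("No password available in keyChain for " + securityConfig.getSslCertificateUri());
            }
            return SecretUtils.toCharsAndWipe(password);
        } catch (java.net.URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }
}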
