package com.tc.net.core.security;

import com.tc.config.schema.SecurityConfig;
import com.tc.logging.TCLogger;
import com.tc.logging.TCLogging;
import com.tc.net.core.ssl.FixedAliasKeyManager;
import com.tc.net.core.ssl.IllegalCertificateURIException;
import com.tc.net.core.ssl.URI;
import com.tc.net.core.ssl.URISyntaxException;
import com.terracotta.management.keychain.KeyChain;
import com.terracotta.management.keychain.URIKeyName;
import com.terracotta.management.keychain.crypto.SecretMismatchException;
import com.terracotta.management.security.SecretProvider;
import com.terracotta.management.security.SecretUtils;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.Key;
import java.security.KeyStore;
import java.security.Principal;
import java.security.cert.Certificate;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/* loaded from: input_file:L1/terracotta-l1-ee-4.3.10.1.12.jar/com/tc/net/core/security/TCServerSecurityManager.class_terracotta */
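/**
 * Server-side security manager: builds the server's SSL key managers from a
 * keystore named by the configured certificate URI, installs the resulting
 * SSL context as the JVM default, and delegates user authentication to an
 * optional {@link Realm}.
 *
 * <p>Keystore and key passwords are fetched from the {@link KeyChain} and are
 * wiped as soon as the key managers have been built.
 */
public class TCServerSecurityManager extends AbstractTCSecurityManager {
    private static final TCLogger LOGGER = TCLogging.getLogger(TCServerSecurityManager.class);
    /** Number of keychain unlock attempts before the {@link SecretMismatchException} is propagated. */
    private static final int MAX_RETRIES = 3;
    /** Realm used by {@link #authenticate}; {@code null} when built via the two-argument constructor. */
    private final Realm realm;

    /**
     * Creates a manager without a realm; {@link #authenticate} must not be called on such an instance.
     *
     * @param securityConfig security configuration (certificate URI, intra-L2 user)
     * @param keyChain keychain holding the keystore password
     */
    public TCServerSecurityManager(SecurityConfig securityConfig, KeyChain keyChain) {
        this(securityConfig, keyChain, null);
    }

    /**
     * Creates a manager and installs its SSL context as the process-wide default.
     *
     * @param securityConfig security configuration (certificate URI, intra-L2 user)
     * @param keyChain keychain holding the keystore password
     * @param realm realm consulted for authentication, or {@code null}
     */
    public TCServerSecurityManager(SecurityConfig securityConfig, KeyChain keyChain, Realm realm) {
        super(securityConfig, keyChain);
        this.realm = realm;
        // Every SSLContext.getDefault() caller in this JVM now sees the server's context.
        SSLContext.setDefault(getSSLBufferManagerFactory().getSslContext());
    }

    /**
     * Loads the keystore referenced by the configured certificate URI and wraps
     * every key manager so that it always presents the configured alias.
     *
     * @param securityConfig supplies the certificate URI
     * @param keyChain supplies the keystore password
     * @return key managers pinned to the configured alias, or {@code null} if the URI carries no alias
     * @throws URISyntaxException if the certificate URI cannot be parsed
     * @throws IllegalCertificateURIException if the URI scheme or alias part is invalid
     * @throws IOException if the keystore file cannot be read
     * @throws GeneralSecurityException if the keystore cannot be loaded or lacks a key pair for the alias
     */
    @Override // com.tc.net.core.security.AbstractTCSecurityManager
    protected KeyManager[] getKeyManagers(SecurityConfig securityConfig, KeyChain keyChain) throws URISyntaxException, IllegalCertificateURIException, IOException, GeneralSecurityException {
        // Password is fetched before URI validation to preserve the original failure order.
        char[] pw = getPw(securityConfig, keyChain);
        try {
            URI certificateUri = buildAndVerifyURI(securityConfig);
            String path = certificateUri.getPath();
            String alias = certificateUri.getUserInfo();
            if (alias == null) {
                // buildAndVerifyURI already rejects alias-less URIs; kept for the original contract.
                return null;
            }
            KeyStore keyStore = SSLCryptoHelper.getKeyStoreInstance();
            try (FileInputStream in = new FileInputStream(path)) {
                keyStore.load(in, pw);
            }
            Key key = keyStore.getKey(alias, pw);
            Certificate certificate = keyStore.getCertificate(alias);
            if (key == null || certificate == null) {
                throw new GeneralSecurityException("Keystore does not contain a key pair with alias " + alias + ".");
            }
            // Resolve the alias through the keystore so the pinned name matches its canonical form.
            String certificateAlias = keyStore.getCertificateAlias(certificate);
            KeyManagerFactory factory = SSLCryptoHelper.getKeyManagerFactoryInstance();
            factory.init(keyStore, pw);
            KeyManager[] delegates = factory.getKeyManagers();
            KeyManager[] pinned = new KeyManager[delegates.length];
            for (int i = 0; i < delegates.length; i++) {
                pinned[i] = new FixedAliasKeyManager((X509KeyManager) delegates[i], certificateAlias);
            }
            LOGGER.info("SSL keystore: " + path + " - using key pair with alias : " + certificateAlias + ".");
            return pinned;
        } finally {
            // The factory has copied what it needs; do not leave the password lingering on the heap.
            Arrays.fill(pw, '\0');
        }
    }

    /**
     * Authenticates a user against the configured realm and logs the outcome.
     *
     * @param str user name
     * @param cArr password
     * @return the authenticated principal, or {@code null} if the credentials were rejected
     * @throws NullPointerException if this instance was built without a realm
     */
    @Override // com.tc.net.core.security.TCSecurityManager
    public Principal authenticate(String str, char[] cArr) {
        Principal principal = null;
        try {
            principal = this.realm.authenticate(str, cArr);
            return principal;
        } finally {
            // Runs on both the normal and the throwing path: a realm failure is reported as a failed attempt.
            if (principal != null) {
                LOGGER.info("User " + principal + " logged in");
            } else {
                LOGGER.warn("Failed login attempt for " + str);
            }
        }
    }

    /**
     * Returns the user name used for server-to-server (intra-L2) authentication.
     *
     * @return the configured user
     */
    @Override // com.tc.net.core.security.TCSecurityManager
    public String getIntraL2Username() {
        return getSecurityConfig().getUser();
    }

    /**
     * Unlocks the keychain, retrying up to {@link #MAX_RETRIES} times on a secret mismatch.
     *
     * @throws SecretMismatchException if the final attempt still fails
     */
    @Override // com.tc.net.core.security.AbstractTCSecurityManager
    protected void performExtraInitialization() {
        for (int attempt = 1; ; attempt++) {
            try {
                unlockKeyChain();
                return;
            } catch (SecretMismatchException e) {
                if (LOGGER.isDebugEnabled()) {
                    LOGGER.debug("Unable to open keychain, exception message is: " + e.getMessage());
                }
                if (maxRetryReached(attempt)) {
                    throw e;
                }
            }
        }
    }

    /**
     * @param attempts number of unlock attempts made so far
     * @return whether no further attempt should be made
     */
    private boolean maxRetryReached(int attempts) {
        return attempts >= MAX_RETRIES;
    }

    /**
     * Parses the configured certificate URI and checks that it uses the supported
     * keystore scheme and names a certificate alias in its user-info part.
     *
     * @param securityConfig supplies the certificate URI
     * @return the validated URI
     * @throws URISyntaxException if the URI cannot be parsed
     * @throws IllegalCertificateURIException if the scheme is unsupported or the alias is missing
     */
    private URI buildAndVerifyURI(SecurityConfig securityConfig) throws URISyntaxException, IllegalCertificateURIException {
        String rawUri = securityConfig.getSslCertificateUri();
        URI uri = new URI(rawUri);
        String scheme = uri.getScheme();
        if (scheme == null || !scheme.equals(SSLCryptoHelper.KEY_STORE_TYPE)) {
            throw new IllegalCertificateURIException("URI [" + rawUri + "] scheme is unsupported (must be " + SSLCryptoHelper.KEY_STORE_TYPE + ":...)");
        }
        if (uri.getUserInfo() == null) {
            throw new IllegalCertificateURIException("URI [" + rawUri + "] certificate alias must be supplied (must be " + SSLCryptoHelper.KEY_STORE_TYPE + ":alias@...)");
        }
        return uri;
    }

    /**
     * Looks up the keystore password in the keychain under the sanitized certificate URI.
     *
     * @param securityConfig supplies the certificate URI
     * @param keyChain keychain queried with the process secret
     * @return the password as a char array; the caller is responsible for wiping it
     * @throws RuntimeException if no password is stored for the URI or the URI is malformed
     */
    private static char[] getPw(SecurityConfig securityConfig, KeyChain keyChain) {
        String certificateUri = securityConfig.getSslCertificateUri();
        try {
            URIKeyName keyName = new URIKeyName(sanitizeWindowsJKS(certificateUri, false));
            byte[] password = keyChain.getPassword(SecretProvider.getSecret(), keyName);
            if (password == null) {
                throw new RuntimeException("No password available in keyChain for " + certificateUri);
            }
            return SecretUtils.toCharsAndWipe(password);
        } catch (java.net.URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    // The four methods below are compiler-generated bridges preserved from the original class file.

    @Override // com.tc.net.core.security.AbstractTCSecurityManager, com.tc.security.PwProvider
    public /* bridge */ /* synthetic */ char[] getPasswordForTC(String str, String str2, int i) {
        return super.getPasswordForTC(str, str2, i);
    }

    @Override // com.tc.net.core.security.AbstractTCSecurityManager, com.tc.security.PwProvider
    public /* bridge */ /* synthetic */ char[] getPasswordFor(java.net.URI uri) {
        return super.getPasswordFor(uri);
    }

    @Override // com.tc.net.core.security.AbstractTCSecurityManager, com.tc.net.core.security.TCSecurityManager
    public /* bridge */ /* synthetic */ boolean isUserInRole(Principal principal, String str) {
        return super.isUserInRole(principal, str);
    }

    @Override // com.tc.net.core.security.AbstractTCSecurityManager, com.tc.net.core.security.TCSecurityManager
    public /* bridge */ /* synthetic */ SSLContext getSslContext() {
        return super.getSslContext();
    }
}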
