package com.tc.net.core.security;

import com.tc.config.schema.SecurityConfig;
import com.tc.exception.TCRuntimeException;
import com.tc.license.LicenseManager;
import com.tc.logging.TCLogger;
import com.tc.logging.TCLogging;
import com.tc.net.core.BufferManagerFactory;
import com.tc.net.core.ssl.FixedAliasKeyManager;
import com.tc.net.core.ssl.IllegalCertificateURIException;
import com.tc.net.core.ssl.SSLBufferManagerFactory;
import com.tc.statistics.retrieval.actions.SRAMessages;
import com.tc.util.Assert;
import com.tc.util.runtime.Os;
import com.terracotta.management.keychain.KeyChain;
import com.terracotta.management.keychain.URIKeyName;
import com.terracotta.management.security.SecretProvider;
import com.terracotta.management.security.SecretProviderBackEnd;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.Principal;
import java.util.Arrays;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509KeyManager;

/* loaded from: input_file:L1/terracotta-l1-ee-3.7.8.jar:com/tc/net/core/security/TCSecurityManagerImpl.class */
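/**
 * Security manager for a Terracotta node: builds the node's SSLContext (optionally with a client
 * key pair taken from a JKS keystore named in the {@link SecurityConfig}), hands out SSL buffer
 * managers, resolves per-URI passwords from the {@link KeyChain} and delegates user
 * authentication to a {@link Realm}.
 * <p>
 * Construction has side effects: it verifies the security license, fetches the master secret
 * via {@link SecretProvider}, unlocks the key chain and may install the created context as the
 * JVM-wide default ({@link SSLContext#setDefault(SSLContext)}).
 */
public class TCSecurityManagerImpl implements TCSecurityManager {
    private static final TCLogger logger = TCLogging.getLogger(TCSecurityManagerImpl.class);
    /** Factory for SSL-wrapped buffer managers built on the context created in the constructor. */
    private final BufferManagerFactory bufferManagerFactory;
    /** Per-URI password store, unlocked with the SecretProvider secret; may be null. */
    private final KeyChain keyChain;
    /** Authentication backend used by {@link #authenticate}; may be null. */
    private final Realm realm;
    /** Security section of the node configuration; null when the node has none (typically an L1). */
    private final SecurityConfig securityConfig;

    /**
     * Creates a manager without a realm. The SSLContext becomes the JVM default exactly when a
     * security config is supplied.
     *
     * @param securityConfig security configuration, or null
     * @param keyChain       key chain holding passwords, or null
     */
    public TCSecurityManagerImpl(SecurityConfig securityConfig, KeyChain keyChain) {
        this(securityConfig, keyChain, null, securityConfig != null);
    }

    /**
     * Creates a manager with a realm. The SSLContext becomes the JVM default exactly when a
     * security config is supplied.
     *
     * @param securityConfig security configuration, or null
     * @param keyChain       key chain holding passwords, or null
     * @param realm          authentication backend, or null
     */
    public TCSecurityManagerImpl(SecurityConfig securityConfig, KeyChain keyChain, Realm realm) {
        this(securityConfig, keyChain, realm, securityConfig != null);
    }

    /**
     * Creates a manager without a realm, letting the caller decide whether the created
     * SSLContext is installed as the JVM default.
     *
     * @param securityConfig       security configuration, or null
     * @param keyChain             key chain holding passwords, or null
     * @param setAsDefaultContext  true to call {@link SSLContext#setDefault(SSLContext)}
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public TCSecurityManagerImpl(SecurityConfig securityConfig, KeyChain keyChain, boolean setAsDefaultContext) {
        this(securityConfig, keyChain, null, setAsDefaultContext);
    }

    /**
     * Common constructor.
     *
     * @throws RuntimeException wrapping any failure while building the SSLContext or key managers
     */
    private TCSecurityManagerImpl(SecurityConfig securityConfig, KeyChain keyChain, Realm realm, boolean setAsDefaultContext) {
        LicenseManager.verifySecurityCapability();
        this.securityConfig = securityConfig;
        this.keyChain = keyChain;
        // NOTE: overridable method invoked from the constructor. An override runs against a
        // partially constructed instance: only securityConfig and keyChain are assigned yet.
        initSecretProvider();
        try {
            SSLContext sslContext = SSLBufferManagerFactory.createSSLContext(getKeyManagers());
            if (setAsDefaultContext) {
                // Process-wide side effect: every SSLContext.getDefault() user in this JVM
                // (not just Terracotta code) now gets this context.
                SSLContext.setDefault(sslContext);
            }
            this.bufferManagerFactory = new SSLBufferManagerFactory(sslContext);
            this.realm = realm;
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Fetches the master secret through {@link SecretProvider} and unlocks the key chain with it.
     * <p>
     * If the config names a {@link SecretProviderBackEnd} implementation class it is loaded
     * reflectively. The class name is trusted configuration, not external input, but anyone who
     * can edit the configuration can make this node instantiate an arbitrary class.
     *
     * @throws RuntimeException wrapping any failure to load the back end, fetch the secret or
     *                          unlock the key chain
     */
    /* JADX INFO: Access modifiers changed from: protected */
    public void initSecretProvider() {
        try {
            String backEndClassName = this.securityConfig != null ? this.securityConfig.getSecretProviderImplClass() : null;
            if (backEndClassName != null) {
                SecretProvider.fetchSecret((SecretProviderBackEnd) Class.forName(backEndClassName).newInstance());
            } else {
                SecretProvider.fetchSecret();
            }
            if (this.keyChain != null) {
                this.keyChain.unlock(SecretProvider.getSecret());
            }
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Instantiates a {@link KeyChain} implementation by class name, passing the given location
     * to its {@code (URL)} constructor. The class name comes from configuration and is trusted.
     *
     * @param className   fully qualified KeyChain implementation class
     * @param keyChainUrl location handed to the constructor
     * @throws TCRuntimeException if the class cannot be loaded, has no (URL) constructor, the URL
     *                            is malformed or the constructor fails
     */
    public static KeyChain createKeyChain(String className, String keyChainUrl) {
        try {
            return (KeyChain) Class.forName(className).getConstructor(URL.class).newInstance(new URL(keyChainUrl));
        } catch (Exception e) {
            throw new TCRuntimeException("Couldn't create KeyChain instance of type " + className + " with arg " + keyChainUrl, e);
        }
    }

    /**
     * Instantiates a {@link Realm} implementation by class name, passing the given location to
     * its {@code (URL)} constructor. The class name comes from configuration and is trusted.
     *
     * @param className fully qualified Realm implementation class
     * @param realmUrl  location handed to the constructor
     * @throws TCRuntimeException if the class cannot be loaded, has no (URL) constructor, the URL
     *                            is malformed or the constructor fails
     */
    public static Realm createRealm(String className, String realmUrl) {
        try {
            return (Realm) Class.forName(className).getConstructor(URL.class).newInstance(new URL(realmUrl));
        } catch (Exception e) {
            throw new TCRuntimeException("Couldn't create Realm instance of type " + className + " with " + realmUrl, e);
        }
    }

    /**
     * Delegates to the configured realm.
     *
     * @throws NullPointerException if this manager was created without a realm
     */
    @Override // com.tc.net.core.security.TCSecurityManager
    public Principal authenticate(String str, char[] cArr) {
        return this.realm.authenticate(str, cArr);
    }

    @Override // com.tc.net.core.security.TCSecurityManager
    public BufferManagerFactory getBufferManagerFactory() {
        return this.bufferManagerFactory;
    }

    /**
     * Looks up the password stored in the key chain under the given URI.
     * The returned array is a fresh copy; the caller owns it and should clear it when done.
     *
     * @throws NullPointerException if no entry exists for the URI (kept as NPE for compatibility
     *                              with existing callers) or if this manager has no key chain
     */
    @Override // com.tc.security.PwProvider
    public char[] getPasswordFor(URI uri) {
        URIKeyName keyName = new URIKeyName(uri);
        byte[] password = this.keyChain.getPassword(SecretProvider.getSecret(), keyName);
        if (password != null) {
            return toChar(password);
        }
        StringBuilder message = new StringBuilder();
        message.append("No password found for ").append(keyName).append(" in KeyChain");
        if (this.securityConfig != null) {
            message.append(" located at ").append(this.securityConfig.getKeyChainUrl());
        }
        message.append(". Check your configuration.");
        throw new NullPointerException(message.toString());
    }

    /** Looks up the password for the {@code tc://[user@]host:port} key built by {@link #createTcURI}. */
    @Override // com.tc.security.PwProvider
    public char[] getPasswordForTC(String str, String str2, int i) {
        return getPasswordFor(createTcURI(str, str2, i));
    }

    /**
     * Builds the key-chain lookup URI {@code tc://[user@]host<delimiter>port}; the delimiter is
     * {@link SRAMessages#ELEMENT_NAME_DELIMITER}.
     *
     * @param str  user name, or null to omit the {@code user@} part
     * @param str2 host
     * @param i    port
     * @throws IllegalArgumentException if the assembled string is not a valid URI
     */
    public static URI createTcURI(String str, String str2, int i) {
        try {
            String userPart = str != null ? str + "@" : "";
            return new URI("tc://" + userPart + str2 + SRAMessages.ELEMENT_NAME_DELIMITER + i);
        } catch (URISyntaxException e) {
            throw new IllegalArgumentException("Can't create an URI from the provided arguments!", e);
        }
    }

    /** Returns the configured user name for L2-to-L2 connections; only valid with a security config. */
    @Override // com.tc.net.core.security.TCSecurityManager
    public String getIntraL2Username() {
        Assert.assertNotNull("You shouldn't access this on the L1!", this.securityConfig);
        return this.securityConfig.getUser();
    }

    /**
     * Loads the client key pair named in the security config and wraps each resulting key
     * manager so it always presents the configured alias.
     * <p>
     * The certificate URI must be {@code jks:alias@/path/to/keystore}; the keystore password is
     * taken from the key chain under that URI and is also used as the key-entry password.
     *
     * @return key managers pinned to the configured alias, or null when there is no security
     *         config (the SSLContext then uses its default key managers)
     * @throws IllegalCertificateURIException if the URI scheme is not {@code jks} or no alias is given
     * @throws IOException              if the keystore file cannot be read
     * @throws GeneralSecurityException if the keystore cannot be loaded or lacks the alias
     */
    protected KeyManager[] getKeyManagers() throws com.tc.net.core.ssl.URISyntaxException, IllegalCertificateURIException, IOException, GeneralSecurityException {
        if (this.securityConfig == null) {
            return null;
        }
        char[] keystorePassword = getPw(this.securityConfig, this.keyChain);
        try {
            com.tc.net.core.ssl.URI certificateUri = buildAndVerifyURI(this.securityConfig);
            String keystorePath = certificateUri.getPath();
            String alias = certificateUri.getUserInfo(); // non-null: enforced by buildAndVerifyURI

            KeyStore keyStore = KeyStore.getInstance("JKS");
            FileInputStream keystoreStream = new FileInputStream(keystorePath);
            try {
                keyStore.load(keystoreStream, keystorePassword);
            } finally {
                keystoreStream.close(); // was leaked before
            }
            if (!keyStore.containsAlias(alias)) {
                throw new GeneralSecurityException("Keystore does not contain a key pair with alias " + alias + ".");
            }
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance("SunX509");
            keyManagerFactory.init(keyStore, keystorePassword);
            KeyManager[] rawManagers = keyManagerFactory.getKeyManagers();
            KeyManager[] pinnedManagers = new KeyManager[rawManagers.length];
            for (int i = 0; i < rawManagers.length; i++) {
                pinnedManagers[i] = new FixedAliasKeyManager((X509KeyManager) rawManagers[i], alias);
            }
            logger.info("SSL keystore: " + keystorePath);
            return pinnedManagers;
        } finally {
            // The password is a private copy and is no longer needed once the factory has
            // extracted the key entries; don't leave it lying around in the heap.
            Arrays.fill(keystorePassword, '\0');
        }
    }

    /**
     * Reads the keystore password from the key chain under the (slash-normalised) certificate URI.
     *
     * @throws RuntimeException if no password is stored for the URI or the URI is malformed
     */
    private static char[] getPw(SecurityConfig securityConfig, KeyChain keyChain) {
        try {
            String certificateUri = securityConfig.getSslCertificateUri();
            URIKeyName keyName = new URIKeyName(sanitizeWindowsJKS(certificateUri, false));
            byte[] password = keyChain.getPassword(SecretProvider.getSecret(), keyName);
            if (password == null) {
                throw new RuntimeException("No password available in keyChain for " + certificateUri);
            }
            return toChar(password);
        } catch (URISyntaxException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Replaces backslashes with forward slashes so Windows-style keystore paths parse as URIs.
     *
     * @param str   the certificate URI/path
     * @param force true to normalise regardless of the current OS
     */
    static String sanitizeWindowsJKS(String str, boolean force) {
        if (Os.isWindows() || force) {
            return str.replace('\\', '/');
        }
        return str;
    }

    /**
     * Parses the configured certificate URI and checks its shape ({@code jks:alias@...}).
     *
     * @throws IllegalCertificateURIException if the scheme is not {@code jks} or the alias is missing
     */
    private com.tc.net.core.ssl.URI buildAndVerifyURI(SecurityConfig securityConfig) throws com.tc.net.core.ssl.URISyntaxException, IllegalCertificateURIException {
        String rawUri = securityConfig.getSslCertificateUri();
        com.tc.net.core.ssl.URI uri = new com.tc.net.core.ssl.URI(rawUri);
        if (uri.getScheme() == null || !uri.getScheme().equals("jks")) {
            throw new IllegalCertificateURIException("URI [" + rawUri + "] scheme is unsupported (must be jks:...)");
        }
        if (uri.getUserInfo() == null) {
            throw new IllegalCertificateURIException("URI [" + rawUri + "] certificate alias must be supplied (must be jks:alias@...)");
        }
        return uri;
    }

    /**
     * Widens each byte to a char one-to-one. Note this is a plain cast, so bytes above 0x7F are
     * sign-extended (e.g. 0xFF becomes '\uFFFF'); only ASCII passwords round-trip faithfully.
     * Kept as-is because stored passwords may already depend on this mapping — TODO confirm.
     */
    private static char[] toChar(byte[] bArr) {
        char[] chars = new char[bArr.length];
        for (int i = 0; i < bArr.length; i++) {
            chars[i] = (char) bArr[i];
        }
        return chars;
    }

    /**
     * Resolves the key chain file, in order of precedence: the {@code com.tc.security.keychain.url}
     * system property, a {@code /keyChain.key} classpath resource, {@code ~/.tc/mgmt/keychain}
     * if it exists, otherwise {@code keychain.tkc} in the working directory.
     * <p>
     * Only the first two branches consult the URL; {@link URL#getPath()} is used verbatim
     * (no percent-decoding), and a resource inside a jar yields a path that is not a readable
     * file.
     *
     * @throws MalformedURLException if the system property is not a valid URL
     */
    public static File getKeyChainFile() throws MalformedURLException {
        String configuredUrl = System.getProperty("com.tc.security.keychain.url");
        if (configuredUrl != null) {
            return new File(new URL(configuredUrl).getPath());
        }
        URL resource = TCSecurityManagerImpl.class.getResource("/keyChain.key");
        if (resource != null) {
            return new File(resource.getPath());
        }
        File candidate = new File(System.getProperty("user.home") + "/.tc/mgmt/keychain");
        if (!candidate.exists()) {
            candidate = new File(System.getProperty("user.dir") + "/keychain.tkc");
        }
        return candidate;
    }
}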
