package org.forgerock.opendj.reactive;

import com.forgerock.reactive.ReactiveHandler;
import com.forgerock.reactive.Stream;
import java.io.IOException;
import java.net.InetAddress;
import java.net.InetSocketAddress;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.Collections;
import java.util.HashSet;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedList;
import java.util.List;
import java.util.Map;
import java.util.Set;
import java.util.SortedSet;
import java.util.TreeSet;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.config.Configuration;
import org.forgerock.opendj.config.server.ConfigChangeResult;
import org.forgerock.opendj.config.server.ConfigException;
import org.forgerock.opendj.config.server.ConfigurationChangeListener;
import org.forgerock.opendj.ldap.AddressMask;
import org.forgerock.opendj.ldap.DN;
import org.forgerock.opendj.ldap.LDAPClientContext;
import org.forgerock.opendj.ldap.LDAPClientContextEventListener;
import org.forgerock.opendj.ldap.LDAPListener;
import org.forgerock.opendj.ldap.LdapException;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.requests.UnbindRequest;
import org.forgerock.opendj.ldap.responses.Response;
import org.forgerock.opendj.ldap.spi.LdapMessages;
import org.forgerock.opendj.server.config.meta.LDAPConnectionHandlerCfgDefn;
import org.forgerock.opendj.server.config.server.ConnectionHandlerCfg;
import org.forgerock.opendj.server.config.server.LDAPConnectionHandlerCfg;
import org.forgerock.util.Function;
import org.forgerock.util.Options;
import org.opends.messages.ProtocolMessages;
import org.opends.server.api.AlertGenerator;
import org.opends.server.api.ClientConnection;
import org.opends.server.api.ConnectionHandler;
import org.opends.server.api.DirectoryThread;
import org.opends.server.api.KeyManagerProvider;
import org.opends.server.api.ServerShutdownListener;
import org.opends.server.api.plugin.PluginResult;
import org.opends.server.core.DirectoryServer;
import org.opends.server.core.QueueingStrategy;
import org.opends.server.core.ServerContext;
import org.opends.server.core.WorkQueueStrategy;
import org.opends.server.extensions.NullKeyManagerProvider;
import org.opends.server.loggers.AccessLogger;
import org.opends.server.monitors.ClientConnectionMonitorProvider;
import org.opends.server.protocols.ldap.LDAPStatistics;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.DisconnectReason;
import org.opends.server.types.HostPort;
import org.opends.server.types.InitializationException;
import org.opends.server.types.SSLClientAuthPolicy;
import org.opends.server.util.SelectableCertificateKeyManager;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/forgerock/opendj/reactive/LDAPConnectionHandler2.class */
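/**
 * Connection handler that accepts LDAP / LDAPS clients through a reactive {@link LDAPListener}.
 *
 * <p>The handler thread ({@link #run()}) starts and stops the listener according to the
 * {@code enabled} flag and the shutdown flag. Each accepted connection goes through
 * {@link #canAccept(LDAPClientContext)}, which applies the connection limit, the denied/allowed
 * address masks and the post-connect plugins, and enables TLS immediately when the handler is
 * configured for LDAPS.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An empty allowed-client list places no restriction; the denied list is evaluated first.</li>
 *   <li>When no TLS protocol or cipher suite is configured, the {@link SSLEngine} keeps the
 *       defaults of the JVM / security provider.</li>
 *   <li>When no trust manager provider is configured, {@code SSLContext.init} receives
 *       {@code null} trust managers, so the provider's default trust material is used.</li>
 *   <li>A client-auth policy that is neither DISABLED nor REQUIRED is treated as OPTIONAL.</li>
 * </ul>
 *
 * <p>NOTE(review): {@code currentConfig}, {@code allowedClients}, {@code deniedClients},
 * {@code sslContext} and {@code enabled} are plain (non-volatile) fields that are written by
 * configuration changes and read while accepting connections; confirm the visibility
 * guarantees callers rely on.
 */
public final class LDAPConnectionHandler2 extends ConnectionHandler<LDAPConnectionHandlerCfg> implements ConfigurationChangeListener<LDAPConnectionHandlerCfg>, ServerShutdownListener, AlertGenerator {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
    private static final String DEFAULT_FRIENDLY_NAME = "LDAP Connection Handler";
    // Generic "TLS" context; the protocol versions actually offered are decided in createSSLEngine.
    private static final String SSL_CONTEXT_INSTANCE_NAME = "TLS";
    private LDAPListener listener;
    private LDAPConnectionHandlerCfg currentConfig;
    private Set<InetSocketAddress> listenAddresses;
    // NOTE(review): nothing in this class assigns this field, so getSSLClientAuthPolicy()
    // returns null here; the effective policy is applied directly to the SSLEngine instead.
    private SSLClientAuthPolicy sslClientAuthPolicy;
    private int backlog;
    private boolean allowReuseAddress;
    private volatile boolean shutdownRequested;
    private boolean enabled;
    private Collection<AddressMask> allowedClients;
    private Collection<AddressMask> deniedClients;
    private List<HostPort> listeners;
    private LDAPStatistics statTracker;
    private ClientConnectionMonitorProvider connMonitor;
    private String handlerName;
    private String protocol;
    private final QueueingStrategy queueingStrategy;
    private final Object waitListen;
    private String friendlyName;
    private SSLContext sslContext;
    // Template engine kept only to report the enabled protocols / cipher suites.
    private SSLEngine sslEngine;
    // Guards the finalizer executor reference and the swap of the two job queues.
    private final Object connectionFinalizerLock;
    private ScheduledExecutorService connectionFinalizer;
    private List<Runnable> connectionFinalizerActiveJobQueue;
    private List<Runnable> connectionFinalizerPendingJobQueue;
    private final Collection<ClientConnection> clientConnections;

    /**
     * Decompiler rendering of the compiler-generated switch map for
     * {@link LDAPConnectionHandlerCfgDefn.SSLClientAuthPolicy}: DISABLED maps to 1, REQUIRED to 2
     * and OPTIONAL to 3. It is consumed by the switch in
     * {@code createSSLEngine(LDAPConnectionHandlerCfg, SSLContext)}.
     */
    public static /* synthetic */ class AnonymousClass2 {
        static final /* synthetic */ int[] $SwitchMap$org$forgerock$opendj$server$config$meta$LDAPConnectionHandlerCfgDefn$SSLClientAuthPolicy = new int[LDAPConnectionHandlerCfgDefn.SSLClientAuthPolicy.values().length];

        static {
            // A constant missing at run time raises NoSuchFieldError; its slot then stays 0 and
            // the consuming switch falls into its default branch.
            try {
                $SwitchMap$org$forgerock$opendj$server$config$meta$LDAPConnectionHandlerCfgDefn$SSLClientAuthPolicy[LDAPConnectionHandlerCfgDefn.SSLClientAuthPolicy.DISABLED.ordinal()] = 1;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$org$forgerock$opendj$server$config$meta$LDAPConnectionHandlerCfgDefn$SSLClientAuthPolicy[LDAPConnectionHandlerCfgDefn.SSLClientAuthPolicy.REQUIRED.ordinal()] = 2;
            } catch (NoSuchFieldError ignored) {
            }
            try {
                $SwitchMap$org$forgerock$opendj$server$config$meta$LDAPConnectionHandlerCfgDefn$SSLClientAuthPolicy[LDAPConnectionHandlerCfgDefn.SSLClientAuthPolicy.OPTIONAL.ordinal()] = 3;
            } catch (NoSuchFieldError ignored) {
            }
        }
    }

    /**
     * Periodic task that runs the jobs in the active queue, clears it, and then swaps the
     * active and pending queues under {@code connectionFinalizerLock}. A job registered through
     * {@link #registerConnectionFinalizer(Runnable)} therefore runs on the pass after the swap.
     */
    public final class ConnectionFinalizerRunnable implements Runnable {
        private ConnectionFinalizerRunnable() {
        }

        @Override
        public void run() {
            if (!LDAPConnectionHandler2.this.connectionFinalizerActiveJobQueue.isEmpty()) {
                for (Runnable job : LDAPConnectionHandler2.this.connectionFinalizerActiveJobQueue) {
                    job.run();
                }
                LDAPConnectionHandler2.this.connectionFinalizerActiveJobQueue.clear();
            }
            synchronized (LDAPConnectionHandler2.this.connectionFinalizerLock) {
                List<Runnable> drained = LDAPConnectionHandler2.this.connectionFinalizerActiveJobQueue;
                LDAPConnectionHandler2.this.connectionFinalizerActiveJobQueue = LDAPConnectionHandler2.this.connectionFinalizerPendingJobQueue;
                LDAPConnectionHandler2.this.connectionFinalizerPendingJobQueue = drained;
            }
        }
    }

    /** Creates a handler that uses a {@link WorkQueueStrategy} and takes its name from the configuration. */
    public LDAPConnectionHandler2() {
        this(new WorkQueueStrategy(), null);
    }

    /**
     * Creates a handler with an explicit queueing strategy.
     *
     * @param queueingStrategy strategy passed to every client connection when handling a request
     * @param str friendly name, also used as the thread name; when {@code null} a default thread
     *            name is used and the friendly name is taken from the configuration later
     */
    public LDAPConnectionHandler2(QueueingStrategy queueingStrategy, String str) {
        super(str != null ? str : "LDAP Connection Handler Thread");
        this.waitListen = new Object();
        this.connectionFinalizerLock = new Object();
        this.clientConnections = Collections.newSetFromMap(new ConcurrentHashMap<ClientConnection, Boolean>());
        this.friendlyName = str;
        this.queueingStrategy = queueingStrategy;
    }

    /** Returns whether the current configuration allows LDAPv2 clients. */
    public boolean allowLDAPv2() {
        return this.currentConfig.isAllowLDAPV2();
    }

    /** Returns whether StartTLS may be used: it must be allowed and the handler must not already be LDAPS. */
    public boolean allowStartTLS() {
        return this.currentConfig.isAllowStartTLS() && !this.currentConfig.isUseSSL();
    }

    /**
     * Applies a new configuration to the running handler.
     *
     * <p>The configuration reference, the enabled flag and both address-mask lists are replaced
     * before the TLS material is rebuilt. If {@code configureSSL} fails, those values have
     * already been swapped while {@code sslContext} / {@code sslEngine} keep their previous
     * values; the failure is reported only through the returned result.
     *
     * @param cfg the new configuration
     * @return the result, carrying the error code and message when TLS could not be configured
     */
    public ConfigChangeResult applyConfigurationChange(LDAPConnectionHandlerCfg cfg) {
        ConfigChangeResult result = new ConfigChangeResult();
        // Statistics are reset only when LDAPv2 support is being switched on.
        if (this.currentConfig.isAllowLDAPV2() != cfg.isAllowLDAPV2() && cfg.isAllowLDAPV2()) {
            this.statTracker.clearStatistics();
        }
        this.currentConfig = cfg;
        this.enabled = cfg.isEnabled();
        this.allowedClients = cfg.getAllowedClient();
        this.deniedClients = cfg.getDeniedClient();
        try {
            // Must run after the enabled flag is set: createSSLContext may clear it again
            // when an LDAPS handler has no usable key material.
            configureSSL(cfg);
            if (cfg.isAllowLDAPV2()) {
                DirectoryServer.registerSupportedLDAPVersion(2, this);
            } else {
                DirectoryServer.deregisterSupportedLDAPVersion(2, this);
            }
            return result;
        } catch (DirectoryException e) {
            logger.traceException(e);
            result.setResultCode(e.getResultCode());
            result.addMessage(e.getMessageObject());
            return result;
        }
    }

    /**
     * Sets the protocol name and (re)builds the TLS context and template engine when the
     * configuration uses LDAPS or allows StartTLS; otherwise clears both.
     */
    private void configureSSL(LDAPConnectionHandlerCfg cfg) throws DirectoryException {
        this.protocol = cfg.isUseSSL() ? "LDAPS" : "LDAP";
        if (cfg.isUseSSL() || cfg.isAllowStartTLS()) {
            this.sslContext = createSSLContext(cfg);
            this.sslEngine = createSSLEngine(cfg, this.sslContext);
        } else {
            this.sslContext = null;
            this.sslEngine = null;
        }
    }

    /**
     * Requests shutdown, unregisters the handler from the configuration, the monitors and the
     * supported-version registry, and drains the outstanding connection-finalizer jobs.
     */
    @Override
    public void finalizeConnectionHandler(LocalizableMessage localizableMessage) {
        this.shutdownRequested = true;
        this.currentConfig.removeLDAPChangeListener(this);
        if (this.connMonitor != null) {
            DirectoryServer.deregisterMonitorProvider(this.connMonitor);
        }
        if (this.statTracker != null) {
            DirectoryServer.deregisterMonitorProvider(this.statTracker);
        }
        DirectoryServer.deregisterSupportedLDAPVersion(2, this);
        DirectoryServer.deregisterSupportedLDAPVersion(3, this);
        synchronized (this.connectionFinalizerLock) {
            // The executor is absent when initialization failed before creating it or when the
            // handler was already finalized; in both cases there is nothing queued to drain.
            if (this.connectionFinalizer != null) {
                this.connectionFinalizer.shutdown();
                this.connectionFinalizer = null;
                // Two passes: the first runs the active queue and swaps in the pending one,
                // the second runs what was pending.
                ConnectionFinalizerRunnable drain = new ConnectionFinalizerRunnable();
                drain.run();
                drain.run();
            }
        }
    }

    /** Returns the alert types this handler can raise, mapped to their descriptions. */
    @Override
    public Map<String, String> getAlerts() {
        Map<String, String> alerts = new LinkedHashMap<String, String>();
        alerts.put(ServerConstants.ALERT_TYPE_LDAP_CONNECTION_HANDLER_CONSECUTIVE_FAILURES, ServerConstants.ALERT_DESCRIPTION_LDAP_CONNECTION_HANDLER_CONSECUTIVE_FAILURES);
        alerts.put(ServerConstants.ALERT_TYPE_LDAP_CONNECTION_HANDLER_UNCAUGHT_ERROR, ServerConstants.ALERT_DESCRIPTION_LDAP_CONNECTION_HANDLER_UNCAUGHT_ERROR);
        return alerts;
    }

    @Override
    public String getClassName() {
        return LDAPConnectionHandler2.class.getName();
    }

    /** Returns a read-only view of the connections currently tracked by this handler. */
    @Override
    public Collection<ClientConnection> getClientConnections() {
        return Collections.unmodifiableCollection(this.clientConnections);
    }

    @Override
    public DN getComponentEntryDN() {
        return this.currentConfig.dn();
    }

    @Override
    public String getConnectionHandlerName() {
        return this.handlerName;
    }

    /** Returns the cipher suites enabled on the template engine, or the superclass value when TLS is off. */
    @Override
    public Collection<String> getEnabledSSLCipherSuites() {
        SSLEngine engine = this.sslEngine;
        return engine != null ? Arrays.asList(engine.getEnabledCipherSuites()) : super.getEnabledSSLCipherSuites();
    }

    /** Returns the protocols enabled on the template engine, or the superclass value when TLS is off. */
    @Override
    public Collection<String> getEnabledSSLProtocols() {
        SSLEngine engine = this.sslEngine;
        return engine != null ? Arrays.asList(engine.getEnabledProtocols()) : super.getEnabledSSLProtocols();
    }

    @Override
    public Collection<HostPort> getListeners() {
        return this.listeners;
    }

    public long getMaxBlockedWriteTimeLimit() {
        return this.currentConfig.getMaxBlockedWriteTimeLimit();
    }

    /**
     * Returns the configured maximum request size as an {@code int}.
     *
     * <p>The configured value is a {@code long}; it is clamped to the {@code int} range so that
     * an out-of-range value cannot wrap around to an unrelated limit.
     */
    public int getMaxRequestSize() {
        return clampToInt(this.currentConfig.getMaxRequestSize());
    }

    /** Narrows a {@code long} to {@code int}, saturating at the {@code int} bounds instead of wrapping. */
    private static int clampToInt(long value) {
        if (value > Integer.MAX_VALUE) {
            return Integer.MAX_VALUE;
        }
        if (value < Integer.MIN_VALUE) {
            return Integer.MIN_VALUE;
        }
        return (int) value;
    }

    @Override
    public String getProtocol() {
        return this.protocol;
    }

    @Override
    public String getShutdownListenerName() {
        return this.handlerName;
    }

    /**
     * Returns the stored client-auth policy.
     *
     * <p>NOTE(review): no code in this class assigns the backing field, so this returns
     * {@code null} here; confirm callers do not rely on it for an authentication decision.
     */
    public SSLClientAuthPolicy getSSLClientAuthPolicy() {
        return this.sslClientAuthPolicy;
    }

    public LDAPStatistics getStatTracker() {
        return this.statTracker;
    }

    /**
     * Initializes the handler from its configuration: TLS material, listen addresses, handler
     * name, connection finalizer, supported LDAP versions and monitor providers.
     *
     * @throws InitializationException when a listen address is already in use or the TLS
     *         material cannot be initialized
     */
    @Override
    public void initializeConnectionHandler(ServerContext serverContext, LDAPConnectionHandlerCfg cfg) throws ConfigException, InitializationException {
        if (this.friendlyName == null) {
            this.friendlyName = cfg.name();
        }
        this.currentConfig = cfg;
        this.enabled = cfg.isEnabled();
        this.allowedClients = cfg.getAllowedClient();
        this.deniedClients = cfg.getDeniedClient();
        try {
            configureSSL(cfg);
            this.allowReuseAddress = cfg.isAllowTCPReuseAddress();
            this.backlog = cfg.getAcceptBacklog();
            this.listenAddresses = new HashSet<InetSocketAddress>();
            Iterator it = cfg.getListenAddress().iterator();
            while (it.hasNext()) {
                this.listenAddresses.add(new InetSocketAddress((InetAddress) it.next(), cfg.getListenPort()));
            }
            this.listeners = new LinkedList<HostPort>();
            // Handler name: "<friendly name> <host>... port <port>".
            StringBuilder name = new StringBuilder();
            name.append(this.friendlyName);
            for (InetSocketAddress address : this.listenAddresses) {
                this.listeners.add(new HostPort(address.getHostName(), address.getPort()));
                name.append(" ");
                name.append(address.getHostName());
            }
            name.append(" port ");
            name.append(cfg.getListenPort());
            this.handlerName = name.toString();
            LocalizableMessage inUse = checkAnyListenAddressInUse(cfg.getListenAddress(), cfg.getListenPort(), this.allowReuseAddress, cfg.dn());
            if (inUse != null) {
                logger.error(inUse);
                throw new InitializationException(inUse);
            }
            // Publishes the listen port as the system property "LDAP_port" or "LDAPS_port".
            System.setProperty(this.protocol + "_port", String.valueOf(cfg.getListenPort()));
            this.connectionFinalizer = Executors.newSingleThreadScheduledExecutor(new DirectoryThread.Factory("LDAP Connection Finalizer for connection handler " + toString()));
            this.connectionFinalizerActiveJobQueue = new ArrayList<Runnable>();
            this.connectionFinalizerPendingJobQueue = new ArrayList<Runnable>();
            this.connectionFinalizer.scheduleWithFixedDelay(new ConnectionFinalizerRunnable(), 100L, 100L, TimeUnit.MILLISECONDS);
            DirectoryServer.registerSupportedLDAPVersion(3, this);
            if (cfg.isAllowLDAPV2()) {
                DirectoryServer.registerSupportedLDAPVersion(2, this);
            }
            this.statTracker = new LDAPStatistics(this.handlerName + " Statistics");
            DirectoryServer.registerMonitorProvider(this.statTracker);
            this.connMonitor = new ClientConnectionMonitorProvider(this);
            DirectoryServer.registerMonitorProvider(this.connMonitor);
            cfg.addLDAPChangeListener(this);
        } catch (DirectoryException e) {
            logger.traceException(e);
            throw new InitializationException(e.getMessageObject());
        }
    }

    /**
     * Checks whether a configuration could be applied.
     *
     * <p>The listen addresses are probed only when the handler has no configuration yet or is
     * going from disabled to enabled. For an enabled configuration that uses LDAPS or allows
     * StartTLS, a TLS context and engine are built as a trial so that key-store, protocol and
     * cipher-suite errors are reported here.
     *
     * @param connectionHandlerCfg the candidate configuration
     * @param list receives the reasons when the configuration is not acceptable
     * @return {@code true} when the configuration is acceptable
     */
    @Override
    public boolean isConfigurationAcceptable(ConnectionHandlerCfg connectionHandlerCfg, List<LocalizableMessage> list) {
        LDAPConnectionHandlerCfg cfg = (LDAPConnectionHandlerCfg) connectionHandlerCfg;
        boolean beingEnabled = this.currentConfig == null || (!this.currentConfig.isEnabled() && cfg.isEnabled());
        if (beingEnabled) {
            LocalizableMessage inUse = checkAnyListenAddressInUse(cfg.getListenAddress(), cfg.getListenPort(), cfg.isAllowTCPReuseAddress(), cfg.dn());
            if (inUse != null) {
                list.add(inUse);
                return false;
            }
        }
        if (!cfg.isEnabled()) {
            return true;
        }
        if (!cfg.isUseSSL() && !cfg.isAllowStartTLS()) {
            return true;
        }
        try {
            createSSLEngine(cfg, createSSLContext(cfg));
            return true;
        } catch (DirectoryException e) {
            logger.traceException(e);
            list.add(e.getMessageObject());
            return false;
        }
    }

    /**
     * Probes each listen address and returns a "cannot bind" message for the first one that is
     * in use or cannot be checked, or {@code null} when all of them are free.
     */
    private LocalizableMessage checkAnyListenAddressInUse(Collection<InetAddress> collection, int i, boolean z, DN dn) {
        for (InetAddress address : collection) {
            try {
                if (StaticUtils.isAddressInUse(address, i, z)) {
                    // Routed through the catch below so both failure kinds share one message.
                    throw new IOException(ProtocolMessages.ERR_CONNHANDLER_ADDRESS_INUSE.get().toString());
                }
            } catch (IOException e) {
                logger.traceException(e);
                return ProtocolMessages.ERR_CONNHANDLER_CANNOT_BIND.get("LDAP", dn, address.getHostAddress(), Integer.valueOf(i), StaticUtils.getExceptionMessage(e));
            }
        }
        return null;
    }

    /** Delegates to {@link #isConfigurationAcceptable(ConnectionHandlerCfg, List)}. */
    public boolean isConfigurationChangeAcceptable(LDAPConnectionHandlerCfg lDAPConnectionHandlerCfg, List<LocalizableMessage> list) {
        return isConfigurationAcceptable(lDAPConnectionHandlerCfg, list);
    }

    @Override
    public void processServerShutdown(LocalizableMessage localizableMessage) {
        this.shutdownRequested = true;
    }

    /** Closes the listener, if one is open, and logs that the handler stopped listening. */
    void stopListener() {
        if (this.listener != null) {
            this.listener.close();
            this.listener = null;
            logger.info(ProtocolMessages.NOTE_CONNHANDLER_STOPPED_LISTENING, this.handlerName);
        }
    }

    /**
     * Opens the listener on the configured addresses.
     *
     * <p>For every new client context the factory runs {@link #canAccept(LDAPClientContext)}
     * (which throws to reject the client), tracks the accepted connection, writes the connect
     * record to the access log, and removes the connection from the tracked set again on error,
     * disconnect or close.
     */
    private void startListener() throws IOException {
        this.listener = new LDAPListener(this.listenAddresses, new Function<LDAPClientContext, ReactiveHandler<LDAPClientContext, LdapMessages.LdapRequestEnvelope, Stream<Response>>, LdapException>() {
            public ReactiveHandler<LDAPClientContext, LdapMessages.LdapRequestEnvelope, Stream<Response>> apply(LDAPClientContext lDAPClientContext) throws LdapException {
                final LDAPClientConnection2 accepted = LDAPConnectionHandler2.this.canAccept(lDAPClientContext);
                LDAPConnectionHandler2.this.clientConnections.add(accepted);
                AccessLogger.logConnect(accepted);
                lDAPClientContext.addListener(new LDAPClientContextEventListener() {
                    public void handleConnectionError(LDAPClientContext lDAPClientContext2, Throwable th) {
                        LDAPConnectionHandler2.this.clientConnections.remove(accepted);
                    }

                    public void handleConnectionDisconnected(LDAPClientContext lDAPClientContext2, ResultCode resultCode, String str) {
                        LDAPConnectionHandler2.this.clientConnections.remove(accepted);
                    }

                    public void handleConnectionClosed(LDAPClientContext lDAPClientContext2, UnbindRequest unbindRequest) {
                        LDAPConnectionHandler2.this.clientConnections.remove(accepted);
                    }
                });
                return new ReactiveHandler<LDAPClientContext, LdapMessages.LdapRequestEnvelope, Stream<Response>>() {
                    public Stream<Response> handle(LDAPClientContext lDAPClientContext2, LdapMessages.LdapRequestEnvelope ldapRequestEnvelope) throws Exception {
                        return accepted.handle(LDAPConnectionHandler2.this.queueingStrategy, ldapRequestEnvelope);
                    }
                };
            }
        // The request-size limit uses the clamped value so an oversized setting cannot wrap.
        }, Options.defaultOptions().set(LDAPListener.CONNECT_MAX_BACKLOG, Integer.valueOf(this.backlog)).set(LDAPListener.REQUEST_MAX_SIZE_IN_BYTES, Integer.valueOf(getMaxRequestSize())));
        logger.info(ProtocolMessages.NOTE_CONNHANDLER_STARTED_LISTENING, this.handlerName);
    }

    /**
     * Handler thread loop: keeps the listener open while the handler is enabled, closes it
     * while disabled, and polls once a second until shutdown is requested.
     *
     * <p>A failure to start the listener is logged; a second consecutive failure raises the
     * consecutive-failures alert and disables the handler.
     */
    @Override
    public void run() {
        setName(this.handlerName);
        boolean startupNotifyPending = true;
        boolean lastStartFailed = false;
        while (!this.shutdownRequested) {
            if (!this.enabled) {
                if (this.listener != null) {
                    stopListener();
                }
                if (startupNotifyPending) {
                    synchronized (this.waitListen) {
                        startupNotifyPending = false;
                        this.waitListen.notify();
                    }
                }
                StaticUtils.sleep(1000L);
            } else if (this.listener != null) {
                StaticUtils.sleep(1000L);
            } else {
                try {
                    synchronized (this.waitListen) {
                        this.waitListen.notify();
                    }
                    startListener();
                    lastStartFailed = false;
                } catch (Exception e) {
                    stopListener();
                    logger.traceException(e);
                    logger.error(ProtocolMessages.ERR_CONNHANDLER_CANNOT_ACCEPT_CONNECTION, this.friendlyName, this.currentConfig.dn(), StaticUtils.getExceptionMessage(e));
                    if (lastStartFailed) {
                        LocalizableMessage message = ProtocolMessages.ERR_CONNHANDLER_CONSECUTIVE_ACCEPT_FAILURES.get(this.friendlyName, this.currentConfig.dn(), StaticUtils.stackTraceToSingleLineString(e));
                        logger.error(message);
                        // Use the LDAP alert type that getAlerts() advertises; the HTTP handler's
                        // type was sent here before, so subscribers to the LDAP alert missed it.
                        DirectoryServer.sendAlertNotification(this, ServerConstants.ALERT_TYPE_LDAP_CONNECTION_HANDLER_CONSECUTIVE_FAILURES, message);
                        this.enabled = false;
                    } else {
                        lastStartFailed = true;
                    }
                }
            }
        }
        stopListener();
    }

    /**
     * Decides whether a new client may connect and returns its connection object.
     *
     * <p>Checks, in order: a negative connection ID (rejected with ADMIN_LIMIT_EXCEEDED), the
     * denied-client masks, the allowed-client masks (an empty list allows every address), and
     * the post-connect plugins. For an LDAPS handler TLS is then enabled on the context before
     * any request is processed.
     *
     * <p>NOTE(review): the plugin-rejection and TLS-failure exceptions are thrown inside the
     * {@code try} whose {@code catch (Exception)} handles them, so the connection is
     * disconnected a second time with SERVER_ERROR and the caller sees OPERATIONS_ERROR rather
     * than the original result code. Confirm this is intended before relying on the result
     * code or the debug message to tell a policy rejection from a server fault.
     *
     * @throws LdapException when the client is rejected
     */
    public LDAPClientConnection2 canAccept(LDAPClientContext lDAPClientContext) throws LdapException {
        LDAPClientConnection2 connection = new LDAPClientConnection2(this, lDAPClientContext, getProtocol(), this.currentConfig.isKeepStats());
        if (connection.getConnectionID() < 0) {
            connection.disconnect(DisconnectReason.ADMIN_LIMIT_EXCEEDED, true, ProtocolMessages.ERR_CONNHANDLER_REJECTED_BY_SERVER.get());
            throw LdapException.newLdapException(ResultCode.ADMIN_LIMIT_EXCEEDED);
        }
        InetAddress remoteAddress = connection.getRemoteAddress();
        // Deny list wins: it is evaluated before the allow list.
        if (!this.deniedClients.isEmpty() && AddressMask.matchesAny(this.deniedClients, remoteAddress)) {
            connection.disconnect(DisconnectReason.CONNECTION_REJECTED, this.currentConfig.isSendRejectionNotice(), ProtocolMessages.ERR_CONNHANDLER_DENIED_CLIENT.get(connection.getClientHostPort(), connection.getServerHostPort()));
            throw LdapException.newLdapException(ResultCode.CONSTRAINT_VIOLATION);
        }
        // An empty allow list means "no restriction", not "nobody".
        if (!this.allowedClients.isEmpty() && !AddressMask.matchesAny(this.allowedClients, remoteAddress)) {
            connection.disconnect(DisconnectReason.CONNECTION_REJECTED, this.currentConfig.isSendRejectionNotice(), ProtocolMessages.ERR_CONNHANDLER_DISALLOWED_CLIENT.get(connection.getClientHostPort(), connection.getServerHostPort()));
            throw LdapException.newLdapException(ResultCode.CONSTRAINT_VIOLATION);
        }
        try {
            PluginResult.PostConnect pluginResult = DirectoryServer.getPluginConfigManager().invokePostConnectPlugins(connection);
            if (!pluginResult.continueProcessing()) {
                connection.disconnect(pluginResult.getDisconnectReason(), pluginResult.sendDisconnectNotification(), pluginResult.getErrorMessage());
                throw LdapException.newLdapException(ResultCode.CONSTRAINT_VIOLATION);
            }
            if (useSSL()) {
                try {
                    // A fresh engine per connection, built from the current configuration.
                    lDAPClientContext.enableTLS(createSSLEngine(), false);
                } catch (DirectoryException e) {
                    throw LdapException.newLdapException(e.getResultCode(), e);
                }
            }
            return connection;
        } catch (Exception e2) {
            logger.traceException(e2);
            LocalizableMessage message = ProtocolMessages.INFO_CONNHANDLER_UNABLE_TO_REGISTER_CLIENT.get(connection.getClientHostPort(), connection.getServerHostPort(), StaticUtils.getExceptionMessage(e2));
            logger.debug(message);
            connection.disconnect(DisconnectReason.SERVER_ERROR, this.currentConfig.isSendRejectionNotice(), message);
            throw LdapException.newLdapException(ResultCode.OPERATIONS_ERROR);
        }
    }

    @Override
    public void toString(StringBuilder sb) {
        sb.append(this.handlerName);
    }

    /** Returns whether the handler is configured for LDAPS (TLS from the first byte). */
    public boolean useSSL() {
        return this.currentConfig.isUseSSL();
    }

    /**
     * Builds a server-mode {@link SSLEngine} from the current configuration and TLS context.
     *
     * @throws DirectoryException when the engine cannot be created or configured
     */
    public SSLEngine createSSLEngine() throws DirectoryException {
        return createSSLEngine(this.currentConfig, this.sslContext);
    }

    /**
     * Builds a server-mode engine and applies the configured protocols, cipher suites and
     * client-authentication policy.
     *
     * <p>An empty protocol or cipher-suite setting leaves the engine on the defaults of the
     * JVM / security provider, so the effective TLS versions then depend on the runtime.
     * Any failure, including a {@code null} context, is reported as a {@link DirectoryException}.
     */
    private SSLEngine createSSLEngine(LDAPConnectionHandlerCfg cfg, SSLContext sSLContext) throws DirectoryException {
        try {
            SSLEngine engine = sSLContext.createSSLEngine();
            engine.setUseClientMode(false);
            SortedSet protocols = cfg.getSSLProtocol();
            if (protocols.isEmpty()) {
                // Re-applies the engine's own defaults: no protocol restriction is added.
                engine.setEnabledProtocols(engine.getEnabledProtocols());
            } else {
                engine.setEnabledProtocols((String[]) protocols.toArray(new String[0]));
            }
            SortedSet cipherSuites = cfg.getSSLCipherSuite();
            if (!cipherSuites.isEmpty()) {
                engine.setEnabledCipherSuites((String[]) cipherSuites.toArray(new String[0]));
            }
            switch (AnonymousClass2.$SwitchMap$org$forgerock$opendj$server$config$meta$LDAPConnectionHandlerCfgDefn$SSLClientAuthPolicy[cfg.getSSLClientAuthPolicy().ordinal()]) {
                case 1: // DISABLED: never ask for a client certificate
                    engine.setNeedClientAuth(false);
                    engine.setWantClientAuth(false);
                    break;
                case 2: // REQUIRED: need is set last so it is the mode left in effect
                    engine.setWantClientAuth(true);
                    engine.setNeedClientAuth(true);
                    break;
                case 3: // OPTIONAL
                default: // any unmapped policy is treated as OPTIONAL
                    engine.setNeedClientAuth(false);
                    engine.setWantClientAuth(true);
                    break;
            }
            return engine;
        } catch (Exception e) {
            logger.traceException(e);
            throw new DirectoryException(DirectoryServer.getCoreConfigManager().getServerErrorResultCode(), ProtocolMessages.ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(StaticUtils.getExceptionMessage(e)), e);
        }
    }

    /**
     * Logs a warning and disables the handler when the configuration is LDAPS. A handler that
     * only allows StartTLS is left enabled.
     */
    private void disableAndWarnIfUseSSL(LDAPConnectionHandlerCfg cfg) {
        if (cfg.isUseSSL()) {
            logger.warn(ProtocolMessages.INFO_DISABLE_CONNECTION, this.friendlyName);
            this.enabled = false;
        }
    }

    /**
     * Builds the TLS context from the configured key and trust manager providers.
     *
     * <p>A missing key manager provider is replaced by a {@link NullKeyManagerProvider}, and a
     * provider without keys or without any of the configured certificate nicknames is only
     * logged; in each case the handler is disabled solely when it is LDAPS, so a
     * StartTLS-capable handler keeps running with that key material.
     *
     * <p>Without a trust manager provider DN, {@code null} trust managers are passed to
     * {@code SSLContext.init}, which makes the security provider fall back to its default trust
     * material for validating client certificates.
     *
     * <p>NOTE(review): in FIPS mode the context is initialized with the provider's key managers
     * directly, so the nickname-filtered key managers computed above are not used there —
     * confirm that the configured certificate nicknames are meant to be ignored in FIPS mode.
     *
     * @throws DirectoryException when the context cannot be created or initialized
     */
    private SSLContext createSSLContext(LDAPConnectionHandlerCfg cfg) throws DirectoryException {
        KeyManager[] keyManagers;
        try {
            DN keyManagerProviderDN = cfg.getKeyManagerProviderDN();
            ServerContext serverContext = DirectoryServer.getInstance().getServerContext();
            KeyManagerProvider<?> keyManagerProvider = serverContext.getKeyManagerProvider(keyManagerProviderDN);
            if (keyManagerProvider == null) {
                logger.error(ProtocolMessages.ERR_NULL_KEY_PROVIDER_MANAGER, keyManagerProviderDN, this.friendlyName);
                disableAndWarnIfUseSSL(cfg);
                keyManagerProvider = new NullKeyManagerProvider();
            } else if (!keyManagerProvider.containsAtLeastOneKey()) {
                logger.error(ProtocolMessages.ERR_INVALID_KEYSTORE, this.friendlyName);
                disableAndWarnIfUseSSL(cfg);
            }
            TreeSet nicknames = new TreeSet(cfg.getSSLCertNickname());
            if (nicknames.isEmpty()) {
                keyManagers = keyManagerProvider.getKeyManagers();
            } else {
                // Drop every configured nickname the key store does not contain.
                Iterator it = nicknames.iterator();
                while (it.hasNext()) {
                    if (!keyManagerProvider.containsKeyWithAlias((String) it.next())) {
                        logger.error(ProtocolMessages.ERR_KEYSTORE_DOES_NOT_CONTAIN_ALIAS, nicknames, this.friendlyName);
                        it.remove();
                    }
                }
                if (nicknames.isEmpty()) {
                    disableAndWarnIfUseSSL(cfg);
                }
                keyManagers = SelectableCertificateKeyManager.wrap(keyManagerProvider.getKeyManagers(), nicknames, this.friendlyName);
            }
            DN trustManagerProviderDN = cfg.getTrustManagerProviderDN();
            TrustManager[] trustManagers = trustManagerProviderDN == null ? null : serverContext.getTrustManagerProvider(trustManagerProviderDN).getTrustManagers();
            SSLContext context = SSLContext.getInstance(SSL_CONTEXT_INSTANCE_NAME);
            if (com.forgerock.opendj.util.StaticUtils.isFips()) {
                context.init(keyManagerProvider.getKeyManagers(), trustManagers, null);
            } else {
                context.init(keyManagers, trustManagers, null);
            }
            return context;
        } catch (Exception e) {
            logger.traceException(e);
            throw new DirectoryException(DirectoryServer.getCoreConfigManager().getServerErrorResultCode(), ProtocolMessages.ERR_CONNHANDLER_SSL_CANNOT_INITIALIZE.get(StaticUtils.getExceptionMessage(e)), e);
        }
    }

    /**
     * Queues a job for the connection finalizer, or runs it immediately on the calling thread
     * when the finalizer executor is not available (before initialization or after
     * finalization).
     */
    void registerConnectionFinalizer(Runnable runnable) {
        synchronized (this.connectionFinalizerLock) {
            if (this.connectionFinalizer != null) {
                this.connectionFinalizerPendingJobQueue.add(runnable);
            } else {
                runnable.run();
            }
        }
    }

    /** Decompiler rendering of the compiler-generated bridge to the typed overload. */
    public /* bridge */ /* synthetic */ boolean isConfigurationChangeAcceptable(Configuration configuration, List list) {
        return isConfigurationChangeAcceptable((LDAPConnectionHandlerCfg) configuration, (List<LocalizableMessage>) list);
    }
}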
