package org.apache.nifi.bootstrap.property;

import java.io.BufferedReader;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.io.PrintWriter;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.channels.Channels;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFilePermission;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.MessageDigest;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.SecureRandom;
import java.security.cert.CertificateEncodingException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.LocalDate;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.EnumSet;
import java.util.HashSet;
import java.util.HexFormat;
import java.util.LinkedHashSet;
import java.util.List;
import java.util.Objects;
import java.util.Properties;
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import javax.security.auth.x500.X500Principal;
import org.apache.nifi.security.cert.builder.StandardCertificateBuilder;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/nifi/bootstrap/property/SecurityApplicationPropertyHandler.class */
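/**
 * Bootstraps TLS for a fresh installation: generates a self-signed certificate, writes it to a new Key Store
 * and Trust Store, and records the generated store passwords in the application properties file.
 *
 * <p>Generation happens only when {@code nifi.web.https.port}, {@code nifi.security.keystore} and
 * {@code nifi.security.truststore} are configured, both store password properties are blank, and neither store
 * file exists yet. The certificate is RSA 4096, self-signed with issuer {@code CN=localhost}, valid for 60 days,
 * and carries DNS Subject Alternative Names for {@code localhost}, the local host name, and every host listed in
 * {@code nifi.web.proxy.host}.
 *
 * <p>Security notes: the Key Store holds the private key and the generated passwords are written in clear text
 * to the properties file. Both stores are therefore created with owner-only permissions where the file system
 * supports them and are never opened for overwrite (a pre-existing file, or a symbolic link planted at the
 * configured path, makes generation fail instead). The properties file keeps whatever permissions it already had;
 * operators are expected to protect it. Passwords are never logged; only the certificate digest and expiration are.
 */
public class SecurityApplicationPropertyHandler implements ApplicationPropertyHandler {
    protected static final String ENTRY_ALIAS = "generated";
    private static final String DIGEST_ALGORITHM = "SHA-256";
    private static final String KEY_ALGORITHM = "RSA";
    private static final int KEY_SIZE = 4096;
    private static final String LOCALHOST = "localhost";
    private static final int RANDOM_BYTE_LENGTH = 16;
    private static final String PROPERTY_SEPARATOR = "=";
    private static final int HOST_GROUP = 1;
    private final Logger logger;
    protected static final X500Principal CERTIFICATE_ISSUER = new X500Principal("CN=localhost");
    private static final Duration CERTIFICATE_VALIDITY_PERIOD = Duration.ofDays(60);
    /** Host name of word characters, '-' and '.', optionally followed by ':' and up to five digits; group 1 is the host. */
    private static final Pattern HOST_PORT_PATTERN = Pattern.compile("^([\\w-.]{1,254}):?\\d{0,5}$");
    private static final Pattern HOST_PORT_GROUP_SEPARATOR = Pattern.compile("\\s*,\\s*");

    /** Owner read/write only: applied to the generated stores because the Key Store contains the private key. */
    private static final Set<PosixFilePermission> OWNER_ONLY_PERMISSIONS = EnumSet.of(PosixFilePermission.OWNER_READ, PosixFilePermission.OWNER_WRITE);

    /** Password properties rewritten in the properties file; missing entries are appended in this order. */
    private static final List<SecurityProperty> PASSWORD_PROPERTIES = List.of(
            SecurityProperty.KEYSTORE_PASSWD,
            SecurityProperty.KEY_PASSWD,
            SecurityProperty.TRUSTSTORE_PASSWD
    );

    /**
     * Application property names read or written by this handler.
     */
    public enum SecurityProperty {
        HTTPS_PORT("nifi.web.https.port"),
        WEB_PROXY_HOST("nifi.web.proxy.host"),
        KEYSTORE("nifi.security.keystore"),
        KEYSTORE_TYPE("nifi.security.keystoreType"),
        KEYSTORE_PASSWD("nifi.security.keystorePasswd"),
        KEY_PASSWD("nifi.security.keyPasswd"),
        TRUSTSTORE("nifi.security.truststore"),
        TRUSTSTORE_TYPE("nifi.security.truststoreType"),
        TRUSTSTORE_PASSWD("nifi.security.truststorePasswd");

        private final String name;

        SecurityProperty(String str) {
            this.name = str;
        }

        /**
         * @return property name as it appears in the application properties file
         */
        public String getName() {
            return this.name;
        }
    }

    /**
     * @param logger Logger for status and warning messages; required
     */
    public SecurityApplicationPropertyHandler(Logger logger) {
        this.logger = (Logger) Objects.requireNonNull(logger, "Logger required");
    }

    /**
     * Loads the application properties and, when generation is required, creates the certificate and stores and
     * rewrites the password properties in the file.
     *
     * @param path application properties file; required
     * @throws IllegalStateException when the file cannot be read or written, or store generation fails
     */
    @Override // org.apache.nifi.bootstrap.property.ApplicationPropertyHandler
    public void handleProperties(Path path) {
        Objects.requireNonNull(path, "Application Properties path required");
        final Properties properties = loadProperties(path);
        if (isCertificateGenerationRequired(properties)) {
            processApplicationProperties(properties);
            writePasswordProperties(properties, path);
        }
    }

    /**
     * Generates the key pair and certificate, then writes the Key Store followed by the Trust Store.
     * If the Trust Store cannot be written, the Key Store created moments earlier is removed again: leaving a store
     * on disk whose password was never persisted would suppress generation on the next start and leave an
     * unusable configuration.
     */
    private void processApplicationProperties(Properties properties) {
        final KeyPair keyPair = generateKeyPair();
        final X509Certificate certificate = new StandardCertificateBuilder(keyPair, CERTIFICATE_ISSUER, CERTIFICATE_VALIDITY_PERIOD)
                .setDnsSubjectAlternativeNames(getSubjectAlternativeNames(properties))
                .build();

        // Expiration is computed locally from the validity period; the builder sets the certificate's actual dates
        this.logger.info("Generated Self-Signed Certificate Expiration: {}", LocalDate.now().plusDays(CERTIFICATE_VALIDITY_PERIOD.toDays()));
        this.logger.info("Generated Self-Signed Certificate SHA-256: {}", getDigest(certificate));

        writeKeyStore(properties, certificate, keyPair.getPrivate());
        try {
            writeTrustStore(properties, certificate);
        } catch (final RuntimeException e) {
            // writeKeyStore succeeded, so the file at the configured path was created by this run
            deleteQuietly(Paths.get(properties.getProperty(SecurityProperty.KEYSTORE.getName())));
            throw e;
        }
    }

    /**
     * Writes the certificate as a trusted entry to a new Trust Store protected by a generated password, and records
     * that password in {@code nifi.security.truststorePasswd}.
     */
    private void writeTrustStore(Properties properties, X509Certificate x509Certificate) {
        final KeyStore trustStore = newKeyStore(properties.getProperty(SecurityProperty.TRUSTSTORE_TYPE.getName()));
        try {
            trustStore.load(null, null);
            trustStore.setCertificateEntry(ENTRY_ALIAS, x509Certificate);
        } catch (final IOException | GeneralSecurityException e) {
            throw new IllegalStateException("Trust Store creation failed", e);
        }

        final Path trustStorePath = Paths.get(properties.getProperty(SecurityProperty.TRUSTSTORE.getName()));
        final String password = generatePassword();
        storeProtected(trustStore, trustStorePath, password.toCharArray(), "Trust Store");
        // Recorded only after the store is on disk so a failed write never leaves a password pointing at nothing
        properties.setProperty(SecurityProperty.TRUSTSTORE_PASSWD.getName(), password);
    }

    /**
     * Writes the private key and certificate to a new Key Store protected by a generated password. The same
     * password is used for the store and the key entry and is recorded in both
     * {@code nifi.security.keystorePasswd} and {@code nifi.security.keyPasswd}.
     */
    private void writeKeyStore(Properties properties, X509Certificate x509Certificate, PrivateKey privateKey) {
        final String password = generatePassword();
        final char[] passwordChars = password.toCharArray();
        final KeyStore keyStore = newKeyStore(properties.getProperty(SecurityProperty.KEYSTORE_TYPE.getName()));
        try {
            keyStore.load(null, null);
            keyStore.setKeyEntry(ENTRY_ALIAS, privateKey, passwordChars, new X509Certificate[]{x509Certificate});
        } catch (final IOException | GeneralSecurityException e) {
            throw new IllegalStateException("Key Store creation failed", e);
        }

        final Path keyStorePath = Paths.get(properties.getProperty(SecurityProperty.KEYSTORE.getName()));
        storeProtected(keyStore, keyStorePath, passwordChars, "Key Store");
        properties.setProperty(SecurityProperty.KEYSTORE_PASSWD.getName(), password);
        properties.setProperty(SecurityProperty.KEY_PASSWD.getName(), password);
    }

    /**
     * Stores a Key Store to a newly created, owner-only file.
     *
     * @param keyStore    loaded store to serialize
     * @param path        destination path; must not exist
     * @param password    store password
     * @param description "Key Store" or "Trust Store", used in failure messages
     * @throws IllegalStateException when the file cannot be created or the store cannot be serialized; a file
     *                               created by this call is removed before the exception propagates
     */
    private void storeProtected(final KeyStore keyStore, final Path path, final char[] password, final String description) {
        final OutputStream outputStream;
        try {
            outputStream = newProtectedOutputStream(path);
        } catch (final IOException e) {
            throw new IllegalStateException("%s storage failed".formatted(description), e);
        }

        try (outputStream) {
            keyStore.store(outputStream, password);
        } catch (final IOException | GeneralSecurityException e) {
            // The file exists only because of the open above; do not leave a truncated or partial store behind
            deleteQuietly(path);
            throw new IllegalStateException("%s storage failed".formatted(description), e);
        }
    }

    /**
     * Opens a new file for writing with {@code CREATE_NEW}, so an existing file (or a symbolic link already at the
     * path) causes failure rather than overwrite. On POSIX file systems the file is created with owner read/write
     * permissions atomically; elsewhere the platform defaults apply.
     */
    private OutputStream newProtectedOutputStream(final Path path) throws IOException {
        final Set<? extends OpenOption> options = Set.of(StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        try {
            final FileAttribute<Set<PosixFilePermission>> ownerOnly = PosixFilePermissions.asFileAttribute(OWNER_ONLY_PERMISSIONS);
            return Channels.newOutputStream(Files.newByteChannel(path, options, ownerOnly));
        } catch (final UnsupportedOperationException e) {
            // Non-POSIX file system (e.g. Windows): POSIX permissions are not an accepted initial attribute
            this.logger.warn("Owner-only permissions not supported for [{}]: using file system defaults", path);
            return Files.newOutputStream(path, StandardOpenOption.CREATE_NEW, StandardOpenOption.WRITE);
        }
    }

    /**
     * Deletes a file created by this run, logging rather than failing if deletion is not possible.
     */
    private void deleteQuietly(final Path path) {
        try {
            Files.deleteIfExists(path);
        } catch (final IOException e) {
            this.logger.warn("Delete incomplete file [{}] failed: {}", path, e.getMessage());
        }
    }

    /**
     * Rewrites the properties file so the three password properties carry the generated values. Existing lines
     * beginning with a password property name are replaced in place; a password property with no line at all is
     * appended, otherwise the generated store could never be opened. All other lines are preserved verbatim.
     * The whole file is read before anything is written so a read failure cannot truncate it.
     */
    private void writePasswordProperties(Properties properties, Path path) {
        final List<String> lines;
        try {
            lines = Files.readAllLines(path, StandardCharsets.UTF_8);
        } catch (final IOException e) {
            throw new IllegalStateException("Read Application Properties failed", e);
        }

        final List<String> updated = new ArrayList<>(lines.size() + PASSWORD_PROPERTIES.size());
        final Set<SecurityProperty> replaced = EnumSet.noneOf(SecurityProperty.class);
        for (final String line : lines) {
            final SecurityProperty passwordProperty = findPasswordProperty(line);
            if (passwordProperty == null) {
                updated.add(line);
            } else {
                updated.add(formatProperty(passwordProperty, properties));
                replaced.add(passwordProperty);
            }
        }
        for (final SecurityProperty passwordProperty : PASSWORD_PROPERTIES) {
            if (!replaced.contains(passwordProperty)) {
                updated.add(formatProperty(passwordProperty, properties));
            }
        }

        try {
            // Same charset as the read above; the previous implementation wrote with the platform default
            Files.write(path, updated, StandardCharsets.UTF_8);
        } catch (final IOException e) {
            throw new IllegalStateException("Write Application Properties failed", e);
        }
    }

    /**
     * @return the password property whose name the line starts with, or null when the line is not one of them
     */
    private SecurityProperty findPasswordProperty(final String line) {
        for (final SecurityProperty passwordProperty : PASSWORD_PROPERTIES) {
            if (line.startsWith(passwordProperty.getName())) {
                return passwordProperty;
            }
        }
        return null;
    }

    /**
     * Formats {@code name=value}. No escaping is applied: generated passwords are hexadecimal and need none.
     */
    private String formatProperty(final SecurityProperty securityProperty, final Properties properties) {
        return securityProperty.getName() + PROPERTY_SEPARATOR + properties.getProperty(securityProperty.getName());
    }

    /**
     * @param str Key Store type such as PKCS12; a blank type fails with a clear message instead of a NullPointerException
     */
    private KeyStore newKeyStore(String str) {
        if (isBlank(str)) {
            throw new IllegalStateException("Key Store Type required for certificate generation");
        }
        try {
            return KeyStore.getInstance(str);
        } catch (KeyStoreException e) {
            throw new IllegalStateException("Key Store Type [%s] instantiation failed".formatted(str), e);
        }
    }

    /**
     * Generation requires an HTTPS port, both store paths, both store passwords blank, and both store files absent.
     * A configured password or an existing file on either side means the operator supplied their own material.
     */
    private boolean isCertificateGenerationRequired(Properties properties) {
        final String httpsPort = properties.getProperty(SecurityProperty.HTTPS_PORT.getName());
        final String keyStorePath = properties.getProperty(SecurityProperty.KEYSTORE.getName());
        final String trustStorePath = properties.getProperty(SecurityProperty.TRUSTSTORE.getName());
        if (isBlank(httpsPort) || isBlank(keyStorePath) || isBlank(trustStorePath)) {
            return false;
        }

        final boolean passwordConfigured = !isBlank(properties.getProperty(SecurityProperty.KEYSTORE_PASSWD.getName()))
                || !isBlank(properties.getProperty(SecurityProperty.TRUSTSTORE_PASSWD.getName()));
        if (passwordConfigured) {
            return false;
        }

        return Files.notExists(Paths.get(keyStorePath)) && Files.notExists(Paths.get(trustStorePath));
    }

    /**
     * DNS Subject Alternative Names: localhost, the local host name when it can be resolved, and the configured
     * proxy hosts. A host name lookup failure no longer discards localhost and the proxy hosts, which would have
     * produced a certificate with no Subject Alternative Name at all.
     */
    private Collection<String> getSubjectAlternativeNames(Properties properties) {
        final Set<String> names = new LinkedHashSet<>();
        names.add(LOCALHOST);
        try {
            names.add(InetAddress.getLocalHost().getHostName());
        } catch (final UnknownHostException e) {
            this.logger.warn("Local host name resolution failed [{}]: Subject Alternative Names limited to localhost and configured hosts", e.getMessage());
        }
        names.addAll(getHosts(properties.getProperty(SecurityProperty.WEB_PROXY_HOST.getName())));
        return names;
    }

    /**
     * @return RSA 4096 key pair from the default provider's generator
     */
    private KeyPair generateKeyPair() {
        try {
            final KeyPairGenerator keyPairGenerator = KeyPairGenerator.getInstance(KEY_ALGORITHM);
            keyPairGenerator.initialize(KEY_SIZE);
            return keyPairGenerator.generateKeyPair();
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Key Pair Algorithm not supported [%s]".formatted(KEY_ALGORITHM), e);
        }
    }

    /**
     * @return 16 bytes from SecureRandom as 32 lowercase hexadecimal characters; overridable for testing
     */
    protected String generatePassword() {
        final byte[] randomBytes = new byte[RANDOM_BYTE_LENGTH];
        new SecureRandom().nextBytes(randomBytes);
        return HexFormat.of().formatHex(randomBytes);
    }

    /**
     * @return uppercase hexadecimal SHA-256 of the DER-encoded certificate, suitable for out-of-band verification
     */
    private static String getDigest(X509Certificate x509Certificate) {
        try {
            final byte[] digest = MessageDigest.getInstance(DIGEST_ALGORITHM).digest(x509Certificate.getEncoded());
            return HexFormat.of().withUpperCase().formatHex(digest);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException("Message Digest Algorithm not found", e);
        } catch (CertificateEncodingException e2) {
            throw new IllegalArgumentException("Certificate encoding processing failed", e2);
        }
    }

    /**
     * @return properties loaded from the file using {@link Properties#load(InputStream)}
     */
    private Properties loadProperties(Path path) {
        try (InputStream inputStream = Files.newInputStream(path)) {
            final Properties properties = new Properties();
            properties.load(inputStream);
            return properties;
        } catch (IOException e) {
            throw new IllegalStateException("Reading Application Properties failed [%s]".formatted(path), e);
        }
    }

    /**
     * Splits a comma-separated {@code host[:port]} list and returns the host parts in configuration order.
     * Blank entries, including the empty default value, are skipped without a warning; entries that do not match
     * the host pattern are logged and dropped.
     */
    private Set<String> getHosts(String str) {
        final Set<String> hosts = new LinkedHashSet<>();
        if (str == null) {
            return hosts;
        }
        for (final String hostPort : HOST_PORT_GROUP_SEPARATOR.split(str)) {
            if (hostPort.isBlank()) {
                continue;
            }
            final Matcher matcher = HOST_PORT_PATTERN.matcher(hostPort);
            if (matcher.matches()) {
                hosts.add(matcher.group(HOST_GROUP));
            } else {
                this.logger.warn("Invalid host [{}] configured for [{}] in nifi.properties", hostPort, SecurityProperty.WEB_PROXY_HOST.getName());
            }
        }
        return hosts;
    }

    private boolean isBlank(String str) {
        return str == null || str.isBlank();
    }
}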
