package org.forgerock.openidm.security;

import java.security.Security;
import java.util.Dictionary;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import org.apache.felix.scr.annotations.Activate;
import org.apache.felix.scr.annotations.Component;
import org.apache.felix.scr.annotations.ConfigurationPolicy;
import org.apache.felix.scr.annotations.Deactivate;
import org.apache.felix.scr.annotations.Properties;
import org.apache.felix.scr.annotations.Property;
import org.apache.felix.scr.annotations.Reference;
import org.apache.felix.scr.annotations.Service;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.forgerock.json.fluent.JsonValue;
import org.forgerock.json.resource.ActionRequest;
import org.forgerock.json.resource.CreateRequest;
import org.forgerock.json.resource.DeleteRequest;
import org.forgerock.json.resource.PatchRequest;
import org.forgerock.json.resource.QueryRequest;
import org.forgerock.json.resource.QueryResultHandler;
import org.forgerock.json.resource.ReadRequest;
import org.forgerock.json.resource.RequestHandler;
import org.forgerock.json.resource.Resource;
import org.forgerock.json.resource.ResultHandler;
import org.forgerock.json.resource.Router;
import org.forgerock.json.resource.ServerContext;
import org.forgerock.json.resource.UpdateRequest;
import org.forgerock.openidm.core.IdentityServer;
import org.forgerock.openidm.crypto.factory.CryptoUpdateService;
import org.forgerock.openidm.jetty.Config;
import org.forgerock.openidm.jetty.Param;
import org.forgerock.openidm.repo.RepositoryService;
import org.forgerock.openidm.security.impl.CertificateResourceProvider;
import org.forgerock.openidm.security.impl.JcaKeyStoreHandler;
import org.forgerock.openidm.security.impl.KeystoreResourceProvider;
import org.forgerock.openidm.security.impl.PrivateKeyResourceProvider;
import org.osgi.service.component.ComponentContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

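/**
 * OSGi component that owns the OpenIDM keystore and truststore.
 *
 * <p>On activation it installs the BouncyCastle JCE provider, seeds the
 * {@code javax.net.ssl.*} system properties from the configured store
 * locations, types and passwords (only when the operator has not already set
 * them), wires the keystore/truststore resource providers into an internal
 * {@link Router} served under the {@code /security/*} prefix, and provisions the
 * default HTTPS key entry if it is missing. Every {@link RequestHandler} method
 * simply delegates to that router.
 *
 * <p>{@link #reload()} rebuilds the process-wide default {@link SSLContext} from
 * the current store contents; code that modifies either store must call it for
 * the change to become visible to new TLS connections.
 */
@Service
@Component(name = SecurityManager.PID, policy = ConfigurationPolicy.IGNORE, metatype = true, description = "OpenIDM Security Management Service", immediate = true)
@Properties({@Property(name = "service.vendor", value = {"ForgeRock AS."}), @Property(name = "service.description", value = {"Security Management Service"}), @Property(name = "openidm.router.prefix", value = {"/security/*"})})
public class SecurityManager implements RequestHandler, KeyStoreManager {
    /** Component PID used by the SCR registration. */
    public static final String PID = "org.forgerock.openidm.security";
    private static final Logger logger = LoggerFactory.getLogger(SecurityManager.class);

    @Reference
    protected RepositoryService repoService;

    @Reference
    private CryptoUpdateService cryptoUpdateService;
    /** Routes every CREST request to the keystore/truststore resource providers. */
    private final Router router = new Router();
    /** Set in {@link #activate}; null until the component is activated. */
    private KeyStoreHandler trustStoreHandler = null;
    /** Set in {@link #activate}; null until the component is activated. */
    private KeyStoreHandler keyStoreHandler = null;

    /**
     * Activates the service: registers the BouncyCastle provider, seeds the JSSE
     * system properties, registers the router routes and initialises the key
     * material for this instance type.
     *
     * @param componentContext the SCR component context (used for logging only)
     * @throws Exception if a store handler cannot be created or a system property
     *         value is null; failures while provisioning keys are logged and do
     *         not abort activation
     */
    @Activate
    void activate(ComponentContext componentContext) throws Exception {
        logger.debug("Activating Security Management Service {}", componentContext);
        // Security.addProvider() ignores a duplicate, but the explicit check keeps
        // re-activation of the component free of provider-table side effects.
        if (Security.getProvider(BouncyCastleProvider.PROVIDER_NAME) == null) {
            Security.addProvider(new BouncyCastleProvider());
        }

        String keystoreType = Param.getKeystoreType();
        String keystoreLocation = Param.getKeystoreLocation();
        String keystorePassword = Param.getKeystorePassword(false);
        String truststoreType = Param.getTruststoreType();
        String truststoreLocation = Param.getTruststoreLocation();
        String truststorePassword = Param.getTruststorePassword(false);

        // Seed the JSSE defaults only when the operator has not configured them on
        // the command line. NOTE(review): this places the store passwords in JVM
        // system properties, readable by any code running in the process.
        exportStoreProperties("javax.net.ssl.keyStore", keystoreLocation, keystorePassword, keystoreType);
        exportStoreProperties("javax.net.ssl.trustStore", truststoreLocation, truststorePassword, truststoreType);

        // Keystore: store, certificates and private keys are all exposed.
        this.keyStoreHandler = new JcaKeyStoreHandler(keystoreType, keystoreLocation, keystorePassword);
        KeystoreResourceProvider keystoreProvider =
                new KeystoreResourceProvider("keystore", this.keyStoreHandler, this, this.repoService);
        CertificateResourceProvider keystoreCertProvider =
                new CertificateResourceProvider("keystore", this.keyStoreHandler, this, this.repoService);
        PrivateKeyResourceProvider privateKeyProvider =
                new PrivateKeyResourceProvider("keystore", this.keyStoreHandler, this, this.repoService);
        this.router.addRoute("/keystore", keystoreProvider);
        this.router.addRoute("/keystore/cert", keystoreCertProvider);
        this.router.addRoute("/keystore/privatekey", privateKeyProvider);

        // Truststore: certificates only, no private-key route.
        this.trustStoreHandler = new JcaKeyStoreHandler(truststoreType, truststoreLocation, truststorePassword);
        KeystoreResourceProvider truststoreProvider =
                new KeystoreResourceProvider("truststore", this.trustStoreHandler, this, this.repoService);
        CertificateResourceProvider truststoreCertProvider =
                new CertificateResourceProvider("truststore", this.trustStoreHandler, this, this.repoService);
        this.router.addRoute("/truststore", truststoreProvider);
        this.router.addRoute("/truststore/cert", truststoreCertProvider);

        String instanceType = IdentityServer.getInstance().getProperty("openidm.instance.type", "standalone");
        String configuredAlias = Param.getProperty("openidm.https.keystore.cert.alias");
        String certAlias = configuredAlias == null ? "openidm-localhost" : configuredAlias;
        try {
            if (instanceType.equals("clustered-additional")) {
                // Additional cluster nodes take their stores from the shared repo
                // rather than generating their own key material.
                keystoreProvider.loadStoreFromRepo();
                truststoreProvider.loadStoreFromRepo();
                reload();
                this.cryptoUpdateService.updateKeySelector(this.keyStoreHandler.getStore(), keystorePassword);
            } else {
                if (!privateKeyProvider.hasEntry(certAlias)) {
                    privateKeyProvider.createDefaultEntry(certAlias);
                    reload();
                    try {
                        Config.updateConfig((Dictionary) null);
                    } catch (NullPointerException e) {
                        // Best effort: the new key entry is in place even if the Jetty
                        // configuration could not be refreshed here.
                        logger.warn("Failed to refresh Jetty configuration after creating default key entry", e);
                    }
                }
                if (instanceType.equals("clustered-first")) {
                    keystoreProvider.saveStoreToRepo();
                    truststoreProvider.saveStoreToRepo();
                }
            }
        } catch (Exception e2) {
            // Activation continues with whatever state the stores are in; if this
            // fires before reload() ran, the JVM default SSLContext is still in use.
            logger.warn("Error initializing keys", e2);
        }
    }

    /**
     * Sets {@code base}, {@code base + "Password"} and {@code base + "Type"} as
     * system properties, but only if {@code base} is not already defined.
     *
     * @param base     the store property, e.g. {@code javax.net.ssl.keyStore}
     * @param location the store file location
     * @param password the store password (a null value makes {@code setProperty} throw)
     * @param type     the store type
     */
    private static void exportStoreProperties(String base, String location, String password, String type) {
        if (System.getProperty(base) != null) {
            return;
        }
        System.setProperty(base, location);
        System.setProperty(base + "Password", password);
        System.setProperty(base + "Type", type);
    }

    /**
     * Deactivates the service by dropping every registered route.
     *
     * @param componentContext the SCR component context (used for logging only)
     */
    @Deactivate
    void deactivate(ComponentContext componentContext) {
        logger.debug("Deactivating Security Management Service {}", componentContext);
        this.router.removeAllRoutes();
    }

    /**
     * Rebuilds the JVM default {@link SSLContext} from the current keystore and
     * truststore contents.
     *
     * @throws IllegalStateException if called before {@link #activate}
     * @throws Exception if the factories or the context cannot be initialised
     */
    @Override // org.forgerock.openidm.security.KeyStoreManager
    public void reload() throws Exception {
        if (this.keyStoreHandler == null || this.trustStoreHandler == null) {
            throw new IllegalStateException("SecurityManager has not been activated");
        }
        TrustManagerFactory trustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(this.trustStoreHandler.getStore());

        KeyManagerFactory keyManagerFactory =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(this.keyStoreHandler.getStore(), this.keyStoreHandler.getPassword().toCharArray());

        // "TLS" instead of the legacy "SSL" protocol name; the versions actually
        // negotiated are still governed by the JVM's enabled-protocol settings.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(keyManagerFactory.getKeyManagers(), trustManagerFactory.getTrustManagers(), null);
        SSLContext.setDefault(sslContext);
    }

    /** Delegates to the internal router. */
    @Override
    public void handleAction(ServerContext serverContext, ActionRequest actionRequest, ResultHandler<JsonValue> resultHandler) {
        this.router.handleAction(serverContext, actionRequest, resultHandler);
    }

    /** Delegates to the internal router. */
    @Override
    public void handleCreate(ServerContext serverContext, CreateRequest createRequest, ResultHandler<Resource> resultHandler) {
        this.router.handleCreate(serverContext, createRequest, resultHandler);
    }

    /** Delegates to the internal router. */
    @Override
    public void handleDelete(ServerContext serverContext, DeleteRequest deleteRequest, ResultHandler<Resource> resultHandler) {
        this.router.handleDelete(serverContext, deleteRequest, resultHandler);
    }

    /** Delegates to the internal router. */
    @Override
    public void handlePatch(ServerContext serverContext, PatchRequest patchRequest, ResultHandler<Resource> resultHandler) {
        this.router.handlePatch(serverContext, patchRequest, resultHandler);
    }

    /** Delegates to the internal router. */
    @Override
    public void handleQuery(ServerContext serverContext, QueryRequest queryRequest, QueryResultHandler queryResultHandler) {
        this.router.handleQuery(serverContext, queryRequest, queryResultHandler);
    }

    /** Delegates to the internal router. */
    @Override
    public void handleRead(ServerContext serverContext, ReadRequest readRequest, ResultHandler<Resource> resultHandler) {
        this.router.handleRead(serverContext, readRequest, resultHandler);
    }

    /** Delegates to the internal router. */
    @Override
    public void handleUpdate(ServerContext serverContext, UpdateRequest updateRequest, ResultHandler<Resource> resultHandler) {
        this.router.handleUpdate(serverContext, updateRequest, resultHandler);
    }

    /** SCR bind method for the {@link RepositoryService} reference. */
    protected void bindRepoService(RepositoryService repositoryService) {
        this.repoService = repositoryService;
    }

    /** SCR unbind method; clears the reference only if it is the bound instance. */
    protected void unbindRepoService(RepositoryService repositoryService) {
        if (this.repoService == repositoryService) {
            this.repoService = null;
        }
    }

    /** SCR bind method for the {@link CryptoUpdateService} reference. */
    protected void bindCryptoUpdateService(CryptoUpdateService cryptoUpdateService) {
        this.cryptoUpdateService = cryptoUpdateService;
    }

    /** SCR unbind method; clears the reference only if it is the bound instance. */
    protected void unbindCryptoUpdateService(CryptoUpdateService cryptoUpdateService) {
        if (this.cryptoUpdateService == cryptoUpdateService) {
            this.cryptoUpdateService = null;
        }
    }
}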
