package com.ibm.ws.collective.member.internal.security;

import com.ibm.websphere.kernel.server.ServerInfoMBean;
import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.Trivial;
import com.ibm.websphere.ssl.SSLConfigurationNotAvailableException;
import com.ibm.websphere.ssl.SSLException;
import com.ibm.ws.collective.member.DockerEnvironmentUtil;
import com.ibm.ws.collective.member.security.CollectiveCertificateConfig;
import com.ibm.ws.collective.security.CollectiveDNUtil;
import com.ibm.ws.collective.utils.RepositoryPathUtility;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.wsspi.kernel.service.utils.AtomicServiceReference;
import com.ibm.wsspi.kernel.service.utils.FrameworkState;
import com.ibm.wsspi.ssl.SSLConfiguration;
import com.ibm.wsspi.ssl.SSLSupport;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.security.KeyStoreException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Properties;
import java.util.concurrent.Callable;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import javax.naming.InvalidNameException;
import javax.naming.ldap.LdapName;
import javax.naming.ldap.Rdn;
import org.apache.cxf.staxutils.PropertiesExpandingStreamReader;
import org.osgi.framework.ServiceReference;
import org.osgi.service.component.ComponentContext;
import org.osgi.service.component.annotations.Activate;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Deactivate;
import org.osgi.service.component.annotations.Reference;

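/**
 * Declarative-services component that checks, shortly after activation, that this
 * member's stored server identity still describes the server it is running on.
 *
 * <p>The subject DN of the {@code serveridentity} entry in the {@code serverIdentity}
 * keystore encodes the host name, the URL-encoded user directory and the server name
 * that were current when the identity was created. {@link #validateServerIdentity()}
 * compares those three values with the live {@link ServerInfoMBean} and reports each
 * mismatch through {@code Tr.error}; it does not throw on a mismatch, so the check is
 * diagnostic rather than enforcing. An entry whose DN contains the collective's
 * configured RDN is treated as a CA certificate and is not checked.
 *
 * <p>The check needs the {@code controllerConnectionConfig} SSL configuration to be
 * resolvable, so it runs on the shared {@link ScheduledExecutorService} through
 * {@link ScheduledValidate}, which retries a bounded number of times with a 5 second
 * delay while that configuration is still unavailable.
 */
@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(configurationPolicy = ConfigurationPolicy.IGNORE, property = {"service.vendor=IBM"})
public class CollectiveIdentityValidator {
    private static final TraceComponent tc = Tr.register(CollectiveIdentityValidator.class);

    /** Id of the SSL configuration whose availability gates the identity check. */
    static final String SSL_CONFIG_ID = "controllerConnectionConfig";
    /** Keystore that holds the member's identity certificate. */
    static final String SERVER_IDENTITY_KEYSTORE_NAME = "serverIdentity";
    /** Alias of the identity certificate inside {@link #SERVER_IDENTITY_KEYSTORE_NAME}. */
    static final String SERVER_IDENTITY_KEY_ALIAS = "serveridentity";
    static final String KEY_KEYSTORE_SERVICE_REF = "keyStoreService";
    static final String KEY_SSL_SUPPORT_REF = "sslSupport";
    static final String KEY_EXECUTOR_SERVICE_REF = "executorService";
    private static final String KEY_COLLECTIVE_CERT_CONFIG_SERVICE_REF = "CollectiveCertificateConfig";
    /** Optional file, present in IBM Docker images, whose container name is appended to the server name. */
    private static final String DOCKER_ENV_PROPERTIES_PATH = "/opt/ibm/docker/env.properties";

    // Retained from the original class; the class is not Serializable.
    static final long serialVersionUID = -6919494982870064748L;

    private final AtomicServiceReference<KeyStoreService> keyStoreServiceRef = new AtomicServiceReference<>(KEY_KEYSTORE_SERVICE_REF);
    private final AtomicServiceReference<SSLSupport> sslSupportRef = new AtomicServiceReference<>(KEY_SSL_SUPPORT_REF);
    private final AtomicServiceReference<ScheduledExecutorService> executorServiceRef = new AtomicServiceReference<>(KEY_EXECUTOR_SERVICE_REF);
    private final AtomicServiceReference<CollectiveCertificateConfig> collectiveCertConfigServiceRef = new AtomicServiceReference<>(KEY_COLLECTIVE_CERT_CONFIG_SERVICE_REF);

    /** The retrying validation task created in {@link #activate}; null until then. */
    private ScheduledValidate scheduledValidate;
    /** Live description of this server; null when the mandatory reference is not bound. */
    private ServerInfoMBean serverIdentity = null;

    /**
     * Retrying task that performs the identity check once the controller SSL
     * configuration can be resolved.
     *
     * <p>All state changes are made under the task's own monitor, so
     * {@link #schedule()}, {@link #call()} and {@link #cancel()} may be invoked from
     * different threads. A run that finds the configuration unavailable reschedules
     * itself; after {@link #MAX_ATTEMPTS} runs the task gives up with a warning.
     */
    @InjectedFFDC
    class ScheduledValidate implements Callable<Void> {
        /** Runs (including the initial one) after which validation is abandoned. */
        private static final int MAX_ATTEMPTS = 5;
        /** Delay between retries. */
        private static final long RETRY_DELAY_SECONDS = 5L;
        // Retained from the original class; the class is not Serializable.
        static final long serialVersionUID = -734877917605544400L;

        private int attempts = 0;
        private boolean isCanceled = false;
        /** True while a retry is queued on the executor and has not started running. */
        private boolean scheduled = false;
        private ScheduledFuture<Void> scheduledFuture = null;

        ScheduledValidate() {
        }

        /**
         * Queues another run of this task after {@link #RETRY_DELAY_SECONDS}.
         *
         * <p>Does nothing if a run is already queued, the task has been cancelled, or the
         * framework is stopping.
         */
        public synchronized void schedule() {
            if (this.scheduled) {
                return;
            }
            if (FrameworkState.isStopping()) {
                if (CollectiveIdentityValidator.tc.isEventEnabled()) {
                    Tr.event(CollectiveIdentityValidator.tc, "Framework is stopping, will not schedule any new attempts.", new Object[0]);
                }
                return;
            }
            if (this.isCanceled) {
                if (CollectiveIdentityValidator.tc.isEventEnabled()) {
                    Tr.event(CollectiveIdentityValidator.tc, "Task is canceled, will not schedule any new attempts.", new Object[0]);
                }
                return;
            }
            if (CollectiveIdentityValidator.tc.isDebugEnabled()) {
                Tr.debug(CollectiveIdentityValidator.tc, "Scheduling a connection attempt in 5 seconds", new Object[0]);
            }
            ScheduledExecutorService executor = CollectiveIdentityValidator.this.getScheduledExecutorServiceService();
            if (executor == null) {
                // Only possible when the framework started stopping after the check above;
                // there is nothing to schedule on, so give up quietly.
                return;
            }
            this.scheduledFuture = executor.schedule(this, RETRY_DELAY_SECONDS, TimeUnit.SECONDS);
            this.scheduled = true;
        }

        /**
         * Runs one validation attempt.
         *
         * <p>Resolving the {@link #SSL_CONFIG_ID} SSL context is used as the readiness
         * probe: if it is not yet available the task reschedules itself, otherwise the
         * identity is validated. A {@link CertificateException} from validation is
         * propagated to the executor; any other failure is recorded with a warning and
         * the task stops retrying.
         *
         * @return always {@code null}
         * @throws Exception a {@link CertificateException} raised by the identity check
         */
        @Override // java.util.concurrent.Callable
        @FFDCIgnore({SSLConfigurationNotAvailableException.class, CertificateException.class})
        public synchronized Void call() throws Exception {
            this.scheduled = false;
            if (this.isCanceled) {
                if (CollectiveIdentityValidator.tc.isEventEnabled()) {
                    Tr.event(CollectiveIdentityValidator.tc, "Work has been explicitly canceled, no performing any work.", new Object[0]);
                }
                return null;
            }
            this.attempts++;
            if (this.attempts > MAX_ATTEMPTS) {
                if (CollectiveIdentityValidator.tc.isEventEnabled()) {
                    Tr.event(CollectiveIdentityValidator.tc, "Max number of attempts to validate have been exceeded, giving up", new Object[0]);
                }
                Tr.warning(CollectiveIdentityValidator.tc, "IDENTITY_CANNOT_BE_VALIDATED", new Object[0]);
                cancel();
                return null;
            }
            try {
                try {
                    CollectiveIdentityValidator.this.getSSLSupportService().getJSSEHelper().getSSLContext(SSL_CONFIG_ID, null, null, false);
                    CollectiveIdentityValidator.this.validateServerIdentity();
                } catch (SSLConfigurationNotAvailableException e) {
                    if (CollectiveIdentityValidator.tc.isEventEnabled()) {
                        Tr.event(CollectiveIdentityValidator.tc, "SSL configuration controllerConnectionConfig is not yet ready, scheduling another attempt.", e);
                    }
                    schedule();
                } catch (SSLException e) {
                    // FFDC instrumentation residue: record the failure here, then let the
                    // generic handler below log the warning and end the retries.
                    FFDCFilter.processException(e, "com.ibm.ws.collective.member.internal.security.CollectiveIdentityValidator$ScheduledValidate", "216", this, new Object[0]);
                    throw e;
                }
            } catch (CertificateException e) {
                // Excluded from FFDC by the annotation above; the executor receives it.
                throw e;
            } catch (Exception e) {
                FFDCFilter.processException(e, "com.ibm.ws.collective.member.internal.security.CollectiveIdentityValidator$ScheduledValidate", "221", this, new Object[0]);
                if (CollectiveIdentityValidator.tc.isEventEnabled()) {
                    Tr.event(CollectiveIdentityValidator.tc, "Unexpected Exception caught while trying to validate the server identity", e);
                }
                Tr.warning(CollectiveIdentityValidator.tc, "IDENTITY_CANNOT_BE_VALIDATED", new Object[0]);
            }
            return null;
        }

        /**
         * Marks the task as cancelled and interrupts any queued retry. A run that has
         * already started checks the flag only at its beginning.
         */
        public synchronized void cancel() {
            if (CollectiveIdentityValidator.tc.isEventEnabled()) {
                Tr.event(CollectiveIdentityValidator.tc, "Canceling the currently scheduled future", new Object[0]);
            }
            this.isCanceled = true;
            if (this.scheduledFuture != null) {
                this.scheduledFuture.cancel(true);
            }
        }
    }

    @Reference(service = ServerInfoMBean.class)
    protected void setServerIdentityMBean(ServerInfoMBean serverInfoMBean) {
        this.serverIdentity = serverInfoMBean;
    }

    protected void unsetServerIdentityMBean(ServerInfoMBean serverInfoMBean) {
        if (this.serverIdentity == serverInfoMBean) {
            this.serverIdentity = null;
        }
    }

    /**
     * Declares a dependency on the {@link #SSL_CONFIG_ID} configuration so that this
     * component is only activated once it exists; the reference itself is not used.
     */
    @Reference(service = SSLConfiguration.class, target = "(id=controllerConnectionConfig)")
    protected void setSSLConfiguration(ServiceReference<SSLConfiguration> serviceReference) {
    }

    protected void unsetSSLConfiguration(ServiceReference<SSLConfiguration> serviceReference) {
    }

    @Reference(name = KEY_KEYSTORE_SERVICE_REF, service = KeyStoreService.class)
    protected void setKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        this.keyStoreServiceRef.setReference(serviceReference);
    }

    protected void unsetKeyStoreService(ServiceReference<KeyStoreService> serviceReference) {
        this.keyStoreServiceRef.unsetReference(serviceReference);
    }

    @Reference(name = KEY_SSL_SUPPORT_REF, service = SSLSupport.class)
    protected void setSSLSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.setReference(serviceReference);
    }

    protected void unsetSSLSupport(ServiceReference<SSLSupport> serviceReference) {
        this.sslSupportRef.unsetReference(serviceReference);
    }

    @Reference(name = KEY_EXECUTOR_SERVICE_REF, service = ScheduledExecutorService.class)
    protected void setExecutorService(ServiceReference<ScheduledExecutorService> serviceReference) {
        this.executorServiceRef.setReference(serviceReference);
    }

    protected void unsetExecutorService(ServiceReference<ScheduledExecutorService> serviceReference) {
        this.executorServiceRef.unsetReference(serviceReference);
    }

    @Reference(name = KEY_COLLECTIVE_CERT_CONFIG_SERVICE_REF, service = CollectiveCertificateConfig.class)
    protected void setCollectiveCertificateConfig(ServiceReference<CollectiveCertificateConfig> serviceReference) {
        this.collectiveCertConfigServiceRef.setReference(serviceReference);
    }

    protected void unsetCollectiveCertificateConfig(ServiceReference<CollectiveCertificateConfig> serviceReference) {
        this.collectiveCertConfigServiceRef.unsetReference(serviceReference);
    }

    /**
     * Activates the service references and submits the first validation attempt.
     *
     * @param componentContext the DS component context
     */
    @Activate
    protected void activate(ComponentContext componentContext) {
        this.keyStoreServiceRef.activate(componentContext);
        this.sslSupportRef.activate(componentContext);
        this.executorServiceRef.activate(componentContext);
        this.collectiveCertConfigServiceRef.activate(componentContext);
        this.scheduledValidate = new ScheduledValidate();
        ScheduledExecutorService executor = getScheduledExecutorServiceService();
        // The executor is only null when the framework is already stopping; skip the
        // check rather than fail activation in that case.
        if (executor != null) {
            executor.submit(this.scheduledValidate);
        }
    }

    /**
     * Cancels any pending validation and deactivates the service references.
     *
     * @param componentContext the DS component context
     */
    @Deactivate
    protected void deactivate(ComponentContext componentContext) {
        if (this.scheduledValidate != null) {
            this.scheduledValidate.cancel();
        }
        this.keyStoreServiceRef.deactivate(componentContext);
        this.sslSupportRef.deactivate(componentContext);
        this.executorServiceRef.deactivate(componentContext);
        this.collectiveCertConfigServiceRef.deactivate(componentContext);
    }

    /**
     * Compares the host name, user directory and server name encoded in the identity
     * certificate's subject DN with the values of the running server and logs an
     * error for each value that differs.
     *
     * <p>Mismatches are reported, not enforced: the method returns normally after
     * logging. When the Docker environment file names a container, the server name is
     * compared in its {@code name<delimiter>container} form. Nothing is checked while
     * the framework is stopping, or when the certificate is the collective CA.
     *
     * @throws KeyStoreException    if the identity keystore cannot be read
     * @throws CertificateException if the identity certificate cannot be loaded
     * @throws InvalidNameException if the subject DN or the collective RDN is not a valid LDAP name
     * @throws IllegalStateException if the {@link ServerInfoMBean} or the collective
     *                               certificate configuration service is not bound
     */
    public void validateServerIdentity() throws KeyStoreException, CertificateException, InvalidNameException {
        // Read the unmanaged reference once so an unset() on another thread cannot
        // null it between the check and the uses below.
        ServerInfoMBean serverInfo = this.serverIdentity;
        if (serverInfo == null) {
            throw new IllegalStateException("The ServerInfoMBean service is not available - it was likely accessed after it was deactivated.");
        }
        KeyStoreService keyStoreService = getKeyStoreServiceService();
        if (keyStoreService == null) {
            // Null only while the framework is stopping (see getKeyStoreServiceService);
            // there is no point validating an identity on the way down.
            return;
        }
        X509Certificate identityCert = (X509Certificate) keyStoreService.getCertificateFromKeyStore(SERVER_IDENTITY_KEYSTORE_NAME, SERVER_IDENTITY_KEY_ALIAS);
        // getSubjectDN() is a legacy API; getSubjectX500Principal().getName() returns the
        // DN in a different string form, which CollectiveDNUtil may not expect, so the
        // original call is kept.
        String subjectDN = identityCert.getSubjectDN().getName();
        if (isCACertificate(subjectDN)) {
            return;
        }

        String certHostName = CollectiveDNUtil.getHostName(subjectDN);
        String certUserDir = RepositoryPathUtility.decodeURLEncodedDir(CollectiveDNUtil.getURLEncodedUserDir(subjectDN));
        String certServerName = CollectiveDNUtil.getServerName(subjectDN);

        String currentHostName = serverInfo.getDefaultHostname();
        // Round-trip through the URL encoding so both sides are normalized the same way.
        String currentUserDir = RepositoryPathUtility.decodeURLEncodedDir(RepositoryPathUtility.getURLEncodedPath(serverInfo.getUserDirectory()));
        String currentServerName = serverInfo.getName();

        String containerName = loadDockerEnvironment().getProperty(DockerEnvironmentUtil.DOCKER_CONTAINER_NAME);
        if (containerName != null) {
            // NOTE(review): the decompiler resolved this separator to a CXF constant with
            // the same value; the original source presumably used a literal or a
            // DockerEnvironmentUtil constant - confirm before replacing it.
            currentServerName = currentServerName + PropertiesExpandingStreamReader.DELIMITER + containerName;
        }

        if (!certHostName.equals(currentHostName)) {
            Tr.error(tc, "IDENTITY_HOSTNAME_HAS_CHANGED_SINCE_IDENTITY_CREATED", certHostName, currentHostName);
        }
        if (!certUserDir.equals(currentUserDir)) {
            Tr.error(tc, "IDENTITY_USERDIR_HAS_CHANGED_SINCE_IDENTITY_CREATED", certUserDir, currentUserDir);
        }
        if (!certServerName.equals(currentServerName)) {
            Tr.error(tc, "IDENTITY_SERVERNAME_HAS_CHANGED_SINCE_IDENTITY_CREATED", certServerName, currentServerName);
        }
    }

    /**
     * Loads {@link #DOCKER_ENV_PROPERTIES_PATH}.
     *
     * <p>A missing or unreadable file is a normal condition outside Docker and is only
     * traced at debug level.
     *
     * @return the properties read, or an empty {@link Properties} if the file could not be loaded
     */
    @FFDCIgnore({FileNotFoundException.class, IOException.class})
    private static Properties loadDockerEnvironment() {
        Properties properties = new Properties();
        try (FileInputStream in = new FileInputStream(DOCKER_ENV_PROPERTIES_PATH)) {
            properties.load(in);
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(DockerEnvironmentUtil.class, tc, "Loaded Docker env.properties", new Object[0]);
            }
        } catch (FileNotFoundException e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(DockerEnvironmentUtil.class, tc, "Docker env.properties not found", new Object[0]);
            }
        } catch (IOException e) {
            if (TraceComponent.isAnyTracingEnabled() && tc.isDebugEnabled()) {
                Tr.debug(DockerEnvironmentUtil.class, tc, "Docker env.properties failed to open: " + e.getMessage(), new Object[0]);
            }
        }
        return properties;
    }

    /**
     * Tells whether a certificate subject is the collective CA rather than a member
     * identity, by looking for the collective's configured RDN among the subject's RDNs.
     *
     * @param subjectDN the certificate subject as a string DN
     * @return {@code true} if the DN contains the collective RDN
     * @throws InvalidNameException  if either DN fails to parse
     * @throws IllegalStateException if the certificate configuration service is not bound
     */
    private boolean isCACertificate(String subjectDN) throws InvalidNameException {
        CollectiveCertificateConfig certConfig = this.collectiveCertConfigServiceRef.getService();
        if (certConfig == null) {
            throw new IllegalStateException("The CollectiveCertificateConfig service is not available - it was likely accessed after it was deactivated.");
        }
        Rdn collectiveRdn = new Rdn(certConfig.getRDN());
        return new LdapName(subjectDN).getRdns().contains(collectiveRdn);
    }

    /**
     * Returns the shared scheduled executor.
     *
     * @return the executor, or {@code null} only while the framework is stopping
     * @throws IllegalStateException if the service is unbound while the framework is running
     */
    @Trivial
    public ScheduledExecutorService getScheduledExecutorServiceService() {
        return requireService(this.executorServiceRef, "ScheduledExecutorService", "ScheduledExecutorService");
    }

    /**
     * Returns the SSL support service.
     *
     * @return the service, or {@code null} only while the framework is stopping
     * @throws IllegalStateException if the service is unbound while the framework is running
     */
    @Trivial
    public SSLSupport getSSLSupportService() {
        return requireService(this.sslSupportRef, "SSLSupportService", "SSLSupport");
    }

    /**
     * Returns the keystore service.
     *
     * @return the service, or {@code null} only while the framework is stopping
     * @throws IllegalStateException if the service is unbound while the framework is running
     */
    @Trivial
    private KeyStoreService getKeyStoreServiceService() {
        return requireService(this.keyStoreServiceRef, "KeyStoreService", "KeyStoreService");
    }

    /**
     * Shared lookup for the three service getters above.
     *
     * <p>An unbound service is tolerated while the framework is stopping, because
     * references are torn down in an unspecified order; at any other time it is a
     * programming error.
     *
     * @param ref         the reference to resolve
     * @param traceName   name used in the debug trace messages
     * @param serviceName name used in the exception message
     * @return the service, or {@code null} only while the framework is stopping
     * @throws IllegalStateException if the service is unbound while the framework is running
     */
    @Trivial
    private static <T> T requireService(AtomicServiceReference<T> ref, String traceName, String serviceName) {
        T service = ref.getService();
        if (service == null) {
            if (!FrameworkState.isStopping()) {
                if (tc.isDebugEnabled()) {
                    Tr.debug(tc, traceName + " is null and Framework is not in the process of stopping or already stopped", new Object[0]);
                }
                throw new IllegalStateException("The " + serviceName + " service is not available - it was likely accessed after it was deactivated.");
            }
            if (tc.isDebugEnabled()) {
                Tr.debug(tc, "Ignore that " + traceName + " is null because Framework is in the process of stopping or already stopped", new Object[0]);
            }
        }
        return service;
    }
}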
