package org.logstash.secret.store.backend;

import java.io.DataOutputStream;
import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.nio.ByteBuffer;
import java.nio.CharBuffer;
import java.nio.channels.FileLock;
import java.nio.channels.SeekableByteChannel;
import java.nio.charset.CharsetEncoder;
import java.nio.charset.StandardCharsets;
import java.nio.file.AccessDeniedException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.NoSuchFileException;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardOpenOption;
import java.nio.file.attribute.FileAttribute;
import java.nio.file.attribute.PosixFileAttributeView;
import java.nio.file.attribute.PosixFilePermissions;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Collection;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.Random;
import java.util.concurrent.locks.Lock;
import java.util.concurrent.locks.ReentrantReadWriteLock;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.PBEKeySpec;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.logstash.secret.SecretIdentifier;
import org.logstash.secret.store.SecretStore;
import org.logstash.secret.store.SecretStoreException;
import org.logstash.secret.store.SecretStoreFactory;
import org.logstash.secret.store.SecretStoreUtil;
import org.logstash.secret.store.SecureConfig;

/* loaded from: input_file:org/logstash/secret/store/backend/JavaKeyStore.class */
public final class JavaKeyStore implements SecretStore {
    private static final String KEYSTORE_TYPE = "pkcs12";
    private static final String PATH_KEY = "keystore.file";
    private KeyStore keyStore;
    private char[] keyStorePass;
    private Path keyStorePath;
    private KeyStore.ProtectionParameter protectionParameter;
    private Lock readLock;
    private Lock writeLock;
    private static final Logger LOGGER = LogManager.getLogger(JavaKeyStore.class);
    static String filePermissions = "rw-r--r--";
    private static final boolean IS_WINDOWS = System.getProperty("os.name").startsWith("Windows");
    private final CharsetEncoder asciiEncoder = StandardCharsets.US_ASCII.newEncoder();
    private boolean useDefaultPass = false;

    @Override // org.logstash.secret.store.SecretStore
    public JavaKeyStore create(SecureConfig secureConfig) {
        try {
            if (exists(secureConfig)) {
                throw new SecretStoreException.AlreadyExistsException(String.format("Logstash keystore at %s already exists.", new String(secureConfig.getPlainText(PATH_KEY))));
            }
            try {
                try {
                    init(secureConfig);
                    this.writeLock.lock();
                    LOGGER.debug("Creating new keystore at {}.", this.keyStorePath.toAbsolutePath());
                    String str = filePermissions;
                    Files.createFile(this.keyStorePath, new FileAttribute[0]);
                    try {
                        this.keyStore = KeyStore.Builder.newInstance(KEYSTORE_TYPE, null, this.protectionParameter).getKeyStore();
                        this.keyStore.setEntry(SecretStoreFactory.LOGSTASH_MARKER.toExternalForm(), new KeyStore.SecretKeyEntry(SecretKeyFactory.getInstance("PBE").generateSecret(new PBEKeySpec(SecretStoreUtil.asciiBytesToChar(SecretStoreUtil.base64Encode(SecretStoreFactory.LOGSTASH_MARKER.getKey().getBytes(StandardCharsets.UTF_8)))))), this.protectionParameter);
                        saveKeyStore();
                        PosixFileAttributeView posixFileAttributeView = (PosixFileAttributeView) Files.getFileAttributeView(this.keyStorePath, PosixFileAttributeView.class, new LinkOption[0]);
                        if (posixFileAttributeView != null) {
                            posixFileAttributeView.setPermissions(PosixFilePermissions.fromString(str));
                        }
                        LOGGER.info("Created Logstash keystore at {}", this.keyStorePath.toAbsolutePath());
                        releaseLock(this.writeLock);
                        secureConfig.clearValues();
                        return this;
                    } catch (Exception e) {
                        throw new SecretStoreException.CreateException("Failed to create Logstash keystore.", e);
                    }
                } catch (AccessDeniedException | NoSuchFileException e2) {
                    throw new SecretStoreException.CreateException("Error while trying to create the Logstash keystore. Please ensure that path to " + this.keyStorePath.toAbsolutePath() + " exists and is writable", e2);
                }
            } catch (SecretStoreException e3) {
                throw e3;
            } catch (Exception e4) {
                throw new SecretStoreException.UnknownException("Error while trying to create the Logstash keystore. ", e4);
            }
        } catch (Throwable th) {
            releaseLock(this.writeLock);
            secureConfig.clearValues();
            throw th;
        }
    }

    @Override // org.logstash.secret.store.SecretStore
    public void delete(SecureConfig secureConfig) {
        try {
            try {
                initLocks();
                this.writeLock.lock();
                if (exists(secureConfig)) {
                    Files.delete(Paths.get(new String(secureConfig.getPlainText(PATH_KEY)), new String[0]));
                }
            } catch (SecretStoreException e) {
                throw e;
            } catch (Exception e2) {
                throw new SecretStoreException.UnknownException("Error while trying to delete the Logstash keystore", e2);
            }
        } finally {
            releaseLock(this.writeLock);
            secureConfig.clearValues();
        }
    }

    @Override // org.logstash.secret.store.SecretStore
    public boolean exists(SecureConfig secureConfig) {
        char[] plainText = secureConfig.getPlainText(PATH_KEY);
        if (valid(plainText)) {
            return new File(new String(plainText)).exists();
        }
        LOGGER.warn("keystore.file configuration is not defined");
        return false;
    }

    protected void finalize() throws Throwable {
        SecretStoreUtil.clearChars(this.keyStorePass);
    }

    private char[] getKeyStorePassword(SecureConfig secureConfig) throws IOException {
        char[] plainText = secureConfig.getPlainText(SecretStoreFactory.KEYSTORE_ACCESS_KEY);
        boolean exists = exists(secureConfig);
        if (secureConfig.has(SecretStoreFactory.KEYSTORE_ACCESS_KEY) && (plainText == null || plainText.length == 0)) {
            String format = String.format("Empty keystore passwords are not allowed. Please ensure configured password is not empty for Logstash keystore %s.", this.keyStorePath.toAbsolutePath());
            if (exists) {
                throw new SecretStoreException.AccessException(format);
            }
            throw new SecretStoreException.CreateException(format);
        }
        this.useDefaultPass = !secureConfig.has(SecretStoreFactory.KEYSTORE_ACCESS_KEY);
        if (!this.useDefaultPass) {
            return this.asciiEncoder.canEncode(CharBuffer.wrap(plainText)) ? plainText : SecretStoreUtil.base64Encode(plainText);
        }
        if (!exists) {
            byte[] bArr = new byte[32];
            new Random().nextBytes(bArr);
            return SecretStoreUtil.base64EncodeToChars(bArr);
        }
        SeekableByteChannel newByteChannel = Files.newByteChannel(this.keyStorePath, StandardOpenOption.READ);
        if (newByteChannel.size() > 1) {
            newByteChannel.position(newByteChannel.size() - 1);
            ByteBuffer allocate = ByteBuffer.allocate(1);
            newByteChannel.read(allocate);
            int i = allocate.array()[0] & 255;
            if (i > 0 && newByteChannel.size() >= i + 1) {
                ByteBuffer allocate2 = ByteBuffer.allocate(i);
                newByteChannel.position((newByteChannel.size() - i) - 1);
                newByteChannel.read(allocate2);
                return SecretStoreUtil.deObfuscate(SecretStoreUtil.asciiBytesToChar(allocate2.array()));
            }
        }
        throw new SecretStoreException.AccessException(String.format("Could not determine keystore password. Please ensure the file at %s is a valid Logstash keystore", this.keyStorePath.toAbsolutePath()));
    }

    private void init(SecureConfig secureConfig) throws IOException, KeyStoreException {
        char[] plainText = secureConfig.getPlainText(PATH_KEY);
        if (!valid(plainText)) {
            throw new IllegalArgumentException("Logstash keystore path must be defined");
        }
        this.keyStorePath = Paths.get(new String(plainText), new String[0]);
        this.keyStorePass = getKeyStorePassword(secureConfig);
        this.keyStore = KeyStore.getInstance(KEYSTORE_TYPE);
        this.protectionParameter = new KeyStore.PasswordProtection(this.keyStorePass);
        initLocks();
    }

    private void initLocks() {
        ReentrantReadWriteLock reentrantReadWriteLock = new ReentrantReadWriteLock();
        this.readLock = reentrantReadWriteLock.readLock();
        this.writeLock = reentrantReadWriteLock.writeLock();
    }

    @Override // org.logstash.secret.store.SecretStore
    public Collection<SecretIdentifier> list() {
        HashSet hashSet = new HashSet();
        try {
            try {
                this.readLock.lock();
                loadKeyStore();
                Enumeration<String> aliases = this.keyStore.aliases();
                while (aliases.hasMoreElements()) {
                    hashSet.add(SecretIdentifier.fromExternalForm(aliases.nextElement()));
                }
                return hashSet;
            } catch (Exception e) {
                throw new SecretStoreException.ListException(e);
            }
        } finally {
            releaseLock(this.readLock);
        }
    }

    @Override // org.logstash.secret.store.SecretStore
    public JavaKeyStore load(SecureConfig secureConfig) {
        try {
            if (!exists(secureConfig)) {
                Object[] objArr = new Object[1];
                objArr[0] = secureConfig.getPlainText(PATH_KEY) == null ? "<undefined>" : new String(secureConfig.getPlainText(PATH_KEY));
                throw new SecretStoreException.LoadException(String.format("Can not find Logstash keystore at %s. Please verify this file exists and is a valid Logstash keystore.", objArr));
            }
            try {
                try {
                    init(secureConfig);
                    this.readLock.lock();
                    InputStream newInputStream = Files.newInputStream(this.keyStorePath, new OpenOption[0]);
                    try {
                        try {
                            this.keyStore.load(newInputStream, this.keyStorePass);
                            if (retrieveSecret(SecretStoreFactory.LOGSTASH_MARKER) == null) {
                                throw new SecretStoreException.LoadException(String.format("Found a keystore at %s, but it is not a Logstash keystore.", this.keyStorePath.toAbsolutePath().toString()));
                            }
                            LOGGER.debug("Using existing keystore at {}", this.keyStorePath.toAbsolutePath());
                            if (newInputStream != null) {
                                newInputStream.close();
                            }
                            return this;
                        } catch (Throwable th) {
                            if (newInputStream != null) {
                                try {
                                    newInputStream.close();
                                } catch (Throwable th2) {
                                    th.addSuppressed(th2);
                                }
                            }
                            throw th;
                        }
                    } catch (IOException e) {
                        if (e.getCause() instanceof UnrecoverableKeyException) {
                            throw new SecretStoreException.AccessException(String.format("Can not access Logstash keystore at %s. Please verify correct file permissions and keystore password.", this.keyStorePath.toAbsolutePath()), e);
                        }
                        throw new SecretStoreException.LoadException(String.format("Found a file at %s, but it is not a valid Logstash keystore.", this.keyStorePath.toAbsolutePath().toString()), e);
                    }
                } catch (Exception e2) {
                    throw new SecretStoreException.UnknownException("Error while trying to load the Logstash keystore", e2);
                }
            } catch (SecretStoreException e3) {
                throw e3;
            }
        } finally {
            releaseLock(this.readLock);
            secureConfig.clearValues();
        }
    }

    private void loadKeyStore() throws CertificateException, NoSuchAlgorithmException, IOException {
        InputStream newInputStream = Files.newInputStream(this.keyStorePath, new OpenOption[0]);
        try {
            this.keyStore.load(newInputStream, this.keyStorePass);
            if (newInputStream != null) {
                newInputStream.close();
            }
        } catch (Throwable th) {
            if (newInputStream != null) {
                try {
                    newInputStream.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    @Override // org.logstash.secret.store.SecretStore
    public void persistSecret(SecretIdentifier secretIdentifier, byte[] bArr) {
        try {
            try {
                this.writeLock.lock();
                loadKeyStore();
                SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBE");
                PBEKeySpec pBEKeySpec = new PBEKeySpec(SecretStoreUtil.asciiBytesToChar(SecretStoreUtil.base64Encode(bArr)));
                this.keyStore.setEntry(secretIdentifier.toExternalForm(), new KeyStore.SecretKeyEntry(secretKeyFactory.generateSecret(pBEKeySpec)), this.protectionParameter);
                try {
                    saveKeyStore();
                    pBEKeySpec.clearPassword();
                    SecretStoreUtil.clearBytes(bArr);
                    LOGGER.debug("persisted secret {}", secretIdentifier.toExternalForm());
                    releaseLock(this.writeLock);
                } catch (Throwable th) {
                    pBEKeySpec.clearPassword();
                    SecretStoreUtil.clearBytes(bArr);
                    throw th;
                }
            } catch (Exception e) {
                throw new SecretStoreException.PersistException(secretIdentifier, e);
            }
        } catch (Throwable th2) {
            releaseLock(this.writeLock);
            throw th2;
        }
    }

    @Override // org.logstash.secret.store.SecretStore
    public void purgeSecret(SecretIdentifier secretIdentifier) {
        try {
            try {
                this.writeLock.lock();
                loadKeyStore();
                this.keyStore.deleteEntry(secretIdentifier.toExternalForm());
                saveKeyStore();
                LOGGER.debug("purged secret {}", secretIdentifier.toExternalForm());
                releaseLock(this.writeLock);
            } catch (Exception e) {
                throw new SecretStoreException.PurgeException(secretIdentifier, e);
            }
        } catch (Throwable th) {
            releaseLock(this.writeLock);
            throw th;
        }
    }

    private void releaseLock(Lock lock) {
        if (lock != null) {
            lock.unlock();
        }
    }

    @Override // org.logstash.secret.store.SecretStore
    public byte[] retrieveSecret(SecretIdentifier secretIdentifier) {
        if (secretIdentifier == null || secretIdentifier.getKey() == null) {
            return null;
        }
        try {
            if (secretIdentifier.getKey().isEmpty()) {
                return null;
            }
            try {
                this.readLock.lock();
                loadKeyStore();
                SecretKeyFactory secretKeyFactory = SecretKeyFactory.getInstance("PBE");
                KeyStore.SecretKeyEntry secretKeyEntry = (KeyStore.SecretKeyEntry) this.keyStore.getEntry(secretIdentifier.toExternalForm(), this.protectionParameter);
                if (secretKeyEntry == null) {
                    LOGGER.debug("requested secret {} not found", secretIdentifier.toExternalForm());
                    releaseLock(this.readLock);
                    return null;
                }
                PBEKeySpec pBEKeySpec = (PBEKeySpec) secretKeyFactory.getKeySpec(secretKeyEntry.getSecretKey(), PBEKeySpec.class);
                byte[] base64Decode = SecretStoreUtil.base64Decode(pBEKeySpec.getPassword());
                pBEKeySpec.clearPassword();
                LOGGER.debug("retrieved secret {}", secretIdentifier.toExternalForm());
                releaseLock(this.readLock);
                return base64Decode;
            } catch (Exception e) {
                throw new SecretStoreException.RetrievalException(secretIdentifier, e);
            }
        } catch (Throwable th) {
            releaseLock(this.readLock);
            throw th;
        }
    }

    private void saveKeyStore() throws IOException, CertificateException, NoSuchAlgorithmException, KeyStoreException {
        FileLock fileLock = null;
        try {
            FileOutputStream fileOutputStream = new FileOutputStream(this.keyStorePath.toFile(), true);
            try {
                if (!IS_WINDOWS) {
                    fileLock = fileOutputStream.getChannel().tryLock();
                    if (fileLock == null) {
                        throw new IllegalStateException("Can not save Logstash keystore. Some other process has locked on the file: " + this.keyStorePath.toAbsolutePath());
                    }
                }
                OutputStream newOutputStream = Files.newOutputStream(this.keyStorePath, StandardOpenOption.WRITE);
                try {
                    this.keyStore.store(newOutputStream, this.keyStorePass);
                    if (newOutputStream != null) {
                        newOutputStream.close();
                    }
                    if (this.useDefaultPass) {
                        byte[] asciiCharToBytes = SecretStoreUtil.asciiCharToBytes(SecretStoreUtil.obfuscate((char[]) this.keyStorePass.clone()));
                        DataOutputStream dataOutputStream = new DataOutputStream(fileOutputStream);
                        fileOutputStream.write(asciiCharToBytes);
                        dataOutputStream.write(asciiCharToBytes.length);
                    }
                    fileOutputStream.close();
                    if (fileLock == null || !fileLock.isValid()) {
                        return;
                    }
                    fileLock.release();
                } catch (Throwable th) {
                    if (newOutputStream != null) {
                        try {
                            newOutputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Throwable th3) {
            if (0 != 0 && fileLock.isValid()) {
                fileLock.release();
            }
            throw th3;
        }
    }

    private boolean valid(char[] cArr) {
        return (cArr == null || cArr.length == 0) ? false : true;
    }
}
