package org.apache.hadoop.gateway.services.security.impl;

import java.security.cert.Certificate;
import java.security.cert.CertificateExpiredException;
import java.security.cert.CertificateNotYetValidException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import org.apache.hadoop.gateway.GatewayMessages;
import org.apache.hadoop.gateway.config.GatewayConfig;
import org.apache.hadoop.gateway.i18n.messages.MessagesFactory;
import org.apache.hadoop.gateway.services.ServiceLifecycleException;
import org.apache.hadoop.gateway.services.security.AliasService;
import org.apache.hadoop.gateway.services.security.KeystoreService;
import org.apache.hadoop.gateway.services.security.KeystoreServiceException;
import org.apache.hadoop.gateway.services.security.MasterService;
import org.apache.hadoop.gateway.services.security.SSLService;
import org.apache.hadoop.gateway.util.X500PrincipalParser;
import org.eclipse.jetty.server.ssl.SslSelectChannelConnector;
import org.eclipse.jetty.util.ssl.SslContextFactory;

/* loaded from: input_file:org/apache/hadoop/gateway/services/security/impl/JettySSLService.class */
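/**
 * Builds the gateway's TLS listener on top of Jetty's {@link SslContextFactory}.
 *
 * <p>On {@link #init} the service makes sure the gateway credential store and identity
 * keystore exist (creating them, plus a self-signed identity certificate, when they do
 * not), validates the identity certificate and caches the TLS-related settings from
 * {@link GatewayConfig}. {@link #buildSSlConnector} then turns those settings into a
 * {@link SslSelectChannelConnector}.
 *
 * <p>Not thread-safe: the setters and {@link #init} are expected to run before any
 * call to {@link #buildSSlConnector}.
 */
public class JettySSLService implements SSLService {
    private static final String GATEWAY_IDENTITY_PASSPHRASE = "gateway-identity-passphrase";
    private static final String GATEWAY_TRUSTSTORE_PASSWORD = "gateway-truststore-password";
    private static final String GATEWAY_CREDENTIAL_STORE_NAME = "__gateway";
    /** Keystore alias of the gateway's own identity key and certificate. */
    private static final String GATEWAY_IDENTITY_ALIAS = "gateway-identity";
    /** Single message used for every keystore-loading failure during {@link #init}. */
    private static final String KEYSTORE_LOAD_FAILURE =
            "Keystore was not loaded properly - the provided (or persisted) master secret may not match the password for the keystore.";
    private static final GatewayMessages log = (GatewayMessages) MessagesFactory.get(GatewayMessages.class);
    private MasterService ms;
    private KeystoreService ks;
    private AliasService as;
    /** Protocols to exclude from the connector; {@code null} means "leave Jetty's defaults". */
    private List<String> sslExcludeProtocols = null;
    private boolean clientAuthNeeded;
    private boolean trustAllCerts;
    private String truststorePath;
    private String keystoreType;
    private String trustStoreType;

    /** Injects the service that supplies the master secret used as keystore password. */
    public void setMasterService(MasterService masterService) {
        this.ms = masterService;
    }

    /** Injects the service that resolves alias passwords and the identity certificate. */
    public void setAliasService(AliasService aliasService) {
        this.as = aliasService;
    }

    /** Injects the service that owns the gateway keystore and credential store. */
    public void setKeystoreService(KeystoreService keystoreService) {
        this.ks = keystoreService;
    }

    /**
     * Provisions the credential store and identity keystore if missing, validates the
     * identity certificate and caches the TLS settings from {@code gatewayConfig}.
     *
     * @param gatewayConfig source of keystore/truststore types, excluded protocols,
     *                      client-auth and trust-all flags
     * @param map           unused; kept for the {@link SSLService} contract
     * @throws ServiceLifecycleException if the keystore cannot be loaded (typically a
     *                                   master-secret mismatch) or the identity
     *                                   certificate is missing, of the wrong type or
     *                                   outside its validity period
     */
    public void init(GatewayConfig gatewayConfig, Map<String, String> map) throws ServiceLifecycleException {
        // The original code wrapped both provisioning steps in separate try blocks that
        // mapped KeystoreServiceException to the same message; one handler suffices.
        try {
            ensureCredentialStore();
            ensureIdentityKeystore();
            logAndValidateCertificate();
        } catch (KeystoreServiceException e) {
            throw new ServiceLifecycleException(KEYSTORE_LOAD_FAILURE, e);
        }
        // Only reached when provisioning and validation succeeded, as in the original ordering.
        this.keystoreType = gatewayConfig.getKeystoreType();
        this.sslExcludeProtocols = gatewayConfig.getExcludedSSLProtocols();
        this.clientAuthNeeded = gatewayConfig.isClientAuthNeeded();
        this.truststorePath = gatewayConfig.getTruststorePath();
        this.trustAllCerts = gatewayConfig.getTrustAllCerts();
        this.trustStoreType = gatewayConfig.getTruststoreType();
    }

    /** Creates the gateway credential store and its identity-passphrase alias if absent. */
    private void ensureCredentialStore() throws KeystoreServiceException {
        if (this.ks.isCredentialStoreForClusterAvailable(GATEWAY_CREDENTIAL_STORE_NAME)) {
            log.credentialStoreForGatewayFoundNotCreating();
            return;
        }
        log.creatingCredentialStoreForGateway();
        this.ks.createCredentialStoreForCluster(GATEWAY_CREDENTIAL_STORE_NAME);
        this.as.generateAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE);
    }

    /** Creates the gateway keystore with a self-signed identity certificate if absent. */
    private void ensureIdentityKeystore() throws KeystoreServiceException {
        if (this.ks.isKeystoreForGatewayAvailable()) {
            log.keyStoreForGatewayFoundNotCreating();
            return;
        }
        log.creatingKeyStoreForGateway();
        this.ks.createKeystoreForGateway();
        // The self-signed key is protected with the passphrase generated in ensureCredentialStore().
        this.ks.addSelfSignedCertForGateway(GATEWAY_IDENTITY_ALIAS,
                this.as.getPasswordFromAliasForCluster(GATEWAY_CREDENTIAL_STORE_NAME, GATEWAY_IDENTITY_PASSPHRASE));
    }

    /**
     * Logs the identity certificate's CN and validity window and refuses to start when
     * the certificate is absent, not X.509, expired or not yet valid.
     *
     * @throws ServiceLifecycleException on any of the failure conditions above
     */
    private void logAndValidateCertificate() throws ServiceLifecycleException {
        Certificate cert = this.as.getCertificateForGateway(GATEWAY_IDENTITY_ALIAS);
        // The two messages below were swapped in the original: a null lookup means the
        // alias was not found, a non-null non-X509 result means the wrong certificate type.
        if (cert == null) {
            throw new ServiceLifecycleException("Public certificate for the gateway cannot be found with the alias gateway-identity. Please check the identity certificate alias.");
        }
        if (!(cert instanceof X509Certificate)) {
            throw new ServiceLifecycleException("Public certificate for the gateway is not of the expected type of X509Certificate. Something is wrong with the gateway keystore.");
        }
        X509Certificate x509 = (X509Certificate) cert;
        log.certificateHostNameForGateway(new X500PrincipalParser(x509.getSubjectX500Principal()).getCN());
        log.certificateValidityPeriod(x509.getNotBefore(), x509.getNotAfter());
        try {
            x509.checkValidity();
        } catch (CertificateExpiredException e) {
            throw new ServiceLifecycleException("Gateway SSL Certificate is Expired. Server will not start.", e);
        } catch (CertificateNotYetValidException e) {
            throw new ServiceLifecycleException("Gateway SSL Certificate is not yet valid. Server will not start.", e);
        }
    }

    /**
     * Builds a Jetty TLS connector for the keystore at {@code str}.
     *
     * <p>The keystore is opened with the master secret; the identity key uses the
     * {@code gateway-identity-passphrase} alias when present and the master secret
     * otherwise. With client auth enabled, a configured truststore path is used (password
     * from the {@code gateway-truststore-password} alias, master secret as fallback); with
     * no truststore path the gateway keystore itself acts as truststore.
     *
     * @param str path of the gateway keystore
     * @return a {@link SslSelectChannelConnector}, typed as {@link Object} per the
     *         {@link SSLService} contract
     */
    public Object buildSSlConnector(String str) {
        SslContextFactory factory = new SslContextFactory(true);
        factory.setCertAlias(GATEWAY_IDENTITY_ALIAS);
        factory.setKeyStoreType(this.keystoreType);
        factory.setKeyStorePath(str);
        char[] masterSecret = this.ms.getMasterSecret();
        // SslContextFactory only accepts String passwords, so the char[] secrets end up as
        // immutable Strings that cannot be wiped after use.
        factory.setKeyStorePassword(new String(masterSecret));
        char[] keyPassphrase = this.as.getPasswordFromAliasForGateway(GATEWAY_IDENTITY_PASSPHRASE);
        // No dedicated identity passphrase alias: the key is assumed to share the master secret.
        factory.setKeyManagerPassword(new String(keyPassphrase != null ? keyPassphrase : masterSecret));
        if (this.clientAuthNeeded) {
            if (this.truststorePath != null) {
                factory.setTrustStore(this.truststorePath);
                char[] trustPassword = this.as.getPasswordFromAliasForGateway(GATEWAY_TRUSTSTORE_PASSWORD);
                factory.setTrustStorePassword(new String(trustPassword != null ? trustPassword : masterSecret));
                factory.setTrustStoreType(this.trustStoreType);
            } else {
                // No separate truststore configured: client certificates are checked against
                // the gateway's own keystore.
                factory.setTrustStore(str);
                factory.setTrustStorePassword(new String(masterSecret));
                factory.setTrustStoreType(this.keystoreType);
            }
        }
        factory.setNeedClientAuth(this.clientAuthNeeded);
        // trustAll makes Jetty accept any peer certificate regardless of the truststore;
        // it is driven purely by configuration here, so the config value is the control point.
        factory.setTrustAll(this.trustAllCerts);
        if (this.sslExcludeProtocols != null) {
            // List.toArray() yields Object[]; the original cast to String[] would throw
            // ClassCastException at runtime. The typed overload returns a real String[].
            factory.setExcludeProtocols(this.sslExcludeProtocols.toArray(new String[0]));
        }
        return new SslSelectChannelConnector(factory);
    }

    /** No-op: the connector is created on demand by {@link #buildSSlConnector}. */
    public void start() throws ServiceLifecycleException {
    }

    /** No-op: this service holds no resources that need releasing. */
    public void stop() throws ServiceLifecycleException {
    }
}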
