package org.apache.nifi.ssl;

import java.io.File;
import java.net.MalformedURLException;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.List;
import java.util.Map;
import javax.net.ssl.SSLContext;
import javax.net.ssl.X509TrustManager;
import org.apache.nifi.annotation.documentation.CapabilityDescription;
import org.apache.nifi.annotation.documentation.Tags;
import org.apache.nifi.annotation.lifecycle.OnEnabled;
import org.apache.nifi.components.AllowableValue;
import org.apache.nifi.components.PropertyDescriptor;
import org.apache.nifi.components.PropertyValue;
import org.apache.nifi.components.ValidationContext;
import org.apache.nifi.components.ValidationResult;
import org.apache.nifi.components.Validator;
import org.apache.nifi.components.resource.ResourceCardinality;
import org.apache.nifi.components.resource.ResourceType;
import org.apache.nifi.context.PropertyContext;
import org.apache.nifi.controller.AbstractControllerService;
import org.apache.nifi.controller.ConfigurationContext;
import org.apache.nifi.expression.ExpressionLanguageScope;
import org.apache.nifi.processor.exception.ProcessException;
import org.apache.nifi.processor.util.StandardValidators;
import org.apache.nifi.reporting.InitializationException;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.KeystoreType;
import org.apache.nifi.security.util.SslContextFactory;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
import org.apache.nifi.security.util.TlsException;
import org.apache.nifi.security.util.TlsPlatform;
import org.apache.nifi.util.StringUtils;

@CapabilityDescription("Standard implementation of the SSLContextService. Provides the ability to configure keystore and/or truststore properties once and reuse that configuration throughout the application. This service can be used to communicate with both legacy and modern systems. If you only need to communicate with non-legacy systems, then the StandardRestrictedSSLContextService is recommended as it only allows a specific set of SSL protocols to be chosen.")
@Tags({"ssl", "secure", "certificate", "keystore", "truststore", "jks", "p12", "pkcs12", "pkcs", "tls"})
/* loaded from: input_file:org/apache/nifi/ssl/StandardSSLContextService.class */
public class StandardSSLContextService extends AbstractControllerService implements SSLContextService {
    public static final String SSL_PROTOCOL = "SSL";
    private static final List<PropertyDescriptor> properties;
    protected ConfigurationContext configContext;
    private boolean isValidated;
    private static final int VALIDATION_CACHE_EXPIRATION = 5;
    private int validationCacheCount = 0;
    public static final PropertyDescriptor TRUSTSTORE = new PropertyDescriptor.Builder().name("Truststore Filename").description("The fully-qualified filename of the Truststore").expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT).identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.FILE, new ResourceType[0]).sensitive(false).build();
    public static final PropertyDescriptor TRUSTSTORE_TYPE = new PropertyDescriptor.Builder().name("Truststore Type").description("The Type of the Truststore").allowableValues(KeystoreType.values()).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).sensitive(false).build();
    public static final PropertyDescriptor TRUSTSTORE_PASSWORD = new PropertyDescriptor.Builder().name("Truststore Password").description("The password for the Truststore").addValidator(Validator.VALID).required(false).sensitive(true).build();
    public static final PropertyDescriptor KEYSTORE = new PropertyDescriptor.Builder().name("Keystore Filename").description("The fully-qualified filename of the Keystore").expressionLanguageSupported(ExpressionLanguageScope.ENVIRONMENT).identifiesExternalResource(ResourceCardinality.SINGLE, ResourceType.FILE, new ResourceType[0]).sensitive(false).build();
    public static final PropertyDescriptor KEYSTORE_TYPE = new PropertyDescriptor.Builder().name("Keystore Type").description("The Type of the Keystore").allowableValues(KeystoreType.values()).addValidator(StandardValidators.NON_EMPTY_VALIDATOR).sensitive(false).build();
    public static final PropertyDescriptor KEYSTORE_PASSWORD = new PropertyDescriptor.Builder().name("Keystore Password").description("The password for the Keystore").addValidator(StandardValidators.NON_EMPTY_VALIDATOR).sensitive(true).build();
    static final PropertyDescriptor KEY_PASSWORD = new PropertyDescriptor.Builder().name("key-password").displayName("Key Password").description("The password for the key. If this is not specified, but the Keystore Filename, Password, and Type are specified, then the Keystore Password will be assumed to be the same as the Key Password.").addValidator(StandardValidators.NON_EMPTY_VALIDATOR).sensitive(true).required(false).build();
    public static final String TLS_PROTOCOL = "TLS";
    public static final PropertyDescriptor SSL_ALGORITHM = new PropertyDescriptor.Builder().name("SSL Protocol").displayName("TLS Protocol").defaultValue(TLS_PROTOCOL).required(false).allowableValues(getProtocolAllowableValues()).description("SSL or TLS Protocol Version for encrypted connections. Supported versions include insecure legacy options and depend on the specific version of Java used.").addValidator(StandardValidators.NON_EMPTY_VALIDATOR).sensitive(false).build();

    /* loaded from: input_file:org/apache/nifi/ssl/StandardSSLContextService$KeystoreValidationGroup.class */
    public enum KeystoreValidationGroup {
        KEYSTORE,
        TRUSTSTORE
    }

    @OnEnabled
    public void onConfigured(ConfigurationContext configurationContext) throws InitializationException {
        this.configContext = configurationContext;
        ArrayList arrayList = new ArrayList();
        Map<PropertyDescriptor, String> evaluateProperties = evaluateProperties(configurationContext);
        arrayList.addAll(validateStore(evaluateProperties, KeystoreValidationGroup.KEYSTORE));
        arrayList.addAll(validateStore(evaluateProperties, KeystoreValidationGroup.TRUSTSTORE));
        if (arrayList.isEmpty()) {
            return;
        }
        StringBuilder sb = new StringBuilder(String.valueOf(this) + " is not valid due to:");
        Iterator it = arrayList.iterator();
        while (it.hasNext()) {
            sb.append("\n").append(((ValidationResult) it.next()).toString());
        }
        throw new InitializationException(sb.toString());
    }

    public void onPropertyModified(PropertyDescriptor propertyDescriptor, String str, String str2) {
        super.onPropertyModified(propertyDescriptor, str, str2);
        resetValidationCache();
    }

    protected List<PropertyDescriptor> getSupportedPropertyDescriptors() {
        return properties;
    }

    protected Collection<ValidationResult> customValidate(ValidationContext validationContext) {
        ArrayList arrayList = new ArrayList();
        if (this.isValidated) {
            this.validationCacheCount++;
            if (this.validationCacheCount <= VALIDATION_CACHE_EXPIRATION) {
                return arrayList;
            }
            resetValidationCache();
        }
        Map<PropertyDescriptor, String> evaluateProperties = evaluateProperties(validationContext);
        arrayList.addAll(validateStore(evaluateProperties, KeystoreValidationGroup.KEYSTORE));
        arrayList.addAll(validateStore(evaluateProperties, KeystoreValidationGroup.TRUSTSTORE));
        this.isValidated = arrayList.isEmpty();
        return arrayList;
    }

    private Map<PropertyDescriptor, String> evaluateProperties(PropertyContext propertyContext) {
        HashMap hashMap = new HashMap(getSupportedPropertyDescriptors().size(), 1.0f);
        for (PropertyDescriptor propertyDescriptor : getSupportedPropertyDescriptors()) {
            PropertyValue evaluateAttributeExpressions = propertyDescriptor.isExpressionLanguageSupported() ? propertyContext.getProperty(propertyDescriptor).evaluateAttributeExpressions() : propertyContext.getProperty(propertyDescriptor);
            hashMap.put(propertyDescriptor, evaluateAttributeExpressions.isSet() ? evaluateAttributeExpressions.getValue() : null);
        }
        return hashMap;
    }

    private void resetValidationCache() {
        this.validationCacheCount = 0;
        this.isValidated = false;
    }

    protected int getValidationCacheExpiration() {
        return VALIDATION_CACHE_EXPIRATION;
    }

    public TlsConfiguration createTlsConfiguration() {
        return new StandardTlsConfiguration(getKeyStoreFile(), getKeyStorePassword(), getKeyPassword(), getKeyStoreType(), getTrustStoreFile(), getTrustStorePassword(), getTrustStoreType(), getSslAlgorithm());
    }

    public SSLContext createContext() {
        TlsConfiguration createTlsConfiguration = createTlsConfiguration();
        if (!createTlsConfiguration.isTruststorePopulated()) {
            getLogger().warn("Trust Store properties not found: using platform default Certificate Authorities");
        }
        try {
            return SslContextFactory.createSslContext(createTlsConfiguration, SslContextFactory.getTrustManagers(createTlsConfiguration));
        } catch (TlsException e) {
            getLogger().error("Unable to create SSLContext: {}", new Object[]{e.getLocalizedMessage()});
            throw new ProcessException("Unable to create SSLContext", e);
        }
    }

    public X509TrustManager createTrustManager() {
        try {
            X509TrustManager x509TrustManager = SslContextFactory.getX509TrustManager(createTlsConfiguration());
            if (x509TrustManager == null) {
                throw new ProcessException("X.509 Trust Manager not found using configured properties");
            }
            return x509TrustManager;
        } catch (TlsException e) {
            throw new ProcessException("Unable to create X.509 Trust Manager", e);
        }
    }

    public String getTrustStoreFile() {
        return this.configContext.getProperty(TRUSTSTORE).evaluateAttributeExpressions().getValue();
    }

    public String getTrustStoreType() {
        return this.configContext.getProperty(TRUSTSTORE_TYPE).getValue();
    }

    public String getTrustStorePassword() {
        PropertyValue property = this.configContext.getProperty(TRUSTSTORE_PASSWORD);
        return property.isSet() ? property.getValue() : "";
    }

    public boolean isTrustStoreConfigured() {
        return (getTrustStoreFile() == null || getTrustStoreType() == null) ? false : true;
    }

    public String getKeyStoreFile() {
        return this.configContext.getProperty(KEYSTORE).evaluateAttributeExpressions().getValue();
    }

    public String getKeyStoreType() {
        return this.configContext.getProperty(KEYSTORE_TYPE).getValue();
    }

    public String getKeyStorePassword() {
        return this.configContext.getProperty(KEYSTORE_PASSWORD).getValue();
    }

    public String getKeyPassword() {
        return this.configContext.getProperty(KEY_PASSWORD).getValue();
    }

    public boolean isKeyStoreConfigured() {
        return (getKeyStoreFile() == null || getKeyStorePassword() == null || getKeyStoreType() == null) ? false : true;
    }

    public String getSslAlgorithm() {
        return this.configContext.getProperty(SSL_ALGORITHM).getValue();
    }

    private static Collection<ValidationResult> validateStore(Map<PropertyDescriptor, String> map, KeystoreValidationGroup keystoreValidationGroup) {
        List<ValidationResult> validateKeystore = keystoreValidationGroup == KeystoreValidationGroup.KEYSTORE ? validateKeystore(map) : validateTruststore(map);
        if (keystorePropertiesEmpty(map) && truststorePropertiesEmpty(map)) {
            validateKeystore.add(new ValidationResult.Builder().valid(false).explanation("Either the keystore and/or truststore must be populated").subject("Keystore/truststore properties").build());
        }
        return validateKeystore;
    }

    private static boolean keystorePropertiesEmpty(Map<PropertyDescriptor, String> map) {
        return StringUtils.isBlank(map.get(KEYSTORE)) && StringUtils.isBlank(map.get(KEYSTORE_PASSWORD)) && StringUtils.isBlank(map.get(KEYSTORE_TYPE));
    }

    private static boolean truststorePropertiesEmpty(Map<PropertyDescriptor, String> map) {
        return StringUtils.isBlank(map.get(TRUSTSTORE)) && StringUtils.isBlank(map.get(TRUSTSTORE_PASSWORD)) && StringUtils.isBlank(map.get(TRUSTSTORE_TYPE));
    }

    private static int countNulls(Object... objArr) {
        int i = 0;
        for (Object obj : objArr) {
            if (obj == null) {
                i++;
            }
        }
        return i;
    }

    private static List<ValidationResult> validateKeystore(Map<PropertyDescriptor, String> map) {
        ArrayList arrayList = new ArrayList();
        String str = map.get(KEYSTORE);
        String str2 = map.get(KEYSTORE_PASSWORD);
        String str3 = map.get(KEY_PASSWORD);
        String str4 = map.get(KEYSTORE_TYPE);
        int countNulls = countNulls(str, str2, str4);
        if (countNulls != 3 && countNulls != 0) {
            arrayList.add(new ValidationResult.Builder().valid(false).explanation("Must set either 0 or 3 properties for Keystore").subject("Keystore Properties").build());
        } else if (countNulls == 0) {
            arrayList.addAll(validateKeystoreFile(str, str2, str3, str4));
        }
        return arrayList;
    }

    private static List<ValidationResult> validateTruststore(Map<PropertyDescriptor, String> map) {
        String str = map.get(TRUSTSTORE);
        String str2 = map.get(TRUSTSTORE_PASSWORD);
        String str3 = map.get(TRUSTSTORE_TYPE);
        ArrayList arrayList = new ArrayList();
        if (!StringUtils.isBlank(str) && !StringUtils.isBlank(str3)) {
            arrayList.addAll(validateTruststoreFile(str, str2, str3));
        } else if (!StringUtils.isBlank(str) || !StringUtils.isBlank(str3)) {
            arrayList.add(new ValidationResult.Builder().valid(false).explanation("If the truststore filename or type are set, both must be populated").subject("Truststore Properties").build());
        }
        return arrayList;
    }

    private static List<ValidationResult> validateTruststoreFile(String str, String str2, String str3) {
        ArrayList arrayList = new ArrayList();
        File file = new File(str);
        if (file.exists() && file.canRead()) {
            char[] cArr = new char[0];
            if (!StringUtils.isBlank(str2)) {
                cArr = str2.toCharArray();
            }
            try {
                if (!KeyStoreUtils.isStoreValid(file.toURI().toURL(), KeystoreType.valueOf(str3), cArr)) {
                    arrayList.add(new ValidationResult.Builder().subject("Truststore Properties").valid(false).explanation("Invalid truststore password or type specified for file " + str).build());
                }
            } catch (MalformedURLException e) {
                arrayList.add(new ValidationResult.Builder().subject("Truststore Properties").valid(false).explanation("Malformed URL from file: " + String.valueOf(e)).build());
            }
        } else {
            arrayList.add(new ValidationResult.Builder().valid(false).subject("Truststore Properties").explanation("Cannot access file " + file.getAbsolutePath()).build());
        }
        return arrayList;
    }

    private static List<ValidationResult> validateKeystoreFile(String str, String str2, String str3, String str4) {
        ArrayList arrayList = new ArrayList();
        File file = new File(str);
        if (file.exists() && file.canRead()) {
            char[] cArr = new char[0];
            if (!StringUtils.isBlank(str2)) {
                cArr = str2.toCharArray();
            }
            try {
                if (!KeyStoreUtils.isStoreValid(file.toURI().toURL(), KeystoreType.valueOf(str4), cArr)) {
                    arrayList.add(new ValidationResult.Builder().subject("Keystore Properties").valid(false).explanation("Invalid keystore password or type specified for file " + str).build());
                }
                char[] cArr2 = new char[0];
                if (StringUtils.isBlank(str3) || str3.equals(str2)) {
                    cArr2 = cArr;
                }
                if (!StringUtils.isBlank(str3)) {
                    cArr2 = str3.toCharArray();
                }
                if (!KeyStoreUtils.isKeyPasswordCorrect(file.toURI().toURL(), KeystoreType.valueOf(str4), cArr, cArr2)) {
                    arrayList.add(new ValidationResult.Builder().subject("Keystore Properties").valid(false).explanation("Invalid key password specified for file " + str).build());
                }
            } catch (MalformedURLException e) {
                arrayList.add(new ValidationResult.Builder().subject("Keystore Properties").valid(false).explanation("Malformed URL from file: " + String.valueOf(e)).build());
            }
        } else {
            arrayList.add(new ValidationResult.Builder().valid(false).subject("Keystore Properties").explanation("Cannot access file " + file.getAbsolutePath()).build());
        }
        return arrayList;
    }

    public String toString() {
        return "SSLContextService[id=" + getIdentifier() + "]";
    }

    private static AllowableValue[] getProtocolAllowableValues() {
        ArrayList arrayList = new ArrayList();
        arrayList.add(new AllowableValue(SSL_PROTOCOL, SSL_PROTOCOL, "Negotiate latest SSL or TLS protocol version based on platform supported versions"));
        arrayList.add(new AllowableValue(TLS_PROTOCOL, TLS_PROTOCOL, "Negotiate latest TLS protocol version based on platform supported versions"));
        for (String str : TlsPlatform.getSupportedProtocols()) {
            arrayList.add(new AllowableValue(str, str, String.format("Require %s protocol version", str)));
        }
        return (AllowableValue[]) arrayList.toArray(new AllowableValue[0]);
    }

    static {
        ArrayList arrayList = new ArrayList();
        arrayList.add(KEYSTORE);
        arrayList.add(KEYSTORE_PASSWORD);
        arrayList.add(KEY_PASSWORD);
        arrayList.add(KEYSTORE_TYPE);
        arrayList.add(TRUSTSTORE);
        arrayList.add(TRUSTSTORE_PASSWORD);
        arrayList.add(TRUSTSTORE_TYPE);
        arrayList.add(SSL_ALGORITHM);
        properties = Collections.unmodifiableList(arrayList);
    }
}
