package org.igniterealtime.openfire.plugins.certificatemanager;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.nio.file.FileSystems;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.util.Iterator;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.keystore.IdentityStore;
import org.jivesoftware.openfire.security.SecurityAuditManager;
import org.jivesoftware.openfire.spi.ConnectionType;
import org.jivesoftware.util.CertificateManager;
import org.jivesoftware.util.JiveGlobals;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:lib/certificatemanager-1.0.5.jar:org/igniterealtime/openfire/plugins/certificatemanager/DirectoryWatcher.class */
public class DirectoryWatcher {
    public static final String PROPERTY_WATCHED_PATH = "certificate-manager.directory-watcher.watched-path";
    public static final String PROPERTY_ENABLED = "certificate-manager.directory-watcher.enabled";
    public static final boolean PROPERTY_ENABLED_DEFAULT = true;
    public static final String PROPERTY_REPLACE = "certificate-manager.directory-watcher.replace";
    public static final boolean PROPERTY_REPLACE_DEFAULT = true;
    public static final String PROPERTY_DELETE = "certificate-manager.directory-watcher.delete";
    public static final boolean PROPERTY_DELETE_DEFAULT = false;
    public static final String PROPERTY_CHAIN_MIN_LENGTH = "certificate-manager.chain-min-length";
    public static final int PROPERTY_CHAIN_MIN_LENGTH_DEFAULT = 2;
    public static final String PROPERTY_FILE_CHANGES_GRACE_PERIOD_MS = "certificate-manager.directory-watcher.file-changes.grace-period-ms";
    public static final int PROPERTY_FILE_CHANGES_GRACE_PERIOD_MS_DEFAULT = 60000;
    public static final String PROPERTY_PRIVATEKEY_PASSPHRASE = "certificate-manager.privatekey.password";
    private WatchService watchService;
    private ExecutorService executorService;
    private static final Logger Log = LoggerFactory.getLogger(DirectoryWatcher.class);
    public static final String PROPERTY_WATCHED_PATH_DEFAULT = JiveGlobals.getHomeDirectory() + File.separator + "resources" + File.separator + "security" + File.separator + "hotdeploy" + File.separator;
    public static final String PROPERTY_PRIVATEKEY_PASSPHRASE_DEFAULT = null;

    public synchronized void start() {
        if (this.watchService != null) {
            throw new IllegalStateException("Cannot start - already started.");
        }
        if (!JiveGlobals.getBooleanProperty(PROPERTY_ENABLED, true)) {
            Log.info("The TLS hot-deploy service is disabled by configuration.");
            return;
        }
        try {
            this.watchService = FileSystems.getDefault().newWatchService();
            Path path = Paths.get(JiveGlobals.getProperty(PROPERTY_WATCHED_PATH, PROPERTY_WATCHED_PATH_DEFAULT), new String[0]);
            if (!path.toFile().exists() && !path.toFile().mkdirs()) {
                Log.warn("Unable to create path used for hot-deployment of certificates: {}", path);
            }
            path.register(this.watchService, StandardWatchEventKinds.ENTRY_MODIFY, StandardWatchEventKinds.ENTRY_CREATE);
            Log.info("Watching '{}' for updates for installed certificate chains and private keys.", path);
        } catch (IOException e) {
            Log.error("Unable to start watching path for certificate changes.", e);
        }
        this.executorService = Executors.newSingleThreadScheduledExecutor();
        this.executorService.submit(new Runnable() { // from class: org.igniterealtime.openfire.plugins.certificatemanager.DirectoryWatcher.1
            @Override // java.lang.Runnable
            public void run() {
                Path path2 = null;
                long j = 0;
                Path path3 = null;
                long j2 = 0;
                while (!DirectoryWatcher.this.executorService.isShutdown()) {
                    try {
                        WatchKey poll = DirectoryWatcher.this.watchService.poll(5L, TimeUnit.SECONDS);
                        if (poll != null) {
                            long longProperty = JiveGlobals.getLongProperty(DirectoryWatcher.PROPERTY_FILE_CHANGES_GRACE_PERIOD_MS, 60000L);
                            String property = JiveGlobals.getProperty(DirectoryWatcher.PROPERTY_PRIVATEKEY_PASSPHRASE, DirectoryWatcher.PROPERTY_PRIVATEKEY_PASSPHRASE_DEFAULT);
                            Iterator<WatchEvent<?>> it = poll.pollEvents().iterator();
                            while (true) {
                                if (!it.hasNext()) {
                                    break;
                                }
                                WatchEvent<?> next = it.next();
                                if (next.kind() != StandardWatchEventKinds.OVERFLOW) {
                                    Path resolve = ((Path) poll.watchable()).resolve((Path) next.context());
                                    DirectoryWatcher.Log.trace("Change detected in file {}", resolve);
                                    File file = resolve.toFile();
                                    if (DirectoryWatcher.isCertificateChain(file)) {
                                        DirectoryWatcher.Log.info("Found a certificate chain file in the hot-deploy directory: {}", file);
                                        j = System.currentTimeMillis();
                                        path2 = resolve;
                                    }
                                    if (DirectoryWatcher.isPrivateKey(file, property)) {
                                        DirectoryWatcher.Log.info("Found a private key file in the hot-deploy directory: {}", file);
                                        j2 = System.currentTimeMillis();
                                        path3 = resolve;
                                    }
                                    if (j > 0 && Math.abs(j - j2) < longProperty) {
                                        j = 0;
                                        j2 = 0;
                                        DirectoryWatcher.Log.info("Files containing both a private key ({}) as well as a certificate chain ({}) were recently added to the hot-deploy directory. Attempting to install them...", path3, path2);
                                        IdentityStore identityStore = XMPPServer.getInstance().getCertificateStoreManager().getIdentityStore(ConnectionType.SOCKET_C2S);
                                        try {
                                            String str = new String(Files.readAllBytes(path2));
                                            String str2 = new String(Files.readAllBytes(path3));
                                            if (JiveGlobals.getBooleanProperty(DirectoryWatcher.PROPERTY_REPLACE, true)) {
                                                identityStore.replaceCertificate(str, str2, property);
                                            } else {
                                                identityStore.installCertificate(str, str2, property);
                                            }
                                            SecurityAuditManager.getInstance().logEvent("Certificate Manager plugin", "hot-deployed private key and certificate chain.", "A private key and corresponding certificate chain were automatically installed. Files used: " + path3 + " and: " + path2);
                                            DirectoryWatcher.Log.info("Hot-deployment of certificate and private key was successful.");
                                            if (JiveGlobals.getBooleanProperty(DirectoryWatcher.PROPERTY_DELETE, false)) {
                                                if (!path2.toFile().delete()) {
                                                    DirectoryWatcher.Log.info("Unable to delete the hot-deployed certificate chain file: {}", path2);
                                                }
                                                if (!path3.toFile().delete()) {
                                                    DirectoryWatcher.Log.info("Unable to delete the hot-deployed private key file: {}", path3);
                                                }
                                            }
                                            poll.reset();
                                        } catch (Exception e2) {
                                            DirectoryWatcher.Log.warn("Unable to hot-deploy certificate and private key.", e2);
                                        }
                                    }
                                }
                            }
                            poll.reset();
                        }
                    } catch (InterruptedException e3) {
                    }
                }
            }
        });
    }

    public static boolean isPrivateKey(File file, String str) {
        Log.debug("Checking if {} is a private key...", file);
        if (!file.isFile() || !file.canRead()) {
            Log.debug("{} is not a file, or cannot be read.", file);
            return false;
        }
        try {
            FileInputStream fileInputStream = new FileInputStream(file);
            Throwable th = null;
            try {
                CertificateManager.parsePrivateKey(fileInputStream, str);
                Log.debug("{} is a private key.", file);
                if (fileInputStream != null) {
                    if (0 != 0) {
                        try {
                            fileInputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        fileInputStream.close();
                    }
                }
                return true;
            } finally {
            }
        } catch (Exception e) {
            Log.debug("{} is not a private key (or might still be written to).", file);
            return false;
        }
    }

    public static boolean isCertificateChain(File file) {
        Log.debug("Checking if {} is a certificate chain...", file);
        if (!file.isFile() || !file.canRead()) {
            Log.debug("{} is not a file, or cannot be read.", file);
            return false;
        }
        try {
            FileInputStream fileInputStream = new FileInputStream(file);
            Throwable th = null;
            try {
                int intProperty = JiveGlobals.getIntProperty(PROPERTY_CHAIN_MIN_LENGTH, 2);
                boolean z = CertificateManager.parseCertificates(fileInputStream).size() >= intProperty;
                Logger logger = Log;
                Object[] objArr = new Object[3];
                objArr[0] = file;
                objArr[1] = z ? "a" : "not a";
                objArr[2] = Integer.valueOf(intProperty);
                logger.debug("{} is {} certificate chain that has {} or more certificates in it.", objArr);
                if (fileInputStream != null) {
                    if (0 != 0) {
                        try {
                            fileInputStream.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    } else {
                        fileInputStream.close();
                    }
                }
                return z;
            } finally {
            }
        } catch (Exception e) {
            Log.debug("{} is not a certificate chain (or might still be written to).", file);
            return false;
        }
    }

    public synchronized void stop() {
        if (this.executorService != null) {
            this.executorService.shutdown();
            this.executorService = null;
        }
        if (this.watchService != null) {
            try {
                this.watchService.close();
                this.watchService = null;
            } catch (IOException e) {
                Log.warn("Unable to close the watcherservice that is watching for file system changes to certificate stores.", e);
            }
        }
        Log.info("Stopped watching for updates for installed certificate chains and private keys.");
    }
}
