package org.opends.server.crypto;

import java.util.EnumSet;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.List;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.ResultCode;
import org.forgerock.opendj.ldap.SearchScope;
import org.opends.admin.ads.ADSContext;
import org.opends.messages.CoreMessages;
import org.opends.server.api.Backend;
import org.opends.server.api.BackendInitializationListener;
import org.opends.server.api.plugin.InternalDirectoryServerPlugin;
import org.opends.server.api.plugin.PluginResult;
import org.opends.server.api.plugin.PluginType;
import org.opends.server.config.ConfigConstants;
import org.opends.server.controls.EntryChangeNotificationControl;
import org.opends.server.controls.PersistentSearchChangeType;
import org.opends.server.core.AddOperation;
import org.opends.server.core.DeleteOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.internal.InternalSearchOperation;
import org.opends.server.protocols.internal.Requests;
import org.opends.server.protocols.ldap.LDAPControl;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeType;
import org.opends.server.types.Control;
import org.opends.server.types.CryptoManagerException;
import org.opends.server.types.DN;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.ObjectClass;
import org.opends.server.types.RDN;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SearchResultEntry;
import org.opends.server.types.operation.PostResponseAddOperation;
import org.opends.server.types.operation.PostResponseDeleteOperation;
import org.opends.server.types.operation.PostResponseModifyOperation;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:org/opends/server/crypto/CryptoManagerSync.class */
public class CryptoManagerSync extends InternalDirectoryServerPlugin implements BackendInitializationListener {
    private static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();
    private DN adminSuffixDN;
    private DN instanceKeysDN;
    private DN secretKeysDN;
    private DN trustStoreRootDN;
    private final AttributeType attrCert;
    private final AttributeType attrAlias;
    private final AttributeType attrCompromisedTime;
    private SearchFilter keySearchFilter;
    private final ObjectClass ocInstanceKey;
    private final ObjectClass ocCipherKey;
    private final ObjectClass ocMacKey;
    private static final String CONFIG_DN = "cn=Crypto Manager Sync,cn=config";

    public CryptoManagerSync() throws InitializationException {
        super(toDN(CONFIG_DN), EnumSet.of(PluginType.POST_RESPONSE_ADD, PluginType.POST_RESPONSE_MODIFY, PluginType.POST_RESPONSE_DELETE), true);
        try {
            CryptoManagerImpl.publishInstanceKeyEntryInADS();
            DirectoryServer.registerBackendInitializationListener(this);
            try {
                this.adminSuffixDN = DN.valueOf(ADSContext.getAdministrationSuffixDN());
                this.instanceKeysDN = this.adminSuffixDN.child(DN.valueOf("cn=instance keys"));
                this.secretKeysDN = this.adminSuffixDN.child(DN.valueOf("cn=secret keys"));
                this.trustStoreRootDN = DN.valueOf(ConfigConstants.DN_TRUST_STORE_ROOT);
                this.keySearchFilter = SearchFilter.createFilterFromString("(|(objectclass=ds-cfg-instance-key)(objectclass=ds-cfg-cipher-key)(objectclass=ds-cfg-mac-key))");
            } catch (DirectoryException e) {
            }
            this.ocInstanceKey = DirectoryServer.getObjectClass(ConfigConstants.OC_CRYPTO_INSTANCE_KEY, true);
            this.ocCipherKey = DirectoryServer.getObjectClass(ConfigConstants.OC_CRYPTO_CIPHER_KEY, true);
            this.ocMacKey = DirectoryServer.getObjectClass(ConfigConstants.OC_CRYPTO_MAC_KEY, true);
            this.attrCert = DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.ATTR_CRYPTO_PUBLIC_KEY_CERTIFICATE);
            this.attrAlias = DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.ATTR_CRYPTO_KEY_ID);
            this.attrCompromisedTime = DirectoryServer.getAttributeTypeOrDefault(ConfigConstants.ATTR_CRYPTO_KEY_COMPROMISED_TIME);
            if (DirectoryServer.getBackendWithBaseDN(this.adminSuffixDN) != null) {
                searchAdminSuffix();
            }
            DirectoryServer.registerInternalPlugin(this);
        } catch (CryptoManagerException e2) {
            throw new InitializationException(e2.getMessageObject());
        }
    }

    private static DN toDN(String str) throws InitializationException {
        try {
            return DN.valueOf(str);
        } catch (DirectoryException e) {
            throw new RuntimeException(e);
        }
    }

    private void searchAdminSuffix() {
        InternalSearchOperation processSearch = InternalClientConnection.getRootConnection().processSearch(Requests.newSearchRequest(this.adminSuffixDN, SearchScope.WHOLE_SUBTREE, this.keySearchFilter, new String[0]));
        if (processSearch.getResultCode() != ResultCode.SUCCESS) {
            logger.debug(CoreMessages.INFO_TRUSTSTORESYNC_ADMIN_SUFFIX_SEARCH_FAILED, this.adminSuffixDN, processSearch.getErrorMessage());
        }
        Iterator<SearchResultEntry> it = processSearch.getSearchEntries().iterator();
        while (it.hasNext()) {
            try {
                handleInternalSearchEntry(it.next());
            } catch (DirectoryException e) {
                logger.traceException(e);
                logger.error(CoreMessages.ERR_TRUSTSTORESYNC_EXCEPTION, StaticUtils.stackTraceToSingleLineString(e));
            }
        }
    }

    @Override // org.opends.server.api.BackendInitializationListener
    public void performBackendInitializationProcessing(Backend<?> backend) {
        DN[] baseDNs = backend.getBaseDNs();
        if (baseDNs != null) {
            for (DN dn : baseDNs) {
                if (dn.equals(this.adminSuffixDN)) {
                    searchAdminSuffix();
                }
            }
        }
    }

    @Override // org.opends.server.api.BackendInitializationListener
    public void performBackendFinalizationProcessing(Backend<?> backend) {
    }

    private void handleInternalSearchEntry(SearchResultEntry searchResultEntry) throws DirectoryException {
        if (searchResultEntry.hasObjectClass(this.ocInstanceKey)) {
            handleInstanceKeySearchEntry(searchResultEntry);
            return;
        }
        try {
            if (searchResultEntry.hasObjectClass(this.ocCipherKey)) {
                DirectoryServer.getCryptoManager().importCipherKeyEntry(searchResultEntry);
            } else if (searchResultEntry.hasObjectClass(this.ocMacKey)) {
                DirectoryServer.getCryptoManager().importMacKeyEntry(searchResultEntry);
            }
        } catch (CryptoManagerException e) {
            throw new DirectoryException(DirectoryServer.getServerErrorResultCode(), e);
        }
    }

    private void handleInstanceKeySearchEntry(SearchResultEntry searchResultEntry) throws DirectoryException {
        RDN rdn = searchResultEntry.getName().rdn();
        if (rdn.isMultiValued() || !rdn.getAttributeType(0).equals(this.attrAlias)) {
            return;
        }
        DN child = this.trustStoreRootDN.child(rdn);
        EntryChangeNotificationControl entryChangeNotificationControl = null;
        try {
            for (Control control : searchResultEntry.getControls()) {
                if (ServerConstants.OID_ENTRY_CHANGE_NOTIFICATION.equals(control.getOID())) {
                    entryChangeNotificationControl = control instanceof LDAPControl ? EntryChangeNotificationControl.DECODER.decode(control.isCritical(), ((LDAPControl) control).getValue()) : (EntryChangeNotificationControl) control;
                }
            }
        } catch (DirectoryException e) {
        }
        Entry entry = DirectoryServer.getEntry(child);
        if (entryChangeNotificationControl != null && entryChangeNotificationControl.getChangeType() == PersistentSearchChangeType.DELETE) {
            if (entry != null) {
                deleteEntry(child);
            }
        } else if (searchResultEntry.hasAttribute(this.attrCompromisedTime)) {
            if (entry != null) {
                deleteEntry(child);
            }
        } else if (entry == null) {
            addEntry(searchResultEntry, child);
        } else {
            modifyEntry(searchResultEntry, entry);
        }
    }

    private void modifyEntry(Entry entry, Entry entry2) {
        List<Attribute> attribute = entry.getAttribute(this.attrCert);
        List<Attribute> attribute2 = entry2.getAttribute(this.attrCert);
        boolean z = false;
        if (attribute == null) {
            if (attribute2 != null) {
                z = true;
            }
        } else if (attribute2 == null || attribute.size() != attribute2.size() || !attribute.equals(attribute2)) {
            z = true;
        }
        if (z) {
            DN name = entry2.getName();
            deleteEntry(name);
            addEntry(entry, name);
        }
    }

    private static void deleteEntry(DN dn) {
        DeleteOperation processDelete = InternalClientConnection.getRootConnection().processDelete(dn);
        if (processDelete.getResultCode() != ResultCode.SUCCESS) {
            logger.debug(CoreMessages.INFO_TRUSTSTORESYNC_DELETE_FAILED, dn, processDelete.getErrorMessage());
        }
    }

    private void addEntry(Entry entry, DN dn) {
        LinkedHashMap linkedHashMap = new LinkedHashMap(2);
        linkedHashMap.put(DirectoryServer.getTopObjectClass(), "top");
        linkedHashMap.put(this.ocInstanceKey, ConfigConstants.OC_CRYPTO_INSTANCE_KEY);
        HashMap hashMap = new HashMap();
        List<Attribute> attribute = entry.getAttribute(this.attrAlias);
        if (attribute != null) {
            hashMap.put(this.attrAlias, attribute);
        }
        List<Attribute> attribute2 = entry.getAttribute(this.attrCert);
        if (attribute2 != null) {
            hashMap.put(this.attrCert, attribute2);
        }
        AddOperation processAdd = InternalClientConnection.getRootConnection().processAdd(new Entry(dn, linkedHashMap, hashMap, null));
        if (processAdd.getResultCode() != ResultCode.SUCCESS) {
            logger.debug(CoreMessages.INFO_TRUSTSTORESYNC_ADD_FAILED, dn, processAdd.getErrorMessage());
        }
    }

    @Override // org.opends.server.api.plugin.DirectoryServerPlugin
    public PluginResult.PostResponse doPostResponse(PostResponseAddOperation postResponseAddOperation) {
        if (postResponseAddOperation.getResultCode() != ResultCode.SUCCESS) {
            return PluginResult.PostResponse.continueOperationProcessing();
        }
        Entry entryToAdd = postResponseAddOperation.getEntryToAdd();
        DN entryDN = postResponseAddOperation.getEntryDN();
        if (entryDN.isDescendantOf(this.instanceKeysDN)) {
            handleInstanceKeyAddOperation(entryToAdd);
        } else if (entryDN.isDescendantOf(this.secretKeysDN)) {
            try {
                if (entryToAdd.hasObjectClass(this.ocCipherKey)) {
                    DirectoryServer.getCryptoManager().importCipherKeyEntry(entryToAdd);
                } else if (entryToAdd.hasObjectClass(this.ocMacKey)) {
                    DirectoryServer.getCryptoManager().importMacKeyEntry(entryToAdd);
                }
            } catch (CryptoManagerException e) {
                logger.error(LocalizableMessage.raw("Failed to import key entry: %s", new Object[]{e.getMessage()}));
            }
        }
        return PluginResult.PostResponse.continueOperationProcessing();
    }

    private void handleInstanceKeyAddOperation(Entry entry) {
        RDN rdn = entry.getName().rdn();
        if (rdn.isMultiValued() || !rdn.getAttributeType(0).equals(this.attrAlias)) {
            return;
        }
        DN child = this.trustStoreRootDN.child(rdn);
        if (entry.hasAttribute(this.attrCompromisedTime)) {
            return;
        }
        addEntry(entry, child);
    }

    @Override // org.opends.server.api.plugin.DirectoryServerPlugin
    public PluginResult.PostResponse doPostResponse(PostResponseDeleteOperation postResponseDeleteOperation) {
        if (postResponseDeleteOperation.getResultCode() != ResultCode.SUCCESS || !postResponseDeleteOperation.getEntryDN().isDescendantOf(this.instanceKeysDN)) {
            return PluginResult.PostResponse.continueOperationProcessing();
        }
        RDN rdn = postResponseDeleteOperation.getEntryToDelete().getName().rdn();
        if (!rdn.isMultiValued() && rdn.getAttributeType(0).equals(this.attrAlias)) {
            deleteEntry(this.trustStoreRootDN.child(rdn));
        }
        return PluginResult.PostResponse.continueOperationProcessing();
    }

    @Override // org.opends.server.api.plugin.DirectoryServerPlugin
    public PluginResult.PostResponse doPostResponse(PostResponseModifyOperation postResponseModifyOperation) {
        if (postResponseModifyOperation.getResultCode() != ResultCode.SUCCESS) {
            return PluginResult.PostResponse.continueOperationProcessing();
        }
        Entry modifiedEntry = postResponseModifyOperation.getModifiedEntry();
        DN entryDN = postResponseModifyOperation.getEntryDN();
        if (entryDN.isDescendantOf(this.instanceKeysDN)) {
            handleInstanceKeyModifyOperation(modifiedEntry);
        } else if (entryDN.isDescendantOf(this.secretKeysDN)) {
            try {
                if (modifiedEntry.hasObjectClass(this.ocCipherKey)) {
                    DirectoryServer.getCryptoManager().importCipherKeyEntry(modifiedEntry);
                } else if (modifiedEntry.hasObjectClass(this.ocMacKey)) {
                    DirectoryServer.getCryptoManager().importMacKeyEntry(modifiedEntry);
                }
            } catch (CryptoManagerException e) {
                logger.error(LocalizableMessage.raw("Failed to import modified key entry: %s", new Object[]{e.getMessage()}));
            }
        }
        return PluginResult.PostResponse.continueOperationProcessing();
    }

    private void handleInstanceKeyModifyOperation(Entry entry) {
        RDN rdn = entry.getName().rdn();
        if (rdn.isMultiValued() || !rdn.getAttributeType(0).equals(this.attrAlias)) {
            return;
        }
        DN child = this.trustStoreRootDN.child(rdn);
        Entry entry2 = null;
        try {
            entry2 = DirectoryServer.getEntry(child);
        } catch (DirectoryException e) {
        }
        if (entry.hasAttribute(this.attrCompromisedTime)) {
            if (entry2 != null) {
                deleteEntry(child);
            }
        } else if (entry2 == null) {
            addEntry(entry, child);
        } else {
            modifyEntry(entry, entry2);
        }
    }
}
