package org.apache.nifi.bootstrap.util;

import java.io.File;
import java.io.FileReader;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.InetAddress;
import java.net.UnknownHostException;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.nio.file.StandardCopyOption;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.time.LocalDate;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalUnit;
import java.util.Enumeration;
import java.util.HashSet;
import java.util.List;
import java.util.Locale;
import java.util.Properties;
import java.util.Set;
import java.util.stream.Collectors;
import org.apache.commons.codec.digest.DigestUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.nifi.security.util.KeyStoreUtils;
import org.apache.nifi.security.util.StandardTlsConfiguration;
import org.apache.nifi.security.util.TlsConfiguration;
import org.bouncycastle.shaded.util.IPAddress;
import org.slf4j.Logger;

/* loaded from: input_file:org/apache/nifi/bootstrap/util/SecureNiFiConfigUtil.class */
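public class SecureNiFiConfigUtil {
    /** Validity of the generated self-signed certificate, in days. */
    private static final int CERT_DURATION_DAYS = 60;
    private static final String LOCALHOST_NAME = "localhost";
    private static final String PROPERTY_VALUE_PATTERN = "%s=%s";

    // nifi.properties keys read by this class
    private static final String HTTPS_PORT_PROPERTY = "nifi.web.https.port";
    private static final String KEYSTORE_PATH_PROPERTY = "nifi.security.keystore";
    private static final String KEYSTORE_PASSWORD_PROPERTY = "nifi.security.keystorePasswd";
    private static final String KEY_PASSWORD_PROPERTY = "nifi.security.keyPasswd";
    private static final String KEYSTORE_TYPE_PROPERTY = "nifi.security.keystoreType";
    private static final String TRUSTSTORE_PATH_PROPERTY = "nifi.security.truststore";
    private static final String TRUSTSTORE_PASSWORD_PROPERTY = "nifi.security.truststorePasswd";
    private static final String TRUSTSTORE_TYPE_PROPERTY = "nifi.security.truststoreType";

    // Host-name properties whose values become Subject Alternative Names of the generated certificate.
    private static final String[] SAN_HOST_PROPERTIES = {
        "nifi.remote.input.host",
        "nifi.web.https.host",
        "nifi.web.proxy.host",
        "nifi.cluster.load.balance.host"
    };

    private SecureNiFiConfigUtil() {
    }

    /**
     * Returns {@code true} when {@code path} is non-empty and names an existing file-system entry.
     */
    private static boolean fileExists(String path) {
        return path != null && !path.isEmpty() && Files.exists(Paths.get(path));
    }

    /**
     * Decides whether certificate generation applies: HTTPS port set, keystore and truststore
     * paths set, and BOTH store password properties empty. Any configured password means the
     * operator supplied their own stores, so nothing is generated.
     */
    private static boolean isHttpsSecurityConfiguredWithEmptyPasswords(Properties properties) {
        if (properties.getProperty(HTTPS_PORT_PROPERTY, "").isEmpty()) {
            return false;
        }
        String keystorePath = properties.getProperty(KEYSTORE_PATH_PROPERTY, "");
        String truststorePath = properties.getProperty(TRUSTSTORE_PATH_PROPERTY, "");
        if (keystorePath.isEmpty() || truststorePath.isEmpty()) {
            return false;
        }
        boolean keystorePasswordSet = !properties.getProperty(KEYSTORE_PASSWORD_PROPERTY, "").isEmpty();
        boolean truststorePasswordSet = !properties.getProperty(TRUSTSTORE_PASSWORD_PROPERTY, "").isEmpty();
        return !keystorePasswordSet && !truststorePasswordSet;
    }

    /**
     * Generates a self-signed keystore/truststore pair for NiFi when HTTPS is enabled but no
     * store passwords are configured, then writes the generated passwords and store types back
     * into the properties file.
     *
     * <p>Generation is skipped (with a warning) when exactly one of the two store files already
     * exists, and silently when both exist, so an operator-provided store is never overwritten.
     * The SHA-256 fingerprint of each generated certificate is logged so it can be verified
     * out of band.
     *
     * @param nifiPropertiesPath path of the nifi.properties file to read and update
     * @param logger             logger for progress and warnings
     * @throws IOException        if the properties file or generated stores cannot be moved or rewritten
     * @throws UncheckedIOException if the properties file cannot be read
     * @throws RuntimeException   wrapping any {@link GeneralSecurityException} raised during generation
     */
    public static void configureSecureNiFiProperties(String nifiPropertiesPath, Logger logger) throws IOException, RuntimeException {
        File propertiesFile = new File(nifiPropertiesPath);
        Properties properties = loadProperties(propertiesFile);
        if (!isHttpsSecurityConfiguredWithEmptyPasswords(properties)) {
            logger.debug("Skipping Apache Nifi certificate generation.");
            return;
        }
        String keystorePath = properties.getProperty(KEYSTORE_PATH_PROPERTY, "");
        String truststorePath = properties.getProperty(TRUSTSTORE_PATH_PROPERTY, "");
        boolean keystoreExists = fileExists(keystorePath);
        boolean truststoreExists = fileExists(truststorePath);
        if (keystoreExists && !truststoreExists) {
            logger.warn("Keystore file {} already exists.  Apache NiFi will not generate keystore and truststore separately.", keystorePath);
            return;
        }
        if (!keystoreExists && truststoreExists) {
            logger.warn("Truststore file {} already exists.  Apache NiFi will not generate keystore and truststore separately.", truststorePath);
            return;
        }
        if (keystoreExists) {
            // both stores already exist: nothing to generate
            return;
        }
        logger.info("Generating Self-Signed Certificate: Expires on {}", LocalDate.now().plus(CERT_DURATION_DAYS, ChronoUnit.DAYS));
        try {
            TlsConfiguration generated = KeyStoreUtils.createTlsConfigAndNewKeystoreTruststore(
                    StandardTlsConfiguration.fromNiFiProperties(properties),
                    CERT_DURATION_DAYS,
                    getSubjectAlternativeNames(properties, logger));
            logCertificateFingerprints(generated, logger);
            // Both destinations were checked absent above; REPLACE_EXISTING only matters if one
            // appeared in the meantime.
            Files.move(Paths.get(generated.getKeystorePath()), Paths.get(keystorePath), StandardCopyOption.REPLACE_EXISTING);
            Files.move(Paths.get(generated.getTruststorePath()), Paths.get(truststorePath), StandardCopyOption.REPLACE_EXISTING);
            updateProperties(propertiesFile, generated);
            logger.debug("Generated Keystore [{}] Truststore [{}]", keystorePath, truststorePath);
        } catch (GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Logs the upper-case hex SHA-256 digest of every certificate in the generated keystore.
     *
     * @throws GeneralSecurityException if the keystore cannot be read or a certificate cannot be encoded
     * @throws IOException              if the keystore file cannot be opened
     */
    private static void logCertificateFingerprints(TlsConfiguration tlsConfiguration, Logger logger)
            throws GeneralSecurityException, IOException {
        KeyStore keyStore = KeyStoreUtils.loadKeyStore(
                tlsConfiguration.getKeystorePath(),
                tlsConfiguration.getKeystorePassword().toCharArray(),
                tlsConfiguration.getKeystoreType().getType());
        Enumeration<String> aliases = keyStore.aliases();
        while (aliases.hasMoreElements()) {
            Certificate certificate = keyStore.getCertificate(aliases.nextElement());
            if (certificate != null) {
                logger.info("Generated Self-Signed Certificate SHA-256: {}",
                        DigestUtils.sha256Hex(certificate.getEncoded()).toUpperCase(Locale.ROOT));
            }
        }
    }

    /**
     * Collects the DNS Subject Alternative Names for the generated certificate: the local host
     * name (if resolvable) plus the non-empty, non-IP-literal values of the host properties in
     * {@link #SAN_HOST_PROPERTIES}. {@code localhost} is always dropped.
     */
    private static String[] getSubjectAlternativeNames(Properties properties, Logger logger) {
        Set<String> names = new HashSet<>();
        try {
            names.add(InetAddress.getLocalHost().getHostName());
        } catch (UnknownHostException e) {
            logger.debug("Could not add localhost hostname as certificate SAN", e);
        }
        for (String propertyName : SAN_HOST_PROPERTIES) {
            addSubjectAlternativeName(properties, propertyName, names);
        }
        names.remove(LOCALHOST_NAME);
        return names.toArray(new String[0]);
    }

    /**
     * Adds the value of {@code propertyName} to {@code names} unless it is empty or an IP address
     * literal (only host names are used as SANs here).
     */
    private static void addSubjectAlternativeName(Properties properties, String propertyName, Set<String> names) {
        String value = properties.getProperty(propertyName, "");
        if (value.isEmpty() || IPAddress.isValid(value)) {
            return;
        }
        names.add(value);
    }

    /** Formats one {@code key=value} line for the properties file. */
    private static String getPropertyLine(String key, String value) {
        return String.format(PROPERTY_VALUE_PATTERN, key, value);
    }

    /**
     * Rewrites the properties file in place, replacing the password and store-type lines with the
     * values of the generated configuration. All other lines are preserved verbatim. The file is
     * read and written as UTF-8 (the {@link Files} defaults).
     *
     * @throws IOException if the file cannot be read or written
     */
    private static void updateProperties(File file, TlsConfiguration tlsConfiguration) throws IOException {
        Path path = file.toPath();
        List<String> updatedLines = Files.readAllLines(path).stream()
                .map(line -> rewritePropertyLine(line, tlsConfiguration))
                .collect(Collectors.toList());
        Files.write(path, updatedLines);
    }

    /**
     * Returns the replacement for {@code line} if it starts with one of the managed keys,
     * otherwise {@code line} unchanged. Matching is by prefix, as in the original implementation.
     */
    private static String rewritePropertyLine(String line, TlsConfiguration tlsConfiguration) {
        if (line.startsWith(KEYSTORE_PASSWORD_PROPERTY)) {
            return getPropertyLine(KEYSTORE_PASSWORD_PROPERTY, tlsConfiguration.getKeystorePassword());
        }
        if (line.startsWith(TRUSTSTORE_PASSWORD_PROPERTY)) {
            return getPropertyLine(TRUSTSTORE_PASSWORD_PROPERTY, tlsConfiguration.getTruststorePassword());
        }
        if (line.startsWith(KEY_PASSWORD_PROPERTY)) {
            // the generated key password is the keystore password
            return getPropertyLine(KEY_PASSWORD_PROPERTY, tlsConfiguration.getKeystorePassword());
        }
        if (line.startsWith(KEYSTORE_TYPE_PROPERTY)) {
            return getPropertyLine(KEYSTORE_TYPE_PROPERTY, tlsConfiguration.getKeystoreType().getType());
        }
        if (line.startsWith(TRUSTSTORE_TYPE_PROPERTY)) {
            return getPropertyLine(TRUSTSTORE_TYPE_PROPERTY, tlsConfiguration.getTruststoreType().getType());
        }
        return line;
    }

    /**
     * Loads {@code file} as a {@link Properties} instance, closing the reader in all cases.
     *
     * @throws UncheckedIOException if the file cannot be read
     */
    private static Properties loadProperties(File file) {
        Properties properties = new Properties();
        try (FileReader reader = new FileReader(file)) {
            properties.load(reader);
        } catch (IOException e) {
            throw new UncheckedIOException(String.format("Failed to read NiFi Properties [%s]", file), e);
        }
        return properties;
    }
}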
