package org.opends.server.crypto;

import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedHashMap;
import java.util.LinkedHashSet;
import java.util.List;
import org.opends.admin.ads.ADSContext;
import org.opends.messages.CoreMessages;
import org.opends.messages.Message;
import org.opends.server.api.Backend;
import org.opends.server.api.BackendInitializationListener;
import org.opends.server.api.ChangeNotificationListener;
import org.opends.server.api.ClientConnection;
import org.opends.server.config.ConfigConstants;
import org.opends.server.controls.EntryChangeNotificationControl;
import org.opends.server.controls.PersistentSearchChangeType;
import org.opends.server.core.AddOperation;
import org.opends.server.core.DeleteOperation;
import org.opends.server.core.DirectoryServer;
import org.opends.server.loggers.ErrorLogger;
import org.opends.server.loggers.debug.DebugLogger;
import org.opends.server.loggers.debug.DebugTracer;
import org.opends.server.protocols.internal.InternalClientConnection;
import org.opends.server.protocols.internal.InternalSearchListener;
import org.opends.server.protocols.internal.InternalSearchOperation;
import org.opends.server.protocols.ldap.LDAPControl;
import org.opends.server.types.Attribute;
import org.opends.server.types.AttributeType;
import org.opends.server.types.Control;
import org.opends.server.types.CryptoManagerException;
import org.opends.server.types.DN;
import org.opends.server.types.DebugLogLevel;
import org.opends.server.types.DereferencePolicy;
import org.opends.server.types.DirectoryException;
import org.opends.server.types.Entry;
import org.opends.server.types.InitializationException;
import org.opends.server.types.ObjectClass;
import org.opends.server.types.RDN;
import org.opends.server.types.ResultCode;
import org.opends.server.types.SearchFilter;
import org.opends.server.types.SearchResultEntry;
import org.opends.server.types.SearchScope;
import org.opends.server.types.operation.PostResponseAddOperation;
import org.opends.server.types.operation.PostResponseDeleteOperation;
import org.opends.server.types.operation.PostResponseModifyDNOperation;
import org.opends.server.types.operation.PostResponseModifyOperation;
import org.opends.server.util.ServerConstants;
import org.opends.server.util.StaticUtils;

/* loaded from: input_file:WEB-INF/lib/OpenDS.jar:org/opends/server/crypto/CryptoManagerSync.class */
public class CryptoManagerSync implements BackendInitializationListener, ChangeNotificationListener {
    private static final DebugTracer TRACER = DebugLogger.getTracer();
    private DN adminSuffixDN;
    private DN instanceKeysDN;
    private DN secretKeysDN;
    private DN trustStoreRootDN;
    AttributeType attrCert;
    AttributeType attrAlias;
    AttributeType attrCompromisedTime;
    private SearchFilter keySearchFilter;
    private ObjectClass ocInstanceKey;
    private ObjectClass ocCipherKey;
    private ObjectClass ocMacKey;

    public CryptoManagerSync() throws InitializationException {
        this(true);
    }

    public CryptoManagerSync(boolean z) throws InitializationException {
        if (z) {
            try {
                CryptoManagerImpl.publishInstanceKeyEntryInADS();
            } catch (CryptoManagerException e) {
                throw new InitializationException(e.getMessageObject());
            }
        }
        DirectoryServer.registerBackendInitializationListener(this);
        try {
            this.adminSuffixDN = DN.decode(ADSContext.getAdministrationSuffixDN());
            this.instanceKeysDN = this.adminSuffixDN.concat(DN.decode("cn=instance keys"));
            this.secretKeysDN = this.adminSuffixDN.concat(DN.decode("cn=secret keys"));
            this.trustStoreRootDN = DN.decode(ConfigConstants.DN_TRUST_STORE_ROOT);
            this.keySearchFilter = SearchFilter.createFilterFromString("(|(objectclass=ds-cfg-instance-key)(objectclass=ds-cfg-cipher-key)(objectclass=ds-cfg-mac-key))");
        } catch (DirectoryException e2) {
        }
        this.ocInstanceKey = DirectoryServer.getObjectClass(ConfigConstants.OC_CRYPTO_INSTANCE_KEY, true);
        this.ocCipherKey = DirectoryServer.getObjectClass(ConfigConstants.OC_CRYPTO_CIPHER_KEY, true);
        this.ocMacKey = DirectoryServer.getObjectClass(ConfigConstants.OC_CRYPTO_MAC_KEY, true);
        this.attrCert = DirectoryServer.getAttributeType(ConfigConstants.ATTR_CRYPTO_PUBLIC_KEY_CERTIFICATE, true);
        this.attrAlias = DirectoryServer.getAttributeType(ConfigConstants.ATTR_CRYPTO_KEY_ID, true);
        this.attrCompromisedTime = DirectoryServer.getAttributeType(ConfigConstants.ATTR_CRYPTO_KEY_COMPROMISED_TIME, true);
        if (DirectoryServer.getBackendWithBaseDN(this.adminSuffixDN) != null) {
            searchAdminSuffix();
        }
        DirectoryServer.registerChangeNotificationListener(this);
    }

    private void searchAdminSuffix() {
        InternalClientConnection rootConnection = InternalClientConnection.getRootConnection();
        LinkedHashSet linkedHashSet = new LinkedHashSet(0);
        InternalSearchOperation internalSearchOperation = new InternalSearchOperation((ClientConnection) rootConnection, InternalClientConnection.nextOperationID(), InternalClientConnection.nextMessageID(), (List<Control>) new ArrayList(0), this.adminSuffixDN, SearchScope.WHOLE_SUBTREE, DereferencePolicy.NEVER_DEREF_ALIASES, 0, 0, false, this.keySearchFilter, (LinkedHashSet<String>) linkedHashSet, (InternalSearchListener) null);
        internalSearchOperation.run();
        if (internalSearchOperation.getResultCode() != ResultCode.SUCCESS) {
            ErrorLogger.logError(CoreMessages.INFO_TRUSTSTORESYNC_ADMIN_SUFFIX_SEARCH_FAILED.get(String.valueOf(this.adminSuffixDN), internalSearchOperation.getErrorMessage().toString()));
        }
        Iterator<SearchResultEntry> it = internalSearchOperation.getSearchEntries().iterator();
        while (it.hasNext()) {
            try {
                handleInternalSearchEntry(it.next());
            } catch (DirectoryException e) {
                if (DebugLogger.debugEnabled()) {
                    TRACER.debugCaught(DebugLogLevel.ERROR, e);
                }
                ErrorLogger.logError(CoreMessages.ERR_TRUSTSTORESYNC_EXCEPTION.get(StaticUtils.stackTraceToSingleLineString(e)));
            }
        }
    }

    @Override // org.opends.server.api.BackendInitializationListener
    public void performBackendInitializationProcessing(Backend backend) {
        DN[] baseDNs = backend.getBaseDNs();
        if (baseDNs != null) {
            for (DN dn : baseDNs) {
                if (dn.equals(this.adminSuffixDN)) {
                    searchAdminSuffix();
                }
            }
        }
    }

    @Override // org.opends.server.api.BackendInitializationListener
    public void performBackendFinalizationProcessing(Backend backend) {
    }

    private void handleInternalSearchEntry(SearchResultEntry searchResultEntry) throws DirectoryException {
        if (searchResultEntry.hasObjectClass(this.ocInstanceKey)) {
            handleInstanceKeySearchEntry(searchResultEntry);
            return;
        }
        try {
            if (searchResultEntry.hasObjectClass(this.ocCipherKey)) {
                DirectoryServer.getCryptoManager().importCipherKeyEntry(searchResultEntry);
            } else if (searchResultEntry.hasObjectClass(this.ocMacKey)) {
                DirectoryServer.getCryptoManager().importMacKeyEntry(searchResultEntry);
            }
        } catch (CryptoManagerException e) {
            throw new DirectoryException(DirectoryServer.getServerErrorResultCode(), e);
        }
    }

    private void handleInstanceKeySearchEntry(SearchResultEntry searchResultEntry) throws DirectoryException {
        RDN rdn = searchResultEntry.getDN().getRDN();
        if (rdn.isMultiValued() || !rdn.getAttributeType(0).equals(this.attrAlias)) {
            return;
        }
        DN concat = this.trustStoreRootDN.concat(rdn);
        EntryChangeNotificationControl entryChangeNotificationControl = null;
        try {
            for (Control control : searchResultEntry.getControls()) {
                if (control.getOID().equals(ServerConstants.OID_ENTRY_CHANGE_NOTIFICATION)) {
                    entryChangeNotificationControl = control instanceof LDAPControl ? EntryChangeNotificationControl.DECODER.decode(control.isCritical(), ((LDAPControl) control).getValue()) : (EntryChangeNotificationControl) control;
                }
            }
        } catch (DirectoryException e) {
        }
        Entry entry = DirectoryServer.getEntry(concat);
        if (entryChangeNotificationControl != null && entryChangeNotificationControl.getChangeType() == PersistentSearchChangeType.DELETE) {
            if (entry != null) {
                deleteEntry(concat);
            }
        } else if (searchResultEntry.hasAttribute(this.attrCompromisedTime)) {
            if (entry != null) {
                deleteEntry(concat);
            }
        } else if (entry == null) {
            addEntry(searchResultEntry, concat);
        } else {
            modifyEntry(searchResultEntry, entry);
        }
    }

    private void modifyEntry(Entry entry, Entry entry2) {
        List<Attribute> attribute = entry.getAttribute(this.attrCert);
        List<Attribute> attribute2 = entry2.getAttribute(this.attrCert);
        boolean z = false;
        if (attribute == null) {
            if (attribute2 != null) {
                z = true;
            }
        } else if (attribute2 == null) {
            z = true;
        } else if (attribute.size() != attribute2.size()) {
            z = true;
        } else if (!attribute.equals(attribute2)) {
            z = true;
        }
        if (z) {
            DN dn = entry2.getDN();
            deleteEntry(dn);
            addEntry(entry, dn);
        }
    }

    private void deleteEntry(DN dn) {
        DeleteOperation processDelete = InternalClientConnection.getRootConnection().processDelete(dn);
        if (processDelete.getResultCode() != ResultCode.SUCCESS) {
            ErrorLogger.logError(CoreMessages.INFO_TRUSTSTORESYNC_DELETE_FAILED.get(String.valueOf(dn), String.valueOf(processDelete.getErrorMessage())));
        }
    }

    private void addEntry(Entry entry, DN dn) {
        LinkedHashMap linkedHashMap = new LinkedHashMap(2);
        linkedHashMap.put(DirectoryServer.getTopObjectClass(), "top");
        linkedHashMap.put(this.ocInstanceKey, ConfigConstants.OC_CRYPTO_INSTANCE_KEY);
        HashMap hashMap = new HashMap();
        List<Attribute> attribute = entry.getAttribute(this.attrAlias);
        if (attribute != null) {
            hashMap.put(this.attrAlias, attribute);
        }
        List<Attribute> attribute2 = entry.getAttribute(this.attrCert);
        if (attribute2 != null) {
            hashMap.put(this.attrCert, attribute2);
        }
        AddOperation processAdd = InternalClientConnection.getRootConnection().processAdd(new Entry(dn, linkedHashMap, hashMap, null));
        if (processAdd.getResultCode() != ResultCode.SUCCESS) {
            ErrorLogger.logError(CoreMessages.INFO_TRUSTSTORESYNC_ADD_FAILED.get(String.valueOf(dn), String.valueOf(processAdd.getErrorMessage())));
        }
    }

    @Override // org.opends.server.api.ChangeNotificationListener
    public void handleAddOperation(PostResponseAddOperation postResponseAddOperation, Entry entry) {
        if (postResponseAddOperation.getEntryDN().isDescendantOf(this.instanceKeysDN)) {
            handleInstanceKeyAddOperation(entry);
            return;
        }
        if (postResponseAddOperation.getEntryDN().isDescendantOf(this.secretKeysDN)) {
            try {
                if (entry.hasObjectClass(this.ocCipherKey)) {
                    DirectoryServer.getCryptoManager().importCipherKeyEntry(entry);
                } else if (entry.hasObjectClass(this.ocMacKey)) {
                    DirectoryServer.getCryptoManager().importMacKeyEntry(entry);
                }
            } catch (CryptoManagerException e) {
                ErrorLogger.logError(Message.raw("Failed to import key entry: %s", e.getMessage()));
            }
        }
    }

    private void handleInstanceKeyAddOperation(Entry entry) {
        RDN rdn = entry.getDN().getRDN();
        if (rdn.isMultiValued() || !rdn.getAttributeType(0).equals(this.attrAlias)) {
            return;
        }
        DN concat = this.trustStoreRootDN.concat(rdn);
        if (entry.hasAttribute(this.attrCompromisedTime)) {
            return;
        }
        addEntry(entry, concat);
    }

    @Override // org.opends.server.api.ChangeNotificationListener
    public void handleDeleteOperation(PostResponseDeleteOperation postResponseDeleteOperation, Entry entry) {
        if (postResponseDeleteOperation.getEntryDN().isDescendantOf(this.instanceKeysDN)) {
            RDN rdn = entry.getDN().getRDN();
            if (rdn.isMultiValued() || !rdn.getAttributeType(0).equals(this.attrAlias)) {
                return;
            }
            deleteEntry(this.trustStoreRootDN.concat(rdn));
        }
    }

    @Override // org.opends.server.api.ChangeNotificationListener
    public void handleModifyOperation(PostResponseModifyOperation postResponseModifyOperation, Entry entry, Entry entry2) {
        if (postResponseModifyOperation.getEntryDN().isDescendantOf(this.instanceKeysDN)) {
            handleInstanceKeyModifyOperation(entry2);
            return;
        }
        if (postResponseModifyOperation.getEntryDN().isDescendantOf(this.secretKeysDN)) {
            try {
                if (entry2.hasObjectClass(this.ocCipherKey)) {
                    DirectoryServer.getCryptoManager().importCipherKeyEntry(entry2);
                } else if (entry2.hasObjectClass(this.ocMacKey)) {
                    DirectoryServer.getCryptoManager().importMacKeyEntry(entry2);
                }
            } catch (CryptoManagerException e) {
                ErrorLogger.logError(Message.raw("Failed to import modified key entry: %s", e.getMessage()));
            }
        }
    }

    private void handleInstanceKeyModifyOperation(Entry entry) {
        RDN rdn = entry.getDN().getRDN();
        if (rdn.isMultiValued() || !rdn.getAttributeType(0).equals(this.attrAlias)) {
            return;
        }
        DN concat = this.trustStoreRootDN.concat(rdn);
        Entry entry2 = null;
        try {
            entry2 = DirectoryServer.getEntry(concat);
        } catch (DirectoryException e) {
        }
        if (entry.hasAttribute(this.attrCompromisedTime)) {
            if (entry2 != null) {
                deleteEntry(concat);
            }
        } else if (entry2 == null) {
            addEntry(entry, concat);
        } else {
            modifyEntry(entry, entry2);
        }
    }

    @Override // org.opends.server.api.ChangeNotificationListener
    public void handleModifyDNOperation(PostResponseModifyDNOperation postResponseModifyDNOperation, Entry entry, Entry entry2) {
    }
}
