package com.sun.enterprise.security.admin.cli;

import com.sun.enterprise.config.serverbeans.Config;
import com.sun.enterprise.config.serverbeans.Configs;
import com.sun.enterprise.config.serverbeans.HttpService;
import com.sun.enterprise.config.serverbeans.SecureAdminHelper;
import com.sun.enterprise.config.serverbeans.VirtualServer;
import com.sun.enterprise.security.SecurityUpgradeService;
import com.sun.enterprise.universal.process.ProcessManager;
import com.sun.enterprise.universal.process.ProcessManagerException;
import com.sun.enterprise.util.net.NetUtils;
import jakarta.inject.Inject;
import java.beans.PropertyVetoException;
import java.io.BufferedInputStream;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.lang.annotation.Annotation;
import java.net.UnknownHostException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.HashMap;
import java.util.Map;
import java.util.Properties;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.glassfish.api.admin.ServerEnvironment;
import org.glassfish.api.admin.config.ConfigurationUpgrade;
import org.glassfish.config.support.GrizzlyConfigSchemaMigrator;
import org.glassfish.grizzly.config.dom.NetworkConfig;
import org.glassfish.grizzly.config.dom.NetworkListener;
import org.glassfish.grizzly.config.dom.NetworkListeners;
import org.glassfish.grizzly.config.dom.Protocol;
import org.glassfish.hk2.api.PostConstruct;
import org.glassfish.internal.api.Globals;
import org.glassfish.security.common.MasterPassword;
import org.jvnet.hk2.annotations.Service;
import org.jvnet.hk2.config.RetryableException;
import org.jvnet.hk2.config.Transaction;
import org.jvnet.hk2.config.TransactionFailure;

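/**
 * Upgrades an older domain's configuration to the secure-admin layout.
 *
 * <p>Steps, in the order {@link #postConstruct()} runs them:
 * <ol>
 *   <li>give every non-DAS config an {@code admin-listener} network listener and an
 *       {@code __asadmin} virtual server if it has no admin listener yet;</li>
 *   <li>generate a {@code glassfish-instance} key pair in the domain keystore and import its
 *       certificate into the truststore, unless the keystore already has that alias;</li>
 *   <li>bind the DAS {@code admin-listener} network listener to the {@code admin-listener}
 *       protocol;</li>
 *   <li>if the original configuration already secured admin traffic, or the security upgrade
 *       service says it must be secured, run {@link EnableSecureAdminCommand}.</li>
 * </ol>
 * Configuration edits are enrolled in the transaction supplied by the superclass and committed
 * at the end; any failure is logged and the transaction is rolled back.
 */
@Service
public class SecureAdminConfigUpgrade extends SecureAdminUpgradeHelper implements ConfigurationUpgrade, PostConstruct {
    private static final String ADMIN_LISTENER_NAME = "admin-listener";
    private static final String ASADMIN_LISTENER_PORT = "${ASADMIN_LISTENER_PORT}";
    private static final String ASADMIN_LISTENER_TRANSPORT = "tcp";
    private static final String ASADMIN_LISTENER_THREADPOOL = "http-thread-pool";
    private static final String ASADMIN_VS_NAME = "__asadmin";
    /** Name of the DAS configuration; every other config is treated as a non-DAS config. */
    private static final String DAS_CONFIG_NAME = "server-config";
    /** Protocol the admin listener of a non-DAS config is bound to. */
    private static final String NON_DAS_ADMIN_PROTOCOL_NAME = "pu-protocol";
    /** Keystore and truststore alias of the instance key pair / certificate. */
    private static final String INSTANCE_ALIAS = "glassfish-instance";
    private static final String INSTANCE_CN_SUFFIX = "-instance";
    private static final String CACERTS_FILE_NAME = "cacerts.jks";
    private static final String TEMP_CERT_FILE_NAME = "temp.cer";
    /** Certificate validity handed to keytool, in days (ten years). */
    private static final String INSTANCE_CERT_VALIDITY_DAYS = "3650";
    private static final String PASSWORD_FILE_ARG = "-passwordfile";
    private static final String MASTER_PASSWORD_PROPERTY = "AS_ADMIN_MASTERPASSWORD";
    /** Master password assumed when no password file supplies one. */
    private static final String DEFAULT_MASTER_PASSWORD = "changeit";
    private static final Logger logger = Logger.getAnonymousLogger();
    private static final String CERTIFICATE_DN_PREFIX = "CN=";
    private static final String CERTIFICATE_DN_SUFFIX = ",OU=GlassFish,O=Eclipse.org Foundation Inc,L=Ottawa,ST=Ontario,C=CA";

    // Not read by this class; presumably injected so the Grizzly schema migration has run
    // before this upgrade executes — confirm against the HK2 wiring.
    @Inject
    private GrizzlyConfigSchemaMigrator grizzlyMigrator;

    @Inject
    private SecurityUpgradeService securityUpgradeService;

    @Inject
    private Configs configs;

    @Inject
    private ServerEnvironment serverEnv;

    // Not read by any method of this class; the password actually used is resolved by masterPassword().
    @Inject
    private MasterPassword masterPassword;

    /** Configs already enrolled in the transaction, keyed by config name, so each is enrolled only once. */
    private final Map<String, Config> writableConfigs = new HashMap<>();

    /**
     * Runs the whole upgrade inside the superclass transaction.
     *
     * <p>Every checked failure is caught here: it is logged together with the step that was
     * in progress and the transaction is rolled back. Nothing is rethrown, so a failed upgrade
     * leaves the original configuration untouched.
     */
    public void postConstruct() {
        if (Globals.getDefaultHabitat() == null) {
            Globals.setDefaultHabitat(this.habitat);
        }
        // Tracks the phase in progress so the failure log names it instead of printing "Error null".
        String step = "adding admin-listener network listeners to non-DAS configurations";
        try {
            ensureNonDASConfigsHaveAdminNetworkListener();
            logger.log(Level.INFO, "Added admin-listener network listeners to non-DAS configurations");
            step = "setting up the new default configuration";
            setupNewDefaultConfig();
            if (requiresSecureAdmin()) {
                step = "upgrading secure admin set-up";
                try {
                    ((EnableSecureAdminCommand) this.habitat.getService(EnableSecureAdminCommand.class, new Annotation[0])).run();
                    logger.log(Level.INFO, "Upgraded secure admin set-up");
                } catch (SecureAdminHelper.SecureAdminCommandException e) {
                    logger.log(Level.INFO, "Attempt to upgrade secure admin set-up failed", e);
                    throw e;
                }
            } else {
                logger.log(Level.INFO, "No secure admin set-up was detected in the original configuration so no upgrade of it was needed");
            }
            step = "committing the upgraded configuration";
            commit();
        } catch (Exception e) {
            logger.log(Level.SEVERE, "Error " + step, e);
            rollback();
        }
    }

    /**
     * Brings the DAS side up to date: instance key pair, secure-admin prerequisites, and the
     * DAS admin listener's protocol binding.
     */
    private void setupNewDefaultConfig() throws IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException, UnrecoverableKeyException, ProcessManagerException, TransactionFailure, RetryableException, PropertyVetoException {
        ensureKeyPairForInstanceAlias();
        ensureSecureAdminReady();
        prepareDASConfig();
    }

    /**
     * @return {@code true} if the original DAS admin protocol carried an SSL element, or the
     *         security upgrade service independently demands secure admin
     */
    private boolean requiresSecureAdmin() {
        return isOriginalAdminSecured() || this.securityUpgradeService.requiresSecureAdmin();
    }

    /**
     * Binds the DAS {@code admin-listener} network listener to the {@code admin-listener} protocol.
     *
     * @throws IllegalStateException if the DAS config or its admin listener is missing, instead of
     *         failing with a bare {@code NullPointerException} deep inside the config API
     */
    private void prepareDASConfig() throws TransactionFailure, PropertyVetoException {
        Config dasConfig = this.configs.getConfigByName(DAS_CONFIG_NAME);
        if (dasConfig == null) {
            throw new IllegalStateException("No configuration named " + DAS_CONFIG_NAME + " found");
        }
        NetworkListener adminListener = writableConfig(dasConfig).getNetworkConfig().getNetworkListener(ADMIN_LISTENER_NAME);
        if (adminListener == null) {
            throw new IllegalStateException("Configuration " + DAS_CONFIG_NAME + " has no " + ADMIN_LISTENER_NAME + " network listener");
        }
        NetworkListener writableListener = transaction().enroll(adminListener);
        writableListener.setProtocol(ADMIN_LISTENER_NAME);
    }

    /**
     * Adds an admin network listener and the {@code __asadmin} virtual server to {@code config}
     * unless it already has an admin listener.
     *
     * @param config       configuration to check and, if needed, extend
     * @param protocolName protocol the new admin listener is bound to
     */
    private void ensureConfigReady(Config config, String protocolName) throws TransactionFailure, PropertyVetoException {
        NetworkConfig networkConfig = config.getNetworkConfig();
        if (networkConfig.getNetworkListener(ADMIN_LISTENER_NAME) != null) {
            return;
        }
        Config writableConfig = writableConfig(config);
        createAdminNetworkListener(transaction(), networkConfig, protocolName);
        createAdminVirtualServer(transaction(), writableConfig);
    }

    /**
     * Returns the transaction-enrolled copy of {@code config}, enrolling it on first use.
     * Enrolling the same config twice is avoided by caching per config name.
     */
    private Config writableConfig(Config config) throws TransactionFailure {
        String name = config.getName();
        Config writable = this.writableConfigs.get(name);
        if (writable == null) {
            writable = transaction().enroll(config);
            this.writableConfigs.put(name, writable);
        }
        return writable;
    }

    /** Gives every config except the DAS one an admin listener bound to {@code pu-protocol}. */
    private void ensureNonDASConfigsHaveAdminNetworkListener() throws TransactionFailure, PropertyVetoException {
        for (Config config : this.configs.getConfig()) {
            if (DAS_CONFIG_NAME.equals(config.getName())) {
                continue;
            }
            ensureConfigReady(config, NON_DAS_ADMIN_PROTOCOL_NAME);
        }
    }

    /**
     * Creates the {@code admin-listener} network listener in {@code networkConfig}.
     *
     * @param transaction   transaction the listeners element is enrolled in
     * @param networkConfig network config receiving the listener
     * @param protocolName  protocol the listener is bound to
     * @return the newly created (transaction-enrolled) listener
     */
    private NetworkListener createAdminNetworkListener(Transaction transaction, NetworkConfig networkConfig, String protocolName) throws TransactionFailure {
        NetworkListeners writableListeners = transaction.enroll(networkConfig.getNetworkListeners());
        NetworkListener listener = writableListeners.createChild(NetworkListener.class);
        writableListeners.getNetworkListener().add(listener);
        listener.setName(ADMIN_LISTENER_NAME);
        listener.setProtocol(protocolName);
        // Port is a system-property reference resolved by the server, not a literal number.
        listener.setPort(ASADMIN_LISTENER_PORT);
        listener.setTransport(ASADMIN_LISTENER_TRANSPORT);
        listener.setThreadPool(ASADMIN_LISTENER_THREADPOOL);
        return listener;
    }

    /**
     * Creates the {@code __asadmin} virtual server in {@code config}, attached to the admin listener.
     *
     * @param transaction transaction the http-service element is enrolled in
     * @param config      (writable) config receiving the virtual server
     * @return the newly created (transaction-enrolled) virtual server
     */
    private VirtualServer createAdminVirtualServer(Transaction transaction, Config config) throws TransactionFailure, PropertyVetoException {
        HttpService writableHttpService = transaction.enroll(config.getHttpService());
        VirtualServer virtualServer = writableHttpService.createChild(VirtualServer.class);
        writableHttpService.getVirtualServer().add(virtualServer);
        virtualServer.setId(ASADMIN_VS_NAME);
        virtualServer.setNetworkListeners(ADMIN_LISTENER_NAME);
        return virtualServer;
    }

    /**
     * @return {@code true} if the DAS config exists and its {@code admin-listener} protocol has
     *         an {@code ssl} element; {@code false} if any link in that chain is absent
     */
    private boolean isOriginalAdminSecured() {
        Config dasConfig = this.configs.getConfigByName(DAS_CONFIG_NAME);
        if (dasConfig == null) {
            return false;
        }
        NetworkConfig networkConfig = dasConfig.getNetworkConfig();
        if (networkConfig == null) {
            return false;
        }
        Protocol adminProtocol = networkConfig.findProtocol(ADMIN_LISTENER_NAME);
        return adminProtocol != null && adminProtocol.getSsl() != null;
    }

    /**
     * Generates the {@code glassfish-instance} key pair in the domain keystore and imports its
     * certificate into the truststore, then reloads both in-memory stores. A no-op when the
     * keystore already holds that alias.
     *
     * <p>The work is delegated to the external {@code keytool} program; any non-zero exit
     * status is turned into a {@link RuntimeException} carrying keytool's output.
     */
    private void ensureKeyPairForInstanceAlias() throws IOException, NoSuchAlgorithmException, CertificateException, KeyStoreException, UnrecoverableKeyException, ProcessManagerException {
        if (sslUtils().getKeyStore().containsAlias(INSTANCE_ALIAS)) {
            return;
        }
        File keyStoreFile = this.serverEnv.getJKS();
        File caCertsFile = new File(this.serverEnv.getConfigDirPath(), CACERTS_FILE_NAME);
        String password = masterPassword();
        // NOTE(review): the master password is handed to keytool as plain command-line
        // arguments, so it is readable by other local users via the process table while each
        // keytool run lasts. keytool's -storepass:env / -keypass:env (and :file) forms avoid
        // that; whether ProcessManager lets the child environment be set is not visible here — confirm.
        runKeytool("key pair generation",
                "keytool", "-genkey", "-keyalg", "RSA",
                "-keystore", keyStoreFile.getAbsolutePath(),
                "-alias", INSTANCE_ALIAS,
                "-dname", getCertificateDN(),
                "-validity", INSTANCE_CERT_VALIDITY_DAYS,
                "-keypass", password, "-storepass", password);

        File tempCert = new File(this.serverEnv.getConfigDirPath(), TEMP_CERT_FILE_NAME);
        tempCert.deleteOnExit();
        try {
            runKeytool("certificate export",
                    "keytool", "-exportcert",
                    "-keystore", keyStoreFile.getAbsolutePath(),
                    "-alias", INSTANCE_ALIAS,
                    "-keypass", password, "-storepass", password,
                    "-file", tempCert.getAbsolutePath());
            runKeytool("certificate import",
                    "keytool", "-importcert", "-noprompt", "-trustcacerts",
                    "-storepass", password, "-keypass", password,
                    "-keystore", caCertsFile.getAbsolutePath(),
                    "-file", tempCert.getAbsolutePath(),
                    "-alias", INSTANCE_ALIAS);
        } finally {
            // The exported certificate only exists to seed the truststore; remove it even when
            // export or import fails rather than leaving it until JVM exit.
            if (tempCert.exists() && !tempCert.delete()) {
                logger.log(Level.FINE, "Unable to delete temp file {0}; continuing", tempCert.getAbsolutePath());
            }
        }
        reload(sslUtils().getKeyStore(), keyStoreFile, password);
        // NOTE(review): the certificate was imported into cacerts.jks under the config directory,
        // while the truststore reloaded here is whatever serverEnv.getTrustStore() returns; the
        // two are assumed to be the same file — confirm.
        reload(sslUtils().getTrustStore(), this.serverEnv.getTrustStore(), password);
    }

    /**
     * Runs one keytool invocation and fails loudly on a non-zero exit status.
     *
     * @param action  short description used in the failure message
     * @param command full command line, program name first
     * @throws RuntimeException if keytool exits non-zero; the message carries the exit code and
     *         both output streams, since keytool reports some errors on stdout and others on stderr
     */
    private static void runKeytool(String action, String... command) throws ProcessManagerException {
        ProcessManager processManager = new ProcessManager(command);
        processManager.execute();
        int exitValue = processManager.getExitValue();
        if (exitValue != 0) {
            throw new RuntimeException("keytool " + action + " failed with exit code " + exitValue
                    + "; stderr: " + processManager.getStderr()
                    + "; stdout: " + processManager.getStdout());
        }
    }

    /**
     * Re-reads {@code keyStore} from {@code file} so the in-memory store reflects what keytool wrote.
     *
     * @param keyStore store to (re)load
     * @param file     file to load it from
     * @param password store password
     */
    private void reload(KeyStore keyStore, File file, String password) throws FileNotFoundException, IOException, NoSuchAlgorithmException, CertificateException {
        try (BufferedInputStream in = new BufferedInputStream(new FileInputStream(file))) {
            keyStore.load(in, password.toCharArray());
        }
    }

    /**
     * Resolves the master password: the {@code AS_ADMIN_MASTERPASSWORD} entry of the file named by
     * the {@code -passwordfile} startup argument, or {@code changeit} when there is no such
     * argument or the file has no such entry.
     *
     * @throws IOException if a password file was named but cannot be read; this is propagated
     *         rather than silently replaced by the default password
     */
    private String masterPassword() throws CertificateException, IOException, KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
        String passwordFilePath = startupArg(PASSWORD_FILE_ARG);
        if (passwordFilePath == null) {
            return DEFAULT_MASTER_PASSWORD;
        }
        String fromFile = pwProps(passwordFilePath).getProperty(MASTER_PASSWORD_PROPERTY);
        return fromFile != null ? fromFile : DEFAULT_MASTER_PASSWORD;
    }

    /**
     * Loads the password file as {@link Properties}.
     *
     * @param pwFilePath path of the password file
     * @throws IOException if the file is missing or unreadable; previously this was swallowed and
     *         an empty {@code Properties} returned, which made a bad {@code -passwordfile} fall
     *         back to the default master password without any diagnostic
     */
    private Properties pwProps(String pwFilePath) throws IOException {
        Properties properties = new Properties();
        try (BufferedInputStream in = new BufferedInputStream(new FileInputStream(pwFilePath))) {
            properties.load(in);
        }
        return properties;
    }

    /**
     * Builds the DN for the instance certificate: {@code CN=<host>-instance} plus the fixed
     * organisation suffix. Falls back to {@code localhost} if the canonical host name cannot
     * be determined.
     */
    private String getCertificateDN() throws UnknownHostException {
        String hostName;
        try {
            hostName = NetUtils.getCanonicalHostName();
        } catch (Exception e) {
            hostName = "localhost";
        }
        return CERTIFICATE_DN_PREFIX + hostName + INSTANCE_CN_SUFFIX + CERTIFICATE_DN_SUFFIX;
    }
}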
