package org.wildfly.security.tool;

import java.io.BufferedReader;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileReader;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Paths;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.NoSuchAlgorithmException;
import java.security.spec.AlgorithmParameterSpec;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import org.apache.commons.cli.CommandLine;
import org.apache.commons.cli.CommandLineParser;
import org.apache.commons.cli.DefaultParser;
import org.apache.commons.cli.HelpFormatter;
import org.apache.commons.cli.Option;
import org.apache.commons.cli.Options;
import org.apache.lucene.analysis.fa.PersianAnalyzer;
import org.jboss.resteasy.security.doseta.DKIMSignature;
import org.jgroups.protocols.INJECT_VIEW;
import org.jose4j.jwe.KeyManagementAlgorithmIdentifiers;
import org.jose4j.jwk.OctetSequenceJsonWebKey;
import org.picketbox.plugins.vault.PicketBoxSecurityVault;
import org.wildfly.extension.elytron.ElytronDescriptionConstants;
import org.wildfly.security.auth.SupportLevel;
import org.wildfly.security.auth.server.IdentityCredentials;
import org.wildfly.security.credential.Credential;
import org.wildfly.security.credential.PasswordCredential;
import org.wildfly.security.credential.SecretKeyCredential;
import org.wildfly.security.credential.source.CredentialSource;
import org.wildfly.security.credential.store.CredentialStore;
import org.wildfly.security.credential.store.impl.KeyStoreCredentialStore;
import org.wildfly.security.credential.store.impl.VaultCredentialStore;
import org.wildfly.security.password.interfaces.ClearPassword;
import org.wildfly.security.util.PasswordBasedEncryptionUtil;

/* loaded from: input_file:wildfly.zip:bin/wildfly-elytron-tool.jar:org/wildfly/security/tool/VaultCommand.class */
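/**
 * The {@code vault} sub-command of the Elytron tool: converts a legacy PicketBox vault
 * (a JCEKS key store holding the vault's admin secret key, plus a directory containing
 * {@code VAULT.dat}) into an Elytron credential store. Either a single vault is described
 * on the command line, or several vaults are listed in a descriptor file
 * ({@code --bulk-convert}), one {@code key: value} pair per line.
 *
 * <p>Security notes for operators and reviewers:
 * <ul>
 *   <li>The vault password may be given in clear text or in the PicketBox
 *       {@code MASK-...} form. A masked password is decoded with the legacy PicketBox
 *       PBE scheme ({@link PasswordBasedEncryptionUtil} in PicketBox-compatibility mode)
 *       using the supplied salt and iteration count. The command-line defaults
 *       ({@code 12345678} / {@code 23}) exist only for compatibility with that format;
 *       masking is obfuscation, not encryption, and must not be relied on for secrecy.</li>
 *   <li>{@code --summary} prints a ready-to-use credential-store command to stdout that
 *       embeds the vault password (re-masked with the salt/iteration count when both are
 *       known, otherwise exactly as supplied, i.e. possibly in clear text). Treat that
 *       output, and any log capturing it, as sensitive.</li>
 *   <li>Descriptor files carry vault passwords in clear text (or masked); restrict
 *       their file permissions.</li>
 *   <li>The decoded vault password is zeroed once the admin key has been read from the
 *       key store; the {@code String} form supplied by the caller cannot be cleared.</li>
 * </ul>
 *
 * <p>This listing is decompiler output. String constants that the decompiler resolved
 * against unrelated libraries (jose4j, RESTEasy, Lucene, JGroups, PicketBox) are replaced
 * here by local literals so the class does not take on those dependencies; the (now
 * unused) imports are left for the build to prune.
 */
public class VaultCommand extends Command {
    static final String defaultKeyStoreType = "JCEKS";
    public static final String VAULT_COMMAND = "vault";
    public static final String STORE_LOCATION_PARAM = "location";
    public static final String PRINT_SUMMARY_PARAM = "summary";
    public static final String FAIL_IF_EXIST_PARAM = "fail-if-exist";
    // Made final: a public mutable static would let any code on the class path rename the option.
    public static final String BULK_CONVERT_PARAM = "bulk-convert";
    public static final String KEYSTORE_PARAM = "keystore";
    public static final String KEYSTORE_PASSWORD_PARAM = "keystore-password";
    public static final String ENC_DIR_PARAM = "enc-dir";
    public static final String SALT_PARAM = "salt";
    public static final String ITERATION_PARAM = "iteration";
    public static final String ALIAS_PARAM = "alias";
    public static final String HELP_PARAM = "help";
    public static final String DEBUG_PARAM = "debug";

    /** Prefix marking a PicketBox-masked password; the remainder is the encoded ciphertext. */
    private static final String PASS_MASK_PREFIX = "MASK-";
    /** Separator between masked password, salt and iteration count in the printed summary. */
    private static final String MASK_FIELD_SEPARATOR = ";";
    /** Descriptor-file lines starting with this are comments. */
    private static final String DESCRIPTOR_COMMENT_PREFIX = "#";
    /** Credential-store attribute that makes the new store writable. */
    private static final String MODIFIABLE_ATTRIBUTE = "modifiable";
    /** Credential-store attribute that requests creation of a new store. */
    private static final String CREATE_ATTRIBUTE = "create";
    /** Descriptor-file / command-line key for implementation properties of the new store. */
    private static final String PROPERTIES_PARAM = "properties";
    private static final String TYPE_PARAM = "type";
    private static final String OTHER_PROVIDERS_PARAM = "other-providers";

    private final CommandLineParser parser = new DefaultParser();
    private CommandLine cmdLine = null;
    private final Options options = new Options();

    /**
     * One vault-to-credential-store conversion read from a {@code --bulk-convert}
     * descriptor file. Fields are filled in by {@link #parseDescriptorFile(String)} and
     * stay {@code null} (or {@code 0} for {@link #iterationCount}) when the descriptor
     * does not mention them. Originally a private nested class (per the decompiler note).
     */
    private static final class Descriptor {
        String keyStoreURL;
        String vaultPassword;
        String encryptionDirectory;
        String salt;
        int iterationCount;
        String secretKeyAlias;
        Map<String, String> implProps;
        String outputFile;
        String csType;
        String csProvider;
        String csOtherProviders;

        private Descriptor() {
        }
    }

    /** Registers all command-line options of the {@code vault} command. */
    public VaultCommand() {
        Option keyStore = new Option("k", KEYSTORE_PARAM, true, ElytronToolMessages.msg.cmdLineVaultKeyStoreURL());
        keyStore.setArgName(KEYSTORE_PARAM);
        options.addOption(keyStore);

        Option keyStorePassword = new Option("p", KEYSTORE_PASSWORD_PARAM, true, ElytronToolMessages.msg.cmdLineVaultKeyStorePassword());
        keyStorePassword.setArgName("pwd");
        options.addOption(keyStorePassword);

        Option encryptionDirectory = new Option("e", ENC_DIR_PARAM, true, ElytronToolMessages.msg.cmdLineVaultEncryptionDirectory());
        encryptionDirectory.setArgName("dir");
        options.addOption(encryptionDirectory);

        Option salt = new Option("s", SALT_PARAM, true, ElytronToolMessages.msg.cmdVaultLineSalt());
        salt.setArgName(SALT_PARAM);
        options.addOption(salt);

        options.addOption(new Option("i", ITERATION_PARAM, true, ElytronToolMessages.msg.cmdLineVaultIterationCount()));
        options.addOption(new Option("v", ALIAS_PARAM, true, ElytronToolMessages.msg.cmdLineVaultKeyStoreAlias()));

        Option location = new Option("l", STORE_LOCATION_PARAM, true, ElytronToolMessages.msg.cmdLineVaultCSLocationDesc());
        location.setArgName("loc");
        options.addOption(location);

        Option properties = new Option("u", PROPERTIES_PARAM, true, ElytronToolMessages.msg.cmdLineVaultCSParametersDesc());
        properties.setValueSeparator(';');
        properties.setOptionalArg(true);
        options.addOption(properties);

        Option type = new Option("t", TYPE_PARAM, true, ElytronToolMessages.msg.cmdLineVaultCSTypeDesc());
        type.setArgName(TYPE_PARAM);
        options.addOption(type);

        Option otherProviders = new Option("o", OTHER_PROVIDERS_PARAM, true, ElytronToolMessages.msg.cmdLineOtherProvidersDesc());
        otherProviders.setArgName("providers");
        otherProviders.setOptionalArg(true);
        options.addOption(otherProviders);

        Option customProvider = new Option("q", CredentialStoreCommand.CUSTOM_CREDENTIAL_STORE_PROVIDER_PARAM, true, ElytronToolMessages.msg.cmdLineCustomCredentialStoreProviderDesc());
        customProvider.setArgName("cs-provider");
        customProvider.setOptionalArg(true);
        options.addOption(customProvider);

        options.addOption("f", PRINT_SUMMARY_PARAM, false, ElytronToolMessages.msg.cmdLineVaultPrintSummary());

        Option bulkConvert = new Option("b", BULK_CONVERT_PARAM, true, ElytronToolMessages.msg.cliCommandBulkVaultCredentialStoreConversion());
        bulkConvert.setArgName("description file");
        options.addOption(bulkConvert);
        options.addOption(new Option("h", HELP_PARAM, false, ElytronToolMessages.msg.cmdLineHelp()));
        options.addOption(new Option("d", DEBUG_PARAM, false, ElytronToolMessages.msg.cmdLineDebug()));
    }

    /**
     * Runs the command.
     *
     * <p>The exit status starts as {@code GENERAL_CONFIGURATION_ERROR} and is set to
     * {@code ElytronToolExitStatus_OK} only once help was printed or every conversion
     * succeeded. With {@code --bulk-convert} the vault-specific options are rejected and
     * each descriptor entry is converted in turn; the first failure aborts the run.
     * Otherwise a single vault is converted from the command-line options, prompting for
     * the vault password when {@code --keystore-password} is absent.
     *
     * @param args raw command-line arguments
     * @throws Exception on option errors, descriptor errors, a malformed iteration count
     *         ({@link NumberFormatException}) or any conversion failure
     */
    @Override // org.wildfly.security.tool.Command
    public void execute(String[] args) throws Exception {
        setStatus(GENERAL_CONFIGURATION_ERROR);
        cmdLine = parser.parse(options, args, false);
        setEnableDebug(cmdLine.hasOption(DEBUG_PARAM));
        if (cmdLine.hasOption(HELP_PARAM)) {
            help();
            setStatus(ElytronTool.ElytronToolExitStatus_OK);
            return;
        }
        boolean summaryRequested = cmdLine.hasOption(PRINT_SUMMARY_PARAM);
        printDuplicatesWarning(cmdLine);

        String descriptorFile = cmdLine.getOptionValue(BULK_CONVERT_PARAM);
        if (descriptorFile != null && !descriptorFile.isEmpty()) {
            bulkConvert(descriptorFile, summaryRequested);
            setStatus(ElytronTool.ElytronToolExitStatus_OK);
            return;
        }

        String keyStoreURL = cmdLine.getOptionValue(KEYSTORE_PARAM, "vault.keystore");
        String vaultPassword = cmdLine.getOptionValue(KEYSTORE_PASSWORD_PARAM);
        String encryptionDirectory = cmdLine.getOptionValue(ENC_DIR_PARAM, "vault");
        // Legacy PicketBox defaults; they only determine how a MASK- password is decoded
        // (and how the summary re-masks it) and give no real protection.
        String salt = cmdLine.getOptionValue(SALT_PARAM, "12345678");
        int iterationCount = Integer.parseInt(cmdLine.getOptionValue(ITERATION_PARAM, "23"));
        String secretKeyAlias = cmdLine.getOptionValue(ALIAS_PARAM, "vault");
        String outputFile = cmdLine.getOptionValue(STORE_LOCATION_PARAM);
        Map<String, String> implProps = CredentialStoreCommand.parseCredentialStoreProperties(cmdLine.getOptionValue(PROPERTIES_PARAM));
        String csType = cmdLine.getOptionValue(TYPE_PARAM, KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE);
        String csProvider = cmdLine.getOptionValue(CredentialStoreCommand.CUSTOM_CREDENTIAL_STORE_PROVIDER_PARAM);
        String csOtherProviders = cmdLine.getOptionValue(OTHER_PROVIDERS_PARAM);

        if (outputFile == null || outputFile.isEmpty()) {
            outputFile = convertedStoreName(encryptionDirectory, implProps);
        }
        if (vaultPassword == null) {
            // Interactive entry keeps the password out of the process argument list.
            vaultPassword = prompt(false, ElytronToolMessages.msg.vaultPasswordPrompt(), true, ElytronToolMessages.msg.vaultPasswordPromptConfirm());
        }

        HashMap<String, String> csAttributes = convert(keyStoreURL, vaultPassword, encryptionDirectory, salt, iterationCount,
                secretKeyAlias, outputFile, implProps, csType, csProvider, csOtherProviders);
        System.out.println(ElytronToolMessages.msg.vaultConvertedToCS(encryptionDirectory, keyStoreURL, outputFile));
        setStatus(ElytronTool.ElytronToolExitStatus_OK);
        if (summaryRequested) {
            printSummary(vaultPassword, salt, iterationCount, csAttributes);
        }
    }

    /**
     * Converts every vault listed in a descriptor file.
     *
     * @param descriptorFile path of the descriptor file
     * @param summaryRequested whether to print the credential-store summary after each conversion
     * @throws Exception if a vault-specific option was also given on the command line, the
     *         descriptor defines no key store, or any single conversion fails (wrapped with
     *         the vault's directory and key store for context)
     */
    private void bulkConvert(String descriptorFile, boolean summaryRequested) throws Exception {
        checkInvalidOptions(KEYSTORE_PARAM, KEYSTORE_PASSWORD_PARAM, ENC_DIR_PARAM, SALT_PARAM, ITERATION_PARAM, ALIAS_PARAM, STORE_LOCATION_PARAM);
        List<Descriptor> descriptors = parseDescriptorFile(descriptorFile);
        if (descriptors.isEmpty()) {
            throw ElytronToolMessages.msg.undefinedKeystore(descriptorFile);
        }
        for (Descriptor d : descriptors) {
            try {
                HashMap<String, String> csAttributes = convert(d.keyStoreURL, d.vaultPassword, d.encryptionDirectory, d.salt,
                        d.iterationCount, d.secretKeyAlias, d.outputFile, d.implProps, d.csType, d.csProvider, d.csOtherProviders);
                System.out.println(ElytronToolMessages.msg.vaultConvertedToCS(d.encryptionDirectory, d.keyStoreURL, d.outputFile));
                if (summaryRequested) {
                    // NOTE(review): a descriptor without "salt" makes printSummary emit the
                    // password exactly as written in the descriptor (possibly clear text).
                    printSummary(d.vaultPassword, d.salt, d.iterationCount, csAttributes);
                }
            } catch (Throwable t) {
                throw ElytronToolMessages.msg.bulkConversionProblem(d.encryptionDirectory, d.keyStoreURL, t);
            }
        }
    }

    /**
     * Rejects options that conflict with {@code --bulk-convert}.
     *
     * @param optionNames long option names that must not be present
     * @throws Exception the tool's "invalid option for bulk conversion" error for the first one found
     */
    private void checkInvalidOptions(String... optionNames) throws Exception {
        for (String name : optionNames) {
            if (cmdLine.hasOption(name)) {
                throw ElytronToolMessages.msg.bulkConversionInvalidOption(name);
            }
        }
    }

    /** Prints the usage text for the {@code vault} command. */
    @Override // org.wildfly.security.tool.Command
    public void help() {
        HelpFormatter formatter = new HelpFormatter();
        formatter.setWidth(WIDTH);
        formatter.printHelp(ElytronToolMessages.msg.cmdHelp(getToolCommand(), VAULT_COMMAND),
                ElytronToolMessages.msg.cmdVaultHelpHeader().concat(ElytronToolMessages.msg.cmdLineActionsHelpHeader()),
                options, "", true);
    }

    /**
     * Chooses the output file of the converted store when {@code --location} is absent:
     * the {@code location} implementation property if given, otherwise
     * {@code <encryptionDirectory>/converted-vault.cr-store}.
     *
     * @param encryptionDirectory the vault's encryption directory (may be empty)
     * @param implProps implementation properties parsed from {@code --properties}; must not be null
     * @return the output path
     */
    private String convertedStoreName(String encryptionDirectory, Map<String, String> implProps) {
        String explicitLocation = implProps.get(STORE_LOCATION_PARAM);
        if (explicitLocation != null && !explicitLocation.isEmpty()) {
            return explicitLocation;
        }
        boolean needsSeparator = !encryptionDirectory.isEmpty() && !encryptionDirectory.endsWith(File.separator);
        return encryptionDirectory + (needsSeparator ? File.separator : "") + "converted-vault.cr-store";
    }

    /**
     * Opens a legacy vault and copies every password it holds into a newly created
     * credential store.
     *
     * @param keyStoreURL path of the vault's JCEKS key store
     * @param vaultPassword vault password, clear text or {@code MASK-...}
     * @param encryptionDirectory directory containing {@code VAULT.dat}
     * @param salt salt used to decode a masked password
     * @param iterationCount iteration count used to decode a masked password
     * @param secretKeyAlias alias of the vault admin key in the key store
     * @param outputFile path of the credential store to create; must not already exist
     * @param implProps extra attributes for the new store (may be null)
     * @param csType credential store type; defaults to {@code KeyStoreCredentialStore}
     * @param csProvider explicit provider for the new store type, or null
     * @param csOtherProviders providers made available to the new store, or null
     * @return the attributes the new store was initialised with (used by the summary)
     * @throws Exception for missing arguments, a missing {@code VAULT.dat}, an existing
     *         output file, or any key store / credential store failure
     */
    private HashMap<String, String> convert(String keyStoreURL, String vaultPassword, String encryptionDirectory, String salt,
                                            int iterationCount, String secretKeyAlias, String outputFile, Map<String, String> implProps,
                                            String csType, String csProvider, String csOtherProviders) throws Exception {
        if (encryptionDirectory == null || encryptionDirectory.isEmpty()) {
            throw ElytronToolMessages.msg.undefinedEncryptionDirectory();
        }
        if (!new File(encryptionDirectory, "VAULT.dat").exists()) {
            throw ElytronToolMessages.msg.vaultFileNotFound(encryptionDirectory);
        }
        if (secretKeyAlias == null || secretKeyAlias.isEmpty()) {
            throw ElytronToolMessages.msg.undefinedAlias();
        }
        if (outputFile == null || outputFile.isEmpty()) {
            throw ElytronToolMessages.msg.undefinedOutputLocation();
        }
        if (vaultPassword == null || vaultPassword.isEmpty()) {
            throw ElytronToolMessages.msg.undefinedVaultPassword();
        }

        Map<String, String> vaultAttributes = new HashMap<>();
        vaultAttributes.put(STORE_LOCATION_PARAM, encryptionDirectory);
        CredentialStore vault = CredentialStore.getInstance(VaultCredentialStore.VAULT_CREDENTIAL_STORE);
        vault.initialize(vaultAttributes, getVaultCredentialStoreProtectionParameter(keyStoreURL, vaultPassword, salt, iterationCount, secretKeyAlias));

        // Refuse to overwrite an existing store. This is a plain check-then-create, so a file
        // that appears between here and initialize() is not detected; acceptable for a CLI tool.
        if (Files.exists(Paths.get(outputFile), new LinkOption[0])) {
            throw ElytronToolMessages.msg.storageFileExists(outputFile);
        }
        HashMap<String, String> csAttributes = new HashMap<>();
        csAttributes.put(STORE_LOCATION_PARAM, outputFile);
        csAttributes.put(MODIFIABLE_ATTRIBUTE, Boolean.TRUE.toString());
        if (implProps != null) {
            csAttributes.putAll(implProps);
        }
        // Set after putAll so caller-supplied properties cannot turn creation off.
        csAttributes.put(CREATE_ATTRIBUTE, Boolean.TRUE.toString());

        String storeType = (csType == null || csType.isEmpty()) ? KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE : csType;
        if (storeType.equals(KeyStoreCredentialStore.KEY_STORE_CREDENTIAL_STORE)) {
            // The key-store-backed store is always created as JCEKS, overriding any
            // keyStoreType passed through the implementation properties.
            csAttributes.put("keyStoreType", defaultKeyStoreType);
        }

        CredentialStore target;
        if (csProvider != null) {
            target = CredentialStore.getInstance(storeType, csProvider, getProvidersSupplier(csProvider));
        } else {
            try {
                target = CredentialStore.getInstance(storeType);
            } catch (NoSuchAlgorithmException notRegistered) {
                // Type is not known to the JDK providers; retry with the tool's own supplier.
                target = CredentialStore.getInstance(storeType, getProvidersSupplier(null));
            }
        }
        target.initialize(csAttributes, getCredentialStoreProtectionParameter(vaultPassword, salt, iterationCount),
                getProvidersSupplier(csOtherProviders).get());
        for (String alias : vault.getAliases()) {
            target.store(alias, vault.retrieve(alias, PasswordCredential.class));
        }
        target.flush();
        return csAttributes;
    }

    /**
     * Parses a bulk-conversion descriptor file.
     *
     * <p>Format: one {@code key: value} per line; blank lines and lines starting with
     * {@code #} are ignored; a {@code keystore:} line starts a new entry. Values are
     * trimmed. The file is read with the platform default charset (as the original did).
     *
     * @param descriptorFile path of the descriptor file
     * @return the entries found; empty if no {@code keystore:} line was present
     * @throws IOException if the file cannot be read, a line lacks a colon, a key is
     *         unknown, or an {@code iteration} value is not an integer
     *         ({@link NumberFormatException})
     */
    private List<Descriptor> parseDescriptorFile(String descriptorFile) throws IOException {
        try (BufferedReader reader = new BufferedReader(new FileReader(new File(descriptorFile)))) {
            List<Descriptor> descriptors = new ArrayList<>();
            Descriptor current = new Descriptor();
            int lineNumber = 0;
            String line;
            while ((line = reader.readLine()) != null) {
                lineNumber++;
                String trimmed = line.trim();
                if (trimmed.isEmpty() || trimmed.startsWith(DESCRIPTOR_COMMENT_PREFIX)) {
                    continue;
                }
                int colon = trimmed.indexOf(':');
                if (colon == -1) {
                    throw ElytronToolMessages.msg.descriptorParseMissingColon(descriptorFile, Integer.toString(lineNumber));
                }
                String key = trimmed.substring(0, colon).trim();
                String value = trimmed.substring(colon + 1).trim();
                switch (key) {
                    case KEYSTORE_PARAM:
                        // A second key store closes the previous entry.
                        if (current.keyStoreURL != null) {
                            descriptors.add(current);
                            current = new Descriptor();
                        }
                        current.keyStoreURL = value;
                        break;
                    case KEYSTORE_PASSWORD_PARAM:
                        current.vaultPassword = value;
                        break;
                    case ENC_DIR_PARAM:
                        current.encryptionDirectory = value;
                        break;
                    case SALT_PARAM:
                        current.salt = value;
                        break;
                    case ITERATION_PARAM:
                        // NOTE(review): no lower bound is enforced; an absent value leaves 0.
                        current.iterationCount = Integer.parseInt(value);
                        break;
                    case ALIAS_PARAM:
                        current.secretKeyAlias = value;
                        break;
                    case STORE_LOCATION_PARAM:
                        current.outputFile = value;
                        break;
                    case PROPERTIES_PARAM:
                        current.implProps = CredentialStoreCommand.parseCredentialStoreProperties(value);
                        break;
                    case TYPE_PARAM:
                        current.csType = value;
                        break;
                    case CredentialStoreCommand.CUSTOM_CREDENTIAL_STORE_PROVIDER_PARAM:
                        current.csProvider = value;
                        break;
                    case OTHER_PROVIDERS_PARAM:
                        current.csOtherProviders = value;
                        break;
                    default:
                        throw ElytronToolMessages.msg.unrecognizedDescriptorAttribute(Integer.toString(lineNumber));
                }
            }
            if (current.keyStoreURL != null) {
                descriptors.add(current);
            }
            return descriptors;
        }
    }

    /**
     * Returns the vault password as a fresh char array, decoding it first if it is in
     * {@code MASK-...} form.
     *
     * @param vaultPassword clear-text or masked password
     * @param salt salt for decoding a masked password
     * @param iterationCount iteration count for decoding a masked password
     * @return the clear-text password; callers own the array and may zero it
     * @throws GeneralSecurityException if the masked form cannot be decoded
     */
    private char[] unmaskIfNeeded(String vaultPassword, String salt, int iterationCount) throws GeneralSecurityException {
        if (vaultPassword.startsWith(PASS_MASK_PREFIX)) {
            return decodeMaskedPassword(vaultPassword.substring(PASS_MASK_PREFIX.length()), salt, iterationCount);
        }
        return vaultPassword.toCharArray();
    }

    /**
     * Builds the protection parameter for the new credential store: the (unmasked) vault
     * password as a clear {@link PasswordCredential}. The array is handed to the
     * credential and is not cleared here.
     *
     * @param vaultPassword clear-text or masked vault password
     * @param salt salt for decoding a masked password
     * @param iterationCount iteration count for decoding a masked password
     * @return the protection parameter
     * @throws GeneralSecurityException if a masked password cannot be decoded
     */
    private CredentialStore.CredentialSourceProtectionParameter getCredentialStoreProtectionParameter(String vaultPassword, String salt, int iterationCount) throws GeneralSecurityException {
        char[] password = unmaskIfNeeded(vaultPassword, salt, iterationCount);
        ClearPassword clearPassword = ClearPassword.createRaw("clear", password);
        return new CredentialStore.CredentialSourceProtectionParameter(
                IdentityCredentials.NONE.withCredential(new PasswordCredential(clearPassword)));
    }

    /**
     * Builds the protection parameter for the legacy vault: loads the JCEKS key store with
     * the vault password, reads the admin secret key entry under {@code secretKeyAlias}
     * (the vault uses the same password for the store and the entry) and wraps it as a
     * {@link SecretKeyCredential}. The decoded password is zeroed before returning.
     *
     * @param keyStoreURL path of the key store file
     * @param vaultPassword clear-text or masked vault password
     * @param salt salt for decoding a masked password
     * @param iterationCount iteration count for decoding a masked password
     * @param secretKeyAlias alias of the admin key entry
     * @return a protection parameter whose credential source yields the admin key
     * @throws GeneralSecurityException if decoding, loading or entry retrieval fails
     * @throws IOException if the key store cannot be read, or the entry is not a secret key
     */
    private CredentialStore.CredentialSourceProtectionParameter getVaultCredentialStoreProtectionParameter(String keyStoreURL, String vaultPassword, String salt, int iterationCount, String secretKeyAlias) throws GeneralSecurityException, IOException {
        char[] password = unmaskIfNeeded(vaultPassword, salt, iterationCount);
        try {
            KeyStore keyStore = KeyStore.getInstance(defaultKeyStoreType);
            final KeyStore.Entry entry;
            try (FileInputStream keyStoreStream = new FileInputStream(new File(keyStoreURL))) {
                keyStore.load(keyStoreStream, password);
                entry = keyStore.getEntry(secretKeyAlias, new KeyStore.PasswordProtection(password));
            }
            if (!(entry instanceof KeyStore.SecretKeyEntry)) {
                throw ElytronToolMessages.msg.cannotLocateAdminKey(secretKeyAlias);
            }
            return new CredentialStore.CredentialSourceProtectionParameter(new CredentialSource() { // from class: org.wildfly.security.tool.VaultCommand.1
                // NOTE(review): returns null rather than a SupportLevel, as in the original;
                // VaultCredentialStore evidently does not consult it, but confirm before reuse.
                @Override // org.wildfly.security.credential.source.CredentialSource
                public SupportLevel getCredentialAcquireSupport(Class<? extends Credential> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws IOException {
                    return null;
                }

                @Override // org.wildfly.security.credential.source.CredentialSource
                public <C extends Credential> C getCredential(Class<C> credentialType, String algorithmName, AlgorithmParameterSpec parameterSpec) throws IOException {
                    return new SecretKeyCredential(((KeyStore.SecretKeyEntry) entry).getSecretKey()).castAs(credentialType, algorithmName, parameterSpec);
                }
            });
        } finally {
            // The admin key is what protects the vault from here on; drop the password copy.
            Arrays.fill(password, '\0');
        }
    }

    /**
     * Decodes a PicketBox-masked password (the part after {@code MASK-}) with the legacy
     * PBE scheme. Weak by design; it only has to match what PicketBox produced.
     *
     * @param masked encoded ciphertext
     * @param salt salt used when masking
     * @param iterationCount iteration count used when masking
     * @return the clear-text password
     * @throws GeneralSecurityException if decryption fails
     */
    private char[] decodeMaskedPassword(String masked, String salt, int iterationCount) throws GeneralSecurityException {
        return new PasswordBasedEncryptionUtil.Builder()
                .picketBoxCompatibility()
                .salt(salt)
                .iteration(iterationCount)
                .decryptMode()
                .build()
                .decodeAndDecrypt(masked);
    }

    /**
     * Prints the credential-store command equivalent to the conversion just performed.
     *
     * <p>The password is embedded in the output: when both a salt and a non-negative
     * iteration count are available it is printed masked ({@code MASK-...;salt;iteration},
     * re-masking a clear-text password first); otherwise it is printed as supplied. Masking
     * is reversible by anyone with the salt/iteration count, so the output is sensitive.
     *
     * @param vaultPassword the vault password as supplied (clear or masked), or null
     * @param salt salt for masking, or null
     * @param iterationCount iteration count for masking; ignored when negative
     * @param csAttributes attributes of the created store
     * @throws GeneralSecurityException if masking fails
     */
    private void printSummary(String vaultPassword, String salt, int iterationCount, Map<String, String> csAttributes) throws GeneralSecurityException {
        StringBuilder summary = new StringBuilder();
        summary.append(ElytronToolMessages.msg.conversionSuccessful());
        summary.append(ElytronToolMessages.msg.cliCommandToNewCredentialStore());
        String passwordForSummary = "";
        if (vaultPassword != null) {
            passwordForSummary = vaultPassword;
            if (salt != null && iterationCount > -1) {
                if (vaultPassword.startsWith(PASS_MASK_PREFIX)) {
                    passwordForSummary = vaultPassword + MASK_FIELD_SEPARATOR + salt + MASK_FIELD_SEPARATOR + iterationCount;
                } else {
                    passwordForSummary = MaskCommand.computeMasked(vaultPassword, salt, iterationCount);
                }
            }
        }
        CredentialStoreCommand.getCreateSummary(csAttributes, summary, passwordForSummary);
        System.out.println(ElytronToolMessages.msg.vaultConversionSummary(summary.toString()));
    }
}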
