package org.kaazing.gateway.transport.ssl;

import java.io.IOException;
import java.net.URI;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.SortedSet;
import java.util.concurrent.Callable;
import javax.annotation.Resource;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import org.apache.mina.core.filterchain.IoFilter;
import org.apache.mina.core.filterchain.IoFilterAdapter;
import org.apache.mina.core.filterchain.IoFilterChain;
import org.apache.mina.core.future.IoFuture;
import org.apache.mina.core.service.IoHandler;
import org.apache.mina.core.service.TransportMetadata;
import org.apache.mina.core.session.IdleStatus;
import org.apache.mina.core.session.IoSession;
import org.apache.mina.filter.ssl.SslContextFactory;
import org.kaazing.gateway.resource.address.ResourceAddress;
import org.kaazing.gateway.resource.address.ResourceAddressFactory;
import org.kaazing.gateway.resource.address.ResourceOptions;
import org.kaazing.gateway.resource.address.ssl.SslResourceAddress;
import org.kaazing.gateway.security.KeySelector;
import org.kaazing.gateway.security.SecurityContext;
import org.kaazing.gateway.transport.AbstractBridgeAcceptor;
import org.kaazing.gateway.transport.Bindings;
import org.kaazing.gateway.transport.BridgeAcceptor;
import org.kaazing.gateway.transport.BridgeServiceFactory;
import org.kaazing.gateway.transport.BridgeSession;
import org.kaazing.gateway.transport.BridgeSessionInitializer;
import org.kaazing.gateway.transport.BridgeSessionInitializerAdapter;
import org.kaazing.gateway.transport.DefaultIoSessionConfigEx;
import org.kaazing.gateway.transport.DefaultTransportMetadata;
import org.kaazing.gateway.transport.IoHandlerAdapter;
import org.kaazing.gateway.transport.NextProtocolBindings;
import org.kaazing.gateway.transport.NextProtocolFilter;
import org.kaazing.gateway.transport.NioBindException;
import org.kaazing.gateway.transport.TransportKeySelector;
import org.kaazing.gateway.transport.TypedAttributeKey;
import org.kaazing.gateway.transport.ssl.bridge.filter.SslCertificateSelectionFilter;
import org.kaazing.gateway.transport.ssl.bridge.filter.SslCipherSelectionFilter;
import org.kaazing.gateway.transport.ssl.bridge.filter.SslClientHelloDecoder;
import org.kaazing.gateway.transport.ssl.bridge.filter.SslClientHelloEncoder;
import org.kaazing.gateway.transport.ssl.bridge.filter.SslFilter;
import org.kaazing.gateway.transport.ssl.cert.VirtualHostKeySelector;
import org.kaazing.gateway.util.ssl.SslCipherSuites;
import org.kaazing.mina.core.buffer.IoBufferAllocatorEx;
import org.kaazing.mina.core.future.UnbindFuture;
import org.kaazing.mina.core.service.IoProcessorEx;
import org.kaazing.mina.core.session.IoSessionEx;
import org.kaazing.mina.filter.codec.ProtocolCodecFilter;

/* loaded from: input_file:org/kaazing/gateway/transport/ssl/SslAcceptor.class */
public class SslAcceptor extends AbstractBridgeAcceptor<SslSession, NextProtocolBindings.NextProtocolBinding> {
    private static final TypedAttributeKey<SslSession> SESSION_KEY;
    private static final String CODEC_FILTER = "ssl#codec";
    private static final String CERTIFICATE_SELECTION_FILTER = "ssl#certificate_selection";
    private static final String CIPHER_SELECTION_FILTER = "ssl#cipher_selection";
    public static final String CLIENT_HELLO_CODEC_FILTER = "ssl#client_hello_codec";
    private static final String NEXT_PROTOCOL_FILTER = "ssl#nextProtocol";
    private static final String ENCRYPTION_DISABLED_FILTER = "ssl#encryption_disabled";
    private SSLContext sslContext;
    private SslContextFactory sslContextFactory;
    private SslCertificateSelectionFilter certificateSelection;
    private ResourceAddressFactory resourceAddressFactory;
    private BridgeServiceFactory bridgeServiceFactory;
    private VirtualHostKeySelector vhostKeySelector;
    private IoHandler secureBridgeHandler;
    private BridgeHandler unsecureBridgeHandler;

    @Deprecated
    public static final TypedAttributeKey<ResourceAddress> SSL_RESOURCE_ADDRESS;
    static final /* synthetic */ boolean $assertionsDisabled;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/kaazing/gateway/transport/ssl/SslAcceptor$BridgeHandler.class */
    public final class BridgeHandler extends IoHandlerAdapter<IoSessionEx> {
        private final boolean sslEncryptionEnabled;
        static final /* synthetic */ boolean $assertionsDisabled;

        public BridgeHandler(boolean z) {
            this.sslEncryptionEnabled = z;
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void doExceptionCaught(IoSessionEx ioSessionEx, Throwable th) throws Exception {
            if (SslAcceptor.this.logger.isDebugEnabled()) {
                String format = String.format("Error on SSL connection, closing connection: %s", th);
                if (SslAcceptor.this.logger.isTraceEnabled()) {
                    SslAcceptor.this.logger.debug(format, th);
                } else {
                    SslAcceptor.this.logger.debug(format);
                }
            }
            ioSessionEx.close(true);
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void doMessageReceived(IoSessionEx ioSessionEx, Object obj) throws Exception {
            if (obj == SslFilter.SESSION_SECURED) {
                SslAcceptor.this.removeFilter(ioSessionEx.getFilterChain(), SslAcceptor.this.certificateSelection);
                IoSession ioSession = (IoSession) SslAcceptor.SESSION_KEY.get(ioSessionEx);
                if (!$assertionsDisabled && ioSession != null) {
                    throw new AssertionError();
                }
                SslAcceptor.SESSION_KEY.set(ioSessionEx, createSslSession(ioSessionEx));
                return;
            }
            if (obj == SslFilter.SESSION_UNSECURED) {
                SslSession sslSession = (SslSession) SslAcceptor.SESSION_KEY.remove(ioSessionEx);
                if (sslSession == null || sslSession.isClosing()) {
                    return;
                }
                sslSession.getProcessor().remove(sslSession);
                return;
            }
            IoSession ioSession2 = (IoSession) SslAcceptor.SESSION_KEY.get(ioSessionEx);
            if (!$assertionsDisabled && ioSession2 == null) {
                throw new AssertionError();
            }
            ioSession2.getFilterChain().fireMessageReceived(obj);
        }

        /* JADX INFO: Access modifiers changed from: private */
        public SslSession createSslSession(final IoSessionEx ioSessionEx) throws Exception {
            return (SslSession) SslAcceptor.this.newSession(null, new Callable<SslSession>() { // from class: org.kaazing.gateway.transport.ssl.SslAcceptor.BridgeHandler.1
                static final /* synthetic */ boolean $assertionsDisabled;

                /* JADX WARN: Can't rename method to resolve collision */
                @Override // java.util.concurrent.Callable
                public SslSession call() {
                    ResourceAddress sslSessionLocalAddress = getSslSessionLocalAddress(ioSessionEx);
                    SslSession sslSession = new SslSession(SslAcceptor.this, SslAcceptor.this.getProcessor(), sslSessionLocalAddress, getSslSessionRemoteAddress(ioSessionEx, sslSessionLocalAddress), ioSessionEx);
                    sslSession.setHandler(SslAcceptor.this.getHandler(sslSession.getLocalAddress()));
                    return sslSession;
                }

                private ResourceAddress getSslSessionLocalAddress(IoSession ioSession) {
                    ResourceAddress resourceAddress = (ResourceAddress) SslAcceptor.SSL_RESOURCE_ADDRESS.remove(ioSession);
                    if (!$assertionsDisabled && resourceAddress == null) {
                        throw new AssertionError();
                    }
                    URI externalURI = resourceAddress.getExternalURI();
                    ResourceOptions newResourceOptions = ResourceOptions.FACTORY.newResourceOptions(resourceAddress);
                    newResourceOptions.setOption(ResourceAddress.NEXT_PROTOCOL, BridgeSession.NEXT_PROTOCOL_KEY.get(ioSession));
                    newResourceOptions.setOption(ResourceAddress.TRANSPORT, BridgeSession.LOCAL_ADDRESS.get(ioSession));
                    Bindings.Binding binding = SslAcceptor.this.bindings.getBinding(SslAcceptor.this.resourceAddressFactory.newResourceAddress(externalURI, newResourceOptions));
                    if (binding != null) {
                        return binding.bindAddress();
                    }
                    return null;
                }

                private ResourceAddress getSslSessionRemoteAddress(IoSession ioSession, ResourceAddress resourceAddress) {
                    return SslAcceptor.this.resourceAddressFactory.newResourceAddress(resourceAddress, (ResourceAddress) BridgeSession.REMOTE_ADDRESS.get(ioSession));
                }

                static {
                    $assertionsDisabled = !SslAcceptor.class.desiredAssertionStatus();
                }
            });
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void doSessionClosed(IoSessionEx ioSessionEx) throws Exception {
            SslSession sslSession = (SslSession) SslAcceptor.SESSION_KEY.remove(ioSessionEx);
            if (sslSession != null) {
                if (sslSession.isClosing()) {
                    sslSession.getProcessor().remove(sslSession);
                } else {
                    sslSession.reset(new IOException("Early termination of IO session").fillInStackTrace());
                }
            }
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void doSessionIdle(IoSessionEx ioSessionEx, IdleStatus idleStatus) throws Exception {
            SslSession sslSession = (SslSession) SslAcceptor.SESSION_KEY.get(ioSessionEx);
            if (sslSession != null) {
                sslSession.getFilterChain().fireSessionIdle(idleStatus);
            }
        }

        /* JADX INFO: Access modifiers changed from: protected */
        public void doSessionCreated(IoSessionEx ioSessionEx) throws Exception {
            ioSessionEx.setAttribute(SslFilter.USE_NOTIFICATION);
            SslAcceptor.this.addBridgeFilters(ioSessionEx.getFilterChain());
        }

        static {
            $assertionsDisabled = !SslAcceptor.class.desiredAssertionStatus();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/kaazing/gateway/transport/ssl/SslAcceptor$EncryptionDisabledFilter.class */
    public final class EncryptionDisabledFilter extends IoFilterAdapter {
        private EncryptionDisabledFilter() {
        }

        public void messageReceived(IoFilter.NextFilter nextFilter, IoSession ioSession, Object obj) throws Exception {
            SslAcceptor.SESSION_KEY.set(ioSession, SslAcceptor.this.unsecureBridgeHandler.createSslSession((IoSessionEx) ioSession));
            ioSession.getFilterChain().remove(this);
            super.messageReceived(nextFilter, ioSession, obj);
        }
    }

    public SslAcceptor() {
        super(new DefaultIoSessionConfigEx());
        this.secureBridgeHandler = new BridgeHandler(true);
        this.unsecureBridgeHandler = new BridgeHandler(false);
    }

    @Resource(name = "bridgeServiceFactory")
    public void setBridgeServiceFactory(BridgeServiceFactory bridgeServiceFactory) {
        this.bridgeServiceFactory = bridgeServiceFactory;
    }

    @Resource(name = "resourceAddressFactory")
    public void setResourceAddressFactory(ResourceAddressFactory resourceAddressFactory) {
        this.resourceAddressFactory = resourceAddressFactory;
    }

    @Resource(name = "securityContext")
    public void setSecurityContext(SecurityContext securityContext) {
        this.vhostKeySelector = new VirtualHostKeySelector();
        try {
            this.vhostKeySelector.init(securityContext.getKeyStore(), securityContext.getKeyStorePassword());
            try {
                this.sslContextFactory = new SslContextFactory();
                this.sslContextFactory.setTrustManagerFactoryKeyStore(securityContext.getTrustStore());
                char[] keyStorePassword = securityContext.getKeyStorePassword();
                this.sslContextFactory.setKeyManagerFactoryKeyStorePassword(keyStorePassword == null ? null : new String(keyStorePassword));
                this.sslContextFactory.setKeyManagerFactoryKeyStore(securityContext.getKeyStore());
                this.sslContextFactory.setKeyManagerFactory(KeyManagerFactory.getInstance("SslTransport", new SslProvider()));
                this.sslContextFactory.setServerSessionCacheSize(1);
            } catch (NoSuchAlgorithmException e) {
                throw new RuntimeException(e);
            }
        } catch (KeyStoreException e2) {
            throw new RuntimeException(e2);
        }
    }

    public TransportMetadata getTransportMetadata() {
        return new DefaultTransportMetadata(SslProtocol.NAME);
    }

    protected void init() {
        super.init();
        try {
            this.sslContext = this.sslContextFactory.newInstance();
        } catch (UnrecoverableKeyException e) {
            throw new RuntimeException("Unable to load necessary certificate keys from keystore; perhaps your keys are protected by passwords that are different from the keystore password?", e);
        } catch (Exception e2) {
            this.logger.error("Exception while creating SSL context: ", e2);
        }
        this.certificateSelection = new SslCertificateSelectionFilter(false);
    }

    protected Bindings<NextProtocolBindings.NextProtocolBinding> initBindings() {
        return new NextProtocolBindings();
    }

    protected IoProcessorEx<SslSession> initProcessor() {
        return new SslAcceptProcessor();
    }

    public void addBridgeFilters(IoFilterChain ioFilterChain) {
        SslFilter sslFilter = new SslFilter(this.sslContext, false, this.logger);
        IoSessionEx session = ioFilterChain.getSession();
        ResourceAddress resourceAddress = (ResourceAddress) SSL_RESOURCE_ADDRESS.get(session);
        boolean booleanValue = ((Boolean) resourceAddress.getOption(SslResourceAddress.ENCRYPTION_ENABLED)).booleanValue();
        if (booleanValue) {
            boolean booleanValue2 = ((Boolean) resourceAddress.getOption(SslResourceAddress.WANT_CLIENT_AUTH)).booleanValue();
            boolean booleanValue3 = ((Boolean) resourceAddress.getOption(SslResourceAddress.NEED_CLIENT_AUTH)).booleanValue();
            List resolve = SslCipherSuites.resolve(toCipherList((String[]) resourceAddress.getOption(SslResourceAddress.CIPHERS)));
            String[] strArr = (String[]) resolve.toArray(new String[resolve.size()]);
            if (this.logger.isTraceEnabled()) {
                this.logger.trace(String.format("Configured SSL/TLS ciphersuites:\n  %s", toCipherString(toCipherList(strArr))));
            }
            sslFilter.setWantClientAuth(booleanValue2);
            sslFilter.setNeedClientAuth(booleanValue3);
            sslFilter.setEnabledCipherSuites(strArr);
            sslFilter.setEnabledProtocols((String[]) resourceAddress.getOption(SslResourceAddress.PROTOCOLS));
            SslCipherSelectionFilter sslCipherSelectionFilter = new SslCipherSelectionFilter(CIPHER_SELECTION_FILTER, CODEC_FILTER, sslFilter, this.logger);
            IoBufferAllocatorEx bufferAllocator = session.getBufferAllocator();
            ioFilterChain.addFirst(CERTIFICATE_SELECTION_FILTER, this.certificateSelection);
            ioFilterChain.addAfter(CERTIFICATE_SELECTION_FILTER, CLIENT_HELLO_CODEC_FILTER, new ProtocolCodecFilter(new SslClientHelloEncoder(), new SslClientHelloDecoder(bufferAllocator)));
            ioFilterChain.addAfter(CLIENT_HELLO_CODEC_FILTER, CIPHER_SELECTION_FILTER, sslCipherSelectionFilter);
        }
        NextProtocolBindings.NextProtocolBinding binding0 = this.bindings.getBinding0(resourceAddress);
        if (binding0 == null) {
            session.close(true);
            return;
        }
        SortedSet nextProtocolNames = binding0.getNextProtocolNames();
        if (nextProtocolNames.isEmpty()) {
            BridgeSession.NEXT_PROTOCOL_KEY.set(session, (Object) null);
        } else if (nextProtocolNames.size() == 1) {
            BridgeSession.NEXT_PROTOCOL_KEY.set(session, nextProtocolNames.first());
        } else {
            ioFilterChain.addLast(NEXT_PROTOCOL_FILTER, new NextProtocolFilter(this.bridgeServiceFactory.getTransportFactory().getProtocolDispatchers().values()));
        }
        if (booleanValue) {
            return;
        }
        ioFilterChain.addLast(ENCRYPTION_DISABLED_FILTER, new EncryptionDisabledFilter());
    }

    private List<String> toCipherList(String[] strArr) {
        if (strArr == null || strArr.length == 0) {
            return null;
        }
        ArrayList arrayList = new ArrayList(strArr.length);
        Collections.addAll(arrayList, strArr);
        return arrayList;
    }

    private String toCipherString(List<String> list) {
        if (list == null || list.size() == 0) {
            return null;
        }
        StringBuilder sb = new StringBuilder();
        Iterator<String> it = list.iterator();
        while (it.hasNext()) {
            sb.append("  ").append(it.next()).append("\n");
        }
        return sb.toString().trim();
    }

    public void removeBridgeFilters(IoFilterChain ioFilterChain) {
        removeFilter(ioFilterChain, CODEC_FILTER);
        removeFilter(ioFilterChain, CIPHER_SELECTION_FILTER);
        removeFilter(ioFilterChain, CLIENT_HELLO_CODEC_FILTER);
        removeFilter(ioFilterChain, CERTIFICATE_SELECTION_FILTER);
        removeFilter(ioFilterChain, NEXT_PROTOCOL_FILTER);
    }

    protected boolean canBind(String str) {
        return str.equals(SslProtocol.NAME);
    }

    protected <T extends IoFuture> void bindInternal(final ResourceAddress resourceAddress, IoHandler ioHandler, BridgeSessionInitializer<T> bridgeSessionInitializer) {
        boolean booleanValue = ((Boolean) resourceAddress.getOption(SslResourceAddress.ENCRYPTION_ENABLED)).booleanValue();
        if (booleanValue) {
            try {
                VirtualHostKeySelector virtualHostKeySelector = (KeySelector) resourceAddress.getOption(SslResourceAddress.KEY_SELECTOR);
                if (virtualHostKeySelector == null) {
                    virtualHostKeySelector = this.vhostKeySelector;
                }
                TransportKeySelector transportKeySelector = (TransportKeySelector) TransportKeySelector.class.cast(virtualHostKeySelector);
                this.certificateSelection.setKeySelector(transportKeySelector);
                transportKeySelector.bind(resourceAddress);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        ResourceAddress transport = resourceAddress.getTransport();
        if (!$assertionsDisabled && transport == null) {
            throw new AssertionError();
        }
        IoHandler ioHandler2 = booleanValue ? this.secureBridgeHandler : this.unsecureBridgeHandler;
        BridgeAcceptor newBridgeAcceptor = this.bridgeServiceFactory.newBridgeAcceptor(transport);
        try {
            final BridgeSessionInitializer parentInitializer = bridgeSessionInitializer != null ? bridgeSessionInitializer.getParentInitializer(this.bridgeServiceFactory.getTransportFactory().getProtocol(transport.getResource().getScheme())) : null;
            newBridgeAcceptor.bind(transport, ioHandler2, new BridgeSessionInitializerAdapter<T>() { // from class: org.kaazing.gateway.transport.ssl.SslAcceptor.1
                /* JADX WARN: Incorrect types in method signature: (Lorg/apache/mina/core/session/IoSession;TT;)V */
                public void initializeSession(IoSession ioSession, IoFuture ioFuture) {
                    SslAcceptor.SSL_RESOURCE_ADDRESS.set(ioSession, resourceAddress);
                    if (parentInitializer != null) {
                        parentInitializer.initializeSession(ioSession, ioFuture);
                    }
                }
            });
        } catch (NioBindException e2) {
            Iterable<ResourceAddress> failedAddresses = e2.getFailedAddresses();
            for (ResourceAddress resourceAddress2 : failedAddresses) {
                if (newBridgeAcceptor.getHandler(resourceAddress2) == this.secureBridgeHandler) {
                    throw new RuntimeException(resourceAddress2 + " is configured as a secure port in a service already and cannot be bound as an unsecure port in service: " + resourceAddress, e2);
                }
            }
            throw new RuntimeException("Unable to bind address " + failedAddresses.iterator().next() + ": " + e2.getMessage(), e2);
        }
    }

    protected UnbindFuture unbindInternal(ResourceAddress resourceAddress, IoHandler ioHandler, BridgeSessionInitializer<? extends IoFuture> bridgeSessionInitializer) {
        ResourceAddress transport = resourceAddress.getTransport();
        if (!$assertionsDisabled && transport == null) {
            throw new AssertionError();
        }
        ResourceAddress transport2 = resourceAddress.getTransport();
        if (((Boolean) resourceAddress.getOption(SslResourceAddress.ENCRYPTION_ENABLED)).booleanValue()) {
            try {
                VirtualHostKeySelector virtualHostKeySelector = (KeySelector) resourceAddress.getOption(SslResourceAddress.KEY_SELECTOR);
                if (virtualHostKeySelector == null) {
                    virtualHostKeySelector = this.vhostKeySelector;
                }
                ((TransportKeySelector) TransportKeySelector.class.cast(virtualHostKeySelector)).unbind(resourceAddress);
            } catch (Exception e) {
                throw new RuntimeException(e);
            }
        }
        return this.bridgeServiceFactory.newBridgeAcceptor(transport2).unbind(transport2);
    }

    static {
        $assertionsDisabled = !SslAcceptor.class.desiredAssertionStatus();
        SESSION_KEY = new TypedAttributeKey<>(SslAcceptor.class, "session");
        SSL_RESOURCE_ADDRESS = new TypedAttributeKey<>(SslFilter.class, "sslResourceAddress");
    }
}
