package com.forgerock.opendj.cli;

import com.forgerock.opendj.cli.BooleanArgument;
import com.forgerock.opendj.util.StaticUtils;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509KeyManager;
import javax.net.ssl.X509TrustManager;
import org.forgerock.i18n.LocalizableMessage;
import org.forgerock.i18n.slf4j.LocalizedLogger;
import org.forgerock.opendj.ldap.ConnectionFactory;
import org.forgerock.opendj.ldap.KeyManagers;
import org.forgerock.opendj.ldap.LDAPConnectionFactory;
import org.forgerock.opendj.ldap.SSLContextBuilder;
import org.forgerock.opendj.ldap.TrustManagers;
import org.forgerock.opendj.ldap.controls.AuthorizationIdentityRequestControl;
import org.forgerock.opendj.ldap.controls.PasswordPolicyRequestControl;
import org.forgerock.opendj.ldap.requests.BindRequest;
import org.forgerock.opendj.ldap.requests.Requests;
import org.forgerock.util.Options;
import org.forgerock.util.time.Duration;

/* loaded from: input_file:com/forgerock/opendj/cli/ConnectionFactoryProvider.class */
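/**
 * Builds the LDAP {@link ConnectionFactory} used by the OpenDJ command-line tools.
 *
 * <p>The constructor registers the standard connection arguments (host, port, bind DN,
 * password, SASL options, SSL/StartTLS and trust/key store settings) with the
 * {@link ArgumentParser}. The factory, its {@link SSLContext} and the {@link BindRequest}
 * are built lazily by {@link #getAuthenticatedConnectionFactory()} /
 * {@link #getUnauthenticatedConnectionFactory()} and cached on the instance; values that
 * were not supplied on the command line are prompted for when the
 * {@link ConsoleApplication} is interactive.
 *
 * <p>Instances cache the interactively entered password and are not synchronised; use
 * them from a single thread.
 */
public final class ConnectionFactoryProvider {
    static final LocalizedLogger logger = LocalizedLogger.getLoggerForThisClass();

    // Connection arguments; all are created and registered in the constructor.
    private final StringArgument hostNameArg;
    private final IntegerArgument portArg;
    private final StringArgument bindNameArg;
    private final FileBasedArgument bindPasswordFileArg;
    private final StringArgument bindPasswordArg;
    private final IntegerArgument connectTimeOut;
    private final BooleanArgument trustAllArg;
    private final StringArgument trustStorePathArg;
    private final StringArgument trustStorePasswordArg;
    private final FileBasedArgument trustStorePasswordFileArg;
    private final StringArgument keyStorePathArg;
    private final StringArgument keyStorePasswordArg;
    private final FileBasedArgument keyStorePasswordFileArg;
    private final StringArgument certNicknameArg;
    private final BooleanArgument useSSLArg;
    private final BooleanArgument useStartTLSArg;
    private final StringArgument saslOptionArg;
    private final BooleanArgument reportAuthzIDArg;
    private final BooleanArgument usePasswordPolicyControlArg;
    private final ConsoleApplication app;

    // Password read from the console, kept so that it is not prompted for twice.
    private char[] password;
    // Built lazily by getConnectionFactory() and then reused.
    private SSLContext sslContext;
    private ConnectionFactory connFactory;
    private BindRequest bindRequest;
    // Switches prompts to their "administration connection" wording.
    private boolean isAdminConnection;

    /**
     * Creates a provider with an empty default bind DN, the default LDAP port and SSL not forced.
     *
     * @param argumentParser     parser the connection arguments are registered with
     * @param consoleApplication console used for prompts and output
     * @throws ArgumentException if an argument cannot be registered
     */
    public ConnectionFactoryProvider(ArgumentParser argumentParser, ConsoleApplication consoleApplication) throws ArgumentException {
        this(argumentParser, consoleApplication, "", CliConstants.DEFAULT_LDAP_PORT, false);
    }

    /**
     * Creates a provider and registers every connection argument with {@code argumentParser}.
     *
     * @param argumentParser     parser the connection arguments are registered with
     * @param consoleApplication console used for prompts and output
     * @param str                default value of the bind DN argument
     * @param i                  default value of the port argument
     * @param z                  when {@code true} SSL is forced on: the useSSL argument is marked
     *                           present instead of being registered, the startTLS argument is not
     *                           registered at all, and the port argument is described as the
     *                           administration port
     * @throws ArgumentException if an argument cannot be registered
     */
    public ConnectionFactoryProvider(ArgumentParser argumentParser, ConsoleApplication consoleApplication, String str, int i, boolean z) throws ArgumentException {
        this.app = consoleApplication;

        // SSL / StartTLS: in forced-SSL mode neither option is offered to the user.
        this.useSSLArg = CommonArguments.useSSLArgument();
        if (z) {
            this.useSSLArg.setPresent(true);
        } else {
            argumentParser.addLdapConnectionArgument(this.useSSLArg);
        }
        this.useStartTLSArg = CommonArguments.startTLSArgument();
        if (!z) {
            argumentParser.addLdapConnectionArgument(this.useStartTLSArg);
        }

        // Endpoint and credentials. Registration order is preserved: it is the order shown in help.
        this.hostNameArg = CommonArguments.hostNameArgument("localhost");
        argumentParser.addLdapConnectionArgument(this.hostNameArg);
        LocalizableMessage portDescription = z ? CliMessages.INFO_DESCRIPTION_ADMIN_PORT.get() : CliMessages.INFO_DESCRIPTION_PORT.get();
        this.portArg = CommonArguments.portArgument(i, portDescription);
        argumentParser.addLdapConnectionArgument(this.portArg);
        this.bindNameArg = CommonArguments.bindDNArgument(str);
        argumentParser.addLdapConnectionArgument(this.bindNameArg);
        this.bindPasswordArg = CommonArguments.bindPasswordArgument();
        argumentParser.addLdapConnectionArgument(this.bindPasswordArg);
        this.bindPasswordFileArg = CommonArguments.bindPasswordFileArgument();
        argumentParser.addLdapConnectionArgument(this.bindPasswordFileArg);
        this.saslOptionArg = CommonArguments.saslArgument();
        argumentParser.addLdapConnectionArgument(this.saslOptionArg);

        // Trust store.
        this.trustAllArg = CommonArguments.trustAllArgument();
        argumentParser.addLdapConnectionArgument(this.trustAllArg);
        this.trustStorePathArg = CommonArguments.trustStorePathArgument();
        argumentParser.addLdapConnectionArgument(this.trustStorePathArg);
        this.trustStorePasswordArg = CommonArguments.trustStorePasswordArgument();
        argumentParser.addLdapConnectionArgument(this.trustStorePasswordArg);
        this.trustStorePasswordFileArg = CommonArguments.trustStorePasswordFileArgument();
        argumentParser.addLdapConnectionArgument(this.trustStorePasswordFileArg);

        // Key store (client certificate).
        this.keyStorePathArg = CommonArguments.keyStorePathArgument();
        argumentParser.addLdapConnectionArgument(this.keyStorePathArg);
        this.keyStorePasswordArg = CommonArguments.keyStorePasswordArgument();
        argumentParser.addLdapConnectionArgument(this.keyStorePasswordArg);
        this.keyStorePasswordFileArg = CommonArguments.keyStorePasswordFileArgument();
        argumentParser.addLdapConnectionArgument(this.keyStorePasswordFileArg);
        this.certNicknameArg = CommonArguments.certNickNameArgument();
        argumentParser.addLdapConnectionArgument(this.certNicknameArg);

        // Bind controls and timeout are general (not LDAP-connection-group) arguments.
        this.reportAuthzIDArg = CommonArguments.reportAuthzIdArgument();
        argumentParser.addArgument(this.reportAuthzIDArg);
        this.connectTimeOut = CommonArguments.connectTimeOutArgument();
        argumentParser.addArgument(this.connectTimeOut);
        this.usePasswordPolicyControlArg = (BooleanArgument) ((BooleanArgument.Builder) BooleanArgument.builder(ArgumentConstants.OPTION_LONG_USE_PW_POLICY_CTL).description(CliMessages.INFO_DESCRIPTION_USE_PWP_CONTROL.get())).buildAndAddToParser(argumentParser);
    }

    /**
     * Returns the connect timeout in milliseconds (the unit it is applied with in
     * {@link #getConnectionFactory(boolean)}).
     *
     * @return the value of the timeout argument, or its default when the argument is absent or
     *         its value cannot be parsed
     */
    public int getConnectTimeout() {
        if (this.connectTimeOut.isPresent()) {
            try {
                return this.connectTimeOut.getIntValue();
            } catch (ArgumentException ignored) {
                // An unparsable value is treated like an absent one: fall through to the default.
            }
        }
        return Integer.valueOf(this.connectTimeOut.getDefaultValue());
    }

    /**
     * Returns the host name to connect to, prompting for it in interactive mode when the host
     * argument is absent (the answer is then stored in the argument).
     *
     * @return the host name in the form suitable for an LDAP URL
     * @throws ArgumentException if the host name cannot be read from the console
     */
    public String getHostname() throws ArgumentException {
        String hostName;
        if (this.hostNameArg.isPresent()) {
            hostName = this.hostNameArg.getValue();
        } else if (!this.app.isInteractive()) {
            return getHostNameDefaultValue("");
        } else {
            try {
                hostName = this.app.readInput(CliMessages.INFO_DESCRIPTION_HOST.get(), getHostNameDefaultValue(""));
                this.app.println();
                // Remember the answer so later callers see the argument as supplied.
                this.hostNameArg.addValue(hostName);
                this.hostNameArg.setPresent(true);
            } catch (ClientException e) {
                throw new ArgumentException(CliMessages.ERR_ERROR_CANNOT_READ_HOST_NAME.get(), e);
            }
        }
        return Utils.getHostNameForLdapUrl(hostName);
    }

    /**
     * Returns the host argument's default value, or {@code str} when it has none.
     */
    private String getHostNameDefaultValue(String str) {
        String configured = this.hostNameArg.getDefaultValue();
        return configured != null ? configured : str;
    }

    /**
     * Returns the port to connect to, prompting for it in interactive mode when the port
     * argument is absent (the answer is then stored in the argument).
     *
     * @return the port argument's value, or its default when the argument is absent in
     *         non-interactive mode or its value cannot be parsed
     */
    public int getPort() {
        int defaultPort = Integer.valueOf(this.portArg.getDefaultValue());
        if (this.portArg.isPresent()) {
            try {
                return this.portArg.getIntValue();
            } catch (ArgumentException ignored) {
                // An unparsable value is treated like an absent one.
                return defaultPort;
            }
        }
        if (!this.app.isInteractive()) {
            return defaultPort;
        }
        LocalizableMessage prompt = this.isAdminConnection ? CliMessages.INFO_DESCRIPTION_ADMIN_PORT.get() : CliMessages.INFO_DESCRIPTION_PORT.get();
        int enteredPort = this.app.askPort(prompt, defaultPort, logger);
        this.app.println();
        this.portArg.addValue(Integer.toString(enteredPort));
        this.portArg.setPresent(true);
        return enteredPort;
    }

    /** Returns {@code true} when the connection must use SSL (argument present or forced). */
    public boolean useSSL() {
        return this.useSSLArg.isPresent();
    }

    /** Returns {@code true} when the connection must use StartTLS. */
    public boolean useStartTLS() {
        return this.useStartTLSArg.isPresent();
    }

    /**
     * Returns the protocols to enable for the JVM's default {@link SSLContext}.
     *
     * @see #getDefaultProtocols(SSLContext)
     */
    public static List<String> getDefaultProtocols() throws NoSuchAlgorithmException {
        return getDefaultProtocols(SSLContext.getDefault());
    }

    /**
     * Returns the protocols to enable on connections made with {@code sSLContext}.
     *
     * <p>By default this is the engine's enabled protocol list with every entry whose name starts
     * with {@code "SSL"} removed. If the system property {@code org.opends.ldaps.protocols} is set
     * to a non-empty comma-separated list, that list is used instead, keeping only the names the
     * engine actually enables; note that the {@code "SSL"} filter does not apply to it, so the
     * property can re-enable legacy protocols the engine still supports.
     *
     * @param sSLContext context whose engine supplies the enabled protocols
     * @return a new, mutable list of protocol names
     */
    public static List<String> getDefaultProtocols(SSLContext sSLContext) throws NoSuchAlgorithmException {
        List<String> enabled = Arrays.asList(sSLContext.createSSLEngine().getEnabledProtocols());
        String override = System.getProperty("org.opends.ldaps.protocols");
        List<String> result = new ArrayList<>();
        if (override == null || override.isEmpty()) {
            for (String protocol : enabled) {
                if (!protocol.startsWith("SSL")) {
                    result.add(protocol);
                }
            }
        } else {
            for (String requested : override.split(",")) {
                if (enabled.contains(requested)) {
                    result.add(requested);
                }
            }
        }
        return result;
    }

    /**
     * Returns the (cached) factory configured with the bind request from {@link #getBindRequest()}.
     */
    public ConnectionFactory getAuthenticatedConnectionFactory() throws ArgumentException {
        return getConnectionFactory(true);
    }

    /** Returns the (cached) factory without any bind request attached. */
    public ConnectionFactory getUnauthenticatedConnectionFactory() throws ArgumentException {
        return getConnectionFactory(false);
    }

    /**
     * Builds the connection factory on first use and returns it.
     *
     * <p>Conflicting arguments are rejected first. In interactive mode any of host, port, bind DN
     * and password that was not supplied is prompted for. When {@code --useSSL} or
     * {@code --startTLS} is present an {@link SSLContext} is built once from
     * {@link #getTrustManager()} and {@link #getKeyManager(String)} and the enabled protocols are
     * taken from {@link #getDefaultProtocols(SSLContext)}.
     *
     * @param z {@code true} to attach {@link #getBindRequest()} to the factory
     * @return the cached factory
     * @throws ArgumentException on conflicting arguments, unreadable stores, a failed prompt, or
     *                           any failure while initialising SSL or the factory
     */
    private ConnectionFactory getConnectionFactory(boolean z) throws ArgumentException {
        if (this.connFactory != null) {
            return this.connFactory;
        }
        checkForConflictingArguments();
        if (this.app.isInteractive()) {
            promptForMissingConnectionParameters();
        }
        try {
            if (this.useSSLArg.isPresent() || this.useStartTLSArg.isPresent()) {
                String certNickname = this.certNicknameArg.isPresent() ? this.certNicknameArg.getValue() : null;
                if (this.sslContext == null) {
                    TrustManager trustManager = getTrustManager();
                    X509KeyManager keyManager = getKeyManager(this.keyStorePathArg.getValue());
                    if (keyManager != null && certNickname != null) {
                        // Present only the requested alias as client certificate.
                        keyManager = KeyManagers.useSingleCertificate(certNickname, keyManager);
                    }
                    this.sslContext = new SSLContextBuilder().setTrustManager(trustManager).setKeyManager(keyManager).getSSLContext();
                }
            }
            Options options = Options.defaultOptions();
            if (this.sslContext != null) {
                options.set(LDAPConnectionFactory.SSL_CONTEXT, this.sslContext)
                        .set(LDAPConnectionFactory.SSL_USE_STARTTLS, Boolean.valueOf(this.useStartTLSArg.isPresent()));
                List<String> protocols;
                try {
                    protocols = getDefaultProtocols(this.sslContext);
                } catch (NoSuchAlgorithmException e) {
                    throw new ArgumentException(CliMessages.ERR_LDAP_CONN_CANNOT_INITIALIZE_SSL.get(e.toString()), e);
                }
                options.set(LDAPConnectionFactory.SSL_ENABLED_PROTOCOLS, protocols);
            }
            options.set(LDAPConnectionFactory.CONNECT_TIMEOUT, Duration.duration(getConnectTimeout(), TimeUnit.MILLISECONDS));
            if (z) {
                options.set(LDAPConnectionFactory.AUTHN_BIND_REQUEST, getBindRequest());
            }
            this.connFactory = new LDAPConnectionFactory(this.hostNameArg.getValue(), this.portArg.getIntValue(), options);
        } catch (ArgumentException e) {
            // Argument problems (e.g. an unsupported SASL mechanism reported by getBindRequest())
            // already carry a precise message; do not rewrap them as an SSL initialisation failure.
            throw e;
        } catch (Exception e) {
            throw new ArgumentException(CliMessages.ERR_LDAP_CONN_CANNOT_INITIALIZE_SSL.get(e.toString()), e);
        }
        return this.connFactory;
    }

    /**
     * Interactive mode only: prints the connection-parameters header when something is missing,
     * then prompts for each of host, port, bind DN and password that was not supplied.
     */
    private void promptForMissingConnectionParameters() throws ArgumentException {
        boolean hostMissing = !this.hostNameArg.isPresent();
        boolean portMissing = !this.portArg.isPresent() || this.portArg.getIntValue() == 0;
        boolean bindNameMissing = !this.bindNameArg.isPresent();
        boolean passwordMissing = !this.bindPasswordArg.isPresent() && !this.bindPasswordFileArg.isPresent();
        if (hostMissing || portMissing || bindNameMissing || passwordMissing) {
            this.app.printHeader(CliMessages.INFO_LDAP_CONN_HEADING_CONNECTION_PARAMETERS.get());
        }
        if (hostMissing) {
            getHostname();
        }
        if (portMissing) {
            getPort();
        }
        if (bindNameMissing) {
            getBindName();
        }
        if (passwordMissing) {
            getPassword();
        }
    }

    /**
     * Rejects mutually exclusive arguments and trust/key store paths that cannot be read.
     *
     * @throws ArgumentException describing the first conflict or unreadable path found
     */
    private void checkForConflictingArguments() throws ArgumentException {
        Utils.throwIfArgumentsConflict(this.bindPasswordArg, this.bindPasswordFileArg);
        Utils.throwIfArgumentsConflict(this.trustAllArg, this.trustStorePathArg);
        Utils.throwIfArgumentsConflict(this.trustAllArg, this.trustStorePasswordArg);
        Utils.throwIfArgumentsConflict(this.trustAllArg, this.trustStorePasswordFileArg);
        Utils.throwIfArgumentsConflict(this.trustStorePasswordArg, this.trustStorePasswordFileArg);
        Utils.throwIfArgumentsConflict(this.useStartTLSArg, this.useSSLArg);
        if (this.trustStorePathArg.isPresent()) {
            String trustStorePath = this.trustStorePathArg.getValue();
            if (!canReadPath(trustStorePath)) {
                throw new ArgumentException(CliMessages.ERR_CANNOT_READ_TRUSTSTORE.get(trustStorePath));
            }
        }
        if (this.keyStorePathArg.isPresent()) {
            String keyStorePath = this.keyStorePathArg.getValue();
            if (!canReadPath(keyStorePath)) {
                throw new ArgumentException(CliMessages.ERR_CANNOT_READ_KEYSTORE.get(keyStorePath));
            }
        }
    }

    /** Returns {@code true} when {@code str} names an existing, readable file system entry. */
    private boolean canReadPath(String str) {
        File candidate = new File(str);
        return candidate.exists() && candidate.canRead();
    }

    /**
     * Returns the SASL authentication ID: the {@code authid} SASL option, else
     * {@code "dn: "} + bind DN when one was given, else (interactive mode) a prompted value.
     *
     * @param str mechanism name, used only in the error message
     * @throws ArgumentException if no authentication ID can be determined or the prompt fails
     */
    private String getAuthID(String str) throws ArgumentException {
        String authID = getAuthID();
        if (authID == null && this.bindNameArg.isPresent()) {
            authID = "dn: " + this.bindNameArg.getValue();
        }
        if (authID == null && this.app.isInteractive()) {
            String defaultAuthID = this.bindNameArg.getDefaultValue() == null ? null : "dn: " + this.bindNameArg.getDefaultValue();
            try {
                authID = this.app.readInput(LocalizableMessage.raw("Authentication ID:"), defaultAuthID);
            } catch (ClientException e) {
                throw new ArgumentException(LocalizableMessage.raw("Unable to read authentication ID"), e);
            }
        }
        if (authID == null) {
            throw new ArgumentException(CliMessages.ERR_LDAPAUTH_SASL_AUTHID_REQUIRED.get(str));
        }
        return authID;
    }

    /** Returns the value of the SASL authentication-ID option, or {@code null}. */
    private String getAuthID() throws ArgumentException {
        return getSaslProperty(ArgumentConstants.SASL_PROPERTY_AUTHID);
    }

    /** Returns the value of the SASL authorization-ID option, or {@code null}. */
    private String getAuthzID() throws ArgumentException {
        return getSaslProperty(ArgumentConstants.SASL_PROPERTY_AUTHZID);
    }

    /**
     * Returns the bind DN, prompting for it in interactive mode when the argument is absent (the
     * answer then replaces the argument's values).
     *
     * @return the bind DN, or {@code ""} when absent in non-interactive mode
     * @throws ArgumentException if the DN cannot be read from the console
     */
    public String getBindName() throws ArgumentException {
        String bindName = "";
        if (this.bindNameArg.isPresent()) {
            bindName = this.bindNameArg.getValue();
        } else if (this.app.isInteractive()) {
            LocalizableMessage prompt = this.isAdminConnection ? CliMessages.INFO_DESCRIPTION_ADMIN_BINDDN.get() : CliMessages.INFO_DESCRIPTION_BINDDN.get();
            String defaultBindName = this.bindNameArg.getDefaultValue() == null ? bindName : this.bindNameArg.getDefaultValue();
            try {
                bindName = this.app.readInput(prompt, defaultBindName);
                this.app.println();
                this.bindNameArg.clearValues();
                this.bindNameArg.addValue(bindName);
                this.bindNameArg.setPresent(true);
            } catch (ClientException e) {
                throw new ArgumentException(CliMessages.ERR_ERROR_CANNOT_READ_BIND_NAME.get(), e);
            }
        }
        return bindName;
    }

    /**
     * Builds the bind request on first use and returns it.
     *
     * <p>Without a SASL mechanism option a simple bind is built, but only if a bind DN or password
     * argument is present; otherwise {@code null} is returned (anonymous). With a mechanism the
     * matching SASL request is built (see {@link #newSaslBindRequest(String)}). The
     * authorization-identity and password-policy request controls are attached when their
     * arguments are present.
     *
     * @return the cached request, or {@code null} for an anonymous connection
     * @throws ArgumentException for an unsupported mechanism, missing SASL prerequisites, or a
     *                           failed prompt
     */
    public BindRequest getBindRequest() throws ArgumentException {
        if (this.bindRequest == null) {
            String mechanism = getMechanism();
            if (mechanism == null) {
                if (this.bindNameArg.isPresent() || this.bindPasswordFileArg.isPresent() || this.bindPasswordArg.isPresent()) {
                    this.bindRequest = Requests.newSimpleBindRequest(getBindName(), getPassword());
                }
            } else {
                this.bindRequest = newSaslBindRequest(mechanism);
            }
            if (this.bindRequest != null) {
                if (this.reportAuthzIDArg.isPresent()) {
                    this.bindRequest.addControl(AuthorizationIdentityRequestControl.newControl(false));
                }
                if (this.usePasswordPolicyControlArg.isPresent()) {
                    this.bindRequest.addControl(PasswordPolicyRequestControl.newControl(false));
                }
            }
        }
        return this.bindRequest;
    }

    /**
     * Builds the SASL bind request for {@code mechanism} (compared case-sensitively), prompting
     * for any missing authentication ID or password.
     *
     * @param mechanism non-null value of the SASL mechanism option
     * @throws ArgumentException for an unsupported mechanism, or when EXTERNAL is requested without
     *                           SSL/StartTLS or without a key store
     */
    private BindRequest newSaslBindRequest(String mechanism) throws ArgumentException {
        switch (mechanism) {
            case "DIGEST-MD5":
                return Requests.newDigestMD5SASLBindRequest(getAuthID("DIGEST-MD5"), getPassword())
                        .setAuthorizationID(getAuthzID()).setRealm(getRealm());
            case "CRAM-MD5":
                return Requests.newCRAMMD5SASLBindRequest(getAuthID("CRAM-MD5"), getPassword());
            case "GSSAPI":
                return Requests.newGSSAPISASLBindRequest(getAuthID("GSSAPI"), getPassword())
                        .setKDCAddress(getKDC()).setRealm(getRealm()).setAuthorizationID(getAuthzID());
            case "EXTERNAL":
                // EXTERNAL relies on the client certificate from the TLS handshake, so both a
                // TLS context and a key store to take the certificate from are required.
                if (this.sslContext == null) {
                    throw new ArgumentException(CliMessages.ERR_TOOL_SASLEXTERNAL_NEEDS_SSL_OR_TLS.get());
                }
                if (!this.keyStorePathArg.isPresent() && getKeyStore() == null) {
                    throw new ArgumentException(CliMessages.ERR_TOOL_SASLEXTERNAL_NEEDS_KEYSTORE.get());
                }
                return Requests.newExternalSASLBindRequest().setAuthorizationID(getAuthzID());
            case "PLAIN":
                return Requests.newPlainSASLBindRequest(getAuthID("PLAIN"), getPassword()).setAuthorizationID(getAuthzID());
            default:
                throw new ArgumentException(CliMessages.ERR_LDAPAUTH_UNSUPPORTED_SASL_MECHANISM.get(mechanism));
        }
    }

    /** Returns the value of the SASL mechanism option, or {@code null}. */
    private String getMechanism() throws ArgumentException {
        return getSaslProperty(ArgumentConstants.SASL_PROPERTY_MECH);
    }

    /** Returns the value of the SASL KDC option, or {@code null}. */
    private String getKDC() throws ArgumentException {
        return getSaslProperty(ArgumentConstants.SASL_PROPERTY_KDC);
    }

    /** Returns the value of the SASL realm option, or {@code null}. */
    private String getRealm() throws ArgumentException {
        return getSaslProperty(ArgumentConstants.SASL_PROPERTY_REALM);
    }

    /**
     * Returns the value of the first {@code -o} SASL option whose text starts with {@code str}.
     *
     * <p>NOTE(review): this is a plain prefix match with no required {@code "="} after the name,
     * so an option is selected as soon as it merely begins with the property name. Confirm no
     * SASL property name is a prefix of another before relying on it.
     *
     * @return the text after the {@code '='}, or {@code null} when no option matches
     * @throws ArgumentException if the matching option has no {@code '='}
     */
    private String getSaslProperty(String str) throws ArgumentException {
        for (String option : this.saslOptionArg.getValues()) {
            if (option.startsWith(str)) {
                return parseSASLOptionValue(option);
            }
        }
        return null;
    }

    /**
     * Returns the factory's string form, or {@code "null"} before it has been built (the factory
     * is created lazily, so dereferencing it unconditionally would throw).
     */
    @Override
    public String toString() {
        return String.valueOf(this.connFactory);
    }

    /**
     * Loads the key store and returns a key manager for it.
     *
     * @param str key store path; when {@code null} the {@code javax.net.ssl.keyStore} system
     *            property is used, and when that is unset too {@code null} is returned
     * @return an {@link ApplicationKeyManager} over the store, or (FIPS mode) the first
     *         {@link X509KeyManager} the default {@link KeyManagerFactory} yields, or
     *         {@code null} when no store is configured
     * @throws IOException if the store file cannot be read
     * @throws KeyStoreException, NoSuchAlgorithmException, CertificateException,
     *         UnrecoverableKeyException on store or key manager initialisation errors
     */
    public X509KeyManager getKeyManager(String str) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException, UnrecoverableKeyException {
        String keyStorePath = str != null ? str : getKeyStore();
        if (keyStorePath == null) {
            return null;
        }
        String pin = getKeyStorePIN();
        char[] pinChars = pin != null ? pin.toCharArray() : null;
        boolean isFips = StaticUtils.isFips();
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        if (isFips) {
            // Loaded without an input stream: presumably the default type is provider-backed in
            // FIPS mode and the path only signals that a store is configured — TODO confirm.
            keyStore.load(null, pinChars);
            KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore, pinChars);
            for (KeyManager keyManager : factory.getKeyManagers()) {
                if (keyManager instanceof X509KeyManager) {
                    return (X509KeyManager) keyManager;
                }
            }
        } else {
            try (FileInputStream in = new FileInputStream(keyStorePath)) {
                keyStore.load(in, pinChars);
            }
        }
        return new ApplicationKeyManager(keyStore, pinChars);
    }

    /** Returns the {@code javax.net.ssl.keyStore} system property, or {@code null}. */
    private String getKeyStore() {
        return System.getProperty("javax.net.ssl.keyStore");
    }

    /**
     * Returns the key store PIN: the password argument, else the contents of the password-file
     * argument, else the {@code javax.net.ssl.keyStorePassword} system property (may be null).
     */
    private String getKeyStorePIN() {
        if (this.keyStorePasswordArg.isPresent()) {
            return this.keyStorePasswordArg.getValue();
        }
        if (this.keyStorePasswordFileArg.isPresent()) {
            return this.keyStorePasswordFileArg.getValue();
        }
        return System.getProperty("javax.net.ssl.keyStorePassword");
    }

    /**
     * Returns the bind password: the password argument, else the password-file argument, else the
     * password previously read from the console. If the result is empty and the console is
     * interactive, the user is prompted and the answer is cached for later calls.
     *
     * @return the password characters, possibly empty; never {@code null}
     * @throws ArgumentException if the password cannot be read from the console
     */
    public char[] getPassword() throws ArgumentException {
        char[] result = new char[0];
        if (this.bindPasswordArg.isPresent()) {
            result = this.bindPasswordArg.getValue().toCharArray();
        } else if (this.bindPasswordFileArg.isPresent()) {
            result = this.bindPasswordFileArg.getValue().toCharArray();
        } else if (this.password != null) {
            // Already prompted for earlier in this run.
            return this.password;
        }
        if (result.length == 0 && this.app.isInteractive()) {
            try {
                result = this.app.readPassword(this.isAdminConnection ? CliMessages.INFO_LDAPAUTH_PASSWORD_PROMPT.get(getBindName()) : CliMessages.INFO_DESCRIPTION_BINDPASSWORD.get());
                this.app.println();
                this.password = result;
            } catch (ClientException e) {
                throw new ArgumentException(CliMessages.ERR_ERROR_CANNOT_READ_PASSWORD.get(), e);
            }
        }
        return result;
    }

    /**
     * Returns the trust manager for server certificate validation.
     *
     * <ul>
     * <li>{@code --trustAll} present: {@link TrustManagers#trustAll()}, which accepts any server
     *     certificate — an explicit operator opt-out of validation.</li>
     * <li>Otherwise a store-backed manager is built from the trust store path argument (when
     *     non-empty) or the {@code javax.net.ssl.trustStore} property; outside FIPS mode it is
     *     wrapped with host name and validity-date checks against the configured host.</li>
     * <li>FIPS mode: the PKCS#11 trust store manager is returned.</li>
     * <li>Non-FIPS, console present and not quiet: the store-backed manager (possibly
     *     {@code null}) is wrapped in a {@link PromptingTrustManager}.</li>
     * </ul>
     *
     * @throws IOException if a trust store cannot be read
     * @throws GeneralSecurityException on trust manager initialisation errors
     */
    public TrustManager getTrustManager() throws IOException, GeneralSecurityException {
        if (this.trustAllArg.isPresent()) {
            return TrustManagers.trustAll();
        }
        boolean isFips = StaticUtils.isFips();
        String trustStorePath = null;
        if (this.trustStorePathArg.isPresent() && this.trustStorePathArg.getValue().length() > 0) {
            trustStorePath = this.trustStorePathArg.getValue();
        } else if (getTrustStore() != null) {
            trustStorePath = getTrustStore();
        }
        X509TrustManager storeTrustManager = null;
        if (trustStorePath != null) {
            X509TrustManager fromStore = TrustManagers.checkUsingTrustStore(trustStorePath, getTrustStorePIN(), (String) null);
            storeTrustManager = isFips
                    ? fromStore
                    : TrustManagers.checkValidityDates(TrustManagers.checkHostName(this.hostNameArg.getValue(), fromStore));
        }
        if (isFips) {
            // NOTE(review): in FIPS mode the store-backed manager built above is discarded (it is
            // still built, so a bad store still fails here) and the PKCS#11 store is used instead.
            // Confirm this is intended rather than an oversight.
            return TrustManagers.checkUsingPkcs11TrustStore();
        }
        if (this.app == null || this.app.isQuiet()) {
            return storeTrustManager;
        }
        return new PromptingTrustManager(this.app, storeTrustManager);
    }

    /** Returns the {@code javax.net.ssl.trustStore} system property, or {@code null}. */
    private String getTrustStore() {
        return System.getProperty("javax.net.ssl.trustStore");
    }

    /**
     * Returns the trust store PIN: the password argument, else the contents of the password-file
     * argument, else the {@code javax.net.ssl.trustStorePassword} system property.
     *
     * @return the PIN characters, or {@code null} when none is configured
     */
    private char[] getTrustStorePIN() {
        String pin;
        if (this.trustStorePasswordArg.isPresent()) {
            pin = this.trustStorePasswordArg.getValue();
        } else if (this.trustStorePasswordFileArg.isPresent()) {
            pin = this.trustStorePasswordFileArg.getValue();
        } else {
            pin = System.getProperty("javax.net.ssl.trustStorePassword");
        }
        return pin == null ? null : pin.toCharArray();
    }

    /**
     * Returns the part of a {@code name=value} SASL option after the first {@code '='}.
     *
     * @throws ArgumentException if {@code str} contains no {@code '='}
     */
    private String parseSASLOptionValue(String str) throws ArgumentException {
        int separator = str.indexOf('=');
        if (separator == -1) {
            throw new ArgumentException(CliMessages.ERR_LDAP_CONN_CANNOT_PARSE_SASL_OPTION.get(str));
        }
        return str.substring(separator + 1);
    }

    /** Switches subsequent prompts to their administration-connection wording. */
    public void setIsAnAdminConnection() {
        this.isAdminConnection = true;
    }
}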
