package org.geoserver.security.password;

import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.OutputStream;
import java.net.URL;
import java.net.URLConnection;
import java.util.Arrays;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.io.IOUtils;
import org.geoserver.config.util.XStreamPersister;
import org.geoserver.platform.resource.Resource;
import org.geoserver.security.GeoServerSecurityManager;
import org.geoserver.security.GeoServerSecurityProvider;
import org.geoserver.security.MasterPasswordProvider;
import org.geoserver.security.SecurityUtils;
import org.geoserver.security.config.SecurityNamedServiceConfig;
import org.geoserver.security.validation.SecurityConfigException;
import org.geoserver.security.validation.SecurityConfigValidator;
import org.geotools.util.URLs;
import org.jasypt.encryption.pbe.StandardPBEByteEncryptor;

/* loaded from: input_file:WEB-INF/lib/gs-main-2.18.7-georchestra.jar:org/geoserver/security/password/URLMasterPasswordProvider.class */
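/**
 * Master password provider that loads the master password from, and stores it to, the URL held
 * in its {@link URLMasterPasswordProviderConfig}.
 *
 * <p>Security notes for maintainers and deployers:
 *
 * <ul>
 *   <li>When {@code config.isEncrypting()} is true the stored value is password-based encrypted
 *       and Base64-encoded, but the encryption password is derived in {@link #key()} from the
 *       compile-time constants {@link #BASE} and {@link #PERM}. Every copy of this class derives
 *       the same key, so the encryption is obfuscation rather than confidentiality: protection
 *       of the stored master password rests on access control of the URL target (file
 *       permissions, transport security), not on this cipher.
 *   <li>No algorithm is configured on the {@code StandardPBEByteEncryptor}, so the jasypt default
 *       applies (PBEWithMD5AndDES in jasypt 1.x; confirm against the bundled jasypt version).
 *   <li>The URL scheme is not restricted in this class. A non-{@code file} URL is opened with the
 *       JDK's default handler, with no timeout or transport check applied here.
 * </ul>
 */
public final class URLMasterPasswordProvider extends MasterPasswordProvider {
    // Fixed seed characters fed to SecurityUtils.permute() in key(). Compiled into the class, so
    // the derived key is identical wherever this class is deployed.
    static final char[] BASE = {'U', 'n', '6', 'd', 'I', 'l', 'X', 'T', 'Q', 'c', 'L', ')', '$', '#', 'q', 'J', 'U', 'l', 'X', 'Q', 'U', '!', 'n', 'n', 'p', '%', 'U', 'r', '5', 'U', 'u', '3', '5', 'H', '`', 'x', 'P', 'F', 'r', 'X'};
    // Fixed permutation table passed to SecurityUtils.permute() together with BASE.
    static final int[] PERM = {32, 19, 30, 11, 34, 26, 3, 21, 9, 37, 38, 13, 23, 2, 18, 4, 20, 1, 29, 17, 0, 31, 14, 36, 12, 24, 15, 35, 16, 39, 25, 5, 10, 8, 7, 6, 33, 27, 28, 22};
    // Set by initializeFromConfig(); every other instance method dereferences it.
    URLMasterPasswordProviderConfig config;

    /** Security provider extension that registers this master password provider. */
    public static class SecurityProvider extends GeoServerSecurityProvider {
        /** Registers the {@code urlProvider} XStream alias for the provider configuration. */
        @Override
        public void configure(XStreamPersister xStreamPersister) {
            super.configure(xStreamPersister);
            xStreamPersister.getXStream().alias("urlProvider", URLMasterPasswordProviderConfig.class);
        }

        @Override
        public Class<? extends MasterPasswordProvider> getMasterPasswordProviderClass() {
            return URLMasterPasswordProvider.class;
        }

        /**
         * Creates an unconfigured provider; the passed configuration is not used here and is
         * applied later through {@code initializeFromConfig}.
         */
        @Override
        public MasterPasswordProvider createMasterPasswordProvider(MasterPasswordProviderConfig masterPasswordProviderConfig) throws IOException {
            return new URLMasterPasswordProvider();
        }

        @Override
        public SecurityConfigValidator createConfigurationValidator(GeoServerSecurityManager geoServerSecurityManager) {
            return new URLMasterPasswordProviderValidator(geoServerSecurityManager);
        }
    }

    /** Validator for {@link URLMasterPasswordProviderConfig} instances. */
    public static class URLMasterPasswordProviderValidator extends SecurityConfigValidator {
        public URLMasterPasswordProviderValidator(GeoServerSecurityManager geoServerSecurityManager) {
            super(geoServerSecurityManager);
        }

        /**
         * Checks that a URL is configured and, for a read-only provider, that the URL can be
         * opened and read.
         *
         * <p>Only presence and readability are checked. The scheme and the location the URL
         * points at are not constrained here, so restricting who may edit this configuration is
         * what keeps the master password source under control.
         *
         * @throws SecurityConfigException a {@code URLMasterPasswordProviderException} with
         *     {@code URL_REQUIRED} when no URL is set, or {@code URL_LOCATION_NOT_READABLE} when
         *     a read-only provider's URL cannot be read
         */
        @Override
        public void validate(MasterPasswordProviderConfig masterPasswordProviderConfig) throws SecurityConfigException {
            super.validate(masterPasswordProviderConfig);
            URL url = ((URLMasterPasswordProviderConfig) masterPasswordProviderConfig).getURL();
            if (url == null) {
                throw new URLMasterPasswordProviderException(URLMasterPasswordProviderException.URL_REQUIRED, new Object[0]);
            }
            if (!masterPasswordProviderConfig.isReadOnly()) {
                return;
            }
            // Probe a single byte: enough to prove the location opens and is readable. The
            // stream is closed on every path, and a failure on close no longer masks the
            // original read failure (it is attached as a suppressed exception instead).
            try (InputStream probe = URLMasterPasswordProvider.input(url, this.manager.masterPasswordProvider().get(masterPasswordProviderConfig.getName()))) {
                probe.read();
            } catch (IOException e) {
                throw new URLMasterPasswordProviderException(URLMasterPasswordProviderException.URL_LOCATION_NOT_READABLE, url);
            }
        }
    }

    /** Stores the configuration, which must be a {@link URLMasterPasswordProviderConfig}. */
    @Override
    public void initializeFromConfig(SecurityNamedServiceConfig securityNamedServiceConfig) throws IOException {
        super.initializeFromConfig(securityNamedServiceConfig);
        this.config = (URLMasterPasswordProviderConfig) securityNamedServiceConfig;
    }

    /**
     * Reads the stored value from the configured URL and returns the decoded master password.
     *
     * <p>The intermediate byte buffers (raw content and decoded plaintext) are zeroed before
     * returning so that only the returned {@code char[]} holds the password; wiping that array
     * is left to the caller.
     *
     * @return the master password characters
     * @throws RuntimeException wrapping any {@link IOException} raised while reading
     */
    @Override
    protected char[] doGetMasterPassword() throws Exception {
        try (InputStream input = input(this.config.getURL(), getConfigDir())) {
            byte[] stored = IOUtils.toByteArray(input);
            byte[] plain = null;
            try {
                plain = decode(stored);
                return SecurityUtils.toChars(plain);
            } finally {
                // When encryption is off decode() returns the same array, so this may zero one
                // buffer twice; that is harmless.
                Arrays.fill(stored, (byte) 0);
                if (plain != null) {
                    Arrays.fill(plain, (byte) 0);
                }
            }
        } catch (IOException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Encodes the given master password and writes it to the configured URL.
     *
     * <p>The value is encoded before the target is opened: opening a file target for writing
     * can truncate it, so a failure in {@link #encode(char[])} must not happen after that point
     * or the previously stored master password would be lost. The encoded buffer, which is the
     * plaintext password when encryption is off, is zeroed after the write.
     *
     * @param cArr the new master password; not modified here
     */
    @Override
    protected void doSetMasterPassword(char[] cArr) throws Exception {
        byte[] encoded = encode(cArr);
        try (OutputStream output = output(this.config.getURL(), getConfigDir())) {
            output.write(encoded);
        } finally {
            Arrays.fill(encoded, (byte) 0);
        }
    }

    /** Looks up this provider's resource from the security manager, by provider name. */
    Resource getConfigDir() throws IOException {
        return getSecurityManager().masterPasswordProvider().get(getName());
    }

    /**
     * Converts the password to the byte form that is stored at the URL.
     *
     * @param cArr the master password
     * @return the raw password bytes when encryption is off, otherwise the Base64 encoding of
     *     the password encrypted under {@link #key()}
     */
    byte[] encode(char[] cArr) {
        if (!this.config.isEncrypting()) {
            return SecurityUtils.toBytes(cArr);
        }
        StandardPBEByteEncryptor encryptor = new StandardPBEByteEncryptor();
        char[] key = key();
        byte[] plain = null;
        try {
            encryptor.setPasswordCharArray(key);
            plain = SecurityUtils.toBytes(cArr);
            return Base64.encodeBase64(encryptor.encrypt(plain));
        } finally {
            // Clear the derived key and the plaintext copy whether or not encryption succeeded.
            SecurityUtils.scramble(key);
            if (plain != null) {
                Arrays.fill(plain, (byte) 0);
            }
        }
    }

    /**
     * Reverses {@link #encode(char[])}.
     *
     * @param bArr the bytes read from the URL
     * @return {@code bArr} itself when encryption is off, otherwise the decrypted password bytes
     */
    byte[] decode(byte[] bArr) {
        if (!this.config.isEncrypting()) {
            return bArr;
        }
        StandardPBEByteEncryptor encryptor = new StandardPBEByteEncryptor();
        char[] key = key();
        try {
            encryptor.setPasswordCharArray(key);
            return encryptor.decrypt(Base64.decodeBase64(bArr));
        } finally {
            SecurityUtils.scramble(key);
        }
    }

    /**
     * Derives the encryption password from {@link #BASE} and {@link #PERM}.
     *
     * <p>The inputs are constants, so the result is not a secret; see the class comment.
     *
     * @return a key array that callers scramble after use
     */
    char[] key() {
        return SecurityUtils.permute(BASE, 32, PERM);
    }

    /**
     * Opens the URL for writing.
     *
     * <p>A {@code file} URL with a relative path is resolved against {@code resource}; an
     * absolute path is opened directly on the file system. Any other scheme goes through
     * {@link URL#openConnection()} with output enabled.
     *
     * <p>NOTE(review): nothing in this class reads the response of that connection; for HTTP(S)
     * targets confirm that the write is actually transmitted and that its status is checked.
     */
    static OutputStream output(URL url, Resource resource) throws IOException {
        if ("file".equalsIgnoreCase(url.getProtocol())) {
            File target = URLs.urlToFile(url);
            if (target.isAbsolute()) {
                return new FileOutputStream(target);
            }
            return resource.get(target.getPath()).out();
        }
        URLConnection connection = url.openConnection();
        connection.setDoOutput(true);
        return connection.getOutputStream();
    }

    /**
     * Opens the URL for reading.
     *
     * <p>A {@code file} URL with a relative path is resolved against {@code resource} and must
     * name an existing resource of type {@code RESOURCE}; an absolute path is opened directly on
     * the file system. Any other scheme is opened with {@link URL#openStream()}, so the stored
     * value travels over whatever transport that scheme provides.
     *
     * @throws FileNotFoundException when the relative path does not resolve to a file resource
     */
    static InputStream input(URL url, Resource resource) throws IOException {
        if (!"file".equalsIgnoreCase(url.getProtocol())) {
            return url.openStream();
        }
        File source = URLs.urlToFile(url);
        if (source.isAbsolute()) {
            return new FileInputStream(source);
        }
        Resource relative = resource.get(source.getPath());
        if (relative.getType() != Resource.Type.RESOURCE) {
            throw new FileNotFoundException();
        }
        return relative.in();
    }
}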
