package com.ibm.ws.security.acme.internal.web;

import com.ibm.websphere.ras.Tr;
import com.ibm.websphere.ras.TraceComponent;
import com.ibm.websphere.ras.annotation.TraceObjectField;
import com.ibm.websphere.ras.annotation.TraceOptions;
import com.ibm.ws.ffdc.FFDCFilter;
import com.ibm.ws.ffdc.annotation.FFDCIgnore;
import com.ibm.ws.ras.instrument.annotation.InjectedFFDC;
import com.ibm.ws.security.acme.AcmeCaException;
import com.ibm.ws.security.acme.AcmeProvider;
import com.ibm.ws.security.acme.internal.AcmeClient;
import com.ibm.ws.security.acme.internal.TraceConstants;
import com.ibm.ws.security.acme.internal.exceptions.CertificateRenewRequestBlockedException;
import com.ibm.ws.security.acme.internal.exceptions.IllegalRevocationReasonException;
import com.ibm.ws.security.acme.internal.util.AcmeConstants;
import com.ibm.ws.ssl.KeyStoreService;
import com.ibm.wsspi.rest.handler.RESTHandler;
import com.ibm.wsspi.rest.handler.RESTRequest;
import com.ibm.wsspi.rest.handler.RESTResponse;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.InputStream;
import java.io.UnsupportedEncodingException;
import java.net.URI;
import java.nio.charset.StandardCharsets;
import java.security.KeyStoreException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Collections;
import java.util.Iterator;
import java.util.Map;
import java.util.concurrent.atomic.AtomicReference;
import org.bouncycastle.asn1.x509.DisplayText;
import org.jose4j.json.JsonUtil;
import org.jose4j.json.internal.json_simple.JSONObject;
import org.jose4j.lang.JoseException;
import org.osgi.service.component.annotations.Component;
import org.osgi.service.component.annotations.ConfigurationPolicy;
import org.osgi.service.component.annotations.Reference;
import org.osgi.service.component.annotations.ReferenceCardinality;
import org.osgi.service.component.annotations.ReferencePolicy;

@InjectedFFDC
@TraceObjectField(fieldName = "tc", fieldDesc = "Lcom/ibm/websphere/ras/TraceComponent;")
@Component(configurationPolicy = ConfigurationPolicy.IGNORE, immediate = true, property = {"service.vendor=IBM", "com.ibm.wsspi.rest.handler.root=/acmeca", "com.ibm.wsspi.rest.handler.custom.security=true"})
@TraceOptions
/* loaded from: input_file:com/ibm/ws/security/acme/internal/web/AcmeCaRestHandler.class */
public class AcmeCaRestHandler implements RESTHandler {
    private static final TraceComponent tc = Tr.register(AcmeCaRestHandler.class, TraceConstants.TRACE_GROUP, TraceConstants.MESSAGE_BUNDLE);
    private final AtomicReference<AcmeProvider> acmeProviderRef = new AtomicReference<>();
    private final AtomicReference<KeyStoreService> keyStoreServiceRef = new AtomicReference<>();
    public static final String PATH_ROOT = "/acmeca";
    public static final String PATH_ACCOUNT = "/acmeca/account";
    public static final String PATH_CERTIFICATE = "/acmeca/certificate";
    private static final String HTTP_GET = "GET";
    private static final String HTTP_POST = "POST";
    public static final String OP_KEY = "operation";
    public static final String REASON_KEY = "reason";
    public static final String OP_RENEW_CERT = "renewCertificate";
    public static final String OP_REVOKE_CERT = "revokeCertificate";
    public static final String OP_RENEW_ACCT_KEY_PAIR = "renewAccountKeyPair";
    static final long serialVersionUID = -5234712359171257951L;

    public void handleRequest(RESTRequest rESTRequest, RESTResponse rESTResponse) throws IOException {
        String path = rESTRequest.getPath();
        if (PATH_ROOT.equals(path)) {
            handleRoot(rESTRequest, rESTResponse);
            return;
        }
        if (PATH_ACCOUNT.equals(path)) {
            handleAccount(rESTRequest, rESTResponse);
        } else if (PATH_CERTIFICATE.equals(path)) {
            handleCertificate(rESTRequest, rESTResponse);
        } else {
            rESTResponse.sendError(404, "Not Found");
        }
    }

    private void handleRoot(RESTRequest rESTRequest, RESTResponse rESTResponse) throws IOException {
        String method = rESTRequest.getMethod();
        if (!HTTP_GET.equalsIgnoreCase(method)) {
            commitJsonResponse(rESTResponse, 405, Tr.formatMessage(tc, "REST_METHOD_NOT_SUPPORTED", new Object[]{method}));
            return;
        }
        if (hasReadRole(rESTRequest, rESTResponse)) {
            StringBuilder sb = new StringBuilder();
            sb.append("<html><body>");
            appendAccountText(sb);
            appendCertificateText(sb);
            sb.append("</body></html>");
            rESTResponse.setStatus(DisplayText.DISPLAY_TEXT_MAXIMUM_SIZE);
            rESTResponse.setContentType("text/html");
            rESTResponse.setContentLength(sb.length());
            rESTResponse.getOutputStream().write(sb.toString().getBytes());
        }
    }

    private void handleAccount(RESTRequest rESTRequest, RESTResponse rESTResponse) throws IOException {
        String method = rESTRequest.getMethod();
        if (HTTP_GET.equalsIgnoreCase(method)) {
            if (hasReadRole(rESTRequest, rESTResponse)) {
                StringBuilder sb = new StringBuilder();
                sb.append("<html><body>");
                appendAccountText(sb);
                sb.append("</body></html>");
                rESTResponse.setStatus(DisplayText.DISPLAY_TEXT_MAXIMUM_SIZE);
                rESTResponse.setContentType("text/html");
                rESTResponse.setContentLength(sb.length());
                rESTResponse.getOutputStream().write(sb.toString().getBytes());
                return;
            }
            return;
        }
        if (!HTTP_POST.equalsIgnoreCase(method)) {
            commitJsonResponse(rESTResponse, 405, Tr.formatMessage(tc, "REST_METHOD_NOT_SUPPORTED", new Object[]{method}));
            return;
        }
        if (hasAdminRole(rESTRequest, rESTResponse)) {
            String contentType = rESTRequest.getContentType();
            if (contentType == null || !contentType.contains("application/json")) {
                commitJsonResponse(rESTResponse, 415, Tr.formatMessage(tc, "REST_INVALID_CONTENT_TYPE", new Object[0]));
                return;
            }
            String operation = getOperation(getContentAsJsonMap(rESTRequest));
            if (operation == null) {
                commitJsonResponse(rESTResponse, 400, Tr.formatMessage(tc, "REST_MISSING_OPERATION", new Object[0]));
                return;
            }
            if (!OP_RENEW_ACCT_KEY_PAIR.equals(operation)) {
                commitJsonResponse(rESTResponse, 400, Tr.formatMessage(tc, "REST_OPERATION_NOT_SUPPORTED", new Object[]{operation}));
                return;
            }
            AcmeProvider acmeProvider = getAcmeProvider(rESTResponse);
            if (acmeProvider == null) {
                return;
            }
            try {
                acmeProvider.renewAccountKeyPair();
                commitJsonResponse(rESTResponse, DisplayText.DISPLAY_TEXT_MAXIMUM_SIZE, null);
            } catch (AcmeCaException e) {
                FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.web.AcmeCaRestHandler", "236", this, new Object[]{rESTRequest, rESTResponse});
                commitJsonResponse(rESTResponse, 500, e.getMessage());
            }
        }
    }

    @FFDCIgnore({AcmeCaException.class, IllegalRevocationReasonException.class, CertificateRenewRequestBlockedException.class})
    private void handleCertificate(RESTRequest rESTRequest, RESTResponse rESTResponse) throws IOException {
        String method = rESTRequest.getMethod();
        if (HTTP_GET.equalsIgnoreCase(method)) {
            if (hasReadRole(rESTRequest, rESTResponse)) {
                StringBuilder sb = new StringBuilder();
                sb.append("<html><body>");
                appendCertificateText(sb);
                sb.append("</body></html>");
                rESTResponse.setStatus(DisplayText.DISPLAY_TEXT_MAXIMUM_SIZE);
                rESTResponse.setContentType("text/html");
                rESTResponse.setContentLength(sb.length());
                rESTResponse.getOutputStream().write(sb.toString().getBytes());
                return;
            }
            return;
        }
        if (!HTTP_POST.equalsIgnoreCase(method)) {
            commitJsonResponse(rESTResponse, 405, Tr.formatMessage(tc, "REST_METHOD_NOT_SUPPORTED", new Object[]{method}));
            return;
        }
        if (hasAdminRole(rESTRequest, rESTResponse)) {
            String contentType = rESTRequest.getContentType();
            if (contentType == null || !contentType.contains("application/json")) {
                commitJsonResponse(rESTResponse, 415, Tr.formatMessage(tc, "REST_INVALID_CONTENT_TYPE", new Object[0]));
                return;
            }
            Map<String, Object> contentAsJsonMap = getContentAsJsonMap(rESTRequest);
            String operation = getOperation(contentAsJsonMap);
            if (operation == null) {
                commitJsonResponse(rESTResponse, 400, Tr.formatMessage(tc, "REST_MISSING_OPERATION", new Object[0]));
                return;
            }
            if (OP_RENEW_CERT.equalsIgnoreCase(operation)) {
                AcmeProvider acmeProvider = getAcmeProvider(rESTResponse);
                if (acmeProvider == null) {
                    return;
                }
                try {
                    acmeProvider.checkCertificateRenewAllowed();
                    acmeProvider.renewCertificate();
                    commitJsonResponse(rESTResponse, DisplayText.DISPLAY_TEXT_MAXIMUM_SIZE, null);
                    return;
                } catch (CertificateRenewRequestBlockedException e) {
                    commitJsonResponse(rESTResponse, 429, Tr.formatMessage(tc, "REST_TOO_MANY_REQUESTS", new Object[]{e.getTimeLeftForBlackout() + "ms"}));
                    return;
                } catch (AcmeCaException e2) {
                    commitJsonResponse(rESTResponse, 500, e2.getMessage());
                    return;
                }
            }
            if (!OP_REVOKE_CERT.equalsIgnoreCase(operation)) {
                commitJsonResponse(rESTResponse, 400, Tr.formatMessage(tc, "REST_OPERATION_NOT_SUPPORTED", new Object[]{operation}));
                return;
            }
            AcmeProvider acmeProvider2 = getAcmeProvider(rESTResponse);
            if (acmeProvider2 == null) {
                return;
            }
            try {
                acmeProvider2.revokeCertificate(getRevocationReason(contentAsJsonMap));
                commitJsonResponse(rESTResponse, DisplayText.DISPLAY_TEXT_MAXIMUM_SIZE, null);
            } catch (IllegalRevocationReasonException e3) {
                commitJsonResponse(rESTResponse, 400, e3.getMessage());
            } catch (AcmeCaException e4) {
                commitJsonResponse(rESTResponse, 500, e4.getMessage());
            }
        }
    }

    @FFDCIgnore({AcmeCaException.class})
    private void appendAccountText(StringBuilder sb) {
        sb.append("<br/><hr>");
        sb.append("<h1>ACME CA Account Details</h1>");
        sb.append("<hr>");
        try {
            AcmeClient.AcmeAccount account = this.acmeProviderRef.get().getAccount();
            sb.append("<pre>");
            sb.append("Location:                  ").append(account.getLocation()).append("\n");
            sb.append("Status:                    ").append(account.getStatus()).append("\n");
            sb.append("Contacts:                  ").append("\n");
            if (account.getContacts() == null || account.getContacts().isEmpty()) {
                sb.append("    ").append("NONE");
            } else {
                Iterator<URI> it = account.getContacts().iterator();
                while (it.hasNext()) {
                    sb.append("    ").append(it.next()).append("\n");
                }
            }
            sb.append("\n");
            sb.append("Orders:                    ").append("\n");
            if (account.getOrders() == null || account.getOrders().isEmpty()) {
                sb.append("    ").append("NONE");
            } else {
                Iterator<String> it2 = account.getOrders().iterator();
                while (it2.hasNext()) {
                    sb.append("    ").append(it2.next()).append("\n");
                }
            }
            sb.append("\n");
            sb.append("</pre>");
        } catch (AcmeCaException e) {
            sb.append("<pre>Unable to load certificate chain: ").append(e.getMessage()).append("</pre>");
        }
    }

    @FFDCIgnore({KeyStoreException.class})
    private void appendCertificateText(StringBuilder sb) {
        sb.append("<br/><hr>");
        sb.append("<h1>Active Certificate Chain</h1>");
        sb.append("<hr>");
        try {
            Certificate[] certificateChainFromKeyStore = this.keyStoreServiceRef.get().getCertificateChainFromKeyStore(AcmeConstants.DEFAULT_KEY_STORE, AcmeConstants.DEFAULT_ALIAS);
            sb.append("<pre>");
            sb.append(Arrays.asList(certificateChainFromKeyStore));
            sb.append("</pre>");
        } catch (KeyStoreException | CertificateException e) {
            sb.append("<br/><h1>Unable to load certificate chain: ").append(e.getMessage()).append("</h1>");
        }
    }

    @FFDCIgnore({JoseException.class})
    private static Map<String, Object> getContentAsJsonMap(RESTRequest rESTRequest) throws IOException {
        try {
            InputStream inputStream = rESTRequest.getInputStream();
            ByteArrayOutputStream byteArrayOutputStream = new ByteArrayOutputStream();
            byte[] bArr = new byte[1024];
            while (true) {
                int read = inputStream.read(bArr);
                if (read == -1) {
                    return JsonUtil.parseJson(byteArrayOutputStream.toString(StandardCharsets.UTF_8.name()));
                }
                byteArrayOutputStream.write(bArr, 0, read);
            }
        } catch (UnsupportedEncodingException e) {
            FFDCFilter.processException(e, "com.ibm.ws.security.acme.internal.web.AcmeCaRestHandler", "483", (Object) null, new Object[]{rESTRequest});
            throw new IOException("Unsupported content payload encoding: " + e.getMessage(), e);
        } catch (IOException e2) {
            FFDCFilter.processException(e2, "com.ibm.ws.security.acme.internal.web.AcmeCaRestHandler", "490", (Object) null, new Object[]{rESTRequest});
            throw new IOException("Error loading request payload: " + e2.getMessage(), e2);
        } catch (JoseException e3) {
            return Collections.emptyMap();
        }
    }

    @FFDCIgnore({ClassCastException.class})
    private static String getOperation(Map<String, Object> map) {
        try {
            return (String) map.get(OP_KEY);
        } catch (ClassCastException e) {
            return null;
        }
    }

    @FFDCIgnore({ClassCastException.class})
    private static String getRevocationReason(Map<String, Object> map) {
        try {
            return (String) map.get(REASON_KEY);
        } catch (ClassCastException e) {
            return null;
        }
    }

    private static void commitJsonResponse(RESTResponse rESTResponse, int i, String str) throws IOException {
        StringBuffer stringBuffer = new StringBuffer();
        stringBuffer.append("{\"httpCode\":").append(String.valueOf(i));
        if (str != null) {
            stringBuffer.append(", \"message\":\"").append(JSONObject.escape(str)).append("\"");
        }
        stringBuffer.append("}");
        rESTResponse.setStatus(i);
        rESTResponse.setContentType("application/json");
        rESTResponse.setContentLength(stringBuffer.length());
        rESTResponse.getOutputStream().write(stringBuffer.toString().getBytes());
    }

    private AcmeProvider getAcmeProvider(RESTResponse rESTResponse) throws IOException {
        AcmeProvider acmeProvider = this.acmeProviderRef.get();
        if (acmeProvider != null) {
            return acmeProvider;
        }
        commitJsonResponse(rESTResponse, 500, Tr.formatMessage(tc, "REST_NO_ACME_SERVICE", new Object[0]));
        return null;
    }

    private static boolean hasAdminRole(RESTRequest rESTRequest, RESTResponse rESTResponse) throws IOException {
        boolean isUserInRole = rESTRequest.isUserInRole("Administrator");
        if (!isUserInRole) {
            commitJsonResponse(rESTResponse, 403, Tr.formatMessage(tc, "REST_FORBIDDEN", new Object[0]));
        }
        return isUserInRole;
    }

    private static boolean hasReadRole(RESTRequest rESTRequest, RESTResponse rESTResponse) throws IOException {
        boolean z = rESTRequest.isUserInRole("Administrator") || rESTRequest.isUserInRole("Reader");
        if (!z) {
            commitJsonResponse(rESTResponse, 403, Tr.formatMessage(tc, "REST_FORBIDDEN", new Object[0]));
        }
        return z;
    }

    @Reference(cardinality = ReferenceCardinality.MANDATORY, policy = ReferencePolicy.DYNAMIC)
    protected void setAcmeProvider(AcmeProvider acmeProvider) {
        this.acmeProviderRef.set(acmeProvider);
    }

    protected void unsetAcmeProvider(AcmeProvider acmeProvider) {
        this.acmeProviderRef.compareAndSet(acmeProvider, null);
    }

    @Reference(name = AcmeConstants.KEY_KEYSTORE_SERVICE, service = KeyStoreService.class, cardinality = ReferenceCardinality.MANDATORY)
    protected void setKeyStoreService(KeyStoreService keyStoreService) {
        this.keyStoreServiceRef.set(keyStoreService);
    }

    protected void unsetKeyStoreService(KeyStoreService keyStoreService) {
        this.keyStoreServiceRef.compareAndSet(keyStoreService, null);
    }
}
