package org.nhindirect.dns;

import com.google.inject.Inject;
import java.io.ByteArrayInputStream;
import java.io.InputStream;
import java.net.URL;
import java.security.Security;
import java.security.cert.X509Certificate;
import java.security.interfaces.RSAKey;
import java.util.ArrayList;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.Iterator;
import java.util.Map;
import org.apache.commons.io.IOUtils;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.nhind.config.CertPolicy;
import org.nhind.config.Certificate;
import org.nhind.config.CertificateGetOptions;
import org.nhind.config.ConfigurationServiceProxy;
import org.nhind.config.DnsRecord;
import org.nhindirect.config.model.exceptions.CertificateConversionException;
import org.nhindirect.config.model.utils.CertUtils;
import org.nhindirect.dns.annotation.ConfigServiceURL;
import org.nhindirect.policy.PolicyExpression;
import org.nhindirect.policy.PolicyFilter;
import org.nhindirect.policy.PolicyFilterFactory;
import org.nhindirect.policy.PolicyLexicon;
import org.nhindirect.policy.PolicyLexiconParser;
import org.nhindirect.policy.PolicyLexiconParserFactory;
import org.xbill.DNS.CERTRecord;
import org.xbill.DNS.Header;
import org.xbill.DNS.Message;
import org.xbill.DNS.Name;
import org.xbill.DNS.RRset;
import org.xbill.DNS.Record;

/* loaded from: input_file:org/nhindirect/dns/ConfigServiceDNSStore.class */
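/**
 * {@link DNSStore} backed by the remote configuration service.
 *
 * <p>Queries are answered from three sources, all reached through
 * {@link ConfigurationServiceProxy}: generic DNS records, certificates published
 * as CERT records, and SOA records (loaded once and cached) that are attached to
 * the authority section of every answer.
 *
 * <p>An optional certificate policy, named by the system property
 * {@value #DNS_CERT_POLICY_NAME_VAR}, filters which X.509 certificates are
 * published. The filter is deliberately lenient: a policy that cannot be found,
 * cannot be compiled, or throws during evaluation results in the certificate
 * being published. See the notes on {@link #configCertPolicy()} and
 * {@link #isCertCompliantWithPolicy(X509Certificate)}.
 */
public class ConfigServiceDNSStore implements DNSStore {
    /** System property holding the name of the certificate policy to load from the config service. */
    protected static final String DNS_CERT_POLICY_NAME_VAR = "org.nhindirect.dns.CertPolicyName";

    /** JCE provider name returned when {@link #JCE_PROVIDER_STRING_SYS_PARAM} is unset or empty. */
    protected static final String DEFAULT_JCE_PROVIDER_STRING = "BC";

    /** System property holding the JCE provider name. */
    protected static final String JCE_PROVIDER_STRING_SYS_PARAM = "org.nhindirect.dns.JCEProviderName";

    protected static final Log LOGGER = LogFactory.getFactory().getInstance(ConfigServiceDNSStore.class);

    /** SOA records keyed by absolute owner name; {@code null} until the first successful load. */
    protected Map<String, Record> soaRecords = null;

    /** Policy filter; {@code null} means no policy is enforced. */
    protected PolicyFilter polFilter = null;

    /** Compiled policy expression evaluated by {@link #polFilter}. */
    protected PolicyExpression polExpression = null;

    final ConfigurationServiceProxy proxy;

    /**
     * Returns the configured JCE provider name.
     *
     * @return the value of {@value #JCE_PROVIDER_STRING_SYS_PARAM}, or
     *     {@value #DEFAULT_JCE_PROVIDER_STRING} when the property is unset or empty
     */
    public static String getJCEProviderName() {
        String configured = System.getProperty(JCE_PROVIDER_STRING_SYS_PARAM);
        if (configured == null || configured.isEmpty()) {
            return DEFAULT_JCE_PROVIDER_STRING;
        }
        return configured;
    }

    /**
     * Stores the JCE provider name in the JVM-wide system property
     * {@value #JCE_PROVIDER_STRING_SYS_PARAM}.
     *
     * @param str provider name; {@code null} or empty selects
     *     {@value #DEFAULT_JCE_PROVIDER_STRING}
     */
    public static void setJCEProviderName(String str) {
        boolean useDefault = str == null || str.isEmpty();
        System.setProperty(JCE_PROVIDER_STRING_SYS_PARAM, useDefault ? DEFAULT_JCE_PROVIDER_STRING : str);
    }

    /**
     * Creates a store that talks to the configuration service at {@code url} and
     * loads the optional certificate policy.
     *
     * @param url location of the configuration service
     * @throws IllegalStateException if {@link #configCertPolicy()} reports a {@link DNSException}
     */
    @Inject
    public ConfigServiceDNSStore(@ConfigServiceURL URL url) {
        this.proxy = new ConfigurationServiceProxy(url.toString());
        try {
            // NOTE(review): configCertPolicy() is overridable and runs before any subclass
            // constructor body; an override must not rely on subclass state.
            configCertPolicy();
        } catch (DNSException e) {
            throw new IllegalStateException(e);
        }
    }

    /**
     * Loads and compiles the certificate policy named by the system property
     * {@value #DNS_CERT_POLICY_NAME_VAR}, if one is set.
     *
     * <p>NOTE(review): every failure path here leaves {@link #polFilter} {@code null},
     * which means "publish every certificate". A missing or uncompilable policy is
     * only visible as a WARN log line, so deployments that depend on the policy
     * should alert on those messages.
     *
     * @throws DNSException declared for overriding implementations; this
     *     implementation logs failures instead of throwing
     */
    protected void configCertPolicy() throws DNSException {
        String policyName = System.getProperty(DNS_CERT_POLICY_NAME_VAR);
        if (StringUtils.isEmpty(policyName)) {
            LOGGER.info("No certificate policy has been configured.");
            return;
        }
        LOGGER.info("Certificate policy name " + policyName + " has been configured.");
        try {
            CertPolicy policy = this.proxy.getPolicyByName(policyName);
            if (policy == null) {
                LOGGER.warn("Certificate policy " + policyName + " could not be found in the system.  Falling back to no policy.");
                return;
            }
            PolicyLexiconParser parser =
                    PolicyLexiconParserFactory.getInstance(PolicyLexicon.valueOf(policy.getLexicon().getValue()));
            try (ByteArrayInputStream policyStream = new ByteArrayInputStream(policy.getPolicyData())) {
                this.polExpression = parser.parse(policyStream);
                // The filter is assigned last: a null filter is what disables enforcement.
                this.polFilter = PolicyFilterFactory.getInstance();
            }
        } catch (Exception e) {
            LOGGER.warn("Error loading and compling certificate policy " + policyName + ".  Will fallback to no policy filter.", e);
        }
    }

    /**
     * Answers a DNS query from the configuration service.
     *
     * <p>The numeric literals below are dnsjava constants: header flags 0/5/7 are
     * QR/AA/RD, class 1 is IN, sections 0/1/2 are question/answer/authority, and the
     * record types are A(1), NS(2), CNAME(5), SOA(6), MX(15), SRV(33), CERT(37) and
     * ANY(255). The {@code DNSError.newError} codes 1, 2 and 4 presumably map to the
     * FORMERR, SERVFAIL and NOTIMP rcodes — confirm against {@code DNSError}.
     *
     * @param message the query; must be a standard query (opcode 0) of class IN
     * @return an authoritative response, or {@code null} when no records match
     * @throws DNSException if the query is malformed, unsupported, or the backend lookup fails
     */
    @Override
    public Message get(Message message) throws DNSException {
        LOGGER.trace("get(Message) Entered");
        if (message == null) {
            throw new DNSException((DNSError<?>) DNSError.newError(1));
        }
        Header header = message.getHeader();
        // A message with QR set is a response, not a query; a query must also carry rcode 0.
        if (header.getFlag(0) || header.getRcode() != 0) {
            throw new DNSException((DNSError<?>) DNSError.newError(1));
        }
        if (header.getOpcode() != 0) {
            throw new DNSException((DNSError<?>) DNSError.newError(4));
        }
        Record question = message.getQuestion();
        if (question == null || question.getDClass() != 1) {
            throw new DNSException((DNSError<?>) DNSError.newError(4));
        }
        Name name = question.getName();
        int type = question.getType();
        String queryName = name.toString();
        if (LOGGER.isDebugEnabled()) {
            StringBuilder sb = new StringBuilder("Recieved Query Request:");
            sb.append("\r\n\tName: " + queryName);
            sb.append("\r\n\tType: " + type);
            sb.append("\r\n\tDClass: " + question.getDClass());
            LOGGER.debug(sb.toString());
        }

        Collection<Record> answers = null;
        switch (type) {
            case 1:
            case 2:
            case 5:
            case 6:
            case 15:
            case 33:
                try {
                    answers = toRecords(processGenericRecordRequest(queryName, type));
                } catch (DNSException e) {
                    // Already carries the precise failure; do not re-wrap it.
                    throw e;
                } catch (Exception e) {
                    throw new DNSException(DNSError.newError(2), "DNS service proxy call failed: " + e.getMessage(), e);
                }
                break;
            case 37:
                answers = toRecords(processCERTRecordRequest(queryName));
                break;
            case 255:
                Collection<Record> generic = processGenericANYRecordRequest(queryName);
                Collection<Record> certs = toRecords(processCERTRecordRequest(queryName));
                if (generic != null || certs != null) {
                    answers = new ArrayList<>();
                    if (generic != null) {
                        answers.addAll(generic);
                    }
                    if (certs != null) {
                        answers.addAll(certs);
                    }
                }
                break;
            default:
                LOGGER.debug("Query Type " + type + " not implemented");
                throw new DNSException((DNSError<?>) DNSError.newError(4), "Query Type " + type + " not implemented");
        }

        if (answers == null || answers.isEmpty()) {
            LOGGER.debug("No records found.");
            return null;
        }

        Message response = new Message(message.getHeader().getID());
        response.getHeader().setFlag(0);
        // Echo the client's recursion-desired flag.
        if (message.getHeader().getFlag(7)) {
            response.getHeader().setFlag(7);
        }
        response.addRecord(question, 0);
        for (Record answer : answers) {
            response.addRecord(answer, 1);
        }
        response.getHeader().setFlag(5);
        Record soa = checkForSoaRecord(queryName);
        if (soa != null) {
            response.addRecord(soa, 2);
        }
        LOGGER.trace("get(Message) Exit");
        return response;
    }

    /**
     * Looks up records of one type for a name.
     *
     * @param str owner name to look up
     * @param i DNS record type
     * @return the matching records, or {@code null} when the config service has none
     * @throws DNSException if the config service call fails or a stored record cannot be parsed
     */
    protected RRset processGenericRecordRequest(String str, int i) throws DNSException {
        DnsRecord[] stored = fetchDnsRecords(str, i);
        if (stored == null || stored.length == 0) {
            return null;
        }
        RRset rrset = new RRset();
        for (DnsRecord dnsRecord : stored) {
            rrset.addRR(toRecord(dnsRecord));
        }
        return rrset;
    }

    /**
     * Looks up records of every type (ANY, type 255) for a name.
     *
     * @param str owner name to look up
     * @return the matching records, or {@code null} when the config service has none
     * @throws DNSException if the config service call fails or a stored record cannot be parsed
     */
    protected Collection<Record> processGenericANYRecordRequest(String str) throws DNSException {
        DnsRecord[] stored = fetchDnsRecords(str, 255);
        if (stored == null || stored.length == 0) {
            return null;
        }
        Collection<Record> records = new ArrayList<>();
        for (DnsRecord dnsRecord : stored) {
            records.add(toRecord(dnsRecord));
        }
        return records;
    }

    /**
     * Builds the CERT record set for an owner name.
     *
     * <p>The name is first looked up as given (a domain). If nothing is found, each
     * {@code '.'} is replaced in turn by {@code '@'} so that a query such as
     * {@code user.example.com} also matches certificates stored for
     * {@code user@example.com}. Each attempt is one config-service call, so a query
     * that matches nothing costs one call per label of the query name.
     *
     * <p>Entries that parse as X.509 are published as type 1 (PKIX) after the policy
     * check; entries that do not parse are expected to hold a URL and are published
     * as type 253 (URI). Policy filtering applies only to parsed certificates.
     *
     * @param str owner name, with or without the trailing dot
     * @return the CERT records, or {@code null} when no publishable certificate exists
     * @throws DNSException if the config service call fails or an entry is neither a
     *     certificate nor a URL
     */
    protected RRset processCERTRecordRequest(String str) throws DNSException {
        if (str.endsWith(".")) {
            str = str.substring(0, str.length() - 1);
        }

        Certificate[] certificates = lookupCertificates(str);
        if (certificates == null || certificates.length == 0) {
            int searchFrom = 0;
            while (true) {
                int dot = str.indexOf(".", searchFrom);
                if (dot <= -1) {
                    break;
                }
                char[] candidate = str.toCharArray();
                candidate[dot] = '@';
                certificates = lookupCertificates(String.copyValueOf(candidate));
                if ((certificates != null && certificates.length > 0) || dot >= str.length() - 1) {
                    break;
                }
                searchFrom = dot + 1;
            }
        }
        if (certificates == null || certificates.length == 0) {
            return null;
        }

        if (!str.endsWith(".")) {
            str = str + ".";
        }
        RRset rrset = new RRset();
        try {
            for (Certificate certificate : certificates) {
                X509Certificate x509 = null;
                try {
                    x509 = CertUtils.toCertContainer(certificate.getData()).getCert();
                } catch (CertificateConversionException ignored) {
                    // Not an X.509 container; handled below as a URL entry.
                }

                int certType;
                int keyTag = 0;
                int algorithm = 0;
                byte[] rdata;
                if (x509 != null) {
                    if (!isCertCompliantWithPolicy(x509)) {
                        continue;
                    }
                    certType = 1;
                    rdata = x509.getEncoded();
                    if (x509.getPublicKey() instanceof RSAKey) {
                        // Key tag is the low 16 bits of the RSA modulus; 5 is RSA/SHA-1
                        // in the DNSSEC algorithm numbering.
                        byte[] modulus = ((RSAKey) x509.getPublicKey()).getModulus().toByteArray();
                        keyTag = ((modulus[modulus.length - 2] << 8) & 65280) | (modulus[modulus.length - 1] & 255);
                        algorithm = 5;
                    }
                } else {
                    // Previously this path dereferenced the null certificate before
                    // reaching the URL handling, so any URL entry failed the whole query.
                    try {
                        rdata = certificate.getData();
                        // Constructed only to validate that the entry is a well-formed URL.
                        new URL(new String(rdata));
                        certType = 253;
                    } catch (Exception e) {
                        throw new DNSException(DNSError.newError(2), "Failure while parsing CERT record data: " + e.getMessage(), e);
                    }
                }
                rrset.addRR(new CERTRecord(Name.fromString(str), 1, 86400L, certType, keyTag, algorithm, rdata));
            }
        } catch (DNSException e) {
            throw e;
        } catch (Exception e) {
            throw new DNSException(DNSError.newError(2), "Failure while parsing CERT record data: " + e.getMessage(), e);
        }
        return rrset.size() == 0 ? null : rrset;
    }

    /**
     * Finds the SOA record for a name, walking up the label hierarchy until a zone matches.
     *
     * <p>SOA records are loaded from the config service on first use and cached for
     * the lifetime of this instance. If the load fails, nothing is cached and the
     * next call retries.
     *
     * @param str owner name, with or without the trailing dot
     * @return the SOA record of the closest enclosing zone, or {@code null} if none is known
     */
    protected synchronized Record checkForSoaRecord(String str) {
        if (!str.endsWith(".")) {
            str = str + ".";
        }
        if (this.soaRecords == null) {
            try {
                DnsRecord[] stored = this.proxy.getDNSByType(6);
                if (stored == null || stored.length == 0) {
                    this.soaRecords = Collections.emptyMap();
                } else {
                    // Build into a local map so a failure part-way through never
                    // leaves a partially populated cache behind.
                    Map<String, Record> loaded = new HashMap<>();
                    for (DnsRecord dnsRecord : stored) {
                        Record soa = Record.newRecord(Name.fromString(dnsRecord.getName()), 6, dnsRecord.getDclass(), dnsRecord.getTtl(), dnsRecord.getData());
                        loaded.put(soa.getName().toString(), soa);
                    }
                    this.soaRecords = loaded;
                }
            } catch (Exception e) {
                LOGGER.error("Failed to load SOA records from config service.", e);
            }
        }

        Map<String, Record> cache = this.soaRecords;
        // The cache is still null when the load above failed; answer without an SOA
        // rather than failing the query.
        if (cache == null || cache.isEmpty()) {
            return null;
        }
        Record record = cache.get(str);
        while (record == null) {
            int dot = str.indexOf(".");
            if (dot <= 0 || dot >= str.length() - 1) {
                break;
            }
            str = str.substring(dot + 1);
            record = cache.get(str);
        }
        return record;
    }

    /**
     * Evaluates a certificate against the configured policy.
     *
     * <p>NOTE(review): this check fails open. With no filter configured, or when the
     * filter throws, the certificate is treated as compliant and will be published.
     * Evaluation errors are logged at WARN; monitor for that message if the policy
     * is relied on to keep certificates out of DNS.
     *
     * @param x509Certificate certificate to evaluate
     * @return {@code false} only when the filter evaluates the certificate as non-compliant
     */
    protected boolean isCertCompliantWithPolicy(X509Certificate x509Certificate) {
        if (this.polFilter == null) {
            return true;
        }
        try {
            return this.polFilter.isCompliant(x509Certificate, this.polExpression);
        } catch (Exception e) {
            LOGGER.warn("Error testing certificate for policy compliance.  Default to compliant.", e);
            return true;
        }
    }

    /** Fetches stored DNS records, reporting any proxy failure as a {@link DNSException}. */
    private DnsRecord[] fetchDnsRecords(String name, int type) throws DNSException {
        try {
            return this.proxy.getDNSByNameAndType(name, type);
        } catch (Exception e) {
            throw new DNSException(DNSError.newError(2), "DNS service proxy call for DNS records failed: " + e.getMessage(), e);
        }
    }

    /** Fetches certificates for an owner, reporting any proxy failure as a {@link DNSException}. */
    private Certificate[] lookupCertificates(String owner) throws DNSException {
        try {
            return this.proxy.getCertificatesForOwner(owner, (CertificateGetOptions) null);
        } catch (Exception e) {
            throw new DNSException(DNSError.newError(2), "DNS service proxy call for certificates failed: " + e.getMessage(), e);
        }
    }

    /** Converts a stored record to a dnsjava record, reporting parse failures as a {@link DNSException}. */
    private static Record toRecord(DnsRecord dnsRecord) throws DNSException {
        try {
            return Record.newRecord(Name.fromString(dnsRecord.getName()), dnsRecord.getType(), dnsRecord.getDclass(), dnsRecord.getTtl(), dnsRecord.getData());
        } catch (Exception e) {
            throw new DNSException(DNSError.newError(2), "Failure while parsing generic record data: " + e.getMessage(), e);
        }
    }

    /** Copies the records of a set into a collection; a {@code null} set yields {@code null}. */
    private static Collection<Record> toRecords(RRset rrset) {
        if (rrset == null) {
            return null;
        }
        Collection<Record> records = new ArrayList<>();
        Iterator<?> it = rrset.rrs();
        while (it.hasNext()) {
            records.add((Record) it.next());
        }
        return records;
    }

    static {
        Security.addProvider(new BouncyCastleProvider());
    }
}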
