package org.forgerock.audit.handlers.csv;

import java.io.File;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.Writer;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.security.SignatureException;
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Random;
import java.util.concurrent.Executors;
import java.util.concurrent.RejectedExecutionException;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.ScheduledFuture;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.locks.ReentrantLock;
import javax.crypto.SecretKey;
import javax.crypto.spec.SecretKeySpec;
import org.forgerock.audit.events.handlers.writers.RotatableWriter;
import org.forgerock.audit.events.handlers.writers.TextWriter;
import org.forgerock.audit.events.handlers.writers.TextWriterAdapter;
import org.forgerock.audit.handlers.csv.CsvAuditEventHandlerConfiguration;
import org.forgerock.audit.handlers.csv.CsvSecureVerifier;
import org.forgerock.audit.rotation.RotationContext;
import org.forgerock.audit.rotation.RotationHooks;
import org.forgerock.audit.secure.JcaKeyStoreHandler;
import org.forgerock.audit.secure.KeyStoreHandler;
import org.forgerock.audit.secure.KeyStoreHandlerDecorator;
import org.forgerock.audit.secure.KeyStoreSecureStorage;
import org.forgerock.audit.secure.SecureStorageException;
import org.forgerock.util.Reject;
import org.forgerock.util.annotations.VisibleForTesting;
import org.forgerock.util.encode.Base64;
import org.forgerock.util.time.Duration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.supercsv.prefs.CsvPreference;

/* JADX INFO: Access modifiers changed from: package-private */
/* loaded from: input_file:WEB-INF/lib/handler-csv-2.0.12.jar:org/forgerock/audit/handlers/csv/SecureCsvWriter.class */
public class SecureCsvWriter implements CsvWriter, RotatableWriter.RolloverLifecycleHook {
    private static final Logger logger = LoggerFactory.getLogger((Class<?>) SecureCsvWriter.class);
    private final CsvFormatter csvFormatter;
    private final String[] headers;
    private Writer csvWriter;
    private RotatableWriter rotatableWriter;
    private HmacCalculator hmacCalculator;
    private final ScheduledExecutorService scheduler;
    private final ReentrantLock signatureLock = new ReentrantLock();
    private final Runnable signatureTask;
    private KeyStoreSecureStorage secureStorage;
    private final Duration signatureInterval;
    private ScheduledFuture<?> scheduledSignature;
    private String lastHMAC;
    private byte[] lastSignature;
    private boolean headerWritten;
    private final Random random;
    private File keyStoreFile;
    private String keyStorePassword;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:WEB-INF/lib/handler-csv-2.0.12.jar:org/forgerock/audit/handlers/csv/SecureCsvWriter$SecureCsvWriterRotationHooks.class */
    public class SecureCsvWriterRotationHooks implements RotationHooks {
        private SecureCsvWriterRotationHooks() {
        }

        @Override // org.forgerock.audit.rotation.RotationHooks
        public void preRotationAction(RotationContext rotationContext) throws IOException {
            SecureCsvWriter.this.forceWriteSignature(rotationContext.getWriter());
        }

        @Override // org.forgerock.audit.rotation.RotationHooks
        public void postRotationAction(RotationContext rotationContext) throws IOException {
            String name = SecureCsvWriter.this.keyStoreFile.getName();
            String replaceFirst = name.replaceFirst(rotationContext.getInitialFile().getName(), rotationContext.getNextFile().getName());
            File file = new File(SecureCsvWriter.this.keyStoreFile.getParent(), replaceFirst);
            SecureCsvWriter.logger.trace("Renaming keystore file {} to {}", name, replaceFirst);
            if (!SecureCsvWriter.this.keyStoreFile.renameTo(file)) {
                SecureCsvWriter.logger.error("Unable to rename {} to {}", SecureCsvWriter.this.keyStoreFile.getAbsolutePath(), file.getAbsolutePath());
            }
            try {
                SecureCsvWriter.this.secureStorage.setKeyStoreHandler(new JcaKeyStoreHandler(KeyStoreSecureStorage.JCEKS_KEYSTORE_TYPE, SecureCsvWriter.this.keyStoreFile.getPath(), SecureCsvWriter.this.keyStorePassword));
                SecureCsvWriter.logger.trace("Updated secureStorage to reference new keyStoreFile");
                SecureCsvWriter.this.initHmacCalculatorWithRandomData();
                Writer writer = rotationContext.getWriter();
                SecureCsvWriter.this.writeHeader(writer, SecureCsvWriter.this.headers);
                SecureCsvWriter.this.writeLastSignature(writer);
                writer.flush();
            } catch (Exception e) {
                throw new IOException(e);
            }
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    public SecureCsvWriter(File file, String[] strArr, CsvPreference csvPreference, CsvAuditEventHandlerConfiguration csvAuditEventHandlerConfiguration, KeyStoreHandler keyStoreHandler, Random random) throws IOException {
        this.headerWritten = false;
        Reject.ifFalse(csvAuditEventHandlerConfiguration.getSecurity().isEnabled(), "SecureCsvWriter should only be used if security is enabled");
        boolean z = file.exists() && file.length() > 0;
        this.random = random;
        this.keyStoreFile = new File(file.getPath() + ".keystore");
        this.headers = (String[]) Reject.checkNotNull(strArr, "The headers can't be null.");
        this.csvFormatter = new CsvFormatter(csvPreference);
        this.csvWriter = constructWriter(file, z, csvAuditEventHandlerConfiguration);
        this.hmacCalculator = new HmacCalculator(KeyStoreSecureStorage.HMAC_ALGORITHM);
        try {
            KeyStoreHandlerDecorator keyStoreHandlerDecorator = new KeyStoreHandlerDecorator(keyStoreHandler);
            SecretKey readSecretKeyFromKeyStore = keyStoreHandlerDecorator.readSecretKeyFromKeyStore("Password");
            if (readSecretKeyFromKeyStore == null) {
                throw new IllegalArgumentException(String.format("No '%s' symmetric key found in the provided keystore: %s. This key must be provided.", "Password", keyStoreHandlerDecorator.getLocation()));
            }
            this.keyStorePassword = Base64.encode(readSecretKeyFromKeyStore.getEncoded());
            JcaKeyStoreHandler jcaKeyStoreHandler = new JcaKeyStoreHandler(KeyStoreSecureStorage.JCEKS_KEYSTORE_TYPE, this.keyStoreFile.getPath(), this.keyStorePassword);
            PublicKey readPublicKeyFromKeyStore = keyStoreHandlerDecorator.readPublicKeyFromKeyStore(KeyStoreSecureStorage.ENTRY_SIGNATURE);
            PrivateKey readPrivateKeyFromKeyStore = keyStoreHandlerDecorator.readPrivateKeyFromKeyStore(KeyStoreSecureStorage.ENTRY_SIGNATURE);
            if (readPublicKeyFromKeyStore == null || readPrivateKeyFromKeyStore == null) {
                throw new IllegalArgumentException(String.format("No '%s' signing key found in the provided keystore: %s. This key must be provided.", KeyStoreSecureStorage.ENTRY_SIGNATURE, keyStoreHandlerDecorator.getLocation()));
            }
            this.secureStorage = new KeyStoreSecureStorage(jcaKeyStoreHandler, readPublicKeyFromKeyStore, readPrivateKeyFromKeyStore);
            CsvAuditEventHandlerConfiguration.CsvSecurity security = csvAuditEventHandlerConfiguration.getSecurity();
            if (z) {
                CsvSecureVerifier csvSecureVerifier = new CsvSecureVerifier(file, csvPreference, this.secureStorage);
                CsvSecureVerifier.VerificationResult verify = csvSecureVerifier.verify();
                if (!verify.hasPassedVerification()) {
                    throw new IOException("The CSV file was tampered: " + verify.getFailureReason());
                }
                String[] headers = csvSecureVerifier.getHeaders();
                if (headers != null) {
                    if (headers.length != strArr.length) {
                        throw new IOException("Resuming an existing CSV file but the headers do not match.");
                    }
                    for (int i = 0; i < headers.length; i++) {
                        if (!headers[i].equals(strArr[i])) {
                            throw new IOException("Resuming an existing CSV file but the headers do not match.");
                        }
                    }
                }
                SecretKey readCurrentKey = this.secureStorage.readCurrentKey();
                if (readCurrentKey == null) {
                    throw new IllegalStateException("We are supposed to resume but there is not entry for CurrentKey.");
                }
                this.hmacCalculator.setCurrentKey(readCurrentKey.getEncoded());
                setLastHMAC(csvSecureVerifier.getLastHMAC());
                setLastSignature(csvSecureVerifier.getLastSignature());
                this.headerWritten = true;
            } else {
                initHmacCalculatorWithRandomData();
            }
            this.signatureInterval = security.getSignatureIntervalDuration();
            this.scheduler = Executors.newScheduledThreadPool(1);
            this.signatureTask = new Runnable() { // from class: org.forgerock.audit.handlers.csv.SecureCsvWriter.1
                @Override // java.lang.Runnable
                public void run() {
                    try {
                        SecureCsvWriter.logger.trace("THREAD !!!");
                        if (!SecureCsvWriter.this.signatureLock.isLocked()) {
                            SecureCsvWriter.this.writeSignature(SecureCsvWriter.this.csvWriter);
                        }
                    } catch (Exception e) {
                        SecureCsvWriter.logger.error("An error occurred while writing the signature", (Throwable) e);
                    }
                }
            };
        } catch (Exception e) {
            throw new RuntimeException("Error when initializing a secure CSV writer", e);
        }
    }

    @Override // org.forgerock.audit.events.handlers.writers.RotatableWriter.RolloverLifecycleHook
    public void beforeRollingOver() {
        this.signatureLock.lock();
    }

    @Override // org.forgerock.audit.events.handlers.writers.RotatableWriter.RolloverLifecycleHook
    public void afterRollingOver() {
        this.signatureLock.unlock();
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void initHmacCalculatorWithRandomData() throws SecureStorageException {
        this.hmacCalculator.setCurrentKey(getRandomBytes());
        this.secureStorage.writeInitialKey(this.hmacCalculator.getCurrentKey());
        this.secureStorage.writeCurrentKey(this.hmacCalculator.getCurrentKey());
    }

    private byte[] getRandomBytes() {
        byte[] bArr = new byte[32];
        this.random.nextBytes(bArr);
        return bArr;
    }

    private Writer constructWriter(File file, boolean z, CsvAuditEventHandlerConfiguration csvAuditEventHandlerConfiguration) throws IOException {
        TextWriter stream;
        if (csvAuditEventHandlerConfiguration.getFileRotation().isRotationEnabled()) {
            this.rotatableWriter = new RotatableWriter(file, csvAuditEventHandlerConfiguration, z, this);
            this.rotatableWriter.registerRotationHooks(new SecureCsvWriterRotationHooks());
            stream = this.rotatableWriter;
        } else {
            stream = new TextWriter.Stream(new FileOutputStream(file, z));
        }
        if (csvAuditEventHandlerConfiguration.getBuffering().isEnabled()) {
            logger.warn("Secure CSV logging does not support buffering. Buffering config will be ignored.");
        }
        return new TextWriterAdapter(stream);
    }

    @Override // org.forgerock.audit.handlers.csv.CsvWriter
    public void flush() throws IOException {
        this.csvWriter.flush();
    }

    @Override // org.forgerock.audit.handlers.csv.CsvWriter, java.lang.AutoCloseable
    public void close() throws IOException {
        flush();
        this.signatureLock.lock();
        try {
            forceWriteSignature(this.csvWriter);
            this.scheduler.shutdown();
            while (!this.scheduler.awaitTermination(500L, TimeUnit.MILLISECONDS)) {
                try {
                    logger.debug("Waiting to terminate the scheduler.");
                } catch (InterruptedException e) {
                    logger.error("Unable to terminate the scheduler", (Throwable) e);
                    Thread.currentThread().interrupt();
                }
            }
            this.csvWriter.close();
        } finally {
            this.signatureLock.unlock();
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void forceWriteSignature(Writer writer) throws IOException {
        if (this.scheduledSignature == null || !this.scheduledSignature.cancel(false)) {
            return;
        }
        writeSignature(writer);
    }

    public void writeHeader(String... strArr) throws IOException {
        writeHeader(this.csvWriter, strArr);
    }

    public void writeHeader(Writer writer, String... strArr) throws IOException {
        writer.write(this.csvFormatter.formatHeader(addExtraColumns(strArr)));
        logger.trace("Header written to file");
        this.headerWritten = true;
    }

    @VisibleForTesting
    void writeSignature(Writer writer) throws IOException {
        this.signatureLock.lock();
        try {
            try {
                this.lastSignature = this.secureStorage.sign(CsvSecureUtils.dataToSign(this.lastSignature, this.lastHMAC));
                logger.trace("Calculated new Signature");
                writeEvent(writer, Collections.singletonMap("SIGNATURE", Base64.encode(this.lastSignature)));
                logger.trace("Signature written to file");
                this.secureStorage.writeCurrentSignatureKey(new SecretKeySpec(this.lastSignature, KeyStoreSecureStorage.SIGNATURE_ALGORITHM));
                logger.trace("Signature written to secureStorage");
                this.signatureLock.unlock();
                flush();
            } catch (SecureStorageException e) {
                logger.error(e.getMessage(), (Throwable) e);
                throw new IOException(e);
            }
        } catch (Throwable th) {
            this.signatureLock.unlock();
            flush();
            throw th;
        }
    }

    @Override // org.forgerock.audit.handlers.csv.CsvWriter
    public boolean forceRotation() throws IOException {
        if (this.rotatableWriter != null) {
            return this.rotatableWriter.forceRotation();
        }
        return false;
    }

    @Override // org.forgerock.audit.handlers.csv.CsvWriter
    public void writeEvent(Map<String, String> map) throws IOException {
        writeEvent(this.csvWriter, map);
    }

    public void writeEvent(Writer writer, Map<String, String> map) throws IOException {
        this.signatureLock.lock();
        try {
            try {
                if (!this.headerWritten) {
                    writeHeader(this.headers);
                }
                String[] addExtraColumns = addExtraColumns(this.headers);
                HashMap hashMap = new HashMap(map);
                if (!map.containsKey("SIGNATURE")) {
                    insertHMACSignature(hashMap, this.headers);
                }
                writer.write(this.csvFormatter.formatEvent(hashMap, addExtraColumns));
                writer.flush();
                this.secureStorage.writeCurrentKey(this.hmacCalculator.getCurrentKey());
                if (!map.containsKey("SIGNATURE") && (this.scheduledSignature == null || this.scheduledSignature.isDone())) {
                    logger.trace("Triggering a new signature task to be executed in {}", this.signatureInterval);
                    try {
                        logger.trace("SHCHEDULED!!");
                        this.scheduledSignature = this.scheduler.schedule(this.signatureTask, this.signatureInterval.getValue(), this.signatureInterval.getUnit());
                    } catch (RejectedExecutionException e) {
                        logger.error(e.getMessage(), (Throwable) e);
                    }
                }
            } catch (SecureStorageException e2) {
                throw new IOException(e2);
            }
        } finally {
            this.signatureLock.unlock();
        }
    }

    private void insertHMACSignature(Map<String, String> map, String[] strArr) throws IOException {
        try {
            this.lastHMAC = this.hmacCalculator.calculate(CsvSecureUtils.dataToSign(logger, map, strArr));
            map.put("HMAC", this.lastHMAC);
        } catch (SignatureException e) {
            logger.error(e.getMessage(), (Throwable) e);
            throw new IOException(e);
        }
    }

    private String[] addExtraColumns(String... strArr) {
        String[] strArr2 = new String[strArr.length + 2];
        System.arraycopy(strArr, 0, strArr2, 0, strArr.length);
        strArr2[strArr.length] = "HMAC";
        strArr2[strArr.length + 1] = "SIGNATURE";
        return strArr2;
    }

    private void setLastHMAC(String str) {
        this.lastHMAC = str;
    }

    private void setLastSignature(byte[] bArr) {
        this.lastSignature = bArr;
    }

    /* JADX INFO: Access modifiers changed from: private */
    public void writeLastSignature(Writer writer) throws IOException {
        this.signatureLock.lock();
        try {
            try {
                writeEvent(writer, Collections.singletonMap("SIGNATURE", Base64.encode(this.lastSignature)));
                logger.trace("Signature from previous file written to new file");
                this.signatureLock.unlock();
            } catch (IOException e) {
                logger.error(e.getMessage(), (Throwable) e);
                throw new IOException(e);
            }
        } catch (Throwable th) {
            this.signatureLock.unlock();
            throw th;
        }
    }
}
