package com.atlassian.bamboo.upgrade.tasks.v9_4;

import com.atlassian.bamboo.fileserver.SystemDirectory;
import com.atlassian.bamboo.security.JmsSslManagementUtils;
import com.atlassian.bamboo.upgrade.AbstractBootstrapUpgradeTask;
import com.atlassian.bamboo.utils.BambooPathUtils;
import com.atlassian.bamboo.utils.Pair;
import com.atlassian.bamboo.utils.SystemProperty;
import com.atlassian.config.ConfigurationException;
import com.atlassian.upgrade.UpgradeException;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileOutputStream;
import java.io.IOException;
import java.security.Key;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.util.Optional;
import org.apache.commons.io.FileUtils;
import org.apache.commons.lang3.RandomStringUtils;
import org.apache.commons.lang3.StringUtils;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;

/* loaded from: input_file:com/atlassian/bamboo/upgrade/tasks/v9_4/UpgradeTask90408ChangeDefaultJmsKeyStorePassword.class */
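/**
 * Bootstrap upgrade task that re-protects the default JMS broker keystore ({@code broker.ks})
 * with a freshly generated password instead of the well-known default {@code "bamboo"}.
 *
 * <p>The task is a no-op when a keystore password is already recorded in the shared properties,
 * when automatic JMS keystore management is disabled, when a custom keystore is configured, when
 * the default keystore file does not exist, or when the keystore cannot be opened with the old
 * default password. In the "disabled" and "custom keystore" cases it only warns if a leftover
 * default keystore is still present in the config directory.
 */
public class UpgradeTask90408ChangeDefaultJmsKeyStorePassword extends AbstractBootstrapUpgradeTask {
    private static final Logger log = LogManager.getLogger(UpgradeTask90408ChangeDefaultJmsKeyStorePassword.class);
    private static final String DOCUMENTATION_URL = "https://confluence.atlassian.com/bamboo/securing-your-remote-agents-289277197.html";
    // The publicly known default password this task migrates away from.
    static final String OLD_DEFAULT_PASSWORD = "bamboo";

    private static final String DEFAULT_KEYSTORE_FILE_NAME = "broker.ks";
    private static final String BROKER_KEY_ALIAS = "jmsbrokerkey";
    private static final String PASSWORD_ALPHABET =
            "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
    private static final int MIN_PASSWORD_LENGTH = 16;
    private static final int MAX_PASSWORD_LENGTH_EXCLUSIVE = 20;

    public UpgradeTask90408ChangeDefaultJmsKeyStorePassword() {
        super("Change default JMS keystore password");
    }

    /**
     * Replaces the default keystore password, keeping the existing broker key and certificate chain.
     *
     * <p>Order of operations: load the old keystore with the default password, build a new in-memory
     * keystore protected by a random password, move the old file to a timestamped backup, write the
     * new keystore to the original path, persist the new password in the shared properties, and only
     * then delete the backup. On any failure after the backup was taken the backup is kept so the
     * operator can restore it.
     *
     * @throws UpgradeException if the keystore cannot be read, backed up or written, or if the new
     *                          password cannot be persisted
     */
    public void doUpgrade() throws UpgradeException {
        if (StringUtils.isNotBlank(this.bootstrapManager.getBambooSharedProperties().getJmsKeyStorePasswordEncrypted())) {
            log.info("Keystore password was already changed");
            return;
        }
        final File keyStoreFile = FileUtils.getFile(SystemDirectory.getConfigDirectory(), DEFAULT_KEYSTORE_FILE_NAME);
        final boolean keyStoreExists = keyStoreFile.exists();
        log.debug("Default keystore file path: {} ", keyStoreFile.getAbsolutePath());
        if (JmsSslManagementUtils.isJmsKeystoreAutomaticManagementDisabled()) {
            log.info("Automatic JMS keystore management is disabled, skipping password change");
            warnIfDefaultKeyStoreExists(keyStoreExists, keyStoreFile, System.getProperty("javax.net.ssl.keyStore"));
            return;
        }
        final String customKeyStorePath = SystemProperty.BAMBOO_JMS_SSL_KEYSTORE.getValue();
        if (StringUtils.isNotBlank(customKeyStorePath)) {
            log.info("Custom JMS keystore is configured, skipping password change");
            warnIfDefaultKeyStoreExists(keyStoreExists, keyStoreFile, customKeyStorePath);
            return;
        }
        if (!keyStoreExists) {
            log.info("Bamboo keystore file doesn't exist, skipping password change");
            return;
        }
        final Optional<KeyStore> oldKeyStore = loadOldKeyStore(keyStoreFile);
        if (oldKeyStore.isEmpty()) {
            log.warn("Couldn't load the keystore {} using default password, skipping password change", keyStoreFile.getAbsolutePath());
            return;
        }
        final Optional<Pair<Key, Certificate[]>> oldKeyAndChain = getOldKeyAndCertificateChain(oldKeyStore.get());
        if (oldKeyAndChain.isEmpty()) {
            log.warn("Couldn't load old key/certificate chain, skipping password change");
            return;
        }

        final String newPassword = generateKeyStorePassword();
        final KeyStore newKeyStore = createNewKeyStore(newPassword, oldKeyAndChain.get());
        final File backupFile = backupKeyStore(keyStoreFile);

        // NOTE(review): the rewritten keystore is created with the process's default file
        // permissions - confirm the config directory is restricted to the Bamboo service account.
        try (FileOutputStream out = new FileOutputStream(keyStoreFile)) {
            newKeyStore.store(out, newPassword.toCharArray());
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            log.error("Saving keystore with a new password failed. Restore the keystore from {}", backupFile.getAbsolutePath());
            throw new UpgradeException("Failed to save keystore with the new password", e);
        }
        // Logged only after the stream has been closed without error.
        log.info("Keystore was successfully saved with a new password");

        try {
            this.bootstrapManager.getBambooSharedProperties().createNewJmsKeyStorePassword(newPassword);
        } catch (ConfigurationException e) {
            log.error("Saving the new password failed. Restore the keystore from {}", backupFile.getAbsolutePath());
            throw new UpgradeException("Saving the new keystore password failed", e);
        }
        log.info("Bamboo JMS keystore was saved with a new password.");

        // The backup still protects the private key with the old default password, so it is
        // removed as soon as both the keystore and the new password have been persisted.
        log.debug("Deleting keystore file backup");
        BambooPathUtils.deleteQuietly(backupFile.toPath());
    }

    /**
     * Generates the replacement keystore password from a {@link SecureRandom}.
     *
     * <p>{@code RandomStringUtils.randomAlphanumeric} is not documented as cryptographically secure
     * (depending on the commons-lang3 version it draws from a non-secure PRNG), which is unsuitable
     * for a secret protecting a private key. The alphanumeric alphabet and the 16-19 character
     * length range of the previous implementation are kept.
     *
     * @return a random alphanumeric password
     */
    private static String generateKeyStorePassword() {
        final SecureRandom random = new SecureRandom();
        final int length = MIN_PASSWORD_LENGTH
                + random.nextInt(MAX_PASSWORD_LENGTH_EXCLUSIVE - MIN_PASSWORD_LENGTH);
        final StringBuilder password = new StringBuilder(length);
        for (int i = 0; i < length; i++) {
            password.append(PASSWORD_ALPHABET.charAt(random.nextInt(PASSWORD_ALPHABET.length())));
        }
        return password.toString();
    }

    /**
     * Tries to open the keystore file with the old default password.
     *
     * @param file the keystore file to load
     * @return the loaded keystore, or empty when the load failed because the password did not match
     *         (an {@link IOException} caused by {@link UnrecoverableKeyException})
     * @throws UpgradeException for any other failure to obtain or read the keystore
     */
    private Optional<KeyStore> loadOldKeyStore(File file) throws UpgradeException {
        final KeyStore keyStore;
        try {
            keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        } catch (KeyStoreException e) {
            throw new UpgradeException("Failed to get keystore", e);
        }
        final String failureMessage = String.format("Failed to load keystore from %s. Please contact the Support or force generation of new key stores following the instructions from %s", file.getAbsolutePath(), DOCUMENTATION_URL);
        // try-with-resources closes the stream on every path, including a failed load.
        try (FileInputStream in = new FileInputStream(file)) {
            keyStore.load(in, OLD_DEFAULT_PASSWORD.toCharArray());
            return Optional.of(keyStore);
        } catch (FileNotFoundException | NoSuchAlgorithmException | CertificateException e) {
            throw new UpgradeException(failureMessage, e);
        } catch (IOException e) {
            if (!(e.getCause() instanceof UnrecoverableKeyException)) {
                throw new UpgradeException(failureMessage, e);
            }
            // Wrong password: the keystore no longer uses the default, so there is nothing to migrate.
            log.debug("Failed to load keystore", e);
            return Optional.empty();
        }
    }

    /**
     * Reads the broker key and its certificate chain from the old keystore.
     *
     * @param keyStore keystore already loaded with the old default password
     * @return the key and certificate chain, or empty when either is missing or cannot be read
     */
    private Optional<Pair<Key, Certificate[]>> getOldKeyAndCertificateChain(KeyStore keyStore) {
        final Key brokerKey;
        try {
            brokerKey = keyStore.getKey(BROKER_KEY_ALIAS, OLD_DEFAULT_PASSWORD.toCharArray());
        } catch (KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException e) {
            log.warn("Failed to load broker key from keystore", e);
            return Optional.empty();
        }
        if (brokerKey == null) {
            log.warn("The old broker key is missing from keystore");
            return Optional.empty();
        }

        final Certificate[] chain;
        try {
            chain = keyStore.getCertificateChain(BROKER_KEY_ALIAS);
        } catch (KeyStoreException e) {
            log.error("Failed to load certificate chain from keystore", e);
            return Optional.empty();
        }
        if (chain == null) {
            log.warn("The old certificate chain is missing from keystore");
            return Optional.empty();
        }
        return Optional.of(Pair.make(brokerKey, chain));
    }

    /**
     * Builds an in-memory keystore of the default type holding the broker key entry, with both the
     * keystore and the key entry protected by the given password.
     *
     * @param str  the new password
     * @param pair the broker key and its certificate chain
     * @return the new, not yet persisted keystore
     * @throws UpgradeException if the keystore cannot be created or populated
     */
    private KeyStore createNewKeyStore(String str, Pair<Key, Certificate[]> pair) throws UpgradeException {
        final Key brokerKey = pair.getFirst();
        final Certificate[] chain = pair.getSecond();
        final char[] password = str.toCharArray();
        try {
            final KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // A null stream initialises an empty keystore.
            keyStore.load(null, password);
            keyStore.setKeyEntry(BROKER_KEY_ALIAS, brokerKey, password, chain);
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            log.error("Failed to create new keystore");
            throw new UpgradeException(e);
        }
    }

    /**
     * Warns when Bamboo uses a different keystore but the default one is still on disk.
     *
     * @param z    whether the default keystore file exists
     * @param file the default keystore file
     * @param str  path of the keystore Bamboo is configured to use; may be {@code null} or blank
     *             when the corresponding system property is not set
     */
    private void warnIfDefaultKeyStoreExists(boolean z, File file, String str) {
        // System.getProperty may return null; new File((String) null) would throw a
        // NullPointerException and abort the upgrade, so an unset path is skipped.
        if (!z || StringUtils.isBlank(str)) {
            return;
        }
        if (file.equals(new File(str))) {
            return;
        }
        log.warn("Bamboo is configured to use {} as JMS keystore, but the default JMS keystore still exists under {}. Consider removing it", str, file.getAbsolutePath());
    }

    /**
     * Moves the keystore to a timestamped backup file in the config directory.
     *
     * <p>The original path no longer exists after this call. The backup still carries the private
     * key under the old default password, so it should not outlive a successful upgrade or a
     * completed manual restore.
     *
     * @param file the keystore file to back up
     * @return the backup file
     * @throws UpgradeException if the rename fails
     */
    private File backupKeyStore(File file) throws UpgradeException {
        final String backupName = String.format("%s.backup_%d", DEFAULT_KEYSTORE_FILE_NAME, System.currentTimeMillis());
        final File backupFile = FileUtils.getFile(SystemDirectory.getConfigDirectory(), backupName);
        log.debug("Backing up keystore to {}", backupFile.getAbsolutePath());
        if (!file.renameTo(backupFile)) {
            throw new UpgradeException("Failed to backup keystore file");
        }
        return backupFile;
    }
}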
