package org.jivesoftware.util.cert;

import java.time.Duration;
import java.time.Instant;
import java.time.temporal.ChronoUnit;
import java.time.temporal.TemporalAmount;
import java.util.HashSet;
import java.util.Iterator;
import java.util.Objects;
import java.util.Optional;
import java.util.TimerTask;
import org.jivesoftware.openfire.XMPPServer;
import org.jivesoftware.openfire.container.BasicModule;
import org.jivesoftware.openfire.keystore.CertificateStoreManager;
import org.jivesoftware.openfire.keystore.IdentityStore;
import org.jivesoftware.openfire.spi.ConnectionType;
import org.jivesoftware.util.LocaleUtils;
import org.jivesoftware.util.SystemProperty;
import org.jivesoftware.util.TaskEngine;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jivesoftware/util/cert/CertificateExpiryChecker.class */
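/**
 * Module that periodically inspects the TLS certificates in Openfire's identity stores and
 * reports certificates that have expired or are about to expire.
 *
 * <p>Scope of the check, as implemented here:
 * <ul>
 *   <li>Only the identity store of each {@link ConnectionType} is read; trust stores are not
 *       inspected.</li>
 *   <li>Only the {@code notAfter} date of each certificate is evaluated. A certificate that is
 *       not yet valid ({@code notBefore} in the future) or that has been revoked is not
 *       reported by this module.</li>
 *   <li>The outcome is driven by the single earliest {@code notAfter} value found. The warn and
 *       info log lines and the admin notification do not name the affected certificate; the
 *       earliest expiry instant is written to the debug log to help locate it.</li>
 * </ul>
 *
 * <p>NOTE(review): {@link #start()} and {@link #stop()} are invoked by the {@link #FREQUENCY}
 * listener as well as by whoever drives the module lifecycle, and the task field is not
 * synchronized. Confirm that those callers cannot run concurrently.
 */
public class CertificateExpiryChecker extends BasicModule {
    private static final Logger Log = LoggerFactory.getLogger(CertificateExpiryChecker.class);

    /**
     * Enables or disables the check. The value is read at the beginning of every run, so
     * disabling it makes each scheduled run return early rather than unscheduling the task.
     * Defaults to {@code true}.
     */
    public static final SystemProperty<Boolean> ENABLED = SystemProperty.Builder.ofType(Boolean.class)
        .setKey("ssl.certificates.expirycheck.service-enabled")
        .setDynamic(true)
        .setDefaultValue(true)
        .build();

    /**
     * Controls whether a message is sent to the server administrators, in addition to the log
     * entry, when an expired or nearly expired certificate is found. Defaults to {@code true}.
     */
    public static final SystemProperty<Boolean> NOTIFY_ADMINS = SystemProperty.Builder.ofType(Boolean.class)
        .setKey("ssl.certificates.expirycheck.notify-admins")
        .setDynamic(true)
        .setDefaultValue(true)
        .build();

    /**
     * Interval between checks. Defaults to six hours, with a minimum of one hour. Changing the
     * value stops and restarts the checker so that the new interval is applied.
     */
    public static final SystemProperty<Duration> FREQUENCY = SystemProperty.Builder.ofType(Duration.class)
        .setKey("ssl.certificates.expirycheck.frequency")
        .setDynamic(true)
        .setChronoUnit(ChronoUnit.HOURS)
        .setDefaultValue(Duration.ofHours(6))
        .setMinValue(Duration.ofHours(1))
        .addListener(duration -> {
            final CertificateExpiryChecker checker = XMPPServer.getInstance().getCertificateExpiryChecker();
            checker.stop();
            checker.start();
        })
        .build();

    /**
     * How long before its {@code notAfter} date a certificate is reported as "expiring soon".
     * Defaults to seven days, with a minimum of one hour.
     */
    public static final SystemProperty<Duration> WARNING_PERIOD = SystemProperty.Builder.ofType(Duration.class)
        .setKey("ssl.certificates.expirycheck.warning-period")
        .setDynamic(true)
        .setChronoUnit(ChronoUnit.HOURS)
        .setMinValue(Duration.ofHours(1))
        .setDefaultValue(Duration.ofDays(7))
        .build();

    private ExpiryCheckerTask expiryCheckerTask;

    /**
     * Task that performs one expiry check over all identity stores.
     *
     * <p>While the condition persists, the log entry (and the admin message, when
     * {@link #NOTIFY_ADMINS} is set) is produced again on every run.
     */
    public static class ExpiryCheckerTask extends TimerTask {
        /**
         * Finds the earliest {@code notAfter} date among all certificates in the identity stores
         * and logs (and optionally notifies administrators) when that date is in the past or
         * within {@link #WARNING_PERIOD} of the current time.
         */
        @Override
        public void run() {
            if (!ENABLED.getValue()) {
                Log.debug("Skipping TLS certificate expiry check, as it has been disabled by configuration.");
                return;
            }
            Log.debug("Starting TLS certificate expiry check.");
            try {
                final CertificateStoreManager storeManager = XMPPServer.getInstance().getCertificateStoreManager();

                // The set de-duplicates stores that are returned for more than one connection type.
                final HashSet<IdentityStore> identityStores = new HashSet<>();
                for (final ConnectionType connectionType : ConnectionType.values()) {
                    final IdentityStore identityStore = storeManager.getIdentityStore(connectionType);
                    // Presumably every connection type has a store; a missing one is skipped so
                    // that it cannot abort the check of the remaining stores.
                    if (identityStore != null) {
                        identityStores.add(identityStore);
                    }
                }

                final Optional<Instant> earliestExpiry = identityStores.stream()
                    .flatMap(store -> store.getAllCertificates().values().stream())
                    .map(certificate -> certificate.getNotAfter())
                    .filter(Objects::nonNull)
                    .map(notAfter -> notAfter.toInstant())
                    .min(Instant::compareTo);

                if (earliestExpiry.isPresent()) {
                    Log.debug("Earliest TLS certificate expiry found in the identity stores: {}", earliestExpiry.get());
                }

                // A single timestamp keeps the 'expired' and 'expiring soon' decisions consistent.
                final Instant now = Instant.now();
                final Duration warningPeriod = WARNING_PERIOD.getValue();
                final boolean expired = earliestExpiry
                    .filter(expiry -> expiry.isBefore(now))
                    .isPresent();
                final boolean expiringSoon = earliestExpiry
                    .filter(expiry -> expiry.minus(warningPeriod).isBefore(now))
                    .isPresent();

                if (expired) {
                    Log.warn("One or more TLS certificates used by Openfire have expired. This can cause connectivity issues. Please use the Openfire Admin Console to review the state of all certificates in each of Openfire's \"identity\" certificate stores. Replace certificates where need.");
                    if (NOTIFY_ADMINS.getValue()) {
                        XMPPServer.getInstance().sendMessageToAdmins(LocaleUtils.getLocalizedString("ssl.certificates.expirycheck.notification-message.expired"));
                    }
                } else if (expiringSoon) {
                    Log.info("One or more TLS certificates used by Openfire will expire soon. This can cause connectivity issues. Please use the Openfire Admin Console to review the state of all certificates in each of Openfire's \"identity\" certificate stores. Replace certificates where need.");
                    if (NOTIFY_ADMINS.getValue()) {
                        XMPPServer.getInstance().sendMessageToAdmins(LocaleUtils.getLocalizedString("ssl.certificates.expirycheck.notification-message.nearly-expired"));
                    }
                } else {
                    // Also reached when no certificate with a notAfter date was found at all.
                    Log.debug("None of the TLS certificates used by Openfire have expired or will expire soon.");
                }
            } catch (Throwable th) {
                // Deliberately broad: a failed run is logged rather than propagated to the scheduler.
                // NOTE(review): this also swallows Errors; confirm that is intended.
                Log.warn("An unexpected exception prevented the period check for expired TLS certificates from executing successfully.", th);
            }
        }
    }

    /** Creates the module under the name "Certificate Expiry Checker". */
    public CertificateExpiryChecker() {
        super("Certificate Expiry Checker");
    }

    /**
     * Schedules a new {@link ExpiryCheckerTask} with the task engine, passing a 20 second
     * duration and the current {@link #FREQUENCY} value (presumably the initial delay and the
     * repeat period). A task left over from an earlier call is cancelled first, so that
     * calling this method repeatedly never leaves more than one check scheduled.
     */
    @Override
    public void start() throws IllegalStateException {
        cancelCurrentTask();
        this.expiryCheckerTask = new ExpiryCheckerTask();
        TaskEngine.getInstance().schedule(this.expiryCheckerTask, Duration.ofSeconds(20L), FREQUENCY.getValue());
    }

    /** Cancels the scheduled check, if there is one. */
    @Override
    public void stop() {
        cancelCurrentTask();
    }

    /** Cancels and forgets the currently scheduled task; does nothing when none is scheduled. */
    private void cancelCurrentTask() {
        if (this.expiryCheckerTask != null) {
            TaskEngine.getInstance().cancelScheduledTask(this.expiryCheckerTask);
            this.expiryCheckerTask = null;
        }
    }
}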
