package io.evitadb.driver.certificate;

import io.evitadb.exception.EvitaInternalError;
import io.evitadb.exception.EvitaInvalidUsageException;
import io.evitadb.utils.Assert;
import io.evitadb.utils.CertificateUtils;
import io.netty.handler.ssl.ApplicationProtocolConfig;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileOutputStream;
import java.io.IOException;
import java.io.Reader;
import java.net.URL;
import java.nio.channels.Channels;
import java.nio.channels.FileChannel;
import java.nio.channels.ReadableByteChannel;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.Optional;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/evitadb/driver/certificate/ClientCertificateManager.class */
public class ClientCertificateManager {
    private static final Logger log = LoggerFactory.getLogger(ClientCertificateManager.class);
    private static final Path DEFAULT_CLIENT_CERTIFICATE_FOLDER_PATH = Paths.get(System.getProperty("java.io.tmpdir"), "evita-client-certificates");
    private static final String TRUST_STORE_FILE_NAME = "trustStore.jks";
    private final String trustStorePassword;
    private final Path certificateClientFolderPath;
    private final Path rootCaCertificateFilePath;
    private final Path clientCertificateFilePath;
    private final Path clientPrivateKeyFilePath;
    private final String clientPrivateKeyPassword;
    private final boolean isMtlsEnabled;
    private final boolean useGeneratedCertificate;
    private final boolean usingTrustedRootCaCertificate;

    /* loaded from: input_file:io/evitadb/driver/certificate/ClientCertificateManager$Builder.class */
    public static class Builder {
        private String host;
        private int port;
        private Path certificateClientFolderPath = ClientCertificateManager.DEFAULT_CLIENT_CERTIFICATE_FOLDER_PATH;
        private Path rootCaCertificatePath = Path.of(CertificateUtils.getGeneratedRootCaCertificateFileName(), new String[0]);
        private Path clientCertificateFilePath = null;
        private Path clientPrivateKeyFilePath = null;
        private String clientPrivateKeyPassword = null;
        private String trustStorePassword = "trustStorePassword";
        private boolean isMtlsEnabled = false;
        private boolean useGeneratedCertificate = true;
        private boolean usingTrustedRootCaCertificate = false;

        public Builder certificateClientFolderPath(@Nonnull Path path) {
            this.certificateClientFolderPath = path;
            return this;
        }

        public Builder rootCaCertificateFilePath(@Nonnull Path path) {
            this.rootCaCertificatePath = path;
            return this;
        }

        public Builder clientCertificateFilePath(@Nullable Path path) {
            this.clientCertificateFilePath = (Path) Optional.ofNullable(path).map(path2 -> {
                return this.certificateClientFolderPath.resolve(path2);
            }).orElse(null);
            return this;
        }

        public Builder clientPrivateKeyFilePath(@Nullable Path path) {
            this.clientPrivateKeyFilePath = (Path) Optional.ofNullable(path).map(path2 -> {
                return this.certificateClientFolderPath.resolve(path2);
            }).orElse(null);
            return this;
        }

        public Builder clientPrivateKeyPassword(@Nullable String str) {
            this.clientPrivateKeyPassword = str;
            return this;
        }

        public Builder trustStorePassword(@Nullable String str) {
            this.trustStorePassword = str;
            return this;
        }

        public Builder mtls(boolean z) {
            this.isMtlsEnabled = z;
            return this;
        }

        public Builder useGeneratedCertificate(boolean z, @Nonnull String str, int i) {
            this.useGeneratedCertificate = z;
            this.host = str;
            this.port = i;
            return this;
        }

        public Builder usingTrustedRootCaCertificate(boolean z) {
            this.usingTrustedRootCaCertificate = z;
            return this;
        }

        public ClientCertificateManager build() {
            return new ClientCertificateManager(this.trustStorePassword, this.certificateClientFolderPath, this.rootCaCertificatePath, this.clientCertificateFilePath, this.clientPrivateKeyFilePath, this.clientPrivateKeyPassword, this.isMtlsEnabled, this.useGeneratedCertificate, this.host, this.port, this.usingTrustedRootCaCertificate);
        }
    }

    public static Path getDefaultClientCertificateFolderPath() {
        return DEFAULT_CLIENT_CERTIFICATE_FOLDER_PATH;
    }

    @Nonnull
    private static Path getCertificatesFromServer(@Nonnull String str, int i, @Nonnull Path path) {
        String str2 = "http://" + str + ":" + i + "/system/";
        try {
            Path resolve = path.resolve(getServerName(str2));
            File file = new File(resolve.toUri());
            if (file.exists()) {
                File file2 = new File(resolve.resolve(CertificateUtils.getGeneratedRootCaCertificateFileName()).toUri());
                File file3 = new File(resolve.resolve(CertificateUtils.getGeneratedClientCertificateFileName()).toUri());
                File file4 = new File(resolve.resolve(CertificateUtils.getGeneratedClientCertificatePrivateKeyFileName()).toUri());
                if (file2.exists() && file3.exists() && file4.exists()) {
                    return resolve;
                }
            } else {
                Assert.isTrue(file.mkdirs(), "Cannot create folder `" + file + "`!");
            }
            downloadFileFromServer(str2, resolve, CertificateUtils.getGeneratedRootCaCertificateFileName());
            downloadFileFromServer(str2, resolve, CertificateUtils.getGeneratedClientCertificateFileName());
            downloadFileFromServer(str2, resolve, CertificateUtils.getGeneratedClientCertificatePrivateKeyFileName());
            return resolve;
        } catch (IOException e) {
            throw new EvitaInvalidUsageException("Failed to download certificates from server", e);
        }
    }

    @Nonnull
    private static Path identifyServerDirectory(@Nonnull String str, int i, @Nonnull Path path) {
        try {
            return path.resolve(getServerName("http://" + str + ":" + i + "/system/"));
        } catch (IOException e) {
            throw new EvitaInvalidUsageException("Failed to download certificates from server", e);
        }
    }

    @Nonnull
    private static String getServerName(@Nonnull String str) throws IOException {
        Reader newReader = Channels.newReader(Channels.newChannel(new URL(str + "server-name").openStream()), StandardCharsets.UTF_8);
        try {
            StringBuilder sb = new StringBuilder(128);
            char[] cArr = new char[128];
            while (true) {
                int read = newReader.read(cArr);
                if (read == -1) {
                    break;
                }
                sb.append(cArr, 0, read);
            }
            String sb2 = sb.toString();
            if (newReader != null) {
                newReader.close();
            }
            return sb2;
        } catch (Throwable th) {
            if (newReader != null) {
                try {
                    newReader.close();
                } catch (Throwable th2) {
                    th.addSuppressed(th2);
                }
            }
            throw th;
        }
    }

    private static void downloadFileFromServer(@Nonnull String str, @Nonnull Path path, @Nonnull String str2) throws IOException {
        ReadableByteChannel newChannel = Channels.newChannel(new URL(str + str2).openStream());
        try {
            FileOutputStream fileOutputStream = new FileOutputStream(path.resolve(str2).toFile());
            try {
                FileChannel channel = fileOutputStream.getChannel();
                try {
                    channel.transferFrom(newChannel, 0L, Long.MAX_VALUE);
                    if (channel != null) {
                        channel.close();
                    }
                    fileOutputStream.close();
                    if (newChannel != null) {
                        newChannel.close();
                    }
                } catch (Throwable th) {
                    if (channel != null) {
                        try {
                            channel.close();
                        } catch (Throwable th2) {
                            th.addSuppressed(th2);
                        }
                    }
                    throw th;
                }
            } finally {
            }
        } catch (Throwable th3) {
            if (newChannel != null) {
                try {
                    newChannel.close();
                } catch (Throwable th4) {
                    th3.addSuppressed(th4);
                }
            }
            throw th3;
        }
    }

    public ClientCertificateManager(String str, Path path, Path path2, Path path3, Path path4, String str2, boolean z, boolean z2, String str3, int i, boolean z3) {
        if (z2) {
            this.certificateClientFolderPath = getCertificatesFromServer(str3, i, path);
            this.rootCaCertificateFilePath = this.certificateClientFolderPath.resolve(CertificateUtils.getGeneratedRootCaCertificateFileName());
            this.clientCertificateFilePath = this.certificateClientFolderPath.resolve(CertificateUtils.getGeneratedClientCertificateFileName());
            this.clientPrivateKeyFilePath = this.certificateClientFolderPath.resolve(CertificateUtils.getGeneratedClientCertificatePrivateKeyFileName());
        } else {
            this.certificateClientFolderPath = identifyServerDirectory(str3, i, path);
            this.rootCaCertificateFilePath = path2;
            this.clientCertificateFilePath = path3;
            this.clientPrivateKeyFilePath = path4;
        }
        this.trustStorePassword = str;
        this.clientPrivateKeyPassword = str2;
        this.isMtlsEnabled = z;
        this.useGeneratedCertificate = z2;
        this.usingTrustedRootCaCertificate = z3;
    }

    public SslContext buildClientSslContext() {
        try {
            Path usedRootCaCertificatePath = getUsedRootCaCertificatePath();
            TrustManager trustManager = usedRootCaCertificatePath == null ? null : getTrustManager(usedRootCaCertificatePath);
            SslContextBuilder applicationProtocolConfig = SslContextBuilder.forClient().applicationProtocolConfig(new ApplicationProtocolConfig(ApplicationProtocolConfig.Protocol.ALPN, ApplicationProtocolConfig.SelectorFailureBehavior.NO_ADVERTISE, ApplicationProtocolConfig.SelectedListenerFailureBehavior.ACCEPT, new String[]{"h2"}));
            if (this.isMtlsEnabled) {
                if (this.clientPrivateKeyFilePath == null) {
                    throw new EvitaInvalidUsageException("Client certificate path is not set while using mTLS. Check evita configuration file.");
                }
                applicationProtocolConfig.keyManager(new File(this.clientCertificateFilePath.toUri()), new File(this.clientPrivateKeyFilePath.toUri()), this.clientPrivateKeyPassword);
            }
            if (!this.usingTrustedRootCaCertificate && trustManager != null) {
                applicationProtocolConfig.trustManager(trustManager);
            } else if (usedRootCaCertificatePath != null && usedRootCaCertificatePath.toFile().exists()) {
                applicationProtocolConfig.trustManager(new File(usedRootCaCertificatePath.toUri()));
            }
            return applicationProtocolConfig.build();
        } catch (Exception e) {
            throw new EvitaInvalidUsageException("Failed to initialize EvitaClient", e);
        }
    }

    public TrustManager getTrustManagerTrustingProvidedCertificate(@Nonnull Path path, @Nonnull String str) {
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init((KeyStore) null);
            TrustManagerFactory trustManagerFactory2 = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory2.init(getKeyStore(path, str));
            return new TrustManagerDelegate((X509TrustManager) trustManagerFactory2.getTrustManagers()[0], (X509TrustManager) trustManagerFactory.getTrustManagers()[0]);
        } catch (Exception e) {
            throw new EvitaInvalidUsageException("Failed to initialize SSL context.", e);
        }
    }

    public Path getUsedRootCaCertificatePath() {
        return !this.useGeneratedCertificate ? this.rootCaCertificateFilePath : this.certificateClientFolderPath.resolve(CertificateUtils.getGeneratedRootCaCertificateFileName());
    }

    @Nullable
    private TrustManager getTrustManager(@Nonnull Path path) {
        TrustManager trustManager;
        FileInputStream fileInputStream;
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            if (path.toFile().exists()) {
                fileInputStream = new FileInputStream(path.toFile());
                try {
                    Certificate generateCertificate = certificateFactory.generateCertificate(fileInputStream);
                    fileInputStream.close();
                    log.info("Server's CA certificate fingerprint: {}", CertificateUtils.getCertificateFingerprint(generateCertificate));
                    trustManager = getTrustManagerTrustingProvidedCertificate(path, "evita-root-ca");
                } finally {
                }
            } else {
                trustManager = null;
            }
            if (this.isMtlsEnabled) {
                fileInputStream = new FileInputStream(this.clientCertificateFilePath.toFile());
                try {
                    Certificate generateCertificate2 = certificateFactory.generateCertificate(fileInputStream);
                    fileInputStream.close();
                    log.info("Client's certificate fingerprint: {}", CertificateUtils.getCertificateFingerprint(generateCertificate2));
                } finally {
                }
            }
            return trustManager;
        } catch (IOException | NoSuchAlgorithmException | CertificateException e) {
            throw new EvitaInternalError(e.getMessage(), e);
        }
    }

    private KeyStore getKeyStore(@Nonnull Path path, @Nonnull String str) throws KeyStoreException, IOException, NoSuchAlgorithmException, CertificateException {
        FileInputStream fileInputStream;
        FileOutputStream fileOutputStream;
        File file = new File(this.certificateClientFolderPath.resolve(TRUST_STORE_FILE_NAME).toUri());
        KeyStore keyStore = KeyStore.getInstance("JKS");
        char[] charArray = this.trustStorePassword.toCharArray();
        if (!this.certificateClientFolderPath.toFile().exists()) {
            Assert.isTrue(this.certificateClientFolderPath.toFile().mkdirs(), () -> {
                return "Cannot create folder `" + this.certificateClientFolderPath + "`!";
            });
        }
        if (file.exists()) {
            fileInputStream = new FileInputStream(file);
            try {
                keyStore.load(fileInputStream, charArray);
                fileInputStream.close();
            } finally {
            }
        } else {
            keyStore.load(null, null);
            fileOutputStream = new FileOutputStream(file);
            try {
                keyStore.store(fileOutputStream, charArray);
                fileOutputStream.close();
            } finally {
            }
        }
        File file2 = new File(path.toUri());
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        fileInputStream = new FileInputStream(file2);
        try {
            Certificate generateCertificate = certificateFactory.generateCertificate(fileInputStream);
            fileInputStream.close();
            keyStore.setCertificateEntry(str, generateCertificate);
            fileOutputStream = new FileOutputStream(file);
            try {
                keyStore.store(fileOutputStream, charArray);
                fileOutputStream.close();
                return keyStore;
            } finally {
            }
        } finally {
        }
    }
}
