package io.kubernetes.client.util;

import io.kubernetes.client.openapi.ApiClient;
import io.kubernetes.client.openapi.ApiException;
import io.kubernetes.client.openapi.apis.CertificatesV1Api;
import io.kubernetes.client.openapi.models.V1CertificateSigningRequest;
import io.kubernetes.client.openapi.models.V1CertificateSigningRequestCondition;
import io.kubernetes.client.openapi.models.V1CertificateSigningRequestSpec;
import io.kubernetes.client.openapi.models.V1ObjectMeta;
import io.kubernetes.client.util.exception.CSRNotApprovedException;
import io.kubernetes.client.util.exception.CSRSigningException;
import io.kubernetes.client.util.wait.Wait;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.io.PrintStream;
import java.security.KeyPair;
import java.time.Duration;
import java.time.OffsetDateTime;
import java.util.Base64;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.Executors;
import java.util.concurrent.ScheduledExecutorService;
import java.util.concurrent.atomic.AtomicReference;
import javax.security.auth.x500.X500Principal;
import org.bouncycastle.operator.OperatorCreationException;
import org.bouncycastle.operator.jcajce.JcaContentSignerBuilder;
import org.bouncycastle.pkcs.PKCS10CertificationRequest;
import org.bouncycastle.pkcs.jcajce.JcaPKCS10CertificationRequestBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:META-INF/bundled-dependencies/client-java-12.0.1.jar:io/kubernetes/client/util/CSRUtils.class */
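/**
 * Static helpers for building, submitting, approving and collecting Kubernetes
 * CertificateSigningRequest (CSR) objects through {@link CertificatesV1Api}.
 *
 * <p>Nothing in this class validates the content of a CSR or of the certificate that comes back.
 * Callers that approve requests, or that use a returned certificate for authentication, have to
 * do that validation themselves; the individual methods spell out what is and is not checked.
 */
public class CSRUtils {
    private static final Logger LOG = LoggerFactory.getLogger(CSRUtils.class);

    /** Key usage placed on requests built by {@link #newV1CertificateSigningRequest(String, byte[])}. */
    public static final String CSR_USAGE_CLIENT_AUTH = "client auth";

    /** Signer named on requests built by {@link #newV1CertificateSigningRequest(String, byte[])}. */
    public static final String SIGNER_NAME_KUBE_APISERVER_CLIENT = "kubernetes.io/kube-apiserver-client";

    /**
     * Marks the named CertificateSigningRequest as approved.
     *
     * <p>The current object is read, an {@code Approved=True} condition with reason
     * "Kubernetes Java Client" is appended, and the object is written back with
     * {@code replaceCertificateSigningRequestApproval}. The signer, usages and requested subject
     * are not inspected, and existing conditions are not examined, so the caller must have vetted
     * the request before calling this method.
     *
     * @param apiClient client used for both the read and the approval call
     * @param str name of the CertificateSigningRequest object to approve
     * @throws ApiException if either API call fails
     * @throws NullPointerException if the object returned by the API has no status
     */
    public static void approve(ApiClient apiClient, String str) throws ApiException {
        CertificatesV1Api api = new CertificatesV1Api(apiClient);
        // One timestamp for both fields so the condition is internally consistent.
        OffsetDateTime now = OffsetDateTime.now();
        V1CertificateSigningRequest current = api.readCertificateSigningRequest(str, null, null, null);
        // Same exception type as the bare dereference would raise, but with a message that says why.
        Objects.requireNonNull(
                current.getStatus(),
                "CertificateSigningRequest " + str + " has no status to add an approval condition to");
        V1CertificateSigningRequestCondition approved = new V1CertificateSigningRequestCondition()
                .type("Approved")
                .status("True")
                .reason("Kubernetes Java Client")
                .lastTransitionTime(now)
                .lastUpdateTime(now);
        current.getStatus().addConditionsItem(approved);
        api.replaceCertificateSigningRequestApproval(str, current, null, null, null);
    }

    /**
     * Submits the CSR (or adopts an existing object of the same name) and waits for its
     * certificate using the default polling settings.
     *
     * <p>When an object with the same name already exists it is adopted if
     * {@link #isIdentical} accepts it. That comparison covers only usages and signer name; the
     * request bytes are not compared. The certificate returned here may therefore have been
     * issued for a different public key or subject than the one in
     * {@code v1CertificateSigningRequest}, so callers should confirm that the returned
     * certificate matches their own key pair before relying on it.
     *
     * @param apiClient client used for all API calls
     * @param v1CertificateSigningRequest the request to submit; its metadata name must be set
     * @return the certificate bytes taken from the CSR status
     * @throws CSRNotApprovedException if no certificate is issued before the default timeout
     * @throws ApiException if creating or reading the CSR fails
     * @throws IllegalStateException if an existing object of the same name differs in usages or
     *     signer name
     */
    public static byte[] createAndWaitUntilCertificateSigned(ApiClient apiClient, V1CertificateSigningRequest v1CertificateSigningRequest) throws CSRNotApprovedException, ApiException {
        String csrName = v1CertificateSigningRequest.getMetadata().getName();
        // Short-circuit: the existing object is only fetched when creation hit a name conflict.
        boolean usable = createIfAbsent(apiClient, v1CertificateSigningRequest)
                || isIdentical(
                        new CertificatesV1Api(apiClient).readCertificateSigningRequest(csrName, null, null, null),
                        v1CertificateSigningRequest);
        if (!usable) {
            LOG.error("Existing CertificateSigningRequest object is conflicting with the requesting object");
            throw new IllegalStateException("Conflicting CSR object found in the cluster");
        }
        return waitUntilCertificateSigned(apiClient, csrName);
    }

    /**
     * Creates the CSR object unless one with the same name is already present.
     *
     * @param apiClient client used for the create call
     * @param v1CertificateSigningRequest the request to create
     * @return {@code true} if the object was created, {@code false} if the API answered with
     *     HTTP 409 (conflict)
     * @throws ApiException for any failure other than a 409
     */
    public static boolean createIfAbsent(ApiClient apiClient, V1CertificateSigningRequest v1CertificateSigningRequest) throws ApiException {
        try {
            new CertificatesV1Api(apiClient).createCertificateSigningRequest(v1CertificateSigningRequest, null, null, null);
        } catch (ApiException e) {
            if (e.getCode() != 409) {
                LOG.error("Failed creating CSR {} in the cluster: {}", v1CertificateSigningRequest.getMetadata().getName(), e.getResponseBody());
                throw e;
            }
            // 409: an object with this name already exists; the caller decides whether to adopt it.
            return false;
        }
        return true;
    }

    /**
     * Waits for the named CSR to carry a certificate, polling every 5 seconds for up to
     * 30 minutes.
     *
     * @param apiClient client used to read the CSR
     * @param str name of the CertificateSigningRequest object
     * @return the certificate bytes taken from the CSR status
     * @throws CSRNotApprovedException if no certificate is present when the timeout elapses
     */
    public static byte[] waitUntilCertificateSigned(ApiClient apiClient, String str) throws CSRNotApprovedException {
        return waitUntilCertificateSigned(apiClient, str, Duration.ofSeconds(5L), Duration.ofMinutes(30L));
    }

    /**
     * Polls the named CSR until its status carries a certificate.
     *
     * <p>Only the presence of {@code status.certificate} is checked; conditions on the object are
     * not read, so a request that never receives a certificate simply runs to the timeout. A
     * failed read is logged and retried on the next poll.
     *
     * @param apiClient client used to read the CSR
     * @param str name of the CertificateSigningRequest object
     * @param duration first argument handed to {@code Wait.poll} (the overload above passes
     *     5 seconds here as the polling interval)
     * @param duration2 second argument handed to {@code Wait.poll} (the overload above passes
     *     30 minutes here as the overall timeout)
     * @return the certificate bytes taken from the CSR status, never {@code null}
     * @throws CSRNotApprovedException if polling ends without a certificate
     */
    public static byte[] waitUntilCertificateSigned(ApiClient apiClient, String str, Duration duration, Duration duration2) throws CSRNotApprovedException {
        CertificatesV1Api api = new CertificatesV1Api(apiClient);
        AtomicReference<byte[]> issued = new AtomicReference<>();
        boolean signed = Wait.poll(duration, duration2, () -> {
            try {
                Optional<byte[]> certificate = getCertificate(api.readCertificateSigningRequest(str, null, null, null));
                certificate.ifPresent(issued::set);
                // Keep polling until a certificate is actually there. Reporting success after any
                // successful read would end the wait on a still-pending request and hand the
                // caller a null certificate.
                return certificate.isPresent();
            } catch (ApiException e) {
                LOG.info("Failed acquiring latest state of CertificateSigningRequest resource {} from the cluster", str);
                return false;
            }
        });
        if (!signed) {
            LOG.error("Timeout exceed but the CertificateSigningRequest {} is not approved", str);
            throw new CSRNotApprovedException("Timeout - CertificateSigningRequest not approved: " + str);
        }
        LOG.info("Successfully acquired certificate from CertificateSigningRequest {}", str);
        return issued.get();
    }

    /**
     * Extracts the issued certificate from a CSR object, if there is one.
     *
     * @param v1CertificateSigningRequest the CSR object to inspect
     * @return the certificate bytes, or empty when the status or its certificate field is
     *     {@code null}
     */
    public static Optional<byte[]> getCertificate(V1CertificateSigningRequest v1CertificateSigningRequest) {
        if (v1CertificateSigningRequest.getStatus() == null) {
            return Optional.empty();
        }
        if (v1CertificateSigningRequest.getStatus().getCertificate() == null) {
            return Optional.empty();
        }
        return Optional.of(v1CertificateSigningRequest.getStatus().getCertificate());
    }

    /**
     * Compares two CSR objects by usages and signer name only.
     *
     * <p>The request bytes, and with them the public key and the requested subject, are not part
     * of the comparison. A {@code true} result does not mean that both objects ask for the same
     * certificate.
     *
     * @param v1CertificateSigningRequest first object; its spec must be non-null
     * @param v1CertificateSigningRequest2 second object; its spec must be non-null
     * @return {@code true} if both usages lists and both signer names are equal
     */
    public static boolean isIdentical(V1CertificateSigningRequest v1CertificateSigningRequest, V1CertificateSigningRequest v1CertificateSigningRequest2) {
        V1CertificateSigningRequestSpec left = v1CertificateSigningRequest.getSpec();
        V1CertificateSigningRequestSpec right = v1CertificateSigningRequest2.getSpec();
        return Objects.equals(left.getUsages(), right.getUsages())
                && Objects.equals(left.getSignerName(), right.getSignerName());
    }

    /**
     * Builds a PEM-encoded PKCS#10 request for the given common name, signed with
     * {@code SHA512withRSA} and with an empty organization value.
     *
     * @param keyPair key pair whose public key is certified and whose private key signs the request
     * @param str common name for the subject; see the four-argument overload for how it is
     *     placed into the subject string
     * @return the PEM text as bytes
     * @throws CSRSigningException if the request cannot be built or encoded
     */
    public static byte[] sign(KeyPair keyPair, String str) throws CSRSigningException {
        return sign(keyPair, "SHA512withRSA", str, "");
    }

    /**
     * Builds a PEM-encoded PKCS#10 request whose subject is {@code CN=<str2>, O=<str3>}.
     *
     * <p>NOTE(review): both values are concatenated into the distinguished-name string without
     * escaping. A value containing DN syntax such as {@code ,}, {@code +} or {@code =} is parsed
     * as structure rather than as literal text, so it can change which attributes the subject
     * ends up with. For the {@code kubernetes.io/kube-apiserver-client} signer the subject is the
     * identity the certificate authenticates as, so values that originate outside the caller's
     * control should be validated or escaped before they reach this method.
     *
     * @param keyPair key pair whose public key is certified and whose private key signs the request
     * @param str JCA signature algorithm name, for example {@code SHA512withRSA}
     * @param str2 common name
     * @param str3 organization
     * @return the PEM text as bytes
     * @throws CSRSigningException if the request cannot be built or encoded
     */
    public static byte[] sign(KeyPair keyPair, String str, String str2, String str3) throws CSRSigningException {
        String subject = String.join(", ", "CN=" + str2, "O=" + str3);
        return sign(keyPair, str, subject);
    }

    /**
     * Builds a PEM-encoded PKCS#10 request for an already assembled subject string.
     *
     * @param keyPair key pair whose public key is certified and whose private key signs the request
     * @param str JCA signature algorithm name handed to {@link JcaContentSignerBuilder}
     * @param str2 subject distinguished name handed to {@link X500Principal}
     * @return the PEM text as bytes
     * @throws CSRSigningException if creating the signer or encoding the request fails
     * @throws IllegalArgumentException if {@code str2} is not a valid distinguished name
     */
    public static byte[] sign(KeyPair keyPair, String str, String str2) throws CSRSigningException {
        try {
            PKCS10CertificationRequest request =
                    new JcaPKCS10CertificationRequestBuilder(new X500Principal(str2), keyPair.getPublic())
                            .build(new JcaContentSignerBuilder(str).build(keyPair.getPrivate()));
            // PEM body: Base64 wrapped at 64 characters, lines separated by CR LF.
            String body = Base64.getMimeEncoder(64, new byte[] {'\r', '\n'}).encodeToString(request.getEncoded());
            ByteArrayOutputStream buffer = new ByteArrayOutputStream();
            PrintStream pem = new PrintStream(buffer);
            pem.println("-----BEGIN CERTIFICATE REQUEST-----");
            pem.println(body);
            pem.println("-----END CERTIFICATE REQUEST-----");
            return buffer.toByteArray();
        } catch (IOException | OperatorCreationException e) {
            throw new CSRSigningException(e);
        }
    }

    /**
     * Builds a CSR object for the {@link #SIGNER_NAME_KUBE_APISERVER_CLIENT} signer with the
     * {@link #CSR_USAGE_CLIENT_AUTH} usage.
     *
     * @param str metadata name of the new object
     * @param bArr request bytes, for example the output of one of the {@code sign} methods
     * @return the populated object; nothing is sent to the cluster
     */
    public static V1CertificateSigningRequest newV1CertificateSigningRequest(String str, byte[] bArr) {
        return newV1CertificateSigningRequest(str, bArr, SIGNER_NAME_KUBE_APISERVER_CLIENT, CSR_USAGE_CLIENT_AUTH);
    }

    /**
     * Builds a CSR object with an explicit signer and a single usage.
     *
     * @param str metadata name of the new object
     * @param bArr request bytes
     * @param str2 signer name
     * @param str3 the one usage to add to the spec
     * @return the populated object; nothing is sent to the cluster
     */
    public static V1CertificateSigningRequest newV1CertificateSigningRequest(String str, byte[] bArr, String str2, String str3) {
        V1ObjectMeta metadata = new V1ObjectMeta().name(str);
        V1CertificateSigningRequestSpec spec = new V1CertificateSigningRequestSpec()
                .request(bArr)
                .signerName(str2)
                .addUsagesItem(str3);
        return new V1CertificateSigningRequest().metadata(metadata).spec(spec);
    }
}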
