package com.floragunn.signals.watch.common;

import com.floragunn.codova.documents.DocNode;
import com.floragunn.codova.documents.Format;
import com.floragunn.codova.validation.ConfigValidationException;
import com.floragunn.codova.validation.ValidatingDocNode;
import com.floragunn.codova.validation.ValidationErrors;
import com.floragunn.codova.validation.errors.ValidationError;
import com.floragunn.signals.CertificatesParser;
import com.floragunn.signals.truststore.service.TrustManagerRegistry;
import com.google.common.base.Strings;
import com.google.common.base.Supplier;
import com.google.common.collect.ImmutableList;
import java.io.IOException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509ExtendedTrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.xcontent.ToXContent;
import org.elasticsearch.xcontent.ToXContentObject;
import org.elasticsearch.xcontent.XContentBuilder;

/* loaded from: input_file:com/floragunn/signals/watch/common/TlsConfig.class */
public class TlsConfig implements ToXContentObject {
    private static final Logger log = LogManager.getLogger(TlsConfig.class);
    private static final List<String> DEFAULT_TLS_PROTOCOLS = ImmutableList.of("TLSv1.2", "TLSv1.1");
    public static final String FIELD_TRUSTSTORE_ID = "truststore_id";
    public static final String FIELD_CLIENT_SESSION_TIMEOUT = "client_session_timeout";
    private String inlineTruststorePem;
    private Collection<? extends Certificate> inlineTrustCerts;
    private KeyStore trustStore;
    private TlsClientAuthConfig clientAuthConfig;
    private boolean verifyHostnames;
    private boolean trustAll;
    private SSLContext sslContext;
    private final TrustManagerRegistry trustManagerRegistry;
    private final ValidationLevel validationLevel;
    private String truststoreId;
    private Integer clientSessionTimeout = null;

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/signals/watch/common/TlsConfig$OverlyTrustfulSSLContextBuilder.class */
    public static class OverlyTrustfulSSLContextBuilder extends SSLContextBuilder {
        private OverlyTrustfulSSLContextBuilder() {
        }

        protected void initSSLContext(SSLContext sSLContext, Collection<KeyManager> collection, Collection<TrustManager> collection2, SecureRandom secureRandom) throws KeyManagementException {
            sSLContext.init(!collection.isEmpty() ? (KeyManager[]) collection.toArray(new KeyManager[collection.size()]) : null, new TrustManager[]{new OverlyTrustfulTrustManager()}, secureRandom);
        }
    }

    /* loaded from: input_file:com/floragunn/signals/watch/common/TlsConfig$OverlyTrustfulTrustManager.class */
    private static class OverlyTrustfulTrustManager implements X509TrustManager {
        private OverlyTrustfulTrustManager() {
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        }

        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:com/floragunn/signals/watch/common/TlsConfig$RefreshableTruststoreSSLContextBuilder.class */
    public static class RefreshableTruststoreSSLContextBuilder extends SSLContextBuilder {
        private volatile TrustManager trustManager;
        private volatile Integer clientSessionTimeout;

        private RefreshableTruststoreSSLContextBuilder() {
        }

        public static RefreshableTruststoreSSLContextBuilder createRefreshable() {
            return new RefreshableTruststoreSSLContextBuilder();
        }

        public void setTrustManager(TrustManager trustManager) {
            this.trustManager = trustManager;
        }

        public void setClientSessionTimeout(Integer num) {
            this.clientSessionTimeout = num;
        }

        protected void initSSLContext(SSLContext sSLContext, Collection<KeyManager> collection, Collection<TrustManager> collection2, SecureRandom secureRandom) throws KeyManagementException {
            TrustManager trustManager = this.trustManager;
            if (trustManager != null) {
                collection2 = Collections.singleton(trustManager);
            }
            if (Objects.nonNull(this.clientSessionTimeout)) {
                sSLContext.getClientSessionContext().setSessionTimeout(this.clientSessionTimeout.intValue());
            }
            TlsConfig.log.debug("Trust managers inserted into SSL context '{}', client session timeout '{}'.", collection2, this.clientSessionTimeout);
            super.initSSLContext(sSLContext, collection, collection2, secureRandom);
        }
    }

    public TlsConfig(TrustManagerRegistry trustManagerRegistry, ValidationLevel validationLevel) {
        this.trustManagerRegistry = (TrustManagerRegistry) Objects.requireNonNull(trustManagerRegistry, "TrustManagerRegistry ia required");
        this.validationLevel = validationLevel;
        log.debug("TlsConfig created with trust manager registry '{}' and strict validation '{}'", trustManagerRegistry, this.validationLevel);
    }

    public void init(DocNode docNode) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingDocNode validatingDocNode = new ValidatingDocNode(docNode, validationErrors);
        this.inlineTruststorePem = validatingDocNode.get("trusted_certs").asString();
        this.truststoreId = validatingDocNode.get(FIELD_TRUSTSTORE_ID).withDefault((String) null).asString();
        this.verifyHostnames = validatingDocNode.get("verify_hostnames").withDefault(true).asBoolean();
        this.trustAll = validatingDocNode.get("trust_all").withDefault(false).asBoolean();
        this.clientAuthConfig = (TlsClientAuthConfig) validatingDocNode.get("client_auth").by(TlsClientAuthConfig::create);
        if (validatingDocNode.hasNonNull(FIELD_CLIENT_SESSION_TIMEOUT)) {
            this.clientSessionTimeout = validatingDocNode.get(FIELD_CLIENT_SESSION_TIMEOUT).asInteger();
        } else {
            this.clientSessionTimeout = null;
        }
        init(validationErrors);
        validationErrors.throwExceptionForPresentErrors();
    }

    public void init() throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        init(validationErrors);
        validationErrors.throwExceptionForPresentErrors();
    }

    private void init(ValidationErrors validationErrors) {
        log.info("Init TLS config with strict validation '{}'.", this.validationLevel);
        String str = this.truststoreId;
        try {
            if (Strings.isNullOrEmpty(str)) {
                this.inlineTrustCerts = CertificatesParser.parseCertificates(this.inlineTruststorePem);
            }
            this.trustStore = CertificatesParser.toTruststore("prefix", this.inlineTrustCerts);
            if (!Strings.isNullOrEmpty(str) && !Strings.isNullOrEmpty(this.inlineTruststorePem)) {
                validationErrors.add("tls", new ValidationErrors(new ValidationError(FIELD_TRUSTSTORE_ID, "Parameters truststore_id and trusted_certs cannot be combined.")));
            }
        } catch (ConfigValidationException e) {
            validationErrors.add("trusted_certs", e);
        }
        try {
            this.sslContext = buildSSLContext(validationErrors);
        } catch (ConfigValidationException e2) {
            validationErrors.add((String) null, e2);
        }
    }

    public void setTruststoreId(String str) {
        this.truststoreId = str;
    }

    public void setClientSessionTimeout(Integer num) {
        this.clientSessionTimeout = num;
    }

    KeyStore getTrustStore() {
        return this.trustStore;
    }

    SSLContext buildSSLContext(ValidationErrors validationErrors) throws ConfigValidationException {
        log.debug("Building SSL context");
        try {
            if (this.trustAll) {
                log.debug("Overly trustful SSL context created");
                return new OverlyTrustfulSSLContextBuilder().build();
            }
            RefreshableTruststoreSSLContextBuilder createRefreshable = RefreshableTruststoreSSLContextBuilder.createRefreshable();
            String str = this.truststoreId;
            log.debug("Trust store id defined in tls config '{}', and trust store '{}'", str, this.trustStore);
            createRefreshable.setClientSessionTimeout(this.clientSessionTimeout);
            if (!Strings.isNullOrEmpty(str)) {
                validateTruststoreIdIfStrictValidationIsRequired(str);
                createRefreshable.setTrustManager(new RefreshableX509TrustManager(str, createTrustManagerSupplier(str)));
            } else if (this.trustStore != null) {
                try {
                    createRefreshable.loadTrustMaterial(this.trustStore, null);
                } catch (KeyStoreException | NoSuchAlgorithmException e) {
                    log.error("Error while building SSLContext for " + String.valueOf(this), e);
                    throw new ConfigValidationException(new ValidationError((String) null, e.getMessage()).cause(e));
                }
            }
            if (this.clientAuthConfig != null) {
                log.debug("Client auth for SSL context available");
                try {
                    this.clientAuthConfig.loadKeyMaterial(createRefreshable);
                } catch (ConfigValidationException e2) {
                    validationErrors.add("client_auth", e2);
                }
            }
            log.debug("SSL context will be created using builder '{}'", createRefreshable);
            return createRefreshable.build();
        } catch (KeyManagementException | NoSuchAlgorithmException e3) {
            log.error("Error while building SSLContext for " + String.valueOf(this), e3);
            throw new ConfigValidationException(new ValidationError((String) null, e3.getMessage()).cause(e3));
        }
    }

    private void validateTruststoreIdIfStrictValidationIsRequired(String str) throws ConfigValidationException {
        log.debug("Validation of truststore with id '{}' will be performed '{}'.", str, this.validationLevel);
        if (this.validationLevel.isStrictValidation()) {
            this.trustManagerRegistry.findTrustManager(str).orElseThrow(() -> {
                return new ConfigValidationException(new ValidationError((String) null, "Trust store " + str + " not found."));
            });
        }
    }

    private Supplier<X509ExtendedTrustManager> createTrustManagerSupplier(String str) {
        return () -> {
            return this.trustManagerRegistry.findTrustManager(str).orElseGet(() -> {
                log.warn("Watch uses not existing truststore with id '{}', all TLS connection will be impossible.", str);
                return new RejectAllTrustManager(str);
            });
        };
    }

    private HostnameVerifier getHostnameVerifier() {
        return this.verifyHostnames ? new DefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE;
    }

    private String[] getSupportedProtocols() {
        return (String[]) DEFAULT_TLS_PROTOCOLS.toArray(new String[DEFAULT_TLS_PROTOCOLS.size()]);
    }

    private String[] getSupportedCipherSuites() {
        return null;
    }

    public SSLConnectionSocketFactory toSSLConnectionSocketFactory() {
        return new SSLConnectionSocketFactory(this.sslContext, getSupportedProtocols(), getSupportedCipherSuites(), getHostnameVerifier());
    }

    public static TlsConfig create(DocNode docNode, TrustManagerRegistry trustManagerRegistry, ValidationLevel validationLevel) throws ConfigValidationException {
        TlsConfig tlsConfig = new TlsConfig(trustManagerRegistry, validationLevel);
        tlsConfig.init(docNode);
        return tlsConfig;
    }

    public static TlsConfig parseJson(String str, TrustManagerRegistry trustManagerRegistry) throws ConfigValidationException {
        return create(DocNode.parse(Format.JSON).from(str), trustManagerRegistry, ValidationLevel.LENIENT);
    }

    public XContentBuilder toXContent(XContentBuilder xContentBuilder, ToXContent.Params params) throws IOException {
        xContentBuilder.startObject();
        if (this.inlineTruststorePem != null) {
            xContentBuilder.field("trusted_certs", this.inlineTruststorePem);
        }
        if (this.truststoreId != null) {
            xContentBuilder.field(FIELD_TRUSTSTORE_ID, this.truststoreId);
        }
        if (this.clientSessionTimeout != null) {
            xContentBuilder.field(FIELD_CLIENT_SESSION_TIMEOUT, this.clientSessionTimeout);
        }
        if (this.clientAuthConfig != null) {
            xContentBuilder.field("client_auth");
            this.clientAuthConfig.toXContent(xContentBuilder, params);
        }
        if (this.verifyHostnames) {
            xContentBuilder.field("verify_hostnames", this.verifyHostnames);
        }
        if (this.trustAll) {
            xContentBuilder.field("trust_all", this.trustAll);
        }
        xContentBuilder.endObject();
        return xContentBuilder;
    }

    public String getInlineTruststorePem() {
        return this.inlineTruststorePem;
    }

    public void setInlineTruststorePem(String str) {
        this.inlineTruststorePem = str;
    }

    public TlsClientAuthConfig getClientAuthConfig() {
        return this.clientAuthConfig;
    }

    public void setClientAuthConfig(TlsClientAuthConfig tlsClientAuthConfig) {
        this.clientAuthConfig = tlsClientAuthConfig;
    }

    public boolean isVerifyHostnames() {
        return this.verifyHostnames;
    }

    public void setVerifyHostnames(boolean z) {
        this.verifyHostnames = z;
    }

    public boolean isTrustAll() {
        return this.trustAll;
    }

    public void setTrustAll(boolean z) {
        this.trustAll = z;
    }
}
