package com.floragunn.signals.watch.common;

import com.fasterxml.jackson.databind.JsonNode;
import com.floragunn.searchsupport.config.validation.ConfigValidationException;
import com.floragunn.searchsupport.config.validation.InvalidAttributeValue;
import com.floragunn.searchsupport.config.validation.ValidatingJsonNode;
import com.floragunn.searchsupport.config.validation.ValidatingJsonParser;
import com.floragunn.searchsupport.config.validation.ValidationError;
import com.floragunn.searchsupport.config.validation.ValidationErrors;
import com.google.common.collect.ImmutableList;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.apache.logging.log4j.LogManager;
import org.apache.logging.log4j.Logger;
import org.elasticsearch.common.xcontent.ToXContent;
import org.elasticsearch.common.xcontent.ToXContentObject;
import org.elasticsearch.common.xcontent.XContentBuilder;

/* loaded from: input_file:com/floragunn/signals/watch/common/TlsConfig.class */
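/**
 * TLS settings for the outbound HTTPS connections made by Signals watches.
 *
 * <p>An instance is populated either from JSON ({@link #create(JsonNode)} / {@link #parseJson(String)})
 * or through the setters followed by {@link #init()}. Both paths end in {@link #init(ValidationErrors)},
 * which parses the inline PEM material and builds the {@link SSLContext} that
 * {@link #toSSLConnectionSocketFactory()} hands to the HTTP client.
 *
 * <p>Recognised attributes:
 * <ul>
 *   <li>{@code trusted_certs} - optional PEM text with the certificates to trust. When absent no
 *       trust material is loaded into the {@link SSLContextBuilder}, so its default trust
 *       (normally the JVM trust store) applies.</li>
 *   <li>{@code client_auth} - optional client certificate settings, see {@link TlsClientAuthConfig}.</li>
 *   <li>{@code verify_hostnames} - defaults to {@code true}; {@code false} disables hostname
 *       verification.</li>
 *   <li>{@code trust_all} - defaults to {@code false}; {@code true} disables certificate validation
 *       entirely and makes {@code trusted_certs} irrelevant.</li>
 * </ul>
 *
 * <p>Instances are mutable and not synchronised; initialise them fully before sharing.
 */
public class TlsConfig implements ToXContentObject {
    private static final Logger log = LogManager.getLogger(TlsConfig.class);

    /**
     * Protocols enabled on sockets created by {@link #toSSLConnectionSocketFactory()}.
     * NOTE(review): TLSv1.1 is deprecated (RFC 8996). It is kept here to preserve the existing
     * behaviour; restricting the list to TLSv1.2 and newer is the recommended follow-up.
     */
    private static final List<String> DEFAULT_TLS_PROTOCOLS = ImmutableList.of("TLSv1.2", "TLSv1.1");

    /** Alias prefix for the certificate entries written to the generated trust store. */
    private static final String TRUSTSTORE_ALIAS_PREFIX = "prefix";

    private String inlineTruststorePem;
    private Collection<? extends Certificate> inlineTrustCerts;
    private KeyStore trustStore;
    private TlsClientAuthConfig clientAuthConfig;
    private boolean verifyHostnames;
    private boolean trustAll;
    private SSLContext sslContext;

    /**
     * {@link SSLContextBuilder} variant used when {@code trust_all} is set: key material is taken from
     * the builder as usual, but the trust manager accepts every certificate chain.
     */
    public static class OverlyTrustfulSSLContextBuilder extends SSLContextBuilder {
        private OverlyTrustfulSSLContextBuilder() {
        }

        @Override
        protected void initSSLContext(SSLContext sslContext, Collection<KeyManager> keyManagers,
                Collection<TrustManager> trustManagers, SecureRandom secureRandom) throws KeyManagementException {
            // The configured trust managers are deliberately ignored; only the all-accepting one is installed.
            KeyManager[] keyManagerArray = keyManagers.isEmpty() ? null : keyManagers.toArray(new KeyManager[0]);
            sslContext.init(keyManagerArray, new TrustManager[] { new OverlyTrustfulTrustManager() }, secureRandom);
        }
    }

    /**
     * Trust manager that performs no validation at all. Every client and server chain is accepted;
     * only reachable through {@code trust_all}.
     */
    private static class OverlyTrustfulTrustManager implements X509TrustManager {
        private OverlyTrustfulTrustManager() {
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Intentionally empty: accept any client chain.
        }

        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
            // Intentionally empty: accept any server chain.
        }

        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * Reads the attributes from {@code jsonNode}, then builds the trust store and SSL context.
     *
     * @param jsonNode the {@code tls} object of a watch definition
     * @throws ConfigValidationException collecting every attribute problem found, including errors
     *         from {@link TlsClientAuthConfig#create(JsonNode)} and from building the SSL context
     */
    public void init(JsonNode jsonNode) throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        ValidatingJsonNode vJsonNode = new ValidatingJsonNode(jsonNode, validationErrors);

        this.inlineTruststorePem = vJsonNode.string("trusted_certs");
        this.verifyHostnames = vJsonNode.booleanAttribute("verify_hostnames", true).booleanValue();
        this.trustAll = vJsonNode.booleanAttribute("trust_all", false).booleanValue();

        JsonNode clientAuthNode = vJsonNode.get("client_auth");
        if (clientAuthNode != null) {
            try {
                this.clientAuthConfig = TlsClientAuthConfig.create(clientAuthNode);
            } catch (ConfigValidationException e) {
                validationErrors.add("client_auth", e);
            }
        }

        init(validationErrors);
        validationErrors.throwExceptionForPresentErrors();
    }

    /**
     * Builds the trust store and SSL context from the values set through the setters.
     *
     * @throws ConfigValidationException if the PEM material or the SSL context cannot be built
     */
    public void init() throws ConfigValidationException {
        ValidationErrors validationErrors = new ValidationErrors();
        init(validationErrors);
        validationErrors.throwExceptionForPresentErrors();
    }

    /**
     * Shared initialisation: parses {@link #inlineTruststorePem} into {@link #trustStore} and then
     * builds {@link #sslContext}. Problems are recorded in {@code validationErrors} rather than thrown,
     * so the SSL context is still attempted when the trust material is invalid; the caller decides
     * whether to fail.
     */
    private void init(ValidationErrors validationErrors) {
        try {
            this.inlineTrustCerts = parseCertificates(this.inlineTruststorePem);
            this.trustStore = toTruststore(TRUSTSTORE_ALIAS_PREFIX, this.inlineTrustCerts);
        } catch (ConfigValidationException e) {
            validationErrors.add("trusted_certs", e);
        }

        try {
            this.sslContext = buildSSLContext(validationErrors);
        } catch (ConfigValidationException e) {
            validationErrors.add((String) null, e);
        }
    }

    /**
     * Creates the {@link SSLContext} for this configuration.
     *
     * <p>With {@code trust_all} an all-accepting context is returned and a warning is logged, because
     * this disables server certificate validation for every connection using this configuration.
     * Otherwise the optional trust store and client key material are loaded into a custom context.
     *
     * @param validationErrors receives client-auth problems, which do not abort the build
     * @return the initialised context
     * @throws ConfigValidationException if the trust store cannot be loaded or the context cannot be built
     */
    SSLContext buildSSLContext(ValidationErrors validationErrors) throws ConfigValidationException {
        try {
            if (this.trustAll) {
                log.warn("trust_all is enabled for " + this + "; server certificates will not be validated");
                return new OverlyTrustfulSSLContextBuilder().build();
            }

            SSLContextBuilder builder = SSLContexts.custom();

            if (this.trustStore != null) {
                try {
                    builder.loadTrustMaterial(this.trustStore, (TrustStrategy) null);
                } catch (KeyStoreException | NoSuchAlgorithmException e) {
                    log.error("Error while building SSLContext for " + this, e);
                    throw new ConfigValidationException(new ValidationError((String) null, e.getMessage()).cause(e));
                }
            }

            if (this.clientAuthConfig != null) {
                try {
                    this.clientAuthConfig.loadKeyMaterial(builder);
                } catch (ConfigValidationException e) {
                    validationErrors.add("client_auth", e);
                }
            }

            return builder.build();
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            log.error("Error while building SSLContext for " + this, e);
            throw new ConfigValidationException(new ValidationError((String) null, e.getMessage()).cause(e));
        }
    }

    /** Hostname verifier matching {@code verify_hostnames}; the no-op verifier accepts any host name. */
    private HostnameVerifier getHostnameVerifier() {
        return this.verifyHostnames ? new DefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE;
    }

    /** Enabled protocols as an array, see {@link #DEFAULT_TLS_PROTOCOLS}. */
    private String[] getSupportedProtocols() {
        return DEFAULT_TLS_PROTOCOLS.toArray(new String[0]);
    }

    /** {@code null} means no explicit cipher-suite restriction is passed to the socket factory. */
    private String[] getSupportedCipherSuites() {
        return null;
    }

    /**
     * Parses PEM text into X.509 certificates.
     *
     * @param pem PEM-encoded certificates, or {@code null}
     * @return the parsed certificates, or {@code null} when {@code pem} is {@code null}
     * @throws ConfigValidationException with an {@link InvalidAttributeValue} when the text is not valid
     *         PEM, or a plain {@link ValidationError} when no X.509 {@link CertificateFactory} is available
     */
    public static Collection<? extends Certificate> parseCertificates(String pem) throws ConfigValidationException {
        if (pem == null) {
            return null;
        }

        // Obtain the factory separately so that a missing provider is reported as such and not as bad PEM.
        CertificateFactory certificateFactory;
        try {
            certificateFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            log.error("Could not initialize X.509", e);
            throw new ConfigValidationException(new ValidationError((String) null, "Could not initialize X.509").cause(e));
        }

        try {
            return certificateFactory.generateCertificates(new ByteArrayInputStream(pem.getBytes(StandardCharsets.US_ASCII)));
        } catch (CertificateException e) {
            throw new ConfigValidationException(new InvalidAttributeValue((String) null, pem, "PEM File").cause(e));
        }
    }

    /**
     * Wraps the certificates in an in-memory JKS trust store with aliases {@code <aliasPrefix>_<n>}.
     *
     * @param aliasPrefix prefix for the generated aliases
     * @param certificates the certificates to trust, or {@code null}
     * @return the trust store, or {@code null} when {@code certificates} is {@code null}
     * @throws ConfigValidationException if the key store cannot be created or a certificate cannot be added;
     *         the per-certificate {@link InvalidAttributeValue} is propagated unchanged
     */
    private KeyStore toTruststore(String aliasPrefix, Collection<? extends Certificate> certificates)
            throws ConfigValidationException {
        if (certificates == null) {
            return null;
        }

        KeyStore keyStore;
        try {
            keyStore = KeyStore.getInstance("JKS");
            keyStore.load(null);
        } catch (KeyStoreException | NoSuchAlgorithmException | CertificateException | IOException e) {
            log.error("Could not initialize JKS KeyStore", e);
            throw new ConfigValidationException(new ValidationError((String) null, "Could not initialize JKS KeyStore").cause(e));
        }

        int index = 0;
        for (Certificate certificate : certificates) {
            try {
                keyStore.setCertificateEntry(aliasPrefix + "_" + index, certificate);
            } catch (KeyStoreException e) {
                throw new ConfigValidationException(new InvalidAttributeValue((String) null, certificate, "PEM File").cause(e));
            }
            index++;
        }

        return keyStore;
    }

    /**
     * Creates the socket factory the HTTP client uses for this configuration.
     *
     * @return a socket factory bound to the built {@link SSLContext}, the enabled protocols and the hostname verifier
     * @throws IllegalStateException if {@link #init()} / {@link #init(JsonNode)} has not built an SSL context yet
     */
    public SSLConnectionSocketFactory toSSLConnectionSocketFactory() {
        if (this.sslContext == null) {
            throw new IllegalStateException("TlsConfig has not been initialized; call init() first");
        }
        return new SSLConnectionSocketFactory(this.sslContext, getSupportedProtocols(), getSupportedCipherSuites(),
                getHostnameVerifier());
    }

    /**
     * Parses and initialises a configuration from its JSON representation.
     *
     * @throws ConfigValidationException see {@link #init(JsonNode)}
     */
    public static TlsConfig create(JsonNode jsonNode) throws ConfigValidationException {
        TlsConfig tlsConfig = new TlsConfig();
        tlsConfig.init(jsonNode);
        return tlsConfig;
    }

    /**
     * Parses and initialises a configuration from JSON text.
     *
     * @throws ConfigValidationException if the text is not valid JSON or the configuration is invalid
     */
    public static TlsConfig parseJson(String json) throws ConfigValidationException {
        return create(ValidatingJsonParser.readTree(json));
    }

    /**
     * Serialises the configuration so that {@link #create(JsonNode)} reproduces it.
     *
     * <p>{@code verify_hostnames} is always written: the parser defaults it to {@code true}, so omitting
     * a {@code false} value would silently re-enable hostname verification on a round trip.
     * {@code trust_all} is written only when set, as {@code false} is the parser default.
     */
    @Override
    public XContentBuilder toXContent(XContentBuilder builder, ToXContent.Params params) throws IOException {
        builder.startObject();

        if (this.inlineTruststorePem != null) {
            builder.field("trusted_certs", this.inlineTruststorePem);
        }

        if (this.clientAuthConfig != null) {
            builder.field("client_auth");
            this.clientAuthConfig.toXContent(builder, params);
        }

        builder.field("verify_hostnames", this.verifyHostnames);

        if (this.trustAll) {
            builder.field("trust_all", this.trustAll);
        }

        builder.endObject();
        return builder;
    }

    public String getInlineTruststorePem() {
        return this.inlineTruststorePem;
    }

    /** Sets the PEM text; takes effect after the next {@link #init()}. */
    public void setInlineTruststorePem(String inlineTruststorePem) {
        this.inlineTruststorePem = inlineTruststorePem;
    }

    public TlsClientAuthConfig getClientAuthConfig() {
        return this.clientAuthConfig;
    }

    /** Sets the client certificate configuration; takes effect after the next {@link #init()}. */
    public void setClientAuthConfig(TlsClientAuthConfig clientAuthConfig) {
        this.clientAuthConfig = clientAuthConfig;
    }

    public boolean isVerifyHostnames() {
        return this.verifyHostnames;
    }

    public void setVerifyHostnames(boolean verifyHostnames) {
        this.verifyHostnames = verifyHostnames;
    }

    public boolean isTrustAll() {
        return this.trustAll;
    }

    /** Enables or disables certificate validation; takes effect after the next {@link #init()}. */
    public void setTrustAll(boolean trustAll) {
        this.trustAll = trustAll;
    }

    /**
     * Summary used in log messages. Deliberately reports only whether trust and client-auth material is
     * present, never the material itself.
     */
    @Override
    public String toString() {
        return "TlsConfig [trustedCerts=" + (this.inlineTruststorePem != null) + ", clientAuth="
                + (this.clientAuthConfig != null) + ", verifyHostnames=" + this.verifyHostnames + ", trustAll="
                + this.trustAll + "]";
    }
}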
