package io.kroxylicious.proxy.tls;

import edu.umd.cs.findbugs.annotations.NonNull;
import edu.umd.cs.findbugs.annotations.Nullable;
import io.kroxylicious.proxy.config.secret.PasswordProvider;
import io.kroxylicious.proxy.config.tls.AllowDeny;
import io.kroxylicious.proxy.config.tls.InsecureTls;
import io.kroxylicious.proxy.config.tls.KeyPair;
import io.kroxylicious.proxy.config.tls.KeyProvider;
import io.kroxylicious.proxy.config.tls.KeyProviderVisitor;
import io.kroxylicious.proxy.config.tls.KeyStore;
import io.kroxylicious.proxy.config.tls.PlatformTrustProvider;
import io.kroxylicious.proxy.config.tls.Tls;
import io.kroxylicious.proxy.config.tls.TrustProvider;
import io.kroxylicious.proxy.config.tls.TrustProviderVisitor;
import io.kroxylicious.proxy.config.tls.TrustStore;
import java.io.FileInputStream;
import java.net.http.HttpClient;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.Set;
import java.util.function.Function;
import java.util.function.Predicate;
import java.util.function.UnaryOperator;
import java.util.stream.Collectors;
import java.util.stream.Stream;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/kroxylicious/proxy/tls/TlsHttpClientConfigurator.class */
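/**
 * Applies a proxy {@link Tls} configuration to a {@link HttpClient.Builder}.
 *
 * <p>Two things are derived from the configuration: the {@link SSLContext} (trust and key
 * material) and the {@link SSLParameters} (protocol and cipher-suite allow/deny restrictions).
 * With a {@code null} configuration the platform defaults are used unchanged.
 *
 * <p>Key material is only partially supported by this client: a non-PEM {@link KeyStore} is
 * loaded, a {@link KeyPair} is rejected, and a warning is logged at construction time whenever
 * any key material is configured.
 *
 * <p>Configuration problems surface as {@link SslConfigurationException}.
 */
public class TlsHttpClientConfigurator implements UnaryOperator<HttpClient.Builder> {
    private static final Logger LOGGER = LoggerFactory.getLogger(TlsHttpClientConfigurator.class);
    /** The JVM default context; also the source of the default and supported SSLParameters. */
    private static final SSLContext PLATFORM_SSL_CONTEXT;
    private static final X509TrustManager INSECURE_TRUST_MANAGER;
    private static final TrustManager[] INSECURE_TRUST_MANAGERS;

    @Nullable
    private final Tls tls;

    /**
     * @param tls the TLS configuration, or {@code null} to use the platform defaults
     */
    public TlsHttpClientConfigurator(@Nullable Tls tls) {
        if (tls != null && tls.key() != null) {
            // sslContext() still tries to build key managers; see getKeyManagers for what is accepted
            LOGGER.warn("TLS key material is currently not supported by this client");
        }
        this.tls = tls;
    }

    /**
     * Builds the {@link SSLContext} for the configured trust and key material.
     *
     * @return the platform default context when neither trust nor key is configured, otherwise a
     *         freshly initialised {@code "TLS"} context
     * @throws SslConfigurationException if the configured material cannot be loaded or the context
     *         cannot be initialised
     */
    private SSLContext sslContext() {
        if (tls == null || (tls.trust() == null && tls.key() == null)) {
            return PLATFORM_SSL_CONTEXT;
        }
        try {
            // A null manager array makes SSLContext.init fall back to the JSSE defaults for that side.
            TrustManager[] trustManagers = tls.trust() == null ? null : getTrustManagers(tls.trust());
            KeyManager[] keyManagers = tls.key() == null ? null : getKeyManagers(tls.key());
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(keyManagers, trustManagers, new SecureRandom());
            return context;
        } catch (SslConfigurationException e) {
            throw e; // already the right type; do not wrap it in itself
        } catch (Exception e) {
            throw new SslConfigurationException(e);
        }
    }

    /**
     * Derives the {@link SSLParameters}, restricting the platform default protocols and cipher
     * suites by the configured allow/deny lists.
     *
     * <p>The starting point is always the platform context's defaults (a fresh copy per call),
     * not the context built by {@link #sslContext()}.
     *
     * @return the platform defaults when no restriction is configured, otherwise a restricted copy
     * @throws SslConfigurationException if a restriction leaves no protocol or cipher suite
     */
    private SSLParameters sslParameters() {
        SSLParameters defaults = PLATFORM_SSL_CONTEXT.getDefaultSSLParameters();
        if (tls == null || (tls.protocols() == null && tls.cipherSuites() == null)) {
            return defaults;
        }
        SSLParameters supported = PLATFORM_SSL_CONTEXT.getSupportedSSLParameters();
        String[] protocols = applyRestriction("protocol", tls.protocols(), defaults, supported, SSLParameters::getProtocols);
        String[] cipherSuites = applyRestriction("cipher suite", tls.cipherSuites(), defaults, supported, SSLParameters::getCipherSuites);
        defaults.setProtocols(protocols);
        defaults.setCipherSuites(cipherSuites);
        return defaults;
    }

    /**
     * Applies an allow/deny restriction to one kind of SSL parameter.
     *
     * <p>If an allow list is present and non-empty it replaces the platform defaults (entries the
     * platform does not support are logged and dropped). The deny list is then removed from the
     * result. Denied entries the platform does not support are logged and otherwise ignored.
     *
     * @param kind human-readable name of the parameter, used in log and error messages
     * @param allowDeny the configured restriction, or {@code null} for no restriction
     * @param defaults the platform default parameters
     * @param supported the platform supported parameters
     * @param getter extracts the relevant array from an {@link SSLParameters}
     * @return the resulting values, never empty when a restriction was applied
     * @throws SslConfigurationException if a restriction leaves no value
     */
    @NonNull
    private String[] applyRestriction(String kind, @Nullable AllowDeny<String> allowDeny, SSLParameters defaults, SSLParameters supported,
                                      Function<SSLParameters, String[]> getter) {
        List<String> selected = Arrays.stream(getter.apply(defaults)).toList();
        if (allowDeny != null) {
            Set<String> platformSupported = Arrays.stream(getter.apply(supported)).collect(Collectors.toSet());
            List<String> allowed = allowDeny.allowed();
            if (allowed != null && !allowed.isEmpty()) {
                allowed.stream()
                        .filter(Predicate.not(platformSupported::contains))
                        .forEach(value -> LOGGER.warn("Ignoring allowed {} '{}' as it is not recognized by this platform (supported: {})", kind, value, platformSupported));
                // An explicit allow list replaces the defaults rather than intersecting with them.
                selected = allowed.stream().filter(platformSupported::contains).toList();
            }
            Set<String> denied = allowDeny.denied();
            if (denied != null) {
                denied.stream()
                        .filter(Predicate.not(platformSupported::contains))
                        .forEach(value -> LOGGER.warn("Ignoring denied {} '{}' as it is not recognized by this platform (supported: {})", kind, value, platformSupported));
                selected = selected.stream().filter(Predicate.not(denied::contains)).toList();
            }
            if (selected.isEmpty()) {
                throw new SslConfigurationException("The configuration you have in place has resulted in no %ss being available. Allowed: %s, Denied: %s".formatted(kind, allowed, denied));
            }
        }
        return selected.toArray(new String[0]);
    }

    /**
     * Resolves a password provider to the password characters.
     *
     * @param provider the provider, may be {@code null}
     * @return the provided password, or {@code null} if there is no provider or no password
     */
    @Nullable
    private static char[] passwordOrNull(@Nullable PasswordProvider provider) {
        return Optional.ofNullable(provider)
                .map(PasswordProvider::getProvidedPassword)
                .map(String::toCharArray)
                .orElse(null);
    }

    /**
     * Creates the {@link TrustManager}s of the platform default trust store.
     *
     * @throws SslConfigurationException if the default factory cannot be initialised
     */
    private static TrustManager[] getDefaultTrustManagers() {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init((java.security.KeyStore) null); // null keystore selects the platform defaults
            return factory.getTrustManagers();
        } catch (Exception e) {
            throw new SslConfigurationException(e);
        }
    }

    /**
     * Builds {@link KeyManager}s for the configured key material.
     *
     * <p>Only a non-PEM {@link KeyStore} is supported. The key password falls back to the store
     * password when none is configured.
     *
     * @param keyProvider the configured key material
     * @return the key managers
     * @throws SslConfigurationException for a {@link KeyPair}, a PEM store, or any load failure
     */
    static KeyManager[] getKeyManagers(KeyProvider keyProvider) {
        return keyProvider.accept(new KeyProviderVisitor<KeyManager[]>() {
            @Override
            public KeyManager[] visit(KeyPair keyPair) {
                throw new SslConfigurationException("KeyPair is not supported by this client");
            }

            @Override
            public KeyManager[] visit(KeyStore keyStore) {
                if (keyStore.isPemType()) {
                    throw new SslConfigurationException("PEM is not supported by this client");
                }
                try {
                    java.security.KeyStore store = java.security.KeyStore.getInstance(keyStore.getType());
                    char[] storePassword = passwordOrNull(keyStore.storePasswordProvider());
                    try (FileInputStream in = new FileInputStream(keyStore.storeFile())) {
                        store.load(in, storePassword);
                    }
                    KeyManagerFactory factory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
                    char[] keyPassword = passwordOrNull(keyStore.keyPasswordProvider());
                    factory.init(store, keyPassword == null ? storePassword : keyPassword);
                    return factory.getKeyManagers();
                } catch (Exception e) {
                    throw new SslConfigurationException(e);
                }
            }
        });
    }

    /**
     * Builds {@link TrustManager}s for the configured trust material.
     *
     * <p>A non-PEM {@link TrustStore} is loaded from disk; {@link PlatformTrustProvider} and a
     * non-insecure {@link InsecureTls} use the platform defaults; an insecure {@link InsecureTls}
     * installs {@link #INSECURE_TRUST_MANAGERS} and logs a warning.
     *
     * @param trustProvider the configured trust material
     * @return the trust managers
     * @throws SslConfigurationException for a PEM store or any load failure
     */
    static TrustManager[] getTrustManagers(TrustProvider trustProvider) {
        return trustProvider.accept(new TrustProviderVisitor<TrustManager[]>() {
            @Override
            public TrustManager[] visit(TrustStore trustStore) {
                if (trustStore.isPemType()) {
                    throw new SslConfigurationException("PEM trust not supported by vault yet");
                }
                try {
                    java.security.KeyStore store = java.security.KeyStore.getInstance(trustStore.getType());
                    try (FileInputStream in = new FileInputStream(trustStore.storeFile())) {
                        store.load(in, passwordOrNull(trustStore.storePasswordProvider()));
                    }
                    TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    factory.init(store);
                    return factory.getTrustManagers();
                } catch (Exception e) {
                    throw new SslConfigurationException(e);
                }
            }

            @Override
            public TrustManager[] visit(InsecureTls insecureTls) {
                if (insecureTls.insecure()) {
                    // Deliberate configuration choice; make it visible in the logs.
                    LOGGER.warn("Insecure TLS trust is enabled for this HTTP client");
                    return INSECURE_TRUST_MANAGERS;
                }
                return getDefaultTrustManagers();
            }

            @Override
            public TrustManager[] visit(PlatformTrustProvider platformTrustProvider) {
                return getDefaultTrustManagers();
            }
        });
    }

    /**
     * Installs the SSL context and parameters on {@code builder}.
     *
     * @param builder the builder to configure; mutated in place
     * @return the same builder
     * @throws NullPointerException if {@code builder} is {@code null}
     * @throws SslConfigurationException if the TLS configuration cannot be applied
     */
    @Override
    public HttpClient.Builder apply(@NonNull HttpClient.Builder builder) {
        Objects.requireNonNull(builder, "builder");
        return builder.sslContext(sslContext()).sslParameters(sslParameters());
    }

    static {
        try {
            PLATFORM_SSL_CONTEXT = SSLContext.getDefault();
            INSECURE_TRUST_MANAGER = new InsecureTrustManager();
            INSECURE_TRUST_MANAGERS = new TrustManager[]{INSECURE_TRUST_MANAGER};
        } catch (NoSuchAlgorithmException e) {
            ExceptionInInitializerError error = new ExceptionInInitializerError("Failed to access default SSL context for platform");
            error.initCause(e);
            throw error;
        }
    }
}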
