package com.floragunn.dlic.auth.http.jwt.keybyoidc;

import com.floragunn.searchguard.support.PemKeyReader;
import com.google.common.collect.ImmutableList;
import java.net.Socket;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Map;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.DefaultHostnameVerifier;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.nio.conn.ssl.SSLIOSessionStrategy;
import org.apache.http.ssl.PrivateKeyDetails;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.elasticsearch.common.settings.Settings;

/* loaded from: input_file:com/floragunn/dlic/auth/http/jwt/keybyoidc/SettingsBasedSSLConfigurator.class */
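/**
 * Builds an {@link SSLContext} (and a matching {@link SSLConfig}) for an outbound HTTP client from a
 * prefixed group of settings, e.g. {@code <prefix>.enable_ssl}, {@code <prefix>.pemtrustedcas_filepath}.
 *
 * <p>Trust and key material come either from the PEM settings under the prefix (chosen when
 * {@code pemtrustedcas_filepath} or {@code pemtrustedcas_content} is present) or, otherwise, from the
 * {@code searchguard.ssl.transport.*} key and trust stores.
 *
 * <p>Not thread-safe: {@link #buildSSLContext()} mutates the instance, so use one instance per build.
 */
public class SettingsBasedSSLConfigurator {
    public static final String CERT_ALIAS = "cert_alias";
    public static final String ENABLE_SSL = "enable_ssl";
    public static final String ENABLE_SSL_CLIENT_AUTH = "enable_ssl_client_auth";
    public static final String PEMKEY_FILEPATH = "pemkey_filepath";
    public static final String PEMKEY_CONTENT = "pemkey_content";
    public static final String PEMKEY_PASSWORD = "pemkey_password";
    public static final String PEMCERT_FILEPATH = "pemcert_filepath";
    public static final String PEMCERT_CONTENT = "pemcert_content";
    public static final String PEMTRUSTEDCAS_CONTENT = "pemtrustedcas_content";
    public static final String PEMTRUSTEDCAS_FILEPATH = "pemtrustedcas_filepath";
    public static final String VERIFY_HOSTNAMES = "verify_hostnames";

    /**
     * Protocols enabled when {@code <prefix>.enabled_ssl_protocols} is not set. TLSv1.1 is deprecated
     * (RFC 8996) and is kept here only for compatibility with older providers; set the setting
     * explicitly to restrict the client to TLSv1.2 or newer.
     */
    private static final List<String> DEFAULT_TLS_PROTOCOLS = ImmutableList.of("TLSv1.2", "TLSv1.1");

    private final SSLContextBuilder delegate = SSLContexts.custom();
    private final Settings settings;
    private final String settingsKeyPrefix;
    private final Path configPath;

    // Populated by configureWithSettings(); read by the build methods and chooseKeyAlias().
    private boolean enabled;
    private boolean enableSslClientAuth;
    private KeyStore effectiveTruststore;
    private KeyStore effectiveKeystore;
    private char[] effectiveKeyPassword;
    private String effectiveKeyAlias;

    /**
     * Result of {@link #buildSSLConfig()}: the context plus the protocol, cipher-suite and
     * hostname-verification policy to apply to it.
     */
    public static class SSLConfig {
        private final SSLContext sslContext;
        private final String[] supportedProtocols;
        private final String[] supportedCipherSuites;
        private final HostnameVerifier hostnameVerifier;

        SSLConfig(SSLContext sslContext, String[] supportedProtocols, String[] supportedCipherSuites, HostnameVerifier hostnameVerifier) {
            this.sslContext = sslContext;
            this.supportedProtocols = copyOf(supportedProtocols);
            this.supportedCipherSuites = copyOf(supportedCipherSuites);
            this.hostnameVerifier = hostnameVerifier;
        }

        /** @return the configured context; non-null for any config returned by {@link #buildSSLConfig()} */
        public SSLContext getSslContext() {
            return this.sslContext;
        }

        /** @return a copy of the enabled protocol names, or {@code null} when none were configured */
        public String[] getSupportedProtocols() {
            return copyOf(this.supportedProtocols);
        }

        /** @return a copy of the enabled cipher-suite names, or {@code null} when none were configured */
        public String[] getSupportedCipherSuites() {
            return copyOf(this.supportedCipherSuites);
        }

        /** @return the verifier applied to the remote host name (no-op when {@code verify_hostnames} is false) */
        public HostnameVerifier getHostnameVerifier() {
            return this.hostnameVerifier;
        }

        /** @return this configuration as an async-client (NIO) session strategy */
        public SSLIOSessionStrategy toSSLIOSessionStrategy() {
            return new SSLIOSessionStrategy(this.sslContext, this.supportedProtocols, this.supportedCipherSuites, this.hostnameVerifier);
        }

        /** @return this configuration as a blocking-client socket factory */
        public SSLConnectionSocketFactory toSSLConnectionSocketFactory() {
            return new SSLConnectionSocketFactory(this.sslContext, this.supportedProtocols, this.supportedCipherSuites, this.hostnameVerifier);
        }

        // Defensive copy so callers cannot alter the protocol/cipher policy behind our back;
        // null is passed through unchanged because the Apache strategies accept it as-is.
        private static String[] copyOf(String[] array) {
            return array == null ? null : array.clone();
        }
    }

    /**
     * @param settings          settings to read from
     * @param configPath        directory against which relative file paths in the settings are resolved
     * @param settingsKeyPrefix prefix of the SSL settings; a trailing dot is added when missing,
     *                          {@code null} or empty means no prefix
     */
    public SettingsBasedSSLConfigurator(Settings settings, Path configPath, String settingsKeyPrefix) {
        this.settings = settings;
        this.configPath = configPath;
        this.settingsKeyPrefix = normalizeSettingsKeyPrefix(settingsKeyPrefix);
    }

    /**
     * Reads the settings and builds the SSL context they describe.
     *
     * @return the context, or {@code null} when {@code <prefix>.enable_ssl} is false
     * @throws Exception if key or trust material cannot be read or loaded
     */
    SSLContext buildSSLContext() throws Exception {
        configureWithSettings();
        return this.enabled ? this.delegate.build() : null;
    }

    /**
     * Builds the SSL context together with its protocol, cipher and hostname-verification policy.
     *
     * @return the configuration, or {@code null} when {@code <prefix>.enable_ssl} is false
     * @throws Exception if key or trust material cannot be read or loaded
     */
    public SSLConfig buildSSLConfig() throws Exception {
        SSLContext sslContext = buildSSLContext();
        if (sslContext == null) {
            return null;
        }
        return new SSLConfig(sslContext, getSupportedProtocols(), getSupportedCipherSuites(), getHostnameVerifier());
    }

    /**
     * Hostname verification is on by default; {@code <prefix>.verify_hostnames=false} turns it off,
     * which accepts any certificate the trust store signs regardless of the host it names.
     */
    private HostnameVerifier getHostnameVerifier() {
        boolean verifyHostnames = getSettingAsBoolean(VERIFY_HOSTNAMES, true);
        return verifyHostnames ? new DefaultHostnameVerifier() : NoopHostnameVerifier.INSTANCE;
    }

    private String[] getSupportedProtocols() {
        return getSettingAsArray("enabled_ssl_protocols", DEFAULT_TLS_PROTOCOLS);
    }

    /** @return the configured cipher suites, or {@code null} when the setting is absent */
    private String[] getSupportedCipherSuites() {
        return getSettingAsArray("enabled_ssl_ciphers", null);
    }

    /**
     * Reads the settings, loads key/trust material into {@link #delegate} and records the
     * {@code effective*} fields. Does nothing beyond setting {@link #enabled} when SSL is off.
     *
     * @throws Exception if key or trust material cannot be read or loaded
     */
    private void configureWithSettings() throws Exception {
        this.enabled = getSettingAsBoolean(ENABLE_SSL, false);
        if (!this.enabled) {
            return;
        }
        this.enableSslClientAuth = getSettingAsBoolean(ENABLE_SSL_CLIENT_AUTH, false);

        // Look the PEM settings up under the same prefix initFromPem() loads them from; checking the
        // unprefixed keys here would silently route prefixed PEM configuration to the keystore path.
        if (getSetting(PEMTRUSTEDCAS_FILEPATH) != null || getSetting(PEMTRUSTEDCAS_CONTENT) != null) {
            initFromPem();
        } else {
            initFromKeyStore();
        }

        // The trust store verifies the remote server and is needed whether or not client auth is on.
        // Loading it only for client auth would leave the context on the JVM default trust store
        // while the configured CAs are silently ignored.
        if (this.effectiveTruststore != null) {
            this.delegate.loadTrustMaterial(this.effectiveTruststore, (TrustStrategy) null);
        }

        if (this.enableSslClientAuth && this.effectiveKeystore != null) {
            try {
                this.delegate.loadKeyMaterial(this.effectiveKeystore, this.effectiveKeyPassword, new PrivateKeyStrategy() {
                    @Override
                    public String chooseAlias(Map<String, PrivateKeyDetails> aliases, Socket socket) {
                        return chooseKeyAlias(aliases);
                    }
                });
            } catch (UnrecoverableKeyException e) {
                // Keep the cause so the caller can see which key failed and why.
                throw new RuntimeException("Unable to load client key material configured under '" + this.settingsKeyPrefix + "'", e);
            }
        }
    }

    /**
     * Picks the alias used for client authentication: the configured alias when set, otherwise the
     * first alias the key store offers. With no candidates the configured alias (possibly
     * {@code null}) is returned unchanged.
     */
    private String chooseKeyAlias(Map<String, PrivateKeyDetails> candidates) {
        if (candidates == null || candidates.isEmpty()) {
            return this.effectiveKeyAlias;
        }
        if (this.effectiveKeyAlias == null || this.effectiveKeyAlias.isEmpty()) {
            return candidates.keySet().iterator().next();
        }
        return this.effectiveKeyAlias;
    }

    /**
     * Loads trust and key material from the {@code pem*} settings. Inline {@code *_content} settings
     * take precedence over {@code *_filepath}. The trusted CAs are always resolved with the last
     * {@code resolve} argument set to {@code true}, the client cert and key only with
     * {@link #enableSslClientAuth} — presumably "mandatory", so cert/key are optional without
     * client auth (TODO confirm against PemKeyReader).
     *
     * @throws Exception if the PEM material cannot be read or converted
     */
    private void initFromPem() throws Exception {
        X509Certificate[] trustedCas = PemKeyReader.loadCertificatesFromStream(
                PemKeyReader.resolveStream(this.settingsKeyPrefix + PEMTRUSTEDCAS_CONTENT, this.settings));
        if (trustedCas == null) {
            trustedCas = PemKeyReader.loadCertificatesFromFile(
                    PemKeyReader.resolve(this.settingsKeyPrefix + PEMTRUSTEDCAS_FILEPATH, this.settings, this.configPath, true));
        }

        X509Certificate[] clientCertChain = PemKeyReader.loadCertificatesFromStream(
                PemKeyReader.resolveStream(this.settingsKeyPrefix + PEMCERT_CONTENT, this.settings));
        if (clientCertChain == null) {
            clientCertChain = PemKeyReader.loadCertificatesFromFile(
                    PemKeyReader.resolve(this.settingsKeyPrefix + PEMCERT_FILEPATH, this.settings, this.configPath, this.enableSslClientAuth));
        }

        PrivateKey clientKey = PemKeyReader.loadKeyFromStream(getSetting(PEMKEY_PASSWORD),
                PemKeyReader.resolveStream(this.settingsKeyPrefix + PEMKEY_CONTENT, this.settings));
        if (clientKey == null) {
            clientKey = PemKeyReader.loadKeyFromFile(getSetting(PEMKEY_PASSWORD),
                    PemKeyReader.resolve(this.settingsKeyPrefix + PEMKEY_FILEPATH, this.settings, this.configPath, this.enableSslClientAuth));
        }

        // The in-memory key store only needs a throwaway password; the PEM key password is not reused.
        this.effectiveKeyPassword = PemKeyReader.randomChars(12);
        this.effectiveKeyAlias = "al";
        this.effectiveTruststore = PemKeyReader.toTruststore(this.effectiveKeyAlias, trustedCas);
        this.effectiveKeystore = PemKeyReader.toKeystore(this.effectiveKeyAlias, this.effectiveKeyPassword, clientCertChain, clientKey);
    }

    /**
     * Loads trust and key material from the {@code searchguard.ssl.transport.*} stores. The trust
     * store is always resolved (last {@code resolve} argument {@code true}), the key store only with
     * client auth. {@code <prefix>.cert_alias} selects the client key and is required for client auth.
     *
     * @throws IllegalArgumentException if client auth is enabled without {@code cert_alias}
     * @throws Exception if a store cannot be read
     */
    private void initFromKeyStore() throws Exception {
        KeyStore truststore = PemKeyReader.loadKeyStore(
                PemKeyReader.resolve("searchguard.ssl.transport.truststore_filepath", this.settings, this.configPath, true),
                this.settings.get("searchguard.ssl.transport.truststore_password", "changeit"),
                this.settings.get("searchguard.ssl.transport.truststore_type"));
        KeyStore keystore = PemKeyReader.loadKeyStore(
                PemKeyReader.resolve("searchguard.ssl.transport.keystore_filepath", this.settings, this.configPath, this.enableSslClientAuth),
                this.settings.get("searchguard.ssl.transport.keystore_password", "changeit"),
                this.settings.get("searchguard.ssl.transport.keystore_type"));

        // "changeit" mirrors the JDK store default; an explicit keystore_password should be set in production.
        String keystorePassword = this.settings.get("searchguard.ssl.transport.keystore_password", "changeit");
        this.effectiveKeyPassword = (keystorePassword == null || keystorePassword.isEmpty()) ? null : keystorePassword.toCharArray();
        this.effectiveKeyAlias = getSetting(CERT_ALIAS);
        if (this.enableSslClientAuth && this.effectiveKeyAlias == null) {
            throw new IllegalArgumentException(this.settingsKeyPrefix + CERT_ALIAS + " not given");
        }
        this.effectiveTruststore = truststore;
        this.effectiveKeystore = keystore;
    }

    /** @return the raw value of {@code <prefix>key}, or {@code null} when absent */
    private String getSetting(String key) {
        return this.settings.get(this.settingsKeyPrefix + key);
    }

    private Boolean getSettingAsBoolean(String key, Boolean defaultValue) {
        return this.settings.getAsBoolean(this.settingsKeyPrefix + key, defaultValue);
    }

    private List<String> getSettingAsList(String key, List<String> defaultValue) {
        return this.settings.getAsList(this.settingsKeyPrefix + key, defaultValue);
    }

    /** @return the list setting as an array, or {@code null} when neither the setting nor a default is present */
    private String[] getSettingAsArray(String key, List<String> defaultValue) {
        List<String> values = getSettingAsList(key, defaultValue);
        return values == null ? null : values.toArray(new String[0]);
    }

    /** Normalizes the prefix to either the empty string or a string ending in a dot. */
    private static String normalizeSettingsKeyPrefix(String prefix) {
        if (prefix == null || prefix.isEmpty()) {
            return "";
        }
        return prefix.endsWith(".") ? prefix : prefix + ".";
    }
}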
