package dev.sigstore.tuf;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.base.Preconditions;
import com.google.protobuf.util.JsonFormat;
import dev.sigstore.proto.trustroot.v1.TrustedRoot;
import dev.sigstore.trustroot.SigstoreTrustedRoot;
import java.io.IOException;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.attribute.FileAttribute;
import java.security.InvalidKeyException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.spec.InvalidKeySpecException;
import java.time.Duration;
import java.time.Instant;

/* loaded from: input_file:dev/sigstore/tuf/SigstoreTufClient.class */
public class SigstoreTufClient {

    @VisibleForTesting
    static final String TRUST_ROOT_FILENAME = "trusted_root.json";
    private final Updater updater;
    private Instant lastUpdate;
    private SigstoreTrustedRoot sigstoreTrustedRoot;
    private final Duration cacheValidity;

    /* loaded from: input_file:dev/sigstore/tuf/SigstoreTufClient$Builder.class */
    public static class Builder {
        Duration cacheValidity = Duration.ofDays(1);
        Path tufCacheLocation = Path.of(System.getProperty("user.home"), new String[0]).resolve(".sigstore-java").resolve("root");
        URL remoteMirror;
        RootProvider trustedRoot;

        public Builder usePublicGoodInstance() {
            if (this.remoteMirror != null || this.trustedRoot != null) {
                throw new IllegalStateException("Using public good after configuring remoteMirror and trustedRoot");
            }
            try {
                tufMirror(new URL("https://tuf-repo-cdn.sigstore.dev"), RootProvider.fromResource("dev/sigstore/tuf/sigstore-tuf-root/root.json"));
                return this;
            } catch (MalformedURLException e) {
                throw new AssertionError(e);
            }
        }

        public Builder useStagingInstance() {
            if (this.remoteMirror != null || this.trustedRoot != null) {
                throw new IllegalStateException("Using staging after configuring remoteMirror and trustedRoot");
            }
            try {
                tufMirror(new URL("https://tuf-repo-cdn.sigstage.dev"), RootProvider.fromResource("dev/sigstore/tuf/tuf-root-staging/root.json"));
                this.tufCacheLocation = Path.of(System.getProperty("user.home"), new String[0]).resolve(".sigstore-java").resolve("staging").resolve("root");
                return this;
            } catch (MalformedURLException e) {
                throw new AssertionError(e);
            }
        }

        public Builder tufMirror(URL url, RootProvider rootProvider) {
            this.remoteMirror = url;
            this.trustedRoot = rootProvider;
            return this;
        }

        public Builder cacheValidity(Duration duration) {
            this.cacheValidity = duration;
            return this;
        }

        public Builder tufCacheLocation(Path path) {
            this.tufCacheLocation = path;
            return this;
        }

        public SigstoreTufClient build() throws IOException {
            Preconditions.checkState(!this.cacheValidity.isNegative(), "cacheValidity must be non negative");
            Preconditions.checkNotNull(this.remoteMirror);
            Preconditions.checkNotNull(this.trustedRoot);
            if (!Files.isDirectory(this.tufCacheLocation, new LinkOption[0])) {
                Files.createDirectories(this.tufCacheLocation, new FileAttribute[0]);
            }
            return new SigstoreTufClient(Updater.builder().setTrustedRootPath(this.trustedRoot).setLocalStore(FileSystemTufStore.newFileSystemStore(this.tufCacheLocation)).setFetcher(HttpMetaFetcher.newFetcher(this.remoteMirror)).build(), this.cacheValidity);
        }
    }

    @VisibleForTesting
    SigstoreTufClient(Updater updater, Duration duration) {
        this.updater = updater;
        this.cacheValidity = duration;
    }

    public static Builder builder() {
        return new Builder();
    }

    public void update() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, CertificateException {
        if (this.lastUpdate == null || Duration.between(this.lastUpdate, Instant.now()).compareTo(this.cacheValidity) > 0) {
            forceUpdate();
        }
    }

    public void forceUpdate() throws IOException, NoSuchAlgorithmException, InvalidKeySpecException, InvalidKeyException, CertificateException {
        this.updater.update();
        this.lastUpdate = Instant.now();
        TrustedRoot.Builder newBuilder = TrustedRoot.newBuilder();
        JsonFormat.parser().merge(new String(this.updater.getLocalStore().getTargetFile(TRUST_ROOT_FILENAME), StandardCharsets.UTF_8), newBuilder);
        this.sigstoreTrustedRoot = SigstoreTrustedRoot.from(newBuilder.m7320build());
    }

    public SigstoreTrustedRoot getSigstoreTrustedRoot() {
        return this.sigstoreTrustedRoot;
    }
}
