package otoroshi.plugins.external;

import akka.actor.ActorRef;
import akka.http.scaladsl.util.FastFuture$;
import java.security.MessageDigest;
import java.security.cert.X509Certificate;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.commons.codec.binary.Hex;
import otoroshi.env.Env;
import otoroshi.events.OtoroshiEvent;
import otoroshi.models.ApiKey;
import otoroshi.models.GlobalConfig;
import otoroshi.models.PrivateAppsUser;
import otoroshi.models.ServiceDescriptor;
import otoroshi.next.plugins.api.NgPluginCategory;
import otoroshi.next.plugins.api.NgPluginCategory$AccessControl$;
import otoroshi.next.plugins.api.NgPluginVisibility;
import otoroshi.next.plugins.api.NgPluginVisibility$NgUserLand$;
import otoroshi.next.plugins.api.NgStep;
import otoroshi.next.plugins.api.NgStep$ValidateAccess$;
import otoroshi.script.Access;
import otoroshi.script.AccessContext;
import otoroshi.script.AccessValidator;
import otoroshi.script.NamedPlugin;
import otoroshi.script.PluginType;
import otoroshi.ssl.SSLImplicits$;
import otoroshi.ssl.SSLImplicits$EnhancedX509Certificate$;
import otoroshi.utils.http.Implicits$;
import otoroshi.utils.http.Implicits$BetterStandaloneWSRequest$;
import otoroshi.utils.http.Implicits$BetterStandaloneWSResponse$;
import play.api.libs.json.JsArray$;
import play.api.libs.json.JsLookup$;
import play.api.libs.json.JsNull$;
import play.api.libs.json.JsObject;
import play.api.libs.json.JsObject$;
import play.api.libs.json.JsReadable;
import play.api.libs.json.JsString;
import play.api.libs.json.JsValue;
import play.api.libs.json.JsValue$;
import play.api.libs.json.Json$;
import play.api.libs.json.Reads$;
import play.api.libs.json.Writes$;
import play.api.libs.ws.package$;
import scala.MatchError;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Predef$ArrowAssoc$;
import scala.Some;
import scala.Tuple2;
import scala.collection.Seq;
import scala.collection.Seq$;
import scala.collection.TraversableLike;
import scala.collection.TraversableOnce;
import scala.collection.immutable.$colon;
import scala.collection.immutable.Nil$;
import scala.collection.immutable.StringOps;
import scala.concurrent.ExecutionContext;
import scala.concurrent.Future;
import scala.concurrent.duration.Duration$;
import scala.reflect.ScalaSignature;
import scala.runtime.BoxedUnit;
import scala.runtime.BoxesRunTime;

/* compiled from: external.scala */
@ScalaSignature(bytes = "\u0006\u0001\u0005]h\u0001B\u000b\u0017\u0001uAQA\u000b\u0001\u0005\u0002-BQA\f\u0001\u0005B=BQa\u000f\u0001\u0005BqBQ\u0001\u0014\u0001\u0005B5CQa\u0014\u0001\u0005BqBQ\u0001\u0015\u0001\u0005\u0002ECQA\u0017\u0001\u0005\u0002mCQ\u0001\u001b\u0001\u0005\u0002%DqA\u001c\u0001C\u0002\u0013%q\u000e\u0003\u0004y\u0001\u0001\u0006I\u0001\u001d\u0005\u0006s\u0002!IA\u001f\u0005\b\u0003\u000b\u0001A\u0011BA\u0004\u0011\u001d\ty\u0001\u0001C\u0005\u0003#Aq!!\u0012\u0001\t\u0013\t9\u0005C\u0004\u0002d\u0001!I!!\u001a\t\u000f\u0005M\u0004\u0001\"\u0003\u0002v!I\u0011\u0011\u0017\u0001\u0012\u0002\u0013%\u00111\u0017\u0005\n\u0003\u0013\u0004\u0011\u0013!C\u0005\u0003\u0017Dq!a4\u0001\t\u0003\t\t\u000eC\u0004\u0002l\u0002!\t%!<\u0003+\u0015CH/\u001a:oC2DE\u000f\u001e9WC2LG-\u0019;pe*\u0011q\u0003G\u0001\tKb$XM\u001d8bY*\u0011\u0011DG\u0001\ba2,x-\u001b8t\u0015\u0005Y\u0012\u0001C8u_J|7\u000f[5\u0004\u0001M\u0019\u0001A\b\u0013\u0011\u0005}\u0011S\"\u0001\u0011\u000b\u0003\u0005\nQa]2bY\u0006L!a\t\u0011\u0003\r\u0005s\u0017PU3g!\t)\u0003&D\u0001'\u0015\t9#$\u0001\u0004tGJL\u0007\u000f^\u0005\u0003S\u0019\u0012q\"Q2dKN\u001ch+\u00197jI\u0006$xN]\u0001\u0007y%t\u0017\u000e\u001e 
\u0015\u00031\u0002\"!\f\u0001\u000e\u0003Y\tAA\\1nKV\t\u0001\u0007\u0005\u00022q9\u0011!G\u000e\t\u0003g\u0001j\u0011\u0001\u000e\u0006\u0003kq\ta\u0001\u0010:p_Rt\u0014BA\u001c!\u0003\u0019\u0001&/\u001a3fM&\u0011\u0011H\u000f\u0002\u0007'R\u0014\u0018N\\4\u000b\u0005]\u0002\u0013!\u00043fM\u0006,H\u000e^\"p]\u001aLw-F\u0001>!\ryb\bQ\u0005\u0003\u007f\u0001\u0012aa\u00149uS>t\u0007CA!K\u001b\u0005\u0011%BA\"E\u0003\u0011Q7o\u001c8\u000b\u0005\u00153\u0015\u0001\u00027jENT!a\u0012%\u0002\u0007\u0005\u0004\u0018NC\u0001J\u0003\u0011\u0001H.Y=\n\u0005-\u0013%\u0001\u0003&t\u001f\nTWm\u0019;\u0002\u0017\u0011,7o\u0019:jaRLwN\\\u000b\u0002\u001dB\u0019qD\u0010\u0019\u0002\u0019\r|gNZ5h'\u000eDW-\\1\u0002\u0015YL7/\u001b2jY&$\u00180F\u0001S!\t\u0019\u0006,D\u0001U\u0015\t9UK\u0003\u0002\u001a-*\u0011qKG\u0001\u0005]\u0016DH/\u0003\u0002Z)\n\u0011bj\u001a)mk\u001eLgNV5tS\nLG.\u001b;z\u0003)\u0019\u0017\r^3h_JLWm]\u000b\u00029B\u0019QLY3\u000f\u0005y\u0003gBA\u001a`\u0013\u0005\t\u0013BA1!\u0003\u001d\u0001\u0018mY6bO\u0016L!a\u00193\u0003\u0007M+\u0017O\u0003\u0002bAA\u00111KZ\u0005\u0003OR\u0013\u0001CT4QYV<\u0017N\\\"bi\u0016<wN]=\u0002\u000bM$X\r]:\u0016\u0003)\u00042!\u00182l!\t\u0019F.\u0003\u0002n)\n1ajZ*uKB\f\u0001\u0002Z5hKN$XM]\u000b\u0002aB\u0011\u0011O^\u0007\u0002e*\u00111\u000f^\u0001\tg\u0016\u001cWO]5us*\tQ/\u0001\u0003kCZ\f\u0017BA<s\u00055iUm]:bO\u0016$\u0015nZ3ti\u0006IA-[4fgR,'\u000fI\u0001\u0013G>l\u0007/\u001e;f\r&tw-\u001a:Qe&tG\u000f\u0006\u00021w\")Ap\u0003a\u0001{\u0006!1-\u001a:u!\rq\u0018\u0011A\u0007\u0002\u007f*\u0011AP]\u0005\u0004\u0003\u0007y(a\u0004-6ae\u001aUM\u001d;jM&\u001c\u0017\r^3\u0002'\r|W\u000e];uK.+\u0017P\u0012:p[\u000eC\u0017-\u001b8\u0015\u0007A\nI\u0001C\u0004\u0002\f1\u0001\r!!\u0004\u0002\u000b\rD\u0017-\u001b8\u0011\u0007u\u0013W0\u0001\nhKRdunY1m-\u0006d\u0017\u000eZ1uS>tG\u0003BA\n\u0003\u0003\"b!!\u0006\u0002*\u0005M\u0002CBA\f\u0003;\t\t#\u0004\u0002\u0002\u001a)\u0019\u00111\u0004\u0011\u0002\u0015\r|gnY;se\u0016tG/\
u0003\u0003\u0002 \u0005e!A\u0002$viV\u0014X\r\u0005\u0003 }\u0005\r\u0002cA\u0010\u0002&%\u0019\u0011q\u0005\u0011\u0003\u000f\t{w\u000e\\3b]\"9\u00111F\u0007A\u0004\u00055\u0012AA3d!\u0011\t9\"a\f\n\t\u0005E\u0012\u0011\u0004\u0002\u0011\u000bb,7-\u001e;j_:\u001cuN\u001c;fqRDq!!\u000e\u000e\u0001\b\t9$A\u0002f]Z\u0004B!!\u000f\u0002>5\u0011\u00111\b\u0006\u0004\u0003kQ\u0012\u0002BA \u0003w\u00111!\u00128w\u0011\u0019\t\u0019%\u0004a\u0001a\u0005\u00191.Z=\u0002-M,GoR8pI2{7-\u00197WC2LG-\u0019;j_:$b!!\u0013\u0002X\u0005eCCBA&\u0003'\n)\u0006\u0005\u0004\u0002\u0018\u0005u\u0011Q\n\t\u0004?\u0005=\u0013bAA)A\t!QK\\5u\u0011\u001d\tYC\u0004a\u0002\u0003[Aq!!\u000e\u000f\u0001\b\t9\u0004\u0003\u0004\u0002D9\u0001\r\u0001\r\u0005\b\u00037r\u0001\u0019AA/\u0003\u001d9wn\u001c3Ui2\u00042aHA0\u0013\r\t\t\u0007\t\u0002\u0005\u0019>tw-A\u000btKR\u0014\u0015\r\u001a'pG\u0006dg+\u00197jI\u0006$\u0018n\u001c8\u0015\r\u0005\u001d\u0014QNA8)\u0019\tY%!\u001b\u0002l!9\u00111F\bA\u0004\u00055\u0002bBA\u001b\u001f\u0001\u000f\u0011q\u0007\u0005\u0007\u0003\u0007z\u0001\u0019\u0001\u0019\t\u000f\u0005Et\u00021\u0001\u0002^\u00051!-\u00193Ui2\f\u0001D^1mS\u0012\fG/Z\"feRLg-[2bi\u0016\u001c\u0005.Y5o)1\t9(! 
\u0002��\u0005=\u00151TAT)\u0019\t)\"!\u001f\u0002|!9\u00111\u0006\tA\u0004\u00055\u0002bBA\u001b!\u0001\u000f\u0011q\u0007\u0005\b\u0003\u0017\u0001\u0002\u0019AA\u0007\u0011\u001d\t\t\t\u0005a\u0001\u0003\u0007\u000bA\u0001Z3tGB!\u0011QQAF\u001b\t\t9IC\u0002\u0002\nj\ta!\\8eK2\u001c\u0018\u0002BAG\u0003\u000f\u0013\u0011cU3sm&\u001cW\rR3tGJL\u0007\u000f^8s\u0011%\t\t\n\u0005I\u0001\u0002\u0004\t\u0019*\u0001\u0004ba&\\W-\u001f\t\u0005?y\n)\n\u0005\u0003\u0002\u0006\u0006]\u0015\u0002BAM\u0003\u000f\u0013a!\u00119j\u0017\u0016L\b\"CAO!A\u0005\t\u0019AAP\u0003\u0011)8/\u001a:\u0011\t}q\u0014\u0011\u0015\t\u0005\u0003\u000b\u000b\u0019+\u0003\u0003\u0002&\u0006\u001d%a\u0004)sSZ\fG/Z!qaN,6/\u001a:\t\u000f\u0005%\u0006\u00031\u0001\u0002,\u0006\u00191MZ4\u0011\u00075\ni+C\u0002\u00020Z\u00111$\u0012=uKJt\u0017\r\u001c%uiB4\u0016\r\\5eCR|'oQ8oM&<\u0017A\t<bY&$\u0017\r^3DKJ$\u0018NZ5dCR,7\t[1j]\u0012\"WMZ1vYR$3'\u0006\u0002\u00026*\"\u00111SA\\W\t\tI\f\u0005\u0003\u0002<\u0006\u0015WBAA_\u0015\u0011\ty,!1\u0002\u0013Ut7\r[3dW\u0016$'bAAbA\u0005Q\u0011M\u001c8pi\u0006$\u0018n\u001c8\n\t\u0005\u001d\u0017Q\u0018\u0002\u0012k:\u001c\u0007.Z2lK\u00124\u0016M]5b]\u000e,\u0017A\t<bY&$\u0017\r^3DKJ$\u0018NZ5dCR,7\t[1j]\u0012\"WMZ1vYR$C'\u0006\u0002\u0002N*\"\u0011qTA\\\u0003q\u0019\u0017M\\!dG\u0016\u001c8oV5uQ\u000ec\u0017.\u001a8u\u0007\u0016\u0014Ho\u00115bS:$\u0002\"a5\u0002\\\u0006u\u0017q\u001d\u000b\u0007\u0003+\f9.!7\u0011\r\u0005]\u0011QDA\u0012\u0011\u001d\t)d\u0005a\u0002\u0003oAq!a\u000b\u0014\u0001\b\ti\u0003C\u0004\u0002\fM\u0001\r!!\u0004\t\u000f\u0005}7\u00031\u0001\u0002b\u000691m\u001c8uKb$\bcA\u0013\u0002d&\u0019\u0011Q\u001d\u0014\u0003\u001b\u0005\u001b7-Z:t\u0007>tG/\u001a=u\u0011\u001d\tIo\u0005a\u0001\u0003W\u000baA^1m\u0007\u001a<\u0017!C2b]\u0006\u001b7-Z:t)\u0011\ty/!>\u0015\r\u0005U\u0017\u0011_Az\u0011\u001d\t)\u0004\u0006a\u0002\u0003oAq!a\u000b\u0015\u0001\b\ti\u0003C\u0004\u0002`R\u0001\r!!9")
/* loaded from: input_file:otoroshi/plugins/external/ExternalHttpValidator.class */
public class ExternalHttpValidator implements AccessValidator {
    // Digest instance created once in the constructor (MessageDigest.getInstance("SHA-1")) and reused by
    // computeFingerPrint for every certificate.
    // NOTE(review): MessageDigest is stateful and not thread-safe. If access checks run concurrently on this
    // plugin instance (not visible here - confirm), interleaved digest() calls can yield wrong fingerprints,
    // and those fingerprints feed both the decision-cache key and the payload sent to the external validator.
    private final MessageDigest digester;
    // Backing field for the InternalEventListener ref accessor/setter pair declared further down.
    private final AtomicReference<ActorRef> otoroshi$script$InternalEventListener$$ref;
    // Backing field for funit(); the constructor sets it to an already-successful Future of BoxedUnit.UNIT.
    private final Future<BoxedUnit> funit;

    // Trait forwarder for pluginType(). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from the interface named on @Override - confirm.
    @Override // otoroshi.script.AccessValidator, otoroshi.script.NamedPlugin
    public PluginType pluginType() {
        PluginType pluginType;
        pluginType = pluginType();
        return pluginType;
    }

    // Trait forwarder for access(...). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the AccessValidator default, which is not shown here - confirm how it
    // turns the boolean from canAccess into an Access result.
    @Override // otoroshi.script.AccessValidator
    public Future<Access> access(AccessContext accessContext, Env env, ExecutionContext executionContext) {
        Future<Access> access;
        access = access(accessContext, env, executionContext);
        return access;
    }

    // Trait forwarder for listening(). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from InternalEventListener - confirm.
    @Override // otoroshi.script.InternalEventListener
    public boolean listening() {
        boolean listening;
        listening = listening();
        return listening;
    }

    // Trait forwarder for onEvent(...). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from InternalEventListener - confirm.
    @Override // otoroshi.script.InternalEventListener
    public void onEvent(OtoroshiEvent otoroshiEvent, Env env) {
        onEvent(otoroshiEvent, env);
    }

    // Trait forwarder for startEvent(...). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from InternalEventListener - confirm.
    @Override // otoroshi.script.InternalEventListener
    public void startEvent(String str, Env env) {
        startEvent(str, env);
    }

    // Trait forwarder for stopEvent(...). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from InternalEventListener - confirm.
    @Override // otoroshi.script.InternalEventListener
    public void stopEvent(Env env) {
        stopEvent(env);
    }

    // Trait forwarder for deprecated(). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from NamedPlugin - confirm.
    @Override // otoroshi.script.NamedPlugin
    public boolean deprecated() {
        boolean deprecated;
        deprecated = deprecated();
        return deprecated;
    }

    // Trait forwarder for core(). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from NamedPlugin - confirm.
    @Override // otoroshi.script.NamedPlugin
    public boolean core() {
        boolean core;
        core = core();
        return core;
    }

    // Trait forwarder for internalName(). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from NamedPlugin - confirm.
    @Override // otoroshi.script.NamedPlugin
    public String internalName() {
        String internalName;
        internalName = internalName();
        return internalName;
    }

    // Trait forwarder for documentation(). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from NamedPlugin - confirm.
    @Override // otoroshi.script.NamedPlugin
    public Option<String> documentation() {
        Option<String> documentation;
        documentation = documentation();
        return documentation;
    }

    // Trait forwarder for configRoot(). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from NamedPlugin - confirm.
    @Override // otoroshi.script.NamedPlugin
    public Option<String> configRoot() {
        Option<String> configRoot;
        configRoot = configRoot();
        return configRoot;
    }

    // Trait forwarder for configFlow(). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from NamedPlugin - confirm.
    @Override // otoroshi.script.NamedPlugin
    public Seq<String> configFlow() {
        Seq<String> configFlow;
        configFlow = configFlow();
        return configFlow;
    }

    // Trait forwarder for jsonDescription(). JADX prints the target as a self-call; read literally it would
    // recurse. Presumably the bytecode invokes the default inherited from NamedPlugin - confirm.
    @Override // otoroshi.script.NamedPlugin
    public JsObject jsonDescription() {
        JsObject jsonDescription;
        jsonDescription = jsonDescription();
        return jsonDescription;
    }

    // Trait forwarder for startWithPluginId(...). JADX prints the target as a self-call; read literally it would
    // recurse. Presumably the bytecode invokes the default inherited from StartableAndStoppable - confirm.
    @Override // otoroshi.script.StartableAndStoppable
    public Future<BoxedUnit> startWithPluginId(String str, Env env) {
        Future<BoxedUnit> startWithPluginId;
        startWithPluginId = startWithPluginId(str, env);
        return startWithPluginId;
    }

    // Trait forwarder for start(...). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from StartableAndStoppable - confirm.
    @Override // otoroshi.script.StartableAndStoppable
    public Future<BoxedUnit> start(Env env) {
        Future<BoxedUnit> start;
        start = start(env);
        return start;
    }

    // Trait forwarder for stop(...). JADX prints the target as a self-call; read literally it would recurse.
    // Presumably the bytecode invokes the default inherited from StartableAndStoppable - confirm.
    @Override // otoroshi.script.StartableAndStoppable
    public Future<BoxedUnit> stop(Env env) {
        Future<BoxedUnit> stop;
        stop = stop(env);
        return stop;
    }

    // Accessor generated for the InternalEventListener trait: returns the AtomicReference<ActorRef> field.
    @Override // otoroshi.script.InternalEventListener
    public AtomicReference<ActorRef> otoroshi$script$InternalEventListener$$ref() {
        return this.otoroshi$script$InternalEventListener$$ref;
    }

    // Setter generated for the InternalEventListener trait; the constructor calls it with a fresh
    // AtomicReference. As Java source, assigning a final field outside the constructor would not compile;
    // this is how the decompiler renders the compiled initialisation.
    @Override // otoroshi.script.InternalEventListener
    public final void otoroshi$script$InternalEventListener$_setter_$otoroshi$script$InternalEventListener$$ref_$eq(AtomicReference<ActorRef> atomicReference) {
        this.otoroshi$script$InternalEventListener$$ref = atomicReference;
    }

    // Accessor generated for the StartableAndStoppable trait: returns the stored Future<BoxedUnit>.
    @Override // otoroshi.script.StartableAndStoppable
    public Future<BoxedUnit> funit() {
        return this.funit;
    }

    // Setter generated for the StartableAndStoppable trait; the constructor calls it with an already-successful
    // future. As Java source, assigning a final field outside the constructor would not compile; this is how
    // the decompiler renders the compiled initialisation.
    @Override // otoroshi.script.StartableAndStoppable
    public void otoroshi$script$StartableAndStoppable$_setter_$funit_$eq(Future<BoxedUnit> future) {
        this.funit = future;
    }

    /** Returns the fixed display name of this plugin. */
    @Override // otoroshi.script.NamedPlugin
    public String name() {
        return "External Http Validator";
    }

    /**
     * Returns the default configuration, a JSON object nested under the {@code "ExternalHttpValidator"} key.
     *
     * Defaults set below: url {@code http://foo.bar}, host {@code api.foo.bar}, goodTtl 600000, badTtl 60000,
     * method POST, path {@code /certificates/_validate}, timeout 10000, noCache false, allowNoClientCert false,
     * empty headers, and an mtlsConfig with certId {@code "..."}, mtls false, loose false.
     *
     * NOTE(review): the placeholder URL uses plain http and mTLS is off by default. The request carries the
     * certificate chain plus API key and user data, so deployments should set an https URL (and mTLS where
     * the validator supports it) rather than keep these defaults.
     */
    @Override // otoroshi.script.NamedPlugin
    public Option<JsObject> defaultConfig() {
        return new Some(Json$.MODULE$.obj(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("ExternalHttpValidator"), Json$.MODULE$.toJsFieldJsValueWrapper(Json$.MODULE$.obj(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("url"), Json$.MODULE$.toJsFieldJsValueWrapper("http://foo.bar", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("host"), Json$.MODULE$.toJsFieldJsValueWrapper("api.foo.bar", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("goodTtl"), Json$.MODULE$.toJsFieldJsValueWrapper(BoxesRunTime.boxToInteger(600000), Writes$.MODULE$.IntWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("badTtl"), Json$.MODULE$.toJsFieldJsValueWrapper(BoxesRunTime.boxToInteger(60000), Writes$.MODULE$.IntWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("method"), Json$.MODULE$.toJsFieldJsValueWrapper("POST", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("path"), Json$.MODULE$.toJsFieldJsValueWrapper("/certificates/_validate", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("timeout"), Json$.MODULE$.toJsFieldJsValueWrapper(BoxesRunTime.boxToInteger(10000), Writes$.MODULE$.IntWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("noCache"), Json$.MODULE$.toJsFieldJsValueWrapper(BoxesRunTime.boxToBoolean(false), Writes$.MODULE$.BooleanWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("allowNoClientCert"), Json$.MODULE$.toJsFieldJsValueWrapper(BoxesRunTime.boxToBoolean(false), Writes$.MODULE$.BooleanWrites())), 
Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("headers"), Json$.MODULE$.toJsFieldJsValueWrapper(Json$.MODULE$.obj(Nil$.MODULE$), JsObject$.MODULE$.writes())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("mtlsConfig"), Json$.MODULE$.toJsFieldJsValueWrapper(Json$.MODULE$.obj(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("certId"), Json$.MODULE$.toJsFieldJsValueWrapper("...", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("mtls"), Json$.MODULE$.toJsFieldJsValueWrapper(BoxesRunTime.boxToBoolean(false), Writes$.MODULE$.BooleanWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("loose"), Json$.MODULE$.toJsFieldJsValueWrapper(BoxesRunTime.boxToBoolean(false), Writes$.MODULE$.BooleanWrites()))})), JsObject$.MODULE$.writes()))})), JsObject$.MODULE$.writes()))})));
    }

    /**
     * Returns the operator-facing help text: a margin-stripped string describing the payload sent to the
     * external service and the accepted configuration keys.
     *
     * NOTE(review): the text is emitted at runtime and is left as compiled. It contains typos
     * ({@code "service": :}, "methode") and gives no explanation for {@code allowNoClientCert}, although
     * that flag decides whether requests without a client certificate are evaluated at all.
     */
    @Override // otoroshi.script.NamedPlugin
    public Option<String> description() {
        return new Some(new StringOps(Predef$.MODULE$.augmentString("Calls an external http service to know if a user has access or not. Uses cache for performances.\n      |\n      |The sent payload is the following:\n      |\n      |```json\n      |{\n      |  \"apikey\": {...},\n      |  \"user\": {...},\n      |  \"service\": : {...},\n      |  \"chain\": \"...\",  // PEM cert chain\n      |  \"fingerprints\": [...]\n      |}\n      |```\n      |\n      |This plugin can accept the following configuration\n      |\n      |```json\n      |{\n      |  \"ExternalHttpValidator\": {\n      |    \"url\": \"...\",                      // url for the http call\n      |    \"host\": \"...\",                     // value of the host header for the call. default is host of the url\n      |    \"goodTtl\": 600000,                 // ttl in ms for a validated call\n      |    \"badTtl\": 60000,                   // ttl in ms for a not validated call\n      |    \"method\": \"POST\",                  // http methode\n      |    \"path\": \"/certificates/_validate\", // http uri path\n      |    \"timeout\": 10000,                  // http call timeout\n      |    \"noCache\": false,                  // use cache or not\n      |    \"allowNoClientCert\": false,        //\n      |    \"headers\": {},                      // headers for the http call if needed\n      |    \"mtlsConfig\": {\n      |      \"certId\": \"xxxxx\",\n      |       \"mtls\": false,\n      |       \"loose\": false\n      |    }\n      |  }\n      |}\n      |```\n    ")).stripMargin());
    }

    /**
     * Extends the configuration schema with a {@code select} field for {@code mtlsConfig.certId}, whose options
     * are loaded from {@code /bo/api/proxy/api/certificates?client=true} and mapped as name to label and id
     * to value.
     *
     * The first statement is a decompiler-rendered self-call; read literally it would recurse. Presumably the
     * bytecode obtains the base schema from the NamedPlugin default - confirm.
     * NOTE(review): the props key is spelled {@code "placeholer"}; if the form renderer expects
     * {@code "placeholder"} (not visible here), the hint text is never shown.
     */
    @Override // otoroshi.script.NamedPlugin
    /* renamed from: configSchema */
    public Option<JsObject> mo650configSchema() {
        Option mo650configSchema;
        mo650configSchema = mo650configSchema();
        return mo650configSchema.map(jsObject -> {
            return jsObject.$plus$plus(Json$.MODULE$.obj(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("mtlsConfig.certId"), Json$.MODULE$.toJsFieldJsValueWrapper(Json$.MODULE$.obj(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("type"), Json$.MODULE$.toJsFieldJsValueWrapper("select", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("props"), Json$.MODULE$.toJsFieldJsValueWrapper(Json$.MODULE$.obj(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("label"), Json$.MODULE$.toJsFieldJsValueWrapper("certId", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("placeholer"), Json$.MODULE$.toJsFieldJsValueWrapper("Client cert used for mTLS call", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("valuesFrom"), Json$.MODULE$.toJsFieldJsValueWrapper("/bo/api/proxy/api/certificates?client=true", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("transformerMapping"), Json$.MODULE$.toJsFieldJsValueWrapper(Json$.MODULE$.obj(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("label"), Json$.MODULE$.toJsFieldJsValueWrapper("name", Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("value"), Json$.MODULE$.toJsFieldJsValueWrapper("id", Writes$.MODULE$.StringWrites()))})), JsObject$.MODULE$.writes()))})), JsObject$.MODULE$.writes()))})), JsObject$.MODULE$.writes()))})));
        });
    }

    /** Returns the plugin visibility, fixed to the {@code NgUserLand} singleton. */
    @Override // otoroshi.script.NamedPlugin
    public NgPluginVisibility visibility() {
        return NgPluginVisibility$NgUserLand$.MODULE$;
    }

    /** Returns a one-element list holding the {@code AccessControl} plugin category. */
    @Override // otoroshi.script.NamedPlugin
    public Seq<NgPluginCategory> categories() {
        return new $colon.colon<>(NgPluginCategory$AccessControl$.MODULE$, Nil$.MODULE$);
    }

    /** Returns a one-element list holding the {@code ValidateAccess} step. */
    @Override // otoroshi.script.NamedPlugin
    public Seq<NgStep> steps() {
        return new $colon.colon<>(NgStep$ValidateAccess$.MODULE$, Nil$.MODULE$);
    }

    // Accessor for the single MessageDigest instance held by this plugin.
    // NOTE(review): every caller receives the same stateful object; MessageDigest is not thread-safe.
    private MessageDigest digester() {
        return this.digester;
    }

    /**
     * Computes a certificate fingerprint: the digest of {@code getEncoded()}, hex-encoded and lower-cased.
     * The digest algorithm is the one chosen in the constructor (SHA-1).
     *
     * NOTE(review): the result is used as part of the decision-cache key and is sent to the external
     * validator. It is produced on the shared, non-thread-safe MessageDigest, and with SHA-1, which is no
     * longer collision resistant. A per-call SHA-256 digest would remove both concerns, provided the
     * validator does not depend on SHA-1 fingerprints - confirm before changing.
     * {@code getEncoded()} declares a checked exception that this decompiled signature does not show.
     */
    /* JADX INFO: Access modifiers changed from: private */
    public String computeFingerPrint(X509Certificate x509Certificate) {
        return Hex.encodeHexString(digester().digest(x509Certificate.getEncoded())).toLowerCase();
    }

    /**
     * Builds the chain part of the cache key: the fingerprint of each certificate, joined with {@code "-"}
     * in chain order. An empty chain therefore yields an empty string.
     */
    private String computeKeyFromChain(Seq<X509Certificate> seq) {
        return ((TraversableOnce) seq.map(x509Certificate -> {
            return this.computeFingerPrint(x509Certificate);
        }, Seq$.MODULE$.canBuildFrom())).mkString("-");
    }

    /**
     * Looks up a previously stored decision for the given key in the client-certificate validation data store.
     * The caller treats the result as an optional boolean: absent means no stored decision.
     */
    private Future<Option<Object>> getLocalValidation(String str, ExecutionContext executionContext, Env env) {
        return env.datastores().clientCertificateValidationDataStore().getValidation(str, executionContext, env);
    }

    /**
     * Stores an approval ({@code true}) for the key in the validation data store, passing {@code j} as the
     * store's third argument (callers pass {@code goodTtl}), and discards the store's boolean result.
     */
    private Future<BoxedUnit> setGoodLocalValidation(String str, long j, ExecutionContext executionContext, Env env) {
        return env.datastores().clientCertificateValidationDataStore().setValidation(str, true, j, executionContext, env).map(obj -> {
            $anonfun$setGoodLocalValidation$1(BoxesRunTime.unboxToBoolean(obj));
            return BoxedUnit.UNIT;
        }, executionContext);
    }

    /**
     * Stores a refusal ({@code false}) for the key in the validation data store, passing {@code j} as the
     * store's third argument (callers pass {@code badTtl}), and discards the store's boolean result.
     */
    private Future<BoxedUnit> setBadLocalValidation(String str, long j, ExecutionContext executionContext, Env env) {
        return env.datastores().clientCertificateValidationDataStore().setValidation(str, false, j, executionContext, env).map(obj -> {
            $anonfun$setBadLocalValidation$1(BoxesRunTime.unboxToBoolean(obj));
            return BoxedUnit.UNIT;
        }, executionContext);
    }

    /**
     * Asks the external HTTP validator whether the caller may access the service.
     *
     * Request, as built below: the URL is {@code url() + path()} from the config, sent through
     * {@code env.MtlsWs()} with the configured mtlsConfig; headers are the configured ones followed by Host,
     * Content-Type and Accept; the JSON body carries {@code apikey} (with {@code clientSecret} removed),
     * {@code user}, a {@code service} summary (id, name, groups, domain, env, subdomain, root, metadata), the
     * PEM {@code chain} joined by newlines, and the {@code fingerprints} array; the timeout is in
     * milliseconds; the proxy is the configured one, else {@code proxies().authority()} of the global config.
     *
     * Response: HTTP 200 is parsed as a JSON object and yields {@code Some(true)} when its string field
     * {@code status} lower-cases to "good", {@code Some(false)} for any other string, and {@code None} when
     * the field is absent or not a string. Any other HTTP status discards the body and yields {@code None}.
     * Failures go to a recover handler defined in a separate class that is not shown here.
     *
     * NOTE(review): the whole {@code privateAppsUser.toJson()} is forwarded; only the API key has its secret
     * stripped. Confirm the user JSON holds no token or session material the validator should not receive.
     * NOTE(review): nothing here requires an https URL, and the shipped default config uses an http:// one,
     * so identity data and the certificate chain leave in clear text unless the operator configures TLS.
     * NOTE(review): a 200 reply whose body is not a JSON object makes the {@code as(...)} read throw;
     * presumably the recover handler maps that to a refusal - confirm.
     */
    private Future<Option<Object>> validateCertificateChain(Seq<X509Certificate> seq, ServiceDescriptor serviceDescriptor, Option<ApiKey> option, Option<PrivateAppsUser> option2, ExternalHttpValidatorConfig externalHttpValidatorConfig, ExecutionContext executionContext, Env env) {
        GlobalConfig latest = env.datastores().globalConfigDataStore().latest(executionContext, env);
        return Implicits$BetterStandaloneWSRequest$.MODULE$.withMaybeProxyServer$extension(Implicits$.MODULE$.BetterStandaloneWSRequest(env.MtlsWs().url(new StringBuilder(0).append(externalHttpValidatorConfig.url()).append(externalHttpValidatorConfig.path()).toString(), externalHttpValidatorConfig.mtlsConfig()).withHttpHeaders((Seq) externalHttpValidatorConfig.headers().toSeq().$plus$plus(new $colon.colon(Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("Host"), externalHttpValidatorConfig.host()), new $colon.colon(Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("Content-Type"), "application/json"), new $colon.colon(Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("Accept"), "application/json"), Nil$.MODULE$))), Seq$.MODULE$.canBuildFrom())).withMethod(externalHttpValidatorConfig.method()).withBody(Json$.MODULE$.obj(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("apikey"), Json$.MODULE$.toJsFieldJsValueWrapper(((JsReadable) option.map(apiKey -> {
            return ((JsObject) apiKey.toJson().as(Reads$.MODULE$.JsObjectReads())).$minus("clientSecret");
        }).getOrElse(() -> {
            return JsNull$.MODULE$;
        })).as(Reads$.MODULE$.JsValueReads()), Writes$.MODULE$.jsValueWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("user"), Json$.MODULE$.toJsFieldJsValueWrapper(((JsReadable) option2.map(privateAppsUser -> {
            return privateAppsUser.toJson();
        }).getOrElse(() -> {
            return JsNull$.MODULE$;
        })).as(Reads$.MODULE$.JsValueReads()), Writes$.MODULE$.jsValueWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("service"), Json$.MODULE$.toJsFieldJsValueWrapper(Json$.MODULE$.obj(Predef$.MODULE$.wrapRefArray(new Tuple2[]{Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("id"), Json$.MODULE$.toJsFieldJsValueWrapper(serviceDescriptor.id(), Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("name"), Json$.MODULE$.toJsFieldJsValueWrapper(serviceDescriptor.name(), Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("groups"), Json$.MODULE$.toJsFieldJsValueWrapper(serviceDescriptor.groups(), Writes$.MODULE$.iterableWrites2(Predef$.MODULE$.$conforms(), Writes$.MODULE$.StringWrites()))), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("domain"), Json$.MODULE$.toJsFieldJsValueWrapper(serviceDescriptor.domain(), Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("env"), Json$.MODULE$.toJsFieldJsValueWrapper(serviceDescriptor.env(), Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("subdomain"), Json$.MODULE$.toJsFieldJsValueWrapper(serviceDescriptor.subdomain(), Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("root"), Json$.MODULE$.toJsFieldJsValueWrapper(serviceDescriptor.root(), Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("metadata"), Json$.MODULE$.toJsFieldJsValueWrapper(serviceDescriptor.metadata(), Writes$.MODULE$.genericMapWrites(Writes$.MODULE$.StringWrites())))})), JsObject$.MODULE$.writes())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("chain"), 
Json$.MODULE$.toJsFieldJsValueWrapper(((TraversableOnce) seq.map(x509Certificate -> {
            return SSLImplicits$EnhancedX509Certificate$.MODULE$.asPem$extension(SSLImplicits$.MODULE$.EnhancedX509Certificate(x509Certificate));
        }, Seq$.MODULE$.canBuildFrom())).mkString("\n"), Writes$.MODULE$.StringWrites())), Predef$ArrowAssoc$.MODULE$.$minus$greater$extension(Predef$.MODULE$.ArrowAssoc("fingerprints"), Json$.MODULE$.toJsFieldJsValueWrapper(JsArray$.MODULE$.apply((Seq) ((TraversableLike) seq.map(x509Certificate2 -> {
            return this.computeFingerPrint(x509Certificate2);
        }, Seq$.MODULE$.canBuildFrom())).map(str -> {
            return new JsString(str);
        }, Seq$.MODULE$.canBuildFrom())), Writes$.MODULE$.jsValueWrites()))})), package$.MODULE$.writeableOf_JsValue()).withRequestTimeout(Duration$.MODULE$.apply(externalHttpValidatorConfig.timeout(), TimeUnit.MILLISECONDS))), externalHttpValidatorConfig.proxy().orElse(() -> {
            return latest.proxies().authority();
        })).execute().map(wSResponse -> {
            switch (wSResponse.status()) {
                case 200:
                    return JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup((JsValue) wSResponse.json().as(Reads$.MODULE$.JsObjectReads())), "status").asOpt(Reads$.MODULE$.StringReads()).map(str2 -> {
                        return BoxesRunTime.boxToBoolean($anonfun$validateCertificateChain$10(str2));
                    });
                default:
                    Implicits$BetterStandaloneWSResponse$.MODULE$.ignore$extension(Implicits$.MODULE$.BetterStandaloneWSResponse(wSResponse), env.otoroshiMaterializer());
                    return None$.MODULE$;
            }
        }, executionContext).recover(new ExternalHttpValidator$$anonfun$validateCertificateChain$11(null), executionContext);
    }

    // Synthetic accessor for the default value of validateCertificateChain's third parameter (the API key): None.
    private Option<ApiKey> validateCertificateChain$default$3() {
        return None$.MODULE$;
    }

    // Synthetic accessor for the default value of validateCertificateChain's fourth parameter (the user): None.
    private Option<PrivateAppsUser> validateCertificateChain$default$4() {
        return None$.MODULE$;
    }

    /**
     * Decides access for a client-certificate chain, using the validation data store as a decision cache
     * unless {@code noCache} is set. The returned future carries a boxed boolean.
     *
     * Cache key: chain fingerprints joined by "-", then "-", then the API key's clientId, else the user's
     * randomId, else the literal "none", then "-" and the service descriptor id.
     * With {@code noCache}: the validator is called every time and {@code None} counts as a refusal.
     * Otherwise: a stored {@code true} or {@code false} is returned as is; on a miss the validator is called,
     * {@code Some(true)} is stored with {@code goodTtl} and allows, while {@code Some(false)} and {@code None}
     * are stored with {@code badTtl} and deny.
     *
     * NOTE(review): a stored approval is served until it expires, so a revocation at the validator is not
     * seen before then; size {@code goodTtl} to the revocation delay that is acceptable.
     * NOTE(review): an unusable validator answer ({@code None}) is stored as a refusal. That fails closed,
     * but a short validator outage keeps denying the affected callers for {@code badTtl}.
     * NOTE(review): for an empty chain the key reduces to identity and service only, and callers with
     * neither API key nor user all share the "none" entry for that service.
     */
    public Future<Object> canAccessWithClientCertChain(Seq<X509Certificate> seq, AccessContext accessContext, ExternalHttpValidatorConfig externalHttpValidatorConfig, Env env, ExecutionContext executionContext) {
        Option<ApiKey> apikey = accessContext.apikey();
        Option<PrivateAppsUser> user = accessContext.user();
        ServiceDescriptor descriptor = accessContext.descriptor();
        // Cache key; the StringBuilder argument is only an initial capacity.
        String sb = new StringBuilder(2).append(computeKeyFromChain(seq)).append("-").append(apikey.map(apiKey -> {
            return apiKey.clientId();
        }).orElse(() -> {
            return user.map(privateAppsUser -> {
                return privateAppsUser.randomId();
            });
        }).getOrElse(() -> {
            return "none";
        })).append("-").append(descriptor.id()).toString();
        return externalHttpValidatorConfig.noCache() ? validateCertificateChain(seq, descriptor, apikey, user, externalHttpValidatorConfig, executionContext, env).map(option -> {
            return BoxesRunTime.boxToBoolean($anonfun$canAccessWithClientCertChain$5(option));
        }, executionContext) : getLocalValidation(sb, executionContext, env).flatMap(option2 -> {
            // Compiled pattern match on the stored decision: Some(true), Some(false), None.
            Future flatMap;
            boolean z = false;
            Some some = null;
            if (option2 instanceof Some) {
                z = true;
                some = (Some) option2;
                if (true == BoxesRunTime.unboxToBoolean(some.value())) {
                    flatMap = (Future) FastFuture$.MODULE$.successful().apply(BoxesRunTime.boxToBoolean(true));
                    return flatMap;
                }
            }
            if (z && false == BoxesRunTime.unboxToBoolean(some.value())) {
                flatMap = (Future) FastFuture$.MODULE$.successful().apply(BoxesRunTime.boxToBoolean(false));
            } else {
                if (!None$.MODULE$.equals(option2)) {
                    throw new MatchError(option2);
                }
                // Nothing stored: ask the validator, then record the outcome before answering.
                // The inner lambda parameter reuses the name option2; that shadowing is a decompiler artifact.
                flatMap = this.validateCertificateChain(seq, descriptor, apikey, user, externalHttpValidatorConfig, executionContext, env).flatMap(option2 -> {
                    Future map;
                    boolean z2 = false;
                    Some some2 = null;
                    if (option2 instanceof Some) {
                        z2 = true;
                        some2 = (Some) option2;
                        if (false == BoxesRunTime.unboxToBoolean(some2.value())) {
                            map = this.setBadLocalValidation(sb, externalHttpValidatorConfig.badTtl(), executionContext, env).map(boxedUnit -> {
                                return BoxesRunTime.boxToBoolean($anonfun$canAccessWithClientCertChain$8(boxedUnit));
                            }, executionContext);
                            return map;
                        }
                    }
                    if (z2 && true == BoxesRunTime.unboxToBoolean(some2.value())) {
                        map = this.setGoodLocalValidation(sb, externalHttpValidatorConfig.goodTtl(), executionContext, env).map(boxedUnit2 -> {
                            return BoxesRunTime.boxToBoolean($anonfun$canAccessWithClientCertChain$9(boxedUnit2));
                        }, executionContext);
                    } else {
                        if (!None$.MODULE$.equals(option2)) {
                            throw new MatchError(option2);
                        }
                        // No usable answer from the validator: recorded and returned as a refusal.
                        map = this.setBadLocalValidation(sb, externalHttpValidatorConfig.badTtl(), executionContext, env).map(boxedUnit3 -> {
                            return BoxesRunTime.boxToBoolean($anonfun$canAccessWithClientCertChain$10(boxedUnit3));
                        }, executionContext);
                    }
                    return map;
                }, executionContext);
            }
            return flatMap;
        }, executionContext);
    }

    /**
     * Entry point of the access check: loads the plugin configuration and dispatches on whether the request
     * carries a client certificate chain.
     *
     * Configuration is read from the {@code "ExternalHttpValidator"} key of {@code accessContext.config()};
     * the {@code orElse} branch repeats that same lookup, and the final fallback is the whole config object.
     * No chain and {@code allowNoClientCert} false: denied immediately, without calling the validator.
     * No chain and {@code allowNoClientCert} true: the check continues with an empty chain.
     * Chain present: the check runs with that chain.
     *
     * NOTE(review): with {@code allowNoClientCert} enabled the decision rests entirely on what the external
     * validator answers for an empty {@code chain} and {@code fingerprints}; the validator must be written
     * to handle that case deliberately.
     */
    @Override // otoroshi.script.AccessValidator
    public Future<Object> canAccess(AccessContext accessContext, Env env, ExecutionContext executionContext) {
        Future<Object> canAccessWithClientCertChain;
        ExternalHttpValidatorConfig externalHttpValidatorConfig = new ExternalHttpValidatorConfig((JsValue) JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(accessContext.config()), "ExternalHttpValidator").asOpt(Reads$.MODULE$.JsValueReads()).orElse(() -> {
            return JsLookup$.MODULE$.$bslash$extension1(JsValue$.MODULE$.jsValueToJsLookup(accessContext.config()), "ExternalHttpValidator").asOpt(Reads$.MODULE$.JsValueReads());
        }).getOrElse(() -> {
            return accessContext.config();
        }));
        // Compiled pattern match on the optional chain: None (denied or empty chain) versus Some(chain).
        boolean z = false;
        Some clientCertificateChain = accessContext.request().clientCertificateChain();
        if (None$.MODULE$.equals(clientCertificateChain)) {
            z = true;
            if (!externalHttpValidatorConfig.allowNoClientCert()) {
                canAccessWithClientCertChain = (Future) FastFuture$.MODULE$.successful().apply(BoxesRunTime.boxToBoolean(false));
                return canAccessWithClientCertChain;
            }
        }
        if (z && externalHttpValidatorConfig.allowNoClientCert()) {
            canAccessWithClientCertChain = canAccessWithClientCertChain((Seq) Nil$.MODULE$, accessContext, externalHttpValidatorConfig, env, executionContext);
        } else {
            if (!(clientCertificateChain instanceof Some)) {
                throw new MatchError(clientCertificateChain);
            }
            canAccessWithClientCertChain = canAccessWithClientCertChain((Seq) clientCertificateChain.value(), accessContext, externalHttpValidatorConfig, env, executionContext);
        }
        return canAccessWithClientCertChain;
    }

    // Synthetic lambda body used by setGoodLocalValidation: receives the store's boolean result and ignores it.
    public static final /* synthetic */ void $anonfun$setGoodLocalValidation$1(boolean z) {
    }

    // Synthetic lambda body used by setBadLocalValidation: receives the store's boolean result and ignores it.
    public static final /* synthetic */ void $anonfun$setBadLocalValidation$1(boolean z) {
    }

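    /**
     * Decides whether the {@code status} string read from the validator's JSON reply grants access.
     *
     * Only the word "good", compared after lower-casing, yields {@code true}. Every other value, the empty
     * string included, is a refusal, so an unexpected reply fails closed.
     *
     * @param str status value; a null reference raises NullPointerException, as in the decompiled original
     * @return {@code true} only when the lower-cased status equals "good"
     */
    public static final /* synthetic */ boolean $anonfun$validateCertificateChain$10(String str) {
        // The decompiler emitted a null-guarded comparison ending in `"good" == 0`, which is not valid Java.
        // toLowerCase() never returns null, so a plain equals() expresses the same check.
        return "good".equals(str.toLowerCase());
    }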

    // Synthetic lambda body for the noCache path: unwraps the validator result. Some(b) gives b, None gives
    // false (refusal), and any other value raises MatchError.
    public static final /* synthetic */ boolean $anonfun$canAccessWithClientCertChain$5(Option option) {
        boolean z;
        if (option instanceof Some) {
            z = BoxesRunTime.unboxToBoolean(((Some) option).value());
        } else {
            if (!None$.MODULE$.equals(option)) {
                throw new MatchError(option);
            }
            z = false;
        }
        return z;
    }

    // Synthetic lambda body: result returned after a refusal has been stored for a Some(false) answer (deny).
    public static final /* synthetic */ boolean $anonfun$canAccessWithClientCertChain$8(BoxedUnit boxedUnit) {
        return false;
    }

    // Synthetic lambda body: result returned after an approval has been stored for a Some(true) answer (allow).
    public static final /* synthetic */ boolean $anonfun$canAccessWithClientCertChain$9(BoxedUnit boxedUnit) {
        return true;
    }

    // Synthetic lambda body: result returned after a refusal has been stored for a None answer (deny).
    public static final /* synthetic */ boolean $anonfun$canAccessWithClientCertChain$10(BoxedUnit boxedUnit) {
        return false;
    }

    /**
     * Initialises the trait-provided state (the completed {@code funit} future, NamedPlugin and
     * AccessValidator initialisers, the event-listener reference) and creates the fingerprint digest.
     *
     * NOTE(review): the digest is SHA-1, which is no longer collision resistant, and its output is part of
     * the key under which access decisions are cached. Prefer SHA-256 if the external validator does not
     * depend on SHA-1 fingerprints - confirm before changing.
     * NOTE(review): one MessageDigest is created per plugin instance and then shared; MessageDigest is not
     * thread-safe. {@code getInstance} also declares a checked exception this decompiled code does not show.
     */
    public ExternalHttpValidator() {
        otoroshi$script$StartableAndStoppable$_setter_$funit_$eq((Future) FastFuture$.MODULE$.successful().apply(BoxedUnit.UNIT));
        NamedPlugin.$init$(this);
        otoroshi$script$InternalEventListener$_setter_$otoroshi$script$InternalEventListener$$ref_$eq(new AtomicReference<>());
        AccessValidator.$init$((AccessValidator) this);
        this.digester = MessageDigest.getInstance("SHA-1");
    }
}
