package io.evitadb.externalApi.grpc.utils;

import io.evitadb.core.Evita;
import io.evitadb.exception.EvitaInternalError;
import io.evitadb.externalApi.certificate.ServerCertificateManager;
import io.evitadb.externalApi.configuration.ApiOptions;
import io.evitadb.externalApi.configuration.CertificatePath;
import io.evitadb.externalApi.configuration.HostDefinition;
import io.evitadb.externalApi.configuration.MtlsConfiguration;
import io.evitadb.externalApi.grpc.configuration.GrpcConfig;
import io.evitadb.externalApi.grpc.services.EvitaService;
import io.evitadb.externalApi.grpc.services.EvitaSessionService;
import io.evitadb.externalApi.grpc.services.interceptors.GlobalExceptionHandlerInterceptor;
import io.evitadb.externalApi.grpc.services.interceptors.ServerSessionInterceptor;
import io.evitadb.utils.CertificateUtils;
import io.grpc.Server;
import io.grpc.TlsServerCredentials;
import io.grpc.netty.NettyServerBuilder;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.net.InetSocketAddress;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import javax.annotation.Nonnull;
import javax.net.ssl.TrustManagerFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/evitadb/externalApi/grpc/utils/GrpcServer.class */
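/**
 * Builds the TLS-protected gRPC {@link Server} that exposes {@link EvitaService} and
 * {@link EvitaSessionService}.
 *
 * <p>The server is only built here, not started; callers obtain it through {@link #getServer()}.
 * When mTLS is enabled in {@link GrpcConfig}, client certificates are required and are verified
 * against a single trust store assembled from every configured trust source.
 */
public class GrpcServer {
    private static final Logger log = LoggerFactory.getLogger(GrpcServer.class);
    private Server server;

    /**
     * Creates the gRPC server instance from the supplied configuration.
     *
     * @param evita      database instance handed to the services and interceptors
     * @param apiOptions API options carrying the server certificate settings
     * @param grpcConfig gRPC-specific settings (listening host, mTLS configuration)
     * @throws EvitaInternalError when the certificate paths or host are missing, or when the
     *                            credentials or the server cannot be built
     */
    public GrpcServer(@Nonnull Evita evita, @Nonnull ApiOptions apiOptions, @Nonnull GrpcConfig grpcConfig) {
        setUpServer(evita, apiOptions, grpcConfig);
    }

    /**
     * Assembles the TLS credentials and builds the Netty-based gRPC server.
     *
     * @throws EvitaInternalError when the certificate paths or host are missing, or when any step
     *                            of the credential / server construction fails
     */
    private void setUpServer(@Nonnull Evita evita, @Nonnull ApiOptions apiOptions, @Nonnull GrpcConfig grpcConfig) {
        HostDefinition[] host = grpcConfig.getHost();
        CertificatePath certificatePath = ServerCertificateManager.getCertificatePath(apiOptions.certificate());
        if (certificatePath.certificate() == null || certificatePath.privateKey() == null) {
            throw new EvitaInternalError("Certificate path is not set.");
        }
        // Fail with a precise message instead of letting an index/null error be reported
        // below as a credentials failure.
        if (host == null || host.length == 0) {
            throw new EvitaInternalError("gRPC host is not configured.");
        }
        try {
            TlsServerCredentials.Builder credentialsBuilder = TlsServerCredentials.newBuilder();
            credentialsBuilder.keyManager(
                new File(certificatePath.certificate()),
                new File(certificatePath.privateKey()),
                certificatePath.privateKeyPassword()
            );
            MtlsConfiguration mtlsConfiguration = grpcConfig.getMtlsConfiguration();
            if (mtlsConfiguration == null || !Boolean.TRUE.equals(mtlsConfiguration.enabled())) {
                // mTLS disabled: a client certificate is requested but not required.
                credentialsBuilder.clientAuth(TlsServerCredentials.ClientAuth.OPTIONAL);
            } else {
                credentialsBuilder.clientAuth(TlsServerCredentials.ClientAuth.REQUIRE);
                configureClientTrust(credentialsBuilder, apiOptions, mtlsConfiguration);
            }
            // Only the first configured host definition is used as the bind address.
            this.server = NettyServerBuilder
                .forAddress(new InetSocketAddress(host[0].host(), host[0].port()), credentialsBuilder.build())
                .intercept(new ServerSessionInterceptor(evita))
                .intercept(new GlobalExceptionHandlerInterceptor())
                .executor(evita.getExecutor())
                .addService(new EvitaService(evita))
                .addService(new EvitaSessionService(evita))
                .build();
        } catch (Exception e) {
            // The exception detail is appended only to the first message; the second stays generic.
            throw new EvitaInternalError("Failed to create gRPC server credentials with provided certificate and private key: " + e.getMessage(), "Failed to create gRPC server credentials with provided certificate and private key.", e);
        }
    }

    /**
     * Installs one trust manager covering every configured client-certificate trust source.
     *
     * <p>{@code TlsServerCredentials.Builder#trustManager} replaces the previously configured
     * trust material on every call, so calling it once per certificate leaves only the last
     * certificate trusted. All sources are therefore collected into one in-memory trust store
     * and handed to the builder in a single call.
     *
     * <p>When no trust source is configured, the builder is left untouched.
     */
    private static void configureClientTrust(
        @Nonnull TlsServerCredentials.Builder credentialsBuilder,
        @Nonnull ApiOptions apiOptions,
        @Nonnull MtlsConfiguration mtlsConfiguration
    ) throws IOException, GeneralSecurityException {
        CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);

        if (apiOptions.certificate().generateAndUseSelfSigned()) {
            File rootCaFile = apiOptions.certificate().getFolderPath()
                .resolve(CertificateUtils.getGeneratedRootCaCertificateFileName())
                .toFile();
            addTrustedCertificates(trustStore, certificateFactory, rootCaFile, false);
        }
        for (String allowedCertificatePath : mtlsConfiguration.allowedClientCertificatePaths()) {
            addTrustedCertificates(trustStore, certificateFactory, new File(allowedCertificatePath), true);
        }

        if (trustStore.size() > 0) {
            TrustManagerFactory trustManagerFactory =
                TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            credentialsBuilder.trustManager(trustManagerFactory.getTrustManagers());
        }
    }

    /**
     * Parses every X.509 certificate in {@code certificateFile} and adds it to {@code trustStore}.
     *
     * @param logFingerprint whether to log the fingerprint of each added certificate
     * @throws CertificateException when the file contains no certificate, so that a misconfigured
     *                              allow-list entry fails start-up instead of being ignored
     */
    private static void addTrustedCertificates(
        @Nonnull KeyStore trustStore,
        @Nonnull CertificateFactory certificateFactory,
        @Nonnull File certificateFile,
        boolean logFingerprint
    ) throws IOException, GeneralSecurityException {
        // try-with-resources closes the stream on the failure path as well.
        try (InputStream certificateStream = new FileInputStream(certificateFile)) {
            int added = 0;
            for (Certificate certificate : certificateFactory.generateCertificates(certificateStream)) {
                trustStore.setCertificateEntry("trusted-" + trustStore.size(), certificate);
                if (logFingerprint) {
                    log.info("Whitelisted client's certificate fingerprint: {}", CertificateUtils.getCertificateFingerprint(certificate));
                }
                added++;
            }
            if (added == 0) {
                throw new CertificateException("No X.509 certificate found in " + certificateFile);
            }
        }
    }

    /**
     * Returns the gRPC server built by the constructor; this class does not start it.
     */
    public Server getServer() {
        return this.server;
    }
}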
