package io.quarkus.tls.cli.letsencrypt;

import io.smallrye.certs.ca.CaGenerator;
import io.vertx.core.Future;
import io.vertx.core.Vertx;
import io.vertx.core.buffer.Buffer;
import io.vertx.ext.web.client.HttpRequest;
import io.vertx.ext.web.client.HttpResponse;
import io.vertx.ext.web.client.WebClient;
import io.vertx.ext.web.client.WebClientOptions;
import java.lang.System;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import java.util.regex.Pattern;
import org.wildfly.common.Assert;
import org.wildfly.security.x500.cert.acme.Acme;
import org.wildfly.security.x500.cert.acme.AcmeAccount;
import org.wildfly.security.x500.cert.acme.AcmeChallenge;
import org.wildfly.security.x500.cert.acme.AcmeClientSpi;
import org.wildfly.security.x500.cert.acme.AcmeException;

/* loaded from: input_file:io/quarkus/tls/cli/letsencrypt/AcmeClient.class */
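/**
 * ACME client that answers HTTP-01 challenges by handing the challenge token and key
 * authorization to a running Quarkus application's management endpoint
 * ({@code /q/lets-encrypt/challenge}) and, once a certificate has been issued, tells that
 * application to pick up the new chain and key ({@code /q/lets-encrypt/certs}).
 *
 * <p>All management calls are blocking: each one is bounded by {@link #AWAIT_TIMEOUT_SECONDS}.
 * The instance owns a Vert.x instance and a {@link WebClient}; call {@link #close()} when done
 * so their threads do not keep the process alive.
 */
public class AcmeClient extends AcmeClientSpi {
    static final System.Logger LOGGER = System.getLogger("lets-encrypt-acme-client");
    /**
     * Only tokens made of the base64url alphabet are ever placed into a management URL, so a
     * malformed token returned by the CA cannot inject path or query syntax.
     */
    private static final String TOKEN_REGEX = "[A-Za-z0-9_-]+";
    private static final Pattern TOKEN_PATTERN = Pattern.compile(TOKEN_REGEX);
    /** Path under which the Quarkus management endpoint exposes the Let's Encrypt resources. */
    private static final String LETS_ENCRYPT_PATH = "/q/lets-encrypt";
    /** Upper bound for one management endpoint round-trip, see {@link #await(Future)}. */
    private static final long AWAIT_TIMEOUT_SECONDS = 30L;
    private static final int NO_CONTENT = 204;

    private final String challengeUrl;
    private final String certsUrl;
    private final WebClientOptions options;
    private final Vertx vertx = Vertx.vertx();
    final String managementUser;
    final String managementPassword;
    final String managementKey;
    private final WebClient managementClient;

    /**
     * Creates a client for the given Quarkus management endpoint.
     *
     * @param managementUrl base URL of the application, either the application root or the
     *        {@code /q/lets-encrypt} path itself; a trailing slash is tolerated
     * @param managementUser basic-auth user for the management endpoint, or {@code null}
     * @param managementPassword basic-auth password for the management endpoint, or {@code null};
     *        credentials are only sent when both user and password are present
     * @param managementKey management key sent as a query parameter, or {@code null} to omit it
     * @throws NullPointerException if {@code managementUrl} is {@code null}
     */
    public AcmeClient(String managementUrl, String managementUser, String managementPassword, String managementKey) {
        Objects.requireNonNull(managementUrl, "managementUrl");
        LOGGER.log(System.Logger.Level.INFO, "�� Creating AcmeClient with {0}", managementUrl);
        this.options = new WebClientOptions();
        if (managementUrl.startsWith("https://")) {
            // NOTE(review): certificate and host-name verification are disabled for every https
            // management URL. The management key and basic-auth credentials added by addKeyAndUser
            // are therefore exposed to anyone who can intercept the connection; this is only
            // acceptable when the endpoint is local/self-signed — confirm the CLI is never pointed
            // at a remote host, or make trust configurable.
            this.options.setSsl(true).setTrustAll(true).setVerifyHost(false);
        }
        this.managementClient = WebClient.create(this.vertx, this.options);
        // A trailing slash would otherwise yield "//" or a duplicated path segment in the URLs.
        String base = managementUrl.endsWith("/")
                ? managementUrl.substring(0, managementUrl.length() - 1)
                : managementUrl;
        String root = base.endsWith(LETS_ENCRYPT_PATH) ? base : base + LETS_ENCRYPT_PATH;
        this.challengeUrl = root + "/challenge";
        this.certsUrl = root + "/certs";
        this.managementUser = managementUser;
        this.managementPassword = managementPassword;
        this.managementKey = managementKey;
    }

    /**
     * Probes the management challenge endpoint with a GET.
     *
     * @return {@code true} when the endpoint answers 200 or 204; {@code false} for any other
     *         status or when the request fails or times out (the reason is logged)
     */
    public boolean checkReadiness() {
        LOGGER.log(System.Logger.Level.INFO, "�� Checking management challenge endpoint status using {0}", this.challengeUrl);
        HttpRequest<Buffer> request = this.managementClient.getAbs(this.challengeUrl);
        addKeyAndUser(request);
        int statusCode;
        try {
            statusCode = await(request.send()).statusCode();
        } catch (RuntimeException e) {
            // await() wraps every failure (including the timeout) in a RuntimeException.
            LOGGER.log(System.Logger.Level.DEBUG, "Failed to check the management challenge endpoint status", e);
            LOGGER.log(System.Logger.Level.ERROR, "⚠️ Quarkus management endpoint is not ready, make sure the Quarkus application is running.");
            return false;
        }
        switch (statusCode) {
            case 200:
            case NO_CONTENT:
                return true;
            case 404:
                LOGGER.log(System.Logger.Level.ERROR, "⚠️ Let's Encrypt challenge endpoint is not found, make sure that the build-time property `quarkus.tls.lets-encrypt.enabled` is set to `true`");
                return false;
            default:
                LOGGER.log(System.Logger.Level.WARNING, "⚠️ Unexpected status code from the management challenge endpoint: " + statusCode);
                return false;
        }
    }

    /**
     * Selects the HTTP-01 challenge and publishes its token and key authorization to the
     * management challenge endpoint so the CA can validate it.
     *
     * @param acmeAccount account the challenge is being proved for
     * @param challenges challenges offered by the CA; the first {@code HTTP_01} one is used
     * @return the selected challenge
     * @throws RuntimeException if no HTTP-01 challenge is offered, the token is malformed, or
     *         the management endpoint does not answer 204
     */
    @Override // org.wildfly.security.x500.cert.acme.AcmeClientSpi
    public AcmeChallenge proveIdentifierControl(AcmeAccount acmeAccount, List<AcmeChallenge> challenges) throws AcmeException {
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        Assert.checkNotNullParam(Acme.CHALLENGES, challenges);
        AcmeChallenge selected = challenges.stream()
                .filter(challenge -> challenge.getType() == AcmeChallenge.Type.HTTP_01)
                .findFirst()
                .orElseThrow(() -> new RuntimeException("Missing certificate authority challenge"));
        LOGGER.log(System.Logger.Level.DEBUG, "HTTP 01 challenge is selected");
        String token = validatedToken(selected);
        LOGGER.log(System.Logger.Level.DEBUG, "Preparing a selected challenge content for token {0}", token);
        String keyAuthorization = selected.getKeyAuthorization(acmeAccount);
        HttpRequest<Buffer> request = this.managementClient.getAbs(this.challengeUrl)
                .addQueryParam("challenge-resource", token)
                .addQueryParam("challenge-content", keyAuthorization);
        addKeyAndUser(request);
        LOGGER.log(System.Logger.Level.DEBUG, "Sending token {0} and challenge content to the management challenge endpoint", token);
        HttpResponse<Buffer> response = await(request.send());
        if (response.statusCode() != NO_CONTENT) {
            LOGGER.log(System.Logger.Level.ERROR, "⚠️ Failed to upload challenge content to the management challenge endpoint, status code: " + response.statusCode());
            throw new RuntimeException("Failed to respond to certificate authority challenge");
        }
        LOGGER.log(System.Logger.Level.INFO, "�� Challenge ready for token {0}, waiting for Let's Encrypt to validate...", token);
        return selected;
    }

    /**
     * Asks the management endpoint to drop the published challenge resource.
     *
     * @throws RuntimeException if the token is malformed or the endpoint does not answer 204
     */
    @Override // org.wildfly.security.x500.cert.acme.AcmeClientSpi
    public void cleanupAfterChallenge(AcmeAccount acmeAccount, AcmeChallenge acmeChallenge) throws AcmeException {
        LOGGER.log(System.Logger.Level.INFO, "�� Performing cleanup after the challenge");
        Assert.checkNotNullParam(Acme.ACCOUNT, acmeAccount);
        Assert.checkNotNullParam("challenge", acmeChallenge);
        String token = validatedToken(acmeChallenge);
        LOGGER.log(System.Logger.Level.DEBUG, "Requesting the management challenge endpoint to delete a challenge resource {0}", token);
        sendExpectingNoContent(this.managementClient.deleteAbs(this.challengeUrl),
                "Failed to clear challenge content in the Quarkus management endpoint");
    }

    /**
     * Tells the management endpoint that a new certificate chain and private key are in place.
     *
     * @throws RuntimeException if the endpoint does not answer 204
     */
    public void certificateChainAndKeyAreReady() {
        LOGGER.log(System.Logger.Level.INFO, "�� Notifying management challenge endpoint that a new certificate chain and private key are ready");
        sendExpectingNoContent(this.managementClient.postAbs(this.certsUrl),
                "Failed to notify the Quarkus management endpoint");
    }

    /** Releases the {@link WebClient} and the Vert.x instance created for this client. */
    public void close() {
        this.managementClient.close();
        this.vertx.close();
    }

    /**
     * Returns the challenge token after checking it against {@link #TOKEN_REGEX}.
     *
     * @throws RuntimeException if the token contains characters outside the base64url alphabet
     */
    private static String validatedToken(AcmeChallenge challenge) {
        String token = challenge.getToken();
        if (!TOKEN_PATTERN.matcher(token).matches()) {
            throw new RuntimeException("Invalid certificate authority challenge");
        }
        return token;
    }

    /** Adds the management credentials, sends the request and requires a 204 reply. */
    private void sendExpectingNoContent(HttpRequest<Buffer> request, String failureMessage) {
        addKeyAndUser(request);
        if (await(request.send()).statusCode() != NO_CONTENT) {
            throw new RuntimeException(failureMessage);
        }
    }

    /**
     * Attaches the management key (as a query parameter) and, when both user and password are
     * set, basic authentication to the request.
     */
    private void addKeyAndUser(HttpRequest<Buffer> httpRequest) {
        if (this.managementKey != null) {
            // NOTE(review): the key travels in the URL, so it ends up in access logs and proxy
            // logs along the way; a request header would keep it out of them — confirm what the
            // management endpoint accepts before changing this.
            httpRequest.addQueryParam(CaGenerator.KEYSTORE_KEY_ENTRY, this.managementKey);
        }
        if (this.managementUser != null && this.managementPassword != null) {
            httpRequest.basicAuthentication(this.managementUser, this.managementPassword);
        }
    }

    /**
     * Blocks on a Vert.x future for at most {@link #AWAIT_TIMEOUT_SECONDS}.
     *
     * @throws RuntimeException wrapping the failure, timeout or interruption; on interruption the
     *         thread's interrupt flag is restored so callers up the stack can still observe it
     */
    private <T> T await(Future<T> future) {
        try {
            return future.toCompletionStage().toCompletableFuture().get(AWAIT_TIMEOUT_SECONDS, TimeUnit.SECONDS);
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new RuntimeException(e);
        } catch (Exception e) {
            throw new RuntimeException(e);
        }
    }
}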
