package io.quarkus.vault.runtime.client;

import io.quarkus.vault.VaultException;
import io.quarkus.vault.runtime.config.VaultAuthenticationType;
import io.quarkus.vault.runtime.config.VaultRuntimeConfig;
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.cert.X509Certificate;
import javax.net.ssl.TrustManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.OkHttpClient;
import org.jboss.logging.Logger;

/* loaded from: input_file:io/quarkus/vault/runtime/client/OkHttpClientFactory.class */
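public class OkHttpClientFactory {
    private static final Logger log = Logger.getLogger(OkHttpClientFactory.class.getName());

    /**
     * Trust manager that accepts every certificate chain without validation.
     * <p>
     * Installed only by {@link #skipVerify(OkHttpClient.Builder)} when {@code tls.skipVerify}
     * is enabled. Together with the permissive hostname verifier installed in the same place it
     * removes server authentication from the TLS handshake, so the client cannot distinguish the
     * real Vault endpoint from an interposed one. Suitable for development setups only.
     */
    public static class TrustAllTrustManager implements X509TrustManager {
        TrustAllTrustManager() {
        }

        /** Accepts any client chain; never throws. */
        @Override // javax.net.ssl.X509TrustManager
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) {
            // intentionally empty: no validation is performed
        }

        /** Accepts any server chain; never throws. */
        @Override // javax.net.ssl.X509TrustManager
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) {
            // intentionally empty: no validation is performed
        }

        /** Advertises no issuers; returns an empty array, never {@code null}. */
        @Override // javax.net.ssl.X509TrustManager
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }
    }

    /**
     * Builds the OkHttp client used to talk to Vault.
     * <p>
     * Applies the configured connect and read timeouts, then configures TLS trust with the
     * following precedence (first match wins):
     * <ol>
     *   <li>{@code tls.skipVerify} - certificate and hostname checks are disabled entirely;</li>
     *   <li>{@code tls.caCert} - trust managers are built from the configured CA by
     *       {@code CertificateHelper.createTrustManagers};</li>
     *   <li>Kubernetes authentication with {@code tls.useKubernetesCaCert} - trust managers are
     *       built from {@link VaultRuntimeConfig#KUBERNETES_CACERT};</li>
     *   <li>otherwise the builder is left with its default TLS settings.</li>
     * </ol>
     *
     * @param vaultRuntimeConfig the Vault runtime configuration
     * @return a fully configured client
     * @throws VaultException if the trust material cannot be read or the SSL context cannot be
     *         created (wraps the underlying {@link IOException} or
     *         {@link GeneralSecurityException})
     */
    public static OkHttpClient createHttpClient(VaultRuntimeConfig vaultRuntimeConfig) {
        OkHttpClient.Builder builder = new OkHttpClient.Builder()
                .connectTimeout(vaultRuntimeConfig.connectTimeout)
                .readTimeout(vaultRuntimeConfig.readTimeout);
        try {
            boolean kubernetesCaCert = vaultRuntimeConfig.getAuthenticationType() == VaultAuthenticationType.KUBERNETES
                    && vaultRuntimeConfig.tls.useKubernetesCaCert;
            if (vaultRuntimeConfig.tls.skipVerify) {
                skipVerify(builder);
            } else if (vaultRuntimeConfig.tls.caCert.isPresent()) {
                cacert(builder, vaultRuntimeConfig.tls.caCert.get());
            } else if (kubernetesCaCert) {
                cacert(builder, VaultRuntimeConfig.KUBERNETES_CACERT);
            }
            return builder.build();
        } catch (IOException | GeneralSecurityException e) {
            throw new VaultException(e);
        }
    }

    /**
     * Configures the builder to trust only the given CA material.
     *
     * @param builder the client builder to configure
     * @param caCert the CA certificate reference handed to {@code CertificateHelper.createTrustManagers}
     * @throws GeneralSecurityException if the trust managers or SSL context cannot be created
     * @throws IOException if the CA material cannot be read
     */
    private static void cacert(OkHttpClient.Builder builder, String caCert) throws GeneralSecurityException, IOException {
        log.debug("create SSLSocketFactory with tls " + caCert);
        sslSocketFactory(builder, CertificateHelper.createTrustManagers(caCert));
    }

    /**
     * Disables server authentication on the builder: every hostname is accepted and every
     * certificate chain is trusted via {@link TrustAllTrustManager}.
     *
     * @param builder the client builder to configure
     * @throws GeneralSecurityException if the SSL context cannot be created
     */
    private static void skipVerify(OkHttpClient.Builder builder) throws GeneralSecurityException {
        log.debug("create SSLSocketFactory with tls.skip-verify");
        // hostname verification is bypassed unconditionally; pairs with the trust-all manager below
        builder.hostnameVerifier((hostname, session) -> true);
        sslSocketFactory(builder, new TrustManager[] { new TrustAllTrustManager() });
    }

    /**
     * Installs an SSL socket factory built from the given trust managers.
     * <p>
     * OkHttp requires the {@link X509TrustManager} backing the socket factory, which this code
     * takes to be the first element of the array. The guard turns an unexpected helper result
     * into a {@link GeneralSecurityException} (already wrapped by the caller) instead of an
     * {@code ArrayIndexOutOfBoundsException} or {@code ClassCastException}.
     *
     * @param builder the client builder to configure
     * @param trustManagerArr trust managers; the first must be an {@link X509TrustManager}
     * @throws GeneralSecurityException if the array has no leading X509 trust manager or the
     *         SSL context cannot be created
     */
    private static void sslSocketFactory(OkHttpClient.Builder builder, TrustManager[] trustManagerArr) throws GeneralSecurityException {
        if (trustManagerArr == null || trustManagerArr.length == 0
                || !(trustManagerArr[0] instanceof X509TrustManager)) {
            String found = trustManagerArr == null || trustManagerArr.length == 0
                    ? "none"
                    : trustManagerArr[0].getClass().getName();
            throw new GeneralSecurityException(
                    "expected an X509TrustManager as the first trust manager, found " + found);
        }
        X509TrustManager trustManager = (X509TrustManager) trustManagerArr[0];
        builder.sslSocketFactory(CertificateHelper.createSslContext(trustManagerArr).getSocketFactory(), trustManager);
    }
}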
