package skuber.api.security;

import java.security.KeyStore;
import java.security.SecureRandom;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import scala.None$;
import scala.Option;
import scala.Predef$;
import scala.Some;
import scala.collection.immutable.StringOps;
import scala.collection.mutable.StringBuilder;
import scala.util.Either;
import scala.util.matching.Regex;
import skuber.api.client.Cpackage;

/* compiled from: TLS.scala */
/* loaded from: input_file:skuber/api/security/TLS$.class */
/**
 * Decompiled singleton holder for the Scala object {@code TLS} (see the "compiled from: TLS.scala"
 * marker above). It derives the {@link SSLContext} used to talk to a Kubernetes API server from a
 * client {@code Context}: the URL scheme decides whether TLS is used at all, the cluster settings
 * decide how the server certificate is checked, and the auth info decides whether a client
 * certificate is presented.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>An {@code http:} server URL yields no SSLContext at all (see {@link #establishSSLContext}).</li>
 *   <li>{@code insecureSkipTLSVerify} takes precedence over any configured certificate authority
 *       (see {@code getTrustManagers}).</li>
 *   <li>With neither the skip flag nor a certificate authority set, {@code null} trust managers are
 *       passed to {@code SSLContext.init}, which makes JSSE fall back to the provider's default
 *       trust manager implementation.</li>
 *   <li>The key manager is initialised with the fixed password literal {@code "changeit"}.</li>
 * </ul>
 *
 * <p>This is decompiler output, not hand-written Java: {@code MODULE$} is shown as a {@code final}
 * field initialised to {@code null} yet assigned in the constructor, and {@code Some}-typed locals
 * receive {@code None$.MODULE$}. Read it as a description of the bytecode.
 */
public final class TLS$ {
    // Scala singleton instance; assigned by the private constructor, which the static block runs.
    public static final TLS$ MODULE$ = null;
    // Trust managers used when certificate verification is switched off; populated in the
    // constructor with the single TLS$InsecureSkipTLSVerifyTrustManager$ instance.
    private final TrustManager[] skipTLSTrustManagers;
    // Regex "https:.*" (set in the constructor).
    private final Regex HttpsPattern;
    // Regex "http:.*" (set in the constructor).
    private final Regex HttpPattern;

    static {
        // Instantiating the class once is what publishes MODULE$ (see the constructor).
        new TLS$();
    }

    /**
     * Returns the trust manager array used when the cluster is configured with
     * {@code insecureSkipTLSVerify}.
     *
     * <p>NOTE(review): the element is {@code TLS$InsecureSkipTLSVerifyTrustManager$}, which is not
     * part of this file; by its name it presumably accepts any server certificate - confirm in that
     * class. This accessor is public, so other code can obtain the same trust managers.
     *
     * @return the array held in {@code skipTLSTrustManagers} (the field itself, not a copy)
     */
    public TrustManager[] skipTLSTrustManagers() {
        return this.skipTLSTrustManagers;
    }

    /**
     * Returns the regex {@code "https:.*"} used to recognise TLS server URLs.
     *
     * @return the compiled pattern
     */
    public Regex HttpsPattern() {
        return this.HttpsPattern;
    }

    /**
     * Returns the regex {@code "http:.*"} used to recognise plaintext server URLs.
     *
     * @return the compiled pattern
     */
    public Regex HttpPattern() {
        return this.HttpPattern;
    }

    /**
     * Decides from the cluster's server URL whether an {@link SSLContext} is needed and builds it.
     *
     * <p>Scala's {@code Regex.unapplySeq} only succeeds when the whole string matches, so
     * {@code "http:.*"} does not match an {@code https:} URL (the character after "http" must be
     * ':'). The patterns are case-sensitive as written, so a URL such as {@code HTTPS://...}
     * matches neither and ends in the exception below.
     *
     * @param context client context supplying the cluster (server URL, TLS options) and auth info
     * @return {@code None} for an {@code http:} URL, otherwise {@code Some} of the built context
     * @throws Exception (as rendered by the decompiler; the method declares nothing) when the URL
     *     starts with neither {@code http:} nor {@code https:}
     */
    public Option<SSLContext> establishSSLContext(Cpackage.Context context) {
        Some some;
        String server = context.cluster().server();
        if (!HttpPattern().unapplySeq(server).isEmpty()) {
            // Plaintext URL: no SSLContext is produced, so nothing in this class protects the
            // connection. NOTE(review): the auth info in the context is not consulted here; whether
            // the caller still sends credentials to an http: server has to be checked at the call site.
            some = None$.MODULE$;
        } else {
            if (HttpsPattern().unapplySeq(server).isEmpty()) {
                // Fail closed on an unrecognised scheme. The message echoes the configured server URL.
                throw new Exception(new StringBuilder().append("Kubernetes cluster API server URL does not begin with either http or https : ").append(context.cluster().server()).toString());
            }
            some = new Some(buildSSLContext(context));
        }
        return some;
    }

    /**
     * Builds and initialises the TLS context for an {@code https:} cluster.
     *
     * <p>{@code SSLContext.getInstance("TLS")} leaves the enabled protocol versions and cipher
     * suites to the JVM/provider defaults; nothing here restricts them.
     *
     * @param context client context; its auth info selects the key managers, its cluster settings
     *     select the trust managers
     * @return the initialised context
     */
    private SSLContext buildSSLContext(Cpackage.Context context) {
        SSLContext sSLContext = SSLContext.getInstance("TLS");
        // orNull turns an empty Option into null. For SSLContext.init a null key-manager or
        // trust-manager argument means "use the highest-priority installed provider's default
        // factory", so a cluster with no certificate authority and no skip flag is verified against
        // the default trust managers rather than a cluster-specific CA.
        sSLContext.init((KeyManager[]) getKeyManagers(context.authInfo()).orNull(Predef$.MODULE$.$conforms()), (TrustManager[]) getTrustManagers(context.cluster().insecureSkipTLSVerify(), context.cluster().certificateAuthority()).orNull(Predef$.MODULE$.$conforms()), new SecureRandom());
        return sSLContext;
    }

    /**
     * Selects the trust managers for server certificate checking.
     *
     * <p>When {@code z} is true the configured certificate authority is ignored entirely: the skip
     * flag wins even if a CA is present. Configurations that set {@code insecureSkipTLSVerify}
     * therefore deserve review, since a CA entry alongside it has no effect.
     *
     * @param z the cluster's {@code insecureSkipTLSVerify} flag (see the call in
     *     {@code buildSSLContext})
     * @param option the cluster's certificate authority, if any, as a {@code String} or raw bytes
     * @return the skip-verification trust managers when {@code z} is true; otherwise the CA mapped
     *     through {@code TLS$$anonfun$getTrustManagers$1} (not shown in this file), or an empty
     *     Option when no CA is configured
     */
    private Option<TrustManager[]> getTrustManagers(boolean z, Option<Either<String, byte[]>> option) {
        return z ? new Some(skipTLSTrustManagers()) : option.map(new TLS$$anonfun$getTrustManagers$1());
    }

    /**
     * Builds key managers for client-certificate authentication.
     *
     * @param authInfo the context's auth info; only {@code Cpackage.CertAuth} yields key managers
     * @return {@code Some} of the key managers for {@code CertAuth}, otherwise {@code None}, which
     *     {@code buildSSLContext} turns into a null key-manager argument
     */
    private Option<KeyManager[]> getKeyManagers(Cpackage.AuthInfo authInfo) {
        Some some;
        if (authInfo instanceof Cpackage.CertAuth) {
            Cpackage.CertAuth certAuth = (Cpackage.CertAuth) authInfo;
            Either<String, byte[]> clientCertificate = certAuth.clientCertificate();
            Either<String, byte[]> clientKey = certAuth.clientKey();
            Option<String> user = certAuth.user();
            // The key store entry is named after the user, or a fallback supplied by TLS$$anonfun$1
            // (not shown), and is built by SecurityHelper from the client certificate and key. The
            // fourth argument is createKeyStore's own default value.
            KeyStore createKeyStore = SecurityHelper$.MODULE$.createKeyStore((String) user.getOrElse(new TLS$$anonfun$1()), SecurityHelper$.MODULE$.getCertificates(clientCertificate), SecurityHelper$.MODULE$.getPrivateKey(clientKey), SecurityHelper$.MODULE$.createKeyStore$default$4());
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            // Fixed, publicly known password literal: it provides no confidentiality for the private
            // key, whose protection depends on how the client key material is stored and passed in.
            // NOTE(review): presumably this has to equal createKeyStore's default password argument
            // (createKeyStore$default$4) - confirm in SecurityHelper, and check whether the key
            // store is ever written to disk.
            keyManagerFactory.init(createKeyStore, "changeit".toCharArray());
            some = new Some(keyManagerFactory.getKeyManagers());
        } else {
            // Any other auth type: no client certificate is offered during the TLS handshake.
            some = None$.MODULE$;
        }
        return some;
    }

    /**
     * Initialises the singleton: publishes {@code MODULE$} first, then fills in the
     * skip-verification trust managers and the two URL scheme patterns.
     */
    private TLS$() {
        MODULE$ = this;
        this.skipTLSTrustManagers = new TrustManager[]{TLS$InsecureSkipTLSVerifyTrustManager$.MODULE$};
        this.HttpsPattern = new StringOps(Predef$.MODULE$.augmentString("https:.*")).r();
        this.HttpPattern = new StringOps(Predef$.MODULE$.augmentString("http:.*")).r();
    }
}
