package net.unit8.bouncr.proxy;

import enkan.collection.OptionMap;
import enkan.component.ComponentLifecycle;
import enkan.component.WebServerComponent;
import enkan.exception.MisconfigurationException;
import enkan.exception.UnreachableException;
import io.undertow.Handlers;
import io.undertow.Undertow;
import io.undertow.io.IoCallback;
import io.undertow.io.Sender;
import io.undertow.security.api.AuthenticationMode;
import io.undertow.security.handlers.AuthenticationCallHandler;
import io.undertow.security.handlers.AuthenticationConstraintHandler;
import io.undertow.security.handlers.AuthenticationMechanismsHandler;
import io.undertow.security.handlers.SecurityInitialHandler;
import io.undertow.security.idm.Account;
import io.undertow.security.idm.Credential;
import io.undertow.security.idm.IdentityManager;
import io.undertow.security.idm.X509CertificateCredential;
import io.undertow.security.impl.ClientCertAuthenticationMechanism;
import io.undertow.server.HttpHandler;
import io.undertow.server.HttpServerExchange;
import io.undertow.server.handlers.ResponseCodeHandler;
import io.undertow.server.handlers.proxy.ProxyHandler;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.nio.ByteBuffer;
import java.nio.channels.Channels;
import java.nio.channels.FileChannel;
import java.nio.channels.ReadableByteChannel;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Collections;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import net.unit8.bouncr.component.BouncrConfiguration;
import net.unit8.bouncr.component.RealmCache;
import net.unit8.bouncr.component.StoreProvider;
import net.unit8.bouncr.proxy.cert.ReloadableTrustManager;
import net.unit8.bouncr.sign.JsonWebToken;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.xnio.Options;
import org.xnio.SslClientAuthMode;

/* loaded from: input_file:net/unit8/bouncr/proxy/ReverseProxyComponent.class */
public class ReverseProxyComponent extends WebServerComponent<ReverseProxyComponent> {
    private static final Logger LOG = LoggerFactory.getLogger(ReverseProxyComponent.class);
    private static IoCallback callback = new IoCallback() { // from class: net.unit8.bouncr.proxy.ReverseProxyComponent.1
        public void onComplete(HttpServerExchange httpServerExchange, Sender sender) {
        }

        public void onException(HttpServerExchange httpServerExchange, Sender sender, IOException iOException) {
        }
    };
    private int ioThreads = 4;
    private int maxRequestTime = 30000;
    private boolean rewriteHostHeader = false;
    private boolean reuseXForwarded = true;
    private Undertow server;

    protected ComponentLifecycle<ReverseProxyComponent> lifecycle() {
        return new ComponentLifecycle<ReverseProxyComponent>() { // from class: net.unit8.bouncr.proxy.ReverseProxyComponent.2
            public void start(ReverseProxyComponent reverseProxyComponent) {
                StoreProvider dependency = ReverseProxyComponent.this.getDependency(StoreProvider.class);
                RealmCache dependency2 = ReverseProxyComponent.this.getDependency(RealmCache.class);
                BouncrConfiguration dependency3 = ReverseProxyComponent.this.getDependency(BouncrConfiguration.class);
                JsonWebToken dependency4 = ReverseProxyComponent.this.getDependency(JsonWebToken.class);
                if (ReverseProxyComponent.this.server == null) {
                    OptionMap buildOptionMap = ReverseProxyComponent.this.buildOptionMap();
                    ProxyHandler build = ProxyHandler.builder().setProxyClient(new MultiAppProxyClient(dependency3, dependency.getStore(StoreProvider.StoreType.BOUNCR_TOKEN), dependency2, dependency4)).setMaxRequestTime(ReverseProxyComponent.this.maxRequestTime).setRewriteHostHeader(ReverseProxyComponent.this.rewriteHostHeader).setReuseXForwarded(ReverseProxyComponent.this.reuseXForwarded).setNext(ResponseCodeHandler.HANDLE_404).build();
                    HealthCheckHandler healthCheckHandler = new HealthCheckHandler();
                    CacheRefreshHandler cacheRefreshHandler = new CacheRefreshHandler(dependency2);
                    Undertow.Builder handler = Undertow.builder().setHandler(ReverseProxyComponent.this.addSecurity(Handlers.path().addPrefixPath("/_healthcheck", healthCheckHandler).addPrefixPath("/_refresh", cacheRefreshHandler).addPrefixPath("/", build), new IdentityManager() { // from class: net.unit8.bouncr.proxy.ReverseProxyComponent.2.1
                        public Account verify(Account account) {
                            return account;
                        }

                        public Account verify(String str, Credential credential) {
                            return null;
                        }

                        public Account verify(Credential credential) {
                            if (!(credential instanceof X509CertificateCredential)) {
                                return null;
                            }
                            final X509CertificateCredential x509CertificateCredential = (X509CertificateCredential) credential;
                            return new Account() { // from class: net.unit8.bouncr.proxy.ReverseProxyComponent.2.1.1
                                public Principal getPrincipal() {
                                    return x509CertificateCredential.getCertificate().getSubjectX500Principal();
                                }

                                public Set<String> getRoles() {
                                    return Collections.emptySet();
                                }
                            };
                        }
                    }, buildOptionMap));
                    if (buildOptionMap.getBoolean("http?", true)) {
                        handler.addHttpListener(buildOptionMap.getInt("port"), buildOptionMap.getString("host"));
                    }
                    if (buildOptionMap.getBoolean("ssl?", false)) {
                        handler.addHttpsListener(buildOptionMap.getInt("sslPort"), buildOptionMap.getString("host"), ReverseProxyComponent.this.createSSLContext(buildOptionMap));
                    }
                    if (buildOptionMap.get("truststore") != null) {
                        handler.setSocketOption(Options.SSL_CLIENT_AUTH_MODE, SslClientAuthMode.REQUESTED);
                    }
                    ReverseProxyComponent.this.server = handler.build();
                    ReverseProxyComponent.this.server.start();
                    ReverseProxyComponent.LOG.info("start server {}:{}", buildOptionMap.getString("host"), Integer.valueOf(buildOptionMap.getInt("port")));
                }
            }

            public void stop(ReverseProxyComponent reverseProxyComponent) {
                if (ReverseProxyComponent.this.server != null) {
                    ReverseProxyComponent.this.server.stop();
                    ReverseProxyComponent.this.server = null;
                }
            }
        };
    }

    public void setMaxRequestTime(int i) {
        this.maxRequestTime = i;
    }

    public void setIoThreads(int i) {
        this.ioThreads = i;
    }

    private KeyManager[] getKeyManagers(OptionMap optionMap) throws KeyStoreException, IOException, CertificateException, NoSuchAlgorithmException, UnrecoverableKeyException {
        KeyStore keyStore = (KeyStore) optionMap.get("keystore");
        if (keyStore == null) {
            return null;
        }
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        keyManagerFactory.init(keyStore, optionMap.getString("keystorePassword").toCharArray());
        return keyManagerFactory.getKeyManagers();
    }

    private SSLContext createSSLContext(OptionMap optionMap) {
        try {
            SSLContext sSLContext = SSLContext.getInstance("TLSv1.2");
            ReloadableTrustManager reloadableTrustManager = (ReloadableTrustManager) getDependency(ReloadableTrustManager.class);
            sSLContext.init(getKeyManagers(optionMap), reloadableTrustManager.initialized() ? new TrustManager[]{reloadableTrustManager} : null, null);
            return sSLContext;
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableKeyException | CertificateException e) {
            throw new MisconfigurationException("bouncr.", new Object[]{e});
        }
    }

    private static void setBody(Sender sender, Object obj) throws IOException {
        if (obj == null) {
            return;
        }
        if (obj instanceof String) {
            sender.send((String) obj);
            return;
        }
        if (obj instanceof InputStream) {
            ReadableByteChannel newChannel = Channels.newChannel((InputStream) obj);
            ByteBuffer allocate = ByteBuffer.allocate(4096);
            while (newChannel.read(allocate) > 0) {
                allocate.flip();
                sender.send(allocate, callback);
                allocate.clear();
            }
            sender.close(IoCallback.END_EXCHANGE);
            return;
        }
        if (!(obj instanceof File)) {
            throw new UnreachableException();
        }
        FileInputStream fileInputStream = new FileInputStream((File) obj);
        try {
            FileChannel channel = fileInputStream.getChannel();
            try {
                ByteBuffer allocate2 = ByteBuffer.allocate(4096);
                while (channel.read(allocate2) > 0) {
                    allocate2.flip();
                    sender.send(allocate2, callback);
                    allocate2.clear();
                }
                sender.close(IoCallback.END_EXCHANGE);
                if (channel != null) {
                    channel.close();
                }
                fileInputStream.close();
            } finally {
            }
        } catch (Throwable th) {
            try {
                fileInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private HttpHandler addSecurity(HttpHandler httpHandler, IdentityManager identityManager, OptionMap optionMap) {
        HttpHandler httpHandler2 = httpHandler;
        if (((KeyStore) optionMap.get("truststore")) != null) {
            httpHandler2 = new SecurityInitialHandler(AuthenticationMode.PRO_ACTIVE, identityManager, new AuthenticationMechanismsHandler(new AuthenticationConstraintHandler(new AuthenticationCallHandler(httpHandler2)) { // from class: net.unit8.bouncr.proxy.ReverseProxyComponent.3
                protected boolean isAuthenticationRequired(HttpServerExchange httpServerExchange) {
                    return false;
                }
            }, Collections.singletonList(new ClientCertAuthenticationMechanism("Bouncr"))));
        }
        return httpHandler2;
    }
}
