package org.apereo.cas.acme;

import java.io.File;
import java.io.FileReader;
import java.io.FileWriter;
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.security.KeyPair;
import java.util.Collection;
import java.util.Objects;
import java.util.function.Supplier;
import lombok.Generated;
import org.apereo.cas.configuration.CasConfigurationProperties;
import org.apereo.cas.configuration.model.support.acme.AcmeProperties;
import org.apereo.cas.configuration.support.Beans;
import org.jooq.lambda.Unchecked;
import org.shredzone.acme4j.Account;
import org.shredzone.acme4j.AccountBuilder;
import org.shredzone.acme4j.AcmeJsonResource;
import org.shredzone.acme4j.Authorization;
import org.shredzone.acme4j.Certificate;
import org.shredzone.acme4j.Order;
import org.shredzone.acme4j.Session;
import org.shredzone.acme4j.Status;
import org.shredzone.acme4j.challenge.Challenge;
import org.shredzone.acme4j.challenge.Http01Challenge;
import org.shredzone.acme4j.exception.AcmeException;
import org.shredzone.acme4j.util.CSRBuilder;
import org.shredzone.acme4j.util.KeyPairUtils;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/apereo/cas/acme/DefaultAcmeCertificateManager.class */
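/**
 * Default {@link AcmeCertificateManager} built on acme4j.
 * <p>
 * The flow implemented here is: load (or create and persist) the account and domain key pairs,
 * build and sign a CSR for the requested domains, register an account with the configured ACME
 * server, place an order, satisfy each authorization through an HTTP-01 challenge, poll until the
 * order is valid, and finally write the issued certificate chain to disk.
 * <p>
 * Key material is written in plain PEM form through {@link FileWriter}; nothing in this class
 * restricts the permissions of those files, so the deployment must protect the configured
 * locations (the account key in particular is the only credential for the ACME account).
 */
public class DefaultAcmeCertificateManager implements AcmeCertificateManager {

    @Generated
    private static final Logger LOGGER = LoggerFactory.getLogger(DefaultAcmeCertificateManager.class);

    /** Holds HTTP-01 challenge tokens so the web tier can answer the CA's validation request. */
    private final AcmeChallengeRepository acmeChallengeRepository;

    private final CasConfigurationProperties casProperties;

    /** Locates the HTTP-01 challenge for an authorization and finalizes orders. */
    private final AcmeAuthorizationExecutor locator;

    /**
     * Registers an ACME account bound to the given key pair, agreeing to the server's terms of
     * service unconditionally.
     * <p>
     * Despite the name, the visible code always calls {@code create}; whether acme4j returns an
     * already-registered account for a known key is not checked here — confirm against the
     * acme4j {@link AccountBuilder} contract if account reuse matters.
     *
     * @param session the ACME session for the configured server
     * @param keyPair the account key pair
     * @return the registered account
     * @throws AcmeException if the ACME server rejects the registration
     */
    private static Account findOrRegisterAccount(final Session session, final KeyPair keyPair) throws AcmeException {
        LOGGER.debug("Accepted terms of service url: [{}]", session.getMetadata().getTermsOfService());
        final Account account = new AccountBuilder()
            .agreeToTermsOfService()
            .useKeyPair(keyPair)
            .create(session);
        LOGGER.info("Registered new user w/ URL: [{}]", account.getLocation());
        return account;
    }

    /**
     * Requests and persists a certificate for the given domains.
     * <p>
     * The CSR is written to the configured CSR location, the certificate chain to the
     * configured chain location. Both writers are closed on every path (including when the
     * write itself fails), which the previous nested try/finally form did not guarantee.
     *
     * @param collection the domain names to include in the certificate
     * @throws Exception on I/O failure, ACME failure, or when the order never becomes valid
     */
    @Override
    public void fetchCertificate(final Collection<String> collection) throws Exception {
        final AcmeProperties acme = this.casProperties.getAcme();
        final KeyPair userKeyPair = loadOrCreateUserKeyPair();
        final KeyPair domainKeyPair = loadOrCreateDomainKeyPair();

        final CSRBuilder csrBuilder = new CSRBuilder();
        csrBuilder.addDomains(collection);
        csrBuilder.sign(domainKeyPair);
        // Close the CSR file before the (potentially slow) network round-trips below.
        try (FileWriter csrWriter = new FileWriter(acme.getDomainCsr().getLocation().getFile(), StandardCharsets.UTF_8)) {
            csrBuilder.write(csrWriter);
        }

        final Account account = findOrRegisterAccount(new Session(acme.getServerUrl()), userKeyPair);
        final Order order = getCertificateOrder(collection, csrBuilder, account);
        fetchStatusAndUpdate(order, order::getStatus);

        // fetchStatusAndUpdate gives up silently after the configured retries; a missing
        // certificate is the observable symptom, so fail with a message instead of a bare NPE.
        final Certificate certificate = Objects.requireNonNull(order.getCertificate(),
            "No certificate was issued for the order; the order did not reach a valid status");
        LOGGER.info("The certificate for domains [{}] has been successfully generated.", collection);
        LOGGER.info("Certificate URL is [{}]", certificate.getLocation());

        try (FileWriter chainWriter = new FileWriter(acme.getDomainChain().getLocation().getFile(), StandardCharsets.UTF_8)) {
            certificate.writeCertificate(chainWriter);
        }
        LOGGER.info("Configure the web server to use [{}] and [{}] for domains [{}]",
            acme.getDomainKey().getLocation(), acme.getDomainChain().getLocation(), acme.getDomains());
    }

    /**
     * Places a new order for the domains, authorizes every identifier, and hands the order to
     * the {@link AcmeAuthorizationExecutor} for finalization.
     *
     * @param collection the domain names
     * @param csrBuilder the signed CSR for those domains
     * @param account    the ACME account placing the order
     * @return the finalized order as returned by the executor
     * @throws Exception if authorization or finalization fails
     */
    private Order getCertificateOrder(final Collection<String> collection, final CSRBuilder csrBuilder,
                                      final Account account) throws Exception {
        final Order order = account.newOrder().domains(collection).create();
        // Unchecked.consumer rethrows the checked exceptions authorize() declares.
        order.getAuthorizations().forEach(Unchecked.consumer(this::authorize));
        return this.locator.execute(order, csrBuilder);
    }

    /**
     * Polls an ACME resource until its status is {@link Status#VALID}, the retry budget is
     * exhausted, or the status becomes {@link Status#INVALID}.
     * <p>
     * Exhausting the retries returns normally (after logging); callers are expected to check
     * the status themselves afterwards.
     *
     * @param resource       the resource to refresh between polls
     * @param statusSupplier yields the resource's current status
     * @throws AcmeException        if the status becomes {@link Status#INVALID}
     * @throws InterruptedException if the polling sleep is interrupted
     * @throws Exception            if {@code resource.update()} fails
     */
    private void fetchStatusAndUpdate(final AcmeJsonResource resource, final Supplier<Status> statusSupplier) throws Exception {
        final AcmeProperties acme = this.casProperties.getAcme();
        int attemptsLeft = acme.getRetryAttempts();
        while (statusSupplier.get() != Status.VALID) {
            if (attemptsLeft-- <= 0) {
                LOGGER.warn("Resource [{}] did not reach status [{}] after [{}] attempt(s); giving up",
                    resource.getLocation(), Status.VALID, acme.getRetryAttempts());
                return;
            }
            if (statusSupplier.get() == Status.INVALID) {
                throw new AcmeException("Order failed");
            }
            Thread.sleep(Beans.newDuration(acme.getRetryInternal()).toMillis());
            resource.update();
        }
    }

    /**
     * Finds the HTTP-01 challenge for an authorization and records its token so the web tier
     * can serve the key authorization when the CA validates the domain.
     *
     * @param authorization the authorization to satisfy
     * @return the HTTP-01 challenge
     * @throws java.util.NoSuchElementException if the executor finds no HTTP-01 challenge
     */
    private Challenge httpChallenge(final Authorization authorization) {
        final Http01Challenge challenge = this.locator.find(authorization).orElseThrow();
        this.acmeChallengeRepository.add(challenge.getToken(), challenge.getAuthorization());
        return challenge;
    }

    /**
     * Satisfies a single authorization: triggers its HTTP-01 challenge (unless already valid),
     * polls until the challenge settles, and fails if it did not become valid.
     *
     * @param authorization the authorization to complete
     * @throws AcmeException if the challenge does not end in {@link Status#VALID}
     * @throws Exception     if polling or triggering fails
     */
    private void authorize(final Authorization authorization) throws Exception {
        final Challenge challenge = httpChallenge(authorization);
        if (challenge.getStatus() == Status.VALID) {
            return;
        }
        challenge.trigger();
        fetchStatusAndUpdate(challenge, challenge::getStatus);
        if (challenge.getStatus() != Status.VALID) {
            throw new AcmeException("Failed to pass the challenge for domain " + authorization.getIdentifier().getDomain());
        }
    }

    /**
     * Loads the domain (certificate) key pair from the configured location, creating it if absent.
     *
     * @return the domain key pair
     * @throws Exception on I/O failure
     */
    private KeyPair loadOrCreateDomainKeyPair() throws Exception {
        return loadOrCreateKeyPair(this.casProperties.getAcme().getDomainKey().getLocation().getFile());
    }

    /**
     * Reads a PEM key pair from {@code file}, or generates one of the configured size and
     * writes it there when the file does not exist.
     * <p>
     * NOTE(review): the file is created with the JVM's default permissions; nothing here
     * narrows them. Confirm the target directory is locked down in deployment.
     *
     * @param file the key file
     * @return the loaded or freshly generated key pair
     * @throws IOException on read or write failure
     */
    private KeyPair loadOrCreateKeyPair(final File file) throws IOException {
        if (file.exists()) {
            try (FileReader reader = new FileReader(file, StandardCharsets.UTF_8)) {
                return KeyPairUtils.readKeyPair(reader);
            }
        }
        final KeyPair keyPair = KeyPairUtils.createKeyPair(this.casProperties.getAcme().getKeySize());
        try (FileWriter writer = new FileWriter(file, StandardCharsets.UTF_8)) {
            KeyPairUtils.writeKeyPair(keyPair, writer);
        }
        return keyPair;
    }

    /**
     * Loads the ACME account key pair from the configured user-key location, creating it if absent.
     *
     * @return the account key pair
     * @throws IOException on I/O failure
     */
    private KeyPair loadOrCreateUserKeyPair() throws IOException {
        final File file = this.casProperties.getAcme().getUserKey().getLocation().getFile();
        LOGGER.info("Locating user keypair [{}]. Keep this key pair in a safe place. In a production, you will not be able to access your account if you lose the key pair.", file);
        return loadOrCreateKeyPair(file);
    }

    @Generated
    public DefaultAcmeCertificateManager(final AcmeChallengeRepository acmeChallengeRepository,
                                         final CasConfigurationProperties casConfigurationProperties,
                                         final AcmeAuthorizationExecutor acmeAuthorizationExecutor) {
        this.acmeChallengeRepository = acmeChallengeRepository;
        this.casProperties = casConfigurationProperties;
        this.locator = acmeAuthorizationExecutor;
    }
}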
