package org.zowe.apiml.security;

import ch.qos.logback.classic.Level;
import com.netflix.discovery.shared.transport.jersey.EurekaJerseyClientImpl;
import java.io.File;
import java.io.IOException;
import java.net.URL;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import lombok.Generated;
import org.apache.commons.configuration.tree.DefaultExpressionEngine;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.HttpClientConnectionManager;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.ssl.PrivateKeyStrategy;
import org.apache.http.ssl.SSLContextBuilder;
import org.apache.http.ssl.SSLContexts;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.zowe.apiml.message.log.ApimlLogger;
import org.zowe.apiml.message.yaml.YamlMessageServiceInstance;
import org.zowe.apiml.security.HttpsConfigError;

/* loaded from: input_file:BOOT-INF/lib/common-service-core-2.13.0.jar:org/zowe/apiml/security/HttpsFactory.class */
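public class HttpsFactory {

    @Generated
    private static final Logger log = LoggerFactory.getLogger(HttpsFactory.class);

    /**
     * Connect/read timeout handed to the Eureka Jersey client builder. The compiled artifact spelled
     * this as {@code ch.qos.logback.classic.Level.TRACE_INT} (== 5000), a decompiler substitution that
     * added a spurious logback dependency; the literal is used here instead. The unit the Eureka
     * builder applies (expected: milliseconds) is not visible in this file — confirm against
     * EurekaJerseyClientBuilder.
     */
    private static final int EUREKA_TIMEOUT = 5000;
    /** Idle timeout for the Eureka client connection pool; unit is defined by the Eureka builder. */
    private static final int EUREKA_CONNECTION_IDLE_TIMEOUT = 10;
    /** Pool size used both as total and per-host limit for the Eureka client. */
    private static final int EUREKA_MAX_CONNECTIONS = 10;

    /** TLS settings (stores, passwords, protocol, verification flags) this factory builds from. */
    private HttpsConfig config;
    /** Populated by {@link #createSecureSslContext()}; {@code null} until that has run. */
    private SSLContext secureSslContext;
    /**
     * The empty in-memory key store created when no key store is configured or when certificate
     * verification is disabled. Stays {@code null} when key material is loaded from a file or keyring.
     */
    private KeyStore usedKeyStore = null;
    private ApimlLogger apimlLog = ApimlLogger.of(HttpsFactory.class, YamlMessageServiceInstance.getInstance());

    /**
     * Creates a factory bound to the given configuration.
     *
     * @param httpsConfig TLS configuration; every other method reads from it
     */
    public HttpsFactory(HttpsConfig httpsConfig) {
        this.config = httpsConfig;
    }

    /**
     * Builds an HTTP client whose timeouts, connection time-to-live and hostname verifier are taken
     * from the configuration.
     *
     * @param httpClientConnectionManager connection manager (and therefore socket factory) to use
     * @return a configured, not yet used client
     */
    public CloseableHttpClient createSecureHttpClient(HttpClientConnectionManager httpClientConnectionManager) {
        // One configured value drives the connect, socket and connection-request timeouts alike.
        int requestTimeout = this.config.getRequestConnectionTimeout();
        RequestConfig requestConfig = RequestConfig.custom()
            .setConnectTimeout(requestTimeout)
            .setSocketTimeout(requestTimeout)
            .setConnectionRequestTimeout(requestTimeout)
            .build();
        return HttpClientBuilder.create()
            .setDefaultRequestConfig(requestConfig)
            // Hostname verification is relaxed under the same flags as certificate verification,
            // see getHostnameVerifier().
            .setSSLHostnameVerifier(getHostnameVerifier())
            .setConnectionTimeToLive(this.config.getTimeToLive(), TimeUnit.MILLISECONDS)
            .setConnectionManager(httpClientConnectionManager)
            .disableCookieManagement()
            // HttpClient uses the user token to refuse reusing a pooled connection for a different
            // user; the token is whatever the caller stored under "my-token" in the context.
            .setUserTokenHandler(httpContext -> httpContext.getAttribute("my-token"))
            .setKeepAliveStrategy(ApimlKeepAliveStrategy.INSTANCE)
            .disableAuthCaching()
            .build();
    }

    /**
     * Returns a TLS socket factory that verifies peers when {@code verifySslCertificatesOfServices}
     * is set, and otherwise one that accepts any certificate and any hostname (logged via the
     * {@code ignoringSsl} message).
     *
     * @return the socket factory matching the configured verification mode
     */
    public ConnectionSocketFactory createSslSocketFactory() {
        if (this.config.isVerifySslCertificatesOfServices()) {
            return getSSLConnectionSocketFactory();
        }
        this.apimlLog.log("org.zowe.apiml.common.ignoringSsl", new Object[0]);
        return createIgnoringSslSocketFactory();
    }

    /** Socket factory that performs neither certificate-chain nor hostname verification. */
    private ConnectionSocketFactory createIgnoringSslSocketFactory() {
        return new SSLConnectionSocketFactory(createIgnoringSslContext(), new NoopHostnameVerifier());
    }

    /**
     * Builds an {@link SSLContext} whose trust strategy accepts every server certificate chain; with
     * the accompanying {@link NoopHostnameVerifier} the client has no way to tell a genuine service
     * from an impersonating one, so this is only for the explicitly non-verifying mode.
     *
     * @return a context trusting all peers, with an empty key store as client key material
     * @throws HttpsConfigError with {@code SSL_CONTEXT_INITIALIZATION_FAILED} if the context cannot be built
     */
    private SSLContext createIgnoringSslContext() {
        try {
            KeyStore emptyKeyStore = newEmptyKeyStore();
            return new SSLContextBuilder()
                // (chain, authType) -> true: no validation of the presented chain at all.
                .loadTrustMaterial((KeyStore) null, (chain, authType) -> true)
                .loadKeyMaterial(emptyKeyStore, null)
                .setProtocol(this.config.getProtocol())
                .build();
        } catch (Exception e) {
            // Boundary catch: any failure is reported and re-raised as a configuration error.
            this.apimlLog.log("org.zowe.apiml.common.errorInitSsl", e.getMessage());
            throw new HttpsConfigError("Error initializing SSL/TLS context: " + e.getMessage(), e,
                HttpsConfigError.ErrorCode.SSL_CONTEXT_INITIALIZATION_FAILED, this.config);
        }
    }

    /**
     * Creates an empty key store of the platform default type and records it in {@link #usedKeyStore}.
     * Shared by the non-verifying context and the "no key store configured" path.
     *
     * @return the freshly created, empty key store
     * @throws KeyStoreException if the default key store type is unavailable
     * @throws NoSuchAlgorithmException if the integrity algorithm is unavailable
     * @throws CertificateException never for an empty store, but declared by {@link KeyStore#load}
     * @throws IOException never for an empty store, but declared by {@link KeyStore#load}
     */
    private KeyStore newEmptyKeyStore() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
        keyStore.load(null, null);
        this.usedKeyStore = keyStore;
        return keyStore;
    }

    /**
     * Loads the configured trust store (file or keyring) into the builder.
     * <p>
     * When no trust store is configured this is an error only if {@code trustStoreRequired} is set;
     * otherwise nothing is loaded and the JVM defaults apply at build time. Note that the password
     * null-check is applied to the file path only: a keyring is loaded with whatever password value
     * the configuration holds.
     *
     * @param sslContextBuilder builder to load the trust material into
     * @throws HttpsConfigError with {@code TRUSTSTORE_NOT_DEFINED} or {@code TRUSTSTORE_PASSWORD_NOT_DEFINED}
     * @throws NoSuchAlgorithmException if the store's algorithm is unavailable
     * @throws KeyStoreException if the store cannot be instantiated
     * @throws CertificateException if a certificate in the store cannot be read
     * @throws IOException if the store cannot be read or the password is wrong
     */
    private void loadTrustMaterial(SSLContextBuilder sslContextBuilder) throws NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException {
        String trustStore = this.config.getTrustStore();
        if (StringUtils.isEmpty(trustStore)) {
            if (this.config.isTrustStoreRequired()) {
                this.apimlLog.log("org.zowe.apiml.common.truststoreNotDefined", new Object[0]);
                throw new HttpsConfigError("server.ssl.trustStore configuration parameter is not defined but trust store is required",
                    HttpsConfigError.ErrorCode.TRUSTSTORE_NOT_DEFINED, this.config);
            }
            log.info("No trust store is defined");
            return;
        }
        sslContextBuilder.setKeyStoreType(this.config.getTrustStoreType()).setProtocol(this.config.getProtocol());
        if (SecurityUtils.isKeyring(trustStore)) {
            log.info("Original truststore keyring URL from configuration: {}", trustStore);
            URL keyRingUrl = SecurityUtils.keyRingUrl(trustStore);
            log.info("Loading trusted certificates from keyring: {}", keyRingUrl);
            sslContextBuilder.loadTrustMaterial(keyRingUrl, this.config.getTrustStorePassword());
            return;
        }
        if (this.config.getTrustStorePassword() == null) {
            this.apimlLog.log("org.zowe.apiml.common.truststorePasswordNotDefined", new Object[0]);
            throw new HttpsConfigError("server.ssl.trustStorePassword configuration parameter is not defined",
                HttpsConfigError.ErrorCode.TRUSTSTORE_PASSWORD_NOT_DEFINED, this.config);
        }
        log.info("Loading trust store file: {}", trustStore);
        sslContextBuilder.loadTrustMaterial(new File(trustStore), this.config.getTrustStorePassword());
    }

    /**
     * Loads the configured key store (file or keyring) into the builder, or an empty key store when
     * none is configured (so the client presents no certificate).
     *
     * @param sslContextBuilder builder to load the key material into
     * @throws HttpsConfigError propagated from {@link #loadKeystoreMaterial}
     * @throws NoSuchAlgorithmException if the store's algorithm is unavailable
     * @throws KeyStoreException if the store cannot be instantiated
     * @throws CertificateException if a certificate in the store cannot be read
     * @throws IOException if the store cannot be read or the password is wrong
     * @throws UnrecoverableKeyException if the key password does not unlock the private key
     */
    private void loadKeyMaterial(SSLContextBuilder sslContextBuilder) throws NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException, UnrecoverableKeyException {
        if (StringUtils.isEmpty(this.config.getKeyStore())) {
            log.info("No keystore is defined and empty will be used.");
            sslContextBuilder.loadKeyMaterial(newEmptyKeyStore(), null);
            return;
        }
        // The store type set here also applies to the builder from now on (trust material was loaded first).
        sslContextBuilder.setKeyStoreType(this.config.getKeyStoreType()).setProtocol(this.config.getProtocol());
        if (SecurityUtils.isKeyring(this.config.getKeyStore())) {
            loadKeyringMaterial(sslContextBuilder);
        } else {
            loadKeystoreMaterial(sslContextBuilder);
        }
    }

    /**
     * Loads key material from a key store file. The empty-path check is defensive: the only caller
     * has already excluded that case.
     *
     * @param sslContextBuilder builder to load the key material into
     * @throws HttpsConfigError with {@code KEYSTORE_NOT_DEFINED} or {@code KEYSTORE_PASSWORD_NOT_DEFINED}
     * @throws UnrecoverableKeyException if the key password does not unlock the private key
     * @throws NoSuchAlgorithmException if the store's algorithm is unavailable
     * @throws KeyStoreException if the store cannot be instantiated
     * @throws CertificateException if a certificate in the store cannot be read
     * @throws IOException if the file cannot be read or the store password is wrong
     */
    private void loadKeystoreMaterial(SSLContextBuilder sslContextBuilder) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException {
        if (StringUtils.isEmpty(this.config.getKeyStore())) {
            this.apimlLog.log("org.zowe.apiml.common.keystoreNotDefined", new Object[0]);
            throw new HttpsConfigError("server.ssl.keyStore configuration parameter is not defined",
                HttpsConfigError.ErrorCode.KEYSTORE_NOT_DEFINED, this.config);
        }
        if (this.config.getKeyStorePassword() == null) {
            this.apimlLog.log("org.zowe.apiml.common.keystorePasswordNotDefined", new Object[0]);
            throw new HttpsConfigError("server.ssl.keyStorePassword configuration parameter is not defined",
                HttpsConfigError.ErrorCode.KEYSTORE_PASSWORD_NOT_DEFINED, this.config);
        }
        log.info("Loading keystore file: {}", this.config.getKeyStore());
        sslContextBuilder.loadKeyMaterial(new File(this.config.getKeyStore()), this.config.getKeyStorePassword(),
            this.config.getKeyPassword(), getPrivateKeyStrategy());
    }

    /**
     * Pins the client certificate to the configured key alias.
     *
     * @return a strategy always choosing {@code keyAlias}, or {@code null} (builder default selection)
     *         when no alias is configured
     */
    private PrivateKeyStrategy getPrivateKeyStrategy() {
        if (this.config.getKeyAlias() == null) {
            return null;
        }
        return (aliases, socket) -> this.config.getKeyAlias();
    }

    /**
     * Loads key material from a keyring URL derived from the configured key store value.
     *
     * @param sslContextBuilder builder to load the key material into
     * @throws UnrecoverableKeyException if the key password does not unlock the private key
     * @throws NoSuchAlgorithmException if the store's algorithm is unavailable
     * @throws KeyStoreException if the store cannot be instantiated
     * @throws CertificateException if a certificate in the keyring cannot be read
     * @throws IOException if the keyring cannot be read
     */
    private void loadKeyringMaterial(SSLContextBuilder sslContextBuilder) throws UnrecoverableKeyException, NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException {
        log.info("Original keyring URL from configuration: {}", this.config.getKeyStore());
        URL keyRingUrl = SecurityUtils.keyRingUrl(this.config.getKeyStore());
        log.info("Loading keyring from updated URL: {}", keyRingUrl);
        sslContextBuilder.loadKeyMaterial(keyRingUrl, this.config.getKeyStorePassword(), this.config.getKeyPassword(),
            getPrivateKeyStrategy());
    }

    /**
     * Builds the verifying {@link SSLContext} from the configured trust and key material and stores it
     * in {@link #secureSslContext}. The field is assigned before {@link #validateSslConfig()} runs, so a
     * context remains visible through {@link #getSecureSslContext()} even if alias validation then fails.
     *
     * @return the newly built context
     * @throws HttpsConfigError with {@code HTTP_CLIENT_INITIALIZATION_FAILED} on any store/context error,
     *         or the more specific code raised by the load/validate helpers
     */
    private synchronized SSLContext createSecureSslContext() {
        log.debug("Protocol: {}", this.config.getProtocol());
        SSLContextBuilder builder = SSLContexts.custom();
        try {
            loadTrustMaterial(builder);
            loadKeyMaterial(builder);
            this.secureSslContext = builder.build();
            validateSslConfig();
            return this.secureSslContext;
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException
                 | UnrecoverableKeyException | CertificateException e) {
            log.error("error", e);
            this.apimlLog.log("org.zowe.apiml.common.sslContextInitializationError", e.getMessage());
            throw new HttpsConfigError("Error initializing SSL Context: " + e.getMessage(), e,
                HttpsConfigError.ErrorCode.HTTP_CLIENT_INITIALIZATION_FAILED, this.config);
        }
    }

    /**
     * Fails fast when a key alias is configured but absent from the key store (which is re-opened via
     * {@link SecurityUtils#loadKeyStore} for this check).
     *
     * @throws HttpsConfigError with {@code WRONG_KEY_ALIAS} if the alias is not in the store
     * @throws KeyStoreException if the store cannot be opened
     * @throws NoSuchAlgorithmException if the store's algorithm is unavailable
     * @throws CertificateException if a certificate in the store cannot be read
     * @throws IOException if the store cannot be read
     */
    private void validateSslConfig() throws KeyStoreException, NoSuchAlgorithmException, CertificateException, IOException {
        String keyAlias = this.config.getKeyAlias();
        if (StringUtils.isEmpty(keyAlias)) {
            return;
        }
        if (SecurityUtils.loadKeyStore(this.config).containsAlias(keyAlias)) {
            return;
        }
        this.apimlLog.log("org.zowe.apiml.common.invalidKeyAlias", keyAlias);
        throw new HttpsConfigError(String.format("Invalid key alias '%s'", keyAlias),
            HttpsConfigError.ErrorCode.WRONG_KEY_ALIAS, this.config);
    }

    /**
     * Verifying socket factory: configured protocols, default cipher suites ({@code null}), and the
     * configured hostname verifier.
     */
    private ConnectionSocketFactory getSSLConnectionSocketFactory() {
        return new SSLConnectionSocketFactory(createSecureSslContext(), this.config.getEnabledProtocols(), (String[]) null,
            getHostnameVerifier());
    }

    /**
     * Returns the verifying or the trust-all context according to {@code verifySslCertificatesOfServices}.
     * Unlike {@link #createSslSocketFactory()}, the non-verifying branch here emits no {@code ignoringSsl}
     * message.
     *
     * @return a freshly built context
     */
    public SSLContext getSslContext() {
        return this.config.isVerifySslCertificatesOfServices() ? createSecureSslContext() : createIgnoringSslContext();
    }

    /**
     * Sets a JVM system property, or clears it when the value is {@code null} so a stale value from an
     * earlier call cannot linger.
     */
    private void setSystemProperty(String key, String value) {
        if (value == null) {
            System.clearProperty(key);
        } else {
            System.setProperty(key, value);
        }
    }

    /**
     * Publishes the configured stores, types and passwords as the standard {@code javax.net.ssl.*} system
     * properties so JVM-default socket factories pick them up.
     * <p>
     * Security note: the store passwords become plain JVM system properties, readable by any code in
     * the process and included in diagnostics that dump system properties; keep this in mind when
     * deciding what else runs in this JVM and what diagnostics are exported.
     */
    public void setSystemSslProperties() {
        setSystemProperty("javax.net.ssl.keyStore", SecurityUtils.formatKeyringUrl(this.config.getKeyStore()));
        setSystemProperty("javax.net.ssl.keyStorePassword", charsToStringOrNull(this.config.getKeyStorePassword()));
        setSystemProperty("javax.net.ssl.keyStoreType", this.config.getKeyStoreType());
        setSystemProperty("javax.net.ssl.trustStore", SecurityUtils.formatKeyringUrl(this.config.getTrustStore()));
        setSystemProperty("javax.net.ssl.trustStorePassword", charsToStringOrNull(this.config.getTrustStorePassword()));
        setSystemProperty("javax.net.ssl.trustStoreType", this.config.getTrustStoreType());
    }

    /** Converts a password array to a String for a system property; {@code null} stays {@code null}. */
    private static String charsToStringOrNull(char[] password) {
        return password == null ? null : String.valueOf(password);
    }

    /**
     * Hostname verification is disabled not only when certificate verification is off but also in the
     * "non-strict" mode, i.e. a certificate may then be issued to a different host than the one contacted.
     *
     * @return a no-op verifier in either relaxed mode, otherwise the HttpClient default verifier
     */
    public HostnameVerifier getHostnameVerifier() {
        boolean relaxed = !this.config.isVerifySslCertificatesOfServices()
            || this.config.isNonStrictVerifySslCertificatesOfServices();
        return relaxed ? new NoopHostnameVerifier() : SSLConnectionSocketFactory.getDefaultHostnameVerifier();
    }

    /**
     * Prepares a Eureka Jersey client builder with fixed pool sizes and timeouts. For an {@code http://}
     * URL only the insecure-HTTP warning is emitted; for anything else the JVM-wide SSL system
     * properties are set (when verifying) and the factory's context and hostname verifier are installed.
     *
     * @param eurekaServerUrl URL whose scheme prefix decides between the plain and TLS setup
     * @param clientName client name passed to the builder
     * @return the prepared builder (not yet built)
     */
    public EurekaJerseyClientImpl.EurekaJerseyClientBuilder createEurekaJerseyClientBuilder(String eurekaServerUrl, String clientName) {
        EurekaJerseyClientImpl.EurekaJerseyClientBuilder builder = new EurekaJerseyClientImpl.EurekaJerseyClientBuilder();
        builder.withClientName(clientName);
        builder.withMaxTotalConnections(EUREKA_MAX_CONNECTIONS);
        builder.withMaxConnectionsPerHost(EUREKA_MAX_CONNECTIONS);
        builder.withConnectionIdleTimeout(EUREKA_CONNECTION_IDLE_TIMEOUT);
        builder.withConnectionTimeout(EUREKA_TIMEOUT);
        builder.withReadTimeout(EUREKA_TIMEOUT);
        if (eurekaServerUrl.startsWith("http://")) {
            this.apimlLog.log("org.zowe.apiml.common.insecureHttpWarning", new Object[0]);
        } else {
            System.setProperty("com.netflix.eureka.shouldSSLConnectionsUseSystemSocketFactory", "true");
            if (this.config.isVerifySslCertificatesOfServices()) {
                setSystemSslProperties();
            }
            builder.withCustomSSL(getSslContext());
            builder.withHostnameVerifier(getHostnameVerifier());
        }
        return builder;
    }

    @Generated
    public HttpsConfig getConfig() {
        return this.config;
    }

    @Generated
    public SSLContext getSecureSslContext() {
        return this.secureSslContext;
    }

    @Generated
    public KeyStore getUsedKeyStore() {
        return this.usedKeyStore;
    }

    @Generated
    public ApimlLogger getApimlLog() {
        return this.apimlLog;
    }

    @Generated
    public void setConfig(HttpsConfig httpsConfig) {
        this.config = httpsConfig;
    }

    @Generated
    public void setSecureSslContext(SSLContext sslContext) {
        this.secureSslContext = sslContext;
    }

    @Generated
    public void setUsedKeyStore(KeyStore keyStore) {
        this.usedKeyStore = keyStore;
    }

    @Generated
    public void setApimlLog(ApimlLogger apimlLogger) {
        this.apimlLog = apimlLogger;
    }

    /** Lombok-style field-wise equality over config, secureSslContext, usedKeyStore and apimlLog. */
    @Generated
    public boolean equals(Object obj) {
        if (obj == this) {
            return true;
        }
        if (!(obj instanceof HttpsFactory)) {
            return false;
        }
        HttpsFactory other = (HttpsFactory) obj;
        if (!other.canEqual(this)) {
            return false;
        }
        return nullSafeEquals(getConfig(), other.getConfig())
            && nullSafeEquals(getSecureSslContext(), other.getSecureSslContext())
            && nullSafeEquals(getUsedKeyStore(), other.getUsedKeyStore())
            && nullSafeEquals(getApimlLog(), other.getApimlLog());
    }

    /** Null-tolerant equals: two nulls are equal, a null and a non-null are not. */
    private static boolean nullSafeEquals(Object left, Object right) {
        return left == null ? right == null : left.equals(right);
    }

    @Generated
    protected boolean canEqual(Object obj) {
        return obj instanceof HttpsFactory;
    }

    /** Lombok-style hash (multiplier 59, null sentinel 43) over the same fields as {@link #equals}. */
    @Generated
    public int hashCode() {
        int result = 1;
        result = result * 59 + hashOrNullSentinel(getConfig());
        result = result * 59 + hashOrNullSentinel(getSecureSslContext());
        result = result * 59 + hashOrNullSentinel(getUsedKeyStore());
        result = result * 59 + hashOrNullSentinel(getApimlLog());
        return result;
    }

    /** Hash contribution of one field, using Lombok's 43 for {@code null}. */
    private static int hashOrNullSentinel(Object value) {
        return value == null ? 43 : value.hashCode();
    }

    /**
     * Lombok-style rendering. The closing parenthesis was spelled as
     * {@code DefaultExpressionEngine.DEFAULT_INDEX_END} in the compiled artifact (decompiler constant
     * substitution); the literal is used here. NOTE(review): this embeds {@code HttpsConfig.toString()};
     * whether that masks the store passwords is not visible in this file — confirm before logging a factory.
     */
    @Generated
    public String toString() {
        return "HttpsFactory(config=" + getConfig()
            + ", secureSslContext=" + getSecureSslContext()
            + ", usedKeyStore=" + getUsedKeyStore()
            + ", apimlLog=" + getApimlLog() + ")";
    }
}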
