package org.cloudfoundry.reactor.util;

import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Collections;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.cloudfoundry.reactor.ProxyConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.io.netty.config.ClientOptions;
import reactor.io.netty.tcp.TcpClient;
import reactor.util.function.Tuple2;
import reactor.util.function.Tuples;

/* loaded from: input_file:org/cloudfoundry/reactor/util/DefaultSslCertificateTruster.class */
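/**
 * Trust-on-first-use {@link SslCertificateTruster}.
 *
 * <p>All {@code X509TrustManager} calls are forwarded to a delegate trust manager. The delegate
 * starts as the one produced by the default {@link TrustManagerFactory} initialised with a
 * {@code null} key store (the JVM's default trust anchors) and is replaced every time
 * {@link #trust(String, int, Duration)} collects a certificate chain that the current delegate
 * rejects.
 *
 * <p><strong>Security notes.</strong>
 * <ul>
 *   <li>{@code trust} accepts whatever chain the endpoint presents during a probe connection.
 *       Nothing in this class authenticates that endpoint (no pinning, fingerprint comparison or
 *       operator confirmation), so the decision is only as good as the network path at the moment
 *       of the call. Use it only where skipping certificate validation is an accepted and
 *       documented risk.</li>
 *   <li>Every certificate of the collected chain is stored as a trusted certificate entry, and the
 *       rebuilt delegate serves <em>all</em> later {@code checkServerTrusted} /
 *       {@code checkClientTrusted} calls. The added trust is therefore not scoped to the
 *       {@code host:port} that triggered it; if the chain contains a CA certificate, certificates
 *       issued by that CA may then validate for other hosts as well.</li>
 *   <li>Entries are never removed for the lifetime of the instance.</li>
 *   <li>The only audit trail is one WARN line naming {@code host:port}.
 *       NOTE(review): consider also logging a SHA-256 fingerprint of each added certificate so
 *       the exact trust-store change can be reconstructed from logs.</li>
 * </ul>
 *
 * <p>The delegate and the set of processed endpoints are held in concurrent containers, and the
 * delegate is replaced with an atomic read-modify-write so that concurrent {@code trust} calls
 * cannot discard each other's additions.
 */
public final class DefaultSslCertificateTruster implements SslCertificateTruster {
    private final Optional<ProxyConfiguration> proxyConfiguration;
    private final Logger logger = LoggerFactory.getLogger("cloudfoundry-client.trust");
    // Current effective trust manager; swapped (never mutated) when new certificates are added.
    private final AtomicReference<X509TrustManager> delegate = new AtomicReference<>(getTrustManager(getTrustManagerFactory(null)));
    // host:port pairs that trust(...) has already processed, so each endpoint is probed once.
    private final Set<Tuple2<String, Integer>> trustedHostsAndPorts = Collections.newSetFromMap(new ConcurrentHashMap<>());

    /**
     * Creates a truster whose probe connections optionally go through an HTTP proxy.
     *
     * @param optional proxy settings used for the probe connection, or empty for a direct connection
     */
    public DefaultSslCertificateTruster(Optional<ProxyConfiguration> optional) {
        this.proxyConfiguration = optional;
    }

    /**
     * Delegates to the current trust manager, which includes every certificate added by
     * {@link #trust(String, int, Duration)}.
     */
    @Override
    public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.delegate.get().checkClientTrusted(x509CertificateArr, str);
    }

    /**
     * Delegates to the current trust manager, which includes every certificate added by
     * {@link #trust(String, int, Duration)} regardless of which endpoint it was collected from.
     */
    @Override
    public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        this.delegate.get().checkServerTrusted(x509CertificateArr, str);
    }

    /** Returns the accepted issuers of the current delegate trust manager. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.delegate.get().getAcceptedIssuers();
    }

    /**
     * Opens a probe connection to {@code str:i}, and if the presented chain is not already
     * trusted, adds every certificate of that chain to the trust store used by this instance.
     * An endpoint that was processed before is skipped without any network access.
     *
     * <p>The endpoint's identity is not verified in any way before its chain is trusted; see the
     * class-level security notes.
     *
     * @param str      host to connect to
     * @param i        port to connect to
     * @param duration maximum time to wait for the probe connection
     * @throws IllegalStateException if no certificate chain could be collected
     */
    @Override
    public void trust(String str, int i, Duration duration) {
        Tuple2<String, Integer> hostAndPort = Tuples.of(str, Integer.valueOf(i));
        if (this.trustedHostsAndPorts.contains(hostAndPort)) {
            return;
        }

        this.logger.warn("Trusting SSL Certificate for {}:{}", str, Integer.valueOf(i));

        // The (blocking) probe runs against a snapshot of the delegate and outside any atomic update.
        X509Certificate[] untrusted = getUntrustedCertificates(duration, str, i, this.proxyConfiguration, this.delegate.get());
        if (untrusted != null) {
            // Merge into whatever delegate is current *now*. A plain get()/set() pair would let two
            // concurrent trust() calls overwrite each other, silently dropping one endpoint's
            // certificates while still recording that endpoint as processed. The update function
            // only builds new objects, so a retry under contention is harmless.
            this.delegate.updateAndGet(current -> getTrustManager(getTrustManagerFactory(addToTrustStore(untrusted, current))));
        }
        this.trustedHostsAndPorts.add(hostAndPort);
    }

    /**
     * Builds a fresh in-memory key store holding the given certificates followed by the accepted
     * issuers of {@code existing}. Entries are aliased with consecutive decimal numbers.
     *
     * <p>Every element of {@code additions} becomes a trusted certificate entry, not only the
     * first one of the chain.
     */
    private static KeyStore addToTrustStore(X509Certificate[] additions, X509TrustManager existing) {
        try {
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null);

            int alias = 0;
            for (X509Certificate certificate : additions) {
                trustStore.setCertificateEntry(String.valueOf(alias++), certificate);
            }
            for (X509Certificate certificate : existing.getAcceptedIssuers()) {
                trustStore.setCertificateEntry(String.valueOf(alias++), certificate);
            }
            return trustStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Creates the TLS client used for the probe connection. The handshake is evaluated by
     * {@code collector} instead of the regular trust manager.
     *
     * @throws IllegalStateException if a proxy is configured without a port
     */
    private static TcpClient getTcpClient(Optional<ProxyConfiguration> proxy, CertificateCollectingTrustManager collector, String host, int port) {
        ClientOptions options = ClientOptions.to(host, port)
            .sslSupport()
            .sslConfigurer(ssl -> ssl.trustManager(new StaticTrustManagerFactory(collector)));

        proxy.ifPresent(config -> {
            // Previously an absent port surfaced as a bare NullPointerException from unboxing.
            int proxyPort = config.getPort().orElseThrow(() -> new IllegalStateException("Proxy port must be configured"));
            options.proxy(ClientOptions.Proxy.HTTP, config.getHost(), proxyPort, config.getUsername().orElse(null),
                ignoredUsername -> config.getPassword().orElse(null));
        });

        return TcpClient.create(options);
    }

    /**
     * Returns the first {@link X509TrustManager} offered by the factory.
     *
     * @throws IllegalStateException if the factory offers none
     */
    private static X509TrustManager getTrustManager(TrustManagerFactory factory) {
        for (TrustManager candidate : factory.getTrustManagers()) {
            if (candidate instanceof X509TrustManager) {
                return (X509TrustManager) candidate;
            }
        }
        throw new IllegalStateException("No X509TrustManager in TrustManagerFactory");
    }

    /**
     * Creates a default-algorithm {@link TrustManagerFactory} backed by {@code keyStore};
     * {@code null} selects the platform's default trust anchors.
     */
    private static TrustManagerFactory getTrustManagerFactory(KeyStore keyStore) {
        try {
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(keyStore);
            return factory;
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Connects to {@code host:port} and returns the chain collected during the handshake, or
     * {@code null} when the collector reports the chain as already trusted.
     *
     * <p>NOTE(review): presumably {@code CertificateCollectingTrustManager} records the chain the
     * server presents and whether {@code current} accepted it; confirm against that class.
     *
     * @throws IllegalStateException if no chain was collected within {@code duration}
     */
    private static X509Certificate[] getUntrustedCertificates(Duration duration, String host, int port, Optional<ProxyConfiguration> proxy, X509TrustManager current) {
        CertificateCollectingTrustManager collector = new CertificateCollectingTrustManager(current);

        getTcpClient(proxy, collector, host, port)
            .start(channel -> channel.receive().then())
            .block(duration);

        X509Certificate[] chain = collector.getCollectedCertificateChain();
        if (chain == null) {
            throw new IllegalStateException("Could not obtain server certificate chain");
        }
        return collector.isTrusted().booleanValue() ? null : chain;
    }
}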
