package io.gravitee.am.gateway.handler.common.certificate.impl;

import io.gravitee.am.certificate.api.CertificateMetadata;
import io.gravitee.am.certificate.api.DefaultKey;
import io.gravitee.am.certificate.api.Key;
import io.gravitee.am.certificate.api.Keys;
import io.gravitee.am.common.event.CertificateEvent;
import io.gravitee.am.common.event.EventManager;
import io.gravitee.am.common.jwt.SignatureAlgorithm;
import io.gravitee.am.gateway.certificate.CertificateProvider;
import io.gravitee.am.gateway.certificate.CertificateProviderManager;
import io.gravitee.am.gateway.handler.common.auth.idp.IdentityProviderCertificateReloader;
import io.gravitee.am.gateway.handler.common.certificate.CertificateManager;
import io.gravitee.am.model.Certificate;
import io.gravitee.am.model.Domain;
import io.gravitee.am.model.ReferenceType;
import io.gravitee.am.model.common.event.Payload;
import io.gravitee.am.model.jose.JWK;
import io.gravitee.am.repository.management.api.CertificateRepository;
import io.gravitee.common.event.Event;
import io.gravitee.common.event.EventListener;
import io.gravitee.common.service.AbstractService;
import io.gravitee.node.api.configuration.Configuration;
import io.reactivex.rxjava3.core.Flowable;
import io.reactivex.rxjava3.core.Maybe;
import io.reactivex.rxjava3.core.Single;
import io.reactivex.rxjava3.schedulers.Schedulers;
import java.nio.charset.StandardCharsets;
import java.security.InvalidKeyException;
import java.util.Collection;
import java.util.Collections;
import java.util.Date;
import java.util.Optional;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.ConcurrentMap;
import java.util.stream.Collectors;
import javax.crypto.SecretKey;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;

/* loaded from: input_file:io/gravitee/am/gateway/handler/common/certificate/impl/CertificateManagerImpl.class */
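/**
 * Per-domain certificate manager for the gateway.
 *
 * <p>On start it creates two built-in providers (an HMAC "default" provider keyed from
 * {@code jwt.secret}, and a key-less provider for the {@code none} algorithm), then loads every
 * certificate stored for the domain into the shared {@link CertificateProviderManager}. Afterwards it
 * listens for {@link CertificateEvent}s scoped to this domain and deploys / removes certificates as
 * they change. The {@code certificates} map only tracks which {@link Certificate} models this
 * instance has loaded; the providers themselves live in {@code certificateProviderManager}.
 */
public class CertificateManagerImpl extends AbstractService implements CertificateManager, EventListener<CertificateEvent, Payload> {
    private static final Logger logger = LoggerFactory.getLogger(CertificateManagerImpl.class);

    /** Configuration key holding the HMAC secret used by the default signing provider. */
    private static final String JWT_SECRET_PROPERTY = "jwt.secret";
    /**
     * Fallback secret used when {@code jwt.secret} is not configured. It is shipped in this class, so
     * every deployment that leaves the property unset shares the same, publicly known signing key and
     * any token signed by the default provider can be forged. {@link #initDefaultCertificateProvider()}
     * logs a warning whenever this value is in effect.
     */
    private static final String DEFAULT_JWT_SECRET = "s3cR3t4grAv1t3310AMS1g1ingDftK3y";
    /** Configuration key holding the key id ({@code kid}) advertised for the default provider. */
    private static final String JWT_KID_PROPERTY = "jwt.kid";
    private static final String DEFAULT_JWT_KID = "default-gravitee-AM-key";
    /** Metadata entry under which the built-in providers record their digest algorithm name. */
    private static final String DIGEST_ALGORITHM_METADATA = "digestAlgorithmName";

    @Autowired
    private Configuration configuration;

    @Autowired
    private Domain domain;

    @Autowired
    private CertificateRepository certificateRepository;

    @Autowired
    private EventManager eventManager;

    @Autowired
    private IdentityProviderCertificateReloader identityProviderReloader;

    @Autowired
    private CertificateProviderManager certificateProviderManager;

    // Both are null until doStart() has run.
    private CertificateProvider defaultCertificateProvider;
    private CertificateProvider noneAlgorithmCertificateProvider;

    /** Certificates of this domain that have been handed to the provider manager, keyed by id. */
    private final ConcurrentMap<String, Certificate> certificates = new ConcurrentHashMap<>();

    /**
     * Reacts to certificate events. Only events whose reference is this manager's domain are
     * handled: DEPLOY and UPDATE (re)load the certificate, UNDEPLOY removes it, anything else is
     * ignored.
     */
    @Override
    public void onEvent(Event<CertificateEvent, Payload> event) {
        Payload payload = event.content();
        if (payload.getReferenceType() != ReferenceType.DOMAIN
                || !this.domain.getId().equals(payload.getReferenceId())) {
            return;
        }
        switch (event.type()) {
            case DEPLOY:
            case UPDATE:
                deployCertificate(payload.getId());
                break;
            case UNDEPLOY:
                removeCertificate(payload.getId());
                break;
            default:
                // No other event type carries work for this manager.
                break;
        }
    }

    /**
     * Builds the built-in providers, kicks off the (asynchronous) load of the domain's certificates
     * and subscribes to certificate events for the domain.
     */
    @Override
    protected void doStart() throws Exception {
        super.doStart();
        initialize();
        logger.info("Register event listener for certificate events for domain {}", this.domain.getName());
        this.eventManager.subscribeForEvents(this, CertificateEvent.class, this.domain.getId());
    }

    private void initialize() throws Exception {
        logger.info("Initializing default certificate provider for domain {}", this.domain.getName());
        initDefaultCertificateProvider();
        logger.info("Default certificate loaded for domain {}", this.domain.getName());
        logger.info("Initializing none algorithm certificate provider for domain {}", this.domain.getName());
        initNoneAlgorithmCertificateProvider();
        logger.info("None algorithm certificate loaded for domain {}", this.domain.getName());
        logger.info("Initializing certificates for domain {}", this.domain.getName());
        // Runs on the I/O scheduler: doStart() returns before the domain's certificates are
        // necessarily available. Each certificate is guarded individually (see loadCertificate) so
        // that one that fails to load is logged and skipped instead of failing the subscription and
        // leaving every certificate after it unloaded.
        this.certificateRepository.findByDomain(this.domain.getId())
                .subscribeOn(Schedulers.io())
                .subscribe(
                        this::loadCertificate,
                        th -> logger.error("An error has occurred when loading certificates for domain {}", this.domain.getName(), th));
    }

    /** Unsubscribes from certificate events; loaded providers are left in the provider manager. */
    @Override
    protected void doStop() throws Exception {
        super.doStop();
        logger.info("Dispose event listener for certificate events for domain {}", this.domain.getName());
        this.eventManager.unsubscribeForEvents(this, CertificateEvent.class, this.domain.getId());
    }

    /**
     * Looks a provider up by certificate id.
     *
     * @return the provider, or empty when the id is null or unknown to the provider manager
     */
    @Override // io.gravitee.am.gateway.handler.common.certificate.CertificateManager
    public Maybe<CertificateProvider> get(String certificateId) {
        if (certificateId == null) {
            return Maybe.empty();
        }
        // NOTE(review): unlike getCertificate() and providers(), this path does not check that the
        // provider belongs to this domain, and the provider manager is shared across domains, so an
        // id from another domain returns that domain's provider. It is not visible here whether the
        // built-in providers created in init*() carry a domain id, so callers of this method may
        // depend on the unfiltered lookup — confirm before tightening.
        CertificateProvider provider = this.certificateProviderManager.get(certificateId);
        return provider == null ? Maybe.empty() : Maybe.just(provider);
    }

    /**
     * Returns the raw API provider for a certificate id.
     *
     * @return the provider, or {@code null} when the id is null or unknown, or when the provider is
     *     registered under a different domain than this manager's
     */
    public io.gravitee.am.certificate.api.CertificateProvider getCertificate(String certificateId) {
        if (certificateId == null) {
            return null;
        }
        CertificateProvider provider = this.certificateProviderManager.get(certificateId);
        if (provider == null || !this.domain.getId().equals(provider.getDomain())) {
            return null;
        }
        return provider.getProvider();
    }

    /**
     * Finds the first provider of this domain whose signature algorithm equals {@code algorithm}.
     *
     * @return the first match, or empty for a null/blank algorithm or when none matches; when several
     *     certificates share the algorithm the choice follows the provider manager's iteration order
     */
    @Override // io.gravitee.am.gateway.handler.common.certificate.CertificateManager
    public Maybe<CertificateProvider> findByAlgorithm(String algorithm) {
        if (algorithm == null || algorithm.trim().isEmpty()) {
            return Maybe.empty();
        }
        return providers().stream()
                .filter(provider -> provider != null
                        && provider.getProvider() != null
                        && algorithm.equals(provider.getProvider().signatureAlgorithm()))
                .findFirst()
                .map(Maybe::just)
                .orElseGet(Maybe::empty);
    }

    /** All providers in the shared manager that are registered under this domain's id. */
    @Override // io.gravitee.am.gateway.handler.common.certificate.CertificateManager
    public Collection<CertificateProvider> providers() {
        String domainId = this.domain.getId();
        return this.certificateProviderManager.certificateProviders().stream()
                .filter(provider -> domainId.equals(provider.getDomain()))
                .collect(Collectors.toList());
    }

    /** The HMAC provider built from {@code jwt.secret}; {@code null} before {@link #doStart()}. */
    @Override // io.gravitee.am.gateway.handler.common.certificate.CertificateManager
    public CertificateProvider defaultCertificateProvider() {
        return this.defaultCertificateProvider;
    }

    /** The key-less {@code none} provider; {@code null} before {@link #doStart()}. */
    @Override // io.gravitee.am.gateway.handler.common.certificate.CertificateManager
    public CertificateProvider noneAlgorithmCertificateProvider() {
        return this.noneAlgorithmCertificateProvider;
    }

    /**
     * Loads (or reloads) one certificate from the repository into the provider manager and, on
     * success, asks the identity providers using it to reload. Completes asynchronously.
     */
    private void deployCertificate(String certificateId) {
        logger.info("Deploying certificate {} for domain {}", certificateId, this.domain.getName());
        this.certificateRepository.findById(certificateId)
                .subscribeOn(Schedulers.io())
                .subscribe(
                        certificate -> {
                            if (loadCertificate(certificate)) {
                                reloadIdentityProviders(certificate);
                            }
                        },
                        th -> logger.error("An error has occurred when loading certificate {} for domain {}", certificateId, this.domain.getName(), th),
                        () -> logger.error("No certificate found with id {}", certificateId));
    }

    /**
     * Hands one certificate to the provider manager and records it in {@code certificates}.
     * Failures are logged, not propagated, so that loading of other certificates continues.
     *
     * @return {@code true} when the certificate was loaded
     */
    private boolean loadCertificate(Certificate certificate) {
        try {
            this.certificateProviderManager.create(certificate);
            // Only recorded once creation succeeded, so a failed load never leaves an entry behind.
            this.certificates.put(certificate.getId(), certificate);
            logger.info("Certificate {} loaded for domain {}", certificate.getName(), this.domain.getName());
            return true;
        } catch (Exception e) {
            logger.error("Unable to load certificate {} for domain {}", certificate.getName(), certificate.getDomain(), e);
            return false;
        }
    }

    private void reloadIdentityProviders(Certificate certificate) {
        // NOTE(review): subscribed without an error consumer; the return type of the reloader is not
        // visible here, so a failing reload surfaces through RxJava's global error hook rather than
        // this class's logger — consider adding an onError handler that logs the certificate id.
        this.identityProviderReloader.reloadIdentityProvidersWithCertificate(certificate.getId()).subscribe();
    }

    /** Drops a certificate from the provider manager and from the local map. */
    private void removeCertificate(String certificateId) {
        logger.info("Removing certificate {} for domain {}", certificateId, this.domain.getName());
        Certificate removed = this.certificates.remove(certificateId);
        // Always delegate the delete: the provider manager is the source of truth for providers.
        this.certificateProviderManager.delete(certificateId);
        if (removed == null) {
            logger.info("Certificate {} was not loaded for domain {}", certificateId, this.domain.getName());
        } else {
            logger.info("Certificate {} has been removed for domain {}", certificateId, this.domain.getName());
        }
    }

    /**
     * Builds the default provider: an HMAC key derived from {@code jwt.secret}, with the HS*
     * algorithm chosen by {@link Keys#hmacShaSignatureAlgorithmFor(byte[])}.
     *
     * @throws InvalidKeyException if the configured secret cannot be turned into an HMAC key
     */
    private void initDefaultCertificateProvider() throws InvalidKeyException {
        String secret = signingKeySecret();
        if (DEFAULT_JWT_SECRET.equals(secret)) {
            // The fallback secret is part of this class's source: anyone who can read it can sign
            // tokens that this provider accepts. Make the misconfiguration loud.
            logger.warn("Domain {} is using the built-in default JWT signing secret; set '{}' to a strong, deployment-specific value, otherwise tokens signed by the default certificate provider can be forged",
                    this.domain.getName(), JWT_SECRET_PROPERTY);
        }
        // Fixed charset so the derived key does not depend on the JVM's default encoding. ASCII
        // secrets (including the built-in default) produce exactly the same bytes as before.
        byte[] secretBytes = secret.getBytes(StandardCharsets.UTF_8);
        SecretKey hmacKey = Keys.hmacShaKeyFor(secretBytes);
        final SignatureAlgorithm algorithm = Keys.hmacShaSignatureAlgorithmFor(secretBytes);
        final DefaultKey defaultKey = new DefaultKey(signingKeyId(), hmacKey);
        final CertificateMetadata metadata = new CertificateMetadata();
        metadata.setMetadata(Collections.singletonMap(DIGEST_ALGORITHM_METADATA, algorithm.getDigestName()));
        this.defaultCertificateProvider = this.certificateProviderManager.create(new io.gravitee.am.certificate.api.CertificateProvider() {
            @Override
            public Optional<Date> getExpirationDate() {
                // A configured secret has no expiry.
                return Optional.empty();
            }

            @Override
            public Single<Key> key() {
                return Single.just(defaultKey);
            }

            // There is no asymmetric material to expose for an HMAC secret. These return null rather
            // than an empty stream, as they always have; callers must null-check them.
            @Override
            public Flowable<JWK> privateKey() {
                return null;
            }

            @Override
            public Single<String> publicKey() {
                return null;
            }

            @Override
            public Flowable<JWK> keys() {
                return null;
            }

            @Override
            public String signatureAlgorithm() {
                return algorithm.getValue();
            }

            @Override
            public CertificateMetadata certificateMetadata() {
                return metadata;
            }
        });
    }

    /**
     * Builds the provider for the {@code none} algorithm. It carries no key material at all: every
     * key accessor throws, so it can only ever be used for unsigned tokens.
     *
     * NOTE(review): {@code alg=none} must never be accepted when verifying inbound tokens; confirm
     * that callers select this provider only for deliberately unsigned output.
     */
    private void initNoneAlgorithmCertificateProvider() {
        final CertificateMetadata metadata = new CertificateMetadata();
        metadata.setMetadata(Collections.singletonMap(DIGEST_ALGORITHM_METADATA, SignatureAlgorithm.NONE.getValue()));
        this.noneAlgorithmCertificateProvider = this.certificateProviderManager.create(new io.gravitee.am.certificate.api.CertificateProvider() {
            @Override
            public Optional<Date> getExpirationDate() {
                return Optional.empty();
            }

            @Override
            public Flowable<JWK> privateKey() {
                throw new UnsupportedOperationException("No private key for \"none\" algorithm");
            }

            @Override
            public Single<Key> key() {
                throw new UnsupportedOperationException("No key for \"none\" algorithm");
            }

            @Override
            public Single<String> publicKey() {
                throw new UnsupportedOperationException("No public key for \"none\" algorithm");
            }

            @Override
            public Flowable<JWK> keys() {
                throw new UnsupportedOperationException("No keys for \"none\" algorithm");
            }

            @Override
            public String signatureAlgorithm() {
                return SignatureAlgorithm.NONE.getValue();
            }

            @Override
            public CertificateMetadata certificateMetadata() {
                return metadata;
            }
        });
    }

    /** The configured {@code jwt.secret}, or the shipped default when unset (see DEFAULT_JWT_SECRET). */
    private String signingKeySecret() {
        return this.configuration.getProperty(JWT_SECRET_PROPERTY, DEFAULT_JWT_SECRET);
    }

    /** The configured {@code jwt.kid}, or the shipped default when unset. */
    private String signingKeyId() {
        return this.configuration.getProperty(JWT_KID_PROPERTY, DEFAULT_JWT_KID);
    }
}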
