package io.quarkus.vault.runtime.client;

import io.quarkus.vault.client.VaultException;
import io.quarkus.vault.pki.X509Parsing;
import io.quarkus.vault.runtime.config.VaultAuthenticationType;
import io.quarkus.vault.runtime.config.VaultRuntimeConfig;
import io.quarkus.vault.runtime.config.VaultTlsConfig;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.Proxy;
import java.net.ProxySelector;
import java.net.Socket;
import java.net.SocketAddress;
import java.net.URI;
import java.net.http.HttpClient;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Paths;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.List;
import java.util.Objects;
import java.util.stream.Stream;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedTrustManager;

/* loaded from: input_file:io/quarkus/vault/runtime/client/JDKClientFactory.class */
/**
 * Builds the JDK {@link HttpClient} the Vault runtime uses, including proxy routing and the
 * TLS trust configuration (custom CA, Kubernetes in-cluster CA, or — for development only —
 * no certificate validation at all).
 */
public class JDKClientFactory {

    /**
     * {@link ProxySelector} that sends every request through one fixed HTTP proxy, except for
     * hosts matching one of the configured non-proxy patterns, which are reached directly.
     *
     * <p>Each entry of the non-proxy list is applied to the request host with
     * {@link String#matches(String)}, i.e. as a full-match regular expression: an entry such as
     * {@code .*\.internal} excludes that domain, whereas a shell-style {@code *.internal} glob
     * would not be valid regex.
     */
    static class NonProxyHostsSupportingProxySelector extends ProxySelector {
        private final ProxySelector delegate;
        private final List<String> nonProxyHosts;

        /**
         * @param inetSocketAddress address of the HTTP proxy used for all non-excluded requests
         * @param list              regular expressions for hosts that must bypass the proxy
         */
        public NonProxyHostsSupportingProxySelector(InetSocketAddress inetSocketAddress, List<String> list) {
            this.delegate = ProxySelector.of(inetSocketAddress);
            this.nonProxyHosts = list;
        }

        /**
         * Returns {@link Proxy#NO_PROXY} when the request host matches a non-proxy pattern,
         * otherwise whatever the fixed-proxy delegate selects for the URI.
         *
         * @throws NullPointerException if {@code uri} has no host component
         */
        @Override
        public List<Proxy> select(URI uri) {
            // A host-less URI cannot be matched against the exclusion list, so it is rejected
            // rather than silently routed through the proxy.
            String requestHost = Objects.requireNonNull(uri.getHost());
            boolean bypassProxy = false;
            for (String pattern : this.nonProxyHosts) {
                if (requestHost.matches(pattern)) {
                    bypassProxy = true;
                    break;
                }
            }
            if (bypassProxy) {
                return List.of(Proxy.NO_PROXY);
            }
            return this.delegate.select(uri);
        }

        /** Forwards connection failures to the fixed-proxy delegate. */
        @Override
        public void connectFailed(URI uri, SocketAddress socketAddress, IOException iOException) {
            this.delegate.connectFailed(uri, socketAddress, iOException);
        }
    }

    /**
     * Trust manager that accepts every certificate chain: each {@code check*} method returns
     * without inspecting its arguments and no accepted issuers are reported.
     *
     * <p>This disables server certificate validation entirely. It is only wired in by
     * {@link #skipVerify()}, i.e. when {@code tls.skipVerify} is enabled, and must not be used
     * against anything but a local development Vault.
     */
    public static class TrustAllManager extends X509ExtendedTrustManager {
        TrustAllManager() {
        }

        /** No issuer is advertised; the manager accepts any chain regardless. */
        @Override
        public X509Certificate[] getAcceptedIssuers() {
            return new X509Certificate[0];
        }

        /** Accepts unconditionally. */
        @Override
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        }

        /** Accepts unconditionally. */
        @Override
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str) throws CertificateException {
        }

        /** Accepts unconditionally. */
        @Override
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        }

        /** Accepts unconditionally. */
        @Override
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, Socket socket) throws CertificateException {
        }

        /** Accepts unconditionally. */
        @Override
        public void checkClientTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        }

        /** Accepts unconditionally. */
        @Override
        public void checkServerTrusted(X509Certificate[] x509CertificateArr, String str, SSLEngine sSLEngine) throws CertificateException {
        }
    }

    /**
     * Creates the client used to talk to Vault.
     *
     * <p>The client uses the configured connect timeout, follows redirects with
     * {@link HttpClient.Redirect#NORMAL}, routes through the configured proxy (honouring the
     * non-proxy host exclusions) when {@code proxyHost} is set, and installs the TLS context
     * chosen by {@link #createSSLContext}; when that returns {@code null} the JDK default
     * trust store is used.
     *
     * @param vaultRuntimeConfig connection, proxy and TLS settings
     * @param z                  value assumed for {@code tls.skipVerify} when it is not set
     *                           explicitly; {@code true} turns off server certificate checks
     * @return a ready-to-use client
     */
    public static HttpClient createHttpClient(VaultRuntimeConfig vaultRuntimeConfig, boolean z) {
        HttpClient.Builder builder = HttpClient.newBuilder()
                .connectTimeout(vaultRuntimeConfig.connectTimeout())
                .followRedirects(HttpClient.Redirect.NORMAL);
        if (vaultRuntimeConfig.proxyHost().isPresent()) {
            InetSocketAddress proxyAddress = new InetSocketAddress(
                    vaultRuntimeConfig.proxyHost().get(), vaultRuntimeConfig.proxyPort().intValue());
            List<String> exclusions = vaultRuntimeConfig.nonProxyHosts().orElse(List.of());
            builder = builder.proxy(new NonProxyHostsSupportingProxySelector(proxyAddress, exclusions));
        }
        SSLContext sslContext = createSSLContext(vaultRuntimeConfig, z);
        if (sslContext != null) {
            builder.sslContext(sslContext);
        }
        return builder.build();
    }

    /**
     * Selects the TLS trust configuration, first match wins:
     * <ol>
     *   <li>{@code tls.skipVerify} (defaulting to {@code z}) — a context trusting every server;</li>
     *   <li>{@code tls.caCert} — trust only the CA in that PEM file;</li>
     *   <li>Kubernetes authentication with {@code tls.useKubernetesCaCert} — trust the
     *       in-cluster CA at {@link VaultRuntimeConfig#KUBERNETES_CACERT};</li>
     *   <li>otherwise {@code null}, leaving the JDK default trust store in place.</li>
     * </ol>
     *
     * @param vaultRuntimeConfig runtime configuration holding the TLS and auth settings
     * @param z                  fallback for {@code tls.skipVerify} when unset
     * @return the context to install, or {@code null} for the JDK default
     */
    private static SSLContext createSSLContext(VaultRuntimeConfig vaultRuntimeConfig, boolean z) {
        VaultTlsConfig tls = vaultRuntimeConfig.tls();
        boolean trustEverything = tls.skipVerify().orElse(z);
        if (trustEverything) {
            return skipVerify();
        }
        String caCertPath = tls.caCert().orElse(null);
        if (caCertPath != null) {
            return buildSslContextFromPem(caCertPath);
        }
        boolean kubernetesAuth = vaultRuntimeConfig.getAuthenticationType() == VaultAuthenticationType.KUBERNETES;
        if (kubernetesAuth && tls.useKubernetesCaCert()) {
            return buildSslContextFromPem(VaultRuntimeConfig.KUBERNETES_CACERT);
        }
        return null;
    }

    /**
     * Builds a context that trusts exactly the CA certificate read from the PEM file at
     * {@code str}. The certificate is stored in an in-memory key store under the alias
     * {@code "caCert"} and fed to the default {@link TrustManagerFactory}; the default JDK
     * trust store is therefore not consulted. Only the certificate returned by
     * {@code X509Parsing.parsePEMCertificate} is trusted — whether a multi-certificate bundle
     * is handled depends on that parser (not visible here).
     *
     * @param str filesystem path of the PEM-encoded CA certificate
     * @return a context trusting only that CA
     * @throws VaultException wrapping any I/O, parsing, key-store or TLS-setup failure
     */
    private static SSLContext buildSslContextFromPem(String str) throws VaultException {
        try {
            String pem = Files.readString(Paths.get(str), StandardCharsets.UTF_8);
            X509Certificate caCert = X509Parsing.parsePEMCertificate(pem);
            TrustManagerFactory factory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null);
            trustStore.setCertificateEntry("caCert", caCert);
            factory.init(trustStore);
            TrustManager[] trustManagers = factory.getTrustManagers();
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, trustManagers, null);
            return context;
        } catch (IOException | KeyManagementException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new VaultException(e);
        }
    }

    /**
     * Builds a context whose only trust manager is {@link TrustAllManager}, so no server
     * certificate validation is performed and an active interceptor on the path to Vault
     * would go unnoticed. Used solely for {@code tls.skipVerify}; intended for local
     * development against a dev-mode Vault, never for production traffic.
     *
     * @return a context that accepts any server certificate
     * @throws VaultException if the TLS provider cannot be initialised
     */
    private static SSLContext skipVerify() {
        try {
            TrustManager[] acceptAll = {new TrustAllManager()};
            SSLContext context = SSLContext.getInstance("TLS");
            context.init(null, acceptAll, new SecureRandom());
            return context;
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            throw new VaultException(e);
        }
    }
}
