package org.cloudfoundry.reactor.util;

import io.netty.handler.ssl.SslContextBuilder;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.util.Collections;
import java.util.Optional;
import java.util.Set;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.cloudfoundry.reactor.ProxyConfiguration;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import reactor.core.publisher.Mono;
import reactor.netty.resources.LoopResources;
import reactor.netty.tcp.SslProvider;
import reactor.netty.tcp.TcpClient;
import reactor.util.function.Tuple2;
import reactor.util.function.Tuples;

/* loaded from: input_file:BOOT-INF/lib/cloudfoundry-client-reactor-4.16.0.RELEASE.jar:org/cloudfoundry/reactor/util/DefaultSslCertificateTruster.class */
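/**
 * An {@link SslCertificateTruster} that trusts server certificate chains on first use.
 *
 * <p>Until {@link #trust(String, int, Duration)} is called for a host, every check is delegated
 * to an {@link X509TrustManager} initialised from the JVM's default trust material
 * ({@code TrustManagerFactory.init((KeyStore) null)}). {@code trust} opens a probe TLS connection
 * to the given host and port, collects the chain the server presents and, if the current delegate
 * rejects it, rebuilds the delegate from that chain plus the previously accepted issuers.
 *
 * <p>The collected chain is accepted as-is: nothing in this class verifies it out of band, so
 * whichever peer answers the probe becomes trusted for the lifetime of this instance. That is why
 * every trust decision is logged at WARN on the {@code cloudfoundry-client.trust} logger.
 *
 * <p>Thread-safety: the delegate lives in an {@link AtomicReference} and is replaced with
 * {@code updateAndGet}, so concurrent {@code trust} calls for different hosts do not lose each
 * other's additions; the set of already-trusted endpoints is a concurrent set.
 */
public final class DefaultSslCertificateTruster implements SslCertificateTruster {

    private final Optional<ProxyConfiguration> proxyConfiguration;

    private final LoopResources threadPool;

    private final Logger logger = LoggerFactory.getLogger("cloudfoundry-client.trust");

    // Starts as the JVM's default trust manager; replaced whenever a new chain is trusted.
    private final AtomicReference<X509TrustManager> delegate =
        new AtomicReference<>(getTrustManager(getTrustManagerFactory(null)));

    // Endpoints for which trust() has already completed; they are not probed again.
    private final Set<Tuple2<String, Integer>> trustedHostsAndPorts =
        Collections.newSetFromMap(new ConcurrentHashMap<>());

    /**
     * Creates a truster.
     *
     * @param proxyConfiguration optional proxy applied to the probe connection
     * @param threadPool the event loops the probe connection runs on
     */
    public DefaultSslCertificateTruster(Optional<ProxyConfiguration> proxyConfiguration, LoopResources threadPool) {
        this.proxyConfiguration = proxyConfiguration;
        this.threadPool = threadPool;
    }

    /** Delegates to the current trust manager. */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        this.delegate.get().checkClientTrusted(chain, authType);
    }

    /** Delegates to the current trust manager. */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        this.delegate.get().checkServerTrusted(chain, authType);
    }

    /** Delegates to the current trust manager. */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        return this.delegate.get().getAcceptedIssuers();
    }

    /**
     * Probes {@code host:port} over TLS and, if the presented chain is not already trusted, adds it
     * to the trust store used by this instance.
     *
     * @param host the host to probe
     * @param port the port to probe
     * @param timeout how long the probe connection may take before the returned {@code Mono} errors
     * @return a {@code Mono} that completes once the endpoint is trusted; it errors if the probe
     *     fails, times out, or yields no certificate chain
     */
    @Override
    public Mono<Void> trust(String host, int port, Duration timeout) {
        Tuple2<String, Integer> hostAndPort = Tuples.of(host, port);
        if (this.trustedHostsAndPorts.contains(hostAndPort)) {
            return Mono.empty();
        }
        this.logger.warn("Trusting SSL Certificate for {}:{}", host, port);
        X509TrustManager current = this.delegate.get();
        return getUntrustedCertificates(timeout, host, port, this.proxyConfiguration, this.threadPool, current)
            // Merge into whatever delegate is current at merge time rather than the snapshot taken
            // above, so a concurrent trust() for another host is not overwritten.
            .doOnNext(chain -> this.delegate.updateAndGet(existing ->
                getTrustManager(getTrustManagerFactory(addToTrustStore(chain, existing)))))
            .doOnSuccess(ignored -> {
                this.trustedHostsAndPorts.add(hostAndPort);
                this.logger.debug("Trusted SSL Certificate for {}:{}", host, port);
            })
            .then();
    }

    /**
     * Builds a fresh in-memory key store holding {@code chain} followed by every issuer the given
     * trust manager already accepts. Entries get sequential numeric aliases.
     *
     * @throws IllegalStateException if the default key store type cannot be created or populated
     */
    private static KeyStore addToTrustStore(X509Certificate[] chain, X509TrustManager current) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null); // no input: creates an empty store
            int alias = 0;
            for (X509Certificate certificate : chain) {
                keyStore.setCertificateEntry(Integer.toString(alias++), certificate);
            }
            for (X509Certificate issuer : current.getAcceptedIssuers()) {
                keyStore.setCertificateEntry(Integer.toString(alias++), issuer);
            }
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new IllegalStateException("Unable to build trust store", e);
        }
    }

    /**
     * Installs the collecting trust manager on the probe connection's SSL context.
     * Left {@code public} as found in the compiled class (the decompiler notes the original was
     * private); it is only used from {@link #getTcpClient}.
     */
    public static void configureSsl(SslProvider.SslContextSpec sslContextSpec, CertificateCollectingTrustManager collector) {
        sslContextSpec.sslContext(SslContextBuilder.forClient().trustManager(new StaticTrustManagerFactory(collector)));
    }

    /** Creates the probe client for {@code host:port}, routed through the proxy when one is configured. */
    private static TcpClient getTcpClient(Optional<ProxyConfiguration> proxyConfiguration, LoopResources threadPool,
                                          CertificateCollectingTrustManager collector, String host, int port) {
        TcpClient client = TcpClient.create()
            .runOn(threadPool)
            .host(host)
            .port(port)
            .secure(spec -> configureSsl(spec, collector));
        return (TcpClient) proxyConfiguration.map(proxy -> proxy.configure(client)).orElse(client);
    }

    /**
     * Returns the first {@link X509TrustManager} the factory provides.
     *
     * @throws IllegalStateException if the factory provides none
     */
    private static X509TrustManager getTrustManager(TrustManagerFactory trustManagerFactory) {
        for (TrustManager trustManager : trustManagerFactory.getTrustManagers()) {
            if (trustManager instanceof X509TrustManager) {
                return (X509TrustManager) trustManager;
            }
        }
        throw new IllegalStateException("No X509TrustManager in TrustManagerFactory");
    }

    /**
     * Creates a default-algorithm {@link TrustManagerFactory} initialised from {@code keyStore};
     * {@code null} selects the JVM's installed default trust store.
     *
     * @throws IllegalStateException if the factory cannot be created or initialised
     */
    private static TrustManagerFactory getTrustManagerFactory(KeyStore keyStore) {
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(keyStore);
            return trustManagerFactory;
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new IllegalStateException("Unable to initialise TrustManagerFactory", e);
        }
    }

    /**
     * Opens a probe connection and emits the server's chain only when {@code current} rejects it.
     *
     * <p>Emits nothing (completes empty) when the chain is already trusted, and errors when no
     * chain was collected at all. The probe connection is disposed in every case.
     */
    private static Mono<X509Certificate[]> getUntrustedCertificates(Duration timeout, String host, int port,
                                                                   Optional<ProxyConfiguration> proxyConfiguration,
                                                                   LoopResources threadPool, X509TrustManager current) {
        CertificateCollectingTrustManager collector = new CertificateCollectingTrustManager(current);
        return getTcpClient(proxyConfiguration, threadPool, collector, host, port)
            .handle((inbound, outbound) -> inbound.receive().then())
            .connect()
            .timeout(timeout)
            .handle((connection, sink) -> {
                try {
                    X509Certificate[] chain = collector.getCollectedCertificateChain();
                    // A SynchronousSink accepts exactly one terminal call, so the branches are
                    // exclusive: the original fell through from error() into complete()/next().
                    if (chain == null) {
                        sink.error(new IllegalStateException("Could not obtain server certificate chain"));
                    } else if (Boolean.TRUE.equals(collector.isTrusted())) {
                        // assumes isTrusted() is non-null once a chain has been collected; a null
                        // here is treated as "not trusted" instead of throwing — TODO confirm
                        sink.complete();
                    } else {
                        sink.next(chain);
                    }
                } finally {
                    connection.dispose(); // previously skipped if the sink threw
                }
            });
    }
}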
