package com.aeontronix.kryptotek.rest.client.httpcomponents;

import com.aeontronix.commons.StringUtils;
import com.aeontronix.commons.io.BoundedOutputStream;
import com.aeontronix.kryptotek.CryptoEngine;
import com.aeontronix.kryptotek.CryptoUtils;
import com.aeontronix.kryptotek.DigestAlgorithm;
import com.aeontronix.kryptotek.key.SignatureVerificationKey;
import com.aeontronix.kryptotek.key.SigningKey;
import com.aeontronix.kryptotek.rest.RESTRequestSigner;
import com.aeontronix.kryptotek.rest.RESTResponseSigner;
import java.io.ByteArrayOutputStream;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.SignatureException;
import java.util.logging.Level;
import java.util.logging.Logger;
import org.apache.http.Header;
import org.apache.http.HttpEntity;
import org.apache.http.HttpEntityEnclosingRequest;
import org.apache.http.HttpException;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.HttpResponse;
import org.apache.http.HttpResponseInterceptor;
import org.apache.http.RequestLine;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.protocol.HttpClientContext;
import org.apache.http.entity.ByteArrayEntity;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.protocol.HttpContext;
import org.jetbrains.annotations.NotNull;

/* loaded from: input_file:com/aeontronix/kryptotek/rest/client/httpcomponents/HCInterceptor.class */
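/**
 * Apache HttpComponents interceptor that signs outgoing REST requests and checks the signature
 * of incoming responses.
 *
 * <p>Requests are signed only when the context's credentials provider returns a
 * {@link RestAuthCredential} for the target host and port; otherwise the request is passed
 * through untouched.
 *
 * <p>Security-relevant behaviour of the response side, as implemented here:
 * <ul>
 *   <li>Responses with status 401 are not checked at all.</li>
 *   <li>Every other response must carry exactly one signature header, even when no
 *       {@link RestAuthCredential} applies to the host.</li>
 *   <li>The signature is verified only when the credential has a server key. With no server
 *       key the response is accepted unverified (fail-open), so callers that rely on response
 *       authenticity must configure one.</li>
 *   <li>The response body is buffered in memory before verification;
 *       {@code responseSizeLimit} bounds that buffer only when it is non-null.</li>
 * </ul>
 *
 * <p>{@code responseSizeLimit} is a plain mutable field with no synchronization; set it before
 * the client is shared between threads.
 */
public class HCInterceptor implements HttpRequestInterceptor, HttpResponseInterceptor {
    private static final Logger logger = Logger.getLogger(HCInterceptor.class.getName());

    /** Context attribute under which the request signature is kept for the response check. */
    public static final String REQUEST_AUTHZ = "request_authz";

    private final CryptoEngine cryptoEngine;

    // Maximum number of response bytes to buffer; null means no limit is applied.
    private Long responseSizeLimit;

    /**
     * Creates an interceptor that uses the engine returned by {@link CryptoUtils#getEngine()}.
     *
     * @param l response size limit in bytes, or {@code null} for no limit
     */
    public HCInterceptor(Long l) {
        this(CryptoUtils.getEngine(), l);
    }

    /**
     * Creates an interceptor that signs and verifies with the given engine.
     *
     * @param cryptoEngine engine used for signing and signature verification
     * @param l response size limit in bytes, or {@code null} for no limit
     */
    public HCInterceptor(@NotNull CryptoEngine cryptoEngine, Long l) {
        this.cryptoEngine = cryptoEngine;
        this.responseSizeLimit = l;
        logger.info("REST HCInterceptor using crypto engine: " + cryptoEngine.getClass().getName());
    }

    /**
     * Signs the outgoing request when a {@link RestAuthCredential} is registered for the target.
     *
     * <p>Adds the nonce, timestamp, identity and signature headers, and stores the nonce and the
     * signature in the context so the response interceptor can bind the response to this request.
     * The request body, if any, is buffered in memory (without a size limit) and included in the
     * signed data.
     *
     * @throws HttpException if time synchronisation data or the signature cannot be produced
     * @throws IOException if the request body cannot be read
     */
    @Override // org.apache.http.HttpRequestInterceptor
    public void process(HttpRequest httpRequest, HttpContext httpContext) throws HttpException, IOException {
        RestAuthCredential credentials = getCredentials(httpContext);
        if (credentials == null) {
            // No REST credential for this host: the request goes out unsigned.
            return;
        }

        // The clock offset is resolved once through TimeSync and then cached on the credential.
        Long timeDifferential = credentials.getTimeDifferential();
        TimeSync timeSync = credentials.getTimeSync();
        if (timeSync != null && timeDifferential == null) {
            timeDifferential = Long.valueOf(timeSync.getTimeDifferential(httpRequest, httpContext));
            credentials.setTimeDifferential(timeDifferential);
        }
        long offset = timeDifferential != null ? timeDifferential.longValue() : 0L;

        RequestLine requestLine = httpRequest.getRequestLine();
        RESTRequestSigner signer =
                new RESTRequestSigner(requestLine.getMethod(), requestLine.getUri(), offset, credentials.getIdentity());
        httpRequest.addHeader(RESTRequestSigner.HEADER_NONCE, signer.getNonce());
        httpContext.setAttribute(RESTRequestSigner.HEADER_NONCE, signer.getNonce());
        httpRequest.addHeader(RESTRequestSigner.HEADER_TIMESTAMP, signer.getTimestamp());
        httpRequest.addHeader(RESTRequestSigner.HEADER_IDENTITY, credentials.getIdentity());

        byte[] content = getContent(httpRequest);
        if (content != null) {
            signer.setContent(content);
        }

        try {
            String signature = sign(signer.getDataToSign(), credentials.getClientKey(), credentials.getDigestAlgorithm());
            httpContext.setAttribute(REQUEST_AUTHZ, signature);
            httpRequest.addHeader(RESTRequestSigner.HEADER_SIGNATURE, signature);
        } catch (Exception e) {
            throw new HttpException(e.getMessage(), e);
        }
    }

    /**
     * Checks the signature of an incoming response against the request it answers.
     *
     * <p>The signed data is built from the nonce and request signature stored in the context by
     * the request interceptor, the status code and, unless excluded, the buffered body.
     *
     * @throws HttpException if the signature header is missing or duplicated, the server key is
     *     invalid, or the signature does not verify
     * @throws IOException if the response body cannot be read
     */
    @Override // org.apache.http.HttpResponseInterceptor
    public void process(HttpResponse httpResponse, HttpContext httpContext) throws HttpException, IOException {
        int statusCode = httpResponse.getStatusLine().getStatusCode();
        if (statusCode == 401) {
            // 401 responses are accepted without any signature check.
            return;
        }

        Header[] signatureHeaders = httpResponse.getHeaders(RESTRequestSigner.HEADER_SIGNATURE);
        if (signatureHeaders == null || signatureHeaders.length != 1) {
            throw new HttpException("response is missing (or has more than one) X-KT-SIGNATURE header");
        }

        RestAuthCredential credentials = getCredentials(httpContext);
        if (credentials == null) {
            return;
        }

        RESTResponseSigner signer = new RESTResponseSigner(
                (String) httpContext.getAttribute(RESTRequestSigner.HEADER_NONCE),
                (String) httpContext.getAttribute(REQUEST_AUTHZ),
                statusCode);

        // NOTE(review): this flag comes from the response itself and is read before the
        // signature has been verified. Confirm that RESTResponseSigner covers it in the signed
        // data, so a modified header cannot change what the signature is checked against.
        Header[] excludeBodyHeaders = httpResponse.getHeaders(RESTRequestSigner.HEADER_EXCLUDEBODY);
        signer.setExcludeContent(
                excludeBodyHeaders.length > 0 && Boolean.parseBoolean(excludeBodyHeaders[0].getValue()));

        byte[] content = getContent(loadEntity(httpResponse, this.responseSizeLimit));
        if (content != null) {
            signer.setContent(content);
        }

        SignatureVerificationKey serverKey = credentials.getServerKey();
        if (serverKey == null) {
            // Fail-open: with no server key configured the response is accepted unverified.
            if (logger.isLoggable(Level.FINE)) {
                logger.fine("REST response signature not verified: credential has no server key");
            }
            return;
        }

        try {
            verifySignature(signatureHeaders[0].getValue(), signer.getDataToSign(), serverKey, credentials.getDigestAlgorithm());
        } catch (InvalidKeyException e) {
            throw new HttpException(e.getMessage(), e);
        } catch (SignatureException e) {
            // Keep the cause so a verification failure can be diagnosed from the stack trace.
            throw new HttpException("Invalid response signature", e);
        }
    }

    /**
     * Looks up the REST credential registered for the request's target host and port.
     *
     * @return the credential, or {@code null} when the context has no target host or credentials
     *     provider, or when the provider's credential for that scope is not a
     *     {@link RestAuthCredential}
     */
    private RestAuthCredential getCredentials(HttpContext httpContext) {
        // adapt() wraps a plain HttpContext instead of failing with a ClassCastException.
        HttpClientContext clientContext = HttpClientContext.adapt(httpContext);
        HttpHost targetHost = clientContext.getTargetHost();
        CredentialsProvider provider = clientContext.getCredentialsProvider();
        if (targetHost == null || provider == null) {
            return null;
        }

        int port = targetHost.getPort();
        if (port == -1) {
            // No explicit port: use the scheme's default so the AuthScope lookup matches.
            port = "https".equals(targetHost.getSchemeName()) ? 443 : 80;
        }
        Credentials found = provider.getCredentials(new AuthScope(targetHost.getHostName(), port));
        return found instanceof RestAuthCredential ? (RestAuthCredential) found : null;
    }

    /**
     * Signs {@code data} with the client key and returns the signature base64-encoded.
     */
    private String sign(byte[] data, SigningKey signingKey, DigestAlgorithm digestAlgorithm) throws InvalidKeyException, SignatureException {
        if (logger.isLoggable(Level.FINE)) {
            // NOTE(review): this logs a fingerprint derived from the encoded signing key.
            // Presumably CryptoUtils.fingerprint is a one-way digest - confirm before enabling
            // FINE logging in production.
            logger.fine("Signing REST request - key: " + CryptoUtils.fingerprint(signingKey.getEncoded().getEncodedKey()) + " alg: " + digestAlgorithm + " data: " + CryptoUtils.fingerprint(data));
        }
        return StringUtils.base64Encode(this.cryptoEngine.sign(signingKey, digestAlgorithm, data));
    }

    /**
     * Verifies a base64-encoded signature over {@code data} with the server key.
     *
     * @throws SignatureException presumably when the signature does not match (the caller
     *     reports it as an invalid response signature)
     */
    private void verifySignature(String encodedSignature, byte[] data, SignatureVerificationKey signatureVerificationKey, DigestAlgorithm digestAlgorithm) throws InvalidKeyException, SignatureException {
        byte[] signature = StringUtils.base64Decode(encodedSignature);
        if (logger.isLoggable(Level.FINE)) {
            logger.fine("Verifying REST response - key: " + CryptoUtils.fingerprint(signatureVerificationKey.getEncoded().getEncodedKey()) + " alg: " + digestAlgorithm + " data: " + CryptoUtils.fingerprint(data) + " signature: " + CryptoUtils.fingerprint(signature));
        }
        this.cryptoEngine.verifySignature(signatureVerificationKey, digestAlgorithm, data, signature);
    }

    /**
     * Registers this interceptor on the builder: last among request interceptors and first
     * among response interceptors.
     *
     * @return the same builder, for chaining
     */
    public HttpClientBuilder add(HttpClientBuilder httpClientBuilder) {
        return httpClientBuilder.addInterceptorLast((HttpRequestInterceptor) this).addInterceptorFirst((HttpResponseInterceptor) this);
    }

    /** Creates a new client builder with this interceptor already registered. */
    public HttpClientBuilder createClientBuilder() {
        return add(HttpClientBuilder.create());
    }

    /**
     * Builds a client that uses this interceptor and the given credentials provider.
     *
     * @param credentialsProvider provider expected to hold the {@link RestAuthCredential}s
     */
    public CloseableHttpClient createClient(CredentialsProvider credentialsProvider) {
        return createClientBuilder().setDefaultCredentialsProvider(credentialsProvider).build();
    }

    /** Returns the response size limit in bytes, or {@code null} when no limit is applied. */
    public Long getResponseSizeLimit() {
        return this.responseSizeLimit;
    }

    /** Sets the response size limit in bytes; {@code null} removes the limit. */
    public void setResponseSizeLimit(Long l) {
        this.responseSizeLimit = l;
    }

    /** Returns the request body as bytes, or {@code null} when the request has no entity. */
    private static byte[] getContent(HttpRequest httpRequest) throws IOException {
        return getContent(loadEntity(httpRequest));
    }

    /**
     * Copies the entity's content into a byte array, or returns {@code null} for a null entity.
     *
     * <p>No size limit is applied here. An entity that was already repeatable is therefore read
     * in full regardless of {@code responseSizeLimit}.
     */
    private static byte[] getContent(HttpEntity httpEntity) throws IOException {
        if (httpEntity == null) {
            return null;
        }
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        httpEntity.writeTo(buffer);
        return buffer.toByteArray();
    }

    /**
     * Makes the request's entity repeatable so it can be read for signing and still be sent.
     *
     * @return the repeatable entity now set on the request, or {@code null} when the request
     *     cannot carry an entity or has none
     */
    private static HttpEntity loadEntity(HttpRequest httpRequest) throws IOException {
        if (!(httpRequest instanceof HttpEntityEnclosingRequest)) {
            return null;
        }
        HttpEntityEnclosingRequest enclosingRequest = (HttpEntityEnclosingRequest) httpRequest;
        HttpEntity original = enclosingRequest.getEntity();
        if (original == null) {
            return null;
        }
        HttpEntity buffered = loadEntity(original, (Long) null);
        enclosingRequest.setEntity(buffered);
        return buffered;
    }

    /**
     * Makes the response's entity repeatable so it can be read for verification and still be
     * consumed by the caller.
     *
     * @param l maximum number of bytes to buffer, or {@code null} for no limit
     * @return the repeatable entity now set on the response, or {@code null} when it has none
     */
    private HttpEntity loadEntity(HttpResponse httpResponse, Long l) throws IOException {
        HttpEntity original = httpResponse.getEntity();
        if (original == null) {
            return null;
        }
        HttpEntity buffered = loadEntity(original, l);
        httpResponse.setEntity(buffered);
        return buffered;
    }

    /**
     * Returns the entity unchanged when it is repeatable; otherwise buffers it into a
     * {@link ByteArrayEntity}.
     *
     * @param l maximum number of bytes to buffer, or {@code null} for no limit
     */
    private static HttpEntity loadEntity(HttpEntity httpEntity, Long l) throws IOException {
        if (httpEntity.isRepeatable()) {
            // Repeatable entities are returned as-is, so the limit below does not apply to them.
            return httpEntity;
        }
        ByteArrayOutputStream buffer = new ByteArrayOutputStream();
        if (l != null) {
            // Presumably BoundedOutputStream fails the write once the limit is exceeded (third
            // argument true) - confirm against com.aeontronix.commons.
            httpEntity.writeTo(new BoundedOutputStream(buffer, l.longValue(), true));
        } else {
            httpEntity.writeTo(buffer);
        }
        return new ByteArrayEntity(buffer.toByteArray());
    }
}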
