package de.gematik.test.tiger.proxy.tls;

import de.gematik.test.tiger.TigerAgent;
import de.gematik.test.tiger.common.data.config.tigerproxy.TigerProxyConfiguration;
import de.gematik.test.tiger.common.data.config.tigerproxy.TigerTlsConfiguration;
import de.gematik.test.tiger.common.pki.TigerConfigurationPkiIdentity;
import de.gematik.test.tiger.common.pki.TigerPkiIdentity;
import de.gematik.test.tiger.mockserver.configuration.MockServerConfiguration;
import de.gematik.test.tiger.mockserver.socket.tls.KeyAndCertificateFactory;
import de.gematik.test.tiger.proxy.TigerProxyMasterSecretListener;
import de.gematik.test.tiger.proxy.exceptions.TigerProxySslException;
import io.netty.handler.ssl.SslProvider;
import java.beans.ConstructorProperties;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Objects;
import java.util.Optional;
import java.util.stream.Stream;
import javax.net.ssl.SSLException;
import lombok.Generated;
import org.apache.commons.collections4.CollectionUtils;
import org.apache.commons.lang3.SystemProperties;
import org.bouncycastle.jsse.provider.BouncyCastleJsseProvider;

/* loaded from: input_file:BOOT-INF/lib/tiger-proxy-3.4.6.jar:de/gematik/test/tiger/proxy/tls/MockServerTlsConfigurator.class */
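/**
 * Wires the TLS settings of a {@link TigerProxyConfiguration} into a {@link MockServerConfiguration}.
 *
 * <p>{@link #execute()} performs the whole configuration in one pass: it re-reads the TLS section of the
 * proxy configuration, determines the server root CA, installs the server- and client-side
 * {@link KeyAndCertificateFactory} instances, registers the SSL context customizers and, if a master
 * secrets file is configured, a {@link TigerProxyMasterSecretListener}.
 *
 * <p>Instances are created through {@link #builder()}. Note that {@code tlsConfiguration} and
 * {@code usingGenericCa} given to the builder are overwritten by {@link #execute()}; the builder values
 * only matter until then.
 *
 * <p>Not thread-safe; {@link #execute()} mutates instance state and is expected to be called once.
 */
public class MockServerTlsConfigurator {
    /**
     * Path of the fallback client identity used for forwarded mutual TLS when no
     * {@code forwardMutualTlsIdentity} is configured. This is a fixed, bundled identity, so any upstream
     * that accepts client certificates issued under it is trusting a key shipped with the proxy —
     * presumably acceptable for test setups only; confirm before relying on it elsewhere.
     */
    private static final String GENERIC_CLIENT_CA_IDENTITY =
            "CertificateAuthorityCertificate.pem;CertificateAuthorityPrivateKey.pem;PKCS1";

    private final MockServerConfiguration mockServerConfiguration;
    private final TigerProxyConfiguration tigerProxyConfiguration;
    // Re-derived from tigerProxyConfiguration.getTls() at the start of execute(); empty when no TLS section exists.
    private Optional<TigerTlsConfiguration> tlsConfiguration;
    // Set by determineServerRootCa() during execute(): the configured server root CA or a freshly generated one.
    private TigerPkiIdentity serverRootCa;
    // Only used to name the proxy in error messages.
    private final Optional<String> tigerProxyName;
    // Every server-side factory handed to the mock server is also collected here; not read within this class.
    private final List<KeyAndCertificateFactory> tlsFactories = new ArrayList<>();
    // true when no server root CA was configured and a generated one is in use (see determineServerRootCa()).
    private boolean usingGenericCa;

    /** Lombok-style builder for {@link MockServerTlsConfigurator}. */
    @Generated
    public static class MockServerTlsConfiguratorBuilder {

        @Generated
        private MockServerConfiguration mockServerConfiguration;

        @Generated
        private TigerProxyConfiguration tigerProxyConfiguration;

        @Generated
        private Optional<TigerTlsConfiguration> tlsConfiguration;

        @Generated
        private TigerPkiIdentity serverRootCa;

        @Generated
        private Optional<String> tigerProxyName;

        @Generated
        private boolean usingGenericCa;

        @Generated
        MockServerTlsConfiguratorBuilder() {
        }

        /** @param mockServerConfiguration the mock server configuration that receives the TLS settings */
        @Generated
        public MockServerTlsConfiguratorBuilder mockServerConfiguration(MockServerConfiguration mockServerConfiguration) {
            this.mockServerConfiguration = mockServerConfiguration;
            return this;
        }

        /** @param tigerProxyConfiguration the proxy configuration whose TLS section is applied */
        @Generated
        public MockServerTlsConfiguratorBuilder tigerProxyConfiguration(TigerProxyConfiguration tigerProxyConfiguration) {
            this.tigerProxyConfiguration = tigerProxyConfiguration;
            return this;
        }

        /** @param optional initial TLS configuration; overwritten by {@link MockServerTlsConfigurator#execute()} */
        @Generated
        public MockServerTlsConfiguratorBuilder tlsConfiguration(Optional<TigerTlsConfiguration> optional) {
            this.tlsConfiguration = optional;
            return this;
        }

        /** @param tigerPkiIdentity initial server root CA; overwritten by {@link MockServerTlsConfigurator#execute()} */
        @Generated
        public MockServerTlsConfiguratorBuilder serverRootCa(TigerPkiIdentity tigerPkiIdentity) {
            this.serverRootCa = tigerPkiIdentity;
            return this;
        }

        /** @param optional proxy name used in error messages */
        @Generated
        public MockServerTlsConfiguratorBuilder tigerProxyName(Optional<String> optional) {
            this.tigerProxyName = optional;
            return this;
        }

        /** @param z initial generic-CA flag; overwritten by {@link MockServerTlsConfigurator#execute()} */
        @Generated
        public MockServerTlsConfiguratorBuilder usingGenericCa(boolean z) {
            this.usingGenericCa = z;
            return this;
        }

        /** @return a configurator holding the values set on this builder */
        @Generated
        public MockServerTlsConfigurator build() {
            return new MockServerTlsConfigurator(this.mockServerConfiguration, this.tigerProxyConfiguration, this.tlsConfiguration, this.serverRootCa, this.tigerProxyName, this.usingGenericCa);
        }

        @Generated
        @Override
        public String toString() {
            return "MockServerTlsConfigurator.MockServerTlsConfiguratorBuilder(mockServerConfiguration=" + this.mockServerConfiguration + ", tigerProxyConfiguration=" + this.tigerProxyConfiguration + ", tlsConfiguration=" + this.tlsConfiguration + ", serverRootCa=" + this.serverRootCa + ", tigerProxyName=" + this.tigerProxyName + ", usingGenericCa=" + this.usingGenericCa + ")";
        }
    }

    /**
     * Applies the proxy's TLS configuration to the mock server configuration.
     *
     * <p>Order matters: the TLS section is read first, the root CA is determined next (it is needed by the
     * dynamic factories), then the key/certificate factories are installed and finally the SSL context
     * customizers and the master secret listener.
     */
    public void execute() {
        this.tlsConfiguration = Optional.ofNullable(this.tigerProxyConfiguration.getTls());
        this.serverRootCa = determineServerRootCa();
        this.mockServerConfiguration.serverKeyAndCertificateFactory(buildServerKeyAndCertificateFactory());
        this.mockServerConfiguration.clientKeyAndCertificateFactory(buildClientKeyAndCertificateFactory());
        customizeSslIfApplicable();
    }

    /**
     * Registers the server/client SSL context customizers and, when a master secrets file is configured,
     * a {@link TigerProxyMasterSecretListener} on the {@link TigerAgent}.
     */
    private void customizeSslIfApplicable() {
        customizeServerBuilderCustomizer();
        customizeClientBuilderCustomizer();
        customizeClientBuilderFunction();
        this.tlsConfiguration
                .map(TigerTlsConfiguration::getMasterSecretsFile)
                .ifPresent(masterSecretsFile ->
                        TigerAgent.addListener(new TigerProxyMasterSecretListener(masterSecretsFile)));
    }

    /**
     * Installs a client SSL context builder function that restricts the JDK's TLS named groups when
     * {@code clientSupportedGroups} is configured (non-empty). Does nothing otherwise.
     *
     * @throws TigerProxySslException (from the installed function) if the Netty SSL context cannot be built
     */
    private void customizeClientBuilderFunction() {
        boolean groupsConfigured = this.tlsConfiguration
                .map(TigerTlsConfiguration::getClientSupportedGroups)
                .filter(CollectionUtils::isNotEmpty)
                .isPresent();
        if (!groupsConfigured) {
            return;
        }
        this.mockServerConfiguration.clientSslContextBuilderFunction(sslContextBuilder -> {
            try {
                // NOTE: this is a JVM-wide system property, so it affects every JDK TLS engine in the
                // process (not only this proxy's client contexts) and is re-applied on every call.
                System.setProperty(SystemProperties.JDK_TLS_NAMED_GROUPS,
                        String.join(",", this.tlsConfiguration.get().getClientSupportedGroups()));
                // The property is only honoured by the JDK provider, hence it is forced here.
                sslContextBuilder.sslProvider(SslProvider.JDK);
                return sslContextBuilder.build();
            } catch (SSLException e) {
                throw new TigerProxySslException(
                        "Error while building SSL context in Tiger-Proxy " + this.tigerProxyName.orElse(""), e);
            }
        });
    }

    /**
     * Chooses the server-side key/certificate factory.
     *
     * <ul>
     *   <li>No static server identity configured: a dynamic factory (certificates issued under
     *       {@link #serverRootCa}).</li>
     *   <li>Static identity configured, generated root CA in use and
     *       {@code allowGenericFallbackIdentity} not set: the static identity only.</li>
     *   <li>Otherwise: a combined factory with the static identity first and the dynamic factory as fallback.</li>
     * </ul>
     *
     * The chosen factory is also recorded in {@link #tlsFactories}.
     *
     * @return the factory to hand to the mock server
     */
    private KeyAndCertificateFactory buildServerKeyAndCertificateFactory() {
        boolean allowGenericFallback = this.tlsConfiguration
                .map(TigerTlsConfiguration::isAllowGenericFallbackIdentity)
                .orElse(false);
        Optional<KeyAndCertificateFactory> staticFactory = generateStaticFactory();

        KeyAndCertificateFactory chosen;
        if (staticFactory.isEmpty()) {
            chosen = generateDynamicFactory();
        } else if (this.usingGenericCa && !allowGenericFallback) {
            // A generated CA is not trusted by anyone, so without explicit opt-in only the static identity is served.
            chosen = staticFactory.get();
        } else {
            chosen = new CombinedKeyAndCertificateFactory(staticFactory.get(), generateDynamicFactory());
        }
        this.tlsFactories.add(chosen);
        return chosen;
    }

    /**
     * Builds a static factory from {@code serverIdentity} (single identity, takes precedence) or
     * {@code serverIdentities} (list, may be empty).
     *
     * @return the static factory, or empty when neither is configured
     */
    private Optional<KeyAndCertificateFactory> generateStaticFactory() {
        if (this.tlsConfiguration.map(TigerTlsConfiguration::getServerIdentity).isPresent()) {
            List<TigerPkiIdentity> single = List.of(this.tlsConfiguration.get().getServerIdentity());
            return Optional.of(new StaticKeyAndCertificateFactory(single));
        }
        if (this.tlsConfiguration.map(TigerTlsConfiguration::getServerIdentities).isEmpty()) {
            return Optional.empty();
        }
        // Up-cast the configuration identities to the common TigerPkiIdentity type the factory expects.
        List<TigerPkiIdentity> identities = this.tlsConfiguration.get().getServerIdentities().stream()
                .map(TigerPkiIdentity.class::cast)
                .toList();
        return Optional.of(new StaticKeyAndCertificateFactory(identities));
    }

    /**
     * @return a dynamic factory bound to this proxy's configuration, the current {@link #serverRootCa} and
     *     the mock server configuration
     */
    private DynamicKeyAndCertificateFactory generateDynamicFactory() {
        return new DynamicKeyAndCertificateFactory(this.tigerProxyConfiguration, this.serverRootCa, this.mockServerConfiguration);
    }

    /**
     * Chooses the client-side (forwarding) key/certificate factory: the configured
     * {@code forwardMutualTlsIdentity} if present, otherwise a dynamic factory under the bundled
     * {@link #GENERIC_CLIENT_CA_IDENTITY}.
     *
     * @return the factory to hand to the mock server
     */
    private KeyAndCertificateFactory buildClientKeyAndCertificateFactory() {
        if (this.tlsConfiguration.map(TigerTlsConfiguration::getForwardMutualTlsIdentity).isPresent()) {
            return new StaticKeyAndCertificateFactory(
                    Collections.singletonList(this.tlsConfiguration.get().getForwardMutualTlsIdentity()));
        }
        return new DynamicKeyAndCertificateFactory(
                this.tigerProxyConfiguration,
                new TigerPkiIdentity(GENERIC_CLIENT_CA_IDENTITY),
                this.mockServerConfiguration);
    }

    /**
     * Registers the server SSL context customizer. Configured cipher suites and protocols are applied
     * verbatim (no validation happens here). With an OCSP signer identity, OCSP is enabled, the OCSP
     * response supplier is installed and the OPENSSL provider is selected; without one, the JDK provider
     * backed by BouncyCastle JSSE is used.
     */
    private void customizeServerBuilderCustomizer() {
        this.mockServerConfiguration.sslServerContextBuilderCustomizer(sslContextBuilder -> {
            this.tlsConfiguration
                    .map(TigerTlsConfiguration::getServerSslSuites)
                    .ifPresent(sslContextBuilder::ciphers);
            this.tlsConfiguration
                    .map(TigerTlsConfiguration::getServerTlsProtocols)
                    .ifPresent(sslContextBuilder::protocols);
            this.tlsConfiguration
                    .map(TigerTlsConfiguration::getOcspSignerIdentity)
                    .ifPresentOrElse(
                            ocspSigner -> {
                                sslContextBuilder.enableOcsp(true);
                                this.mockServerConfiguration.ocspResponseSupplier(
                                        certificate -> OcspUtils.buildOcspResponse(certificate, ocspSigner));
                                sslContextBuilder.sslProvider(SslProvider.OPENSSL);
                            },
                            () -> {
                                sslContextBuilder.sslProvider(SslProvider.JDK);
                                sslContextBuilder.sslContextProvider(new BouncyCastleJsseProvider());
                            });
            return sslContextBuilder;
        });
    }

    /**
     * Registers the client SSL context customizer: applies configured client cipher suites verbatim and
     * always selects the JDK provider.
     */
    private void customizeClientBuilderCustomizer() {
        this.mockServerConfiguration.sslClientContextBuilderCustomizer(sslContextBuilder -> {
            this.tlsConfiguration
                    .map(TigerTlsConfiguration::getClientSslSuites)
                    .ifPresent(sslContextBuilder::ciphers);
            sslContextBuilder.sslProvider(SslProvider.JDK);
            return sslContextBuilder;
        });
    }

    /**
     * Returns the configured server root CA, or generates a new one when none (or no TLS section at all)
     * is configured, and sets {@link #usingGenericCa} accordingly.
     *
     * <p>Reads through {@link #tlsConfiguration} (set by {@link #execute()} beforehand) rather than
     * {@code getTls()} directly, so a missing TLS section yields a generated CA instead of a
     * {@link NullPointerException}.
     *
     * @return the root CA used for dynamically issued server certificates
     */
    private TigerPkiIdentity determineServerRootCa() {
        Optional<TigerPkiIdentity> configuredRootCa =
                this.tlsConfiguration.<TigerPkiIdentity>map(TigerTlsConfiguration::getServerRootCa);
        this.usingGenericCa = configuredRootCa.isEmpty();
        return configuredRootCa.orElseGet(TlsCertificateGenerator::generateNewCaCertificate);
    }

    /** @return a new builder with all fields unset */
    @Generated
    public static MockServerTlsConfiguratorBuilder builder() {
        return new MockServerTlsConfiguratorBuilder();
    }

    @Generated
    @ConstructorProperties({"mockServerConfiguration", "tigerProxyConfiguration", "tlsConfiguration", "serverRootCa", "tigerProxyName", "usingGenericCa"})
    private MockServerTlsConfigurator(MockServerConfiguration mockServerConfiguration, TigerProxyConfiguration tigerProxyConfiguration, Optional<TigerTlsConfiguration> optional, TigerPkiIdentity tigerPkiIdentity, Optional<String> optional2, boolean z) {
        this.mockServerConfiguration = mockServerConfiguration;
        this.tigerProxyConfiguration = tigerProxyConfiguration;
        this.tlsConfiguration = optional;
        this.serverRootCa = tigerPkiIdentity;
        this.tigerProxyName = optional2;
        this.usingGenericCa = z;
    }

    /**
     * @return the server root CA; the builder value until {@link #execute()} has run, afterwards the
     *     configured or generated CA
     */
    @Generated
    public TigerPkiIdentity getServerRootCa() {
        return this.serverRootCa;
    }
}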
