package dev.dsf.common.jetty;

import de.rwh.utils.crypto.CertificateHelper;
import de.rwh.utils.crypto.io.CertificateReader;
import de.rwh.utils.crypto.io.PemIo;
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.UUID;
import java.util.function.BiFunction;
import java.util.stream.Stream;
import org.bouncycastle.pkcs.PKCSException;
import org.eclipse.jetty.http.HttpVersion;
import org.eclipse.jetty.server.ConnectionFactory;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.ForwardedRequestCustomizer;
import org.eclipse.jetty.server.HttpConfiguration;
import org.eclipse.jetty.server.HttpConnectionFactory;
import org.eclipse.jetty.server.SecureRequestCustomizer;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.ServerConnector;
import org.eclipse.jetty.server.SslConnectionFactory;
import org.eclipse.jetty.util.resource.Resource;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:dev/dsf/common/jetty/AbstractJettyConfig.class */
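/**
 * Base {@link JettyConfig} implementation: builds the status connector, provides the http / https
 * connector factories and assembles in-memory key and trust stores from the configured PEM / CER paths.
 * <p>
 * Subclasses supply the individual property getters declared in {@link JettyConfig}.
 */
public abstract class AbstractJettyConfig implements JettyConfig {
    private static final Logger logger = LoggerFactory.getLogger(AbstractJettyConfig.class);

    /** Strategy that builds the main connector, typically {@link #httpConnector()} or {@link #httpsConnector()}. */
    private final BiFunction<JettyConfig, Server, Connector> connectorFactory;

    /**
     * @param connectorFactory factory returned by {@link #getConnectorFactory()}; not validated here, a
     *        {@code null} value only fails once the factory is used
     */
    public AbstractJettyConfig(BiFunction<JettyConfig, Server, Connector> connectorFactory) {
        this.connectorFactory = connectorFactory;
    }

    @Override
    public BiFunction<JettyConfig, Server, Connector> getConnectorFactory() {
        return connectorFactory;
    }

    /**
     * Creates the plain-HTTP status connector bound to the configured status host and port. No
     * forwarded-header or TLS customizers are applied, only the hardened {@link HttpConfiguration}.
     *
     * @param server server the connector belongs to
     * @return the configured, not yet started connector
     * @throws RuntimeException the exception supplied by {@link JettyConfig#propertyNotDefined(String)} if
     *         status host or status port is not configured
     */
    @Override
    public final Connector createStatusConnector(Server server) {
        ServerConnector connector = new ServerConnector(server, httpConnectionFactory());
        connector.setHost(getStatusHost().orElseThrow(JettyConfig.propertyNotDefined(JettyConfig.PROPERTY_JETTY_STATUS_HOST)));
        connector.setPort(getStatusPort().orElseThrow(JettyConfig.propertyNotDefined(JettyConfig.PROPERTY_JETTY_STATUS_PORT)));
        return connector;
    }

    /**
     * Collects every jetty property as {@code key -> value}; absent optional values are stored as
     * {@code null}.
     * <p>
     * The map contains secrets in clear text (private-key passwords, the OIDC client secret), so it must not
     * be logged or exposed verbatim.
     *
     * @return mutable map of all property values, never {@code null}
     */
    @Override
    public Map<String, String> getAllProperties() {
        Map<String, String> properties = new HashMap<>();
        properties.put(JettyConfig.PROPERTY_JETTY_STATUS_HOST, getStatusHost().orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_STATUS_PORT, asString(getStatusPort()));
        properties.put(JettyConfig.PROPERTY_JETTY_HOST, getHost().orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_PORT, asString(getPort()));
        properties.put(JettyConfig.PROPERTY_JETTY_CONTEXT_PATH, getContextPath().orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_SERVER_CERTIFICATE, asString(getServerCertificatePath()));
        properties.put(JettyConfig.PROPERTY_JETTY_SERVER_CERTIFICATE_CHAIN, asString(getServerCertificateChainPath()));
        properties.put(JettyConfig.PROPERTY_JETTY_SERVER_CERTIFICATE_PRIVATE_KEY, asString(getServerCertificatePrivateKeyPath()));
        // String.valueOf(char[]) yields the password characters themselves, not an array identity string.
        properties.put(JettyConfig.PROPERTY_JETTY_SERVER_CERTIFICATE_PRIVATE_KEY_PASSWORD,
                getServerCertificatePrivateKeyPassword().map(String::valueOf).orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_CLIENT_TRUST_CERTIFICATES, asString(getClientTrustCertificatesPath()));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_CLIENT_CERTIFICATE_HEADER_NAME, getClientCertificateHeaderName().orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_PROVIDER_BASE_URL, getOidcProviderBaseUrl().orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_PROVIDER_CLIENT_CONNECT_TIMEOUT, asString(getOidcProviderClientConnectTimeout()));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_PROVIDER_CLIENT_IDLE_TIMEOUT, asString(getOidcProviderClientIdleTimeout()));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_PROVIDER_CLIENT_TRUST_CERTIFICATES, asString(getOidcProviderClientTrustCertificatesPath()));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE, asString(getOidcProviderClientCertificatePath()));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY, asString(getOidcProviderClientCertificatePrivateKeyPath()));
        // Same char[] -> String conversion as for the server key password above.
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_PROVIDER_CLIENT_CERTIFICATE_PRIVATE_KEY_PASSWORD,
                getOidcProviderClientCertificatePrivateKeyPassword().map(String::valueOf).orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_PROVIDER_CLIENT_PROXY_URL, asString(getOidcProviderClientProxyUrl()));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_CLIENT_ID, getOidcClientId().orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_CLIENT_SECRET, getOidcClientSecret().orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_SSO_BACK_CHANNEL_LOGOUT, String.valueOf(getOidcSsoBackChannelLogoutEnabled()));
        properties.put(JettyConfig.PROPERTY_JETTY_AUTH_OIDC_SSO_BACK_CHANNEL_LOGOUT_PATH, getOidcSsoBackChannelPath().orElse(null));
        properties.put(JettyConfig.PROPERTY_JETTY_LOG4J_CONFIG, asString(getLog4JConfigPath()));
        return properties;
    }

    /**
     * Renders an optional value via {@code String.valueOf(Object)} (i.e. its {@code toString()}), or
     * {@code null} when absent. Not suitable for {@code char[]} secrets, which need the {@code char[]}
     * overload.
     */
    private static String asString(Optional<?> value) {
        return value.map(String::valueOf).orElse(null);
    }

    /**
     * Factory for a plain-HTTP connector bound to the configured host and port. The connector applies
     * Jetty's {@link ForwardedRequestCustomizer} and a {@link ForwardedSecureRequestCustomizer} that reads
     * the client certificate from the configured header name, presumably for deployments behind a
     * TLS-terminating reverse proxy.
     *
     * @return factory; invoking it fails with the exception supplied by
     *         {@link JettyConfig#propertyNotDefined(String)} if header name, host or port is not configured
     */
    public static final BiFunction<JettyConfig, Server, Connector> httpConnector() {
        return (jettyConfig, server) -> {
            String clientCertificateHeaderName = jettyConfig.getClientCertificateHeaderName()
                    .orElseThrow(JettyConfig.propertyNotDefined(JettyConfig.PROPERTY_JETTY_AUTH_CLIENT_CERTIFICATE_HEADER_NAME));
            ServerConnector connector = new ServerConnector(server, httpConnectionFactory(new ForwardedRequestCustomizer(),
                    new ForwardedSecureRequestCustomizer(clientCertificateHeaderName)));
            connector.setHost(jettyConfig.getHost().orElseThrow(JettyConfig.propertyNotDefined(JettyConfig.PROPERTY_JETTY_HOST)));
            connector.setPort(jettyConfig.getPort().orElseThrow(JettyConfig.propertyNotDefined(JettyConfig.PROPERTY_JETTY_PORT)));
            return connector;
        };
    }

    /**
     * Creates an HTTP/1.1 connection factory whose configuration suppresses the {@code Server},
     * {@code X-Powered-By} and {@code Date} response headers, then registers the given customizers.
     *
     * @param customizers customizers added in order, may be empty
     */
    private static HttpConnectionFactory httpConnectionFactory(HttpConfiguration.Customizer... customizers) {
        HttpConfiguration httpConfiguration = new HttpConfiguration();
        // Avoid advertising implementation details in every response.
        httpConfiguration.setSendServerVersion(false);
        httpConfiguration.setSendXPoweredBy(false);
        httpConfiguration.setSendDateHeader(false);
        Arrays.stream(customizers).forEach(httpConfiguration::addCustomizer);
        return new HttpConnectionFactory(httpConfiguration);
    }

    /**
     * Factory for an HTTPS connector bound to the configured host and port. TLS uses the server key store
     * built from the configured certificate / private key and the client trust store; a client certificate
     * is required when no OIDC config is present and merely requested otherwise.
     *
     * @return factory; invoking it fails with the exceptions supplied by
     *         {@link JettyConfig#propertyNotDefined(String)} / {@code propertiesNotDefined} if trust
     *         certificates, server certificate / private key, host or port are not configured
     */
    public static final BiFunction<JettyConfig, Server, Connector> httpsConnector() {
        // One random password per factory protects the in-memory key store; the lambda captures it so the
        // same value is used to create and to open the store.
        char[] keyStorePassword = UUID.randomUUID().toString().toCharArray();
        return (jettyConfig, server) -> {
            KeyStore trustStore = jettyConfig.getClientTrustStore()
                    .orElseThrow(JettyConfig.propertyNotDefined(JettyConfig.PROPERTY_JETTY_AUTH_CLIENT_TRUST_CERTIFICATES));
            KeyStore keyStore = jettyConfig.getServerKeyStore(keyStorePassword)
                    .orElseThrow(JettyConfig.propertiesNotDefined(JettyConfig.PROPERTY_JETTY_SERVER_CERTIFICATE,
                            JettyConfig.PROPERTY_JETTY_SERVER_CERTIFICATE_PRIVATE_KEY));
            // Without OIDC, mutual TLS is mandatory (needClientAuth); with OIDC it is optional (wantClientAuth).
            boolean needClientAuth = jettyConfig.getOidcConfig() == null;
            ServerConnector connector = new ServerConnector(server,
                    sslConnectionFactory(trustStore, keyStore, keyStorePassword, needClientAuth),
                    httpConnectionFactory(new SecureRequestCustomizer()));
            connector.setHost(jettyConfig.getHost().orElseThrow(JettyConfig.propertyNotDefined(JettyConfig.PROPERTY_JETTY_HOST)));
            connector.setPort(jettyConfig.getPort().orElseThrow(JettyConfig.propertyNotDefined(JettyConfig.PROPERTY_JETTY_PORT)));
            return connector;
        };
    }

    /**
     * Builds the TLS connection factory for HTTP/1.1 from in-memory stores.
     *
     * @param trustStore CA certificates accepted for client authentication
     * @param keyStore server certificate and private key
     * @param keyStorePassword password protecting {@code keyStore}
     * @param needClientAuth {@code true} to reject connections without a client certificate, {@code false}
     *        to only request one
     */
    private static SslConnectionFactory sslConnectionFactory(KeyStore trustStore, KeyStore keyStore, char[] keyStorePassword,
            boolean needClientAuth) {
        logCertificateConfig(trustStore, keyStore);
        SslContextFactory.Server sslContextFactory = new SslContextFactory.Server() {
            // The trust store is set as an object, not as a resource path, so hand back the configured
            // instance instead of letting Jetty (re)load it from a Resource.
            @Override
            protected KeyStore loadTrustStore(Resource resource) throws Exception {
                return getTrustStore();
            }
        };
        sslContextFactory.setKeyStore(keyStore);
        sslContextFactory.setKeyStorePassword(String.valueOf(keyStorePassword));
        sslContextFactory.setTrustStore(trustStore);
        if (needClientAuth) {
            sslContextFactory.setNeedClientAuth(true);
        } else {
            sslContextFactory.setWantClientAuth(true);
        }
        return new SslConnectionFactory(sslContextFactory, HttpVersion.HTTP_1_1.asString());
    }

    /**
     * Reads all certificates from the given CER file into a trust store.
     *
     * @throws RuntimeException wrapping the underlying I/O / key store / certificate error
     */
    private KeyStore readTrustStore(Path path) {
        try {
            return CertificateReader.allFromCer(path);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            logger.warn("Error while reading trust store from {}: {} - {}", path, e.getClass().getName(), e.getMessage());
            throw new RuntimeException("Error while reading trust store from " + path, e);
        }
    }

    /**
     * Assembles a key store holding the private key and the certificate (plus optional chain) under a
     * random alias.
     *
     * @param certificatePath PEM encoded end-entity certificate
     * @param chainPath optional file with additional chain certificates, parsed with an X509
     *        {@link CertificateFactory}; {@code null} to skip
     * @param privateKeyPath PEM encoded private key
     * @param privateKeyPassword password of the private key, {@code null} when none is configured (passed
     *        through to {@code PemIo})
     * @param keyStorePassword password for the resulting key store
     * @throws RuntimeException wrapping the underlying I/O / crypto error
     */
    private KeyStore readKeyStore(Path certificatePath, Path chainPath, Path privateKeyPath, char[] privateKeyPassword,
            char[] keyStorePassword) {
        try {
            PrivateKey privateKey = PemIo.readPrivateKeyFromPem(privateKeyPath, privateKeyPassword);
            X509Certificate certificate = PemIo.readX509CertificateFromPem(certificatePath);
            List<Certificate> certificates = new ArrayList<>();
            certificates.add(certificate);
            if (chainPath != null) {
                // try-with-resources: the stream is closed on the error path as well.
                try (InputStream in = Files.newInputStream(chainPath)) {
                    certificates.addAll(CertificateFactory.getInstance("X509").generateCertificates(in));
                }
            }
            return CertificateHelper.toJksKeyStore(privateKey, certificates.toArray(Certificate[]::new),
                    UUID.randomUUID().toString(), keyStorePassword);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException | PKCSException e) {
            throw new RuntimeException("Error while reading key store from " + certificatePath + ", " + privateKeyPath, e);
        }
    }

    /**
     * @return trust store read from the client trust certificates path, empty if no path is configured;
     *         read errors surface as {@link RuntimeException}
     */
    @Override
    public Optional<KeyStore> getClientTrustStore() {
        return getClientTrustCertificatesPath().map(this::readTrustStore);
    }

    /**
     * @param keyStorePassword password for the returned key store
     * @return key store built from server certificate, optional chain and private key; empty if certificate
     *         or private key path is not configured
     */
    @Override
    public Optional<KeyStore> getServerKeyStore(char[] keyStorePassword) {
        var certificatePath = getServerCertificatePath();
        var privateKeyPath = getServerCertificatePrivateKeyPath();
        if (certificatePath.isEmpty() || privateKeyPath.isEmpty()) {
            return Optional.empty();
        }
        return Optional.of(readKeyStore(certificatePath.get(), getServerCertificateChainPath().orElse(null), privateKeyPath.get(),
                getServerCertificatePrivateKeyPassword().orElse(null), keyStorePassword));
    }

    /**
     * @return trust store read from the OIDC provider client trust certificates path, empty if no path is
     *         configured; read errors surface as {@link RuntimeException}
     */
    @Override
    public Optional<KeyStore> getOidcProviderClientTrustStore() {
        return getOidcProviderClientTrustCertificatesPath().map(this::readTrustStore);
    }

    /**
     * @param keyStorePassword password for the returned key store
     * @return key store built from the OIDC provider client certificate and private key; empty if
     *         certificate or private key path is not configured
     */
    @Override
    public Optional<KeyStore> getOidcProviderClientKeyStore(char[] keyStorePassword) {
        var certificatePath = getOidcProviderClientCertificatePath();
        var privateKeyPath = getOidcProviderClientCertificatePrivateKeyPath();
        if (certificatePath.isEmpty() || privateKeyPath.isEmpty()) {
            return Optional.empty();
        }
        // NOTE(review): the chain comes from the *server* certificate chain property, not from an OIDC client
        // property; confirm this is intended and not a copy-paste of getServerKeyStore.
        return Optional.of(readKeyStore(certificatePath.get(), getServerCertificateChainPath().orElse(null), privateKeyPath.get(),
                getOidcProviderClientCertificatePrivateKeyPassword().orElse(null), keyStorePassword));
    }

    /**
     * Logs the certificate subjects of both stores at debug level; a {@link KeyStoreException} while
     * listing is logged as a warning and aborts the remaining output.
     */
    private static void logCertificateConfig(KeyStore trustStore, KeyStore keyStore) {
        if (!logger.isDebugEnabled()) {
            return;
        }
        try {
            if (trustStore != null) {
                logger.debug("Using trust store for https connector with: {}", CertificateHelper.listCertificateSubjectNames(trustStore));
            }
            if (keyStore != null) {
                logger.debug("Using key store for https connector with: {}", CertificateHelper.listCertificateSubjectNames(keyStore));
            }
        } catch (KeyStoreException e) {
            logger.warn("Error while printing trust store / key store config", e);
        }
    }
}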
