package org.apache.synapse.transport.netty.sender;

import java.util.ArrayList;
import java.util.List;
import java.util.Objects;
import javax.xml.namespace.QName;
import org.apache.axiom.om.OMElement;
import org.apache.axis2.AxisFault;
import org.apache.axis2.description.TransportOutDescription;
import org.apache.axis2.transport.base.ParamUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.sandesha2.Sandesha2Constants;
import org.apache.synapse.transport.netty.BridgeConstants;
import org.apache.synapse.transport.netty.config.TargetConfiguration;
import org.apache.synapse.transport.nhttp.util.SecureVaultValueReader;
import org.wso2.securevault.SecretResolver;
import org.wso2.transport.http.netty.contract.config.Parameter;
import org.wso2.transport.http.netty.contract.config.SslConfiguration;

/* loaded from: input_file:WEB-INF/lib/synapse-nhttp-transport-4.0.0-wso2v47.jar:org/apache/synapse/transport/netty/sender/ClientSSLConfigurationBuilder.class */
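/**
 * Collects the outbound (client-side) TLS settings of a transport sender and applies them to an
 * {@link SslConfiguration}.
 *
 * <p>Typical use is {@link #parseSSL} followed by {@link #setClientSSLConfig}. The builder is
 * stateful: every call to {@code parseSSL} appends to {@code clientParamList}, so one instance
 * should be used per transport description.
 *
 * <p>Security-relevant defaults visible in this class:
 * <ul>
 *   <li>Hostname verification stays off unless the {@code HOSTNAME_VERIFIER} parameter enables it.</li>
 *   <li>Server certificate validation is skipped when {@code NO_VALIDATE_CERT} is true and no
 *       trust store element is configured; a warning is logged in that case.</li>
 *   <li>Revocation checking is only requested when the {@code CLIENT_REVOCATION} parameter carries
 *       {@code enable="true"}.</li>
 * </ul>
 */
public class ClientSSLConfigurationBuilder {
    private static final Log LOG = LogFactory.getLog(ClientSSLConfigurationBuilder.class);
    private String keyStore;
    // Store and key passwords resolved through SecureVaultValueReader; never log these fields.
    private String keyStorePass;
    private String certPass;
    private String trustStore;
    private String trustStorePass;
    // Taken from the KeyStore "Type" element only; the TrustStore "Type" element is not consumed.
    private String tlsStoreType;
    private boolean validateCertEnabled;
    private int cacheValidityPeriod;
    private int cacheSize;
    private int sessionTimeOut;
    private long handshakeTimeOut;
    private boolean disableCertValidation;
    private String sslProtocol = "TLS";
    private boolean hostnameVerifier = false;
    List<Parameter> clientParamList = new ArrayList<>();

    /**
     * Copies the parsed settings onto the given transport SSL configuration.
     *
     * <p>When certificate validation was disabled during parsing, only the key store settings are
     * applied and {@code disableSsl()} is called; trust store, protocol, revocation, timeout,
     * cipher and hostname-verification settings are not applied in that case.
     *
     * @param sslConfiguration the configuration object to populate
     */
    public void setClientSSLConfig(SslConfiguration sslConfiguration) {
        sslConfiguration.setKeyStoreFile(this.keyStore);
        sslConfiguration.setKeyStorePass(this.keyStorePass);
        sslConfiguration.setCertPass(this.certPass);
        sslConfiguration.setTLSStoreType(this.tlsStoreType);
        if (this.disableCertValidation) {
            // NOTE(review): presumably this turns off server certificate validation in the
            // underlying transport rather than TLS itself - confirm against SslConfiguration.
            sslConfiguration.disableSsl();
            return;
        }
        sslConfiguration.setTrustStoreFile(this.trustStore);
        sslConfiguration.setTrustStorePass(this.trustStorePass);
        sslConfiguration.setSSLProtocol(this.sslProtocol);
        if (this.validateCertEnabled) {
            sslConfiguration.setValidateCertEnabled(true);
            // Non-positive values are not forwarded, leaving whatever the transport already has.
            if (this.cacheValidityPeriod > 0) {
                sslConfiguration.setCacheValidityPeriod(this.cacheValidityPeriod);
            }
            if (this.cacheSize > 0) {
                sslConfiguration.setCacheSize(this.cacheSize);
            }
        }
        // Timeouts are forwarded unconditionally, including 0 when nothing valid was configured.
        sslConfiguration.setSslSessionTimeOut(this.sessionTimeOut);
        sslConfiguration.setSslHandshakeTimeOut(this.handshakeTimeOut);
        sslConfiguration.setParameters(this.clientParamList);
        sslConfiguration.setHostNameVerificationEnabled(this.hostnameVerifier);
    }

    /**
     * Reads the TLS-related parameters of the transport-out description into this builder.
     *
     * <p>The key store is mandatory. If certificate validation is disabled (see
     * {@link #isCertValidationDisabled}), parsing stops after the key store and a warning is logged.
     *
     * @param targetConfiguration source of the secret resolver used for password lookup
     * @param transportOutDescription transport description holding the TLS parameters
     * @return this builder
     * @throws AxisFault if a mandatory key store or trust store element is missing
     */
    public ClientSSLConfigurationBuilder parseSSL(TargetConfiguration targetConfiguration, TransportOutDescription transportOutDescription) throws AxisFault {
        SecretResolver secretResolver = targetConfiguration.getConfigurationContext().getAxisConfiguration().getSecretResolver();
        populateKeyStoreConfigs(transportOutDescription.getParameter(BridgeConstants.KEY_STORE), secretResolver);
        org.apache.axis2.description.Parameter trustStoreParam = transportOutDescription.getParameter(BridgeConstants.TRUST_STORE);
        boolean noValidateCert = ParamUtils.getOptionalParamBoolean(transportOutDescription, BridgeConstants.NO_VALIDATE_CERT, false);
        if (isCertValidationDisabled(noValidateCert, trustStoreParam)) {
            if (LOG.isWarnEnabled()) {
                LOG.warn("Server certificate validation (trust) has been disabled.");
            }
            this.disableCertValidation = true;
            return this;
        }
        populateTrustStoreConfigs(trustStoreParam, secretResolver, noValidateCert);
        populateProtocolConfigs(transportOutDescription.getParameter(BridgeConstants.SSL_PROTOCOL), transportOutDescription.getParameter(BridgeConstants.HTTPS_PROTOCOL));
        populateCertValidationConfigs(transportOutDescription.getParameter(BridgeConstants.CLIENT_REVOCATION));
        populateCiphersConfigs(transportOutDescription.getParameter("PreferredCiphers"));
        populateTimeoutConfigs(transportOutDescription.getParameter(BridgeConstants.SSL_SESSION_TIMEOUT), transportOutDescription.getParameter(BridgeConstants.SSL_HANDSHAKE_TIMEOUT));
        populateHostnameVerifierConfigs(transportOutDescription.getParameter(BridgeConstants.HOSTNAME_VERIFIER));
        return this;
    }

    /**
     * Decides whether server certificate validation is switched off.
     *
     * <p>A configured trust store element always wins: the no-validate flag only takes effect
     * when the trust store parameter is absent or has no child element.
     */
    private boolean isCertValidationDisabled(boolean noValidateCert, org.apache.axis2.description.Parameter trustStoreParam) {
        boolean trustStoreConfigured = trustStoreParam != null
                && trustStoreParam.getParameterElement().getFirstElement() != null;
        return !trustStoreConfigured && noValidateCert;
    }

    /**
     * Reads key store location, type and passwords.
     *
     * @throws AxisFault if the key store element, its location, its Password or its KeyPassword
     *     element is missing
     */
    private void populateKeyStoreConfigs(org.apache.axis2.description.Parameter parameter, SecretResolver secretResolver) throws AxisFault {
        OMElement keyStoreElement = null;
        if (parameter != null) {
            keyStoreElement = parameter.getParameterElement().getFirstElement();
        }
        if (keyStoreElement == null) {
            throw new AxisFault("KeyStore must be provided for secure connection");
        }
        OMElement locationElement = keyStoreElement.getFirstChildWithName(new QName("Location"));
        OMElement typeElement = keyStoreElement.getFirstChildWithName(new QName("Type"));
        OMElement passwordElement = keyStoreElement.getFirstChildWithName(new QName("Password"));
        OMElement keyPasswordElement = keyStoreElement.getFirstChildWithName(new QName(BridgeConstants.KEY_PASSWORD));
        if (Objects.nonNull(locationElement)) {
            this.keyStore = locationElement.getText();
        }
        if (Objects.isNull(this.keyStore) || this.keyStore.isEmpty()) {
            throw new AxisFault("KeyStore file location must be provided for secure connection");
        }
        if (Objects.nonNull(typeElement)) {
            this.tlsStoreType = typeElement.getText();
        }
        if (passwordElement == null) {
            throw new AxisFault("Cannot proceed because Password element is missing in KeyStore");
        }
        if (keyPasswordElement == null) {
            throw new AxisFault("Cannot proceed because KeyPassword element is missing in KeyStore");
        }
        this.keyStorePass = SecureVaultValueReader.getSecureVaultValue(secretResolver, passwordElement);
        this.certPass = SecureVaultValueReader.getSecureVaultValue(secretResolver, keyPasswordElement);
    }

    /**
     * Reads trust store location and password.
     *
     * <p>A missing Location element is reported as an {@link AxisFault} instead of surfacing as a
     * {@code NullPointerException}. The Type element is not read: its value was never stored, so
     * the only store type handed to the transport is the key store's.
     *
     * @param noValidateCert value of the no-validate flag, used only to warn that it is ignored
     * @throws AxisFault if the trust store element, its location or its Password element is missing
     */
    private void populateTrustStoreConfigs(org.apache.axis2.description.Parameter parameter, SecretResolver secretResolver, boolean noValidateCert) throws AxisFault {
        OMElement trustStoreElement = null;
        if (parameter != null) {
            trustStoreElement = parameter.getParameterElement().getFirstElement();
        }
        if (trustStoreElement == null) {
            throw new AxisFault("If server certification validation (novalidatecert) parameter is not configured to true, Truststore should be specified for secure connection");
        }
        if (noValidateCert && LOG.isWarnEnabled()) {
            LOG.warn("Ignoring novalidatecert parameter since a truststore has been specified");
        }
        OMElement locationElement = trustStoreElement.getFirstChildWithName(new QName("Location"));
        if (Objects.isNull(locationElement) || locationElement.getText().isEmpty()) {
            throw new AxisFault("TrustStore file location must be provided for secure connection");
        }
        this.trustStore = locationElement.getText();
        OMElement passwordElement = trustStoreElement.getFirstChildWithName(new QName("Password"));
        if (Objects.isNull(passwordElement)) {
            throw new AxisFault("Cannot proceed because Password element is missing in TrustStore");
        }
        this.trustStorePass = SecureVaultValueReader.getSecureVaultValue(secretResolver, passwordElement);
    }

    /**
     * Reads the SSL protocol name and the list of enabled protocol versions.
     *
     * <p>Whitespace is stripped from the enabled-protocols text before it is stored under the
     * {@code sslEnabledProtocols} key. The values themselves are not validated here, so legacy
     * protocol versions named in configuration are passed through unchanged.
     */
    private void populateProtocolConfigs(org.apache.axis2.description.Parameter parameter, org.apache.axis2.description.Parameter parameter2) {
        if (Objects.nonNull(parameter) && Objects.nonNull(parameter.getValue())) {
            String protocol = parameter.getValue().toString();
            if (!protocol.isEmpty()) {
                this.sslProtocol = protocol;
            }
        }
        if (Objects.isNull(parameter2) || Objects.isNull(parameter2.getParameterElement())) {
            return;
        }
        String enabledProtocols = parameter2.getParameterElement().getText().replaceAll("\\s", "");
        if (!enabledProtocols.isEmpty()) {
            this.clientParamList.add(new Parameter("sslEnabledProtocols", enabledProtocols));
        }
    }

    /**
     * Reads the certificate revocation settings.
     *
     * <p>Revocation checking is enabled only when the parameter element carries
     * {@code enable="true"} (case-insensitive). Cache size and cache delay are parsed
     * independently; a missing or non-numeric value is logged and skipped rather than silently
     * discarding both values.
     */
    private void populateCertValidationConfigs(org.apache.axis2.description.Parameter parameter) {
        if (Objects.isNull(parameter) || Objects.isNull(parameter.getParameterElement())) {
            return;
        }
        OMElement revocationElement = parameter.getParameterElement();
        // getAttributeValue returns null for an absent attribute, which equalsIgnoreCase rejects.
        if (!"true".equalsIgnoreCase(revocationElement.getAttributeValue(new QName("enable")))) {
            return;
        }
        this.validateCertEnabled = true;
        Integer size = readOptionalInt(revocationElement, BridgeConstants.CACHE_SIZE);
        Integer delay = readOptionalInt(revocationElement, BridgeConstants.CACHE_DELAY);
        if (Objects.nonNull(delay) && delay != 0) {
            this.cacheValidityPeriod = delay;
        }
        if (Objects.nonNull(size) && size != 0) {
            this.cacheSize = size;
        }
    }

    /** Returns the integer text of the named child, or {@code null} if it is absent or not a number. */
    private static Integer readOptionalInt(OMElement parent, String childName) {
        OMElement child = parent.getFirstChildWithName(new QName(childName));
        if (Objects.isNull(child)) {
            return null;
        }
        String text = child.getText();
        try {
            return Integer.valueOf(text);
        } catch (NumberFormatException e) {
            LOG.warn("Invalid number found for " + childName + " : " + text + ". Hence, ignoring the value");
            return null;
        }
    }

    /**
     * Reads the preferred cipher list, strips all whitespace and stores it under the
     * {@code ciphers} key. Cipher names are not validated here.
     */
    private void populateCiphersConfigs(org.apache.axis2.description.Parameter parameter) {
        if (Objects.isNull(parameter) || Objects.isNull(parameter.getParameterElement())) {
            return;
        }
        String ciphers = parameter.getParameterElement().getText().replaceAll("\\s", "");
        if (!ciphers.isEmpty()) {
            this.clientParamList.add(new Parameter("ciphers", ciphers));
        }
    }

    /**
     * Reads the SSL session and handshake timeouts; only positive integers are accepted.
     *
     * <p>NOTE(review): the warnings mention defaults of 86400s and 10s, but this class leaves the
     * field at 0 and still forwards it - confirm the transport treats 0 as "use the default".
     */
    private void populateTimeoutConfigs(org.apache.axis2.description.Parameter parameter, org.apache.axis2.description.Parameter parameter2) {
        if (Objects.nonNull(parameter) && Objects.nonNull(parameter.getParameterElement())) {
            String sessionText = parameter.getParameterElement().getText();
            try {
                int seconds = Integer.parseInt(sessionText);
                if (seconds > 0) {
                    this.sessionTimeOut = seconds;
                } else {
                    LOG.warn("SessionTimeout should be a valid positive number. But found : " + sessionText + ". Hence, using the default value of 86400s/24h");
                }
            } catch (NumberFormatException e) {
                LOG.warn("Invalid number found for SSL SessionTimeout : " + sessionText + ". Hence, using the default value of 86400s/24h");
            }
        }
        if (Objects.nonNull(parameter2) && Objects.nonNull(parameter2.getParameterElement())) {
            String handshakeText = parameter2.getParameterElement().getText();
            try {
                int seconds = Integer.parseInt(handshakeText);
                if (seconds > 0) {
                    this.handshakeTimeOut = seconds;
                } else {
                    LOG.warn("HandshakeTimeout should be a valid positive number. But found : " + handshakeText + ". Hence, using the default value of 10s");
                }
            } catch (NumberFormatException e) {
                LOG.warn("Invalid number found for ssl handshakeTimeout : " + handshakeText + ". Hence, using the default value of 10s");
            }
        }
    }

    /**
     * Enables hostname verification when the parameter text matches the expected value
     * (case-insensitive); otherwise the field keeps its default of {@code false}.
     *
     * <p>NOTE(review): the expected value comes from a Sandesha2 constant, which looks unrelated
     * to TLS configuration - confirm its value is the intended literal.
     */
    private void populateHostnameVerifierConfigs(org.apache.axis2.description.Parameter parameter) {
        if (Objects.nonNull(parameter) && Objects.nonNull(parameter.getParameterElement()) && Sandesha2Constants.Assertions.ELEM_ENABLED.equalsIgnoreCase(parameter.getParameterElement().getText())) {
            this.hostnameVerifier = true;
        }
    }
}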
