package io.cellery.security.cell.sts.server.core.validators;

import io.cellery.security.cell.sts.server.core.CellStsUtils;
import io.cellery.security.cell.sts.server.core.service.CelleryCellSTSException;
import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Collection;
import java.util.List;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import org.apache.commons.lang.StringUtils;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;

/* loaded from: input_file:io/cellery/security/cell/sts/server/core/validators/CelleryTrustManager.class */
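/**
 * {@link X509TrustManager} that accepts a peer chain when either the JVM's default trust
 * store or a directory of PEM-encoded trust anchors (see {@link #trustCertsLocation}) can
 * validate it.
 *
 * <p>Trust decisions are evaluated in that order: the default trust manager is consulted
 * first and the PEM-backed one only when the default rejects the chain. The PEM-backed
 * trust manager is built from a fresh in-memory {@link KeyStore} at construction time;
 * each {@code .pem} file in the directory may hold one or more certificates, and every
 * certificate gets its own alias (subject DN + serial number) so that anchors sharing an
 * issuer do not overwrite each other.
 *
 * <p>When the {@code VALIDATE_SERVER_CERT} variable is not {@code true}, both
 * {@link #checkClientTrusted} and {@link #checkServerTrusted} return without performing any
 * validation, i.e. every chain is accepted. This is an explicit configuration switch and
 * is logged at construction time.
 *
 * <p>Instances are effectively immutable after construction; the delegate trust managers
 * are thread-safe, so this class is safe to share across connections.
 */
public class CelleryTrustManager implements X509TrustManager {
    public static final String TRUST_CERTS_DEFAULT_LOCATION = "/etc/certs/trusted-certs";
    public static final String TRUST_CERTS_LOCATION_ENV = "TRUSTED_CERTS_LOCATION";
    private static final String VALIDATE_SERVER_CERT = "VALIDATE_SERVER_CERT";
    private static final String PEM_SUFFIX = ".pem";
    private static final Log log = LogFactory.getLog(CelleryTrustManager.class);

    /** Directory scanned for {@code .pem} trust anchors. Public (non-final) to stay compatible with existing callers. */
    public String trustCertsLocation;
    /** In-memory trust store populated from {@link #trustCertsLocation}. Package-private to stay compatible with existing callers. */
    KeyStore keyStore;

    /** {@code true} only when the {@code VALIDATE_SERVER_CERT} variable parses as {@code true}; otherwise all chains are accepted. */
    private final boolean validateServerCertificate =
            Boolean.parseBoolean(CellStsUtils.resolveSystemVariable(VALIDATE_SERVER_CERT));
    /** Trust manager backed by the JVM default trust store (consulted first). */
    private X509TrustManager defaultTrustManager;
    /** Trust manager backed by {@link #keyStore} (consulted when the default rejects the chain). */
    private X509TrustManager trustManager;

    /**
     * Builds both delegate trust managers.
     *
     * <p>The trust-anchor directory defaults to {@link #TRUST_CERTS_DEFAULT_LOCATION} and can
     * be overridden through the {@link #TRUST_CERTS_LOCATION_ENV} variable.
     *
     * @throws CelleryCellSTSException if no X.509 trust manager is available or the trust
     *                                 store cannot be created
     */
    public CelleryTrustManager() throws CelleryCellSTSException {
        this.trustCertsLocation = TRUST_CERTS_DEFAULT_LOCATION;
        String configuredLocation = CellStsUtils.resolveSystemVariable(TRUST_CERTS_LOCATION_ENV);
        if (StringUtils.isNotEmpty(configuredLocation)) {
            this.trustCertsLocation = configuredLocation;
        }
        log.info("validate server certificate is set to : " + this.validateServerCertificate);
        if (!this.validateServerCertificate) {
            // Make the fail-open configuration visible in the logs, not just as a boolean value.
            log.warn("Peer certificate validation is disabled (" + VALIDATE_SERVER_CERT
                    + " is not true); every presented certificate chain will be accepted");
        }
        setupTrustManager();
    }

    /**
     * Validates a client chain against the default trust store, then the PEM-backed one.
     *
     * @param chain    the peer certificate chain
     * @param authType the key exchange algorithm used
     * @throws CertificateException if neither delegate trusts the chain (the default
     *                              delegate's failure is attached as a suppressed exception)
     */
    @Override
    public void checkClientTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, true);
    }

    /**
     * Validates a server chain against the default trust store, then the PEM-backed one.
     *
     * @param chain    the peer certificate chain
     * @param authType the key exchange algorithm used
     * @throws CertificateException if neither delegate trusts the chain (the default
     *                              delegate's failure is attached as a suppressed exception)
     */
    @Override
    public void checkServerTrusted(X509Certificate[] chain, String authType) throws CertificateException {
        checkTrusted(chain, authType, false);
    }

    /**
     * Shared fallback logic for client and server checks.
     *
     * <p>Client chains are checked with {@code checkClientTrusted} on the delegates (the
     * client and server variants apply different extended-key-usage rules, so they must
     * not be mixed). A {@code CertificateException} from the default delegate is kept as a
     * suppressed exception on the custom delegate's failure so both reasons are diagnosable.
     */
    private void checkTrusted(X509Certificate[] chain, String authType, boolean clientAuth)
            throws CertificateException {
        if (!this.validateServerCertificate) {
            return; // validation switched off by configuration
        }
        try {
            if (clientAuth) {
                this.defaultTrustManager.checkClientTrusted(chain, authType);
            } else {
                this.defaultTrustManager.checkServerTrusted(chain, authType);
            }
        } catch (CertificateException defaultFailure) {
            try {
                if (clientAuth) {
                    this.trustManager.checkClientTrusted(chain, authType);
                } else {
                    this.trustManager.checkServerTrusted(chain, authType);
                }
            } catch (CertificateException customFailure) {
                customFailure.addSuppressed(defaultFailure);
                throw customFailure;
            }
        }
    }

    /**
     * Returns the accepted issuers of both delegates (default trust store first).
     *
     * @return a new array; empty if neither delegate is initialised
     */
    @Override
    public X509Certificate[] getAcceptedIssuers() {
        X509Certificate[] fromDefault = acceptedIssuersOf(this.defaultTrustManager);
        X509Certificate[] fromCustom = acceptedIssuersOf(this.trustManager);
        X509Certificate[] combined = Arrays.copyOf(fromDefault, fromDefault.length + fromCustom.length);
        System.arraycopy(fromCustom, 0, combined, fromDefault.length, fromCustom.length);
        return combined;
    }

    /** Null-safe view of a delegate's accepted issuers. */
    private static X509Certificate[] acceptedIssuersOf(X509TrustManager delegate) {
        if (delegate == null) {
            return new X509Certificate[0];
        }
        X509Certificate[] issuers = delegate.getAcceptedIssuers();
        return issuers == null ? new X509Certificate[0] : issuers;
    }

    /** Initialises the default delegate and then the PEM-backed delegate. */
    private void setupTrustManager() throws CelleryCellSTSException {
        findDefaultTrustManager();
        setCustomTrustManager();
    }

    /** Resolves the JVM default X.509 trust manager (factory initialised with a {@code null} key store). */
    private void findDefaultTrustManager() throws CelleryCellSTSException {
        this.defaultTrustManager = firstX509TrustManager(null);
    }

    /** Populates {@link #keyStore} from the trust-anchor directory and builds a trust manager over it. */
    private void setCustomTrustManager() throws CelleryCellSTSException {
        addCertificates();
        this.trustManager = firstX509TrustManager(this.keyStore);
    }

    /**
     * Returns the first {@link X509TrustManager} produced by the default
     * {@link TrustManagerFactory} for the given key store.
     *
     * @param store the trust store to initialise the factory with, or {@code null} for the JVM default
     * @throws CelleryCellSTSException if the factory cannot be initialised or yields no X.509 trust manager
     */
    private static X509TrustManager firstX509TrustManager(KeyStore store) throws CelleryCellSTSException {
        try {
            TrustManagerFactory factory =
                    TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            factory.init(store);
            for (TrustManager candidate : factory.getTrustManagers()) {
                if (candidate instanceof X509TrustManager) {
                    return (X509TrustManager) candidate;
                }
            }
            throw new CelleryCellSTSException("No registered trust manager found");
        } catch (KeyStoreException | NoSuchAlgorithmException e) {
            throw new CelleryCellSTSException("Error while setting trust manager", e);
        }
    }

    /**
     * Creates an empty in-memory key store and fills it with the certificates found in
     * {@link #trustCertsLocation}.
     *
     * @throws CelleryCellSTSException if the key store cannot be created
     */
    private void addCertificates() throws CelleryCellSTSException {
        try {
            this.keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            this.keyStore.load(null);
            readCertificates();
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new CelleryCellSTSException("Error while creating empty keystore", e);
        }
    }

    /**
     * Reads every {@code .pem} regular file in {@link #trustCertsLocation} into
     * {@link #keyStore}. Unreadable or malformed files are logged and skipped so one bad
     * file does not prevent the remaining anchors from loading.
     *
     * @return the certificates successfully added to the key store (empty if the directory
     *         is missing or unreadable)
     * @throws CelleryCellSTSException if no X.509 {@link CertificateFactory} is available
     */
    private List<X509Certificate> readCertificates() throws CelleryCellSTSException {
        File trustDir = new File(this.trustCertsLocation);
        File[] entries = trustDir.listFiles();
        List<X509Certificate> loaded = new ArrayList<>();
        if (entries == null) {
            // listFiles() returns null for a missing path, a non-directory, or an I/O error.
            log.warn("Trusted certificate location is not a readable directory: " + trustDir);
            return loaded;
        }
        CertificateFactory certificateFactory;
        try {
            certificateFactory = CertificateFactory.getInstance("X.509");
        } catch (CertificateException e) {
            throw new CelleryCellSTSException("X.509 certificate factory is unavailable", e);
        }
        for (File entry : entries) {
            if (!entry.isFile() || !entry.getName().endsWith(PEM_SUFFIX)) {
                log.debug("Found a non certificate file : " + entry.getName());
                continue;
            }
            try {
                loaded.addAll(loadPemFile(certificateFactory, entry));
            } catch (IOException | CertificateException e) {
                log.error("Error while adding trusted certificte from file : " + entry, e);
            }
        }
        return loaded;
    }

    /**
     * Parses one PEM file (possibly a bundle) and adds each X.509 certificate to
     * {@link #keyStore} under a per-certificate alias.
     *
     * @return the certificates that were stored; a certificate whose
     *         {@code setCertificateEntry} fails is logged and not included
     * @throws IOException          if the file cannot be read
     * @throws CertificateException if the file does not parse as certificates
     */
    private List<X509Certificate> loadPemFile(CertificateFactory certificateFactory, File pemFile)
            throws IOException, CertificateException {
        List<X509Certificate> stored = new ArrayList<>();
        try (FileInputStream in = new FileInputStream(pemFile)) {
            Collection<? extends Certificate> parsed = certificateFactory.generateCertificates(in);
            if (parsed == null) {
                return stored;
            }
            for (Certificate certificate : parsed) {
                if (!(certificate instanceof X509Certificate)) {
                    log.debug("Skipping non-X.509 certificate in " + pemFile);
                    continue;
                }
                X509Certificate x509 = (X509Certificate) certificate;
                // Subject + serial is unique per certificate; keying by issuer DN alone let
                // anchors from the same issuer silently overwrite each other.
                String alias = aliasFor(x509);
                try {
                    this.keyStore.setCertificateEntry(alias, x509);
                } catch (KeyStoreException e) {
                    log.error("Error while adding certificate to trust store: " + alias, e);
                    continue;
                }
                stored.add(x509);
                log.debug("Added to trust store: " + alias);
            }
        }
        return stored;
    }

    /** Key-store alias that is unique per certificate: subject DN plus hexadecimal serial number. */
    private static String aliasFor(X509Certificate certificate) {
        return certificate.getSubjectX500Principal().getName() + "#"
                + certificate.getSerialNumber().toString(16);
    }
}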
