package org.springframework.vault.client;

import io.netty.handler.ssl.SslContextBuilder;
import io.netty.handler.ssl.SslProvider;
import java.io.IOException;
import java.io.InputStream;
import java.net.ProxySelector;
import java.net.Socket;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.InvalidAlgorithmParameterException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.UnrecoverableKeyException;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.KeyManagerFactorySpi;
import javax.net.ssl.ManagerFactoryParameters;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509TrustManager;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import org.apache.commons.logging.Log;
import org.apache.commons.logging.LogFactory;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.impl.client.HttpClientBuilder;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.client.LaxRedirectStrategy;
import org.apache.http.impl.conn.DefaultSchemePortResolver;
import org.apache.http.impl.conn.SystemDefaultRoutePlanner;
import org.springframework.http.client.ClientHttpRequestFactory;
import org.springframework.http.client.HttpComponentsClientHttpRequestFactory;
import org.springframework.http.client.Netty4ClientHttpRequestFactory;
import org.springframework.http.client.OkHttp3ClientHttpRequestFactory;
import org.springframework.http.client.SimpleClientHttpRequestFactory;
import org.springframework.lang.Nullable;
import org.springframework.util.Assert;
import org.springframework.util.ClassUtils;
import org.springframework.util.FileCopyUtils;
import org.springframework.util.StringUtils;
import org.springframework.vault.support.ClientOptions;
import org.springframework.vault.support.PemObject;
import org.springframework.vault.support.SslConfiguration;

/* loaded from: input_file:org/springframework/vault/client/ClientHttpRequestFactoryFactory.class */
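/**
 * Builds the {@link ClientHttpRequestFactory} used for HTTP(S) calls, applying the
 * timeouts from {@link ClientOptions} and the trust/key material from
 * {@link SslConfiguration}.
 *
 * <p>The HTTP client library is chosen by classpath detection in {@link #create}:
 * Apache HttpComponents first, then OkHttp 3, then Netty, and finally the JDK client
 * via {@link SimpleClientHttpRequestFactory}. Only the first three paths apply the
 * SSL configuration; the JDK fallback logs a warning instead.
 */
public class ClientHttpRequestFactoryFactory {
    private static final Log logger = LogFactory.getLog(ClientHttpRequestFactoryFactory.class);
    private static final boolean HTTP_COMPONENTS_PRESENT = isPresent("org.apache.http.client.HttpClient");
    private static final boolean OKHTTP3_PRESENT = isPresent("okhttp3.OkHttpClient");
    private static final boolean NETTY_PRESENT = isPresent("io.netty.channel.nio.NioEventLoopGroup", "io.netty.handler.ssl.SslContext", "io.netty.handler.codec.http.HttpClientCodec");

    /** Request factory creation backed by Apache HttpComponents. */
    static class HttpComponents {
        HttpComponents() {
        }

        /**
         * Creates an HttpComponents based request factory.
         *
         * @param clientOptions source of the connect and read timeouts
         * @param sslConfiguration trust store, key store, protocol and cipher settings
         * @return the configured request factory
         * @throws GeneralSecurityException if the SSL context or its key material cannot be set up
         * @throws IOException if a key store or trust store resource cannot be read
         * @throws ArithmeticException if a timeout in milliseconds does not fit into an {@code int}
         */
        static ClientHttpRequestFactory usingHttpComponents(ClientOptions clientOptions, SslConfiguration sslConfiguration) throws GeneralSecurityException, IOException {
            HttpClientBuilder httpClientBuilder = HttpClients.custom();
            // Routes honour the JVM-wide ProxySelector.
            httpClientBuilder.setRoutePlanner(new SystemDefaultRoutePlanner(DefaultSchemePortResolver.INSTANCE, ProxySelector.getDefault()));
            if (hasSslConfiguration(sslConfiguration)) {
                SSLContext sslContext = getSSLContext(sslConfiguration, getTrustManagers(sslConfiguration));
                // null leaves the protocol / cipher selection to the socket factory defaults.
                String[] enabledProtocols = sslConfiguration.getEnabledProtocols().isEmpty() ? null : sslConfiguration.getEnabledProtocols().toArray(new String[0]);
                String[] enabledCipherSuites = sslConfiguration.getEnabledCipherSuites().isEmpty() ? null : sslConfiguration.getEnabledCipherSuites().toArray(new String[0]);
                // The default hostname verifier stays in place, so the server certificate is matched against the host.
                httpClientBuilder.setSSLSocketFactory(new SSLConnectionSocketFactory(sslContext, enabledProtocols, enabledCipherSuites, SSLConnectionSocketFactory.getDefaultHostnameVerifier()));
                httpClientBuilder.setSSLContext(sslContext);
            }
            RequestConfig requestConfig = RequestConfig.custom()
                    .setConnectTimeout(Math.toIntExact(clientOptions.getConnectionTimeout().toMillis()))
                    .setSocketTimeout(Math.toIntExact(clientOptions.getReadTimeout().toMillis()))
                    .setAuthenticationEnabled(true)
                    .build();
            httpClientBuilder.setDefaultRequestConfig(requestConfig);
            // LaxRedirectStrategy follows redirects for non-GET methods such as POST as well.
            // NOTE(review): confirm that request headers carrying credentials are only ever
            // replayed to trusted hosts when a redirect is followed.
            httpClientBuilder.setRedirectStrategy(new LaxRedirectStrategy());
            return new HttpComponentsClientHttpRequestFactory(httpClientBuilder.build());
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * {@link KeyManagerFactory} that delegates to another factory and, when that factory
     * yields exactly one {@link X509ExtendedKeyManager}, wraps it so that the client
     * alias is always the one configured in {@link SslConfiguration.KeyConfiguration}.
     */
    public static class KeySelectingKeyManagerFactory extends KeyManagerFactory {
        KeySelectingKeyManagerFactory(final KeyManagerFactory keyManagerFactory, final SslConfiguration.KeyConfiguration keyConfiguration) {
            super(new KeyManagerFactorySpi() {
                @Override
                protected void engineInit(KeyStore keyStore, char[] cArr) throws KeyStoreException, NoSuchAlgorithmException, UnrecoverableKeyException {
                    keyManagerFactory.init(keyStore, cArr);
                }

                @Override
                protected void engineInit(ManagerFactoryParameters managerFactoryParameters) throws InvalidAlgorithmParameterException {
                    keyManagerFactory.init(managerFactoryParameters);
                }

                @Override
                protected KeyManager[] engineGetKeyManagers() {
                    KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
                    // Any other shape (several managers, or a non-X509 one) is passed through untouched,
                    // which means the configured alias is NOT enforced in that case.
                    if (keyManagers.length == 1 && keyManagers[0] instanceof X509ExtendedKeyManager) {
                        return new KeyManager[]{new KeySelectingX509KeyManager((X509ExtendedKeyManager) keyManagers[0], keyConfiguration)};
                    }
                    return keyManagers;
                }
            }, keyManagerFactory.getProvider(), keyManagerFactory.getAlgorithm());
        }
    }

    /**
     * Key manager that answers every client alias selection with the configured key
     * alias and forwards all other calls to the wrapped key manager.
     */
    private static class KeySelectingX509KeyManager extends X509ExtendedKeyManager {
        private final X509ExtendedKeyManager delegate;
        private final SslConfiguration.KeyConfiguration keyConfiguration;

        KeySelectingX509KeyManager(X509ExtendedKeyManager x509ExtendedKeyManager, SslConfiguration.KeyConfiguration keyConfiguration) {
            this.delegate = x509ExtendedKeyManager;
            this.keyConfiguration = keyConfiguration;
        }

        @Override
        public String[] getClientAliases(String str, Principal[] principalArr) {
            return this.delegate.getClientAliases(str, principalArr);
        }

        /** Returns the configured alias; the requested key types and issuers are not consulted. */
        @Override
        public String chooseClientAlias(String[] strArr, Principal[] principalArr, Socket socket) {
            return this.keyConfiguration.getKeyAlias();
        }

        /** Returns the configured alias; the requested key types and issuers are not consulted. */
        @Override
        public String chooseEngineClientAlias(String[] strArr, Principal[] principalArr, SSLEngine sSLEngine) {
            return this.keyConfiguration.getKeyAlias();
        }

        @Override
        public String[] getServerAliases(String str, Principal[] principalArr) {
            return this.delegate.getServerAliases(str, principalArr);
        }

        @Override
        public String chooseServerAlias(String str, Principal[] principalArr, Socket socket) {
            return this.delegate.chooseServerAlias(str, principalArr, socket);
        }

        @Override
        public X509Certificate[] getCertificateChain(String str) {
            return this.delegate.getCertificateChain(str);
        }

        @Override
        public PrivateKey getPrivateKey(String str) {
            return this.delegate.getPrivateKey(str);
        }
    }

    /** Request factory creation backed by Netty. */
    static class Netty {
        Netty() {
        }

        /**
         * Creates a Netty based request factory using the JDK SSL provider.
         *
         * @param clientOptions source of the connect and read timeouts
         * @param sslConfiguration trust store, key store, protocol and cipher settings
         * @return the initialized request factory
         * @throws GeneralSecurityException if trust or key material cannot be set up
         * @throws IOException if a key store or trust store resource cannot be read
         * @throws ArithmeticException if a timeout in milliseconds does not fit into an {@code int}
         */
        static ClientHttpRequestFactory usingNetty(ClientOptions clientOptions, SslConfiguration sslConfiguration) throws GeneralSecurityException, IOException {
            Netty4ClientHttpRequestFactory requestFactory = new Netty4ClientHttpRequestFactory();
            if (hasSslConfiguration(sslConfiguration)) {
                SslContextBuilder sslContextBuilder = SslContextBuilder.forClient();
                if (sslConfiguration.getTrustStoreConfiguration().isPresent()) {
                    sslContextBuilder.trustManager(createTrustManagerFactory(sslConfiguration.getTrustStoreConfiguration()));
                }
                if (sslConfiguration.getKeyStoreConfiguration().isPresent()) {
                    sslContextBuilder.keyManager(createKeyManagerFactory(sslConfiguration.getKeyStoreConfiguration(), sslConfiguration.getKeyConfiguration()));
                }
                if (!sslConfiguration.getEnabledProtocols().isEmpty()) {
                    sslContextBuilder.protocols(sslConfiguration.getEnabledProtocols());
                }
                if (!sslConfiguration.getEnabledCipherSuites().isEmpty()) {
                    sslContextBuilder.ciphers(sslConfiguration.getEnabledCipherSuites());
                }
                // NOTE(review): unlike the HttpComponents path, nothing here sets a hostname verifier or an
                // endpoint identification algorithm; confirm that the request factory / Netty version in use
                // verifies the server host name.
                requestFactory.setSslContext(sslContextBuilder.sslProvider(SslProvider.JDK).build());
            }
            requestFactory.setConnectTimeout(Math.toIntExact(clientOptions.getConnectionTimeout().toMillis()));
            requestFactory.setReadTimeout(Math.toIntExact(clientOptions.getReadTimeout().toMillis()));
            requestFactory.afterPropertiesSet();
            return requestFactory;
        }
    }

    /** Request factory creation backed by OkHttp 3. */
    static class OkHttp3 {
        OkHttp3() {
        }

        /**
         * Creates an OkHttp 3 based request factory.
         *
         * <p>When only a key store is configured, {@link #getTrustManagers} returns
         * {@code null}; the platform default trust managers are used in that case, which
         * matches what {@link SSLContext#init} does with a {@code null} trust manager array.
         *
         * @param clientOptions source of the connect and read timeouts
         * @param sslConfiguration trust store, key store, protocol and cipher settings
         * @return the configured request factory
         * @throws GeneralSecurityException if the SSL context or its key material cannot be set up
         * @throws IOException if a key store or trust store resource cannot be read
         * @throws IllegalStateException if the trust managers are not exactly one {@link X509TrustManager}
         */
        static ClientHttpRequestFactory usingOkHttp3(ClientOptions clientOptions, SslConfiguration sslConfiguration) throws GeneralSecurityException, IOException {
            OkHttpClient.Builder clientBuilder = new OkHttpClient.Builder();
            ConnectionSpec tlsSpec = ConnectionSpec.MODERN_TLS;
            if (hasSslConfiguration(sslConfiguration)) {
                TrustManager[] trustManagers = getTrustManagers(sslConfiguration);
                if (trustManagers == null) {
                    // Key store without trust store: resolve the platform defaults explicitly, because
                    // OkHttp needs the X509TrustManager instance and a null array would fail below.
                    TrustManagerFactory defaultTrust = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
                    defaultTrust.init((KeyStore) null);
                    trustManagers = defaultTrust.getTrustManagers();
                }
                if (trustManagers.length != 1 || !(trustManagers[0] instanceof X509TrustManager)) {
                    throw new IllegalStateException("Unexpected default trust managers:" + Arrays.toString(trustManagers));
                }
                X509TrustManager x509TrustManager = (X509TrustManager) trustManagers[0];
                SSLContext sslContext = getSSLContext(sslConfiguration, trustManagers);
                ConnectionSpec.Builder specBuilder = new ConnectionSpec.Builder(tlsSpec);
                if (!sslConfiguration.getEnabledProtocols().isEmpty()) {
                    specBuilder.tlsVersions(sslConfiguration.getEnabledProtocols().toArray(new String[0]));
                }
                if (!sslConfiguration.getEnabledCipherSuites().isEmpty()) {
                    specBuilder.cipherSuites(sslConfiguration.getEnabledCipherSuites().toArray(new String[0]));
                }
                tlsSpec = specBuilder.build();
                clientBuilder.sslSocketFactory(sslContext.getSocketFactory(), x509TrustManager);
            }
            // CLEARTEXT stays enabled next to the TLS spec, so plain http:// endpoints are still reachable
            // even when SSL material is configured; the URL scheme alone decides whether TLS is used.
            clientBuilder.connectionSpecs(Arrays.asList(tlsSpec, ConnectionSpec.CLEARTEXT));
            clientBuilder.connectTimeout(clientOptions.getConnectionTimeout().toMillis(), TimeUnit.MILLISECONDS).readTimeout(clientOptions.getReadTimeout().toMillis(), TimeUnit.MILLISECONDS);
            return new OkHttp3ClientHttpRequestFactory(clientBuilder.build());
        }
    }

    /**
     * Reports whether every given class name can be loaded by this class' class loader.
     *
     * @param strArr fully qualified class names to probe
     * @return {@code true} only if all of them are present
     */
    private static boolean isPresent(String... strArr) {
        ClassLoader classLoader = ClientHttpRequestFactoryFactory.class.getClassLoader();
        for (String className : strArr) {
            if (!ClassUtils.isPresent(className, classLoader)) {
                return false;
            }
        }
        return true;
    }

    /**
     * Creates a {@link ClientHttpRequestFactory} for the first HTTP client library found
     * on the classpath (HttpComponents, OkHttp 3, Netty), falling back to the JDK client.
     *
     * <p>The JDK fallback does not apply {@code sslConfiguration}; a warning is logged
     * when SSL material was configured but cannot be used.
     *
     * @param clientOptions must not be {@code null}
     * @param sslConfiguration must not be {@code null}
     * @return the request factory
     * @throws IllegalStateException wrapping any {@link IOException} or
     * {@link GeneralSecurityException} raised while building the client
     */
    public static ClientHttpRequestFactory create(ClientOptions clientOptions, SslConfiguration sslConfiguration) {
        Assert.notNull(clientOptions, "ClientOptions must not be null");
        Assert.notNull(sslConfiguration, "SslConfiguration must not be null");
        try {
            if (HTTP_COMPONENTS_PRESENT) {
                return HttpComponents.usingHttpComponents(clientOptions, sslConfiguration);
            }
            if (OKHTTP3_PRESENT) {
                return OkHttp3.usingOkHttp3(clientOptions, sslConfiguration);
            }
            if (NETTY_PRESENT) {
                return Netty.usingNetty(clientOptions, sslConfiguration);
            }
            if (hasSslConfiguration(sslConfiguration)) {
                logger.warn("VaultProperties has SSL configured but the SSL configuration must be applied outside the Vault Client to use the JDK HTTP client");
            }
            return new SimpleClientHttpRequestFactory();
        } catch (IOException | GeneralSecurityException e) {
            // The cause is kept so that key store and TLS setup failures stay diagnosable.
            throw new IllegalStateException(e);
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Creates and initializes a {@code "TLS"} {@link SSLContext}.
     *
     * @param sslConfiguration source of the optional key store and key configuration
     * @param trustManagerArr trust managers to use, or {@code null} for the platform defaults
     * @return the initialized context
     * @throws GeneralSecurityException if the context or the key managers cannot be created
     * @throws IOException if the key store resource cannot be read
     */
    public static SSLContext getSSLContext(SslConfiguration sslConfiguration, TrustManager[] trustManagerArr) throws GeneralSecurityException, IOException {
        KeyManager[] keyManagers = null;
        if (sslConfiguration.getKeyStoreConfiguration().isPresent()) {
            keyManagers = createKeyManagerFactory(sslConfiguration.getKeyStoreConfiguration(), sslConfiguration.getKeyConfiguration()).getKeyManagers();
        }
        SSLContext sslContext = SSLContext.getInstance("TLS");
        // A null SecureRandom selects the provider default.
        sslContext.init(keyManagers, trustManagerArr, null);
        return sslContext;
    }

    /* JADX INFO: Access modifiers changed from: private */
    /**
     * Returns the trust managers for the configured trust store.
     *
     * @param sslConfiguration source of the optional trust store
     * @return the trust managers, or {@code null} when no trust store is configured
     * @throws GeneralSecurityException if the trust manager factory cannot be initialized
     * @throws IOException if the trust store resource cannot be read
     */
    @Nullable
    public static TrustManager[] getTrustManagers(SslConfiguration sslConfiguration) throws GeneralSecurityException, IOException {
        if (!sslConfiguration.getTrustStoreConfiguration().isPresent()) {
            return null;
        }
        return createTrustManagerFactory(sslConfiguration.getTrustStoreConfiguration()).getTrustManagers();
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a {@link KeyManagerFactory} for the given key store.
     *
     * <p>The key password falls back to the store password and then to an empty
     * password. When a key alias is configured, the factory is wrapped in a
     * {@link KeySelectingKeyManagerFactory}.
     *
     * @param keyStoreConfiguration key store location, type and password
     * @param keyConfiguration optional key password and key alias
     * @return the initialized factory
     * @throws GeneralSecurityException if the key store or the factory cannot be initialized
     * @throws IOException if the key store resource cannot be read
     */
    public static KeyManagerFactory createKeyManagerFactory(SslConfiguration.KeyStoreConfiguration keyStoreConfiguration, SslConfiguration.KeyConfiguration keyConfiguration) throws GeneralSecurityException, IOException {
        KeyStore keyStore = getKeyStore(keyStoreConfiguration);
        KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        char[] keyPassword = keyConfiguration.getKeyPassword();
        if (keyPassword == null) {
            char[] storePassword = keyStoreConfiguration.getStorePassword();
            keyPassword = storePassword == null ? new char[0] : storePassword;
        }
        keyManagerFactory.init(keyStore, keyPassword);
        if (StringUtils.hasText(keyConfiguration.getKeyAlias())) {
            return new KeySelectingKeyManagerFactory(keyManagerFactory, keyConfiguration);
        }
        return keyManagerFactory;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a {@link KeyStore} of the configured type and loads it from the configured resource.
     *
     * @param keyStoreConfiguration key store location, type and password
     * @return the loaded key store
     * @throws IOException if the resource cannot be read
     * @throws GeneralSecurityException if the key store cannot be created or loaded
     */
    public static KeyStore getKeyStore(SslConfiguration.KeyStoreConfiguration keyStoreConfiguration) throws IOException, GeneralSecurityException {
        KeyStore keyStore = KeyStore.getInstance(getKeyStoreType(keyStoreConfiguration));
        loadKeyStore(keyStoreConfiguration, keyStore);
        return keyStore;
    }

    /**
     * Resolves the JCA key store type: the JDK default for an empty type or the PEM
     * pseudo type, otherwise the configured type.
     */
    private static String getKeyStoreType(SslConfiguration.KeyStoreConfiguration keyStoreConfiguration) {
        String storeType = keyStoreConfiguration.getStoreType();
        if (!StringUtils.hasText(storeType) || SslConfiguration.PEM_KEYSTORE_TYPE.equalsIgnoreCase(storeType)) {
            return KeyStore.getDefaultType();
        }
        return storeType;
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Creates a {@link TrustManagerFactory} initialized with the given trust store.
     *
     * @param keyStoreConfiguration trust store location, type and password
     * @return the initialized factory
     * @throws GeneralSecurityException if the trust store or the factory cannot be initialized
     * @throws IOException if the trust store resource cannot be read
     */
    public static TrustManagerFactory createTrustManagerFactory(SslConfiguration.KeyStoreConfiguration keyStoreConfiguration) throws GeneralSecurityException, IOException {
        KeyStore trustStore = getKeyStore(keyStoreConfiguration);
        TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        trustManagerFactory.init(trustStore);
        return trustManagerFactory;
    }

    /**
     * Loads {@code keyStore} from the configured resource, either as PEM certificates or
     * in the key store's native format.
     *
     * <p>Only the resource and the entry count are logged; passwords are not.
     *
     * @throws IOException if the resource cannot be read
     * @throws GeneralSecurityException if the content cannot be loaded into the key store
     */
    private static void loadKeyStore(SslConfiguration.KeyStoreConfiguration keyStoreConfiguration, KeyStore keyStore) throws IOException, GeneralSecurityException {
        if (logger.isDebugEnabled()) {
            logger.debug(String.format("Loading keystore from %s", keyStoreConfiguration.getResource()));
        }
        // try-with-resources closes the stream on every path and keeps the primary
        // exception if close() fails as well.
        try (InputStream inputStream = keyStoreConfiguration.getResource().getInputStream()) {
            if (SslConfiguration.PEM_KEYSTORE_TYPE.equalsIgnoreCase(keyStoreConfiguration.getStoreType())) {
                // Start from an empty key store and add the PEM certificates one by one.
                keyStore.load(null);
                loadFromPem(keyStore, inputStream);
            } else {
                keyStore.load(inputStream, keyStoreConfiguration.getStorePassword());
            }
            if (logger.isDebugEnabled()) {
                logger.debug(String.format("Keystore loaded with %d entries", keyStore.size()));
            }
        }
    }

    /**
     * Adds every certificate found in the PEM stream to {@code keyStore}, using the
     * subject DN as alias. Non-certificate PEM objects are skipped.
     *
     * @throws IOException if the stream cannot be read
     * @throws KeyStoreException if an entry cannot be stored
     */
    private static void loadFromPem(KeyStore keyStore, InputStream inputStream) throws IOException, KeyStoreException {
        // Decode with a fixed charset instead of the platform default so that parsing
        // does not depend on the JVM's file.encoding.
        String pem = new String(FileCopyUtils.copyToByteArray(inputStream), StandardCharsets.UTF_8);
        for (PemObject pemObject : PemObject.parse(pem)) {
            if (!pemObject.isCertificate()) {
                continue;
            }
            X509Certificate certificate = pemObject.getCertificate();
            String subject = certificate.getSubjectX500Principal().getName();
            String alias = subject;
            // Certificates sharing a subject DN (for example a re-issued CA) would otherwise
            // silently replace each other, dropping a trust anchor from the bundle.
            for (int suffix = 1; keyStore.containsAlias(alias); suffix++) {
                alias = subject + "#" + suffix;
            }
            if (logger.isDebugEnabled()) {
                logger.debug(String.format("Adding certificate with alias %s", alias));
            }
            keyStore.setCertificateEntry(alias, certificate);
        }
    }

    /* JADX INFO: Access modifiers changed from: package-private */
    /**
     * Reports whether a trust store or a key store is configured.
     *
     * @param sslConfiguration the configuration to inspect
     * @return {@code true} if either store is present
     */
    public static boolean hasSslConfiguration(SslConfiguration sslConfiguration) {
        return sslConfiguration.getTrustStoreConfiguration().isPresent() || sslConfiguration.getKeyStoreConfiguration().isPresent();
    }
}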
