package org.apache.ignite3.internal.cli.core.rest;

import jakarta.annotation.PreDestroy;
import jakarta.inject.Singleton;
import java.io.File;
import java.io.IOException;
import java.lang.reflect.Type;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.SecureRandom;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.List;
import java.util.Map;
import java.util.concurrent.ConcurrentHashMap;
import java.util.concurrent.atomic.AtomicReference;
import java.util.regex.Pattern;
import java.util.stream.Collectors;
import javax.net.ssl.KeyManager;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManager;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509TrustManager;
import okhttp3.Call;
import okhttp3.ConnectionSpec;
import okhttp3.OkHttpClient;
import okhttp3.internal.tls.OkHostnameVerifier;
import org.apache.ignite3.internal.cli.config.CliConfigKeys;
import org.apache.ignite3.internal.cli.config.ConfigManager;
import org.apache.ignite3.internal.cli.config.ConfigManagerProvider;
import org.apache.ignite3.internal.cli.core.exception.IgniteCliApiException;
import org.apache.ignite3.internal.cli.event.ConnectionEventListener;
import org.apache.ignite3.internal.cli.logger.CliLoggers;
import org.apache.ignite3.internal.util.StringUtils;
import org.apache.ignite3.rest.client.api.AuthenticationApi;
import org.apache.ignite3.rest.client.invoker.ApiCallback;
import org.apache.ignite3.rest.client.invoker.ApiClient;
import org.apache.ignite3.rest.client.invoker.ApiException;
import org.apache.ignite3.rest.client.invoker.ApiResponse;
import org.apache.ignite3.rest.client.model.LoginBody;
import org.jetbrains.annotations.Nullable;

@Singleton
/* loaded from: input_file:org/apache/ignite3/internal/cli/core/rest/ApiClientFactory.class */
public class ApiClientFactory implements ConnectionEventListener {
    private static final Pattern INCORRECT_PASSWORD_PATTERN = Pattern.compile(".*keystore password was incorrect.*");
    private final ConfigManagerProvider configManagerProvider;
    private final TokenStore tokenStore;
    private final Map<ApiClientSettings, ApiClient> clientMap = new ConcurrentHashMap();
    private final AtomicReference<ApiClientSettings> currentSessionSettings = new AtomicReference<>();
    private boolean tokenRenewModeEnabled = false;

    public ApiClientFactory(ConfigManagerProvider configManagerProvider, TokenStore tokenStore) {
        this.configManagerProvider = configManagerProvider;
        this.tokenStore = tokenStore;
    }

    @Override // org.apache.ignite3.internal.cli.event.ConnectionEventListener
    public void onDisconnect() {
        setSessionSettings(null);
        this.clientMap.clear();
    }

    public void tokenAutoRenewEnabled(boolean z) {
        this.tokenRenewModeEnabled = z;
    }

    public ApiClient getClient(String str) {
        return getClientFromSettings(settingsWithAuth(str));
    }

    @PreDestroy
    private void clearLoggers() {
        CliLoggers.clearLoggers();
    }

    private ApiClient getClientFromSettings(ApiClientSettings apiClientSettings) {
        ApiClient computeIfAbsent = this.clientMap.computeIfAbsent(apiClientSettings, this::buildClient);
        CliLoggers.addApiClient(computeIfAbsent);
        return computeIfAbsent;
    }

    private ApiClientSettings settingsWithAuth(String str) {
        ConfigManager configManager = this.configManagerProvider.get();
        return setupAuthentication(ApiClientSettings.builder().basePath(str).keyStorePath(configManager.getCurrentProperty(CliConfigKeys.REST_KEY_STORE_PATH.value())).keyStorePassword(configManager.getCurrentProperty(CliConfigKeys.REST_KEY_STORE_PASSWORD.value())).trustStorePath(configManager.getCurrentProperty(CliConfigKeys.REST_TRUST_STORE_PATH.value())).trustStorePassword(configManager.getCurrentProperty(CliConfigKeys.REST_TRUST_STORE_PASSWORD.value())).ciphers(configManager.getCurrentProperty(CliConfigKeys.REST_CIPHERS.value()))).build();
    }

    private ApiClientSettingsBuilder setupAuthentication(ApiClientSettingsBuilder apiClientSettingsBuilder) {
        ConfigManager configManager = this.configManagerProvider.get();
        ApiClientSettings currentSessionSettings = currentSessionSettings();
        apiClientSettingsBuilder.basicAuthenticationUsername(currentSessionSettings != null ? currentSessionSettings.basicAuthenticationUsername() : configManager.getCurrentProperty(CliConfigKeys.BASIC_AUTHENTICATION_USERNAME.value())).basicAuthenticationPassword(currentSessionSettings != null ? currentSessionSettings.basicAuthenticationPassword() : configManager.getCurrentProperty(CliConfigKeys.BASIC_AUTHENTICATION_PASSWORD.value())).token(this.tokenStore.getCurrentToken());
        return apiClientSettingsBuilder;
    }

    public ApiClient buildClient(ApiClientSettings apiClientSettings) {
        try {
            OkHttpClient.Builder builder = new OkHttpClient.Builder();
            builder.retryOnConnectionFailure(false);
            if (!StringUtils.nullOrBlank(apiClientSettings.trustStorePath()) || !StringUtils.nullOrBlank(apiClientSettings.trustStorePassword())) {
                applySslSettings(builder, apiClientSettings);
            }
            OkHttpClient build = builder.build();
            return (apiClientSettings.hasAuthentication() ? apiClientWithAuth(build, apiClientSettings) : new ApiClient(build)).setBasePath(apiClientSettings.basePath());
        } catch (Exception e) {
            throw new IgniteCliApiException(e, apiClientSettings.basePath());
        }
    }

    private ApiClient apiClientWithAuth(OkHttpClient okHttpClient, ApiClientSettings apiClientSettings) {
        ApiClient apiClient;
        String str = apiClientSettings.token();
        if (this.tokenRenewModeEnabled) {
            apiClient = apiClientWithTokenRenew(apiClientSettings, okHttpClient);
            apiClient.setBearerToken(str);
        } else {
            apiClient = new ApiClient(okHttpClient);
            if (str != null) {
                apiClient.setBearerToken(str);
            } else {
                apiClient.setUsername(apiClientSettings.basicAuthenticationUsername());
                apiClient.setPassword(apiClientSettings.basicAuthenticationPassword());
            }
        }
        return apiClient;
    }

    private ApiClient apiClientWithTokenRenew(final ApiClientSettings apiClientSettings, OkHttpClient okHttpClient) {
        return new ApiClient(okHttpClient) { // from class: org.apache.ignite3.internal.cli.core.rest.ApiClientFactory.1
            private boolean shouldRetry = true;

            @Override // org.apache.ignite3.rest.client.invoker.ApiClient
            public <T> ApiResponse<T> execute(Call call, Type type) throws ApiException {
                try {
                    try {
                        ApiResponse<T> execute = super.execute(call, type);
                        this.shouldRetry = true;
                        return execute;
                    } catch (ApiException e) {
                        if (e.getCode() != 401 || ApiClientFactory.this.tokenStore.isTokenPersisted() || !this.shouldRetry) {
                            throw e;
                        }
                        this.shouldRetry = false;
                        ApiResponse<T> execute2 = super.execute(renewToken(call), type);
                        this.shouldRetry = true;
                        return execute2;
                    }
                } catch (Throwable th) {
                    this.shouldRetry = true;
                    throw th;
                }
            }

            @Override // org.apache.ignite3.rest.client.invoker.ApiClient
            public <T> void executeAsync(Call call, Type type, ApiCallback<T> apiCallback) {
                super.executeAsync(call, type, new ReAuthApiCallback(apiCallback, ApiClientFactory.this.tokenStore, () -> {
                    try {
                        super.executeAsync(renewToken(call), type, apiCallback);
                    } catch (ApiException e) {
                        apiCallback.onFailure(e, 0, null);
                    }
                }));
            }

            private Call renewToken(Call call) throws ApiException {
                String login = ApiClientFactory.login(this, apiClientSettings);
                ApiClientFactory.this.tokenStore.setToken(login);
                setBearerToken(login);
                return getHttpClient().newCall(call.request().newBuilder().removeHeader("Authorization").addHeader("Authorization", "Bearer " + login).build());
            }
        };
    }

    private static String login(ApiClient apiClient, ApiClientSettings apiClientSettings) throws ApiException {
        return new AuthenticationApi(apiClient).login(new LoginBody().username(apiClientSettings.basicAuthenticationUsername()).password(apiClientSettings.basicAuthenticationPassword()));
    }

    public void setSessionSettings(@Nullable ApiClientSettings apiClientSettings) {
        if (apiClientSettings != null) {
            this.currentSessionSettings.compareAndSet(null, apiClientSettings);
        } else {
            this.currentSessionSettings.set(null);
        }
    }

    public ApiClientSettings currentSessionSettings() {
        return this.currentSessionSettings.get();
    }

    private static void applySslSettings(OkHttpClient.Builder builder, ApiClientSettings apiClientSettings) throws UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
        TrustManagerFactory trustManagerFactory = trustManagerFactory(apiClientSettings);
        KeyManagerFactory keyManagerFactory = keyManagerFactory(apiClientSettings);
        TrustManager[] trustManagers = trustManagerFactory.getTrustManagers();
        KeyManager[] keyManagers = keyManagerFactory.getKeyManagers();
        SSLContext sSLContext = SSLContext.getInstance("TLS");
        sSLContext.init(keyManagers, trustManagers, new SecureRandom());
        setCiphers(builder, apiClientSettings);
        builder.sslSocketFactory(sSLContext.getSocketFactory(), (X509TrustManager) trustManagers[0]).hostnameVerifier(OkHostnameVerifier.INSTANCE);
    }

    private static KeyManagerFactory keyManagerFactory(ApiClientSettings apiClientSettings) throws NoSuchAlgorithmException, KeyStoreException, UnrecoverableKeyException, CertificateException, IOException {
        try {
            KeyManagerFactory keyManagerFactory = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
            if (StringUtils.nullOrBlank(apiClientSettings.keyStorePath())) {
                keyManagerFactory.init(null, null);
            } else {
                char[] charArray = apiClientSettings.keyStorePassword() == null ? null : apiClientSettings.keyStorePassword().toCharArray();
                keyManagerFactory.init(KeyStore.getInstance(new File(apiClientSettings.keyStorePath()), charArray), charArray);
            }
            return keyManagerFactory;
        } catch (IOException e) {
            if (INCORRECT_PASSWORD_PATTERN.matcher(e.getMessage()).matches()) {
                throw new IOException("Key-store password was incorrect", e.getCause());
            }
            throw e;
        }
    }

    private static TrustManagerFactory trustManagerFactory(ApiClientSettings apiClientSettings) throws NoSuchAlgorithmException, KeyStoreException, CertificateException, IOException {
        try {
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            if (StringUtils.nullOrBlank(apiClientSettings.trustStorePath())) {
                trustManagerFactory.init((KeyStore) null);
            } else {
                trustManagerFactory.init(KeyStore.getInstance(new File(apiClientSettings.trustStorePath()), apiClientSettings.trustStorePassword() == null ? null : apiClientSettings.trustStorePassword().toCharArray()));
            }
            return trustManagerFactory;
        } catch (IOException e) {
            if (INCORRECT_PASSWORD_PATTERN.matcher(e.getMessage()).matches()) {
                throw new IOException("Trust-store password was incorrect", e.getCause());
            }
            throw e;
        }
    }

    private static void setCiphers(OkHttpClient.Builder builder, ApiClientSettings apiClientSettings) {
        if (StringUtils.nullOrBlank(apiClientSettings.ciphers())) {
            return;
        }
        builder.connectionSpecs(List.of(new ConnectionSpec.Builder(true).cipherSuites((String[]) ((List) Arrays.stream(apiClientSettings.ciphers().split(",")).map((v0) -> {
            return v0.strip();
        }).collect(Collectors.toList())).toArray(i -> {
            return new String[i];
        })).build()));
    }
}
