package com.azure.spring.cloud.autoconfigure.implementation.keyvault.jca;

import com.azure.security.keyvault.jca.KeyVaultJcaProvider;
import com.azure.spring.cloud.autoconfigure.implementation.keyvault.jca.properties.AzureKeyVaultJcaProperties;
import com.azure.spring.cloud.autoconfigure.implementation.keyvault.jca.properties.AzureKeyVaultSslBundleProperties;
import com.azure.spring.cloud.core.implementation.properties.PropertyMapper;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.Security;
import java.security.cert.CertificateException;
import java.util.Arrays;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicBoolean;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.boot.autoconfigure.ssl.SslBundleRegistrar;
import org.springframework.boot.ssl.SslBundle;
import org.springframework.boot.ssl.SslBundleKey;
import org.springframework.boot.ssl.SslBundleRegistry;
import org.springframework.boot.ssl.SslOptions;
import org.springframework.boot.ssl.SslStoreBundle;
import org.springframework.context.ResourceLoaderAware;
import org.springframework.core.io.ResourceLoader;
import org.springframework.util.ClassUtils;
import org.springframework.util.StringUtils;

/* loaded from: input_file:com/azure/spring/cloud/autoconfigure/implementation/keyvault/jca/AzureKeyVaultSslBundleRegistrar.class */
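/**
 * Registers Spring Boot {@link SslBundle}s whose key store and trust store are served by the Azure Key
 * Vault JCA provider ({@link KeyVaultJcaProvider}) instead of by files on disk.
 *
 * <p>Every bundle declared under {@code spring.ssl.bundle.azure-keyvault} that has at least one
 * certificate source configured (a {@code keyvault-ref} that names a known JCA vault, or a
 * {@code certificate-paths.well-known} / {@code certificate-paths.custom} location) is registered with
 * the {@link SslBundleRegistry}. The provider takes its configuration from JVM-global system properties
 * (see {@link #JCA_SYSTEM_PROPERTY_KEYS}); this class clears and rewrites those properties immediately
 * before each store is loaded.
 *
 * <p>Security notes:
 * <ul>
 *   <li>When a client-secret credential is configured, the secret is copied into the
 *       {@code azure.keyvault.client-secret} system property. System properties are readable by any code
 *       running in the JVM and are exposed by JVM diagnostics (for example
 *       {@code jcmd <pid> VM.system_properties}). This is how the provider is configured, so it cannot be
 *       avoided here; prefer managed identity where possible. The value stays set after the store has
 *       loaded and is only removed when the next store initialization clears the properties again.</li>
 *   <li>The provider is installed at position 1 of the {@link Security} provider list, i.e. it becomes the
 *       most-preferred provider for every service type it registers.</li>
 * </ul>
 *
 * <p>{@link #registerBundles} mutates process-wide state (system properties and the provider list), so
 * concurrent invocations would interfere with each other; it is meant to run once during startup.
 */
public class AzureKeyVaultSslBundleRegistrar implements SslBundleRegistrar, ResourceLoaderAware {

    private static final Logger LOGGER = LoggerFactory.getLogger(AzureKeyVaultSslBundleRegistrar.class);

    /** Name under which {@link KeyVaultJcaProvider} is registered with (and looked up from) {@link Security}. */
    private static final String PROVIDER_NAME = "AzureKeyVault";

    private static final String AZURE_KEYVAULT_URI = "azure.keyvault.uri";
    private static final String AZURE_KEYVAULT_TENANT_ID = "azure.keyvault.tenant-id";
    private static final String AZURE_KEYVAULT_CLIENT_ID = "azure.keyvault.client-id";
    private static final String AZURE_KEYVAULT_CLIENT_SECRET = "azure.keyvault.client-secret";
    private static final String AZURE_KEYVAULT_MANAGED_IDENTITY = "azure.keyvault.managed-identity";
    private static final String AZURE_KEYVAULT_JCA_CERTIFICATES_REFRESH_INTERVAL =
            "azure.keyvault.jca.certificates-refresh-interval";
    private static final String AZURE_KEYVAULT_JCA_REFRESH_CERTIFICATES_WHEN_HAVE_UN_TRUST_CERTIFICATE =
            "azure.keyvault.jca.refresh-certificates-when-have-un-trust-certificate";
    private static final String AZURE_CERT_PATH_WELL_KNOWN = "azure.cert-path.well-known";
    private static final String AZURE_CERT_PATH_CUSTOM = "azure.cert-path.custom";

    /**
     * Every system property this class may write for the JCA provider. The list is cleared before each
     * store is configured so that a store which omits a setting does not inherit the value written for
     * the previously initialized store; keep it in sync with the keys written in
     * {@link #configureJcaKeyStoreSystemProperties}.
     */
    private static final String[] JCA_SYSTEM_PROPERTY_KEYS = {
        AZURE_KEYVAULT_URI,
        AZURE_KEYVAULT_TENANT_ID,
        AZURE_KEYVAULT_CLIENT_ID,
        AZURE_KEYVAULT_CLIENT_SECRET,
        AZURE_KEYVAULT_MANAGED_IDENTITY,
        AZURE_KEYVAULT_JCA_CERTIFICATES_REFRESH_INTERVAL,
        AZURE_KEYVAULT_JCA_REFRESH_CERTIFICATES_WHEN_HAVE_UN_TRUST_CERTIFICATE,
        AZURE_CERT_PATH_WELL_KNOWN,
        AZURE_CERT_PATH_CUSTOM
    };

    /** JCA vaults keyed by the name a bundle's {@code keyvault-ref} refers to. */
    private final Map<String, AzureKeyVaultJcaProperties.JcaVaultProperties> jcaVaults;

    /** Bundle definitions keyed by bundle name. */
    private final Map<String, AzureKeyVaultSslBundleProperties.KeyVaultSslBundleProperties> sslBundles;

    /** Injected via {@link #setResourceLoader}; null until the container calls it. */
    private ResourceLoader resourceLoader;

    /**
     * @param azureKeyVaultJcaProperties  source of the JCA vault definitions
     * @param azureKeyVaultSslBundleProperties source of the {@code spring.ssl.bundle.azure-keyvault} bundles
     */
    public AzureKeyVaultSslBundleRegistrar(AzureKeyVaultJcaProperties azureKeyVaultJcaProperties,
                                           AzureKeyVaultSslBundleProperties azureKeyVaultSslBundleProperties) {
        this.jcaVaults = azureKeyVaultJcaProperties.getVaults();
        this.sslBundles = azureKeyVaultSslBundleProperties.getKeyvault();
    }

    /**
     * Registers one {@link SslBundle} per configured Key Vault bundle. Does nothing when the JCA provider
     * is not on the classpath or no bundle is configured; bundles without any certificate source are
     * skipped individually.
     *
     * @param sslBundleRegistry registry the bundles are added to
     * @throws IllegalStateException if a Key Vault key store cannot be created or loaded
     */
    public void registerBundles(SslBundleRegistry sslBundleRegistry) {
        if (!hasKeyVaultJcaOnClasspath()) {
            LOGGER.debug("Skip configuring Key Vault SSL bundles because {}",
                "'com.azure:azure-security-keyvault-jca' doesn't exist in classpath.");
            return;
        }
        if (sslBundles.isEmpty()) {
            LOGGER.debug("Skip configuring Key Vault SSL bundles because {}",
                "'spring.ssl.bundle.azure-keyvault' is empty.");
            return;
        }
        // Shared across all bundles of this call so the provider is (re)installed exactly once.
        AtomicBoolean providerInstalled = new AtomicBoolean(false);
        sslBundles.forEach((bundleName, bundle) -> registerBundle(sslBundleRegistry, bundleName, bundle, providerInstalled));
    }

    /** Builds and registers a single bundle; skips it when neither store has a certificate source. */
    private void registerBundle(SslBundleRegistry sslBundleRegistry,
                                String bundleName,
                                AzureKeyVaultSslBundleProperties.KeyVaultSslBundleProperties bundle,
                                AtomicBoolean providerInstalled) {
        boolean trustStoreConfigured = hasAnyCertConfigured(jcaVaults, bundle.getTruststore());
        boolean keyStoreConfigured = hasAnyCertConfigured(jcaVaults, bundle.getKeystore());
        if (!keyStoreConfigured && !trustStoreConfigured) {
            LOGGER.debug("Skip configuring Key Vault SSL bundle '{}'. Consider configuring 'keyvault-ref', "
                + "'certificate-paths.custom' or 'certificate-paths.well-known' properties of the keystore or truststore.",
                bundleName);
            return;
        }
        // The key store is initialized before the trust store. Each initialization clears and rewrites the
        // shared JCA system properties before loading its store; presumably the provider reads them at load
        // time, so this order must be preserved (it matches the original argument evaluation order).
        KeyStore keyStore = initializeKeyVaultKeyStore("keystore", bundleName, keyStoreConfigured, providerInstalled,
            jcaVaults.get(bundle.getKeystore().getKeyvaultRef()), bundle.getKeystore());
        KeyStore trustStore = initializeKeyVaultKeyStore("truststore", bundleName, trustStoreConfigured, providerInstalled,
            jcaVaults.get(bundle.getTruststore().getKeyvaultRef()), bundle.getTruststore());
        // No key-store password: the provider-backed store is not a password-protected file.
        SslStoreBundle stores = SslStoreBundle.of(keyStore, (String) null, trustStore);

        SslBundleKey bundleKey = Optional.ofNullable(bundle.getKey())
            .map(k -> SslBundleKey.of(k.getPassword(), k.getAlias()))
            .orElse(SslBundleKey.NONE);
        SslOptions options = Optional.ofNullable(bundle.getOptions())
            .map(o -> SslOptions.of(o.getCiphers(), o.getEnabledProtocols()))
            .orElse(SslOptions.NONE);

        sslBundleRegistry.registerBundle(bundleName, SslBundle.of(stores, bundleKey, options, bundle.getProtocol(),
            new KeyVaultSslManagerBundle(stores, bundleKey, bundle.isForClientAuth())));
        LOGGER.debug("Registered Azure Key Vault SSL bundle '{}'.", bundleName);
    }

    /**
     * Configures the provider's system properties for one store, installs the provider on first use and
     * creates the provider-backed {@link KeyStore}.
     *
     * @param storeKind         "keystore" or "truststore", used in log and error messages only
     * @param bundleName        bundle being built, used in log and error messages only
     * @param configured        whether this store has any certificate source; when false, null is returned
     * @param providerInstalled set to true by whichever call installs the provider
     * @param vault             the JCA vault the store's {@code keyvault-ref} resolves to, or null
     * @param storeProperties   the store's own settings (certificate paths, refresh behaviour)
     * @return the loaded store, or null when {@code configured} is false
     * @throws IllegalStateException if the store cannot be created or loaded
     */
    private KeyStore initializeKeyVaultKeyStore(String storeKind,
                                                String bundleName,
                                                boolean configured,
                                                AtomicBoolean providerInstalled,
                                                AzureKeyVaultJcaProperties.JcaVaultProperties vault,
                                                AzureKeyVaultSslBundleProperties.KeyStoreProperties storeProperties) {
        if (!configured) {
            LOGGER.debug("The {} parameter of Key Vault SSL bundle '{}' is null.", storeKind, bundleName);
            return null;
        }
        configureJcaKeyStoreSystemProperties(vault, storeProperties, resourceLoader);
        if (providerInstalled.compareAndSet(false, true)) {
            // Drop any instance registered earlier (e.g. by a previous context refresh) so the fresh one
            // is not shadowed, then install at position 1 = highest precedence for every service the
            // provider registers. NOTE(review): confirm the provider does not take over JDK default
            // implementations for keys that do not live in Key Vault.
            Security.removeProvider(PROVIDER_NAME);
            Security.insertProviderAt(new KeyVaultJcaProvider(), 1);
        }
        try {
            // Under embedded Tomcat the "DKS" (domain key store) type is requested from the provider;
            // otherwise the provider's default "AzureKeyVault" store type. NOTE(review): the reason for the
            // Tomcat-specific type is not visible here — presumably Tomcat's JSSE integration requires it.
            KeyStore keyStore = hasEmbeddedTomcat()
                ? KeyStore.getInstance("DKS", PROVIDER_NAME)
                : KeyStore.getInstance(PROVIDER_NAME);
            // No stream and no integrity password: there is no file behind this store.
            keyStore.load(null);
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | NoSuchProviderException
                 | CertificateException e) {
            throw new IllegalStateException(
                "Failed to load Key Vault " + storeKind + " for SSL bundle '" + bundleName + "'", e);
        }
    }

    /** True when {@code azure-security-keyvault-jca} is loadable from this class's class loader. */
    private static boolean hasKeyVaultJcaOnClasspath() {
        return ClassUtils.isPresent("com.azure.security.keyvault.jca.KeyVaultJcaProvider",
            AzureKeyVaultSslBundleRegistrar.class.getClassLoader());
    }

    /**
     * True when the store has a well-known or custom certificate path, or a {@code keyvault-ref} that
     * names a configured JCA vault.
     *
     * <p>A {@code keyvault-ref} that matches no configured vault is reported at WARN level: a typo in the
     * reference would otherwise silently leave the store (and possibly the whole bundle) unregistered.
     */
    private static boolean hasAnyCertConfigured(Map<String, AzureKeyVaultJcaProperties.JcaVaultProperties> vaults,
                                                AzureKeyVaultSslBundleProperties.KeyStoreProperties storeProperties) {
        AzureKeyVaultSslBundleProperties.CertificatePathsProperties paths = storeProperties.getCertificatePaths();
        if (StringUtils.hasText(paths.getWellKnown()) || StringUtils.hasText(paths.getCustom())) {
            return true;
        }
        String vaultRef = storeProperties.getKeyvaultRef();
        if (!StringUtils.hasText(vaultRef)) {
            return false;
        }
        boolean vaultKnown = vaults.get(vaultRef) != null;
        if (!vaultKnown) {
            LOGGER.warn("Key Vault SSL bundle 'keyvault-ref' '{}' does not match any configured JCA vault; "
                + "the store will be skipped.", vaultRef);
        }
        return vaultKnown;
    }

    /**
     * True when embedded Tomcat is on the classpath. Uses the same presence check (no class
     * initialization, this class's loader) as {@link #hasKeyVaultJcaOnClasspath()}.
     */
    private static boolean hasEmbeddedTomcat() {
        return ClassUtils.isPresent("org.apache.tomcat.InstanceManager",
            AzureKeyVaultSslBundleRegistrar.class.getClassLoader());
    }

    /**
     * Clears all provider properties and writes the ones derived from {@code vault} (may be null when
     * the store is configured through certificate paths only) and {@code storeProperties}.
     *
     * <p>Only values with text are written for the vault settings; the refresh-on-untrusted flag is always
     * written. Certificate paths are written only when {@link #resolvePath} can resolve them.
     */
    private static void configureJcaKeyStoreSystemProperties(AzureKeyVaultJcaProperties.JcaVaultProperties vault,
                                                             AzureKeyVaultSslBundleProperties.KeyStoreProperties storeProperties,
                                                             ResourceLoader resourceLoader) {
        PropertyMapper mapper = new PropertyMapper();
        clearJcaSystemProperties();
        if (vault != null) {
            mapper.from(vault.getEndpoint()).when(StringUtils::hasText)
                .to(v -> System.setProperty(AZURE_KEYVAULT_URI, v));
            mapper.from(vault.getProfile().getTenantId()).when(StringUtils::hasText)
                .to(v -> System.setProperty(AZURE_KEYVAULT_TENANT_ID, v));
            mapper.from(vault.getCredential().getClientId()).when(StringUtils::hasText)
                .to(v -> System.setProperty(AZURE_KEYVAULT_CLIENT_ID, v));
            // SECURITY: from here on the secret is readable by anything in the JVM (see class Javadoc).
            mapper.from(vault.getCredential().getClientSecret()).when(StringUtils::hasText)
                .to(v -> System.setProperty(AZURE_KEYVAULT_CLIENT_SECRET, v));
            if (vault.getCredential().isManagedIdentityEnabled()) {
                // The client id is passed on for a user-assigned identity. The original wrote it
                // unconditionally, which makes System.setProperty throw NullPointerException when no client
                // id is configured (system-assigned identity); now the property is simply left unset in
                // that case. NOTE(review): confirm the provider treats an absent property as "use the
                // system-assigned identity".
                mapper.from(vault.getCredential().getClientId()).when(StringUtils::hasText)
                    .to(v -> System.setProperty(AZURE_KEYVAULT_MANAGED_IDENTITY, v));
            }
        }
        mapper.from(storeProperties.getCertificatesRefreshInterval()).when(Objects::nonNull)
            .to(interval -> System.setProperty(AZURE_KEYVAULT_JCA_CERTIFICATES_REFRESH_INTERVAL,
                String.valueOf(interval.toMillis())));
        mapper.from(storeProperties.isRefreshCertificatesWhenHaveUntrustedCertificate())
            .to(flag -> System.setProperty(AZURE_KEYVAULT_JCA_REFRESH_CERTIFICATES_WHEN_HAVE_UN_TRUST_CERTIFICATE,
                Boolean.toString(flag)));
        mapper.from(storeProperties.getCertificatePaths().getWellKnown())
            .to(location -> resolvePath(resourceLoader, location)
                .ifPresent(path -> System.setProperty(AZURE_CERT_PATH_WELL_KNOWN, path)));
        mapper.from(storeProperties.getCertificatePaths().getCustom())
            .to(location -> resolvePath(resourceLoader, location)
                .ifPresent(path -> System.setProperty(AZURE_CERT_PATH_CUSTOM, path)));
    }

    /** Removes every key in {@link #JCA_SYSTEM_PROPERTY_KEYS} from the system properties. */
    private static void clearJcaSystemProperties() {
        Arrays.stream(JCA_SYSTEM_PROPERTY_KEYS).forEach(System::clearProperty);
    }

    /**
     * Resolves a {@code classpath:} or {@code file:} location to an absolute file-system path, which is
     * the form the certificate-path properties are written in.
     *
     * <p>A null location or one with any other prefix yields an empty result, so the corresponding
     * property is not written. A {@code classpath:} resource packed inside a jar has no backing file, so
     * {@code getFile()} fails for it; that failure is surfaced as {@link UncheckedIOException}.
     *
     * @throws NullPointerException if no {@link ResourceLoader} has been injected yet
     */
    private static Optional<String> resolvePath(ResourceLoader resourceLoader, String location) {
        Objects.requireNonNull(resourceLoader,
            "resourceLoader must be set before Key Vault SSL bundles are registered");
        return Optional.ofNullable(location)
            .filter(AzureKeyVaultSslBundleRegistrar::isSupportedLocation)
            .map(resourceLoader::getResource)
            .map(resource -> {
                try {
                    return resource.getFile().getAbsolutePath();
                } catch (IOException e) {
                    throw new UncheckedIOException("Failed to load the certificate path '" + location + "'", e);
                }
            });
    }

    /** Only Spring {@code classpath:} and {@code file:} locations are accepted as certificate paths. */
    private static boolean isSupportedLocation(String location) {
        return location.startsWith("classpath:") || location.startsWith("file:");
    }

    public void setResourceLoader(ResourceLoader resourceLoader) {
        this.resourceLoader = resourceLoader;
    }
}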
