package org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.client;

import java.io.File;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.http.HttpClient;
import java.net.http.HttpRequest;
import java.net.http.HttpResponse;
import java.nio.charset.StandardCharsets;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Scanner;
import javax.net.ssl.SSLContext;
import javax.net.ssl.TrustManagerFactory;
import org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.model.TokenReview;
import org.apache.activemq.artemis.utils.JsonLoader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:artemis-server-2.32.0.jar:org/apache/activemq/artemis/spi/core/security/jaas/kubernetes/client/KubernetesClientImpl.class */
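/**
 * {@link KubernetesClient} that validates a bearer token by POSTing a {@code TokenReview} to the
 * Kubernetes API server, authenticating itself with the pod's service-account token and trusting
 * the cluster CA read from the service-account secret.
 *
 * <p>Configuration is resolved once, at construction time, from system properties first and
 * environment variables second (see {@link #getParam(String, String)}). Every failure path returns
 * an empty {@link TokenReview} rather than throwing, so callers treat "no result" as "not
 * authenticated".
 */
public class KubernetesClientImpl implements KubernetesClient {
    private static final Logger logger = LoggerFactory.getLogger(KubernetesClientImpl.class);
    private static final String KUBERNETES_HOST = "KUBERNETES_SERVICE_HOST";
    private static final String KUBERNETES_PORT = "KUBERNETES_SERVICE_PORT";
    private static final String KUBERNETES_TOKEN_PATH = "KUBERNETES_TOKEN_PATH";
    private static final String KUBERNETES_CA_PATH = "KUBERNETES_CA_PATH";
    private static final String KUBERNETES_TOKENREVIEW_URI_PATTERN = "https://%s:%s/apis/authentication.k8s.io/v1/tokenreviews";
    private static final String DEFAULT_KUBERNETES_TOKEN_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/token";
    private static final String DEFAULT_KUBERNETES_CA_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";
    /** Status the API server answers with when the TokenReview object was created (the only success case). */
    private static final int HTTP_CREATED = 201;

    // Resolved once per instance: system property, then environment variable, then the in-cluster default.
    private String tokenPath = getParam(KUBERNETES_TOKEN_PATH, DEFAULT_KUBERNETES_TOKEN_PATH);
    private String caPath = getParam(KUBERNETES_CA_PATH, DEFAULT_KUBERNETES_CA_PATH);
    // NOTE(review): when KUBERNETES_SERVICE_HOST / KUBERNETES_SERVICE_PORT are unset this becomes
    // "https://null:null/..."; URI.create() presumably accepts that, so the misconfiguration only
    // surfaces (as a logged error) on the first getTokenReview() call rather than at construction.
    private URI apiUri = URI.create(String.format(KUBERNETES_TOKENREVIEW_URI_PATTERN, getParam(KUBERNETES_HOST), getParam(KUBERNETES_PORT)));

    public KubernetesClientImpl() {
        logger.debug("using apiUri {}", this.apiUri);
    }

    /**
     * Resolves a configuration value, preferring a system property over an environment variable
     * of the same name.
     *
     * @param name         property / environment variable name
     * @param defaultValue value returned when neither is set (may be {@code null})
     * @return the resolved value, or {@code defaultValue} when nothing is configured
     */
    public String getParam(String name, String defaultValue) {
        String value = System.getProperty(name);
        if (value == null) {
            value = System.getenv(name);
        }
        return value != null ? value : defaultValue;
    }

    /** Same as {@link #getParam(String, String)} with a {@code null} default. */
    private String getParam(String name) {
        return getParam(name, null);
    }

    /**
     * Submits the given bearer token to the Kubernetes {@code TokenReview} API and returns the
     * server's verdict.
     *
     * <p>Any failure (token file unreadable, TLS setup, request construction, I/O, non-201 reply)
     * is logged and yields an empty {@link TokenReview}; nothing is thrown to the caller. The
     * reviewed token and the service-account token are never logged.
     *
     * @param token the bearer token presented by the connecting client
     * @return the parsed review on a 201 response, otherwise an empty review
     */
    @Override // org.apache.activemq.artemis.spi.core.security.jaas.kubernetes.client.KubernetesClient
    public TokenReview getTokenReview(String token) {
        // Empty review doubles as the "not authenticated" result on every failure path below.
        TokenReview emptyReview = new TokenReview();

        String serviceAccountToken;
        try {
            logger.debug("Loading client authentication token from {}", this.tokenPath);
            serviceAccountToken = readFile(this.tokenPath);
            logger.debug("Loaded client authentication token from {}", this.tokenPath);
        } catch (IOException e) {
            logger.error("Cannot retrieve Service Account Authentication Token from " + this.tokenPath, e);
            return emptyReview;
        }

        // Built through the JSON API so the client-supplied token is escaped, never concatenated.
        String jsonRequest = buildJsonRequest(token);

        SSLContext sslContext;
        try {
            sslContext = buildSSLContext();
        } catch (IOException | GeneralSecurityException e) {
            logger.error("Unable to build a valid SSLContext", e);
            return emptyReview;
        }

        HttpClient client;
        HttpRequest request;
        try {
            // A fresh client per call; presumably so a CA rotated on disk is picked up without a restart.
            // NOTE(review): no connectTimeout()/timeout() is configured, so a stalled API server blocks
            // the authenticating thread indefinitely — consider making a timeout configurable.
            client = HttpClient.newBuilder().sslContext(sslContext).build();
            request = HttpRequest.newBuilder(this.apiUri)
                    .header("Authorization", "Bearer " + serviceAccountToken)
                    .header("Accept", "application/json; charset=utf-8")
                    .POST(HttpRequest.BodyPublishers.ofString(jsonRequest))
                    .build();
        } catch (RuntimeException e) {
            // e.g. IllegalArgumentException from an unusable apiUri (missing host/port).
            logger.error("Unable to build TokenReview request for {}", this.apiUri, e);
            return emptyReview;
        }

        HttpResponse<String> response;
        try {
            logger.debug("Submit TokenReview request to Kubernetes API");
            response = client.send(request, HttpResponse.BodyHandlers.ofString());
        } catch (InterruptedException e) {
            // Preserve the interrupt for the owning thread; we still fail closed.
            Thread.currentThread().interrupt();
            logger.error("Unable to request ReviewToken", e);
            return emptyReview;
        } catch (IOException e) {
            logger.error("Unable to request ReviewToken", e);
            return emptyReview;
        }

        if (response.statusCode() == HTTP_CREATED) {
            logger.debug("Received valid TokenReview response");
            return TokenReview.fromJsonString(response.body());
        }
        logger.error("Unable to retrieve a valid TokenReview. Received StatusCode: {}. Body: {}", response.statusCode(), response.body());
        return emptyReview;
    }

    /**
     * Reads a token file as UTF-8 and concatenates all lines that are neither blank nor comments
     * (lines starting with {@code #}), without any line separators.
     *
     * @param path path of the file to read
     * @return the concatenated token text (empty when the file has no usable lines)
     * @throws IOException if the file cannot be opened or a read error occurs while scanning
     */
    private String readFile(String path) throws IOException {
        StringBuilder content = new StringBuilder();
        try (Scanner scanner = new Scanner(Path.of(path), StandardCharsets.UTF_8)) {
            while (scanner.hasNextLine()) {
                String line = scanner.nextLine();
                if (!line.isBlank() && !line.startsWith("#")) {
                    content.append(line);
                }
            }
            // Scanner swallows I/O errors from the underlying stream; surface them instead of
            // silently returning a truncated token.
            IOException readError = scanner.ioException();
            if (readError != null) {
                throw readError;
            }
        }
        return content.toString();
    }

    /**
     * Builds the {@code authentication.k8s.io/v1} TokenReview request body for {@code token}.
     * Uses the JSON object builder so the token value is properly escaped.
     */
    private String buildJsonRequest(String token) {
        return JsonLoader.createObjectBuilder()
                .add("apiVersion", "authentication.k8s.io/v1")
                .add("kind", "TokenReview")
                .add("spec", JsonLoader.createObjectBuilder().add("token", token).build())
                .build()
                .toString();
    }

    /**
     * Builds the TLS context used to talk to the API server.
     *
     * <p>When the CA file exists, every certificate it contains (the file may be a bundle, e.g.
     * during CA rotation) becomes a trust anchor and nothing else is trusted. When it is absent,
     * the JVM default context is returned so the server certificate is still validated against the
     * default trust store — the previous implementation returned an un-initialised
     * {@code SSLContext} on that path, which cannot be used for a connection.
     *
     * @return an initialised {@link SSLContext}
     * @throws IOException              if the CA file cannot be read
     * @throws GeneralSecurityException if the certificate, key store or context cannot be set up
     */
    private SSLContext buildSSLContext() throws IOException, GeneralSecurityException {
        File caFile = new File(this.caPath);
        if (!caFile.exists()) {
            logger.debug("Kubernetes CA certificate not found at: {}. Truststore not configured", this.caPath);
            return SSLContext.getDefault();
        }
        // "TLS" is the standard-name context; the enabled protocol versions come from JSSE defaults.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        try (FileInputStream in = new FileInputStream(caFile)) {
            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            trustStore.load(null, null);
            int index = 0;
            // generateCertificates (plural) so a bundle with several CAs is fully trusted, not just its first entry.
            for (Certificate ca : CertificateFactory.getInstance("X.509").generateCertificates(in)) {
                trustStore.setCertificateEntry(caFile.getName() + "-" + index++, ca);
            }
            TrustManagerFactory trustManagerFactory = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustManagerFactory.init(trustStore);
            // No client key manager: the client authenticates with the bearer token, not mTLS.
            sslContext.init(null, trustManagerFactory.getTrustManagers(), new SecureRandom());
        }
        return sslContext;
    }
}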
