package ai.vespa.hosted.cd.commons;

import ai.vespa.hosted.api.Properties;
import ai.vespa.hosted.cd.EndpointAuthenticator;
import com.yahoo.config.provision.SystemName;
import com.yahoo.security.KeyUtils;
import com.yahoo.security.SslContextBuilder;
import com.yahoo.security.X509CertificateUtils;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.NoSuchAlgorithmException;
import java.security.cert.X509Certificate;
import java.time.Instant;
import java.util.Optional;
import java.util.logging.Logger;
import javax.net.ssl.SSLContext;

/* loaded from: input_file:ai/vespa/hosted/cd/commons/DefaultEndpointAuthenticator.class */
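/**
 * Supplies the {@link SSLContext} used when talking to data plane endpoints, built from a
 * PEM certificate and private key found on the local file system.
 *
 * <p>Credential lookup order, as implemented in {@link #sslContext()}:
 * <ol>
 *   <li>the {@code vespa.test.credentials.root} property, a directory expected to hold the
 *       files {@code cert} and {@code key};</li>
 *   <li>otherwise {@code Properties.dataPlaneCertificateFile()} and
 *       {@code Properties.dataPlaneKeyFile()}.</li>
 * </ol>
 *
 * <p>Security note: when either file is missing, the JVM default {@code SSLContext} is returned
 * instead of failing, so the connection carries no client credentials from this class. The
 * warning about this is suppressed when the system is {@code SystemName.dev}.
 */
public class DefaultEndpointAuthenticator implements EndpointAuthenticator {
    private static final Logger logger = Logger.getLogger(DefaultEndpointAuthenticator.class.getName());

    // True only for SystemName.dev; used solely to silence the missing-credentials warning.
    private final boolean hasLocalTestConfig;

    /**
     * @param systemName the system the tests run against; {@code SystemName.dev} is treated as
     *                   having local test configuration
     */
    public DefaultEndpointAuthenticator(SystemName systemName) {
        this.hasLocalTestConfig = systemName == SystemName.dev;
    }

    /**
     * Builds an {@link SSLContext} holding the configured client certificate and private key.
     *
     * <p>Only the certificate's validity window is checked here; nothing in this method verifies
     * that the private key belongs to the certificate.
     *
     * @return a context with the client key store, or {@link SSLContext#getDefault()} when the
     *         certificate and/or key location is not configured
     * @throws IllegalStateException if the certificate is not yet valid or has expired, or if the
     *                               default context cannot be obtained
     * @throws UncheckedIOException  if the certificate or key file cannot be read
     */
    public SSLContext sslContext() {
        try {
            Path certificateFile = null;
            Path privateKeyFile = null;
            Optional<String> credentialsRoot = Properties.getNonBlankProperty("vespa.test.credentials.root");
            if (credentialsRoot.isPresent()) {
                Path root = Path.of(credentialsRoot.get());
                certificateFile = root.resolve("cert");
                privateKeyFile = root.resolve("key");
            } else {
                Optional<Path> configuredCertificate = Properties.dataPlaneCertificateFile();
                Optional<Path> configuredKey = Properties.dataPlaneKeyFile();
                certificateFile = configuredCertificate.orElse(null);
                privateKeyFile = configuredKey.orElse(null);
            }

            if (certificateFile == null || privateKeyFile == null) {
                // A half-configured pair (only cert or only key) also lands here and falls back
                // to the default context rather than failing.
                if (!this.hasLocalTestConfig) {
                    logger.warning("##################################################################################\n# Data plane key and/or certificate missing; please specify                      #\n# '-DdataPlaneCertificateFile=/path/to/certificate' and                          #\n# '-DdataPlaneKeyFile=/path/to/private_key'.                                     #\n# Trying the default SSLContext, but this will most likely cause HTTP error 401. #\n##################################################################################");
                }
                return SSLContext.getDefault();
            }

            // Files.readString decodes as UTF-8 instead of the platform default charset, so PEM
            // parsing does not depend on the host's locale settings.
            X509Certificate certificate = X509CertificateUtils.fromPem(Files.readString(certificateFile));

            // Read the clock once so both bounds are compared against the same instant.
            Instant now = Instant.now();
            Instant notBefore = certificate.getNotBefore().toInstant();
            Instant notAfter = certificate.getNotAfter().toInstant();
            if (now.isBefore(notBefore) || now.isAfter(notAfter)) {
                throw new IllegalStateException("Certificate at '" + certificateFile + "' is valid between " + certificate.getNotBefore() + " and " + certificate.getNotAfter() + " — not now.");
            }

            // The key material is only handed to the key store builder; it is never logged.
            String privateKeyPem = Files.readString(privateKeyFile);
            return new SslContextBuilder()
                    .withKeyStore(KeyUtils.fromPemEncodedPrivateKey(privateKeyPem), certificate)
                    .build();
        } catch (IOException e) {
            throw new UncheckedIOException(e);
        } catch (NoSuchAlgorithmException e) {
            throw new IllegalStateException(e);
        }
    }
}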
