package dev.dsf.common.config;

import de.rwh.utils.crypto.CertificateHelper;
import de.rwh.utils.crypto.io.CertificateReader;
import de.rwh.utils.crypto.io.PemIo;
import dev.dsf.common.auth.BackChannelLogoutAuthenticator;
import dev.dsf.common.auth.BearerTokenAuthenticator;
import dev.dsf.common.auth.ClientCertificateAuthenticator;
import dev.dsf.common.auth.DelegatingAuthenticator;
import dev.dsf.common.auth.DsfLoginService;
import dev.dsf.common.auth.DsfOpenIdConfiguration;
import dev.dsf.common.auth.DsfOpenIdLoginService;
import dev.dsf.common.auth.DsfSecurityHandler;
import dev.dsf.common.auth.StatusPortAuthenticator;
import dev.dsf.common.documentation.Documentation;
import dev.dsf.common.jetty.HttpClientWithGetRetry;
import dev.dsf.common.jetty.JettyServer;
import dev.dsf.tools.docker.secrets.DockerSecretsPropertySourceFactory;
import jakarta.servlet.ServletContainerInitializer;
import java.io.IOException;
import java.io.InputStream;
import java.net.MalformedURLException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.time.Duration;
import java.time.temporal.ChronoUnit;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Objects;
import java.util.Properties;
import java.util.UUID;
import java.util.function.Function;
import java.util.function.Supplier;
import java.util.stream.Collectors;
import org.bouncycastle.jce.provider.BouncyCastleProvider;
import org.bouncycastle.pkcs.PKCSException;
import org.eclipse.jetty.client.HttpClient;
import org.eclipse.jetty.client.HttpProxy;
import org.eclipse.jetty.client.Origin;
import org.eclipse.jetty.client.ProxyConfiguration;
import org.eclipse.jetty.client.http.HttpClientTransportOverHTTP;
import org.eclipse.jetty.io.ClientConnector;
import org.eclipse.jetty.security.openid.OpenIdAuthenticator;
import org.eclipse.jetty.server.Connector;
import org.eclipse.jetty.server.Server;
import org.eclipse.jetty.server.session.SessionHandler;
import org.eclipse.jetty.util.ssl.SslContextFactory;
import org.eclipse.jetty.webapp.WebAppContext;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Value;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.PropertySource;
import org.springframework.context.support.PropertySourcesPlaceholderConfigurer;
import org.springframework.core.env.ConfigurableEnvironment;

@Configuration
@PropertySource(value = {"file:conf/jetty.properties"}, encoding = "UTF-8", ignoreResourceNotFound = true)
/* loaded from: input_file:dev/dsf/common/config/AbstractJettyConfig.class */
public abstract class AbstractJettyConfig {
    private static final Logger logger = LoggerFactory.getLogger(AbstractJettyConfig.class);
    private static final BouncyCastleProvider provider = new BouncyCastleProvider();

    @Value("${dev.dsf.server.status.host:127.0.0.1}")
    @Documentation(required = true, description = "Status connector host")
    private String statusHost;

    @Value("${dev.dsf.server.status.port}")
    @Documentation(required = true, description = "Status connector port, default in docker image: `10000`")
    private int statusPort;

    @Value("${dev.dsf.server.api.host:127.0.0.1}")
    @Documentation(required = true, description = "API connector host, default in docker image: `0.0.0.0`")
    private String apiHost;

    @Value("${dev.dsf.server.api.port}")
    @Documentation(required = true, description = "API connector port, default in docker image: `8080`")
    private int apiPort;

    @Value("${dev.dsf.server.context.path}")
    @Documentation(required = true, description = "Web application context path, default in `bpe` docker image: `/bpe`, default in `fhir` docker image: `/fhir`", recommendation = "Only modify for testing")
    private String contextPath;

    @Value("${dev.dsf.server.auth.client.certificate.header:X-ClientCert}")
    @Documentation(required = true, description = "Name of HTTP header with client certificate from reverse proxy")
    private String clientCertificateHeaderName;

    @Value("${dev.dsf.server.auth.trust.client.certificate.cas}")
    @Documentation(required = true, description = "PEM encoded file with one or more trusted root certificates to validate client certificates for https connections from local and remote clients", recommendation = "Use docker secret file to configure", example = "/run/secrets/app_client_trust_certificates.pem")
    private String clientCertificateTrustStoreFile;

    @Value("${dev.dsf.server.certificate:#{null}}")
    @Documentation(description = "Server certificate file for testing", recommendation = "Only specify For testing when terminating TLS in jetty server")
    private String serverCertificateFile;

    @Value("${dev.dsf.server.certificate.chain:#{null}}")
    @Documentation(description = "Server certificate chain file for testing", recommendation = "Only specify For testing when terminating TLS in jetty server")
    private String serverCertificateChainFile;

    @Value("${dev.dsf.server.certificate.key:#{null}}")
    @Documentation(description = "Server certificate private key file for testing", recommendation = "Only specify For testing when terminating TLS in jetty server")
    private String serverCertificateKeyFile;

    @Value("${dev.dsf.server.certificate.key.password:#{null}}")
    @Documentation(description = "Server certificate private key file password for testing", recommendation = "Only specify For testing when terminating TLS in jetty server")
    private char[] serverCertificateKeyFilePassword;

    @Value("${dev.dsf.server.auth.oidc.authorization.code.flow:false}")
    @Documentation(description = "Set to `true` to enable OIDC authorization code flow", recommendation = "Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL*, *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_SECRET* to be specified")
    private boolean oidcAuthorizationCodeFlowEnabled;

    @Value("${dev.dsf.server.auth.oidc.bearer.token:false}")
    @Documentation(description = "Set to `true` to enable OIDC bearer token authentication", recommendation = "Requires *DEV_DSF_SERVER_AUTH_OIDC_PROVIDER_REALM_BASE_URL* to be specified")
    private boolean oidcBearerTokenEnabled;

    @Value("${dev.dsf.server.auth.oidc.provider.realm.base.url:#{null}}")
    @Documentation(description = "OIDC provider realm base url", example = "https://keycloak.test.com:8443/realms/example-realm-name")
    private String oidcProviderRealmBaseUrl;

    @Value("${dev.dsf.server.auth.oidc.provider.client.connectTimeout:5000}")
    @Documentation(description = "OIDC provider client connect timeout in milliseconds")
    private long oidcProviderClientConnectTimeout;

    @Value("${dev.dsf.server.auth.oidc.provider.client.idleTimeout:30000}")
    @Documentation(description = "OIDC provider client idle timeout in milliseconds")
    private long oidcProviderClientIdleTimeout;

    @Value("${dev.dsf.server.auth.oidc.provider.client.trust.server.certificate.cas:#{null}}")
    @Documentation(description = "PEM encoded file with one or more trusted root certificates to validate server certificates for https connections to the OIDC provider", recommendation = "Use docker secret file to configure", example = "/run/secrets/oidc_provider_trust_certificates.pem")
    private String oidcProviderClientTrustCertificatesFile;

    @Value("${dev.dsf.server.auth.oidc.provider.client.certificate:#{null}}")
    @Documentation(description = "PEM encoded file with client certificate for https connections to the OIDC provider", recommendation = "Use docker secret file to configure", example = "/run/secrets/oidc_provider_client_certificate.pem")
    private String oidcProviderClientCertificateFile;

    @Value("${dev.dsf.server.auth.oidc.provider.client.certificate.private.key:#{null}}")
    @Documentation(description = "Private key corresponding to the client certificate for the OIDC provider as PEM encoded file. Use *${env_variable}_PASSWORD* or *${env_variable}_PASSWORD_FILE* if private key is encrypted", recommendation = "Use docker secret file to configure", example = "/run/secrets/oidc_provider_client_certificate_private_key.pem")
    private String oidcProviderClientCertificatePrivateKeyFile;

    @Value("${dev.dsf.server.auth.oidc.provider.client.certificate.private.key.password:#{null}}")
    @Documentation(description = "Password to decrypt the client certificate for the OIDC provider encrypted private key", recommendation = "Use docker secret file to configure using *${env_variable}_FILE*", example = "/run/secrets/oidc_provider_client_certificate_private_key.pem.password")
    private char[] oidcProviderClientCertificatePrivateKeyPassword;

    @Value("${dev.dsf.server.auth.oidc.client.id:#{null}}")
    @Documentation(description = "OIDC provider client_id, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled")
    private String oidcClientId;

    @Value("${dev.dsf.server.auth.oidc.client.secret:#{null}}")
    @Documentation(description = "OIDC provider client_secret, must be specified if *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* is enabled")
    private String oidcClientSecret;

    @Value("${dev.dsf.server.auth.oidc.back.channel.logout:false}")
    @Documentation(description = "Set to `true` to enable OIDC back-channel logout", recommendation = "Requires *DEV_DSF_SERVER_AUTH_OIDC_AUTHORIZATION_CODE_FLOW* to be set to `true` (enabled), *DEV_DSF_SERVER_AUTH_OIDC_CLIENT_ID* and *DEV_DSF_SERVER_AUTH_OIDC_BACK_CHANNEL_LOGOUT_PATH* to be specified")
    private boolean oidcBackChannelLogoutEnabled;

    @Value("${dev.dsf.server.auth.oidc.back.channel.logout.path:/back-channel-logout}")
    @Documentation(description = "Path called by the OIDC provide to request back-channel logout")
    private String oidcBackChannelPath;

    @Value("${dev.dsf.proxy.url:#{null}}")
    private String proxyUrl;

    @Value("${dev.dsf.proxy.username:#{null}}")
    private String proxyUsername;

    @Value("${dev.dsf.proxy.password:#{null}}")
    private char[] proxyPassword;

    @Value("#{'${dev.dsf.proxy.noProxy:}'.trim().split('(,[ ]?)|(\\\\n)')}")
    private List<String> proxyNoProxy;

    protected abstract Function<Server, Connector> apiConnector();

    protected abstract String mavenServerModuleName();

    protected abstract List<Class<? extends ServletContainerInitializer>> servletContainerInitializers();

    /* JADX INFO: Access modifiers changed from: protected */
    public final Function<Server, Connector> httpApiConnector() {
        return JettyServer.httpConnector(this.apiHost, this.apiPort, this.clientCertificateHeaderName);
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public final Function<Server, Connector> httpsApiConnector() {
        char[] charArray = UUID.randomUUID().toString().toCharArray();
        return JettyServer.httpsConnector(this.apiHost, this.apiPort, clientCertificateTrustStore(), serverCertificateKeyStore(charArray), charArray, (this.oidcAuthorizationCodeFlowEnabled || this.oidcBearerTokenEnabled) ? false : true);
    }

    protected final Function<Server, Connector> statusConnector() {
        return JettyServer.statusConnector(this.statusHost, this.statusPort);
    }

    @Bean
    public static PropertySourcesPlaceholderConfigurer propertySourcesPlaceholderConfigurer(ConfigurableEnvironment configurableEnvironment) {
        new DockerSecretsPropertySourceFactory(configurableEnvironment).readDockerSecretsAndAddPropertiesToEnvironment();
        return new PropertySourcesPlaceholderConfigurer();
    }

    @Bean
    public JettyServer jettyServer(ConfigurableEnvironment configurableEnvironment) {
        org.springframework.core.env.PropertySource propertySource = configurableEnvironment.getPropertySources().get("URL [file:conf/jetty.properties]");
        return new JettyServer(apiConnector(), statusConnector(), mavenServerModuleName(), this.contextPath, servletContainerInitializers(), propertySource == null ? Collections.emptyMap() : (Map) ((Properties) propertySource.getSource()).entrySet().stream().collect(Collectors.toMap(entry -> {
            return Objects.toString(entry.getKey());
        }, entry2 -> {
            return Objects.toString(entry2.getValue());
        })), clientCertificateTrustStore(), this::configureSecurityHandler);
    }

    private KeyStore serverCertificateKeyStore(char[] cArr) {
        try {
            return readKeyStore(checkFile(this.serverCertificateFile, "Server certificate file"), checkOptionalFile(this.serverCertificateChainFile, "Server certificate chain file"), checkFile(this.serverCertificateKeyFile, "Server certificate key file"), this.serverCertificateKeyFilePassword, cArr);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException | PKCSException e) {
            throw new RuntimeException(e);
        }
    }

    private KeyStore readKeyStore(Path path, Path path2, Path path3, char[] cArr, char[] cArr2) throws IOException, PKCSException, CertificateException, KeyStoreException, NoSuchAlgorithmException {
        PrivateKey readPrivateKeyFromPem = PemIo.readPrivateKeyFromPem(path3, cArr);
        X509Certificate readX509CertificateFromPem = PemIo.readX509CertificateFromPem(path);
        ArrayList arrayList = new ArrayList();
        arrayList.add(readX509CertificateFromPem);
        if (path2 != null) {
            InputStream newInputStream = Files.newInputStream(path2, new OpenOption[0]);
            try {
                arrayList.addAll(CertificateFactory.getInstance("X509").generateCertificates(newInputStream));
                if (newInputStream != null) {
                    newInputStream.close();
                }
            } catch (Throwable th) {
                if (newInputStream != null) {
                    try {
                        newInputStream.close();
                    } catch (Throwable th2) {
                        th.addSuppressed(th2);
                    }
                }
                throw th;
            }
        }
        return CertificateHelper.toJksKeyStore(readPrivateKeyFromPem, (Certificate[]) arrayList.toArray(i -> {
            return new Certificate[i];
        }), UUID.randomUUID().toString(), cArr2);
    }

    private KeyStore clientCertificateTrustStore() {
        try {
            return CertificateReader.allFromCer(checkFile(this.clientCertificateTrustStoreFile, "Client certificate trust store file"));
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException(e);
        }
    }

    private Path checkFile(String str, String str2) throws IOException {
        if (str == null || str.isBlank()) {
            throw new RuntimeException(str2 + " not defined");
        }
        Path path = Paths.get(str, new String[0]);
        if (Files.isReadable(path)) {
            return path;
        }
        throw new IOException(str2 + " '" + path.toAbsolutePath().toString() + "' not readable");
    }

    private Path checkOptionalFile(String str, String str2) throws IOException {
        if (str == null || str.isBlank()) {
            return null;
        }
        Path path = Paths.get(str, new String[0]);
        if (Files.isReadable(path)) {
            return path;
        }
        throw new IOException(str2 + " '" + path.toAbsolutePath().toString() + "' not readable");
    }

    /* JADX WARN: Multi-variable type inference failed */
    /* JADX WARN: Type inference failed for: r1v22, types: [java.util.EventListener] */
    private void configureSecurityHandler(WebAppContext webAppContext) {
        SessionHandler sessionHandler = webAppContext.getSessionHandler();
        DsfLoginService dsfLoginService = new DsfLoginService(webAppContext);
        DsfOpenIdConfiguration dsfOpenIdConfiguration = null;
        OpenIdAuthenticator openIdAuthenticator = null;
        DsfOpenIdLoginService dsfOpenIdLoginService = null;
        BearerTokenAuthenticator bearerTokenAuthenticator = null;
        BackChannelLogoutAuthenticator backChannelLogoutAuthenticator = null;
        if (this.oidcAuthorizationCodeFlowEnabled || this.oidcBearerTokenEnabled || this.oidcBackChannelLogoutEnabled) {
            dsfOpenIdConfiguration = new DsfOpenIdConfiguration(this.oidcProviderRealmBaseUrl, this.oidcClientId, this.oidcClientSecret, createOidcClient(), this.oidcBackChannelLogoutEnabled, this.oidcBearerTokenEnabled);
            if (this.oidcAuthorizationCodeFlowEnabled) {
                if (this.oidcProviderRealmBaseUrl == null) {
                    throw propertyNotDefined("dev.dsf.server.auth.oidc.provider.realm.base.url").get();
                }
                if (this.oidcClientId == null) {
                    throw propertyNotDefined("dev.dsf.server.auth.oidc.client.id").get();
                }
                if (this.oidcClientSecret == null) {
                    throw propertyNotDefined("dev.dsf.server.auth.oidc.client.secret").get();
                }
                openIdAuthenticator = new OpenIdAuthenticator(dsfOpenIdConfiguration);
                logger.info("OIDC authorization code flow enabled");
            }
            if (this.oidcBearerTokenEnabled) {
                if (this.oidcProviderRealmBaseUrl == null) {
                    throw propertyNotDefined("dev.dsf.server.auth.oidc.provider.realm.base.url").get();
                }
                bearerTokenAuthenticator = new BearerTokenAuthenticator(dsfOpenIdConfiguration);
                logger.info("OIDC bearer token enabled");
            }
            if (this.oidcBackChannelLogoutEnabled) {
                if (!this.oidcAuthorizationCodeFlowEnabled) {
                    throw propertyNotDefinedTrue("dev.dsf.server.auth.oidc.authorization.code.flow").get();
                }
                if (this.oidcClientId == null) {
                    throw propertyNotDefined("dev.dsf.server.auth.oidc.client.id").get();
                }
                if (this.oidcBackChannelPath == null) {
                    throw propertyNotDefined("dev.dsf.server.auth.oidc.back.channel.logout.path").get();
                }
                backChannelLogoutAuthenticator = new BackChannelLogoutAuthenticator(dsfOpenIdConfiguration, this.oidcBackChannelPath);
                logger.info("OIDC back-channel logout enabled");
            }
            dsfOpenIdLoginService = new DsfOpenIdLoginService(dsfOpenIdConfiguration, dsfLoginService);
        }
        DsfSecurityHandler dsfSecurityHandler = new DsfSecurityHandler(dsfLoginService, new DelegatingAuthenticator(sessionHandler, new StatusPortAuthenticator(this.statusPort), new ClientCertificateAuthenticator(clientCertificateTrustStore()), bearerTokenAuthenticator, openIdAuthenticator, dsfOpenIdLoginService, backChannelLogoutAuthenticator), dsfOpenIdConfiguration);
        dsfSecurityHandler.setSessionRenewedOnAuthentication(true);
        webAppContext.setSecurityHandler(dsfSecurityHandler);
        sessionHandler.addEventListener(backChannelLogoutAuthenticator);
    }

    private Supplier<RuntimeException> propertyNotDefined(String str) {
        return () -> {
            return new RuntimeException("Property " + str + " not defined (environment variable " + propertyToEnvironmentVariableName(str) + ")");
        };
    }

    private Supplier<RuntimeException> propertyNotDefinedTrue(String str) {
        return () -> {
            return new RuntimeException("Property " + str + " not defined as 'true' (environment variable " + propertyToEnvironmentVariableName(str) + ")");
        };
    }

    private String propertyToEnvironmentVariableName(String str) {
        return str.toUpperCase(Locale.ENGLISH).replace('.', '_');
    }

    private Duration oidcClientIdleTimeout() {
        if (this.oidcProviderClientIdleTimeout >= 0) {
            return Duration.of(this.oidcProviderClientIdleTimeout, ChronoUnit.MILLIS);
        }
        return null;
    }

    private Duration oidcClientConnectTimeout() {
        if (this.oidcProviderClientConnectTimeout >= 0) {
            return Duration.of(this.oidcProviderClientConnectTimeout, ChronoUnit.MILLIS);
        }
        return null;
    }

    private ProxyConfiguration.Proxy oidcClientProxy() {
        ProxyConfigImpl proxyConfigImpl = new ProxyConfigImpl(this.proxyUrl, this.proxyUsername, this.proxyPassword, this.proxyNoProxy);
        if (proxyConfigImpl.getUrl() == null || !proxyConfigImpl.isNoProxyUrl(this.oidcProviderRealmBaseUrl)) {
            return null;
        }
        try {
            URL url = new URL(proxyConfigImpl.getUrl());
            return new HttpProxy(new Origin.Address(url.getHost(), url.getPort() < 0 ? url.getDefaultPort() : url.getPort()), "https".equals(url.getProtocol()));
        } catch (MalformedURLException e) {
            throw new RuntimeException(e);
        }
    }

    private HttpClient createOidcClient() {
        char[] charArray = UUID.randomUUID().toString().toCharArray();
        KeyStore oidcProviderClientKeyStore = oidcProviderClientKeyStore(charArray);
        SslContextFactory.Client client = new SslContextFactory.Client(false);
        if (oidcProviderClientTrustStore() != null) {
            client.setTrustStore(oidcProviderClientTrustStore());
        }
        if (oidcProviderClientKeyStore != null) {
            client.setKeyStore(oidcProviderClientKeyStore);
            client.setKeyStorePassword(String.valueOf(charArray));
        }
        ClientConnector clientConnector = new ClientConnector();
        clientConnector.setSslContextFactory(client);
        if (oidcClientIdleTimeout() != null) {
            clientConnector.setIdleTimeout(oidcClientIdleTimeout());
        }
        if (oidcClientConnectTimeout() != null) {
            clientConnector.setConnectTimeout(oidcClientConnectTimeout());
        }
        HttpClientWithGetRetry httpClientWithGetRetry = new HttpClientWithGetRetry(new HttpClientTransportOverHTTP(clientConnector), 5);
        if (oidcClientProxy() != null) {
            httpClientWithGetRetry.getProxyConfiguration().addProxy(oidcClientProxy());
        }
        return httpClientWithGetRetry;
    }

    private KeyStore oidcProviderClientTrustStore() {
        try {
            Path checkOptionalFile = checkOptionalFile(this.oidcProviderClientTrustCertificatesFile, "OIDC provider client certificate trust store file");
            if (checkOptionalFile == null) {
                return null;
            }
            return CertificateReader.allFromCer(checkOptionalFile);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException(e);
        }
    }

    private KeyStore oidcProviderClientKeyStore(char[] cArr) {
        try {
            Path checkOptionalFile = checkOptionalFile(this.oidcProviderClientCertificateFile, "OIDC provider client certificate file");
            Path checkOptionalFile2 = checkOptionalFile(this.oidcProviderClientCertificatePrivateKeyFile, "OIDC provider client certificate key file");
            if (checkOptionalFile == null && checkOptionalFile2 != null) {
                throw new IOException("OIDC provider client certificate key file defined but OIDC provider client certificate file not defined");
            }
            if (checkOptionalFile != null && checkOptionalFile2 == null) {
                throw new IOException("OIDC provider client certificate file defined but OIDC provider client certificate key file not defined");
            }
            if (checkOptionalFile == null || checkOptionalFile2 == null) {
                return null;
            }
            X509Certificate readX509CertificateFromPem = PemIo.readX509CertificateFromPem(checkOptionalFile);
            return CertificateHelper.toJksKeyStore(PemIo.readPrivateKeyFromPem(provider, checkOptionalFile2, this.oidcProviderClientCertificatePrivateKeyPassword), new Certificate[]{readX509CertificateFromPem}, CertificateHelper.getSubjectCommonName(readX509CertificateFromPem), cArr);
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException | PKCSException e) {
            throw new RuntimeException(e);
        }
    }
}
