package com.predic8.membrane.core.transport.ssl.acme;

import com.fasterxml.jackson.core.JsonProcessingException;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.joda.JodaModule;
import com.predic8.membrane.core.Constants;
import com.predic8.membrane.core.interceptor.session.SessionManager;
import com.predic8.membrane.core.transport.ssl.AcmeSSLContext;
import com.predic8.membrane.core.transport.ssl.PEMSupport;
import com.predic8.membrane.core.transport.ssl.SSLContext;
import java.io.IOException;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.Optional;
import java.util.concurrent.atomic.AtomicReference;
import java.util.stream.Collectors;
import org.joda.time.DateTime;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/predic8/membrane/core/transport/ssl/acme/AcmeRenewal.class */
public class AcmeRenewal {
    private static final Logger LOG = LoggerFactory.getLogger(AcmeRenewal.class);
    private static final long ERROR_WAIT_MILLISECONDS = 300000;
    private static final long LEASE_DURATION_MILLISECONDS = 300000;
    private static final long LEASE_RENEW_MILLISECONDS = 240000;
    private final AcmeSynchronizedStorageEngine asse;
    private final String[] hosts;
    private final AcmeClient client;
    private final ObjectMapper om = new ObjectMapper().registerModule(new JodaModule());

    @FunctionalInterface
    /* loaded from: input_file:com/predic8/membrane/core/transport/ssl/acme/AcmeRenewal$Runnable.class */
    public interface Runnable {
        void run() throws Exception;
    }

    @FunctionalInterface
    /* loaded from: input_file:com/predic8/membrane/core/transport/ssl/acme/AcmeRenewal$Supplier.class */
    public interface Supplier<T> {
        T get() throws Exception;
    }

    public AcmeRenewal(AcmeClient acmeClient, String[] strArr) {
        this.client = acmeClient;
        this.asse = acmeClient.getAsse();
        this.hosts = strArr;
    }

    public void doWork() {
        if (requiresWork()) {
            withMasterLease(() -> {
                try {
                    tryGetCertificate();
                } catch (InterruptedException e) {
                    Thread.currentThread().interrupt();
                } catch (Exception e2) {
                    e2.printStackTrace();
                    try {
                        Thread.sleep(60000L);
                    } catch (InterruptedException e3) {
                        Thread.currentThread().interrupt();
                    }
                }
            });
        }
    }

    private void tryGetCertificate() throws Exception {
        this.client.loadDirectory();
        verifyAccountContact();
        if (getAccountURL() == null) {
            this.client.ensureAccountKeyExists();
            if (LOG.isDebugEnabled()) {
                LOG.debug("acme (" + id() + "): storing account URL");
            }
            setAccountURL(this.client.createAccount());
        }
        if (isOALExpiredOrError()) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("acme (" + id() + "): archiving OAL");
            }
            this.client.getAsse().archiveOAL(this.hosts);
        }
        if (getOAL() == null) {
            if (LOG.isDebugEnabled()) {
                LOG.debug("acme (" + id() + "): creating OAL");
            }
            setOAL(this.client.createOrder(getAccountURL(), Arrays.asList(this.hosts)));
        }
        AtomicReference<OrderAndLocation> atomicReference = new AtomicReference<>(getOAL());
        try {
            makeOrderValid(atomicReference);
            if (LOG.isDebugEnabled()) {
                LOG.debug("acme (" + id() + "): downloading certificate");
            }
            String downloadCertificate = this.client.downloadCertificate(getAccountURL(), this.hosts, atomicReference.get().getOrder().getCertificate());
            if (LOG.isDebugEnabled()) {
                LOG.debug("acme (" + id() + "): promoting key+cert to production");
            }
            this.asse.setKeyPair(this.hosts, this.client.getOALKey(this.hosts));
            this.asse.setCertChain(this.hosts, downloadCertificate);
            if (LOG.isDebugEnabled()) {
                LOG.debug("acme (" + id() + "): retiring OAL");
            }
            this.asse.archiveOAL(this.hosts);
        } catch (Exception e) {
            this.client.setOALError(this.hosts, new AcmeErrorLog(e.getClass().getName() + " " + e.getMessage(), e instanceof FatalAcmeException, new DateTime()));
            throw e;
        }
    }

    private void makeOrderValid(AtomicReference<OrderAndLocation> atomicReference) throws Exception {
        atomicReference.set(this.client.getOrder(getAccountURL(), atomicReference.get().getLocation()));
        if (LOG.isDebugEnabled()) {
            LOG.debug("acme (" + id() + "): order is " + atomicReference.get().getOrder().getStatus());
        }
        if ("pending".equals(atomicReference.get().getOrder().getStatus())) {
            fulfillChallenges(atomicReference.get());
            atomicReference.set(this.client.getOrder(getAccountURL(), atomicReference.get().getLocation()));
            waitFor("order to become non-'PENDING'", () -> {
                return Boolean.valueOf(!"pending".equals(((OrderAndLocation) atomicReference.get()).getOrder().getStatus()));
            }, () -> {
                atomicReference.set(this.client.getOrder(getAccountURL(), ((OrderAndLocation) atomicReference.get()).getLocation()));
            });
            if (!Order.ORDER_STATUS_READY.equals(atomicReference.get().getOrder().getStatus())) {
                throw new FatalAcmeException("order status " + this.om.writeValueAsString(atomicReference));
            }
        }
        if (Order.ORDER_STATUS_READY.equals(atomicReference.get().getOrder().getStatus())) {
            if (this.client.getOALKey(this.hosts) == null) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("acme (" + id() + "): generating certificate key");
                }
                this.client.setOALKey(this.hosts, this.client.generateCertificateKey(this.hosts));
            }
            if (LOG.isDebugEnabled()) {
                LOG.debug("acme (" + id() + "): finalizing order");
            }
            this.client.finalizeOrder(getAccountURL(), atomicReference.get().getOrder().getFinalize(), this.client.generateCSR(this.hosts, this.client.getOALKey(this.hosts).getPrivateKey()));
        }
        waitFor("order to become 'VALID'", () -> {
            return Boolean.valueOf((Order.ORDER_STATUS_READY.equals(((OrderAndLocation) atomicReference.get()).getOrder().getStatus()) || "processing".equals(((OrderAndLocation) atomicReference.get()).getOrder().getStatus())) ? false : true);
        }, () -> {
            atomicReference.set(this.client.getOrder(getAccountURL(), ((OrderAndLocation) atomicReference.get()).getLocation()));
        });
        if (!"valid".equals(atomicReference.get().getOrder().getStatus())) {
            throw new FatalAcmeException("order status " + this.om.writeValueAsString(atomicReference));
        }
    }

    private String id() {
        return this.hosts[0] + (this.hosts.length > 1 ? ",..." : Constants.EMPTY_STRING);
    }

    private void fulfillChallenges(OrderAndLocation orderAndLocation) throws Exception {
        for (String str : orderAndLocation.getOrder().getAuthorizations()) {
            AtomicReference atomicReference = new AtomicReference(this.client.getAuth(getAccountURL(), str));
            AtomicReference atomicReference2 = new AtomicReference(getChallenge((Authorization) atomicReference.get()));
            if (LOG.isDebugEnabled()) {
                LOG.debug("acme (" + id() + "): authorization is " + ((Authorization) atomicReference.get()).getStatus() + ", challenge is " + ((Challenge) atomicReference2.get()).getStatus());
            }
            if ("pending".equals(((Challenge) atomicReference2.get()).getStatus())) {
                if (LOG.isDebugEnabled()) {
                    LOG.debug("acme (" + id() + "): provisioning challenge " + ((Authorization) atomicReference.get()).getIdentifier().getValue());
                }
                String provision = this.client.provision((Authorization) atomicReference.get());
                if (LOG.isDebugEnabled()) {
                    LOG.debug("acme (" + id() + "): triggering challenge check " + ((Authorization) atomicReference.get()).getIdentifier().getValue());
                }
                this.client.readyForChallenge(getAccountURL(), provision);
            }
            waitFor("challenge and authorization to become non-'PENDING'", () -> {
                return Boolean.valueOf(("pending".equals(((Challenge) atomicReference2.get()).getStatus()) && "pending".equals(((Authorization) atomicReference.get()).getStatus())) ? false : true);
            }, () -> {
                atomicReference.set(this.client.getAuth(getAccountURL(), str));
                atomicReference2.set(getChallenge((Authorization) atomicReference.get()));
            });
            if (!"valid".equals(((Challenge) atomicReference2.get()).getStatus())) {
                throw new FatalAcmeException(((Challenge) atomicReference2.get()).getStatus() + " during " + this.om.writeValueAsString(atomicReference));
            }
            if (!"valid".equals(((Authorization) atomicReference.get()).getStatus())) {
                throw new FatalAcmeException(((Authorization) atomicReference.get()).getStatus() + " during " + this.om.writeValueAsString(atomicReference));
            }
        }
    }

    private void waitFor(String str, Supplier<Boolean> supplier, Runnable runnable) throws Exception {
        if (LOG.isDebugEnabled()) {
            LOG.debug("acme (" + id() + "): waiting for " + str);
        }
        long currentTimeMillis = System.currentTimeMillis();
        long j = 1000;
        while (!supplier.get().booleanValue()) {
            Thread.sleep(j);
            if (j < 20000) {
                j *= 2;
            }
            runnable.run();
            if (System.currentTimeMillis() - currentTimeMillis > AcmeSSLContext.RENEW_PERIOD) {
                throw new RuntimeException("Timeout (5min) while waiting for " + str + ".");
            }
        }
    }

    private Challenge getChallenge(Authorization authorization) throws JsonProcessingException, FatalAcmeException {
        Optional<Challenge> findAny = authorization.getChallenges().stream().filter(challenge -> {
            return this.client.getChallengeType().equals(challenge.getType());
        }).findAny();
        if (findAny.isPresent()) {
            return findAny.get();
        }
        throw new FatalAcmeException("Could not find challenge of type http01: " + this.om.writeValueAsString(authorization));
    }

    private void verifyAccountContact() {
        String str = (String) this.client.getContacts().stream().collect(Collectors.joining(SessionManager.SESSION_VALUE_SEPARATOR));
        if (this.asse.getAccountContacts() == null) {
            this.asse.setAccountContacts(str);
        } else if (!str.equals(this.asse.getAccountContacts())) {
            throw new RuntimeException("It looks like you pointed an ACME client configured with '" + str + "' as contact to a storage where a key for '" + this.asse.getAccountContacts() + "' is present.");
        }
    }

    private OrderAndLocation getOAL() throws JsonProcessingException {
        String oal = this.asse.getOAL(this.hosts);
        if (oal == null) {
            return null;
        }
        return (OrderAndLocation) this.om.readValue(oal, OrderAndLocation.class);
    }

    private void setOAL(OrderAndLocation orderAndLocation) throws JsonProcessingException {
        this.asse.setOAL(this.hosts, this.om.writeValueAsString(orderAndLocation));
    }

    private String getAccountURL() {
        return this.asse.getAccountURL();
    }

    private void setAccountURL(String str) {
        this.asse.setAccountURL(str);
    }

    private boolean requiresWork() {
        String certificates = this.client.getCertificates(this.hosts);
        if (certificates == null) {
            return true;
        }
        try {
            ArrayList arrayList = new ArrayList(PEMSupport.getInstance().parseCertificates(certificates));
            if (arrayList.size() == 0) {
                return true;
            }
            return System.currentTimeMillis() > SSLContext.getMinimumValidity(arrayList) - AcmeSSLContext.RENEW_PERIOD;
        } catch (IOException e) {
            LOG.warn("Error parsing ACME certificate " + Arrays.toString(this.hosts), e);
            return true;
        }
    }

    private boolean isOALExpiredOrError() throws JsonProcessingException {
        OrderAndLocation oal = getOAL();
        if (oal != null && oal.getOrder().getExpires().isAfterNow()) {
            return true;
        }
        AcmeErrorLog oALError = this.client.getOALError(this.hosts);
        if (oALError == null) {
            return false;
        }
        long millis = (oALError.getTime().getMillis() + AcmeSSLContext.RENEW_PERIOD) - System.currentTimeMillis();
        if (millis <= 0) {
            return true;
        }
        try {
            LOG.warn("Waiting " + (millis / 1000) + " seconds after ACME order error...");
            Thread.sleep(millis);
            return true;
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            return true;
        }
    }

    private boolean withMasterLease(final Runnable runnable) {
        if (!this.client.getAsse().acquireLease(AcmeSSLContext.RENEW_PERIOD)) {
            return false;
        }
        final AtomicReference atomicReference = new AtomicReference();
        Thread thread = new Thread() { // from class: com.predic8.membrane.core.transport.ssl.acme.AcmeRenewal.1
            @Override // java.lang.Thread, java.lang.Runnable
            public void run() {
                try {
                    runnable.run();
                } catch (InterruptedException e) {
                } catch (Throwable th) {
                    atomicReference.set(th);
                }
            }
        };
        thread.start();
        do {
            try {
                thread.join(LEASE_RENEW_MILLISECONDS);
                if (!thread.isAlive()) {
                    this.client.getAsse().releaseLease();
                    if (atomicReference.get() == null) {
                        return true;
                    }
                    throw new RuntimeException((Throwable) atomicReference.get());
                    break;
                }
            } catch (InterruptedException e) {
                thread.interrupt();
                Thread.currentThread().interrupt();
            }
        } while (this.client.getAsse().prolongLease(AcmeSSLContext.RENEW_PERIOD));
        thread.interrupt();
        return true;
    }
}
