package com.jetbrains.bundle.hub_client.util;

import com.jetbrains.bundle.hub_client.util.validation.ClientCertificateRequiredException;
import com.jetbrains.bundle.hub_client.util.validation.HubUrlRedirectionException;
import com.jetbrains.bundle.hub_client.util.validation.HubUrlValidationException;
import com.jetbrains.bundle.hub_client.util.validation.UntrustedServerCertificateException;
import com.jetbrains.service.util.ssl.CertRequestInfo;
import com.jetbrains.service.util.ssl.CompositeX509KeyManager;
import com.jetbrains.service.util.ssl.CompositeX509TrustManager;
import com.jetbrains.service.util.ssl.KeystoreUtil;
import java.io.IOException;
import java.security.InvalidKeyException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.NoSuchProviderException;
import java.security.SignatureException;
import java.security.UnrecoverableKeyException;
import java.security.cert.CertificateException;
import java.security.cert.X509Certificate;
import java.util.concurrent.ConcurrentHashMap;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLHandshakeException;
import javax.net.ssl.TrustManager;
import javax.ws.rs.RedirectionException;
import javax.ws.rs.client.ClientBuilder;
import jetbrains.jetpass.client.accounts.ServiceCredentialsValidationResult;
import jetbrains.jetpass.client.hub.HubClient;
import org.jetbrains.annotations.NotNull;
import org.jetbrains.annotations.Nullable;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:com/jetbrains/bundle/hub_client/util/HubClientProvider.class */
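/**
 * Builds, validates and caches {@link HubClient} instances, one per Hub base URL.
 *
 * <p>Every client is created with an {@link SSLContext} backed by composite key and trust
 * managers assembled by {@link KeystoreUtil} from the optional additional key store and an
 * in-memory temporary key store. A client is cached only after
 * {@code checkServiceCredentials()} reports {@code OK} or {@code SERVICE_CREDENTIALS_UNDEFINED};
 * every other outcome is reported as a {@link HubUrlValidationException} (or one of the more
 * specific exceptions thrown below).
 *
 * <p>Builds and cache updates are serialized on an internal monitor; the composite manager
 * fields are only reassigned from inside that monitor.
 */
public class HubClientProvider {
    private final Logger LOG = LoggerFactory.getLogger(getClass());
    private final ConcurrentHashMap<String, HubClient> hubClients = new ConcurrentHashMap<>();
    private final Object hubClientsMonitor = new Object();
    // Rebuilt on every buildHubClient() call, so they always describe the most recent build.
    private CompositeX509KeyManager compositeX509KeyManager;
    private CompositeX509TrustManager compositeX509TrustManager;
    private final KeyStore additionalKeyStore;
    // NOTE(review): the key password is held as a String for the lifetime of the provider and is
    // handed to KeystoreUtil on every rebuild; keep it out of logs and exception messages.
    private final String additionalHubKeyPassword;
    // Empty in-memory store; holds a rejected server certificate only while it is being probed.
    private final KeyStore temporaryKeyStore;
    private final int hubConnectionTimeoutInMillis;
    private final int hubReadTimeoutInMillis;

    /** Creates a provider without an additional key store. */
    public HubClientProvider() {
        this(null, null);
    }

    /**
     * Creates a provider.
     *
     * <p>Timeouts are read from the system properties {@code bundle.hub.connection.timeout} and
     * {@code bundle.hub.read.timeout}; each defaults to 15000 ms.
     *
     * @param keyStore optional additional key store passed to both composite managers
     * @param str optional password for the keys in {@code keyStore}
     * @throws RuntimeException if the temporary key store cannot be created
     */
    public HubClientProvider(@Nullable KeyStore keyStore, @Nullable String str) {
        this.hubConnectionTimeoutInMillis = Integer.getInteger("bundle.hub.connection.timeout", 15000);
        this.hubReadTimeoutInMillis = Integer.getInteger("bundle.hub.read.timeout", 15000);
        this.additionalKeyStore = keyStore;
        this.additionalHubKeyPassword = str;
        this.temporaryKeyStore = createTemporaryKeyStore();
    }

    /** Re-creates both composite managers from the current contents of the key stores. */
    private void rebuildCompositeManagers() throws NoSuchAlgorithmException, UnrecoverableKeyException, KeyStoreException, IOException, CertificateException {
        this.compositeX509KeyManager = KeystoreUtil.buildCompositeKeyManager(this.additionalKeyStore, this.additionalHubKeyPassword, this.temporaryKeyStore);
        this.compositeX509TrustManager = KeystoreUtil.buildCompositeTrustManager(new KeyStore[]{this.additionalKeyStore, this.temporaryKeyStore});
    }

    /** Creates the empty, in-memory key store of the platform default type. */
    private static KeyStore createTemporaryKeyStore() {
        try {
            KeyStore store = KeyStore.getInstance(KeyStore.getDefaultType());
            // load(null, null) initializes an empty store instead of reading one from a stream.
            store.load(null, null);
            return store;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | CertificateException e) {
            throw new RuntimeException("SSL settings exception: " + e.getMessage(), e);
        }
    }

    /**
     * Returns the cached client for the URL, building and validating one if none is cached.
     *
     * @param hubUrl Hub base URL, also used as the cache key
     * @throws HubUrlValidationException if a new client has to be built and validation fails
     */
    @NotNull
    public HubClient getHubClient(String hubUrl) throws HubUrlValidationException {
        return validateAndRememberHubClient(hubUrl, false);
    }

    /**
     * Returns a validated client for the URL and stores it in the cache.
     *
     * @param hubUrl Hub base URL, also used as the cache key
     * @param forceRevalidation when {@code true}, a cached client is ignored and replaced by a
     *     freshly built and validated one
     * @throws HubUrlValidationException if validation fails; the cache is left unchanged then
     */
    @NotNull
    public HubClient validateAndRememberHubClient(String hubUrl, boolean forceRevalidation) throws HubUrlValidationException {
        HubClient client = this.hubClients.get(hubUrl);
        if (client != null && !forceRevalidation) {
            return client;
        }
        synchronized (this.hubClientsMonitor) {
            // Re-check under the monitor: another thread may have built the client meanwhile.
            client = this.hubClients.get(hubUrl);
            if (client == null || forceRevalidation) {
                client = buildAndValidateHubClient(hubUrl);
                this.hubClients.put(hubUrl, client);
            }
            return client;
        }
    }

    /** Builds an unvalidated client for the URL using freshly rebuilt key and trust managers. */
    private HubClient buildHubClient(@NotNull String hubUrl) throws UnrecoverableKeyException, CertificateException, NoSuchAlgorithmException, KeyStoreException, IOException, KeyManagementException {
        rebuildCompositeManagers();
        // Request the "TLS" context explicitly: what the legacy "SSL" name resolves to is left to
        // the installed JSSE provider. The enabled protocol versions still come from the
        // provider/JVM configuration.
        SSLContext sslContext = SSLContext.getInstance("TLS");
        sslContext.init(new KeyManager[]{this.compositeX509KeyManager}, new TrustManager[]{this.compositeX509TrustManager}, null);
        ClientBuilder clientBuilder = ClientBuilder.newBuilder();
        clientBuilder.sslContext(sslContext);
        HubClient.HubClientBuilder hubClientBuilder = HubClient.Companion.builder(clientBuilder).baseUrl(hubUrl);
        hubClientBuilder.connectTimeout(Integer.valueOf(this.hubConnectionTimeoutInMillis));
        hubClientBuilder.readTimeout(Integer.valueOf(this.hubReadTimeoutInMillis));
        return hubClientBuilder.build();
    }

    /**
     * Builds a client and accepts it only if the service-credentials check reports {@code OK}
     * or {@code SERVICE_CREDENTIALS_UNDEFINED}.
     *
     * <p>On {@code CANT_CONNECT} caused by an {@link SSLHandshakeException}, the first
     * certificate of the chain the trust manager last checked is trusted for a single probe
     * request. The probe only classifies the failure: if it succeeds, the caller receives an
     * {@link UntrustedServerCertificateException} carrying the chain; the probing client is
     * never returned or cached.
     *
     * @throws HubUrlValidationException for every outcome other than an accepted client;
     *     unexpected exceptions are wrapped with status {@code OTHER}
     */
    private HubClient buildAndValidateHubClient(@NotNull String hubUrl) throws HubUrlValidationException {
        try {
            HubClient client = buildHubClient(hubUrl);
            ServiceCredentialsValidationResult result = client.getAccountsClient().checkServiceCredentials();
            switch (result.getStatus()) {
                case OK:
                case SERVICE_CREDENTIALS_UNDEFINED:
                    return client;
                case WRONG_URL: {
                    throwIfClientCertificateMissing(hubUrl, result);
                    Throwable cause = result.getCause();
                    if (cause instanceof RedirectionException) {
                        RedirectionException redirection = (RedirectionException) cause;
                        this.LOG.debug("RedirectionException in buildAndValidateHubClient. Hub url {}", hubUrl, redirection);
                        throw new HubUrlRedirectionException("Hub URL must not response with redirect: " + result.getMessage(), result.getStatus(), redirection);
                    }
                    break;
                }
                case CANT_CONNECT: {
                    X509Certificate[] rejectedChain = null;
                    if (result.getCause() instanceof SSLHandshakeException) {
                        rejectedChain = this.compositeX509TrustManager.getLastCheckedChain();
                    }
                    if (rejectedChain != null && rejectedChain.length > 0 && rejectedChain[0] != null) {
                        X509Certificate serverCertificate = rejectedChain[0];
                        String temporaryAlias = hubUrl + "-" + serverCertificate.getSerialNumber();
                        ServiceCredentialsValidationResult probeResult;
                        // NOTE(review): the probe talks to a server whose certificate was just
                        // rejected; what checkServiceCredentials() transmits is not visible
                        // here - confirm it carries nothing sensitive.
                        this.temporaryKeyStore.setCertificateEntry(temporaryAlias, serverCertificate);
                        try {
                            probeResult = buildHubClient(hubUrl).getAccountsClient().checkServiceCredentials();
                        } finally {
                            // Always drop the temporary trust entry. If the probe throws and the
                            // entry stays behind, the next rebuildCompositeManagers() would
                            // hand the untrusted certificate to the composite trust manager.
                            this.temporaryKeyStore.deleteEntry(temporaryAlias);
                        }
                        switch (probeResult.getStatus()) {
                            case OK:
                            case SERVICE_CREDENTIALS_UNDEFINED:
                                // The only obstacle was trust: report the chain to the caller.
                                X509Certificate[] fullChain = buildFullUntrustedChain(rejectedChain);
                                this.LOG.debug("UntrustedServerCertificateException in buildAndValidateHubClient. Hub url {}", hubUrl);
                                throw new UntrustedServerCertificateException("Server SSL certificate not trusted.", result.getStatus(), result.getCause(), fullChain, fullChain.length > rejectedChain.length);
                            case WRONG_URL:
                                // Without a missing client certificate the original
                                // CANT_CONNECT result is the one reported below.
                                throwIfClientCertificateMissing(hubUrl, probeResult);
                                break;
                            default:
                                result = probeResult;
                                break;
                        }
                    }
                    this.LOG.debug("Cannot connect to Hub url {}. Status {}: {}. Reason: {}", hubUrl, result.getStatus().name(), result.getStatus().getMessage(), result.getCause());
                    throw new HubUrlValidationException(result.getMessage(), result.getStatus(), result.getCause());
                }
                default:
                    break;
            }
            this.LOG.debug("Cannot use url {}. Status {}: {}. Reason: {}", hubUrl, result.getStatus().name(), result.getStatus().getMessage(), result.getCause());
            String message = result.getMessage();
            if (message != null && message.startsWith("Unknown target response")) {
                // Report only the fixed prefix, not whatever follows it in the message.
                message = "Unknown target response";
            }
            throw new HubUrlValidationException(message, result.getStatus(), result.getCause());
        } catch (HubUrlValidationException e) {
            this.LOG.debug("Rethrow HubUrlValidationException in buildAndValidateHubClient. Hub url {}", hubUrl, e);
            throw e;
        } catch (Exception e2) {
            this.LOG.debug("Exception in buildAndValidateHubClient. Hub url {}", hubUrl, e2);
            throw new HubUrlValidationException(e2.getMessage(), ServiceCredentialsValidationResult.Status.OTHER, e2);
        }
    }

    /**
     * Throws if the key manager's last certificate request was recorded without an alias, i.e.
     * a client certificate was requested and none was selected.
     */
    private void throwIfClientCertificateMissing(String hubUrl, ServiceCredentialsValidationResult result) throws ClientCertificateRequiredException {
        CertRequestInfo certRequest = this.compositeX509KeyManager.getLastCertRequestInfo();
        if (certRequest != null && certRequest.getAlias() == null) {
            this.LOG.debug("ClientCertificateRequiredException in buildAndValidateHubClient. Hub url {}", hubUrl);
            throw new ClientCertificateRequiredException("Client SSL certificate not found. Please, provide additional keystore with required certificate.", result.getStatus(), result.getCause(), certRequest);
        }
    }

    /**
     * Tries to complete the chain with the accepted issuer that signed its last certificate.
     *
     * @param x509CertificateArr chain as checked by the trust manager
     * @return the chain with the issuing certificate appended when an accepted issuer verifies
     *     the last certificate's signature; otherwise the chain unchanged (also when the last
     *     certificate is self-signed or the chain is empty)
     */
    private X509Certificate[] buildFullUntrustedChain(X509Certificate[] x509CertificateArr) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        if (x509CertificateArr.length == 0) {
            return x509CertificateArr;
        }
        X509Certificate last = x509CertificateArr[x509CertificateArr.length - 1];
        this.LOG.debug("Try to verify last certificate: {}", last.getSubjectDN().getName());
        if (isSelfSigned(last)) {
            this.LOG.debug("last certificate is self-signed!");
            return x509CertificateArr;
        }
        this.LOG.debug("Expected issuer: {}", last.getIssuerDN().getName());
        for (X509Certificate candidate : this.compositeX509TrustManager.getAcceptedIssuers()) {
            // The issuer of `last` is the certificate whose SUBJECT equals last's issuer name.
            // Comparing the candidate's issuer name instead only matches self-signed roots and
            // skips intermediate CAs present in the trust store. The name match is only a
            // pre-filter; the signature check below is what decides.
            if (candidate.getSubjectX500Principal().equals(last.getIssuerX500Principal())) {
                try {
                    last.verify(candidate.getPublicKey());
                    this.LOG.debug("Found! {}", candidate.getSubjectDN().getName());
                    X509Certificate[] extended = new X509Certificate[x509CertificateArr.length + 1];
                    System.arraycopy(x509CertificateArr, 0, extended, 0, x509CertificateArr.length);
                    extended[x509CertificateArr.length] = candidate;
                    return extended;
                } catch (InvalidKeyException | NoSuchProviderException | SignatureException e) {
                    // Same name but a different key: keep looking.
                    this.LOG.trace("Cannot verify with {}", candidate.getSubjectDN().getName());
                }
            }
        }
        return x509CertificateArr;
    }

    /** Returns whether the certificate's signature verifies against its own public key. */
    private boolean isSelfSigned(X509Certificate x509Certificate) throws CertificateException, NoSuchAlgorithmException, NoSuchProviderException {
        try {
            x509Certificate.verify(x509Certificate.getPublicKey());
            return true;
        } catch (InvalidKeyException | SignatureException e) {
            // A failed verification is the expected "not self-signed" answer, not an error.
            return false;
        }
    }
}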
