package au.org.consumerdatastandards.client.cli.support;

import au.org.consumerdatastandards.client.ApiClient;
import au.org.consumerdatastandards.client.ApiException;
import ch.qos.logback.classic.Logger;
import com.fasterxml.jackson.core.type.TypeReference;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.gargoylesoftware.htmlunit.html.HtmlSubscript;
import com.google.inject.CreationException;
import gherkin.GherkinLanguageConstants;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URL;
import java.nio.charset.StandardCharsets;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import okhttp3.Credentials;
import okhttp3.OkHttpClient;
import okhttp3.tls.HandshakeCertificates;
import okhttp3.tls.HeldCertificate;
import org.apache.commons.lang3.StringUtils;
import org.apache.commons.net.util.Base64;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.jruby.ext.openssl.x509store.PEMInputOutput;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:BOOT-INF/classes/au/org/consumerdatastandards/client/cli/support/ApiUtil.class */
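/**
 * Builds a configured {@link ApiClient} from a set of {@link ApiClientOptions}: base URL,
 * user agent, bearer access token, optional mutual-TLS client certificate, optional proxy,
 * and the debugging / SSL-verification flags.
 *
 * <p>Every member is a stateless static helper; the class holds no mutable state.
 */
public class ApiUtil {
    private static final Logger LOGGER = (Logger) LoggerFactory.getLogger((Class<?>) ApiUtil.class);
    /** Scheme prefixes (upper-cased, trailing colon included) accepted in a proxy spec. */
    private static final List<String> VALID_PROXY_TYPES = Arrays.asList("HTTP:", "HTTPS:", "SOCKS:");
    /** Name of the JWT claim that is copied into the {@code x-cds-subject} header. */
    private static final String SUBJECT_CLAIM = "sub";
    /** PEM type suffix accepted for the mTLS private key ({@code PRIVATE KEY} or {@code RSA PRIVATE KEY}). */
    private static final String PEM_PRIVATE_KEY_SUFFIX = "PRIVATE KEY";
    private static final String PROXY_AUTH_HEADER = "Proxy-Authorization";
    private static final String INVALID_PROXY_MESSAGE = "Invalid proxy, please double check it.";
    private static final int MAX_PORT = 65535;

    /**
     * Creates and configures an {@link ApiClient} according to {@code apiClientOptions}.
     *
     * @param apiClientOptions source of server URL, user agent, access token, mTLS, proxy and
     *     debugging / SSL-verification settings
     * @return a ready-to-use client
     * @throws ApiException if the server URL is unset or invalid, the access token is not a
     *     parseable JWT with a {@code sub} claim, the mTLS certificate or key cannot be loaded,
     *     or the proxy spec is malformed
     */
    public static ApiClient createApiClient(ApiClientOptions apiClientOptions) throws ApiException {
        String serverUrl = apiClientOptions.getServerUrl();
        if (StringUtils.isBlank(serverUrl)) {
            LOGGER.error("Server Base URL is currently unset, cannot proceed until it is specified using `server` command");
            throw new ApiException("Server URL not set, please use `server` command to set Server URL first");
        }
        if (!isValidUrl(serverUrl)) {
            LOGGER.error("Invalid server url of {} specified, please double check", serverUrl);
            throw new ApiException("Invalid Server URL, please double check it");
        }

        ApiClient apiClient = new ApiClient();
        apiClient.setBasePath(serverUrl);
        LOGGER.info("Server Base URL is set to {}", serverUrl);

        String userAgent = apiClientOptions.getUserAgent();
        if (StringUtils.isNotBlank(userAgent)) {
            apiClient.setUserAgent(userAgent);
            LOGGER.info("User Agent is set to {}", userAgent);
        }

        String accessToken = apiClientOptions.getAccessToken();
        if (StringUtils.isNotBlank(accessToken)) {
            // The token is a credential: it goes into the header and is never logged.
            apiClient.addDefaultHeader("Authorization", "Bearer " + accessToken);
            apiClient.addDefaultHeader("x-cds-subject", getSub(accessToken));
        }

        configureMtls(apiClient, apiClientOptions);

        String proxy = apiClientOptions.getProxy();
        if (StringUtils.isNotBlank(proxy)) {
            setProxy(apiClient, proxy);
            // The spec may carry "user:pass@" credentials; keep them out of the log.
            LOGGER.info("Proxy is set to {}", redactProxyCredentials(proxy));
        }

        apiClient.setDebugging(apiClientOptions.isDebugEnabled());
        LOGGER.info("Debugging is set to {}", Boolean.valueOf(apiClient.isDebugging()));
        apiClient.setVerifyingSsl(apiClientOptions.isVerifyingSsl());
        LOGGER.info("Verifying SSL is set to {}", Boolean.valueOf(apiClient.isVerifyingSsl()));
        if (!apiClient.isVerifyingSsl()) {
            // Make the weakened trust posture visible rather than burying it in an info line.
            LOGGER.warn("Server certificate verification is disabled; connections to {} are not protected against interception", serverUrl);
        }
        return apiClient;
    }

    /**
     * Installs an mTLS-capable HTTP client on {@code apiClient} when mTLS is enabled; otherwise
     * re-installs the client's own default HTTP client unchanged.
     *
     * @throws ApiException if the certificate/key settings are missing or the files cannot be
     *     read or parsed
     */
    private static void configureMtls(ApiClient apiClient, ApiClientOptions apiClientOptions) throws ApiException {
        OkHttpClient httpClient = apiClient.getHttpClient();
        if (!apiClientOptions.isMtlsEnabled()) {
            apiClient.setHttpClient(httpClient);
            LOGGER.info("Disabled MTLS");
            return;
        }
        validateClientCertSettings(apiClientOptions);
        try {
            X509Certificate clientCert = loadCertificate(apiClientOptions.getCertFilePath());
            PrivateKey clientKey = loadPrivateKey(apiClientOptions.getKeyFilePath());
            HeldCertificate heldCertificate = new HeldCertificate(new KeyPair(clientCert.getPublicKey(), clientKey), clientCert);
            // No intermediate certificates are sent along with the client certificate.
            apiClient.setHttpClient(buildHttpClient(httpClient, heldCertificate, new X509Certificate[0]));
            LOGGER.info("Enabled MTLS");
        } catch (CreationException | IOException | NoSuchAlgorithmException | CertificateException | InvalidKeySpecException e) {
            throw new ApiException(e);
        }
    }

    /**
     * Reads an X.509 certificate from {@code certFilePath}, closing the file afterwards.
     *
     * @throws CertificateException if the file does not hold a parseable X.509 certificate
     * @throws IOException if the file cannot be opened or closed
     */
    private static X509Certificate loadCertificate(String certFilePath) throws CertificateException, IOException {
        try (FileInputStream in = new FileInputStream(certFilePath)) {
            return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(in);
        }
    }

    /**
     * Extracts the {@code sub} claim from the payload segment of a JWT access token.
     *
     * <p>The signature is not checked here: the token is only inspected to fill the
     * {@code x-cds-subject} header, and the server is the party that validates it.
     *
     * @throws ApiException if the token has no payload segment, the payload is not a JSON
     *     object, or it carries no {@code sub} claim
     */
    private static String getSub(String accessToken) throws ApiException {
        String[] segments = accessToken.split("\\.");
        if (segments.length < 2) {
            throw new ApiException("Access token is not a JWT, cannot determine its subject");
        }
        String payloadJson = new String(Base64.decodeBase64(segments[1]), StandardCharsets.UTF_8);
        try {
            Map<String, Object> claims = new ObjectMapper().readValue(payloadJson, new TypeReference<HashMap<String, Object>>() {
            });
            Object subject = claims == null ? null : claims.get(SUBJECT_CLAIM);
            if (subject == null) {
                throw new ApiException("Access token has no '" + SUBJECT_CLAIM + "' claim");
            }
            return subject.toString();
        } catch (IOException e) {
            throw new ApiException(e);
        }
    }

    /**
     * Reads a PEM-encoded private key from {@code keyFilePath}, closing the file afterwards.
     *
     * <p>The PEM type must end in {@code PRIVATE KEY}; any algorithm prefix must be absent or
     * {@code RSA}. The block content is handed to the RSA {@link KeyFactory} as a
     * {@link PKCS8EncodedKeySpec}, so the key material itself has to be PKCS#8 encoded.
     *
     * @throws ApiException if the file holds no PEM block, the type is not a private key, or the
     *     algorithm prefix is something other than RSA
     * @throws IOException if the file cannot be opened, read or closed
     * @throws NoSuchAlgorithmException if no RSA key factory is available
     * @throws InvalidKeySpecException if the block content is not a PKCS#8 RSA key
     */
    private static PrivateKey loadPrivateKey(String keyFilePath) throws IOException, ApiException, NoSuchAlgorithmException, InvalidKeySpecException {
        PemObject pemObject;
        try (PemReader pemReader = new PemReader(new InputStreamReader(new FileInputStream(keyFilePath), StandardCharsets.UTF_8))) {
            pemObject = pemReader.readPemObject();
        }
        if (pemObject == null || !pemObject.getType().endsWith(PEM_PRIVATE_KEY_SUFFIX)) {
            // Hint at the PKCS#8 header: a PKCS#1 "RSA PRIVATE KEY" body is rejected further down.
            throw new ApiException("Invalid key file content - expecting first line similar to\n-----BEGIN PRIVATE KEY-----");
        }
        String algorithm = pemObject.getType().replace(PEM_PRIVATE_KEY_SUFFIX, "").trim();
        if (StringUtils.isNotBlank(algorithm) && !"RSA".equals(algorithm)) {
            throw new ApiException("Invalid algorithm for MTLS: " + algorithm);
        }
        return generateRSAPrivateKey(new PKCS8EncodedKeySpec(pemObject.getContent()));
    }

    /** Turns a key spec into an RSA {@link PrivateKey} via the default RSA {@link KeyFactory}. */
    private static PrivateKey generateRSAPrivateKey(KeySpec keySpec) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return KeyFactory.getInstance("RSA").generatePrivate(keySpec);
    }

    /**
     * Returns a copy of {@code baseClient} whose TLS setup trusts the platform CAs and, when
     * {@code heldCertificate} is non-null, presents it (plus {@code intermediates}) as the client
     * certificate.
     */
    private static OkHttpClient buildHttpClient(OkHttpClient baseClient, HeldCertificate heldCertificate, X509Certificate... intermediates) {
        HandshakeCertificates.Builder certsBuilder = new HandshakeCertificates.Builder().addPlatformTrustedCertificates();
        if (heldCertificate != null) {
            certsBuilder.heldCertificate(heldCertificate, intermediates);
        }
        HandshakeCertificates handshakeCertificates = certsBuilder.build();
        return baseClient.newBuilder()
                .sslSocketFactory(handshakeCertificates.sslSocketFactory(), handshakeCertificates.trustManager())
                .build();
    }

    /**
     * Checks that both the certificate and key file paths are set and point at existing files.
     *
     * @throws ApiException naming the missing setting or file
     */
    private static void validateClientCertSettings(ApiClientOptions apiClientOptions) throws ApiException {
        String certFilePath = apiClientOptions.getCertFilePath();
        String keyFilePath = apiClientOptions.getKeyFilePath();
        if (StringUtils.isBlank(certFilePath)) {
            throw new ApiException("Client certificate path is not set");
        }
        if (StringUtils.isBlank(keyFilePath)) {
            throw new ApiException("Key file path is not set");
        }
        requireExistingFile(certFilePath, "Certificate file");
        requireExistingFile(keyFilePath, "Key file");
    }

    /** Throws an {@link ApiException} mentioning {@code label} when {@code path} does not exist. */
    private static void requireExistingFile(String path, String label) throws ApiException {
        if (!new File(path).exists()) {
            throw new ApiException(label + " " + path + " cannot be found");
        }
    }

    /**
     * Installs a proxy on the client's HTTP client.
     *
     * <p>{@code none} (case-insensitive) disables proxying. Any other value must look like
     * {@code scheme://[user:pass@]host:port} with scheme {@code http}, {@code https} or
     * {@code socks}; see {@link #printProxyExamples()}.
     *
     * @throws ApiException if the spec is malformed (examples are logged first)
     */
    private static void setProxy(ApiClient apiClient, String proxySpec) throws ApiException {
        OkHttpClient.Builder builder = apiClient.getHttpClient().newBuilder();
        if ("none".equalsIgnoreCase(proxySpec)) {
            builder.proxy(Proxy.NO_PROXY);
        } else {
            configureProxy(builder, proxySpec);
        }
        apiClient.setHttpClient(builder.build());
    }

    /** Parses {@code proxySpec} and applies proxy address and optional proxy credentials to {@code builder}. */
    private static void configureProxy(OkHttpClient.Builder builder, String proxySpec) throws ApiException {
        String[] schemeAndRest = proxySpec.split("//");
        if (schemeAndRest.length != 2 || !VALID_PROXY_TYPES.contains(schemeAndRest[0].toUpperCase())) {
            throw invalidProxy();
        }
        String[] userInfoAndHost = schemeAndRest[1].split("@");
        if (userInfoAndHost.length > 2) {
            throw invalidProxy();
        }
        String[] hostAndPort = userInfoAndHost[userInfoAndHost.length - 1].split(":");
        if (hostAndPort.length != 2) {
            throw invalidProxy();
        }
        int port = parsePort(hostAndPort[1]);
        builder.proxy(new Proxy(getProxyType(schemeAndRest[0]), new InetSocketAddress(hostAndPort[0], port)));

        if (userInfoAndHost.length > 1) {
            String[] userAndPassword = userInfoAndHost[0].split(":", 2);
            if (userAndPassword.length != 2) {
                throw invalidProxy();
            }
            String credential = Credentials.basic(userAndPassword[0], userAndPassword[1]);
            builder.proxyAuthenticator((route, response) -> {
                if (response.request().header(PROXY_AUTH_HEADER) != null) {
                    // These credentials were already rejected; give up rather than retry forever.
                    return null;
                }
                return response.request().newBuilder().header(PROXY_AUTH_HEADER, credential).build();
            });
        }
    }

    /**
     * Validates a proxy port: digits only, no leading zero, within 1..65535.
     *
     * @throws ApiException if the text is not an acceptable port (examples are logged first)
     */
    private static int parsePort(String portText) throws ApiException {
        // The length cap keeps Integer.parseInt from overflowing on very long digit strings.
        if (!portText.matches("[1-9]\\d*") || portText.length() > 5) {
            throw invalidProxy();
        }
        int port = Integer.parseInt(portText);
        if (port > MAX_PORT) {
            throw invalidProxy();
        }
        return port;
    }

    /** Logs the accepted proxy forms and returns the exception the caller should throw. */
    private static ApiException invalidProxy() {
        printProxyExamples();
        return new ApiException(INVALID_PROXY_MESSAGE);
    }

    /**
     * Replaces any {@code user:pass@} part of a proxy spec with {@code ***@} so the spec can be
     * logged without leaking the proxy credentials. Specs without credentials are returned as-is.
     */
    private static String redactProxyCredentials(String proxySpec) {
        int schemeEnd = proxySpec.indexOf("//");
        int at = proxySpec.lastIndexOf('@');
        if (schemeEnd < 0 || at < schemeEnd) {
            return proxySpec;
        }
        return proxySpec.substring(0, schemeEnd + 2) + "***@" + proxySpec.substring(at + 1);
    }

    /** Maps the scheme part of a proxy spec to a {@link Proxy.Type}; anything but {@code socks:} is HTTP. */
    private static Proxy.Type getProxyType(String scheme) {
        return "socks:".equalsIgnoreCase(scheme) ? Proxy.Type.SOCKS : Proxy.Type.HTTP;
    }

    /** Logs the proxy spec forms that {@link #setProxy} accepts. */
    private static void printProxyExamples() {
        LOGGER.info("Valid proxy examples:");
        LOGGER.info("http://http.proxy:8080");
        LOGGER.info("https://https.proxy:8443");
        LOGGER.info("socks://socks.proxy:5500");
        LOGGER.info("http://user:pass@http.proxy:8080");
        LOGGER.info("https://user:pass@https.proxy:8443");
        LOGGER.info("socks://user:pass@socks.proxy:5500");
    }

    /**
     * Returns whether {@code candidate} starts with {@code http://} or {@code https://} and is a
     * well-formed {@link URL}. Failures are logged at error level.
     */
    private static boolean isValidUrl(String candidate) {
        String lowerCase = candidate.toLowerCase();
        boolean schemeOk = lowerCase.startsWith("https://") || lowerCase.startsWith("http://");
        if (!schemeOk) {
            LOGGER.error("Invalid scheme specified for server url, only https:// and http:// are supported");
            return false;
        }
        try {
            new URL(candidate);
        } catch (MalformedURLException e) {
            LOGGER.error("Specified URL of {} is malformed and exception caught: {}", candidate, e.getMessage());
            return false;
        }
        LOGGER.trace("Server URL of {} passes validation", candidate);
        return true;
    }
}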
