package io.gravitee.node.certificates.file;

import com.sun.nio.file.SensitivityWatchEventModifier;
import io.gravitee.common.util.KeyStoreUtils;
import io.gravitee.node.api.certificate.AbstractStoreLoaderOptions;
import io.gravitee.node.api.certificate.KeyStoreEvent;
import io.gravitee.node.api.certificate.KeyStoreProcessingException;
import io.gravitee.node.certificates.AbstractKeyStoreLoader;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.nio.file.FileSystem;
import java.nio.file.FileSystems;
import java.nio.file.Path;
import java.nio.file.StandardWatchEventKinds;
import java.nio.file.WatchEvent;
import java.nio.file.WatchKey;
import java.nio.file.WatchService;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.UnrecoverableEntryException;
import java.security.cert.CertificateException;
import java.util.ArrayList;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.Objects;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.TimeUnit;
import java.util.function.Predicate;
import java.util.stream.Stream;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:io/gravitee/node/certificates/file/AbstractFileKeyStoreLoader.class */
public abstract class AbstractFileKeyStoreLoader<O extends AbstractStoreLoaderOptions> extends AbstractKeyStoreLoader<O> {
    private static final Logger log = LoggerFactory.getLogger(AbstractFileKeyStoreLoader.class);
    private final ExecutorService executor;
    private final List<Path> filesToWatch;
    private boolean started;
    private KeyStore keyStore;

    /* JADX INFO: Access modifiers changed from: protected */
    /* loaded from: input_file:io/gravitee/node/certificates/file/AbstractFileKeyStoreLoader$LoadResult.class */
    public static final class LoadResult extends Record {
        private final KeyStore keyStore;
        private final List<Path> paths;

        /* JADX INFO: Access modifiers changed from: protected */
        public LoadResult(KeyStore keyStore, List<Path> list) {
            this.keyStore = keyStore;
            this.paths = list;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, LoadResult.class), LoadResult.class, "keyStore;paths", "FIELD:Lio/gravitee/node/certificates/file/AbstractFileKeyStoreLoader$LoadResult;->keyStore:Ljava/security/KeyStore;", "FIELD:Lio/gravitee/node/certificates/file/AbstractFileKeyStoreLoader$LoadResult;->paths:Ljava/util/List;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, LoadResult.class), LoadResult.class, "keyStore;paths", "FIELD:Lio/gravitee/node/certificates/file/AbstractFileKeyStoreLoader$LoadResult;->keyStore:Ljava/security/KeyStore;", "FIELD:Lio/gravitee/node/certificates/file/AbstractFileKeyStoreLoader$LoadResult;->paths:Ljava/util/List;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, LoadResult.class, Object.class), LoadResult.class, "keyStore;paths", "FIELD:Lio/gravitee/node/certificates/file/AbstractFileKeyStoreLoader$LoadResult;->keyStore:Ljava/security/KeyStore;", "FIELD:Lio/gravitee/node/certificates/file/AbstractFileKeyStoreLoader$LoadResult;->paths:Ljava/util/List;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public KeyStore keyStore() {
            return this.keyStore;
        }

        public List<Path> paths() {
            return this.paths;
        }
    }

    /* JADX INFO: Access modifiers changed from: protected */
    public AbstractFileKeyStoreLoader(O o) {
        super(o);
        this.executor = Executors.newSingleThreadExecutor(runnable -> {
            return new Thread(runnable, "gio.file-cert-watcher");
        });
        this.filesToWatch = new ArrayList();
    }

    public void start() {
        log.debug("Initializing file keystore certificates.");
        load();
        this.started = true;
        if (!this.options.isWatch() || this.filesToWatch.isEmpty()) {
            return;
        }
        try {
            startWatch(prepareWatch());
        } catch (IOException e) {
            log.error("Unable to watch the keystore files.", e);
        }
    }

    public void stop() {
        this.started = false;
        this.executor.shutdown();
    }

    final void load() {
        if (this.options.getType().equalsIgnoreCase("JKS") || this.options.getType().equalsIgnoreCase("PKCS12")) {
            LoadResult loadFromKeyStore = loadFromKeyStore();
            this.keyStore = loadFromKeyStore.keyStore();
            setFilesToWatch(loadFromKeyStore.paths());
        } else if (this.options.getType().equalsIgnoreCase("PEM") || this.options.getType().equalsIgnoreCase("PEM-FOLDER")) {
            LoadResult loadFromPems = loadFromPems();
            this.keyStore = loadFromPems.keyStore();
            setFilesToWatch(loadFromPems.paths());
        }
        if (this.keyStore != null) {
            onEvent(new KeyStoreEvent.LoadEvent(id(), this.keyStore, getPassword()));
        }
    }

    protected String getDefaultAlias() {
        return null;
    }

    protected abstract LoadResult loadFromPems();

    protected LoadResult loadFromKeyStore() {
        if (this.options.getPaths() == null || this.options.getPaths().isEmpty()) {
            throw new KeyStoreProcessingException(getKeyStoreLoadingErrorMessage());
        }
        log.info("loading keystore from locations: {}", this.options.getPaths());
        Stream stream = this.options.getPaths().stream();
        FileSystem fileSystem = FileSystems.getDefault();
        Objects.requireNonNull(fileSystem);
        List list = stream.map(str -> {
            return fileSystem.getPath(str, new String[0]);
        }).toList();
        return new LoadResult(list.size() == 1 ? KeyStoreUtils.initFromPath(this.options.getType(), ((Path) list.get(0)).toString(), getPassword()) : merge(list.stream().map(path -> {
            return KeyStoreUtils.initFromPath(this.options.getType(), path.toString(), getPassword());
        }).toList()), list);
    }

    private KeyStore merge(List<KeyStore> list) {
        try {
            char[] passwordToCharArray = KeyStoreUtils.passwordToCharArray(getPassword());
            KeyStore.PasswordProtection passwordProtection = new KeyStore.PasswordProtection(passwordToCharArray);
            KeyStore keyStore = KeyStore.getInstance(this.options.getType());
            keyStore.load(null, passwordToCharArray);
            for (KeyStore keyStore2 : list) {
                Iterator it = Collections.list(keyStore2.aliases()).iterator();
                while (it.hasNext()) {
                    String str = (String) it.next();
                    if (keyStore.containsAlias(str)) {
                        throw new IllegalArgumentException("Alias '%s' exists is duplicate in loaded trust stores");
                    }
                    if (keyStore2.isCertificateEntry(str)) {
                        keyStore.setEntry(str, keyStore2.getEntry(str, null), null);
                    } else {
                        keyStore.setEntry(str, keyStore2.getEntry(str, passwordProtection), passwordProtection);
                    }
                }
            }
            return keyStore;
        } catch (IOException | KeyStoreException | NoSuchAlgorithmException | UnrecoverableEntryException | CertificateException e) {
            throw new IllegalArgumentException("cannot merge truststores", e);
        }
    }

    protected abstract String getKeyStoreLoadingErrorMessage();

    private WatchService prepareWatch() throws IOException {
        WatchService newWatchService = FileSystems.getDefault().newWatchService();
        Iterator it = this.filesToWatch.stream().map((v0) -> {
            return v0.getParent();
        }).distinct().toList().iterator();
        while (it.hasNext()) {
            ((Path) it.next()).register(newWatchService, new WatchEvent.Kind[]{StandardWatchEventKinds.ENTRY_MODIFY}, SensitivityWatchEventModifier.HIGH);
        }
        return newWatchService;
    }

    private void startWatch(WatchService watchService) {
        this.executor.execute(() -> {
            try {
                log.info("Start watching files in: {}", this.filesToWatch.stream().map((v0) -> {
                    return v0.getParent();
                }).distinct().toList());
                while (this.started) {
                    WatchKey poll = watchService.poll(200L, TimeUnit.MILLISECONDS);
                    if (poll != null) {
                        if (poll.pollEvents().stream().map(watchEvent -> {
                            return (Path) watchEvent.context();
                        }).filter(watchGuard()).findFirst().isPresent()) {
                            load();
                        }
                        if (!poll.reset()) {
                            break;
                        }
                    }
                }
            } catch (InterruptedException e) {
                log.info("Watch for keystore files has been stopped.");
            }
        });
    }

    protected Predicate<Path> watchGuard() {
        return path -> {
            Stream<R> map = this.filesToWatch.stream().map((v0) -> {
                return v0.getFileName();
            });
            Objects.requireNonNull(path);
            return map.anyMatch((v1) -> {
                return r1.equals(v1);
            });
        };
    }

    private void setFilesToWatch(List<Path> list) {
        if (this.filesToWatch.isEmpty()) {
            this.filesToWatch.addAll(list);
        }
    }
}
