package io.camunda.operate.connect;

import co.elastic.clients.elasticsearch.ElasticsearchClient;
import co.elastic.clients.elasticsearch._types.ElasticsearchException;
import co.elastic.clients.elasticsearch.cluster.HealthResponse;
import co.elastic.clients.json.jackson.JacksonJsonpMapper;
import co.elastic.clients.transport.rest_client.RestClientTransport;
import io.camunda.operate.conditions.ElasticsearchCondition;
import io.camunda.operate.exceptions.OperateRuntimeException;
import io.camunda.operate.property.ElasticsearchProperties;
import io.camunda.operate.property.OperateElasticsearchProperties;
import io.camunda.operate.property.OperateProperties;
import io.camunda.operate.property.SslProperties;
import io.camunda.operate.util.RetryOperation;
import jakarta.annotation.PreDestroy;
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import org.apache.http.HttpHost;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.client.RestHighLevelClientBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;

@Conditional({ElasticsearchCondition.class})
@Configuration
/* loaded from: input_file:io/camunda/operate/connect/ElasticsearchConnector.class */
public class ElasticsearchConnector {
    private static final Logger LOGGER = LoggerFactory.getLogger(ElasticsearchConnector.class);

    @Autowired
    private OperateProperties operateProperties;
    private ElasticsearchClient elasticsearchClient;

    public static void closeEsClient(RestHighLevelClient restHighLevelClient) {
        if (restHighLevelClient != null) {
            try {
                restHighLevelClient.close();
            } catch (IOException e) {
                LOGGER.error("Could not close esClient", e);
            }
        }
    }

    public static void closeEsClient(ElasticsearchClient elasticsearchClient) {
        if (elasticsearchClient != null) {
            elasticsearchClient.shutdown();
        }
    }

    @Bean
    public ElasticsearchClient elasticsearchClient() {
        LOGGER.debug("Creating ElasticsearchClient ...");
        OperateElasticsearchProperties elasticsearch = this.operateProperties.getElasticsearch();
        RestClientBuilder builder = RestClient.builder(new HttpHost[]{getHttpHost(elasticsearch)});
        if (elasticsearch.getConnectTimeout() != null || elasticsearch.getSocketTimeout() != null) {
            builder.setRequestConfigCallback(builder2 -> {
                return setTimeouts(builder2, elasticsearch);
            });
        }
        this.elasticsearchClient = new ElasticsearchClient(new RestClientTransport(builder.setHttpClientConfigCallback(httpAsyncClientBuilder -> {
            return configureHttpClient(httpAsyncClientBuilder, elasticsearch);
        }).build(), new JacksonJsonpMapper()));
        if (checkHealth(this.elasticsearchClient)) {
            LOGGER.debug("Elasticsearch connection was successfully created.");
        } else {
            LOGGER.warn("Elasticsearch cluster is not accessible");
        }
        return this.elasticsearchClient;
    }

    public boolean checkHealth(ElasticsearchClient elasticsearchClient) {
        OperateElasticsearchProperties elasticsearch = this.operateProperties.getElasticsearch();
        try {
            return ((Boolean) RetryOperation.newBuilder().noOfRetry(50).retryOn(IOException.class, ElasticsearchException.class).delayInterval(3, TimeUnit.SECONDS).message(String.format("Connect to Elasticsearch cluster [%s] at %s", elasticsearch.getClusterName(), elasticsearch.getUrl())).retryConsumer(() -> {
                HealthResponse health = elasticsearchClient.cluster().health();
                LOGGER.info("Elasticsearch cluster health: {}", health.status());
                return Boolean.valueOf(health.clusterName().equals(elasticsearch.getClusterName()));
            }).build().retry()).booleanValue();
        } catch (Exception e) {
            throw new OperateRuntimeException("Couldn't connect to Elasticsearch. Abort.", e);
        }
    }

    @Bean
    public RestHighLevelClient esClient() {
        System.setProperty("es.set.netty.runtime.available.processors", "false");
        return createEsClient(this.operateProperties.getElasticsearch());
    }

    @Bean({"zeebeEsClient"})
    public RestHighLevelClient zeebeEsClient() {
        System.setProperty("es.set.netty.runtime.available.processors", "false");
        return createEsClient(this.operateProperties.getZeebeElasticsearch());
    }

    @PreDestroy
    public void tearDown() {
        if (this.elasticsearchClient != null) {
            try {
                this.elasticsearchClient._transport().close();
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        }
    }

    public RestHighLevelClient createEsClient(ElasticsearchProperties elasticsearchProperties) {
        LOGGER.debug("Creating Elasticsearch connection...");
        RestClientBuilder httpClientConfigCallback = RestClient.builder(new HttpHost[]{getHttpHost(elasticsearchProperties)}).setHttpClientConfigCallback(httpAsyncClientBuilder -> {
            return configureHttpClient(httpAsyncClientBuilder, elasticsearchProperties);
        });
        if (elasticsearchProperties.getConnectTimeout() != null || elasticsearchProperties.getSocketTimeout() != null) {
            httpClientConfigCallback.setRequestConfigCallback(builder -> {
                return setTimeouts(builder, elasticsearchProperties);
            });
        }
        RestHighLevelClient build = new RestHighLevelClientBuilder(httpClientConfigCallback.build()).setApiCompatibilityMode(true).build();
        if (checkHealth(build)) {
            LOGGER.debug("Elasticsearch connection was successfully created.");
        } else {
            LOGGER.warn("Elasticsearch cluster is not accessible");
        }
        return build;
    }

    protected HttpAsyncClientBuilder configureHttpClient(HttpAsyncClientBuilder httpAsyncClientBuilder, ElasticsearchProperties elasticsearchProperties) {
        setupAuthentication(httpAsyncClientBuilder, elasticsearchProperties);
        if (elasticsearchProperties.getSsl() != null) {
            setupSSLContext(httpAsyncClientBuilder, elasticsearchProperties.getSsl());
        }
        return httpAsyncClientBuilder;
    }

    private void setupSSLContext(HttpAsyncClientBuilder httpAsyncClientBuilder, SslProperties sslProperties) {
        try {
            httpAsyncClientBuilder.setSSLContext(getSSLContext(sslProperties));
            if (!sslProperties.isVerifyHostname()) {
                httpAsyncClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
            }
        } catch (Exception e) {
            LOGGER.error("Error in setting up SSLContext", e);
        }
    }

    private SSLContext getSSLContext(SslProperties sslProperties) throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
        KeyStore loadCustomTrustStore = loadCustomTrustStore(sslProperties);
        return loadCustomTrustStore.size() > 0 ? SSLContexts.custom().loadTrustMaterial(loadCustomTrustStore, sslProperties.isSelfSigned() ? new TrustSelfSignedStrategy() : null).build() : SSLContext.getDefault();
    }

    private KeyStore loadCustomTrustStore(SslProperties sslProperties) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null);
            String certificatePath = sslProperties.getCertificatePath();
            if (certificatePath != null) {
                setCertificateInTrustStore(keyStore, certificatePath);
            }
            return keyStore;
        } catch (Exception e) {
            throw new OperateRuntimeException("Could not create certificate trustStore for the secured Elasticsearch Connection!", e);
        }
    }

    private void setCertificateInTrustStore(KeyStore keyStore, String str) {
        try {
            keyStore.setCertificateEntry("elasticsearch-host", loadCertificateFromPath(str));
        } catch (Exception e) {
            throw new OperateRuntimeException("Could not load configured server certificate for the secured Elasticsearch Connection!", e);
        }
    }

    private Certificate loadCertificateFromPath(String str) throws IOException, CertificateException {
        BufferedInputStream bufferedInputStream = new BufferedInputStream(new FileInputStream(str));
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            if (bufferedInputStream.available() <= 0) {
                throw new OperateRuntimeException("Could not load certificate from file, file is empty. File: " + str);
            }
            Certificate generateCertificate = certificateFactory.generateCertificate(bufferedInputStream);
            LOGGER.debug("Found certificate: {}", generateCertificate);
            bufferedInputStream.close();
            return generateCertificate;
        } catch (Throwable th) {
            try {
                bufferedInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    private RequestConfig.Builder setTimeouts(RequestConfig.Builder builder, ElasticsearchProperties elasticsearchProperties) {
        if (elasticsearchProperties.getSocketTimeout() != null) {
            builder.setSocketTimeout(elasticsearchProperties.getSocketTimeout().intValue());
        }
        if (elasticsearchProperties.getConnectTimeout() != null) {
            builder.setConnectTimeout(elasticsearchProperties.getConnectTimeout().intValue());
        }
        return builder;
    }

    private HttpHost getHttpHost(ElasticsearchProperties elasticsearchProperties) {
        try {
            URI uri = new URI(elasticsearchProperties.getUrl());
            return new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme());
        } catch (URISyntaxException e) {
            throw new OperateRuntimeException("Error in url: " + elasticsearchProperties.getUrl(), e);
        }
    }

    private void setupAuthentication(HttpAsyncClientBuilder httpAsyncClientBuilder, ElasticsearchProperties elasticsearchProperties) {
        String username = elasticsearchProperties.getUsername();
        String password = elasticsearchProperties.getPassword();
        if (username == null || password == null || username.isEmpty() || password.isEmpty()) {
            LOGGER.warn("Username and/or password for are empty. Basic authentication for elasticsearch is not used.");
            return;
        }
        BasicCredentialsProvider basicCredentialsProvider = new BasicCredentialsProvider();
        basicCredentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(username, password));
        httpAsyncClientBuilder.setDefaultCredentialsProvider(basicCredentialsProvider);
    }

    public boolean checkHealth(RestHighLevelClient restHighLevelClient) {
        OperateElasticsearchProperties elasticsearch = this.operateProperties.getElasticsearch();
        try {
            return ((Boolean) RetryOperation.newBuilder().noOfRetry(50).retryOn(IOException.class, org.elasticsearch.ElasticsearchException.class).delayInterval(3, TimeUnit.SECONDS).message(String.format("Connect to Elasticsearch cluster [%s] at %s", elasticsearch.getClusterName(), elasticsearch.getUrl())).retryConsumer(() -> {
                return Boolean.valueOf(restHighLevelClient.cluster().health(new ClusterHealthRequest(), RequestOptions.DEFAULT).getClusterName().equals(elasticsearch.getClusterName()));
            }).build().retry()).booleanValue();
        } catch (Exception e) {
            throw new OperateRuntimeException("Couldn't connect to Elasticsearch. Abort.", e);
        }
    }
}
