package io.camunda.operate.connect;

import com.amazonaws.regions.DefaultAwsRegionProviderChain;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.datatype.jsr310.JavaTimeModule;
import io.camunda.operate.conditions.OpensearchCondition;
import io.camunda.operate.exceptions.OperateRuntimeException;
import io.camunda.operate.opensearch.ExtendedOpenSearchClient;
import io.camunda.operate.property.OpensearchProperties;
import io.camunda.operate.property.OperateOpensearchProperties;
import io.camunda.operate.property.OperateProperties;
import io.camunda.operate.property.SslProperties;
import io.camunda.search.connect.plugin.PluginRepository;
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.time.Duration;
import java.util.concurrent.CompletableFuture;
import javax.net.ssl.SSLContext;
import net.jodah.failsafe.Failsafe;
import net.jodah.failsafe.RetryPolicy;
import org.apache.hc.client5.http.auth.AuthScope;
import org.apache.hc.client5.http.auth.UsernamePasswordCredentials;
import org.apache.hc.client5.http.config.RequestConfig;
import org.apache.hc.client5.http.impl.async.HttpAsyncClientBuilder;
import org.apache.hc.client5.http.impl.auth.BasicCredentialsProvider;
import org.apache.hc.client5.http.impl.nio.PoolingAsyncClientConnectionManagerBuilder;
import org.apache.hc.client5.http.ssl.ClientTlsStrategyBuilder;
import org.apache.hc.core5.http.HttpHost;
import org.apache.hc.core5.http.HttpRequestInterceptor;
import org.apache.hc.core5.util.Timeout;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.ElasticsearchException;
import org.opensearch.client.json.jackson.JacksonJsonpMapper;
import org.opensearch.client.opensearch.OpenSearchAsyncClient;
import org.opensearch.client.opensearch.OpenSearchClient;
import org.opensearch.client.opensearch.cluster.HealthRequest;
import org.opensearch.client.opensearch.cluster.HealthResponse;
import org.opensearch.client.transport.aws.AwsSdk2Transport;
import org.opensearch.client.transport.aws.AwsSdk2TransportOptions;
import org.opensearch.client.transport.httpclient5.ApacheHttpClient5TransportBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Qualifier;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.context.annotation.Primary;
import org.springframework.util.StringUtils;
import software.amazon.awssdk.auth.credentials.DefaultCredentialsProvider;
import software.amazon.awssdk.http.crt.AwsCrtHttpClient;
import software.amazon.awssdk.regions.Region;

@Configuration
@Conditional({OpensearchCondition.class})
/* loaded from: input_file:io/camunda/operate/connect/OpensearchConnector.class */
public class OpensearchConnector {
    private static final Logger LOGGER = LoggerFactory.getLogger(OpensearchConnector.class);
    private PluginRepository osClientRepository = new PluginRepository();
    private PluginRepository zeebeOsClientRepository = new PluginRepository();
    private final OperateProperties operateProperties;
    private final ObjectMapper objectMapper;

    public OpensearchConnector(OperateProperties operateProperties, @Qualifier("operateObjectMapper") ObjectMapper objectMapper) {
        this.operateProperties = operateProperties;
        this.objectMapper = objectMapper;
    }

    public void setOsClientRepository(PluginRepository pluginRepository) {
        this.osClientRepository = pluginRepository;
    }

    public void setZeebeOsClientRepository(PluginRepository pluginRepository) {
        this.zeebeOsClientRepository = pluginRepository;
    }

    @Bean
    @Primary
    public OpenSearchClient openSearchClient() {
        this.osClientRepository.load(this.operateProperties.getOpensearch().getInterceptorPlugins());
        OpenSearchClient createOsClient = createOsClient(this.operateProperties.getOpensearch(), this.osClientRepository);
        if (this.operateProperties.getOpensearch().isHealthCheckEnabled()) {
            try {
                LOGGER.info("OpenSearch cluster health: {}", createOsClient.cluster().health().status());
            } catch (IOException e) {
                LOGGER.error("Error in getting health status from {}", "localhost:9205", e);
            }
        } else {
            LOGGER.warn("OpenSearch cluster health check is disabled.");
        }
        return createOsClient;
    }

    @Bean
    public OpenSearchAsyncClient openSearchAsyncClient() {
        this.osClientRepository.load(this.operateProperties.getOpensearch().getInterceptorPlugins());
        OpenSearchAsyncClient createAsyncOsClient = createAsyncOsClient(this.operateProperties.getOpensearch(), this.osClientRepository);
        if (this.operateProperties.getOpensearch().isHealthCheckEnabled()) {
            try {
                createAsyncOsClient.cluster().health().whenComplete((healthResponse, th) -> {
                    if (th != null) {
                        LOGGER.error("Error in getting health status from {}", "localhost:9205", th);
                    } else {
                        LOGGER.info("OpenSearch cluster health: {}", healthResponse.status());
                    }
                });
            } catch (IOException e) {
                throw new RuntimeException(e);
            }
        } else {
            LOGGER.warn("OpenSearch cluster health check is disabled.");
        }
        return createAsyncOsClient;
    }

    @Bean({"zeebeOpensearchClient"})
    public OpenSearchClient zeebeOpensearchClient() {
        System.setProperty("es.set.netty.runtime.available.processors", "false");
        this.zeebeOsClientRepository.load(this.operateProperties.getZeebeOpensearch().getInterceptorPlugins());
        return createOsClient(this.operateProperties.getZeebeOpensearch(), this.zeebeOsClientRepository);
    }

    public OpenSearchAsyncClient createAsyncOsClient(OpensearchProperties opensearchProperties, PluginRepository pluginRepository) {
        LOGGER.debug("Creating Async OpenSearch connection...");
        LOGGER.debug("Creating OpenSearch connection...");
        if (hasAwsCredentials()) {
            return getAwsAsyncClient(opensearchProperties);
        }
        ApacheHttpClient5TransportBuilder builder = ApacheHttpClient5TransportBuilder.builder(new HttpHost[]{getHttpHost(opensearchProperties)});
        builder.setHttpClientConfigCallback(httpAsyncClientBuilder -> {
            configureHttpClient(httpAsyncClientBuilder, opensearchProperties, pluginRepository.asRequestInterceptor());
            return httpAsyncClientBuilder;
        });
        builder.setRequestConfigCallback(builder2 -> {
            setTimeouts(builder2, opensearchProperties);
            return builder2;
        });
        JacksonJsonpMapper jacksonJsonpMapper = new JacksonJsonpMapper();
        jacksonJsonpMapper.objectMapper().registerModule(new JavaTimeModule());
        builder.setMapper(jacksonJsonpMapper);
        OpenSearchAsyncClient openSearchAsyncClient = new OpenSearchAsyncClient(builder.build());
        if (this.operateProperties.getOpensearch().isHealthCheckEnabled()) {
            try {
                openSearchAsyncClient.cluster().health().whenComplete((healthResponse, th) -> {
                    if (th != null) {
                        LOGGER.error("Error in getting health status from {}", "localhost:9205", th);
                    } else {
                        LOGGER.info("OpenSearch cluster health: {}", healthResponse.status());
                    }
                });
                if (checkHealth(openSearchAsyncClient)) {
                    LOGGER.debug("OpenSearch connection was successfully created.");
                } else {
                    LOGGER.warn("OpenSearch cluster is not accessible");
                }
            } catch (IOException e) {
                throw new OperateRuntimeException(e);
            }
        } else {
            LOGGER.warn("OpenSearch cluster health check is disabled.");
        }
        return openSearchAsyncClient;
    }

    private boolean hasAwsCredentials() {
        if (!this.operateProperties.getOpensearch().isAwsEnabled()) {
            LOGGER.info("AWS Credentials are disabled. Using basic auth.");
            return false;
        }
        try {
            DefaultCredentialsProvider.create().resolveCredentials();
            LOGGER.info("AWS Credentials can be resolved. Use AWS Opensearch");
            return true;
        } catch (Exception e) {
            LOGGER.warn("AWS not configured due to: {} ", e.getMessage());
            return false;
        }
    }

    public OpenSearchClient createOsClient(OpensearchProperties opensearchProperties, PluginRepository pluginRepository) {
        LOGGER.debug("Creating OpenSearch connection...");
        if (hasAwsCredentials()) {
            return getAwsClient(opensearchProperties);
        }
        ApacheHttpClient5TransportBuilder builder = ApacheHttpClient5TransportBuilder.builder(new HttpHost[]{getHttpHost(opensearchProperties)});
        builder.setHttpClientConfigCallback(httpAsyncClientBuilder -> {
            configureHttpClient(httpAsyncClientBuilder, opensearchProperties, pluginRepository.asRequestInterceptor());
            return httpAsyncClientBuilder;
        });
        builder.setRequestConfigCallback(builder2 -> {
            setTimeouts(builder2, opensearchProperties);
            return builder2;
        });
        builder.setMapper(new JacksonJsonpMapper(this.objectMapper));
        ExtendedOpenSearchClient extendedOpenSearchClient = new ExtendedOpenSearchClient(builder.build());
        if (this.operateProperties.getOpensearch().isHealthCheckEnabled()) {
            try {
                LOGGER.info("OpenSearch cluster health: {}", extendedOpenSearchClient.cluster().health().status());
            } catch (IOException e) {
                LOGGER.error("Error in getting health status from {}", "localhost:9205", e);
            }
            if (checkHealth(extendedOpenSearchClient)) {
                LOGGER.debug("OpenSearch connection was successfully created.");
            } else {
                LOGGER.warn("OpenSearch cluster is not accessible");
            }
        } else {
            LOGGER.warn("OpenSearch cluster health check is disabled.");
        }
        return extendedOpenSearchClient;
    }

    private OpenSearchClient getAwsClient(OpensearchProperties opensearchProperties) {
        return new ExtendedOpenSearchClient(new AwsSdk2Transport(AwsCrtHttpClient.builder().build(), opensearchProperties.getHost(), Region.of(new DefaultAwsRegionProviderChain().getRegion()), AwsSdk2TransportOptions.builder().setMapper(new JacksonJsonpMapper(this.objectMapper)).build()));
    }

    private OpenSearchAsyncClient getAwsAsyncClient(OpensearchProperties opensearchProperties) {
        return new OpenSearchAsyncClient(new AwsSdk2Transport(AwsCrtHttpClient.builder().build(), opensearchProperties.getHost(), Region.of(new DefaultAwsRegionProviderChain().getRegion()), AwsSdk2TransportOptions.builder().setMapper(new JacksonJsonpMapper(this.objectMapper)).build()));
    }

    private HttpHost getHttpHost(OpensearchProperties opensearchProperties) {
        try {
            URI uri = new URI(opensearchProperties.getUrl());
            return new HttpHost(uri.getScheme(), uri.getHost(), uri.getPort());
        } catch (URISyntaxException e) {
            throw new OperateRuntimeException("Error in url: " + opensearchProperties.getUrl(), e);
        }
    }

    private HttpAsyncClientBuilder setupAuthentication(HttpAsyncClientBuilder httpAsyncClientBuilder, OpensearchProperties opensearchProperties) {
        if (!StringUtils.hasText(opensearchProperties.getUsername()) || !StringUtils.hasText(opensearchProperties.getPassword())) {
            LOGGER.warn("Username and/or password for are empty. Basic authentication for OpenSearch is not used.");
            return httpAsyncClientBuilder;
        }
        BasicCredentialsProvider basicCredentialsProvider = new BasicCredentialsProvider();
        basicCredentialsProvider.setCredentials(new AuthScope(getHttpHost(opensearchProperties)), new UsernamePasswordCredentials(opensearchProperties.getUsername(), opensearchProperties.getPassword().toCharArray()));
        httpAsyncClientBuilder.setDefaultCredentialsProvider(basicCredentialsProvider);
        return httpAsyncClientBuilder;
    }

    private void setupSSLContext(HttpAsyncClientBuilder httpAsyncClientBuilder, SslProperties sslProperties) {
        try {
            ClientTlsStrategyBuilder create = ClientTlsStrategyBuilder.create();
            create.setSslContext(getSSLContext(sslProperties));
            if (!sslProperties.isVerifyHostname()) {
                create.setHostnameVerifier(NoopHostnameVerifier.INSTANCE);
            }
            httpAsyncClientBuilder.setConnectionManager(PoolingAsyncClientConnectionManagerBuilder.create().setTlsStrategy(create.build()).build());
        } catch (Exception e) {
            LOGGER.error("Error in setting up SSLContext", e);
        }
    }

    private SSLContext getSSLContext(SslProperties sslProperties) throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
        KeyStore loadCustomTrustStore = loadCustomTrustStore(sslProperties);
        return loadCustomTrustStore.size() > 0 ? SSLContexts.custom().loadTrustMaterial(loadCustomTrustStore, sslProperties.isSelfSigned() ? new TrustSelfSignedStrategy() : null).build() : SSLContext.getDefault();
    }

    private KeyStore loadCustomTrustStore(SslProperties sslProperties) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null);
            String certificatePath = sslProperties.getCertificatePath();
            if (certificatePath != null) {
                setCertificateInTrustStore(keyStore, certificatePath);
            }
            return keyStore;
        } catch (Exception e) {
            throw new OperateRuntimeException("Could not create certificate trustStore for the secured OpenSearch Connection!", e);
        }
    }

    private void setCertificateInTrustStore(KeyStore keyStore, String str) {
        try {
            keyStore.setCertificateEntry("opensearch-host", loadCertificateFromPath(str));
        } catch (Exception e) {
            throw new OperateRuntimeException("Could not load configured server certificate for the secured OpenSearch Connection!", e);
        }
    }

    private Certificate loadCertificateFromPath(String str) throws IOException, CertificateException {
        BufferedInputStream bufferedInputStream = new BufferedInputStream(new FileInputStream(str));
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            if (bufferedInputStream.available() <= 0) {
                throw new OperateRuntimeException("Could not load certificate from file, file is empty. File: " + str);
            }
            Certificate generateCertificate = certificateFactory.generateCertificate(bufferedInputStream);
            LOGGER.debug("Found certificate: {}", generateCertificate);
            bufferedInputStream.close();
            return generateCertificate;
        } catch (Throwable th) {
            try {
                bufferedInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    protected HttpAsyncClientBuilder configureHttpClient(HttpAsyncClientBuilder httpAsyncClientBuilder, OpensearchProperties opensearchProperties, HttpRequestInterceptor... httpRequestInterceptorArr) {
        setupAuthentication(httpAsyncClientBuilder, opensearchProperties);
        LOGGER.trace("Attempt to load interceptor plugins");
        for (HttpRequestInterceptor httpRequestInterceptor : httpRequestInterceptorArr) {
            httpAsyncClientBuilder.addRequestInterceptorLast(httpRequestInterceptor);
        }
        if (opensearchProperties.getSsl() != null) {
            setupSSLContext(httpAsyncClientBuilder, opensearchProperties.getSsl());
        }
        return httpAsyncClientBuilder;
    }

    private RequestConfig.Builder setTimeouts(RequestConfig.Builder builder, OpensearchProperties opensearchProperties) {
        if (opensearchProperties.getSocketTimeout() != null) {
            builder.setResponseTimeout(Timeout.ofMilliseconds(opensearchProperties.getSocketTimeout().intValue()));
        }
        if (opensearchProperties.getConnectTimeout() != null) {
            builder.setConnectTimeout(Timeout.ofMilliseconds(opensearchProperties.getConnectTimeout().intValue()));
        }
        return builder;
    }

    public boolean checkHealth(OpenSearchClient openSearchClient) {
        OperateOpensearchProperties opensearch = this.operateProperties.getOpensearch();
        return ((Boolean) Failsafe.with(getConnectionRetryPolicy(opensearch), new RetryPolicy[0]).get(() -> {
            return Boolean.valueOf(openSearchClient.cluster().health(new HealthRequest.Builder().build()).clusterName().equals(opensearch.getClusterName()));
        })).booleanValue();
    }

    public boolean checkHealth(OpenSearchAsyncClient openSearchAsyncClient) {
        OperateOpensearchProperties opensearch = this.operateProperties.getOpensearch();
        return ((Boolean) Failsafe.with(getConnectionRetryPolicy(opensearch), new RetryPolicy[0]).get(() -> {
            CompletableFuture health = openSearchAsyncClient.cluster().health(new HealthRequest.Builder().build());
            health.whenComplete((healthResponse, th) -> {
                if (th != null) {
                    LOGGER.error(String.format("Error checking async health %", th.getMessage()));
                } else {
                    LOGGER.debug("Succesfully returned checkHealth");
                }
            });
            return Boolean.valueOf(((HealthResponse) health.get()).clusterName().equals(opensearch.getClusterName()));
        })).booleanValue();
    }

    private RetryPolicy<Boolean> getConnectionRetryPolicy(OpensearchProperties opensearchProperties) {
        String format = String.format("connect to OpenSearch at %s", opensearchProperties.getUrl());
        return ((RetryPolicy) new RetryPolicy().handle(new Class[]{IOException.class, ElasticsearchException.class})).withDelay(Duration.ofSeconds(3L)).withMaxAttempts(50).onRetry(executionAttemptedEvent -> {
            LOGGER.info("Retrying #{} {} due to {}", new Object[]{Integer.valueOf(executionAttemptedEvent.getAttemptCount()), format, executionAttemptedEvent.getLastFailure()});
        }).onAbort(executionCompletedEvent -> {
            LOGGER.error("Abort {} by {}", format, executionCompletedEvent.getFailure());
        }).onRetriesExceeded(executionCompletedEvent2 -> {
            LOGGER.error("Retries {} exceeded for {}", Integer.valueOf(executionCompletedEvent2.getAttemptCount()), format);
        });
    }
}
