package io.camunda.tasklist.es;

import co.elastic.clients.elasticsearch.ElasticsearchClient;
import co.elastic.clients.elasticsearch._types.ElasticsearchException;
import co.elastic.clients.elasticsearch.cluster.HealthResponse;
import co.elastic.clients.json.jackson.JacksonJsonpMapper;
import co.elastic.clients.transport.rest_client.RestClientTransport;
import com.fasterxml.jackson.core.JsonGenerator;
import com.fasterxml.jackson.core.JsonParser;
import com.fasterxml.jackson.databind.DeserializationContext;
import com.fasterxml.jackson.databind.JsonDeserializer;
import com.fasterxml.jackson.databind.JsonSerializer;
import com.fasterxml.jackson.databind.SerializerProvider;
import io.camunda.search.connect.plugin.PluginRepository;
import io.camunda.tasklist.data.conditionals.ElasticSearchCondition;
import io.camunda.tasklist.exceptions.TasklistRuntimeException;
import io.camunda.tasklist.property.ElasticsearchProperties;
import io.camunda.tasklist.property.SslProperties;
import io.camunda.tasklist.property.TasklistElasticsearchProperties;
import io.camunda.tasklist.property.TasklistProperties;
import io.camunda.tasklist.util.RetryOperation;
import jakarta.annotation.PreDestroy;
import java.io.BufferedInputStream;
import java.io.FileInputStream;
import java.io.IOException;
import java.io.UncheckedIOException;
import java.net.URI;
import java.net.URISyntaxException;
import java.security.KeyManagementException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.format.DateTimeFormatter;
import java.time.format.DateTimeParseException;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.SSLContext;
import net.jodah.failsafe.Failsafe;
import net.jodah.failsafe.RetryPolicy;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequestInterceptor;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.config.RequestConfig;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.nio.client.HttpAsyncClientBuilder;
import org.apache.http.ssl.SSLContexts;
import org.elasticsearch.action.admin.cluster.health.ClusterHealthRequest;
import org.elasticsearch.client.RequestOptions;
import org.elasticsearch.client.RestClient;
import org.elasticsearch.client.RestClientBuilder;
import org.elasticsearch.client.RestHighLevelClient;
import org.elasticsearch.client.RestHighLevelClientBuilder;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;
import org.springframework.beans.factory.annotation.Autowired;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Conditional;
import org.springframework.context.annotation.Configuration;
import org.springframework.stereotype.Component;
import org.springframework.util.StringUtils;

@Configuration
@Conditional({ElasticSearchCondition.class})
@Component
/* loaded from: input_file:io/camunda/tasklist/es/ElasticsearchConnector.class */
public class ElasticsearchConnector {
    private static final Logger LOGGER = LoggerFactory.getLogger(ElasticsearchConnector.class);
    private PluginRepository esClientRepository = new PluginRepository();
    private PluginRepository zeebeEsClientRepository = new PluginRepository();

    @Autowired
    private TasklistProperties tasklistProperties;
    private ElasticsearchClient elasticsearchClient;

    /* loaded from: input_file:io/camunda/tasklist/es/ElasticsearchConnector$CustomInstantDeserializer.class */
    public static class CustomInstantDeserializer extends JsonDeserializer<Instant> {
        /* renamed from: deserialize, reason: merged with bridge method [inline-methods] */
        public Instant m4deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
            return Instant.ofEpochMilli(Long.parseLong(jsonParser.getText()));
        }
    }

    /* loaded from: input_file:io/camunda/tasklist/es/ElasticsearchConnector$CustomOffsetDateTimeDeserializer.class */
    public static class CustomOffsetDateTimeDeserializer extends JsonDeserializer<OffsetDateTime> {
        private final DateTimeFormatter formatter;

        public CustomOffsetDateTimeDeserializer(DateTimeFormatter dateTimeFormatter) {
            this.formatter = dateTimeFormatter;
        }

        /* renamed from: deserialize, reason: merged with bridge method [inline-methods] */
        public OffsetDateTime m5deserialize(JsonParser jsonParser, DeserializationContext deserializationContext) throws IOException {
            try {
                return OffsetDateTime.parse(jsonParser.getText(), this.formatter);
            } catch (DateTimeParseException e) {
                throw new TasklistRuntimeException("Exception occurred when deserializing date.", e);
            }
        }
    }

    /* loaded from: input_file:io/camunda/tasklist/es/ElasticsearchConnector$CustomOffsetDateTimeSerializer.class */
    public static class CustomOffsetDateTimeSerializer extends JsonSerializer<OffsetDateTime> {
        private final DateTimeFormatter formatter;

        public CustomOffsetDateTimeSerializer(DateTimeFormatter dateTimeFormatter) {
            this.formatter = dateTimeFormatter;
        }

        public void serialize(OffsetDateTime offsetDateTime, JsonGenerator jsonGenerator, SerializerProvider serializerProvider) throws IOException {
            if (offsetDateTime == null) {
                jsonGenerator.writeNull();
            } else {
                jsonGenerator.writeString(offsetDateTime.format(this.formatter));
            }
        }
    }

    public void setEsClientRepository(PluginRepository pluginRepository) {
        this.esClientRepository = pluginRepository;
    }

    public void setZeebeEsClientRepository(PluginRepository pluginRepository) {
        this.zeebeEsClientRepository = pluginRepository;
    }

    public void setTasklistProperties(TasklistProperties tasklistProperties) {
        this.tasklistProperties = tasklistProperties;
    }

    @Bean
    public ElasticsearchClient tasklistElasticsearchClient() {
        LOGGER.debug("Creating ElasticsearchClient ...");
        TasklistElasticsearchProperties elasticsearch = this.tasklistProperties.getElasticsearch();
        this.esClientRepository.load(this.tasklistProperties.getElasticsearch().getInterceptorPlugins());
        RestClientBuilder builder = RestClient.builder(new HttpHost[]{getHttpHost(elasticsearch)});
        if (elasticsearch.getConnectTimeout() != null || elasticsearch.getSocketTimeout() != null) {
            builder.setRequestConfigCallback(builder2 -> {
                return setTimeouts(builder2, elasticsearch);
            });
        }
        this.elasticsearchClient = new ElasticsearchClient(new RestClientTransport(builder.setHttpClientConfigCallback(httpAsyncClientBuilder -> {
            return configureHttpClient(httpAsyncClientBuilder, elasticsearch, this.esClientRepository.asRequestInterceptor());
        }).build(), new JacksonJsonpMapper()));
        if (checkHealth(this.elasticsearchClient)) {
            LOGGER.debug("Elasticsearch connection was successfully created.");
        } else {
            LOGGER.warn("Elasticsearch cluster is not accessible");
        }
        return this.elasticsearchClient;
    }

    @PreDestroy
    public void tearDown() {
        if (this.elasticsearchClient != null) {
            try {
                this.elasticsearchClient._transport().close();
            } catch (IOException e) {
                throw new UncheckedIOException(e);
            }
        }
    }

    @Bean(destroyMethod = "close")
    public RestHighLevelClient tasklistEsClient() {
        System.setProperty("es.set.netty.runtime.available.processors", "false");
        this.esClientRepository.load(this.tasklistProperties.getElasticsearch().getInterceptorPlugins());
        return createEsClient(this.tasklistProperties.getElasticsearch(), this.esClientRepository);
    }

    @Bean(destroyMethod = "close")
    public RestHighLevelClient tasklistZeebeEsClient() {
        System.setProperty("es.set.netty.runtime.available.processors", "false");
        this.zeebeEsClientRepository.load(this.tasklistProperties.getZeebeElasticsearch().getInterceptorPlugins());
        return createEsClient(this.tasklistProperties.getZeebeElasticsearch(), this.zeebeEsClientRepository);
    }

    protected RestHighLevelClient createEsClient(ElasticsearchProperties elasticsearchProperties, PluginRepository pluginRepository) {
        LOGGER.debug("Creating Elasticsearch connection...");
        RestClientBuilder httpClientConfigCallback = RestClient.builder(new HttpHost[]{getHttpHost(elasticsearchProperties)}).setHttpClientConfigCallback(httpAsyncClientBuilder -> {
            return configureHttpClient(httpAsyncClientBuilder, elasticsearchProperties, pluginRepository.asRequestInterceptor());
        });
        if (elasticsearchProperties.getConnectTimeout() != null || elasticsearchProperties.getSocketTimeout() != null) {
            httpClientConfigCallback.setRequestConfigCallback(builder -> {
                return setTimeouts(builder, elasticsearchProperties);
            });
        }
        RestHighLevelClient build = new RestHighLevelClientBuilder(httpClientConfigCallback.build()).setApiCompatibilityMode(true).build();
        if (checkHealth(build)) {
            LOGGER.debug("Elasticsearch connection was successfully created.");
        } else {
            LOGGER.warn("Elasticsearch cluster is not accessible");
        }
        return build;
    }

    private HttpAsyncClientBuilder configureHttpClient(HttpAsyncClientBuilder httpAsyncClientBuilder, ElasticsearchProperties elasticsearchProperties, HttpRequestInterceptor... httpRequestInterceptorArr) {
        setupAuthentication(httpAsyncClientBuilder, elasticsearchProperties);
        LOGGER.trace("Attempt to load interceptor plugins");
        for (HttpRequestInterceptor httpRequestInterceptor : httpRequestInterceptorArr) {
            httpAsyncClientBuilder.addInterceptorLast(httpRequestInterceptor);
        }
        if (elasticsearchProperties.getSsl() != null) {
            setupSSLContext(httpAsyncClientBuilder, elasticsearchProperties.getSsl());
        }
        return httpAsyncClientBuilder;
    }

    private void setupSSLContext(HttpAsyncClientBuilder httpAsyncClientBuilder, SslProperties sslProperties) {
        try {
            httpAsyncClientBuilder.setSSLContext(getSSLContext(sslProperties));
            if (!sslProperties.isVerifyHostname()) {
                httpAsyncClientBuilder.setSSLHostnameVerifier(NoopHostnameVerifier.INSTANCE);
            }
        } catch (Exception e) {
            LOGGER.error("Error in setting up SSLContext", e);
        }
    }

    private SSLContext getSSLContext(SslProperties sslProperties) throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
        KeyStore loadCustomTrustStore = loadCustomTrustStore(sslProperties);
        return loadCustomTrustStore.size() > 0 ? SSLContexts.custom().loadTrustMaterial(loadCustomTrustStore, sslProperties.isSelfSigned() ? new TrustSelfSignedStrategy() : null).build() : SSLContext.getDefault();
    }

    private KeyStore loadCustomTrustStore(SslProperties sslProperties) {
        try {
            KeyStore keyStore = KeyStore.getInstance(KeyStore.getDefaultType());
            keyStore.load(null);
            String certificatePath = sslProperties.getCertificatePath();
            if (certificatePath != null) {
                setCertificateInTrustStore(keyStore, certificatePath);
            }
            return keyStore;
        } catch (Exception e) {
            throw new TasklistRuntimeException("Could not create certificate trustStore for the secured Elasticsearch Connection!", e);
        }
    }

    private void setCertificateInTrustStore(KeyStore keyStore, String str) {
        try {
            keyStore.setCertificateEntry("elasticsearch-host", loadCertificateFromPath(str));
        } catch (Exception e) {
            throw new TasklistRuntimeException("Could not load configured server certificate for the secured Elasticsearch Connection!", e);
        }
    }

    private Certificate loadCertificateFromPath(String str) throws IOException, CertificateException {
        BufferedInputStream bufferedInputStream = new BufferedInputStream(new FileInputStream(str));
        try {
            CertificateFactory certificateFactory = CertificateFactory.getInstance("X.509");
            if (bufferedInputStream.available() <= 0) {
                throw new TasklistRuntimeException("Could not load certificate from file, file is empty. File: " + str);
            }
            Certificate generateCertificate = certificateFactory.generateCertificate(bufferedInputStream);
            LOGGER.debug("Found certificate: {}", generateCertificate);
            bufferedInputStream.close();
            return generateCertificate;
        } catch (Throwable th) {
            try {
                bufferedInputStream.close();
            } catch (Throwable th2) {
                th.addSuppressed(th2);
            }
            throw th;
        }
    }

    public boolean checkHealth(ElasticsearchClient elasticsearchClient) {
        TasklistElasticsearchProperties elasticsearch = this.tasklistProperties.getElasticsearch();
        if (!elasticsearch.isHealthCheckEnabled()) {
            LOGGER.debug("Elasticsearch health check is disabled");
            return true;
        }
        try {
            return ((Boolean) RetryOperation.newBuilder().noOfRetry(50).retryOn(IOException.class, ElasticsearchException.class).delayInterval(3, TimeUnit.SECONDS).message(String.format("Connect to Elasticsearch cluster [%s] at %s", elasticsearch.getClusterName(), elasticsearch.getUrl())).retryConsumer(() -> {
                HealthResponse health = elasticsearchClient.cluster().health();
                LOGGER.info("Elasticsearch cluster health: {}", health.status());
                return Boolean.valueOf(health.clusterName().equals(elasticsearch.getClusterName()));
            }).build().retry()).booleanValue();
        } catch (Exception e) {
            throw new TasklistRuntimeException("Couldn't connect to Elasticsearch. Abort.", e);
        }
    }

    public boolean checkHealth(RestHighLevelClient restHighLevelClient) {
        TasklistElasticsearchProperties elasticsearch = this.tasklistProperties.getElasticsearch();
        if (elasticsearch.isHealthCheckEnabled()) {
            return ((Boolean) Failsafe.with(getConnectionRetryPolicy(elasticsearch), new RetryPolicy[0]).get(() -> {
                return Boolean.valueOf(restHighLevelClient.cluster().health(new ClusterHealthRequest(), RequestOptions.DEFAULT).getClusterName().equals(elasticsearch.getClusterName()));
            })).booleanValue();
        }
        LOGGER.debug("Elasticsearch health check is disabled");
        return true;
    }

    private RetryPolicy<Boolean> getConnectionRetryPolicy(ElasticsearchProperties elasticsearchProperties) {
        String format = String.format("connect to Elasticsearch at %s", elasticsearchProperties.getUrl());
        return ((RetryPolicy) new RetryPolicy().handle(new Class[]{IOException.class, org.elasticsearch.ElasticsearchException.class})).withDelay(Duration.ofSeconds(3L)).withMaxAttempts(50).onRetry(executionAttemptedEvent -> {
            LOGGER.info("Retrying #{} {} due to {}", new Object[]{Integer.valueOf(executionAttemptedEvent.getAttemptCount()), format, executionAttemptedEvent.getLastFailure()});
        }).onAbort(executionCompletedEvent -> {
            LOGGER.error("Abort {} by {}", format, executionCompletedEvent.getFailure());
        }).onRetriesExceeded(executionCompletedEvent2 -> {
            LOGGER.error("Retries {} exceeded for {}", Integer.valueOf(executionCompletedEvent2.getAttemptCount()), format);
        });
    }

    private RequestConfig.Builder setTimeouts(RequestConfig.Builder builder, ElasticsearchProperties elasticsearchProperties) {
        if (elasticsearchProperties.getSocketTimeout() != null) {
            builder.setSocketTimeout(elasticsearchProperties.getSocketTimeout().intValue());
        }
        if (elasticsearchProperties.getConnectTimeout() != null) {
            builder.setConnectTimeout(elasticsearchProperties.getConnectTimeout().intValue());
        }
        return builder;
    }

    private HttpHost getHttpHost(ElasticsearchProperties elasticsearchProperties) {
        try {
            URI uri = new URI(elasticsearchProperties.getUrl());
            return new HttpHost(uri.getHost(), uri.getPort(), uri.getScheme());
        } catch (URISyntaxException e) {
            throw new TasklistRuntimeException("Error in url: " + elasticsearchProperties.getUrl(), e);
        }
    }

    private HttpAsyncClientBuilder setupAuthentication(HttpAsyncClientBuilder httpAsyncClientBuilder, ElasticsearchProperties elasticsearchProperties) {
        if (!StringUtils.hasText(elasticsearchProperties.getUsername()) || !StringUtils.hasText(elasticsearchProperties.getPassword())) {
            LOGGER.warn("Username and/or password for are empty. Basic authentication for elasticsearch is not used.");
            return httpAsyncClientBuilder;
        }
        BasicCredentialsProvider basicCredentialsProvider = new BasicCredentialsProvider();
        basicCredentialsProvider.setCredentials(AuthScope.ANY, new UsernamePasswordCredentials(elasticsearchProperties.getUsername(), elasticsearchProperties.getPassword()));
        httpAsyncClientBuilder.setDefaultCredentialsProvider(basicCredentialsProvider);
        return httpAsyncClientBuilder;
    }
}
