package io.micronaut.kubernetes.client.openapi.ssl;

import io.micronaut.core.annotation.Internal;
import io.micronaut.core.io.ResourceResolver;
import io.micronaut.http.client.netty.ssl.NettyClientSslBuilder;
import io.micronaut.http.ssl.ClientSslConfiguration;
import io.micronaut.http.ssl.SslConfiguration;
import io.micronaut.kubernetes.client.openapi.config.KubeConfig;
import io.micronaut.kubernetes.client.openapi.config.KubernetesClientConfiguration;
import io.micronaut.kubernetes.client.openapi.config.model.AuthInfo;
import io.micronaut.kubernetes.client.openapi.config.model.Cluster;
import java.io.ByteArrayInputStream;
import java.io.IOException;
import java.io.InputStream;
import java.security.KeyStore;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collection;
import java.util.Iterator;
import java.util.Optional;

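@Internal
/**
 * Netty client SSL builder that sources the TLS material for the Kubernetes API-server
 * connection from the active kubeconfig ({@code users} / {@code clusters} entries) or, when no
 * kubeconfig is present, from the mounted service-account CA bundle.
 *
 * <p>The key store (client certificate + private key) is only produced from a kubeconfig user;
 * the trust store is produced from the cluster's CA data or the service-account CA file. A
 * cluster entry with {@code insecure-skip-tls-verify: true} results in no trust store and in
 * server certificate verification being switched off on the client SSL configuration.
 */
public final class KubernetesClientSslBuilder extends NettyClientSslBuilder {
    /** JCA certificate-factory type used to parse the kubeconfig client certificate chain. */
    private static final String X509_CERTIFICATE_TYPE = "X509";
    /** Certificate-factory type used to parse the cluster / service-account CA bundle. */
    private static final String CA_CERTIFICATE_TYPE = "X.509";
    /** Key-store type used when the SSL configuration does not name one. */
    private static final String DEFAULT_KEY_STORE_TYPE = "JKS";
    /** Alias prefix for trust-store entries: {@code ca0}, {@code ca1}, ... */
    private static final String CA_ALIAS_PREFIX = "ca";

    private final ResourceResolver resourceResolver;
    private final KubeConfig kubeConfig;
    private final KubernetesPrivateKeyLoader kubernetesPrivateKeyLoader;
    private final KubernetesClientConfiguration kubernetesClientConfiguration;

    /**
     * Creates the builder.
     *
     * @param resourceResolver resolver used to read the service-account CA file
     * @param kubeConfig the active kubeconfig, or {@code null} when running without one
     *        (e.g. in-cluster with a service account)
     * @param kubernetesPrivateKeyLoader decoder for the kubeconfig {@code client-key-data}
     * @param kubernetesClientConfiguration client configuration (service-account settings)
     */
    public KubernetesClientSslBuilder(ResourceResolver resourceResolver, KubeConfig kubeConfig, KubernetesPrivateKeyLoader kubernetesPrivateKeyLoader, KubernetesClientConfiguration kubernetesClientConfiguration) {
        super(resourceResolver);
        this.resourceResolver = resourceResolver;
        this.kubeConfig = kubeConfig;
        this.kubernetesPrivateKeyLoader = kubernetesPrivateKeyLoader;
        this.kubernetesClientConfiguration = kubernetesClientConfiguration;
    }

    /**
     * Builds the key store holding the client certificate chain and private key of the
     * kubeconfig user, for client-certificate (mutual TLS) authentication.
     *
     * <p>The key entry alias is the configured key alias, falling back to the subject DN of the
     * first certificate in the chain. The entry password is resolved by
     * {@link #resolveKeyPassword(SslConfiguration)}.
     *
     * @param sslConfiguration the client SSL configuration (key alias/password, key-store type)
     * @return the populated key store, or empty when there is no kubeconfig user or the user
     *         carries no {@code client-certificate-data} / {@code client-key-data} pair
     * @throws IllegalArgumentException when the certificate data yields no certificates
     * @throws Exception when the chain or key cannot be parsed or the key store cannot be populated
     */
    @Override
    protected Optional<KeyStore> getKeyStore(SslConfiguration sslConfiguration) throws Exception {
        if (kubeConfig == null || kubeConfig.getUser() == null) {
            return Optional.empty();
        }
        AuthInfo user = kubeConfig.getUser();
        byte[] certificateData = user.clientCertificateData();
        byte[] keyData = user.clientKeyData();
        if (certificateData == null || keyData == null) {
            // A user without a client key pair (token / exec based auth) needs no key store.
            return Optional.empty();
        }
        Collection<? extends Certificate> chain = parseCertificates(X509_CERTIFICATE_TYPE, certificateData);
        if (chain.isEmpty()) {
            // Fail with a clear message instead of NoSuchElementException from iterator().next()
            // or a provider-specific error from setKeyEntry with an empty chain.
            throw new IllegalArgumentException("Expected non-empty client certificate chain in kubeconfig user");
        }
        String alias = sslConfiguration.getKey().getAlias()
            .orElseGet(() -> ((X509Certificate) chain.iterator().next()).getSubjectX500Principal().getName());
        PrivateKey privateKey = kubernetesPrivateKeyLoader.loadPrivateKey(keyData);
        char[] password = resolveKeyPassword(sslConfiguration).toCharArray();
        KeyStore keyStore = KeyStore.getInstance(sslConfiguration.getKeyStore().getType().orElse(DEFAULT_KEY_STORE_TYPE));
        keyStore.load(null);
        keyStore.setKeyEntry(alias, privateKey, password, chain.toArray(new Certificate[0]));
        return Optional.of(keyStore);
    }

    /**
     * Builds the trust store for the API-server connection from the cluster CA data in the
     * kubeconfig, or from the service-account CA file when no kubeconfig is present.
     *
     * <p>Each CA certificate is stored under the alias {@code ca<index>} in iteration order.
     *
     * @param sslConfiguration the client SSL configuration; must be a
     *        {@link ClientSslConfiguration} when the cluster sets {@code insecure-skip-tls-verify}
     * @return the populated trust store, or empty when no CA data is available or when TLS
     *         verification has been disabled by the kubeconfig
     * @throws IllegalArgumentException when the CA data yields no certificates
     * @throws Exception when the CA bundle cannot be read or parsed or the store cannot be populated
     */
    @Override
    protected Optional<KeyStore> getTrustStore(SslConfiguration sslConfiguration) throws Exception {
        byte[] caData;
        if (kubeConfig != null) {
            Cluster cluster = kubeConfig.getCluster();
            if (Boolean.TRUE.equals(cluster.insecureSkipTlsVerify())) {
                // The kubeconfig explicitly opts out of server certificate verification: the
                // client is told to trust every certificate and no trust store is built.
                ((ClientSslConfiguration) sslConfiguration).setInsecureTrustAllCertificates(true);
                return Optional.empty();
            }
            caData = cluster.certificateAuthorityData();
        } else {
            caData = readServiceAccountCaBundle();
        }
        if (caData == null) {
            return Optional.empty();
        }
        Collection<? extends Certificate> caCertificates = parseCertificates(CA_CERTIFICATE_TYPE, caData);
        if (caCertificates.isEmpty()) {
            throw new IllegalArgumentException("Expected non-empty set of trusted certificates");
        }
        KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
        trustStore.load(null, null);
        int index = 0;
        for (Certificate caCertificate : caCertificates) {
            trustStore.setCertificateEntry(CA_ALIAS_PREFIX + index, caCertificate);
            index++;
        }
        return Optional.of(trustStore);
    }

    /**
     * Reads the service-account CA bundle named by the client configuration.
     *
     * @return the raw bundle bytes, or {@code null} when the service account is disabled or the
     *         configured CA path cannot be resolved to a resource
     * @throws IOException if the resource cannot be read
     */
    private byte[] readServiceAccountCaBundle() throws IOException {
        var serviceAccount = kubernetesClientConfiguration.getServiceAccount();
        if (!serviceAccount.isEnabled()) {
            return null;
        }
        Optional<InputStream> caStream = resourceResolver.getResourceAsStream(serviceAccount.getCertificateAuthorityPath());
        if (caStream.isEmpty()) {
            return null;
        }
        // Close the stream after reading; the resolver hands out an open stream.
        try (InputStream in = caStream.get()) {
            return in.readAllBytes();
        }
    }

    /**
     * Resolves the password used to protect the key entry: the configured key password, else the
     * configured key-store password, else the empty string. When neither is configured the empty
     * password is also written back to the key configuration (presumably so that whoever later
     * reads the key entry uses the same password it was stored under — confirm against the
     * Netty SSL builder).
     *
     * @param sslConfiguration the SSL configuration to read (and possibly update)
     * @return the password, never {@code null}
     */
    private static String resolveKeyPassword(SslConfiguration sslConfiguration) {
        Optional<String> keyPassword = sslConfiguration.getKey().getPassword();
        if (keyPassword.isPresent()) {
            return keyPassword.get();
        }
        Optional<String> keyStorePassword = sslConfiguration.getKeyStore().getPassword();
        if (keyStorePassword.isPresent()) {
            return keyStorePassword.get();
        }
        sslConfiguration.getKey().setPassword("");
        return "";
    }

    /**
     * Parses every certificate in {@code encoded} with a certificate factory of the given type.
     *
     * @param type the JCA certificate-factory type
     * @param encoded the encoded certificate data (one or more certificates)
     * @return the parsed certificates in encounter order; possibly empty
     * @throws CertificateException if the factory is unavailable or the data cannot be parsed
     */
    private static Collection<? extends Certificate> parseCertificates(String type, byte[] encoded) throws CertificateException {
        return CertificateFactory.getInstance(type).generateCertificates(new ByteArrayInputStream(encoded));
    }
}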
