package io.micronaut.oraclecloud.oke.workload.identity;

import com.oracle.bmc.auth.ServiceAccountTokenSupplier;
import com.oracle.bmc.auth.SessionKeySupplier;
import com.oracle.bmc.auth.okeworkloadidentity.internal.OkeTenancyOnlyAuthenticationDetailsProvider;
import com.oracle.bmc.auth.okeworkloadidentity.internal.OkeWorkloadIdentityResourcePrincipalsFederationClient;
import com.oracle.bmc.circuitbreaker.CircuitBreakerConfiguration;
import com.oracle.bmc.http.ClientConfigurator;
import com.oracle.bmc.http.client.HttpClient;
import com.oracle.bmc.http.client.HttpClientBuilder;
import com.oracle.bmc.http.internal.AuthnClientFilter;
import com.oracle.bmc.http.internal.ClientIdFilter;
import com.oracle.bmc.http.internal.LogHeadersFilter;
import com.oracle.bmc.http.signing.RequestSigner;
import com.oracle.bmc.util.internal.StringUtils;
import io.micronaut.buffer.netty.NettyByteBufferFactory;
import io.micronaut.core.annotation.AnnotationMetadataResolver;
import io.micronaut.core.convert.ConversionService;
import io.micronaut.core.io.ResourceResolver;
import io.micronaut.http.MediaType;
import io.micronaut.http.body.ContextlessMessageBodyHandlerRegistry;
import io.micronaut.http.body.TypedMessageBodyHandler;
import io.micronaut.http.client.LoadBalancer;
import io.micronaut.http.client.netty.DefaultHttpClient;
import io.micronaut.http.codec.CodecConfiguration;
import io.micronaut.http.codec.MediaTypeCodec;
import io.micronaut.http.codec.MediaTypeCodecRegistry;
import io.micronaut.http.filter.HttpClientFilter;
import io.micronaut.http.netty.body.NettyByteBufMessageBodyHandler;
import io.micronaut.http.netty.body.NettyJsonHandler;
import io.micronaut.http.netty.body.NettyJsonStreamHandler;
import io.micronaut.http.netty.body.NettyWritableBodyWriter;
import io.micronaut.json.JsonMapper;
import io.micronaut.json.codec.JsonMediaTypeCodec;
import io.micronaut.json.codec.JsonStreamMediaTypeCodec;
import io.micronaut.oraclecloud.httpclient.netty.ManagedNettyHttpProvider;
import io.micronaut.oraclecloud.httpclient.netty.OciNettyClientFilter;
import io.micronaut.runtime.ApplicationConfiguration;
import io.netty.channel.MultithreadEventLoopGroup;
import io.netty.util.concurrent.DefaultThreadFactory;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.net.URI;
import java.nio.file.Files;
import java.nio.file.LinkOption;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.Collections;
import java.util.Iterator;
import java.util.List;
import java.util.concurrent.Executors;
import javax.net.ssl.TrustManagerFactory;

/* loaded from: input_file:io/micronaut/oraclecloud/oke/workload/identity/MicronautOkeWorkloadIdentityResourcePrincipalsFederationClient.class */
/**
 * Federation client for OKE workload identity whose HTTP client is built on the Micronaut Netty
 * stack and trusts only the certificate read from the Kubernetes service-account CA file.
 *
 * <p>The fields {@code clientConfigurator} and {@code additionalClientConfigurator} used in
 * {@link #makeClient(String, RequestSigner)} are not declared in this class; they are inherited.
 */
final class MicronautOkeWorkloadIdentityResourcePrincipalsFederationClient extends OkeWorkloadIdentityResourcePrincipalsFederationClient {
    /** Message raised when the service-account CA certificate file is absent or cannot be opened. */
    public static final String KUBERNETES_SERVICE_ACCOUNT_ERROR_MESSAGE = "Kubernetes service account ca cert doesn't exist.";

    /** File that {@link #defaultHttpClient()} reads the trusted CA certificate from. */
    static final String KUBERNETES_SERVICE_ACCOUNT_CERT_PATH = "/var/run/secrets/kubernetes.io/serviceaccount/ca.crt";

    /** Key-store alias under which the single CA certificate is registered. */
    private static final String CA_CERT_ALIAS = "ocp-cert";

    // Filters handed unchanged to every ManagedNettyHttpProvider created by makeClient.
    private final List<OciNettyClientFilter<?>> nettyClientFilters;

    /**
     * Creates the client; the first six arguments are forwarded to the superclass constructor as-is.
     *
     * @param sessionKeySupplier forwarded to the superclass
     * @param serviceAccountTokenSupplier forwarded to the superclass
     * @param okeTenancyOnlyAuthenticationDetailsProvider forwarded to the superclass
     * @param clientConfigurator forwarded to the superclass
     * @param circuitBreakerConfiguration forwarded to the superclass
     * @param list additional client configurators, forwarded to the superclass
     * @param list2 Netty client filters kept for the HTTP clients this instance builds
     */
    public MicronautOkeWorkloadIdentityResourcePrincipalsFederationClient(SessionKeySupplier sessionKeySupplier, ServiceAccountTokenSupplier serviceAccountTokenSupplier, OkeTenancyOnlyAuthenticationDetailsProvider okeTenancyOnlyAuthenticationDetailsProvider, ClientConfigurator clientConfigurator, CircuitBreakerConfiguration circuitBreakerConfiguration, List<ClientConfigurator> list, List<OciNettyClientFilter<?>> list2) {
        super(sessionKeySupplier, serviceAccountTokenSupplier, okeTenancyOnlyAuthenticationDetailsProvider, clientConfigurator, circuitBreakerConfiguration, list);
        this.nettyClientFilters = list2;
    }

    /**
     * Builds the SSL builder for the OKE client from a CA certificate file.
     *
     * <p>The key store starts empty and receives exactly one entry, so the resulting trust material
     * contains no platform default CAs: whoever controls the file at {@code str} decides which
     * server this client trusts. The method is public and takes the path from its caller;
     * {@link #defaultHttpClient()} always passes {@link #KUBERNETES_SERVICE_ACCOUNT_CERT_PATH}.
     *
     * @param str path of the X.509 CA certificate file
     * @return an SSL builder constructed with the trust manager factory and key store built here
     * @throws IllegalArgumentException if the file is missing or unreadable, is not a valid X.509
     *     certificate, or the key store or trust manager factory cannot be created
     */
    public static OkeNettyClientSslBuilder okeNettyClientSslBuilder(String str) {
        Path caCertFile = Paths.get(str);
        if (!Files.exists(caCertFile)) {
            throw new IllegalArgumentException(KUBERNETES_SERVICE_ACCOUNT_ERROR_MESSAGE);
        }
        try (FileInputStream caCertStream = new FileInputStream(caCertFile.toFile())) {
            CertificateFactory x509Factory = CertificateFactory.getInstance("X.509");
            // NOTE(review): generateCertificate yields a single certificate. If the CA file ever
            // holds a bundle (for example during a CA rotation), the remaining certificates are not
            // added to the trust store here - confirm that is the intended behaviour.
            X509Certificate caCertificate = (X509Certificate) x509Factory.generateCertificate(caCertStream);

            KeyStore trustStore = KeyStore.getInstance(KeyStore.getDefaultType());
            // A null stream initialises an empty store, so nothing but the entry below is trusted.
            trustStore.load(null, null);
            TrustManagerFactory trustManagers = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
            trustStore.setCertificateEntry(CA_CERT_ALIAS, caCertificate);
            trustManagers.init(trustStore);
            return new OkeNettyClientSslBuilder(new ResourceResolver(), trustManagers, trustStore);
        } catch (FileNotFoundException missing) {
            // The file can disappear, or be a directory, after the existence check above.
            throw new IllegalArgumentException(KUBERNETES_SERVICE_ACCOUNT_ERROR_MESSAGE, missing);
        } catch (IOException | NoSuchAlgorithmException loadFailure) {
            throw new IllegalArgumentException("Cannot load keystore. Please contact OKE Foundation team for help.", loadFailure);
        } catch (KeyStoreException storeFailure) {
            throw new IllegalArgumentException("Cannot create keystore based on Kubernetes ca cert. Please contact OKE Foundation team for help.", storeFailure);
        } catch (CertificateException badCertificate) {
            throw new IllegalArgumentException("Invalid Kubernetes ca certification. Please contact OKE Foundation team for help.", badCertificate);
        }
    }

    /**
     * Creates a Micronaut Netty HTTP client without an application context, with JSON and JSON-stream
     * body handlers and codecs, and with SSL configured from the service-account CA certificate.
     *
     * <p>Every call reads the CA file again and returns a new client.
     * NOTE(review): nothing in this class closes the returned client - confirm that the
     * ManagedNettyHttpProvider receiving it takes over its lifecycle.
     *
     * @return a new {@link DefaultHttpClient}
     * @throws IllegalArgumentException if the CA certificate cannot be loaded
     */
    DefaultHttpClient defaultHttpClient() {
        JsonMapper jsonMapper = JsonMapper.createDefault();
        ApplicationConfiguration appConfig = new ApplicationConfiguration();

        ContextlessMessageBodyHandlerRegistry bodyHandlers = new ContextlessMessageBodyHandlerRegistry(appConfig, NettyByteBufferFactory.DEFAULT, new TypedMessageBodyHandler[]{new NettyByteBufMessageBodyHandler(), new NettyWritableBodyWriter(appConfig)});
        bodyHandlers.add(MediaType.APPLICATION_JSON_TYPE, new NettyJsonHandler(jsonMapper));
        bodyHandlers.add(MediaType.APPLICATION_JSON_STREAM_TYPE, new NettyJsonStreamHandler(jsonMapper));

        // No load balancer, no context path and no Micronaut client filters are supplied.
        return new DefaultHttpClient(
                (LoadBalancer) null,
                MicronautOkeWorkloadIdentityAuthenticationDetailsProviderBuilder.getOkeHttpClientConfiguration(),
                (String) null,
                new DefaultThreadFactory(MultithreadEventLoopGroup.class),
                okeNettyClientSslBuilder(KUBERNETES_SERVICE_ACCOUNT_CERT_PATH),
                MediaTypeCodecRegistry.of(new MediaTypeCodec[]{new JsonMediaTypeCodec(jsonMapper, appConfig, (CodecConfiguration) null), new JsonStreamMediaTypeCodec(jsonMapper, appConfig, (CodecConfiguration) null)}),
                bodyHandlers,
                AnnotationMetadataResolver.DEFAULT,
                ConversionService.SHARED,
                new HttpClientFilter[0]);
    }

    /**
     * Builds the OCI HTTP client for the given endpoint on top of {@link #defaultHttpClient()}.
     *
     * <p>Three request interceptors are registered (request signing, client id, header logging)
     * before the inherited configurators are applied, so a configurator can still alter the builder.
     * NOTE(review): a new cached thread pool is created on every call and is not shut down in this
     * class - confirm who owns it. Also confirm what LogHeadersFilter writes to the log, since the
     * same request is signed by AuthnClientFilter.
     *
     * @param str base URI of the endpoint
     * @param requestSigner signer handed to the authentication filter
     * @return the configured client, or {@code null} when {@code str} is blank
     * @throws IllegalArgumentException if {@code str} is not a valid URI or the CA certificate
     *     cannot be loaded
     */
    protected HttpClient makeClient(String str, RequestSigner requestSigner) {
        if (StringUtils.isBlank(str)) {
            return null;
        }
        ManagedNettyHttpProvider provider = new ManagedNettyHttpProvider(defaultHttpClient(), Executors.newCachedThreadPool(), this.nettyClientFilters);
        HttpClientBuilder builder = provider.newBuilder();
        builder = builder.baseUri(URI.create(str));
        builder = builder.registerRequestInterceptor(1000, new AuthnClientFilter(requestSigner, Collections.emptyMap()));
        builder = builder.registerRequestInterceptor(3000, new ClientIdFilter());
        builder = builder.registerRequestInterceptor(5000, new LogHeadersFilter());

        if (this.clientConfigurator != null) {
            this.clientConfigurator.customizeClient(builder);
        }
        for (ClientConfigurator extraConfigurator : this.additionalClientConfigurator) {
            extraConfigurator.customizeClient(builder);
        }
        return builder.build();
    }
}
