package au.org.consumerdatastandards.client;

import com.google.gson.JsonElement;
import com.google.gson.JsonObject;
import com.google.gson.JsonParser;
import com.nimbusds.jose.JOSEException;
import com.nimbusds.jose.JWSAlgorithm;
import com.nimbusds.jose.JWSHeader;
import com.nimbusds.jose.crypto.RSASSASigner;
import com.nimbusds.jose.jwk.JWKSet;
import com.nimbusds.jose.jwk.RSAKey;
import com.nimbusds.jwt.JWTClaimsSet;
import com.nimbusds.jwt.SignedJWT;
import java.io.File;
import java.io.FileInputStream;
import java.io.FileNotFoundException;
import java.io.FileReader;
import java.io.IOException;
import java.net.InetSocketAddress;
import java.net.MalformedURLException;
import java.net.Proxy;
import java.net.URL;
import java.security.KeyFactory;
import java.security.KeyPair;
import java.security.NoSuchAlgorithmException;
import java.security.PrivateKey;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.security.spec.InvalidKeySpecException;
import java.security.spec.KeySpec;
import java.security.spec.PKCS8EncodedKeySpec;
import java.text.ParseException;
import java.util.Arrays;
import java.util.Base64;
import java.util.Date;
import java.util.HashMap;
import java.util.List;
import java.util.UUID;
import okhttp3.Credentials;
import okhttp3.FormBody;
import okhttp3.OkHttpClient;
import okhttp3.Request;
import okhttp3.tls.HandshakeCertificates;
import okhttp3.tls.HeldCertificate;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.util.io.pem.PemObject;
import org.bouncycastle.util.io.pem.PemReader;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:au/org/consumerdatastandards/client/ApiClientFactory.class */
public class ApiClientFactory {
    private static final int EXPIRY_BUFFER = 10000;
    private static final long DEFAULT_ACCESS_TOKEN_VALIDITY = 60;
    private static final Logger LOGGER = LoggerFactory.getLogger(ApiClientFactory.class);
    private static final List<String> VALID_PROXY_TYPES = Arrays.asList("HTTP:", "HTTPS:", "SOCKS:");
    private static final JsonParser parser = new JsonParser();
    private static final HashMap<String, JsonObject> discoveredConfigs = new HashMap<>();
    public static long accessTokenExpiresAt;
    protected final ApiClientOptions clientOptions;

    public ApiClientFactory(ApiClientOptions apiClientOptions) {
        this.clientOptions = apiClientOptions;
    }

    public ApiClient create(boolean z, boolean z2) throws ApiException {
        String serverUrl = this.clientOptions.getServerUrl();
        if (StringUtils.isBlank(serverUrl)) {
            LOGGER.error("Server Base URL is currently unset, cannot proceed until it is specified using `server` command");
            throw new ApiException("Server URL not set, please use `server` command to set Server URL first");
        }
        if (!isValidUrl(serverUrl)) {
            LOGGER.error("Invalid server url of {} specified, please double check", serverUrl);
            throw new ApiException("Invalid Server URL, please double check it");
        }
        ApiClient apiClient = new ApiClient(this.clientOptions.isValidationEnabled() || z2);
        String proxy = this.clientOptions.getProxy();
        if (!StringUtils.isBlank(proxy)) {
            setProxy(apiClient, proxy);
            LOGGER.info("Proxy is set to {}", proxy);
        }
        OkHttpClient httpClient = apiClient.getHttpClient();
        apiClient.setBasePath(serverUrl);
        LOGGER.info("Server Base URL is set to {}", serverUrl);
        String userAgent = this.clientOptions.getUserAgent();
        if (!StringUtils.isBlank(userAgent)) {
            apiClient.addDefaultHeader("x-cds-client-headers", Base64.getEncoder().encodeToString(("User-Agent: " + userAgent).getBytes()));
            LOGGER.info("User Agent in x-cds-client-headers is set to {}", userAgent);
        }
        if (z) {
            if ((accessTokenExpiresAt == 0 || accessTokenExpiresAt < System.currentTimeMillis() + 10000) && StringUtils.isNotBlank(this.clientOptions.getRefreshToken())) {
                renewTokens(this.clientOptions, httpClient);
            }
            if (StringUtils.isBlank(this.clientOptions.getAccessToken()) && StringUtils.isNotBlank(this.clientOptions.getAuthServer())) {
                acquireNewTokens();
            }
            apiClient.addDefaultHeader("Authorization", "Bearer " + this.clientOptions.getAccessToken());
        }
        if (this.clientOptions.isMtlsEnabled()) {
            validateClientCertSettings();
            String rootCaFilePath = this.clientOptions.getRootCaFilePath();
            String keyFilePath = this.clientOptions.getKeyFilePath();
            String certFilePath = this.clientOptions.getCertFilePath();
            try {
                X509Certificate loadCertificate = loadCertificate(rootCaFilePath);
                X509Certificate loadCertificate2 = loadCertificate(certFilePath);
                apiClient.setHttpClient(buildHttpClient(httpClient, loadCertificate, new HeldCertificate(new KeyPair(loadCertificate2.getPublicKey(), loadPrivateKey(keyFilePath)), loadCertificate2), new X509Certificate[0]));
                LOGGER.info("Enabled MTLS");
            } catch (IOException | NoSuchAlgorithmException | CertificateException | InvalidKeySpecException e) {
                throw new ApiException(e);
            }
        } else {
            apiClient.setHttpClient(httpClient);
            LOGGER.info("Disabled MTLS");
        }
        apiClient.setDebugging(this.clientOptions.isDebugEnabled());
        LOGGER.info("Debugging is set to {}", Boolean.valueOf(apiClient.isDebugging()));
        apiClient.setVerifyingSsl(this.clientOptions.isVerifyingSsl());
        LOGGER.info("Verifying SSL is set to {}", Boolean.valueOf(apiClient.isVerifyingSsl()));
        return apiClient;
    }

    protected void acquireNewTokens() {
        LOGGER.warn("New tokens required.");
    }

    private static void renewTokens(ApiClientOptions apiClientOptions, OkHttpClient okHttpClient) throws ApiException {
        try {
            String asString = discoveredInfo(okHttpClient, apiClientOptions.getAuthServer()).get("token_endpoint").getAsString();
            RSAKey rSAKey = (RSAKey) JWKSet.load(new File(apiClientOptions.getJwksPath())).getKeys().get(0);
            SignedJWT signedJWT = new SignedJWT(new JWSHeader.Builder(JWSAlgorithm.RS256).keyID(rSAKey.getKeyID()).build(), new JWTClaimsSet.Builder().subject(apiClientOptions.getClientId()).issuer(apiClientOptions.getClientId()).audience(asString).expirationTime(new Date(System.currentTimeMillis() + 300000)).jwtID(UUID.randomUUID().toString()).build());
            signedJWT.sign(new RSASSASigner(rSAKey));
            JsonObject asJsonObject = parser.parse(okHttpClient.newCall(new Request.Builder().url(asString).post(new FormBody.Builder().add("grant_type", "refresh_token").add("client_id", apiClientOptions.getClientId()).add("client_assertion_type", "urn:ietf:params:oauth:client-assertion-type:jwt-bearer").add("client_assertion", signedJWT.serialize()).add("refresh_token", apiClientOptions.getRefreshToken()).build()).build()).execute().body().string()).getAsJsonObject();
            if (asJsonObject.has("error")) {
                JsonElement jsonElement = asJsonObject.get("error_description");
                throw new ApiException((jsonElement == null ? asJsonObject.get("error") : jsonElement).getAsString());
            }
            apiClientOptions.setAccessToken(asJsonObject.get("access_token").getAsString());
            JsonElement jsonElement2 = asJsonObject.get("expires_in");
            accessTokenExpiresAt = System.currentTimeMillis() + ((jsonElement2 == null ? DEFAULT_ACCESS_TOKEN_VALIDITY : jsonElement2.getAsLong()) * 1000);
            JsonElement jsonElement3 = asJsonObject.get("refresh_token");
            if (jsonElement3 != null) {
                apiClientOptions.setRefreshToken(jsonElement3.getAsString());
            }
        } catch (IOException | ParseException | JOSEException e) {
            throw new ApiException(e);
        }
    }

    private static JsonObject discoveredInfo(OkHttpClient okHttpClient, String str) throws IOException {
        JsonObject jsonObject = discoveredConfigs.get(str);
        if (jsonObject == null) {
            jsonObject = parser.parse(okHttpClient.newCall(new Request.Builder().url(str + (str.endsWith("/") ? "" : "/") + ".well-known/openid-configuration").get().build()).execute().body().string()).getAsJsonObject();
            discoveredConfigs.put(str, jsonObject);
        }
        return jsonObject;
    }

    private static X509Certificate loadCertificate(String str) throws CertificateException, FileNotFoundException {
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new FileInputStream(str));
    }

    private static PrivateKey loadPrivateKey(String str) throws IOException, ApiException, NoSuchAlgorithmException, InvalidKeySpecException {
        PemObject readPemObject = new PemReader(new FileReader(str)).readPemObject();
        String type = readPemObject.getType();
        if (!type.endsWith("PRIVATE KEY")) {
            throw new ApiException("Invalid key file content - expecting first line similar to\n-----BEGIN RSA PRIVATE KEY-----");
        }
        String trim = type.replace("PRIVATE KEY", "").trim();
        if (!StringUtils.isNotBlank(trim) || "RSA".equals(trim)) {
            return generateRSAPrivateKey(new PKCS8EncodedKeySpec(readPemObject.getContent()));
        }
        throw new ApiException("Invalid algorithm for MTLS: " + trim);
    }

    private static PrivateKey generateRSAPrivateKey(KeySpec keySpec) throws NoSuchAlgorithmException, InvalidKeySpecException {
        return KeyFactory.getInstance("RSA").generatePrivate(keySpec);
    }

    private static OkHttpClient buildHttpClient(OkHttpClient okHttpClient, X509Certificate x509Certificate, HeldCertificate heldCertificate, X509Certificate... x509CertificateArr) {
        HandshakeCertificates.Builder addTrustedCertificate = new HandshakeCertificates.Builder().addPlatformTrustedCertificates().addTrustedCertificate(x509Certificate);
        if (heldCertificate != null) {
            addTrustedCertificate.heldCertificate(heldCertificate, x509CertificateArr);
        }
        HandshakeCertificates build = addTrustedCertificate.build();
        return okHttpClient.newBuilder().sslSocketFactory(build.sslSocketFactory(), build.trustManager()).build();
    }

    private void validateClientCertSettings() throws ApiException {
        String rootCaFilePath = this.clientOptions.getRootCaFilePath();
        String certFilePath = this.clientOptions.getCertFilePath();
        String keyFilePath = this.clientOptions.getKeyFilePath();
        if (StringUtils.isBlank(rootCaFilePath)) {
            throw new ApiException("Root CA path is not set");
        }
        if (StringUtils.isBlank(certFilePath)) {
            throw new ApiException("Client certificate path is not set");
        }
        if (StringUtils.isBlank(keyFilePath)) {
            throw new ApiException("Client key file path is not set");
        }
        File file = new File(rootCaFilePath);
        File file2 = new File(certFilePath);
        File file3 = new File(keyFilePath);
        if (!file.exists()) {
            throw new ApiException("Root CA file " + rootCaFilePath + " cannot be found");
        }
        if (!file2.exists()) {
            throw new ApiException("Certificate file " + certFilePath + " cannot be found");
        }
        if (!file3.exists()) {
            throw new ApiException("Client key file " + keyFilePath + " cannot be found");
        }
    }

    private static void setProxy(ApiClient apiClient, String str) throws ApiException {
        OkHttpClient.Builder newBuilder = apiClient.getHttpClient().newBuilder();
        if ("none".equalsIgnoreCase(str)) {
            newBuilder.proxy(Proxy.NO_PROXY);
        } else {
            String[] split = str.split("//");
            if (split.length != 2) {
                printProxyExamples();
                throw new ApiException("Invalid proxy, please double check it.");
            }
            if (!VALID_PROXY_TYPES.contains(split[0].toUpperCase())) {
                printProxyExamples();
                throw new ApiException("Invalid proxy, please double check it.");
            }
            String[] split2 = split[1].split("@");
            if (split2.length > 2) {
                printProxyExamples();
                throw new ApiException("Invalid proxy, please double check it.");
            }
            String[] split3 = split2[split2.length - 1].split(":");
            if (split3.length != 2) {
                printProxyExamples();
                throw new ApiException("Invalid proxy, please double check it.");
            }
            String str2 = split3[0];
            String str3 = split3[1];
            if (!str3.matches("[1-9]\\d*")) {
                printProxyExamples();
                throw new ApiException("Invalid proxy, please double check it.");
            }
            newBuilder.proxy(new Proxy(getProxyType(split[0]), new InetSocketAddress(str2, Integer.parseInt(str3))));
            if (split2.length > 1) {
                String[] split4 = split2[0].split(":", 2);
                if (split4.length != 2) {
                    printProxyExamples();
                    throw new ApiException("Invalid proxy, please double check it.");
                }
                newBuilder.proxyAuthenticator((route, response) -> {
                    return response.request().newBuilder().header("Proxy-Authorization", Credentials.basic(split4[0], split4[1])).build();
                });
            }
        }
        apiClient.setHttpClient(newBuilder.build());
    }

    private static Proxy.Type getProxyType(String str) {
        return str.equalsIgnoreCase("socks:") ? Proxy.Type.SOCKS : Proxy.Type.HTTP;
    }

    private static void printProxyExamples() {
        LOGGER.info("Valid proxy examples:");
        LOGGER.info("http://http.proxy:8080");
        LOGGER.info("https://https.proxy:8443");
        LOGGER.info("socks://socks.proxy:5500");
        LOGGER.info("http://user:pass@http.proxy:8080");
        LOGGER.info("https://user:pass@https.proxy:8443");
        LOGGER.info("socks://user:pass@socks.proxy:5500");
    }

    private static boolean isValidUrl(String str) {
        String lowerCase = str.toLowerCase();
        if (!lowerCase.startsWith("https://") && !lowerCase.startsWith("http://")) {
            LOGGER.error("Invalid scheme specified for server url, only https:// and http:// are supported");
            return false;
        }
        try {
            new URL(str);
            LOGGER.trace("Server URL of {} passes validation", str);
            return true;
        } catch (MalformedURLException e) {
            LOGGER.error("Specified URL of {} is malformed and exception caught: {}", str, e.getMessage());
            return false;
        }
    }
}
