package com.yahoo.vespa.hosted.node.admin.configserver;

import com.yahoo.vespa.athenz.tls.AthenzIdentityVerifier;
import com.yahoo.vespa.athenz.tls.AthenzSslContextBuilder;
import com.yahoo.vespa.hosted.node.admin.component.ConfigServerInfo;
import com.yahoo.vespa.hosted.node.admin.component.Environment;
import com.yahoo.vespa.hosted.node.admin.configserver.certificate.ConfigServerKeyStoreRefresher;
import com.yahoo.vespa.hosted.node.admin.util.KeyStoreOptions;
import java.util.Collections;
import java.util.Optional;
import javax.net.ssl.HostnameVerifier;
import javax.net.ssl.SSLContext;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;

/* loaded from: input_file:com/yahoo/vespa/hosted/node/admin/configserver/SslConfigServerApiImpl.class */
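/**
 * {@link ConfigServerApi} that talks to the config servers over TLS and delegates every request
 * to an internal {@link ConfigServerApiImpl}.
 *
 * <p>Security-relevant behaviour visible in this class:
 * <ul>
 *   <li>The delegate is first created with a socket factory that carries no client key store.
 *       A key store is only attached once {@link ConfigServerKeyStoreRefresher} has run, so
 *       requests made before that present no client certificate.</li>
 *   <li>Server identity is checked with {@link AthenzIdentityVerifier} only when an Athenz
 *       identity is configured; otherwise plain hostname verification is used.</li>
 *   <li>An explicit trust store is installed only when trust store options are configured.</li>
 * </ul>
 */
public class SslConfigServerApiImpl implements ConfigServerApi {
    private final ConfigServerApiImpl configServerApi;
    private final Optional<ConfigServerKeyStoreRefresher> keyStoreRefresher;
    private final ConfigServerInfo configServerInfo;

    /**
     * Creates the TLS client and, when key store options are configured, acquires a client
     * certificate and starts the periodic key store refresher.
     *
     * @param configServerInfo config server URIs plus optional key store, trust store and
     *                         Athenz identity settings
     * @param str              hostname handed to the key store refresher; the
     *                         {@link Environment} constructor passes the parent host hostname
     * @throws RuntimeException if the initial key store refresh or refresher start-up fails
     */
    public SslConfigServerApiImpl(ConfigServerInfo configServerInfo, String str) {
        // Must be assigned first: the socket factory helpers below read this field.
        this.configServerInfo = configServerInfo;
        // Bootstrap client without a client key store.
        this.configServerApi = new ConfigServerApiImpl(
                configServerInfo.getConfigServerUris(),
                makeSslConnectionSocketFactory(Optional.empty()));
        this.keyStoreRefresher = configServerInfo.getKeyStoreOptions().map(keyStoreOptions -> {
            // Invoked by the refresher so that later connections use the current key store.
            Runnable reloadSocketFactory = () -> this.configServerApi.setSSLConnectionSocketFactory(
                    makeSslConnectionSocketFactory(Optional.of(keyStoreOptions)));
            ConfigServerKeyStoreRefresher refresher = new ConfigServerKeyStoreRefresher(
                    keyStoreOptions, reloadSocketFactory, this.configServerApi, str);
            try {
                refresher.refreshKeyStoreIfNeeded();
                reloadSocketFactory.run();
                refresher.start();
                return refresher;
            } catch (Exception e) {
                RuntimeException failure =
                        new RuntimeException("Failed to acquire certificate to config server", e);
                // The caller never receives this instance, so release the delegate here
                // instead of leaking its connections.
                try {
                    this.configServerApi.close();
                } catch (RuntimeException closeFailure) {
                    failure.addSuppressed(closeFailure);
                }
                throw failure;
            }
        });
    }

    /**
     * Creates the TLS client from the config server info and parent host hostname of the
     * given environment.
     *
     * @param environment source of the config server settings
     */
    public SslConfigServerApiImpl(Environment environment) {
        this(environment.getConfigServerInfo(), environment.getParentHostHostname());
    }

    /** Delegates a GET request to the underlying client. */
    @Override
    public <T> T get(String str, Class<T> cls) {
        return (T) this.configServerApi.get(str, cls);
    }

    /** Delegates a POST request to the underlying client. */
    @Override
    public <T> T post(String str, Object obj, Class<T> cls) {
        return (T) this.configServerApi.post(str, obj, cls);
    }

    /** Delegates a PUT request to the underlying client. */
    @Override
    public <T> T put(String str, Optional<Object> optional, Class<T> cls) {
        return (T) this.configServerApi.put(str, optional, cls);
    }

    /** Delegates a PATCH request to the underlying client. */
    @Override
    public <T> T patch(String str, Object obj, Class<T> cls) {
        return (T) this.configServerApi.patch(str, obj, cls);
    }

    /** Delegates a DELETE request to the underlying client. */
    @Override
    public <T> T delete(String str, Class<T> cls) {
        return (T) this.configServerApi.delete(str, cls);
    }

    /** Stops the key store refresher, if one was started, and closes the underlying client. */
    @Override
    public void close() {
        try {
            this.keyStoreRefresher.ifPresent(ConfigServerKeyStoreRefresher::stop);
        } finally {
            // Close the client even if stopping the refresher fails.
            this.configServerApi.close();
        }
    }

    /**
     * Builds a socket factory from the current trust settings and the given key store.
     *
     * @param optional client key store options; empty means no client certificate is configured
     * @return socket factory combining the SSL context and the hostname verifier
     */
    private SSLConnectionSocketFactory makeSslConnectionSocketFactory(Optional<KeyStoreOptions> optional) {
        return new SSLConnectionSocketFactory(makeSslContext(optional), makeHostnameVerifier());
    }

    /**
     * Builds the SSL context used for config server connections.
     *
     * @param optional client key store options; when present the key store is loaded and
     *                 installed together with its password
     * @return the built context
     */
    private SSLContext makeSslContext(Optional<KeyStoreOptions> optional) {
        AthenzSslContextBuilder sslContextBuilder = new AthenzSslContextBuilder();
        // NOTE(review): with no trust store options the builder gets no explicit trust store;
        // which trust anchors apply then depends on AthenzSslContextBuilder - confirm.
        this.configServerInfo.getTrustStoreOptions()
                .map(trustStoreOptions -> trustStoreOptions.loadKeyStore())
                .ifPresent(sslContextBuilder::withTrustStore);
        // The key store password is secret material; keep it out of logs and exception text.
        optional.ifPresent(keyStoreOptions ->
                sslContextBuilder.withKeyStore(keyStoreOptions.loadKeyStore(), keyStoreOptions.password));
        return sslContextBuilder.build();
    }

    /**
     * Chooses how the server's identity is verified during the TLS handshake.
     *
     * @return an {@link AthenzIdentityVerifier} restricted to the configured Athenz identity,
     *         or the default hostname verifier when no identity is configured
     */
    private HostnameVerifier makeHostnameVerifier() {
        // The explicit type witness lets both branches share the HostnameVerifier type.
        return this.configServerInfo.getAthenzIdentity()
                .<HostnameVerifier>map(athenzIdentity ->
                        new AthenzIdentityVerifier(Collections.singleton(athenzIdentity)))
                .orElseGet(SSLConnectionSocketFactory::getDefaultHostnameVerifier);
    }
}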
