package org.apache.knox.gateway.shell;

import com.sun.security.auth.callback.TextCallbackHandler;
import de.thetaphi.forbiddenapis.SuppressForbidden;
import java.io.ByteArrayInputStream;
import java.io.Closeable;
import java.io.File;
import java.io.FileNotFoundException;
import java.io.IOException;
import java.io.InputStream;
import java.net.URI;
import java.net.URISyntaxException;
import java.net.URL;
import java.nio.file.Files;
import java.nio.file.OpenOption;
import java.security.AccessController;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.KeyStoreException;
import java.security.NoSuchAlgorithmException;
import java.security.Principal;
import java.security.PrivilegedAction;
import java.security.cert.CertificateException;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.concurrent.Callable;
import java.util.concurrent.ExecutionException;
import java.util.concurrent.ExecutorService;
import java.util.concurrent.Executors;
import java.util.concurrent.Future;
import java.util.concurrent.TimeUnit;
import java.util.concurrent.TimeoutException;
import javax.net.ssl.HostnameVerifier;
import javax.security.auth.Subject;
import javax.security.auth.login.AppConfigurationEntry;
import javax.security.auth.login.Configuration;
import javax.security.auth.login.LoginContext;
import javax.security.auth.login.LoginException;
import org.apache.commons.codec.binary.Base64;
import org.apache.commons.lang3.StringUtils;
import org.apache.http.HttpHost;
import org.apache.http.HttpRequest;
import org.apache.http.auth.AuthSchemeProvider;
import org.apache.http.auth.AuthScope;
import org.apache.http.auth.Credentials;
import org.apache.http.auth.UsernamePasswordCredentials;
import org.apache.http.client.CredentialsProvider;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.config.ConnectionConfig;
import org.apache.http.config.RegistryBuilder;
import org.apache.http.config.SocketConfig;
import org.apache.http.conn.socket.ConnectionSocketFactory;
import org.apache.http.conn.socket.PlainConnectionSocketFactory;
import org.apache.http.conn.ssl.NoopHostnameVerifier;
import org.apache.http.conn.ssl.SSLConnectionSocketFactory;
import org.apache.http.conn.ssl.TrustSelfSignedStrategy;
import org.apache.http.impl.auth.BasicScheme;
import org.apache.http.impl.auth.SPNegoSchemeFactory;
import org.apache.http.impl.client.BasicAuthCache;
import org.apache.http.impl.client.BasicCredentialsProvider;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.impl.client.HttpClients;
import org.apache.http.impl.conn.PoolingHttpClientConnectionManager;
import org.apache.http.protocol.BasicHttpContext;
import org.apache.http.ssl.SSLContexts;
import org.apache.http.ssl.TrustStrategy;
import org.apache.knox.gateway.i18n.messages.MessagesFactory;
import org.apache.knox.gateway.shell.util.ClientTrustStoreHelper;

/* loaded from: input_file:org/apache/knox/gateway/shell/KnoxSession.class */
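/**
 * A client session against a Knox gateway.
 *
 * <p>The session owns a pooled {@link CloseableHttpClient} built from a {@link ClientContext}
 * (TLS trust material, optional HTTP Basic credentials, or Kerberos/SPNEGO), a cached thread pool
 * used by {@link #executeLater(Callable)}, and the default header map exposed through
 * {@link #getHeaders()}. Client and pool are released by {@link #shutdown()} / {@link #close()}.
 *
 * <p>Kerberos sessions configure the JVM through system properties
 * ({@code java.security.krb5.conf}, {@code javax.security.auth.useSubjectCredsOnly} and the
 * {@code sun.security.*.debug} flags), so they affect every Kerberos user in the same JVM,
 * not just this session.
 */
public class KnoxSession implements Closeable {
    /** Classpath resource used when no JAAS configuration file is supplied or the supplied one is unusable. */
    private static final String DEFAULT_JAAS_FILE = "/jaas.conf";
    /** JAAS application name used for the Kerberos login context (name kept for binary compatibility). */
    public static final String JGSS_LOGIN_MOUDLE = "com.sun.security.jgss.initiate";
    public static final String END_CERTIFICATE = "-----END CERTIFICATE-----\n";
    public static final String BEGIN_CERTIFICATE = "-----BEGIN CERTIFICATE-----\n";
    /** {@link #END_CERTIFICATE} without its trailing newline, the form searched for in a PEM string. */
    private static final String END_MARKER = END_CERTIFICATE.substring(0, END_CERTIFICATE.length() - 1);
    /** Alias under which a PEM-supplied gateway certificate is stored in the in-memory truststore. */
    private static final String ENDPOINT_CERT_ALIAS = "knox-gateway";
    private static final KnoxShellMessages LOG = (KnoxShellMessages) MessagesFactory.get(KnoxShellMessages.class);
    /**
     * Provider handed to the Kerberos client. HttpClient requires a credentials provider for the
     * Negotiate scheme to engage, while the actual GSS credentials come from the JAAS {@link Subject}
     * the request runs under (see {@link #executeNow(HttpRequest)}); hence a principal-less entry.
     */
    private static final CredentialsProvider EMPTY_CREDENTIALS_PROVIDER = new BasicCredentialsProvider();

    static {
        EMPTY_CREDENTIALS_PROVIDER.setCredentials(AuthScope.ANY, new Credentials() {
            @Override
            public Principal getUserPrincipal() {
                return null;
            }

            @Override
            public String getPassword() {
                return null;
            }
        });
    }

    /** True once {@link #createClient(ClientContext)} has built a Kerberos/SPNEGO client. */
    private boolean isKerberos;
    /** Location of the JAAS configuration used for the login in {@link #executeNow(HttpRequest)}; may be null. */
    private URL jaasConfigURL;
    // Package-private fields are read by the request classes in this package; keep their visibility.
    String base;
    HttpHost host;
    CloseableHttpClient client;
    BasicHttpContext context;
    ExecutorService executor;
    Map<String, String> headers;

    /**
     * Loads, by reflection, the vendor-specific JAAS {@code ConfigFile} implementation so a
     * configuration can be parsed from an arbitrary URI rather than only from the JVM defaults.
     */
    private static class ConfigurationFactory {
        /** The resolved implementation class, or null when it is not on the class path. */
        private static final Class<?> implClazz;

        static {
            // IBM JDKs ship the JAAS file parser under a different package than OpenJDK/Oracle.
            String vendor = System.getProperty("java.vendor", "");
            String className = vendor.contains("IBM")
                    ? "com.ibm.security.auth.login.ConfigFile"
                    : "com.sun.security.auth.login.ConfigFile";
            KnoxSession.LOG.usingJAASConfigurationFileImplementation(className);
            Class<?> loaded = null;
            try {
                loaded = Class.forName(className, false, Thread.currentThread().getContextClassLoader());
            } catch (ClassNotFoundException e) {
                KnoxSession.LOG.failedToLoadJAASConfigurationFileImplementation(className, e.getLocalizedMessage());
            }
            implClazz = loaded;
        }

        private ConfigurationFactory() {
        }

        /**
         * Instantiates the implementation class with its {@code (URI)} constructor.
         *
         * @param uri location of the JAAS configuration file
         * @return the parsed configuration, or null when the implementation is unavailable or
         *         instantiation failed (both cases are logged)
         */
        static Configuration create(URI uri) {
            if (implClazz == null) {
                KnoxSession.LOG.noJAASConfigurationFileImplementation();
                return null;
            }
            try {
                return (Configuration) implClazz.getDeclaredConstructor(URI.class).newInstance(uri);
            } catch (Exception e) {
                KnoxSession.LOG.failedToInstantiateJAASConfigurationFileImplementation(
                        implClazz.getCanonicalName(), e.getLocalizedMessage());
                return null;
            }
        }
    }

    /**
     * JAAS configuration that answers from an explicitly supplied file first and falls back to the
     * JVM-wide {@link Configuration#getConfiguration()} for any application name the file lacks.
     */
    public static final class JAASClientConfig extends Configuration {
        private static final Configuration baseConfig = Configuration.getConfiguration();
        /** Configuration parsed from the supplied URL; null when no URL was given or parsing failed. */
        private Configuration configFile;

        /**
         * @param url JAAS configuration file to prefer; null means "JVM defaults only"
         * @throws Exception if the URL cannot be converted to a URI
         */
        JAASClientConfig(URL url) throws Exception {
            if (url != null) {
                this.configFile = ConfigurationFactory.create(url.toURI());
            }
        }

        @Override
        public AppConfigurationEntry[] getAppConfigurationEntry(String str) {
            AppConfigurationEntry[] entries = null;
            if (this.configFile != null) {
                entries = this.configFile.getAppConfigurationEntry(str);
            }
            if (entries == null) {
                entries = baseConfig.getAppConfigurationEntry(str);
            }
            return entries;
        }
    }

    /** @return the default headers added to requests; the live map, not a copy */
    public Map<String, String> getHeaders() {
        return this.headers;
    }

    /** @param map replaces the default header map (stored as given, not copied) */
    public void setHeaders(Map<String, String> map) {
        this.headers = map;
    }

    /**
     * Creates an unconfigured session (no client, no executor); intended for subclasses that
     * populate the fields themselves.
     */
    public KnoxSession() throws KnoxShellException, URISyntaxException {
        this.headers = new HashMap<>();
    }

    /**
     * Creates a session and immediately builds its HTTP client from {@code clientContext}.
     *
     * @param clientContext connection, pool, socket and authentication settings
     * @throws KnoxShellException if the client (in particular its TLS trust material) cannot be built
     */
    public KnoxSession(ClientContext clientContext) throws KnoxShellException, URISyntaxException {
        this.headers = new HashMap<>();
        this.executor = Executors.newCachedThreadPool();
        this.base = clientContext.url();
        try {
            this.client = createClient(clientContext);
        } catch (GeneralSecurityException e) {
            throw new KnoxShellException("Failed to create HTTP client.", e);
        }
    }

    /**
     * Opens a session without user credentials.
     *
     * @param str gateway URL
     * @param map default headers for every request
     */
    public static KnoxSession login(String str, Map<String, String> map) throws URISyntaxException {
        KnoxSession knoxSession = new KnoxSession(ClientContext.with(str));
        knoxSession.setHeaders(map);
        return knoxSession;
    }

    /**
     * Opens a session without user credentials but with an explicit truststore.
     *
     * @param str gateway URL
     * @param map default headers for every request
     * @param str2 truststore location
     * @param str3 truststore password
     */
    public static KnoxSession login(String str, Map<String, String> map, String str2, String str3) throws URISyntaxException {
        KnoxSession knoxSession = new KnoxSession(ClientContext.with(str).connection().withTruststore(str2, str3).end());
        knoxSession.setHeaders(map);
        return knoxSession;
    }

    /**
     * Opens a session authenticating with HTTP Basic credentials.
     *
     * @param str gateway URL
     * @param str2 first credential argument passed to {@link ClientContext#with} (presumably the
     *             username; confirm against ClientContext)
     * @param str3 second credential argument (presumably the password)
     */
    public static KnoxSession login(String str, String str2, String str3) throws URISyntaxException {
        return new KnoxSession(ClientContext.with(str2, str3, str));
    }

    /**
     * Opens a session with HTTP Basic credentials and an explicit truststore.
     *
     * @param str gateway URL
     * @param str2 first credential argument (presumably the username; confirm against ClientContext)
     * @param str3 second credential argument (presumably the password)
     * @param str4 truststore location
     * @param str5 truststore password
     */
    public static KnoxSession login(String str, String str2, String str3, String str4, String str5) throws URISyntaxException {
        return new KnoxSession(ClientContext.with(str2, str3, str).connection().withTruststore(str4, str5).end());
    }

    /** Opens a session from a fully prepared {@link ClientContext}. */
    public static KnoxSession login(ClientContext clientContext) throws URISyntaxException {
        return new KnoxSession(clientContext);
    }

    /**
     * Opens a Kerberos/SPNEGO session.
     *
     * @param str gateway URL
     * @param str2 path of the JAAS configuration file (blank to use the bundled default)
     * @param str3 path of the krb5.conf to install via {@code java.security.krb5.conf} (blank to leave the JVM setting)
     * @param z whether to enable the JVM's Kerberos/GSS debug output
     */
    public static KnoxSession kerberosLogin(String str, String str2, String str3, boolean z) throws URISyntaxException {
        return new KnoxSession(ClientContext.with(str).kerberos().enable(true).jaasConf(str2).krb5Conf(str3).debug(z).end());
    }

    /** Kerberos session with default JAAS and krb5 configuration and debugging off. */
    public static KnoxSession kerberosLogin(String str) throws URISyntaxException {
        return kerberosLogin(str, false);
    }

    /** Kerberos session with default JAAS and krb5 configuration. */
    public static KnoxSession kerberosLogin(String str, boolean z) throws URISyntaxException {
        return kerberosLogin(str, "", "", z);
    }

    /**
     * Opens a session that disables hostname verification and trusts self-signed server
     * certificates, which leaves the connection open to interception. The parameters mirror
     * {@link #login(String, String, String)}.
     */
    public static KnoxSession loginInsecure(String str, String str2, String str3) throws URISyntaxException {
        return new KnoxSession(ClientContext.with(str2, str3, str).connection().secure(false).end());
    }

    /**
     * Builds the pooled HTTP client for {@code clientContext} and records {@link #host},
     * {@link #context} and the Kerberos state on this session.
     *
     * <p>With {@code connection().secure()} the default hostname verifier and only the truststore
     * from {@link #getTrustStore(ClientContext)} are trusted; otherwise hostname verification is
     * disabled and self-signed certificates are accepted (a warning is printed to stdout).
     *
     * @throws GeneralSecurityException if the SSL context or truststore cannot be set up
     */
    public CloseableHttpClient createClient(ClientContext clientContext) throws GeneralSecurityException {
        HostnameVerifier hostnameVerifier;
        TrustStrategy trustStrategy;
        if (clientContext.connection().secure()) {
            hostnameVerifier = SSLConnectionSocketFactory.getDefaultHostnameVerifier();
            trustStrategy = null; // null strategy: trust decisions come solely from the truststore
        } else {
            hostnameVerifier = NoopHostnameVerifier.INSTANCE;
            trustStrategy = TrustSelfSignedStrategy.INSTANCE;
            System.out.println("**************** WARNING ******************\nThis is an insecure client instance and may\nleave the interactions subject to a man in\nthe middle attack. Please use the login()\nmethod instead of loginInsecure() for any\nsensitive or production usecases.\n*******************************************");
        }
        SSLConnectionSocketFactory sslSocketFactory = new SSLConnectionSocketFactory(
                SSLContexts.custom().loadTrustMaterial(getTrustStore(clientContext), trustStrategy).build(),
                hostnameVerifier);
        PoolingHttpClientConnectionManager connectionManager = new PoolingHttpClientConnectionManager(
                RegistryBuilder.<ConnectionSocketFactory>create()
                        .register("http", PlainConnectionSocketFactory.getSocketFactory())
                        .register("https", sslSocketFactory)
                        .build());
        connectionManager.setMaxTotal(clientContext.pool().maxTotal());
        connectionManager.setDefaultMaxPerRoute(clientContext.pool().defaultMaxPerRoute());
        connectionManager.setDefaultConnectionConfig(
                ConnectionConfig.custom().setBufferSize(clientContext.connection().bufferSize()).build());
        connectionManager.setDefaultSocketConfig(SocketConfig.custom()
                .setSoKeepAlive(clientContext.socket().keepalive())
                .setSoLinger(clientContext.socket().linger())
                .setSoReuseAddress(clientContext.socket().reuseAddress())
                .setSoTimeout(clientContext.socket().timeout())
                .setTcpNoDelay(clientContext.socket().tcpNoDelay())
                .build());
        URI gatewayUri = URI.create(clientContext.url());
        this.host = new HttpHost(gatewayUri.getHost(), gatewayUri.getPort(), gatewayUri.getScheme());
        if (clientContext.kerberos().enable()) {
            return createKerberosClient(clientContext, connectionManager);
        }
        return createBasicAuthClient(clientContext, connectionManager);
    }

    /**
     * Builds the non-Kerberos client: an auth cache with a {@link BasicScheme} for the gateway host
     * (HttpClient's idiom for sending Basic credentials without waiting for a 401) and, when both a
     * username and a password are configured, a credentials provider scoped to that host and port.
     */
    private CloseableHttpClient createBasicAuthClient(ClientContext clientContext,
                                                      PoolingHttpClientConnectionManager connectionManager) {
        BasicAuthCache authCache = new BasicAuthCache();
        authCache.put(this.host, new BasicScheme());
        this.context = new BasicHttpContext();
        this.context.setAttribute("http.auth.auth-cache", authCache);
        BasicCredentialsProvider credentialsProvider = null;
        if (clientContext.username() != null && clientContext.password() != null) {
            credentialsProvider = new BasicCredentialsProvider();
            credentialsProvider.setCredentials(
                    new AuthScope(this.host.getHostName(), this.host.getPort()),
                    new UsernamePasswordCredentials(clientContext.username(), clientContext.password()));
        }
        return HttpClients.custom()
                .setConnectionManager(connectionManager)
                .setDefaultCredentialsProvider(credentialsProvider)
                .build();
    }

    /**
     * Builds the Kerberos client. Installs the krb5.conf, JAAS and debug settings as JVM-wide
     * system properties, then registers the Negotiate (SPNEGO) scheme with the principal-less
     * {@link #EMPTY_CREDENTIALS_PROVIDER}; the real credentials come from the Subject in
     * {@link #executeNow(HttpRequest)}.
     */
    private CloseableHttpClient createKerberosClient(ClientContext clientContext,
                                                     PoolingHttpClientConnectionManager connectionManager) {
        this.isKerberos = true;
        if (!StringUtils.isBlank(clientContext.kerberos().krb5Conf())) {
            System.setProperty("java.security.krb5.conf", clientContext.kerberos().krb5Conf());
        }
        URL configuredJaas = locateJaasConfigFile(clientContext.kerberos().jaasConf());
        if (configuredJaas != null) {
            this.jaasConfigURL = configuredJaas;
        }
        if (this.jaasConfigURL == null) {
            LOG.usingDefaultJAASConfiguration();
            this.jaasConfigURL = getClass().getResource(DEFAULT_JAAS_FILE);
            // The bundled resource may be absent from a repackaged jar; JAASClientConfig copes with a
            // null URL by falling back to the JVM configuration, so only log when we have one.
            if (this.jaasConfigURL != null) {
                LOG.jaasConfigurationLocation(this.jaasConfigURL.toExternalForm());
            }
        }
        if (clientContext.kerberos().debug()) {
            System.setProperty("sun.security.krb5.debug", "true");
            System.setProperty("sun.security.jgss.debug", "true");
        }
        System.setProperty("javax.security.auth.useSubjectCredsOnly", String.valueOf(clientContext.useSubjectCredsOnly()));
        return HttpClients.custom()
                .setConnectionManager(connectionManager)
                .setDefaultAuthSchemeRegistry(RegistryBuilder.<AuthSchemeProvider>create()
                        .register("Negotiate", new SPNegoSchemeFactory(true))
                        .build())
                .setDefaultCredentialsProvider(EMPTY_CREDENTIALS_PROVIDER)
                .build();
    }

    /**
     * Resolves a user-supplied JAAS configuration path to a canonical file URL.
     *
     * @param jaasConf file path; blank means "not configured"
     * @return the URL, or null when the path is blank, the file does not exist or it cannot be
     *         canonicalised (the latter two are logged)
     */
    private URL locateJaasConfigFile(String jaasConf) {
        if (StringUtils.isBlank(jaasConf)) {
            return null;
        }
        File file = new File(jaasConf);
        if (!file.exists()) {
            LOG.jaasConfigurationDoesNotExist(file.getAbsolutePath());
            return null;
        }
        try {
            URL url = file.getCanonicalFile().toURI().toURL();
            LOG.jaasConfigurationLocation(url.toExternalForm());
            return url;
        } catch (IOException e) {
            LOG.failedToLocateJAASConfiguration(e.getMessage());
            return null;
        }
    }

    /**
     * Parses a DER-encoded X.509 certificate.
     *
     * @param bArr DER bytes
     * @throws CertificateException if the bytes are not a valid X.509 certificate
     */
    protected X509Certificate generateCertificateFromBytes(byte[] bArr) throws CertificateException {
        return (X509Certificate) CertificateFactory.getInstance("X.509").generateCertificate(new ByteArrayInputStream(bArr));
    }

    /**
     * Returns the truststore used for TLS, in order of preference: an in-memory store holding the
     * PEM certificate from {@code connection().endpointPublicCertPem()}; the truststore named in the
     * context (after {@link #discoverTruststoreDetails(ClientContext)}); the one named by
     * {@code javax.net.ssl.trustStore}; the JVM's {@code lib/security/cacerts}.
     *
     * @throws KnoxShellException if no truststore file exists or the chosen one cannot be loaded
     * @throws GeneralSecurityException if a PEM certificate is supplied but cannot be parsed
     */
    private KeyStore getTrustStore(ClientContext clientContext) throws GeneralSecurityException {
        String pem = clientContext.connection().endpointPublicCertPem();
        if (pem != null) {
            try {
                return trustStoreFromPem(pem);
            } catch (IOException e) {
                // Best effort: log and fall through to the file-based truststores below.
                LOG.unableToLoadProvidedPEMEncodedTrustedCert(e);
            }
        }
        discoverTruststoreDetails(clientContext);
        File truststoreFile = new File(clientContext.connection().truststoreLocation());
        String truststorePass;
        if (truststoreFile.exists()) {
            truststorePass = clientContext.connection().truststorePass();
        } else {
            String location = System.getProperty("javax.net.ssl.trustStore");
            truststorePass = System.getProperty("javax.net.ssl.trustStorePassword", "changeit");
            if (location == null) {
                location = System.getProperty("java.home") + File.separator + "lib" + File.separator + "security" + File.separator + "cacerts";
            }
            truststoreFile = new File(location);
        }
        if (!truststoreFile.exists()) {
            throw new KnoxShellException("Unable to find a truststore for secure login.Please import the gateway-identity certificate into the JVM truststore or set the truststore location ENV variables.");
        }
        try (InputStream in = Files.newInputStream(truststoreFile.toPath())) {
            KeyStore keyStore = KeyStore.getInstance("JKS");
            keyStore.load(in, truststorePass.toCharArray());
            return keyStore;
        } catch (FileNotFoundException e) {
            throw new KnoxShellException("Unable to read truststore. Please import the gateway-identity certificate into the JVM truststore or set the truststore location ENV variables.", e);
        } catch (IOException e) {
            throw new KnoxShellException("Unable to load truststore. May be related to password setting or truststore format.", e);
        } catch (KeyStoreException e) {
            throw new KnoxShellException("Unable to create keystore of expected type.", e);
        } catch (NoSuchAlgorithmException e) {
            throw new KnoxShellException("Unable to load the truststore. Please import the gateway-identity certificate into the JVM truststore or set the truststore location ENV variables.", e);
        } catch (CertificateException e) {
            throw new KnoxShellException("Certificate cannot be found in the truststore. Please import the gateway-identity certificate into the JVM truststore or set the truststore location ENV variables.", e);
        }
    }

    /**
     * Builds an in-memory JKS truststore containing only the given PEM certificate.
     *
     * @throws IOException from {@link KeyStore#load}
     * @throws GeneralSecurityException if the certificate cannot be parsed or stored
     */
    private KeyStore trustStoreFromPem(String pem) throws GeneralSecurityException, IOException {
        byte[] der = Base64.decodeBase64(stripPemMarkers(pem));
        KeyStore keyStore = KeyStore.getInstance("JKS");
        keyStore.load(null);
        keyStore.setCertificateEntry(ENDPOINT_CERT_ALIAS, generateCertificateFromBytes(der));
        return keyStore;
    }

    /**
     * Strips the BEGIN/END CERTIFICATE armour from a PEM string, leaving the Base64 body.
     * Input without a BEGIN marker is returned unchanged. A missing or misplaced END marker no
     * longer raises {@link StringIndexOutOfBoundsException}: the body then runs to the end of the
     * string and any failure surfaces later as a {@link CertificateException}.
     */
    private static String stripPemMarkers(String pem) {
        if (!pem.contains("BEGIN")) {
            return pem;
        }
        int start = Math.min(BEGIN_CERTIFICATE.length() - 1, pem.length());
        int end = pem.indexOf(END_MARKER);
        if (end < start) {
            end = pem.length();
        }
        return pem.substring(start, end);
    }

    /**
     * Fills in the context's truststore location and password from {@link ClientTrustStoreHelper}
     * when either is unset. Mutates {@code clientContext}.
     */
    protected void discoverTruststoreDetails(ClientContext clientContext) {
        if (clientContext.connection().truststoreLocation() == null || clientContext.connection().truststorePass() == null) {
            clientContext.connection().withTruststore(
                    ClientTrustStoreHelper.getClientTrustStoreFile().getAbsolutePath(),
                    ClientTrustStoreHelper.getClientTrustStoreFilePassword());
        }
    }

    /** @return the gateway URL this session was created with */
    public String base() {
        return this.base;
    }

    /**
     * Executes a request synchronously.
     *
     * <p>For Kerberos sessions the request runs under the current {@link Subject}; if none is
     * associated with the calling thread, a JAAS login with {@link #JGSS_LOGIN_MOUDLE} is performed
     * first, prompting on the console for anything the login module asks for.
     *
     * @return the response when its status is below 400
     * @throws ErrorResponse for status 400 and above; the response is handed to the exception
     * @throws KnoxShellException if the JAAS login fails, or (Kerberos only) wrapping an I/O failure
     * @throws IOException on I/O failure in the non-Kerberos path
     */
    @SuppressForbidden
    public CloseableHttpResponse executeNow(HttpRequest httpRequest) throws IOException {
        if (!this.isKerberos) {
            return executeChecked(httpRequest);
        }
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) {
            subject = loginWithJaas();
        }
        return Subject.doAs(subject, (PrivilegedAction<CloseableHttpResponse>) () -> {
            try {
                return executeChecked(httpRequest);
            } catch (IOException e) {
                // PrivilegedAction cannot throw checked exceptions; callers see the unchecked wrapper.
                throw new KnoxShellException(e.toString(), e);
            }
        });
    }

    /** Sends the request and converts any status of 400 or above into an {@link ErrorResponse}. */
    private CloseableHttpResponse executeChecked(HttpRequest httpRequest) throws IOException {
        CloseableHttpResponse response = this.client.execute(this.host, httpRequest, this.context);
        if (response.getStatusLine().getStatusCode() < 400) {
            return response;
        }
        throw new ErrorResponse(httpRequest.getRequestLine().getUri() + ": ", response);
    }

    /**
     * Performs a JAAS login using {@link #jaasConfigURL} (JVM defaults when that is null).
     *
     * @throws KnoxShellException wrapping any failure to build the configuration or to log in
     */
    private Subject loginWithJaas() {
        LOG.noSubjectAvailable();
        try {
            LoginContext loginContext = new LoginContext(JGSS_LOGIN_MOUDLE, (Subject) null,
                    new TextCallbackHandler(), new JAASClientConfig(this.jaasConfigURL));
            loginContext.login();
            return loginContext.getSubject();
        } catch (Exception e) {
            // String.valueOf tolerates a null URL (no bundled jaas.conf); URL.toString() is its external form.
            LOG.failedToLoadJAASConfiguration(String.valueOf(this.jaasConfigURL));
            throw new KnoxShellException(e.toString(), e);
        }
    }

    /** Submits {@code callable} to the session's thread pool. */
    public <T> Future<T> executeLater(Callable<T> callable) {
        return this.executor.submit(callable);
    }

    /**
     * Blocks until every given future has completed.
     *
     * @param futureArr futures to wait on; null is treated as empty
     * @throws ExecutionException if a future failed (remaining futures are not waited on)
     */
    public void waitFor(Future<?>... futureArr) throws ExecutionException, InterruptedException {
        if (futureArr == null) {
            return;
        }
        for (Future<?> future : futureArr) {
            future.get();
        }
    }

    /**
     * Blocks until every given future has completed or the overall timeout has elapsed. The budget
     * is shared across all futures and measured with the monotonic clock, so wall-clock adjustments
     * cannot extend or shorten it.
     *
     * @param j overall timeout
     * @param timeUnit unit of {@code j}
     * @param futureArr futures to wait on; null is treated as empty
     * @throws TimeoutException once the budget is exhausted and a future is still running
     */
    public void waitFor(long j, TimeUnit timeUnit, Future<?>... futureArr) throws ExecutionException, TimeoutException, InterruptedException {
        if (futureArr == null) {
            return;
        }
        long remainingNanos = timeUnit.toNanos(j);
        for (Future<?> future : futureArr) {
            long started = System.nanoTime();
            // A non-positive budget still returns immediately for futures that are already done.
            future.get(Math.max(remainingNanos, 0L), TimeUnit.NANOSECONDS);
            remainingNanos -= System.nanoTime() - started;
        }
    }

    /** Closes the HTTP client if one was created. */
    private void closeClient() throws IOException {
        if (this.client != null) {
            this.client.close();
        }
    }

    /**
     * Interrupts running tasks, discards queued ones and closes the HTTP client. The client is
     * closed even if stopping the executor throws.
     */
    public void shutdown() throws InterruptedException, IOException {
        try {
            if (this.executor != null) {
                this.executor.shutdownNow();
            }
        } finally {
            closeClient();
        }
    }

    /**
     * Stops accepting tasks, waits up to the given time for running ones to finish, then closes
     * the HTTP client (also on failure).
     *
     * @return whether the executor terminated within the timeout
     */
    public boolean shutdown(long j, TimeUnit timeUnit) throws InterruptedException, IOException {
        try {
            this.executor.shutdown();
            return this.executor.awaitTermination(j, timeUnit);
        } finally {
            closeClient();
        }
    }

    /**
     * Equivalent to {@link #shutdown()}; an interrupt during shutdown is re-asserted on the
     * thread and reported as a {@link KnoxShellException}.
     */
    @Override
    public void close() throws IOException {
        try {
            shutdown();
        } catch (InterruptedException e) {
            Thread.currentThread().interrupt();
            throw new KnoxShellException("Can not shutdown underlying resources", e);
        }
    }

    @Override
    public String toString() {
        return "KnoxSession{base='" + this.base + "'}";
    }
}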
