package com.venafi.vcert.sdk.connectors.tpp;

import com.google.common.annotations.VisibleForTesting;
import com.google.common.net.HttpHeaders;
import com.venafi.vcert.sdk.VCertException;
import com.venafi.vcert.sdk.certificate.CertificateRequest;
import com.venafi.vcert.sdk.certificate.ChainOption;
import com.venafi.vcert.sdk.certificate.CsrOriginOption;
import com.venafi.vcert.sdk.certificate.ImportRequest;
import com.venafi.vcert.sdk.certificate.ImportResponse;
import com.venafi.vcert.sdk.certificate.KeyType;
import com.venafi.vcert.sdk.certificate.PEMCollection;
import com.venafi.vcert.sdk.certificate.PublicKeyAlgorithm;
import com.venafi.vcert.sdk.certificate.RenewalRequest;
import com.venafi.vcert.sdk.certificate.RevocationRequest;
import com.venafi.vcert.sdk.connectors.Connector;
import com.venafi.vcert.sdk.connectors.Policy;
import com.venafi.vcert.sdk.connectors.ServerPolicy;
import com.venafi.vcert.sdk.connectors.ZoneConfiguration;
import com.venafi.vcert.sdk.connectors.tpp.AbstractTppConnector;
import com.venafi.vcert.sdk.connectors.tpp.Tpp;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.ClearPolicyAttributeRequest;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.CreateDNRequest;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.CreateDNResponse;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.DNIsValidRequest;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.DNIsValidResponse;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.GetPolicyAttributeRequest;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.GetPolicyAttributeResponse;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.GetPolicyRequest;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.GetPolicyResponse;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.SetPolicyAttributeRequest;
import com.venafi.vcert.sdk.connectors.tpp.endpoint.SetPolicyAttributeResponse;
import com.venafi.vcert.sdk.endpoint.Authentication;
import com.venafi.vcert.sdk.endpoint.ConnectorType;
import com.venafi.vcert.sdk.policy.converter.TPPPolicySpecificationConverter;
import com.venafi.vcert.sdk.policy.domain.PolicySpecification;
import com.venafi.vcert.sdk.utils.Is;
import com.venafi.vcert.sdk.utils.VCertUtils;
import feign.Response;
import java.net.InetAddress;
import java.text.MessageFormat;
import java.time.Duration;
import java.time.Instant;
import java.time.OffsetDateTime;
import java.time.temporal.TemporalAmount;
import java.util.ArrayList;
import java.util.Base64;
import java.util.Collection;
import java.util.Collections;
import java.util.HashMap;
import java.util.List;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.stream.Collectors;
import org.apache.commons.lang3.StringUtils;
import org.bouncycastle.util.Strings;

/* loaded from: input_file:WEB-INF/lib/vcert-java-0.6.2.jar:com/venafi/vcert/sdk/connectors/tpp/TppConnector.class */
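/**
 * {@link Connector} implementation for Venafi Trust Protection Platform (TPP).
 *
 * <p>All calls go through the {@code tpp} client inherited from {@link AbstractTppConnector} and
 * carry the session API key obtained by {@link #authenticate(Authentication)}. The key is a bearer
 * credential: it is held in memory only and must never be logged. When a request asks TPP for a
 * service-generated key ({@code CsrOriginOption.ServiceGeneratedCSR} or {@code fetchPrivateKey()}),
 * the private key is produced and stored by TPP and returned in the retrieve response protected
 * by the request's key password, so the response payload is sensitive as well.
 *
 * <p>Instances are not thread-safe: {@code apiKey} and the lazily built {@link TppAPI} adapter are
 * plain fields with no synchronization.
 */
public class TppConnector extends AbstractTppConnector implements Connector {

    /** Seconds to wait between successive retrieve attempts while TPP is still issuing. */
    private static final long RETRY_INTERVAL_SECONDS = 2L;

    /** HTTP status expected from a successful ping. */
    private static final int HTTP_OK = 200;

    /**
     * TPP SubjectAltNames type codes. They follow the X.509 GeneralName tag numbers
     * (RFC 5280 s4.2.1.6): rfc822Name = 1, dNSName = 2, iPAddress = 7.
     */
    private static final int SAN_TYPE_EMAIL = 1;
    private static final int SAN_TYPE_DNS = 2;
    private static final int SAN_TYPE_IP = 7;

    /**
     * Expiry TPP reported for the current API key, recorded by {@link #authenticate(Authentication)}.
     * NOTE(review): nothing in this class consults it before reusing the key, so an expired key is
     * only detected by the server rejecting the call.
     */
    @VisibleForTesting
    OffsetDateTime bestBeforeEnd;
    /** Session API key sent with every TPP call; {@code null} until authenticated. Secret: never log. */
    private String apiKey;
    /** Adapter over {@code tpp} returned by {@link #getTppAPI()}; created on first use. */
    private TppAPI tppAPI;

    /**
     * Creates a connector over the given TPP client.
     *
     * @param tpp the HTTP client for the TPP web API
     */
    public TppConnector(Tpp tpp) {
        super(tpp);
    }

    @Override
    public ConnectorType getType() {
        return ConnectorType.TPP;
    }

    /**
     * Not supported by this connector; the base URL is fixed by the {@code Tpp} client given to the
     * constructor.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public void setBaseUrl(String str) throws VCertException {
        throw new UnsupportedOperationException("Method not yet implemented");
    }

    @Override
    public void setZone(String str) {
        this.zone = str;
    }

    @Override
    public void setVendorAndProductName(String str) {
        this.vendorAndProductName = str;
    }

    @Override
    public String getVendorAndProductName() {
        return this.vendorAndProductName;
    }

    /**
     * Checks that TPP answers the ping endpoint with HTTP 200.
     *
     * @throws VCertException if the response status is anything other than 200
     */
    @Override
    public void ping() throws VCertException {
        // NOTE(review): the feign Response is not closed here; acceptable only if the ping endpoint
        // returns no body worth releasing - confirm against the Tpp client definition.
        Response response = doPing();
        if (response.status() != HTTP_OK) {
            throw new VCertException(String.format("ping failed with status %d and reason %s", response.status(), response.reason()));
        }
    }

    private Response doPing() {
        return this.tpp.ping(this.apiKey);
    }

    /**
     * Exchanges a user name and password for a TPP session API key.
     *
     * <p>Stores the returned key in {@link #apiKey} and its expiry in {@link #bestBeforeEnd}. Only
     * user/password authentication is implemented here.
     *
     * @param authentication credentials; must not be {@code null}
     * @throws VCertException if {@code authentication} is {@code null} or TPP rejects the credentials
     */
    @Override
    public void authenticate(Authentication authentication) throws VCertException {
        VCertException.throwIfNull(authentication, "failed to authenticate: missing credentials");
        AbstractTppConnector.AuthorizeRequest request = new AbstractTppConnector.AuthorizeRequest(authentication.user(), authentication.password());
        AuthorizeResponse response = this.tpp.authorize(request);
        this.apiKey = response.apiKey();
        this.bestBeforeEnd = response.validUntil();
    }

    /**
     * Reads the policy of a TPP zone (a policy folder DN) and converts it into a
     * {@link ZoneConfiguration}.
     *
     * @param str the zone name; resolved to a policy DN by {@code getPolicyDN}
     * @return the zone configuration with its policy and {@code zoneId} populated
     * @throws VCertException if {@code str} is {@code null} or the zone cannot be read
     */
    @Override
    public ZoneConfiguration readZoneConfiguration(String str) throws VCertException {
        VCertException.throwIfNull(str, "empty zone");
        AbstractTppConnector.ReadZoneConfigurationRequest request = new AbstractTppConnector.ReadZoneConfigurationRequest(getPolicyDN(str));
        ServerPolicy serverPolicy = this.tpp.readZoneConfiguration(request, this.apiKey).policy();
        ZoneConfiguration zoneConfiguration = serverPolicy.toZoneConfig();
        zoneConfiguration.policy(serverPolicy.toPolicy());
        zoneConfiguration.zoneId(str);
        return zoneConfiguration;
    }

    /**
     * Prepares a certificate request against the zone's policy: applies zone defaults, then
     * generates or validates the CSR according to the request's {@code csrOrigin}.
     *
     * <p>Zones whose management type is {@code Monitoring} or {@code Unassigned} are rejected up
     * front, and a zone with {@code Manual Csr = 0} refuses both locally generated and user
     * provided CSRs. For {@code ServiceGeneratedCSR} any CSR on the request is discarded because
     * TPP will generate the key pair itself.
     *
     * @param zoneConfiguration the zone to request against; when {@code null} the connector's
     *     configured zone is read from TPP
     * @param certificateRequest the request to prepare; mutated in place
     * @return the same {@code certificateRequest} instance
     * @throws VCertException if the zone policy does not permit the request or the CSR is missing
     */
    @Override
    public CertificateRequest generateRequest(ZoneConfiguration zoneConfiguration, CertificateRequest certificateRequest) throws VCertException {
        ZoneConfiguration config = zoneConfiguration != null ? zoneConfiguration : readZoneConfiguration(this.zone);
        String managementType = config.customAttributeValues().get(TppPolicyConstants.TPP_MANAGEMENT_TYPE);
        if ("Monitoring".equals(managementType) || "Unassigned".equals(managementType)) {
            throw new VCertException("Unable to request certificate from TPP, current TPP configuration would not allow the request to be processed");
        }
        config.applyCertificateRequestDefaultSettingsIfNeeded(certificateRequest);
        // "0" means the policy forbids CSRs that were not produced by TPP itself.
        boolean manualCsrDisabled = "0".equals(config.customAttributeValues().get(TppPolicyConstants.TPP_MANUAL_CSR));
        switch (certificateRequest.csrOrigin()) {
            case LocalGeneratedCSR:
                if (manualCsrDisabled) {
                    throw new VCertException("Unable to request certificate by local generated CSR when zone configuration is 'Manual Csr' = 0");
                }
                certificateRequest.generatePrivateKey();
                certificateRequest.generateCSR();
                break;
            case UserProvidedCSR:
                if (manualCsrDisabled) {
                    throw new VCertException("Unable to request certificate with user provided CSR when zone configuration is 'Manual Csr' = 0");
                }
                if (Is.blank(certificateRequest.csr())) {
                    throw new VCertException("CSR was supposed to be provided by user, but it's empty");
                }
                break;
            case ServiceGeneratedCSR:
                certificateRequest.csr(null);
                break;
            default:
                // Unknown origins fall through untouched, as before; prepareRequest rejects them.
                break;
        }
        return certificateRequest;
    }

    /**
     * Submits a certificate request to the named zone.
     *
     * @see #requestCertificate(CertificateRequest, ZoneConfiguration)
     */
    @Override
    public String requestCertificate(CertificateRequest certificateRequest, String str) throws VCertException {
        return requestCertificate(certificateRequest, new ZoneConfiguration().zoneId(str));
    }

    /**
     * Submits a certificate request to TPP and records the resulting certificate DN as the
     * request's pickup id.
     *
     * @param certificateRequest the prepared request (see {@link #generateRequest})
     * @param zoneConfiguration the target zone; a blank {@code zoneId} falls back to the
     *     connector's configured zone
     * @return the certificate DN assigned by TPP
     * @throws VCertException if the request cannot be built or TPP rejects it
     */
    @Override
    public String requestCertificate(CertificateRequest certificateRequest, ZoneConfiguration zoneConfiguration) throws VCertException {
        if (StringUtils.isBlank(zoneConfiguration.zoneId())) {
            zoneConfiguration.zoneId(this.zone);
        }
        AbstractTppConnector.CertificateRequestsPayload payload = prepareRequest(certificateRequest, zoneConfiguration.zoneId());
        String certificateDN = this.tpp.requestCertificate(payload, this.apiKey).certificateDN();
        certificateRequest.pickupId(certificateDN);
        return certificateDN;
    }

    /**
     * Builds the TPP request payload for a certificate request.
     *
     * @param certificateRequest the prepared request
     * @param zoneId the zone the request is made against
     * @return the payload to post to TPP
     * @throws VCertException if {@code csrOrigin} is not one of the handled options
     */
    private AbstractTppConnector.CertificateRequestsPayload prepareRequest(CertificateRequest certificateRequest, String zoneId) throws VCertException {
        // Raw type kept on purpose: the element type is declared on the superclass payload.
        List caSpecificAttributes = new ArrayList();
        if (!StringUtils.isBlank(this.vendorAndProductName)) {
            caSpecificAttributes.add(new AbstractTppConnector.NameValuePair(HttpHeaders.ORIGIN, this.vendorAndProductName));
        }
        AbstractTppConnector.CertificateRequestsPayload payload = new AbstractTppConnector.CertificateRequestsPayload();
        // Origin-specific fields first so an unexpected origin is rejected before anything else runs.
        switch (certificateRequest.csrOrigin()) {
            case LocalGeneratedCSR:
                // Strings.fromByteArray gives a deterministic byte-to-char mapping; PEM is ASCII.
                payload.pkcs10(Strings.fromByteArray(certificateRequest.csr()));
                break;
            case UserProvidedCSR:
                payload.pkcs10(Strings.fromByteArray(certificateRequest.csr()))
                    .subjectAltNames(wrapAltNames(certificateRequest));
                break;
            case ServiceGeneratedCSR:
                // No CSR: TPP builds the subject from the request fields.
                payload.subject(certificateRequest.subject().commonName())
                    .subjectAltNames(wrapAltNames(certificateRequest));
                break;
            default:
                throw new VCertException(MessageFormat.format("Unexpected option in PrivateKeyOrigin: {0}", certificateRequest.csrOrigin()));
        }
        payload.policyDN(getPolicyDN(zoneId))
            .objectName(certificateRequest.friendlyName())
            .disableAutomaticRenewal(true)
            .origin(this.vendorAndProductName)
            .caSpecificAttributes(caSpecificAttributes);
        if (certificateRequest.keyType() == null) {
            certificateRequest.keyType(KeyType.defaultKeyType());
        }
        switch (certificateRequest.keyType()) {
            case RSA:
                payload.keyAlgorithm(PublicKeyAlgorithm.RSA.name());
                payload.keyBitSize(certificateRequest.keyLength());
                break;
            case ECDSA:
                // TPP names the algorithm "ECC" rather than ECDSA.
                payload.keyAlgorithm("ECC");
                payload.ellipticCurve(certificateRequest.keyCurve().value());
                break;
            default:
                break;
        }
        VCertUtils.addExpirationDateAttribute(certificateRequest, payload);
        VCertUtils.addCustomFieldsToRequest(certificateRequest, payload);
        return payload;
    }

    /**
     * Collects the request's e-mail, DNS and IP subject alternative names into TPP SAN items.
     *
     * @param certificateRequest the source request
     * @return the SAN items, possibly empty, never {@code null}
     */
    private Collection<AbstractTppConnector.SANItem> wrapAltNames(CertificateRequest certificateRequest) {
        List<AbstractTppConnector.SANItem> items = new ArrayList<>();
        items.addAll(toSanItems(certificateRequest.emailAddresses(), SAN_TYPE_EMAIL));
        items.addAll(toSanItems(certificateRequest.dnsNames(), SAN_TYPE_DNS));
        items.addAll(toSanItems(certificateRequest.ipAddresses(), SAN_TYPE_IP));
        return items;
    }

    /**
     * Converts a collection of SAN values into TPP SAN items of one type.
     *
     * @param values the values; {@code null} is treated as empty and {@code null} elements are skipped
     * @param sanType one of the {@code SAN_TYPE_*} codes
     * @return the SAN items in input order
     */
    private List<AbstractTppConnector.SANItem> toSanItems(Collection<?> values, int sanType) {
        Collection<?> safeValues = values != null ? values : Collections.emptyList();
        return safeValues.stream()
            .filter(Objects::nonNull)
            .map(value -> new AbstractTppConnector.SANItem().type(sanType).name(sanItemName(value, sanType)))
            .collect(Collectors.toList());
    }

    /** Textual form of one SAN value; IP values are expected to be {@link InetAddress} instances. */
    private static String sanItemName(Object value, int sanType) {
        return sanType == SAN_TYPE_IP ? ((InetAddress) value).getHostAddress() : value.toString();
    }

    /**
     * Fetches an issued certificate from TPP, polling until it is available or the request's
     * timeout elapses.
     *
     * <p>The private key is requested from TPP only when the request asked TPP to generate it
     * ({@code ServiceGeneratedCSR}) or explicitly set {@code fetchPrivateKey}; it comes back
     * protected by the request's key password. The returned certificate is checked against the
     * request via {@code checkCertificate} before it is handed out.
     *
     * @param certificateRequest the request; its {@code pickupId} (certificate DN) identifies the
     *     certificate, and a {@code timeout} of {@link Duration#ZERO} disables polling
     * @return the certificate, chain (per {@code chainOption}) and, when requested, private key
     * @throws VCertException if the thumbprint lookup is ambiguous, the certificate is not ready
     *     and polling is disabled, the timeout elapses, or the wait is interrupted
     */
    @Override
    public PEMCollection retrieveCertificate(CertificateRequest certificateRequest) throws VCertException {
        boolean includeChain = certificateRequest.chainOption() != ChainOption.ChainOptionIgnore;
        boolean rootFirstOrder = includeChain && certificateRequest.chainOption() == ChainOption.ChainOptionRootFirst;
        // NOTE(review): the lookup runs only when BOTH pickupId and thumbprint are set, so a
        // thumbprint-only request reaches TPP with a null certificateDN, while a request carrying
        // both has its pickupId replaced by the search result. An isBlank(pickupId) &&
        // isNotBlank(thumbprint) condition may have been intended - confirm before changing.
        if (StringUtils.isNotBlank(certificateRequest.pickupId()) && StringUtils.isNotBlank(certificateRequest.thumbprint())) {
            Tpp.CertificateSearchResponse search = searchCertificatesByFingerprint(certificateRequest.thumbprint());
            if (search.certificates().size() == 0) {
                throw new VCertException(String.format("No certificate found using fingerprint %s", certificateRequest.thumbprint()));
            }
            if (search.certificates().size() > 1) {
                throw new VCertException(String.format("Error: more than one CertificateRequestId was found with the same thumbprint %s", certificateRequest.thumbprint()));
            }
            certificateRequest.pickupId(search.certificates().get(0).certificateRequestId());
        }
        AbstractTppConnector.CertificateRetrieveRequest retrieveRequest = new AbstractTppConnector.CertificateRetrieveRequest()
            .certificateDN(certificateRequest.pickupId())
            .format("base64")
            .rootFirstOrder(rootFirstOrder)
            .includeChain(includeChain);
        if (certificateRequest.csrOrigin() == CsrOriginOption.ServiceGeneratedCSR || certificateRequest.fetchPrivateKey()) {
            // The key material is held by TPP; it is returned wrapped with the request's password.
            retrieveRequest.includePrivateKey(true);
            retrieveRequest.password(certificateRequest.keyPassword());
        }
        Instant startedAt = Instant.now();
        while (true) {
            Tpp.CertificateRetrieveResponse response = retrieveCertificateOnce(retrieveRequest);
            if (StringUtils.isNotBlank(response.certificateData())) {
                String pem = Strings.fromByteArray(Base64.getDecoder().decode(response.certificateData()));
                PEMCollection collection = PEMCollection.fromResponse(pem, certificateRequest.chainOption(), certificateRequest.privateKey(), certificateRequest.keyPassword());
                // Reject a certificate that does not correspond to what was requested.
                certificateRequest.checkCertificate(collection.certificate());
                return collection;
            }
            if (Duration.ZERO.equals(certificateRequest.timeout())) {
                throw new VCertException(String.format("Failed to retrieve certificate %s. Status %s", certificateRequest.pickupId(), response.status()));
            }
            if (Instant.now().isAfter(startedAt.plus((TemporalAmount) certificateRequest.timeout()))) {
                throw new VCertException(String.format("Timeout trying to retrieve certificate %s", certificateRequest.pickupId()));
            }
            sleepBeforeRetry();
        }
    }

    /**
     * Pauses between retrieve attempts.
     *
     * @throws VCertException if the thread is interrupted; the interrupt flag is restored first
     */
    private static void sleepBeforeRetry() throws VCertException {
        try {
            TimeUnit.SECONDS.sleep(RETRY_INTERVAL_SECONDS);
        } catch (InterruptedException e) {
            // Re-assert the interrupt so the caller's thread still sees it after we bail out.
            Thread.currentThread().interrupt();
            throw new VCertException("Error attempting to retry", e);
        }
    }

    private Tpp.CertificateRetrieveResponse retrieveCertificateOnce(AbstractTppConnector.CertificateRetrieveRequest certificateRetrieveRequest) {
        return this.tpp.certificateRetrieve(certificateRetrieveRequest, this.apiKey);
    }

    /** Searches TPP for certificates whose thumbprint (SHA-1 fingerprint as TPP stores it) matches. */
    private Tpp.CertificateSearchResponse searchCertificatesByFingerprint(String thumbprint) {
        Map<String, String> query = new HashMap<>();
        query.put("Thumbprint", thumbprint);
        return searchCertificates(query);
    }

    private Tpp.CertificateSearchResponse searchCertificates(Map<String, String> map) {
        return this.tpp.searchCertificates(map, this.apiKey);
    }

    /**
     * Revokes a certificate identified by DN or thumbprint.
     *
     * @param revocationRequest the revocation details; {@code reason} must be one of the keys of
     *     {@code revocationReasons}
     * @throws VCertException if the reason is unknown or TPP reports a failure
     */
    @Override
    public void revokeCertificate(RevocationRequest revocationRequest) throws VCertException {
        Integer reasonCode = revocationReasons.get(revocationRequest.reason());
        if (reasonCode == null) {
            throw new VCertException(String.format("could not parse revocation reason `%s`", revocationRequest.reason()));
        }
        AbstractTppConnector.CertificateRevokeRequest revokeRequest = new AbstractTppConnector.CertificateRevokeRequest()
            .certificateDN(revocationRequest.certificateDN())
            .thumbprint(revocationRequest.thumbprint())
            .reason(reasonCode)
            .comments(revocationRequest.comments())
            .disable(revocationRequest.disable());
        Tpp.CertificateRevokeResponse response = revokeCertificate(revokeRequest);
        if (!response.success()) {
            throw new VCertException(String.format("Revocation error: %s", response.error()));
        }
    }

    private Tpp.CertificateRevokeResponse revokeCertificate(AbstractTppConnector.CertificateRevokeRequest certificateRevokeRequest) {
        return this.tpp.revokeCertificate(certificateRevokeRequest, this.apiKey);
    }

    /**
     * Renews a certificate, locating it by thumbprint when no certificate DN was given.
     *
     * @param renewalRequest the renewal details; a nested request with a non-empty CSR is sent as
     *     the PKCS#10 for the renewal
     * @return the DN of the renewed certificate
     * @throws VCertException if neither DN nor thumbprint identifies exactly one certificate, or
     *     TPP reports a failure
     */
    @Override
    public String renewCertificate(RenewalRequest renewalRequest) throws VCertException {
        String certificateDN;
        if (StringUtils.isNotBlank(renewalRequest.thumbprint()) && StringUtils.isBlank(renewalRequest.certificateDN())) {
            Tpp.CertificateSearchResponse search = searchCertificatesByFingerprint(renewalRequest.thumbprint());
            if (search.certificates().isEmpty()) {
                throw new VCertException(String.format("No certificate found using fingerprint %s", renewalRequest.thumbprint()));
            }
            if (search.certificates().size() > 1) {
                throw new VCertException("More than one certificate was found with the same thumbprint");
            }
            certificateDN = search.certificates().get(0).certificateRequestId();
        } else {
            certificateDN = renewalRequest.certificateDN();
        }
        if (certificateDN == null) {
            throw new VCertException("Failed to create renewal request: CertificateDN or Thumbprint required");
        }
        AbstractTppConnector.CertificateRenewalRequest renewal = new AbstractTppConnector.CertificateRenewalRequest();
        renewal.certificateDN(certificateDN);
        if (renewalRequest.request() != null && renewalRequest.request().csr().length > 0) {
            renewal.PKCS10(Strings.fromByteArray(renewalRequest.request().csr()));
        }
        Tpp.CertificateRenewalResponse response = this.tpp.renewCertificate(renewal, apiKey());
        if (!response.success()) {
            throw new VCertException(String.format("Certificate renewal error: %s", response.error()));
        }
        return certificateDN;
    }

    /**
     * Imports an existing certificate into TPP, defaulting the policy DN to the connector's zone.
     *
     * @param importRequest the certificate to import; {@code policyDN} is filled in when blank
     * @return TPP's import response
     * @throws VCertException if the zone cannot be resolved to a policy DN
     */
    @Override
    public ImportResponse importCertificate(ImportRequest importRequest) throws VCertException {
        if (StringUtils.isBlank(importRequest.policyDN())) {
            importRequest.policyDN(getPolicyDN(this.zone));
        }
        return doImportCertificate(importRequest);
    }

    private ImportResponse doImportCertificate(ImportRequest importRequest) {
        return this.tpp.importCertificate(importRequest, this.apiKey);
    }

    /**
     * Not supported by this connector; use {@link #getPolicy(String)} instead.
     *
     * @throws UnsupportedOperationException always
     */
    @Override
    public Policy readPolicyConfiguration(String str) throws VCertException {
        throw new UnsupportedOperationException("Method not yet implemented");
    }

    /**
     * Converts a {@link PolicySpecification} to TPP form and applies it to the named policy.
     *
     * @throws VCertException wrapping any failure of the conversion or the TPP calls
     */
    @Override
    public void setPolicy(String str, PolicySpecification policySpecification) throws VCertException {
        try {
            setPolicy(str, TPPPolicySpecificationConverter.INSTANCE.convertFromPolicySpecification(policySpecification));
        } catch (Exception e) {
            // Converter and TPP failures of any type surface as VCertException to callers.
            throw new VCertException(e);
        }
    }

    /**
     * Reads the named TPP policy and converts it to a {@link PolicySpecification}.
     *
     * @throws VCertException wrapping any failure of the TPP calls or the conversion
     */
    @Override
    public PolicySpecification getPolicy(String str) throws VCertException {
        try {
            return TPPPolicySpecificationConverter.INSTANCE.convertToPolicySpecification(getTPPPolicy(str));
        } catch (Exception e) {
            throw new VCertException(e);
        }
    }

    /**
     * Returns the {@link TppAPI} adapter, creating it on first call. Each adapter method resolves
     * the current session key through {@code getAuthKey()}, which refuses to run unauthenticated.
     * Creation is unsynchronized, so concurrent first calls may each build their own adapter.
     */
    @Override
    protected TppAPI getTppAPI() {
        if (this.tppAPI == null) {
            this.tppAPI = new TppAPI(this.tpp) {
                @Override
                String getAuthKey() throws VCertException {
                    String key = TppConnector.this.apiKey();
                    if (key == null) {
                        throw new VCertException("API Key is null");
                    }
                    return key;
                }

                @Override
                public DNIsValidResponse dnIsValid(DNIsValidRequest dNIsValidRequest) throws VCertException {
                    return this.tpp.dnIsValid(dNIsValidRequest, getAuthKey());
                }

                @Override
                public CreateDNResponse createDN(CreateDNRequest createDNRequest) throws VCertException {
                    return this.tpp.createDN(createDNRequest, getAuthKey());
                }

                @Override
                public SetPolicyAttributeResponse setPolicyAttribute(SetPolicyAttributeRequest setPolicyAttributeRequest) throws VCertException {
                    return this.tpp.setPolicyAttribute(setPolicyAttributeRequest, getAuthKey());
                }

                @Override
                GetPolicyAttributeResponse getPolicyAttribute(GetPolicyAttributeRequest getPolicyAttributeRequest) throws VCertException {
                    return this.tpp.getPolicyAttribute(getPolicyAttributeRequest, getAuthKey());
                }

                @Override
                public GetPolicyResponse getPolicy(GetPolicyRequest getPolicyRequest) throws VCertException {
                    return this.tpp.getPolicy(getPolicyRequest, getAuthKey());
                }

                @Override
                public Response clearPolicyAttribute(ClearPolicyAttributeRequest clearPolicyAttributeRequest) throws VCertException {
                    return this.tpp.clearPolicyAttribute(clearPolicyAttributeRequest, getAuthKey());
                }
            };
        }
        return this.tppAPI;
    }

    /**
     * Returns the current session API key, or {@code null} before {@link #authenticate}.
     * The value is a credential; do not log or persist it.
     */
    public String apiKey() {
        return this.apiKey;
    }
}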
