package io.gravitee.node.kubernetes.keystoreloader;

import io.gravitee.common.util.KeyStoreUtils;
import io.gravitee.kubernetes.client.KubernetesClient;
import io.gravitee.kubernetes.client.api.ResourceQuery;
import io.gravitee.kubernetes.client.api.WatchQuery;
import io.gravitee.kubernetes.client.model.v1.Secret;
import io.gravitee.node.api.certificate.KeyStoreLoaderOptions;
import io.reactivex.rxjava3.core.Completable;
import io.reactivex.rxjava3.core.Flowable;
import io.reactivex.rxjava3.schedulers.Schedulers;
import java.nio.charset.StandardCharsets;
import java.security.KeyStore;
import java.util.Arrays;
import java.util.Base64;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;
import java.util.concurrent.TimeUnit;
import java.util.regex.Matcher;
import java.util.regex.Pattern;
import java.util.stream.Collectors;

/* loaded from: input_file:io/gravitee/node/kubernetes/keystoreloader/KubernetesSecretKeyStoreLoader.class */
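/**
 * Builds Java {@link KeyStore}s from Kubernetes secrets and keeps them current by watching the
 * secrets for modifications.
 *
 * <p>Two secret types are accepted: {@code kubernetes.io/tls} (PEM certificate and key under
 * {@code tls.crt} / {@code tls.key}) and {@code Opaque} (a JKS or PKCS12 keystore stored under a
 * data key named by the configured location).
 *
 * <p>This listing is decompiler output. Raw-type casts the decompiler left behind have been
 * removed; generic type arguments on the client calls are not visible here and are left as found.
 *
 * <p>Error messages built in this class carry only secret names, types and data keys, never
 * secret values or the keystore password.
 */
public class KubernetesSecretKeyStoreLoader extends AbstractKubernetesKeyStoreLoader<Secret> {
    /** Keystore types this loader accepts, in lower case for case-insensitive lookup. */
    private static final List<String> SUPPORTED_TYPES = List.of("jks", "pem", "pkcs12");

    /** Any location that addresses a secret: {@code <prefix>/secrets/<rest>}. */
    private static final Pattern SECRET_PATTERN = Pattern.compile("^(.*)/secrets/(.*)$");

    /** A secret location followed by a data key; group 1 is the location without the key. */
    private static final Pattern SECRET_OPAQUE_PATTERN = Pattern.compile("^(.*/secrets/[^/]*)/.*$");

    /** Delay before a failed watch is re-subscribed. */
    private static final long WATCH_RETRY_DELAY_MS = 10_000L;

    private static final String PEM_KEYSTORE_TYPE = "PEM";
    private static final String MODIFIED_EVENT = "MODIFIED";

    protected static final String KUBERNETES_TLS_SECRET = "kubernetes.io/tls";
    protected static final String KUBERNETES_OPAQUE_SECRET = "Opaque";
    protected static final String KUBERNETES_TLS_CRT = "tls.crt";
    protected static final String KUBERNETES_TLS_KEY = "tls.key";

    /**
     * Creates the loader and registers one resource query per configured Kubernetes location.
     *
     * @param keyStoreLoaderOptions keystore type, password and Kubernetes locations
     * @param kubernetesClient client used to read and watch the secrets
     */
    public KubernetesSecretKeyStoreLoader(KeyStoreLoaderOptions keyStoreLoaderOptions, KubernetesClient kubernetesClient) {
        super(keyStoreLoaderOptions, kubernetesClient);
        prepareLocations();
    }

    /**
     * Registers a query for every configured location. A location that carries a data key
     * ({@code .../secrets/<name>/<key>}) is registered under the secret's own path, so that the
     * secret is fetched and watched as a whole while the query keeps the key.
     */
    private void prepareLocations() {
        for (String location : this.options.getKubernetesLocations()) {
            final Matcher withDataKey = SECRET_OPAQUE_PATTERN.matcher(location);
            final String secretPath = withDataKey.matches() ? withDataKey.group(1) : location;
            this.resources.put(secretPath, ResourceQuery.from(location).build());
        }
    }

    /**
     * Tells whether this loader supports the given options.
     *
     * @param keyStoreLoaderOptions options to inspect
     * @return {@code true} when at least one location is configured, every location addresses a
     *     secret, and the keystore type is JKS, PEM or PKCS12 (case-insensitive); {@code false}
     *     otherwise, including when no keystore type is set
     */
    public static boolean canHandle(KeyStoreLoaderOptions keyStoreLoaderOptions) {
        final List<String> locations = keyStoreLoaderOptions.getKubernetesLocations();
        final String keyStoreType = keyStoreLoaderOptions.getKeyStoreType();
        if (locations == null || locations.isEmpty() || keyStoreType == null) {
            // A missing type cannot be handled; report that instead of failing with an NPE.
            return false;
        }
        // Locale.ROOT keeps the comparison independent of the JVM's default locale.
        return SUPPORTED_TYPES.contains(keyStoreType.toLowerCase(Locale.ROOT))
            && locations.stream().allMatch(location -> SECRET_PATTERN.matcher(location).matches());
    }

    /**
     * Fetches every registered secret, loads a keystore from each, then refreshes the keystore
     * bundle once all loads have completed.
     *
     * @return a completable that fails if any secret cannot be fetched or loaded
     */
    @Override
    protected Completable init() {
        final List<Completable> initialLoads = this.resources
            .keySet()
            .stream()
            .map(location ->
                this.kubernetesClient.get(ResourceQuery.from(location).build())
                    .observeOn(Schedulers.computation())
                    .flatMapCompletable(this::loadKeyStore)
            )
            .collect(Collectors.toList());

        return Completable
            .merge(initialLoads)
            .observeOn(Schedulers.computation())
            .andThen(Completable.fromRunnable(this::refreshKeyStoreBundle));
    }

    /**
     * Watches every registered secret and emits the secret each time it is modified. A watch
     * that completes is repeated, and one that fails is retried after a fixed delay.
     *
     * <p>Only {@code MODIFIED} events are forwarded; other event types are dropped.
     * NOTE(review): keystores are stored by secret UID, so a secret that is deleted and
     * re-created gets a new UID and is not reloaded through this watch. Confirm whether the
     * superclass evicts the previous entry; otherwise the old certificate stays loaded.
     *
     * @return the modified secrets
     */
    @Override
    protected Flowable<Secret> watch() {
        // The event type of the client is not imported in this file, hence the inferred type.
        final var watches = this.resources
            .keySet()
            .stream()
            .map(location ->
                this.kubernetesClient.watch(WatchQuery.from(location).build())
                    .observeOn(Schedulers.computation())
                    .repeat()
                    .retryWhen(errors -> errors.delay(WATCH_RETRY_DELAY_MS, TimeUnit.MILLISECONDS))
            )
            .collect(Collectors.toList());

        return Flowable
            .merge(watches)
            // Constant-first comparison: an event without a type is skipped, not an NPE.
            .filter(event -> MODIFIED_EVENT.equalsIgnoreCase(event.getType()))
            .map(event -> event.getObject());
    }

    /**
     * Builds a keystore from the given secret and stores it under the secret's UID.
     *
     * <p>The keystore is built when this method is called, not when the returned completable is
     * subscribed. Failures raised by Base64 decoding or by {@link KeyStoreUtils} propagate as
     * exceptions, as before.
     *
     * <p>Decompiler note: JADX widened this method from {@code protected} to {@code public}.
     *
     * @param secret the secret to load; its type must be {@code kubernetes.io/tls} or
     *     {@code Opaque}
     * @return a completed completable on success, or one failing with
     *     {@link IllegalArgumentException} when the secret type is unsupported, PEM is requested
     *     from an opaque secret, the secret matches no configured location, no data key is
     *     configured, or the expected data entries are missing
     */
    @Override
    public Completable loadKeyStore(Secret secret) {
        final String secretType = secret.getType();
        final KeyStore keyStore;

        if (KUBERNETES_TLS_SECRET.equals(secretType)) {
            final String encodedCertificate = dataValue(secret, KUBERNETES_TLS_CRT);
            final String encodedPrivateKey = dataValue(secret, KUBERNETES_TLS_KEY);
            if (encodedCertificate == null || encodedPrivateKey == null) {
                return Completable.error(
                    new IllegalArgumentException(
                        String.format(
                            "TLS secret [%s] must contain both [%s] and [%s].",
                            secret.getMetadata().getName(),
                            KUBERNETES_TLS_CRT,
                            KUBERNETES_TLS_KEY
                        )
                    )
                );
            }
            // The decoded private key is held in a String because initFromPem is called with
            // Strings; it must never be logged or placed in an exception message.
            keyStore =
                KeyStoreUtils.initFromPem(
                    decodeBase64(encodedCertificate),
                    decodeBase64(encodedPrivateKey),
                    this.options.getKeyStorePassword(),
                    secret.getMetadata().getName()
                );
        } else if (KUBERNETES_OPAQUE_SECRET.equals(secretType)) {
            if (PEM_KEYSTORE_TYPE.equalsIgnoreCase(this.options.getKeyStoreType())) {
                return Completable.error(
                    new IllegalArgumentException("Pem format is not supported with opaque secret, use kubernetes tls secret instead.")
                );
            }

            // The secret is known to be Opaque here, so the query's own type is not compared:
            // namespace and name identify the configured location.
            final var matchingQuery = this.resources
                .values()
                .stream()
                .filter(query ->
                    query.getNamespace().equalsIgnoreCase(secret.getMetadata().getNamespace())
                        && query.getResource().equalsIgnoreCase(secret.getMetadata().getName())
                )
                .findFirst();
            if (matchingQuery.isEmpty()) {
                return Completable.error(new IllegalArgumentException("Unable to load keystore: unknown secret."));
            }

            final String dataKey = matchingQuery.get().getResourceKey();
            if (dataKey == null || dataKey.isEmpty()) {
                return Completable.error(
                    new IllegalArgumentException(
                        "You must specify a data when using opaque secret (ex: /my-namespace/secrets/my-secret/my-keystore)."
                    )
                );
            }

            final String keyStoreContent = dataValue(secret, dataKey);
            if (keyStoreContent == null) {
                return Completable.error(
                    new IllegalArgumentException(
                        String.format("Opaque secret [%s] has no data entry [%s].", secret.getMetadata().getName(), dataKey)
                    )
                );
            }
            // The value is handed over as stored, without Base64 decoding in this class.
            // NOTE(review): presumably initFromContent decodes it itself; confirm.
            keyStore = KeyStoreUtils.initFromContent(this.options.getKeyStoreType(), keyStoreContent, this.options.getKeyStorePassword());
        } else {
            return Completable.error(new IllegalArgumentException(String.format("Invalid secret type [%s]", secretType)));
        }

        this.keyStoresByLocation.put(secret.getMetadata().getUid(), keyStore);
        return Completable.complete();
    }

    /**
     * Reads one entry of the secret's data map.
     *
     * @return the entry, or {@code null} when the secret has no data or no such entry
     */
    private static String dataValue(Secret secret, String key) {
        // Wildcards because the map's declared type arguments are not visible in this listing;
        // the cast to String is the one the decompiled code already performed.
        final Map<?, ?> data = secret.getData();
        return data == null ? null : (String) data.get(key);
    }

    /** Decodes a Base64 value to text with an explicit charset instead of the platform default. */
    private static String decodeBase64(String encoded) {
        return new String(Base64.getDecoder().decode(encoded), StandardCharsets.UTF_8);
    }
}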
