package se.arkalix.internal.net.http.client;

import io.netty.bootstrap.Bootstrap;
import io.netty.handler.ssl.ClientAuth;
import io.netty.handler.ssl.SslContext;
import io.netty.handler.ssl.SslContextBuilder;
import java.net.InetSocketAddress;
import java.security.PrivateKey;
import java.security.cert.Certificate;
import java.util.Map;
import java.util.Objects;
import java.util.Optional;
import java.util.WeakHashMap;
import javax.net.ssl.SSLException;
import se.arkalix.ArSystem;
import se.arkalix.internal.security.identity.X509Certificates;
import se.arkalix.internal.util.concurrent.FutureCompletion;
import se.arkalix.internal.util.concurrent.NettyFutures;
import se.arkalix.internal.util.concurrent.NettyScheduler;
import se.arkalix.net.http.client.HttpClient;
import se.arkalix.net.http.client.HttpClientConnection;
import se.arkalix.security.SecurityException;
import se.arkalix.security.identity.OwnedIdentity;
import se.arkalix.security.identity.TrustStore;
import se.arkalix.util.concurrent.Future;
import se.arkalix.util.concurrent.Schedulers;

/* loaded from: input_file:se/arkalix/internal/net/http/client/NettyHttpClient.class */
public class NettyHttpClient implements HttpClient {
    private static final Map<ArSystem, NettyHttpClient> cache = new WeakHashMap();
    private static NettyHttpClient http = null;
    private static NettyHttpClient https = null;
    private final Bootstrap bootstrap;
    private final InetSocketAddress localSocketAddress;
    private final SslContext sslContext;

    /* loaded from: input_file:se/arkalix/internal/net/http/client/NettyHttpClient$Builder.class */
    public static class Builder {
        private InetSocketAddress localSocketAddress;
        private Certificate[] certificateChain;
        private PrivateKey privateKey;
        private Certificate[] trustedCertificates;
        private boolean isSecure = true;

        public final void localSocketAddress(InetSocketAddress inetSocketAddress) {
            this.localSocketAddress = inetSocketAddress;
        }

        public final void identity(OwnedIdentity ownedIdentity) {
            identity(ownedIdentity.chain(), ownedIdentity.privateKey());
        }

        public final void identity(Certificate[] certificateArr, PrivateKey privateKey) {
            this.certificateChain = certificateArr;
            this.privateKey = privateKey;
        }

        public final void trustStore(TrustStore trustStore) {
            trustStore(trustStore.certificates());
        }

        public final void trustStore(Certificate[] certificateArr) {
            this.trustedCertificates = certificateArr;
        }

        public final void insecure() {
            this.isSecure = false;
        }

        public NettyHttpClient build() {
            return new NettyHttpClient(this);
        }
    }

    public NettyHttpClient(Builder builder) {
        NettyScheduler nettyScheduler = (NettyScheduler) Schedulers.fixed();
        this.bootstrap = new Bootstrap().group(nettyScheduler.eventLoopGroup()).channel(nettyScheduler.socketChannelClass());
        this.localSocketAddress = builder.localSocketAddress;
        if (!builder.isSecure) {
            if (builder.certificateChain != null) {
                throw new IllegalArgumentException("HTTP client using secure transport; certificate chain not expected");
            }
            if (builder.privateKey != null) {
                throw new IllegalArgumentException("HTTP client using secure transport; private key not expected");
            }
            if (builder.trustedCertificates != null) {
                throw new IllegalArgumentException("HTTP client using secure transport; trust store not expected");
            }
            this.sslContext = null;
            return;
        }
        SslContextBuilder startTls = SslContextBuilder.forClient().trustManager((builder.trustedCertificates == null || builder.trustedCertificates.length <= 0) ? null : X509Certificates.castOrThrow(builder.trustedCertificates, (num, certificate) -> {
            return new IllegalArgumentException("Certificate at index " + num + " of given trust store is not a X509Certificate; cannot use trust store");
        })).startTls(false);
        if (builder.certificateChain != null) {
            if (builder.privateKey == null) {
                throw new IllegalArgumentException("A certificate chain was provided without a private key");
            }
            startTls.keyManager(builder.privateKey, X509Certificates.castOrThrow(builder.certificateChain, (num2, certificate2) -> {
                return new IllegalArgumentException("Certificate at index " + num2 + " of given certificate chain is not a X509Certificate; cannot use certificate chain");
            })).clientAuth(ClientAuth.REQUIRE);
        } else if (builder.privateKey != null) {
            throw new IllegalArgumentException("A private key was provided without a certificate chain");
        }
        try {
            this.sslContext = startTls.build();
        } catch (SSLException e) {
            throw new SecurityException("Failed to create SSL context for HttpClient", e);
        }
    }

    public static synchronized NettyHttpClient from(ArSystem arSystem) {
        NettyHttpClient nettyHttpClient = cache.get(arSystem);
        if (nettyHttpClient != null) {
            return nettyHttpClient;
        }
        Builder builder = new Builder();
        if (arSystem.isSecure()) {
            builder.identity(arSystem.identity());
            builder.trustStore(arSystem.trustStore());
        } else {
            builder.insecure();
        }
        builder.localSocketAddress(new InetSocketAddress(arSystem.address(), 0));
        NettyHttpClient build = builder.build();
        cache.put(arSystem, build);
        return build;
    }

    @Override // se.arkalix.net.http.client.HttpClient
    public boolean isSecure() {
        return this.sslContext != null;
    }

    @Override // se.arkalix.net.http.client.HttpClient
    public Optional<InetSocketAddress> localSocketAddress() {
        return Optional.ofNullable(this.localSocketAddress);
    }

    public static synchronized NettyHttpClient insecure() {
        if (http == null) {
            http = new Builder().build();
        }
        return http;
    }

    public static synchronized NettyHttpClient secure() {
        if (https == null) {
            https = new Builder().build();
        }
        return https;
    }

    @Override // se.arkalix.net.http.client.HttpClient
    public Future<HttpClientConnection> connect(InetSocketAddress inetSocketAddress, InetSocketAddress inetSocketAddress2) {
        Objects.requireNonNull(inetSocketAddress, "Expected remoteSocketAddress");
        FutureCompletion futureCompletion = new FutureCompletion();
        return NettyFutures.adapt(this.bootstrap.clone().handler(new NettyHttpClientConnectionInitializer(futureCompletion, this.sslContext)).connect(inetSocketAddress, inetSocketAddress2 != null ? inetSocketAddress2 : this.localSocketAddress)).flatMap(channel -> {
            return futureCompletion;
        });
    }
}
