package org.jfrog.access.client;

import java.security.cert.Certificate;
import java.util.Objects;
import java.util.concurrent.TimeUnit;
import javax.annotation.Nonnull;
import javax.annotation.Nullable;
import org.jfrog.access.client.confstore.AccessClientConfigStore;
import org.jfrog.access.client.token.TokenRequest;
import org.jfrog.access.common.ServiceId;
import org.jfrog.access.version.AccessVersion;
import org.slf4j.Logger;
import org.slf4j.LoggerFactory;

/* loaded from: input_file:org/jfrog/access/client/AccessClientBootstrap.class */
/**
 * Bootstraps an {@link AccessClient} for a service: records the client version, pins the
 * access server's root certificate in the config store, and makes sure a service admin
 * token is stored (minting one from bootstrap credentials when none is present or the
 * stored one fails verification).
 *
 * <p>All of this work happens in the constructor; a failure in the certificate or token
 * creation step surfaces as a {@link RuntimeException}.
 */
public class AccessClientBootstrap {
    private static final Logger log = LoggerFactory.getLogger(AccessClientBootstrap.class);

    /**
     * Lifetime, in seconds, requested for the service admin token: 10950 days.
     *
     * <p>NOTE(review): combined with {@code nonRefreshable()} below, this makes the stored
     * admin token a very long-lived credential; its protection at rest depends entirely on
     * the {@link AccessClientConfigStore} implementation, which is not visible here.
     */
    public static final long SERVICE_ADMIN_TOKEN_EXPIRY = TimeUnit.DAYS.toSeconds(10950);

    private final AccessClientConfigStore configStore;
    private final ServiceId serviceId;
    private AccessClient accessClient;

    /**
     * Bootstraps using a client built from the config store's own client builder.
     *
     * @param accessClientConfigStore store for the certificate, token and credentials; required
     */
    public AccessClientBootstrap(@Nonnull AccessClientConfigStore accessClientConfigStore) {
        this(accessClientConfigStore, null);
    }

    /**
     * Bootstraps using the supplied client, or a newly built one when {@code accessClient}
     * is {@code null}.
     *
     * @param accessClientConfigStore store for the certificate, token and credentials; required
     * @param accessClient client to use, or {@code null} to build one from the store
     * @throws NullPointerException if {@code accessClientConfigStore} is {@code null}
     * @throws RuntimeException if the root certificate cannot be fetched/saved or the admin
     *     token cannot be created
     */
    public AccessClientBootstrap(@Nonnull AccessClientConfigStore accessClientConfigStore, @Nullable AccessClient accessClient) {
        this.configStore = Objects.requireNonNull(accessClientConfigStore, "Access client config store is required");
        this.configStore.storeAccessClientVersion(AccessVersion.current());
        this.serviceId = accessClientConfigStore.getServiceId();
        if (accessClient == null) {
            this.accessClient = accessClientConfigStore.newClientBuilder().create();
        } else {
            this.accessClient = accessClient;
        }
        // Order matters: the certificate is installed on the client before any token call.
        fetchAndSaveAccessRootCertificate();
        bootstrapServiceAdminToken();
    }

    /**
     * Returns the client held by this bootstrap. After a new admin token has been created
     * this is the client re-bound to that token.
     */
    public AccessClient getAccessClient() {
        return this.accessClient;
    }

    /**
     * Fetches the server's root certificate with no authentication, persists it when it is
     * new or different from the stored one, and installs it on the client.
     *
     * <p>NOTE(review): this is trust-on-first-use, and a changed certificate is accepted
     * and overwrites the stored one with only an INFO log line. Whether the fetch itself
     * runs over an authenticated channel cannot be determined from this class. Operators
     * may want to alert on the "root certificate changed" message.
     */
    private void fetchAndSaveAccessRootCertificate() {
        try {
            Certificate fetched = this.accessClient.useAuth((AccessAuth) null).cert().getRootCertificate();
            if (this.configStore.isRootCertificateExists()) {
                boolean sameAsStored = this.configStore.getRootCertificate().equals(fetched);
                if (!sameAsStored) {
                    log.info("*** Detected root certificate changed ***");
                    this.configStore.storeRootCertificate(fetched);
                }
            } else {
                this.configStore.storeRootCertificate(fetched);
            }
            this.accessClient.updateRootCertificate(fetched);
        } catch (Exception e) {
            throw new RuntimeException("Failed to fetch and save root certificate from the access server.", e);
        }
    }

    /**
     * Ensures an admin token is stored: an existing token is verified first (and revoked if
     * verification fails), then a new one is created when the store holds none.
     */
    private void bootstrapServiceAdminToken() {
        if (this.configStore.isAdminTokenExists()) {
            revokeServiceAdminTokenIfInvalid();
        }
        // Re-check: the verification step above may have revoked the stored token.
        if (!this.configStore.isAdminTokenExists()) {
            createAndStoreServiceAdminToken();
        }
    }

    /**
     * Creates a non-refreshable admin token for this service using the bootstrap admin
     * credentials, stores it, discards the bootstrap credentials, and re-binds the client
     * to the new token.
     *
     * <p>NOTE(review): when the store has no bootstrap credentials this falls back to the
     * hard-coded pair {@code admin} / {@code password}. That only succeeds against a server
     * whose admin account still has those defaults; the WARN line below is the only signal
     * that the fallback was used.
     *
     * @throws RuntimeException wrapping any failure while reading credentials, requesting
     *     the token, or storing it
     */
    private void createAndStoreServiceAdminToken() {
        final String adminUser;
        final String adminPassword;
        try {
            if (!this.configStore.isBootstrapAdminCredentialsExist()) {
                log.warn("Access admin credentials not found, using default admin credentials.");
                adminUser = "admin";
                adminPassword = "password";
            } else {
                // Index 0 is used as the user name and index 1 as the password.
                String[] stored = this.configStore.getBootstrapAdminCredentials();
                adminUser = stored[0];
                adminPassword = stored[1];
            }

            TokenRequest.Builder builder = TokenRequest.builder();
            // Scopes requested: "<serviceId>:admin" and "<serviceType>@*:token".
            builder.nonRefreshable()
                    .subject(this.serviceId.getFormattedName())
                    .expiresIn(Long.valueOf(SERVICE_ADMIN_TOKEN_EXPIRY))
                    .scopes(this.serviceId + ":admin", new String[]{this.serviceId.getServiceType() + "@*:token"});

            String tokenValue = this.accessClient
                    .useAuth(new AccessAuthCredentials(adminUser, adminPassword))
                    .token()
                    .create(builder.build())
                    .getTokenValue();

            this.configStore.storeAdminToken(tokenValue);
            this.configStore.discardBootstrapAdminCredentials();
            this.accessClient = this.accessClient.useAuth(new AccessAuthToken(tokenValue));
        } catch (Exception e) {
            throw new RuntimeException("Failed to generate service admin token using bootstrap credentials.", e);
        }
    }

    /**
     * Verifies the stored admin token against the server and revokes it in the store when
     * verification returns {@code false} or throws.
     *
     * <p>NOTE(review): every {@link Exception} is treated as "token invalid", so a failure
     * unrelated to the token itself (presumably including connectivity errors; confirm
     * against the client's exception types) also revokes it and forces re-creation from
     * bootstrap or default credentials.
     */
    private void revokeServiceAdminTokenIfInvalid() {
        try {
            boolean verified = this.accessClient.token().verifyAdminToken(this.configStore.getAdminToken());
            if (!verified) {
                throw new IllegalArgumentException("Admin token failed verification.");
            }
        } catch (Exception e) {
            log.warn("Admin token of service '{}' is invalid, revoking and creating a new token: {}", this.serviceId, e);
            log.debug("Admin token of service '{}' is invalid.", this.serviceId, e);
            this.configStore.revokeAdminToken();
        }
    }
}
