package org.keycloak.quarkus.runtime.storage.infinispan.jgroups.impl;

import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyManagementException;
import java.security.NoSuchAlgorithmException;
import java.util.concurrent.TimeUnit;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLParameters;
import javax.net.ssl.SSLServerSocket;
import javax.net.ssl.TrustManager;
import org.infinispan.configuration.parsing.ConfigurationBuilderHolder;
import org.jgroups.util.DefaultSocketFactory;
import org.jgroups.util.SocketFactory;
import org.keycloak.common.util.Retry;
import org.keycloak.config.CachingOptions;
import org.keycloak.infinispan.module.certificates.CertificateReloadManager;
import org.keycloak.infinispan.module.certificates.JGroupsCertificate;
import org.keycloak.infinispan.module.certificates.JGroupsCertificateHolder;
import org.keycloak.infinispan.module.configuration.global.KeycloakConfigurationBuilder;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.KeycloakSessionFactory;
import org.keycloak.models.utils.KeycloakModelUtils;
import org.keycloak.quarkus.runtime.storage.infinispan.CacheManagerFactory;
import org.keycloak.storage.configuration.ServerConfigStorageProvider;

/* loaded from: input_file:org/keycloak/quarkus/runtime/storage/infinispan/jgroups/impl/JpaJGroupsTlsConfigurator.class */
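/**
 * JGroups TLS configurator whose cluster mTLS certificate is persisted in the
 * {@link ServerConfigStorageProvider} (storage key {@code "crt_jgroups"}) rather than
 * supplied by the operator as a keystore.
 *
 * <p>On startup the certificate is loaded (or generated and stored on first use) inside a
 * Keycloak transaction, registered with the Infinispan {@link KeycloakConfigurationBuilder}
 * module together with the configured rotation period, and used to seed an
 * {@link SSLContext} from which the JGroups {@link SocketFactory} is built. The server-side
 * sockets created by that factory are pinned to {@value #TLS_PROTOCOL_VERSION} and require
 * client authentication, so every cluster member must present a certificate that chains to
 * the shared trust manager.
 */
public class JpaJGroupsTlsConfigurator extends BaseJGroupsTlsConfigurator {
    /** Only protocol version offered by the JGroups server sockets (see {@link #createFromContext}). */
    private static final String TLS_PROTOCOL_VERSION = "TLSv1.3";
    /** Algorithm name passed to {@link SSLContext#getInstance(String)}; the version is restricted later via {@link SSLParameters}. */
    private static final String TLS_PROTOCOL = "TLS";
    /** Number of attempts made to load or create the initial certificate before start-up fails. */
    private static final int STARTUP_RETRIES = 5;
    /** Base delay handed to {@link Retry#call} between start-up attempts. */
    private static final long STARTUP_RETRY_SLEEP_MILLIS = 500L;
    public static final JpaJGroupsTlsConfigurator INSTANCE = new JpaJGroupsTlsConfigurator();

    /**
     * {@inheritDoc}
     *
     * @return always {@code true}: the certificate lives in server config storage, so a
     *         {@link KeycloakSession} is needed to reach it.
     */
    @Override // org.keycloak.quarkus.runtime.storage.infinispan.jgroups.JGroupsStackConfigurator
    public boolean requiresKeycloakSession() {
        return true;
    }

    /**
     * Loads the cluster certificate, wires it (plus the rotation period and session factory)
     * into the Infinispan Keycloak module, and builds the JGroups socket factory on top of an
     * {@link SSLContext} initialised with that certificate's key and trust managers.
     *
     * @param configurationBuilderHolder Infinispan configuration being assembled
     * @param keycloakSession session used to obtain the {@link KeycloakSessionFactory}
     * @return socket factory producing mutually-authenticated TLS sockets for JGroups
     * @throws RuntimeException wrapping {@link KeyManagementException} or
     *         {@link NoSuchAlgorithmException} if the {@link SSLContext} cannot be created
     */
    @Override // org.keycloak.quarkus.runtime.storage.infinispan.jgroups.impl.BaseJGroupsTlsConfigurator
    SocketFactory createSocketFactory(ConfigurationBuilderHolder configurationBuilderHolder, KeycloakSession keycloakSession) {
        KeycloakSessionFactory sessionFactory = keycloakSession.getKeycloakSessionFactory();
        KeycloakConfigurationBuilder keycloakModule = configurationBuilderHolder.getGlobalConfigurationBuilder().addModule(KeycloakConfigurationBuilder.class);
        // Fail fast (after bounded retries) if the certificate cannot be obtained: without it the
        // cluster transport must not start with a weaker configuration.
        JGroupsCertificateHolder certificateHolder = loadInitialCertificateWithRetry(sessionFactory);

        keycloakModule.setJGroupsCertificateRotation(CacheManagerFactory.requiredIntegerProperty(CachingOptions.CACHE_EMBEDDED_MTLS_ROTATION));
        keycloakModule.setKeycloakSessionFactory(sessionFactory);
        keycloakModule.setJGroupCertificateHolder(certificateHolder);

        try {
            SSLContext sslContext = SSLContext.getInstance(TLS_PROTOCOL);
            // Trust is limited to what the holder's trust manager accepts; no default trust store
            // is consulted. A null SecureRandom lets the provider choose its default.
            sslContext.init(
                    new KeyManager[]{certificateHolder.keyManager()},
                    new TrustManager[]{certificateHolder.trustManager()},
                    null);
            return createFromContext(sslContext);
        } catch (KeyManagementException | NoSuchAlgorithmException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Runs {@link #createOrLoadCertificate(KeycloakSession)} in its own transaction, retrying
     * up to {@link #STARTUP_RETRIES} times with a {@link #STARTUP_RETRY_SLEEP_MILLIS} base delay,
     * e.g. while the database is still becoming available during start-up.
     *
     * @param keycloakSessionFactory factory used to open the transactional session
     * @return the loaded or freshly generated certificate holder
     */
    private static JGroupsCertificateHolder loadInitialCertificateWithRetry(KeycloakSessionFactory keycloakSessionFactory) {
        return Retry.call(
                attempt -> KeycloakModelUtils.runJobInTransactionWithResult(keycloakSessionFactory, JpaJGroupsTlsConfigurator::createOrLoadCertificate),
                STARTUP_RETRIES,
                STARTUP_RETRY_SLEEP_MILLIS);
    }

    /**
     * Reads the cluster certificate from server config storage under the key
     * {@code "crt_jgroups"}, generating and storing a self-signed one if none exists yet.
     *
     * <p>The generated certificate's lifetime is twice the configured rotation period
     * ({@code CACHE_EMBEDDED_MTLS_ROTATION}, interpreted as days, converted to seconds), so a
     * rotated certificate overlaps with the previous one. Concurrency between nodes racing to
     * create the entry is delegated to {@code loadOrCreate}; its guarantees are not visible here.
     *
     * @param keycloakSession transactional session providing the {@link ServerConfigStorageProvider}
     * @return holder wrapping the parsed certificate
     * @throws RuntimeException wrapping {@link IOException} or {@link GeneralSecurityException}
     *         if the stored JSON cannot be parsed or the key material cannot be built
     */
    private static JGroupsCertificateHolder createOrLoadCertificate(KeycloakSession keycloakSession) {
        try {
            int rotationDays = CacheManagerFactory.requiredIntegerProperty(CachingOptions.CACHE_EMBEDDED_MTLS_ROTATION);
            ServerConfigStorageProvider storage = keycloakSession.getProvider(ServerConfigStorageProvider.class);
            String certificateJson = storage.loadOrCreate("crt_jgroups",
                    () -> CertificateReloadManager.generateSelfSignedCertificate(TimeUnit.DAYS.toSeconds(rotationDays) * 2));
            return JGroupsCertificateHolder.create(JGroupsCertificate.fromJson(certificateJson));
        } catch (IOException | GeneralSecurityException e) {
            throw new RuntimeException(e);
        }
    }

    /**
     * Wraps the context in a JGroups {@link DefaultSocketFactory} whose server sockets accept
     * only {@value #TLS_PROTOCOL_VERSION} and demand a client certificate (mutual TLS).
     *
     * <p>NOTE(review): the restriction is applied through the server-socket configurator only;
     * whether client-side sockets receive equivalent parameters depends on
     * {@link DefaultSocketFactory}, which is not visible here.
     *
     * @param sslContext context already initialised with the cluster key and trust managers
     * @return socket factory to hand to the JGroups transport
     */
    private static SocketFactory createFromContext(SSLContext sslContext) {
        DefaultSocketFactory socketFactory = new DefaultSocketFactory(sslContext);
        SSLParameters serverParameters = new SSLParameters();
        serverParameters.setProtocols(new String[]{TLS_PROTOCOL_VERSION});
        // Reject peers that do not present a certificate trusted by the holder's trust manager.
        serverParameters.setNeedClientAuth(true);
        socketFactory.setServerSocketConfigurator(serverSocket -> ((SSLServerSocket) serverSocket).setSSLParameters(serverParameters));
        return socketFactory;
    }

    /**
     * Delegates to the base implementation; this override was emitted by the decompiler as a
     * bridge method and adds no behaviour of its own.
     */
    @Override // org.keycloak.quarkus.runtime.storage.infinispan.jgroups.impl.BaseJGroupsTlsConfigurator, org.keycloak.quarkus.runtime.storage.infinispan.jgroups.JGroupsStackConfigurator
    public void configure(ConfigurationBuilderHolder configurationBuilderHolder, KeycloakSession keycloakSession) {
        super.configure(configurationBuilderHolder, keycloakSession);
    }
}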
